Because of the issues I've been having with authentication
with Freeradius I started from scratch and used RPM to remove Freeradius and
then re-installed the latest version. I needed to be able to accept both PAP and CHAP
authentication, however I couldn't get it to do both and had to by default to
get it to auth everyone no matter what the password should be. But I don't see
this as ideal.

Since I took over the radius server from someone else I'm
guessing it had been changed by the previous person to the extent where only a
re-install would solve the problem. I read that out of the box Freeradius would accept both PAP
and CHAP authentication as long as the password was in clear text and I used
"Password ==". So I re-installed Freeradius version
freeradius-1.0.1-3.RHEL4.3 and converted all the entries from Auth-Type := Accept
to "Password == <password>" where <password> was the
user's password.

On testing I found users still couldn't authenticate by PAP
or CHAP. I ran "radiusd -X" and from what I could see it's because of
the Default setting:

DEFAULT Auth-Type = System
        Fall-Through = 1

The NAS is a Cisco 7204VXR and the line for the authentication is:

ppp authentication pap chap callin

Here is the debug from radius

################
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.3:1645, id=142, length=95
    Framed-Protocol = PPP
    User-Name = "[EMAIL PROTECTED]"
    User-Password = "deabercyap"
    NAS-Port-Type = Virtual
    NAS-Port = 1074
    Service-Type = Framed-User
    NAS-IP-Address = 10.0.0.3
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "bb.adslco.com" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: No such realm "bb.adslco.com"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched DEFAULT at 152
users: Matched DEFAULT at 171
users: Matched DEFAULT at 183
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
modcall[authenticate]: module "unix" returns notfound for request 0
modcall: group authenticate returns notfound for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 142 to 10.0.0.3:1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 142 with timestamp 443377fc
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.0.0.3:1645, id=143, length=95
    Framed-Protocol = PPP
    User-Name = "[EMAIL PROTECTED]"
    User-Password = ""
    NAS-Port-Type = Virtual
    NAS-Port = 643
    Service-Type = Framed-User
    NAS-IP-Address = 10.0.0.3
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: Looking up realm "bb.adslco.com" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: No such realm "bb.adslco.com"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 1
users: Matched DEFAULT at 152
users: Matched DEFAULT at 171
users: Matched DEFAULT at 183
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
modcall[authenticate]: module "unix" returns notfound for request 1
modcall: group authenticate returns notfound for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 143 to 10.0.0.3:1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 143 with timestamp 44337809
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.0.0.3:1645, id=144, length=95
    Framed-Protocol = PPP
    User-Name = "[EMAIL PROTECTED]"
    User-Password = ""
    NAS-Port-Type = Virtual
    NAS-Port = 1154
    Service-Type = Framed-User
    NAS-IP-Address = 10.0.0.3
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: Looking up realm "bb.adslco.com" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: No such realm "bb.adslco.com"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 2
users: Matched DEFAULT at 152
users: Matched DEFAULT at 171
users: Matched DEFAULT at 183
modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns ok for request 2
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
modcall[authenticate]: module "unix" returns notfound for request 2
modcall: group authenticate returns notfound for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 144 to 10.0.0.3:1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 144 with timestamp 44337821
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.0.0.3:1645, id=145, length=95
    Framed-Protocol = PPP
    User-Name = "[EMAIL PROTECTED]"
    User-Password = "wewyam"
    NAS-Port-Type = Virtual
    NAS-Port = 108
    Service-Type = Framed-User
    NAS-IP-Address = 10.0.0.3
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: Looking up realm "bb.adslco.com" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: No such realm "bb.adslco.com"
modcall[authorize]: module "suffix" returns noop for request 3
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 3
users: Matched DEFAULT at 152
users: Matched DEFAULT at 171
users: Matched DEFAULT at 183
modcall[authorize]: module "files" returns ok for request 3
modcall: group authorize returns ok for request 3
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
modcall[authenticate]: module "unix" returns notfound for request 3
modcall: group authenticate returns notfound for request 3
auth: Failed to validate the user.
Delaying request 3 for 1 seconds
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 145 to 10.0.0.3:1645
Waking up in 4 seconds...
#######################

What do I need to change to get Freeradius to accept both
PAP and CHAP authentication?

Thanks

Tony
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
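
A triage helper for `radiusd -X` output of the kind posted above, as an added example that is not part of the original message. For each Access-Request it records which users-file entries matched, which Auth-Type was chosen, what the authenticate module returned and which reply was sent, and it masks password attributes before a log is shared. The sample log is constructed in the post's layout with placeholder credentials, and the function names are hypothetical.

```python
import re

# Constructed sample in the radiusd -X layout from the post; the user name and
# password are placeholders, not values from the original log.
SAMPLE = '''rad_recv: Access-Request packet from host 10.0.0.3:1645, id=142, length=95
    User-Name = "user@example.test"
    User-Password = "placeholder"
users: Matched DEFAULT at 152
users: Matched DEFAULT at 171
rad_check_password: Found Auth-Type System
modcall[authenticate]: module "unix" returns notfound for request 0
Sending Access-Reject of id 142 to 10.0.0.3:1645
'''

RECV = re.compile(r"rad_recv: Access-Request packet from host \S+, id=(\d+)")
PASSWORD = re.compile(r"^(\s*(User|CHAP)-Password = ).*$", re.M)
MATCHED = re.compile(r"users: Matched (.+) at (\d+)")
AUTH_TYPE = re.compile(r"rad_check_password:\s*Found Auth-Type (\S+)")
MODULE = re.compile(r'modcall\[authenticate\]: module "([^"]+)" returns (\w+)')
REPLY = re.compile(r"Sending (\S+) of id (\d+)")

def redact(text):
    """Mask PAP/CHAP password attribute values before a debug log is shared."""
    return PASSWORD.sub(r'\1"<redacted>"', text)

def parse_requests(text):
    """Summarise each Access-Request seen in radiusd -X output."""
    reqs, cur = [], None
    for line in text.splitlines():
        if m := RECV.search(line):
            cur = {"id": int(m[1]), "method": None, "matched": [],
                   "auth_type": None, "module": None, "reply": None}
            reqs.append(cur)
        elif m := REPLY.search(line):
            # Rejects are delayed, so pair the reply with its request by packet id.
            for r in reversed(reqs):
                if r["id"] == int(m[2]):
                    r["reply"] = m[1]
                    break
        elif cur is None:
            continue
        elif m := PASSWORD.match(line):
            cur["method"] = "PAP" if m[2] == "User" else "CHAP"
        elif m := MATCHED.search(line):
            cur["matched"].append((m[1], int(m[2])))
        elif m := AUTH_TYPE.search(line):
            cur["auth_type"] = m[1]
        elif m := MODULE.search(line):
            cur["module"] = (m[1], m[2])
    return reqs
```

A request whose `matched` list holds only `DEFAULT` entries, with `auth_type` of `System` and a `("unix", "notfound")` module result, is the pattern every request in the posted log shows.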

