Hi all.

Have been enjoying radius for a while now. Had to make a server upgrade and move over to Fedora 8 for HW support. Still using 1.1.7 because it rocks. Well, not quite any more: I moved over the config files I had on Debian and everything seems OK, except that no users can log in anymore via pptp on my firewall.

My config:
Linux ns.intern.fb.se 2.6.24.3-50.fc8 #1 SMP Thu Mar 20 14:47:10 EDT 2008 i686 i686 i386 GNU/Linux
[EMAIL PROTECTED] usersdepot]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = yes
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radius/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
 pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/ detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

When a user logs in:
rad_recv: Access-Request packet from host 10.0.5.1:60461, id=3, length=181
        NAS-Identifier = "halon"
        NAS-IP-Address = 10.0.5.1
        Message-Authenticator = 0x18e8c7acd5db57751eb497c6d6c59503
        NAS-Port = 0
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "212.247.38.166"
        User-Name = "giobbi"
        MS-CHAP-Challenge = 0xbb1e6823d2ae12e363e056523f30a6de
        MS-CHAP2-Response = 0x01000357ec5a5b0eb534ea8682a730849e89000000000000000034ff990a30a4a24681b50b31d7da17a3d2634e2e55ad5e17
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
  modcall[authorize]: module "mschap" returns ok for request 0
    rlm_realm: No '@' in User-Name = "giobbi", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 185
    users: Matched entry giobbi at line 4
  modcall[authorize]: module "files" returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
  rlm_mschap: Told to do MS-CHAPv2 for giobbi with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok for request 0
modcall: leaving group MS-CHAP (returns ok) for request 0
Login OK: [giobbi] (from client fw-halon port 0 cli 212.247.38.166)
Sending Access-Accept of id 3 to 10.0.5.1 port 60461
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        Service-Type = Framed-User
        Framed-Route = "10.0.4.0/24 10.0.5.245 10.0.5.0/24 10.0.5.1 10.0.8.0/24 10.0.5.245 10.0.9/24 10.0.5.245"
        MS-CHAP2-Success = 0x01533d34444432314431443741453246333335453632323046463633304643464435463835353236393736
        MS-MPPE-Recv-Key = 0x9f2fb3fc6a24b8a5a5251de891f8ece8
        MS-MPPE-Send-Key = 0xd488a4ec77025f4c8c3e4defc4fbdf70
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.5.1:60461, id=3, length=181
Sending duplicate reply to client fw-halon:60461 - ID: 3
Re-sending Access-Accept of id 3 to 10.0.5.1 port 60461
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.5.1:60461, id=3, length=181
Sending duplicate reply to client fw-halon:60461 - ID: 3
Re-sending Access-Accept of id 3 to 10.0.5.1 port 60461
Waking up in 6 seconds...

Firewall log:
halon(Firewall_GOT)# system logs pptp
PPTP: Incoming control connection from 212.247.38.166 55553 to 212.247.38.166 1723
pptp0: attached to connection with 212.247.38.166 55553
[pptp0] Accepting PPTP connection
[pptp0] opening link "pptp0"...
[pptp0] link: OPEN event
[pptp0] LCP: Open event
[pptp0] LCP: state change Initial --> Starting
[pptp0] LCP: LayerStart
[pptp0] PPTP: attaching to peer's outgoing call
[pptp0] link: UP event
[pptp0] link: origination is remote
[pptp0] LCP: Up event
[pptp0] LCP: state change Starting --> Req-Sent
[pptp0] LCP: SendConfigReq #31
 ACFCOMP
 PROTOCOMP
 MRU 1460
 MAGICNUM a3e02c2f
 AUTHPROTO CHAP MSOFTv2
[pptp0] LCP: rec'd Configure Request #1 (Req-Sent)
 ACCMAP 0x00000000
 MAGICNUM c5887687
 PROTOCOMP
 ACFCOMP
[pptp0] LCP: SendConfigAck #1
 ACCMAP 0x00000000
 MAGICNUM c5887687
 PROTOCOMP
 ACFCOMP
[pptp0] LCP: state change Req-Sent --> Ack-Sent
[pptp0] LCP: SendConfigReq #32
 ACFCOMP
 PROTOCOMP
 MRU 1460
 MAGICNUM a3e02c2f
 AUTHPROTO CHAP MSOFTv2
[pptp0] LCP: rec'd Configure Ack #32 (Ack-Sent)
 ACFCOMP
 PROTOCOMP
 MRU 1460
 MAGICNUM a3e02c2f
 AUTHPROTO CHAP MSOFTv2
[pptp0] LCP: state change Ack-Sent --> Opened
[pptp0] LCP: auth: peer wants nothing, I want CHAP
[pptp0] CHAP: sending CHALLENGE len:17
[pptp0] LCP: LayerUp
[pptp0] CHAP: rec'd RESPONSE #1
 Name: "giobbi"
[pptp0] AUTH: Auth-Thread started
[pptp0] AUTH: Trying RADIUS
[pptp0] RADIUS: RadiusAuthenticate for: giobbi
[pptp0] RADIUS: rad_send_request failed: No valid RADIUS responses received
[pptp0] AUTH: RADIUS returned undefined
[pptp0] AUTH: Trying INTERNAL
AUTH: User "giobbi" not found in secret file
[pptp0] AUTH: INTERNAL returned failed
[pptp0] AUTH: ran out of backends
[pptp0] AUTH: Auth-Thread finished normally
[pptp0] CHAP: ChapInputFinish: status failed
 Reply message: E=691 R=0 M=Login incorrect
[pptp0] CHAP: sending FAILURE len:27
[pptp0] LCP: authorization failed
[pptp0] LCP: parameter negotiation failed
[pptp0] LCP: state change Opened --> Stopping
[pptp0] AUTH: Cleanup
[pptp0] LCP: SendTerminateReq #33
[pptp0] LCP: LayerDown
[pptp0] LCP: rec'd Terminate Request #2 (Stopping)
[pptp0] LCP: SendTerminateAck #34
[pptp0] LCP: rec'd Terminate Ack #33 (Stopping)
[pptp0] LCP: state change Stopping --> Stopped
[pptp0] LCP: LayerFinish
pptp0-0: clearing call
pptp0-0: killing channel
[pptp0] PPTP call terminated
[pptp0] link: DOWN event
[pptp0] LCP: Close event
[pptp0] LCP: state change Stopped --> Closed
[pptp0] LCP: Down event
[pptp0] LCP: state change Closed --> Initial
pptp0: closing connection with 212.247.38.166 55553
pptp0: ctrl connection closed by peer
pptp0: killing connection with 212.247.38.166 55553

So here's the problem: the firewall doesn't like the response it gets; it isn't valid for some reason. I'm using the exact same configs as in the working Debian version (same radius, 1.1.7), so in theory these should work just as fine in my Fedora setup, right?

Any clues or tips are greatly appreciated.

thx

p
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
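
Added example (not part of the original message, and not FreeRADIUS code): the debug output above shows the server sending an Access-Accept while the NAS keeps repeating the same request (same source port and id), which is the server-side view of the firewall's "No valid RADIUS responses received". The Python sketch below flags that pattern in `radiusd -X` output; the function name and the condensed sample log are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a condensed copy of the radiusd -X lines in the message.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.0.5.1:60461, id=3, length=181
Login OK: [giobbi] (from client fw-halon port 0 cli 212.247.38.166)
Sending Access-Accept of id 3 to 10.0.5.1 port 60461
Finished request 0
rad_recv: Access-Request packet from host 10.0.5.1:60461, id=3, length=181
Sending duplicate reply to client fw-halon:60461 - ID: 3
Re-sending Access-Accept of id 3 to 10.0.5.1 port 60461
rad_recv: Access-Request packet from host 10.0.5.1:60461, id=3, length=181
Sending duplicate reply to client fw-halon:60461 - ID: 3
Re-sending Access-Accept of id 3 to 10.0.5.1 port 60461
"""

RECV = re.compile(r"^rad_recv: (\S+) packet from host ([\d.]+):(\d+), id=(\d+)")
SENT = re.compile(r"^(?:Re-sending|Sending) (Access-\w+) of id (\d+) to ([\d.]+) port (\d+)")

def find_unaccepted_replies(log_text):
    """Return exchanges where the NAS kept retransmitting after a reply was sent."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0, "reply": None})
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RECV.match(line)
        if m:  # key = (NAS address, NAS source port, RADIUS packet id)
            stats[(m.group(2), int(m.group(3)), int(m.group(4)))]["requests"] += 1
            continue
        m = SENT.match(line)
        if m:
            entry = stats[(m.group(3), int(m.group(4)), int(m.group(2)))]
            entry["replies"] += 1
            entry["reply"] = m.group(1)
    findings = []
    for (host, port, pkt_id), s in stats.items():
        # The same request arriving again after a reply went out means the NAS
        # never received that reply, or received it and discarded it as invalid.
        if s["replies"] and s["requests"] > 1:
            findings.append({"nas": host, "port": port, "id": pkt_id,
                             "reply": s["reply"],
                             "retransmits": s["requests"] - 1})
    return findings

if __name__ == "__main__":
    for finding in find_unaccepted_replies(SAMPLE_LOG):
        print(finding)
```

The sketch keys on (NAS address, source port, id) across the whole input, so on a long capture it should be fed one time window at a time, since packet ids are reused.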
