1. First rule is to start with default configuration and then make changes.
2. I don't see any modules running here - only perl and preprocess. You have obviously made major changes to the default configuration.
3. Go back to the default configuration, uncomment digest entries and get digest authentication working with an entry in users file: http://wiki.freeradius.org/Digest
4. Once that is working add your perl module into the mix. As I said before digest attributes might be in $RAD_CHECK rather than $RAD_REQUEST.

Ivan Kalik
Kalik Informatika ISP

On 6/5/2008, "johnson elangbam" <[EMAIL PROTECTED]> wrote:

>>Good. Now you are getting Digest-Attributes. Now uncomment digest entry
>>in authorize section of default or whatever virtual server is processing
>>this.
>Hi Kalik,
> As per your instruction I've uncommented all the digest entries
>in authorize and authenticate section in the sites-enabled/default file,
>unfortunately I still didn't get the values of these attributes in my perl
>code to authenticate. I am confused about what I should emphasize, please help.
>
>
>*I am submitting the complete radius log when it ran in debug mode before
>authenticating a user here*
>
>FreeRADIUS Version 2.0.3, for host i686-pc-linux-gnu, built on Apr 9 2008
>at 21:42:16
>Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
>There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>PARTICULAR PURPOSE.
>You may redistribute copies of FreeRADIUS under the terms of the
>GNU General Public License.
>Starting - reading configuration files ...
>including configuration file /usr/local/etc/raddb/radiusd.conf
>including configuration file /usr/local/etc/raddb/clients.conf
>including configuration file /usr/local/etc/raddb/snmp.conf
>including configuration file /usr/local/etc/raddb/eap.conf
>including configuration file /usr/local/etc/raddb/sql.conf
>including configuration file /usr/local/etc/raddb/policy.conf
>including files in directory /usr/local/etc/raddb/sites-enabled/
>including configuration file /usr/local/etc/raddb/sites-enabled/default
>including dictionary file /usr/local/etc/raddb/dictionary
>main {
> prefix = "/usr/local"
> localstatedir = "/usr/local/var"
> logdir = "/usr/local/var/log/radius"
> libdir = "/usr/local/lib"
> radacctdir = "/usr/local/var/log/radius/radacct"
> hostname_lookups = no
> max_request_time = 30
> cleanup_delay = 5
> max_requests = 1024
> allow_core_dumps = no
> pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> checkrad = "/usr/local/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
> security {
> max_attributes = 200
> reject_delay = 1
> status_server = yes
> }
>}
> client localhost {
> ipaddr = 127.0.0.1
> require_message_authenticator = no
> secret = "testing123"
> shortname = "localhost"
> nastype = "other"
> }
> client 192.168.1.227 {
> require_message_authenticator = no
> secret = "johnson"
> }
>radiusd: #### Loading Realms and Home Servers ####
>radiusd: #### Instantiating modules ####
> instantiate {
> Module: Linked to module rlm_exec
> Module: Instantiating exec
> exec {
> wait = yes
> input_pairs = "request"
> shell_escape = yes
> }
> Module: Linked to module rlm_expr
> Module: Instantiating expr
> Module: Linked to module rlm_expiration
> Module: Instantiating expiration
> expiration {
> reply-message = "Password Has Expired "
> }
> Module: Linked to module rlm_logintime
> Module: Instantiating logintime
> logintime {
> reply-message = "You are calling outside your allowed timespan "
> minimum-timeout = 60
> }
> }
>radiusd: #### Loading Virtual Servers ####
>server {
> modules {
> Module: Checking authenticate {...} for more modules to load
> Module: Linked to module rlm_perl
> Module: Instantiating perl
> perl {
> module = "/usr/local/etc/raddb/myperltemp.pl"
> func_authorize = "authorize"
> func_authenticate = "authenticate"
> func_accounting = "accounting"
> func_preacct = "preacct"
> func_checksimul = "checksimul"
> func_detach = "detach"
> func_xlat = "xlat"
> func_pre_proxy = "pre_proxy"
> func_post_proxy = "post_proxy"
> func_post_auth = "post_auth"
> }
> perl {
> max_clones = 32
> start_clones = 32
> min_spare_clones = 0
> max_spare_clones = 32
> cleanup_delay = 5
> max_request_per_clone = 0
> }
> Module: Linked to module rlm_pap
> Module: Instantiating pap
> pap {
> encryption_scheme = "auto"
> auto_header = no
> }
> Module: Linked to module rlm_chap
> Module: Instantiating chap
> Module: Linked to module rlm_digest
> Module: Instantiating digest
> Module: Checking authorize {...} for more modules to load
> Module: Linked to module rlm_preprocess
> Module: Instantiating preprocess
> preprocess {
> huntgroups = "/usr/local/etc/raddb/huntgroups"
> hints = "/usr/local/etc/raddb/hints"
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> with_alvarion_vsa_hack = no
> }
> Module: Linked to module rlm_realm
> Module: Instantiating suffix
> realm suffix {
> format = "suffix"
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> Module: Linked to module rlm_eap
> Module: Instantiating eap
> eap {
> default_eap_type = "md5"
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> }
> Module: Linked to sub-module rlm_eap_md5
> Module: Instantiating eap-md5
> Module: Linked to sub-module rlm_eap_leap
> Module: Instantiating eap-leap
> Module: Linked to sub-module rlm_eap_gtc
> Module: Instantiating eap-gtc
> gtc {
> challenge = "Password: "
> auth_type = "PAP"
> }
> Module: Linked to sub-module rlm_eap_tls
> Module: Instantiating eap-tls
> tls {
> rsa_key_exchange = no
> dh_key_exchange = yes
> rsa_key_length = 512
> dh_key_length = 512
> verify_depth = 0
> pem_file_type = yes
> private_key_file = "/usr/local/etc/raddb/certs/server.pem"
> certificate_file = "/usr/local/etc/raddb/certs/server.pem"
> CA_file = "/usr/local/etc/raddb/certs/ca.pem"
> private_key_password = "whatever"
> dh_file = "/usr/local/etc/raddb/certs/dh"
> random_file = "/usr/local/etc/raddb/certs/random"
> fragment_size = 1024
> include_length = yes
> check_crl = no
> cipher_list = "DEFAULT"
> make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
> }
> Module: Linked to sub-module rlm_eap_ttls
> Module: Instantiating eap-ttls
> ttls {
> default_eap_type = "md5"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> }
> Module: Linked to sub-module rlm_eap_peap
> Module: Instantiating eap-peap
> peap {
> default_eap_type = "mschapv2"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> proxy_tunneled_request_as_eap = yes
> }
> Module: Linked to sub-module rlm_eap_mschapv2
> Module: Instantiating eap-mschapv2
> mschapv2 {
> with_ntdomain_hack = no
> }
> Module: Linked to module rlm_files
> Module: Instantiating files
> files {
> usersfile = "/usr/local/etc/raddb/users"
> acctusersfile = "/usr/local/etc/raddb/acct_users"
> preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
> compat = "no"
> }
> Module: Checking preacct {...} for more modules to load
> Module: Linked to module rlm_acct_unique
> Module: Instantiating acct_unique
> acct_unique {
> key = "User-Name, Acct-Session-Id, NAS-IP-Address,
>Client-IP-Address, NAS-Port"
> }
> Module: Checking accounting {...} for more modules to load
> Module: Linked to module rlm_detail
> Module: Instantiating detail
> detail {
> detailfile =
>"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> header = "%t"
> detailperm = 384
> dirperm = 493
> locking = no
> log_packet_header = no
> }
> Module: Linked to module rlm_radutmp
> Module: Instantiating radutmp
> radutmp {
> filename = "/usr/local/var/log/radius/radutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> perm = 384
> callerid = yes
> }
> Module: Linked to module rlm_attr_filter
> Module: Instantiating attr_filter.accounting_response
> attr_filter attr_filter.accounting_response {
> attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
> key = "%{User-Name}"
> }
> Module: Checking session {...} for more modules to load
> Module: Checking post-proxy {...} for more modules to load
> Module: Checking post-auth {...} for more modules to load
> Module: Instantiating attr_filter.access_reject
> attr_filter attr_filter.access_reject {
> attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
> key = "%{User-Name}"
> }
> }
>}
>radiusd: #### Opening IP addresses and Ports ####
>listen {
> type = "auth"
> ipaddr = *
> port = 0
>}
>listen {
> type = "acct"
> ipaddr = *
> port = 0
>}
>main {
> snmp = no
> smux_password = ""
> snmp_write_access = no
>}
>Listening on authentication address * port 1812
>Listening on accounting address * port 1813
>Listening on proxy address * port 1814
>Ready to process requests.
>
>*Here is the log output after rejecting a user*
>
>
>rad_recv: Access-Request packet from host 192.168.1.227 port 33192, id=169,
>length=271
> User-Name = "[EMAIL PROTECTED]"
> Digest-Attributes = 0x0a096a6f686e736f6e
> Digest-Attributes = 0x010f3139322e3136382e312e323237
> Digest-Attributes =
>0x022a34383230326231303038353039346632353131636332393230663634666635653332333335373931
> Digest-Attributes = 0x04137369703a3139322e3136382e312e323237
> Digest-Attributes = 0x030a5245474953544552
> Digest-Response = "bb91be247c053ec09ab0da78d666c469"
> Service-Type = Sip-Session
> Sip-Uri-User = "johnson"
> Cisco-AVPair = "call-id=
>[EMAIL PROTECTED]"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 5060
>+- entering group authorize
>++[preprocess] returns ok
>perl_pool: item 0x9cb1b90 asigned new request. Handled so far: 1
>found interpetator at address 0x9cb1b90
>rlm_perl: ###############################################################
>rlm_perl: RAD_REQUEST: Digest-Response = bb91be247c053ec09ab0da78d666c469
>rlm_perl: RAD_REQUEST: Service-Type = Sip-Session
>rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id=
>[EMAIL PROTECTED]
>rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED]
>rlm_perl: RAD_REQUEST: Sip-Uri-User = johnson
>rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
>rlm_perl: RAD_REQUEST: NAS-Port = 5060
>rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x9e79f88)
>rlm_perl: ###############################################################
>rlm_perl: Added pair Digest-Response = bb91be247c053ec09ab0da78d666c469
>rlm_perl: Added pair Service-Type = Sip-Session
>rlm_perl: Added pair Cisco-AVPair = call-id=
>[EMAIL PROTECTED]
>rlm_perl: Added pair User-Name = [EMAIL PROTECTED]
>rlm_perl: Added pair Sip-Uri-User = johnson
>rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
>rlm_perl: Added pair NAS-Port = 5060
>rlm_perl: Added pair Digest-Attributes = 0x0a096a6f686e736f6e
>rlm_perl: Added pair Digest-Attributes = 0x010f3139322e3136382e312e323237
>rlm_perl: Added pair Digest-Attributes =
>0x022a34383230326231303038353039346632353131636332393230663634666635653332333335373931
>rlm_perl: Added pair Digest-Attributes =
>0x04137369703a3139322e3136382e312e323237
>rlm_perl: Added pair Digest-Attributes = 0x030a5245474953544552
>rlm_perl: Added pair Reply-Message = Incorrect Password
>perl_pool total/active/spare [32/0/32]
>Unreserve perl at address 0x9cb1b90
>++[perl] returns reject
>Invalid user: [EMAIL PROTECTED]/<no User-Password attribute>] (from
>client 192.168.1.227 port 5060)
> Found Post-Auth-Type Reject
>+- entering group REJECT
> expand: %{User-Name} -> [EMAIL PROTECTED]
> attr_filter: Matched entry DEFAULT at line 11
>++[attr_filter.access_reject] returns updated
>Delaying reject of request 0 for 1 seconds
>Going to the next request
>Waking up in 0.9 seconds.
>rad_recv: Access-Request packet from host 192.168.1.227 port 33193, id=170,
>length=271
> User-Name = "[EMAIL PROTECTED]"
> Digest-Attributes = 0x0a096a6f686e736f6e
> Digest-Attributes = 0x010f3139322e3136382e312e323237
> Digest-Attributes =
>0x022a34383230326231303038353039346632353131636332393230663634666635653332333335373931
> Digest-Attributes = 0x04137369703a3139322e3136382e312e323237
> Digest-Attributes = 0x030a5245474953544552
> Digest-Response = "bb91be247c053ec09ab0da78d666c469"
> Service-Type = Sip-Session
> Sip-Uri-User = "johnson"
> Cisco-AVPair = "call-id=
>[EMAIL PROTECTED]"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 5060
>+- entering group authorize
>++[preprocess] returns ok
>perl_pool: item 0x9eeddc8 asigned new request. Handled so far: 1
>found interpetator at address 0x9eeddc8
>rlm_perl: ###############################################################
>rlm_perl: RAD_REQUEST: Digest-Response = bb91be247c053ec09ab0da78d666c469
>rlm_perl: RAD_REQUEST: Service-Type = Sip-Session
>rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id=
>[EMAIL PROTECTED]
>rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED]
>rlm_perl: RAD_REQUEST: Sip-Uri-User = johnson
>rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
>rlm_perl: RAD_REQUEST: NAS-Port = 5060
>rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x9f83c98)
>rlm_perl: ###############################################################
>rlm_perl: Added pair Digest-Response = bb91be247c053ec09ab0da78d666c469
>rlm_perl: Added pair Service-Type = Sip-Session
>rlm_perl: Added pair Cisco-AVPair = call-id=
>[EMAIL PROTECTED]
>rlm_perl: Added pair User-Name = [EMAIL PROTECTED]
>rlm_perl: Added pair Sip-Uri-User = johnson
>rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
>rlm_perl: Added pair NAS-Port = 5060
>rlm_perl: Added pair Digest-Attributes = 0x0a096a6f686e736f6e
>rlm_perl: Added pair Digest-Attributes = 0x010f3139322e3136382e312e323237
>rlm_perl: Added pair Digest-Attributes =
>0x022a34383230326231303038353039346632353131636332393230663634666635653332333335373931
>rlm_perl: Added pair Digest-Attributes =
>0x04137369703a3139322e3136382e312e323237
>rlm_perl: Added pair Digest-Attributes = 0x030a5245474953544552
>rlm_perl: Added pair Reply-Message = Incorrect Password
>perl_pool total/active/spare [32/0/32]
>Unreserve perl at address 0x9eeddc8
>++[perl] returns reject
>Invalid user: [EMAIL PROTECTED]/<no User-Password attribute>] (from
>client 192.168.1.227 port 5060)
> Found Post-Auth-Type Reject
>+- entering group REJECT
> expand: %{User-Name} -> [EMAIL PROTECTED]
> attr_filter: Matched entry DEFAULT at line 11
>++[attr_filter.access_reject] returns updated
>Delaying reject of request 1 for 1 seconds
>Going to the next request
>Waking up in 0.4 seconds.
>Sending delayed reject for request 0
>Sending Access-Reject of id 169 to 192.168.1.227 port 33192
> Reply-Message = "Incorrect Password"
>Waking up in 0.4 seconds.
>Sending delayed reject for request 1
>Sending Access-Reject of id 170 to 192.168.1.227 port 33193
> Reply-Message = "Incorrect Password"
>Waking up in 4.5 seconds.
>Cleaning up request 0 ID 169 with timestamp +8
>Waking up in 0.4 seconds.
>Cleaning up request 1 ID 170 with timestamp +8
>Ready to process requests.
>
>
>Thanks for your valuable time.
>
>With regards,
>Elangbam Johnson
>
>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
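The Digest-Attributes values in the debug log above are opaque to the perl module because each one is a packed sub-attribute (one type byte, one length byte counting itself, then the string) that rlm_digest unpacks into Digest-Realm, Digest-Nonce, Digest-Method, Digest-URI and Digest-User-Name before checking Digest-Response. The following is an added example, not code from this thread or from FreeRADIUS: it decodes the five values captured in the log and recomputes the RFC 2617 request-digest that Digest-Response has to match. The sub-attribute names are the ones FreeRADIUS's dictionary uses for the draft-sterman-aaa-sip layout; the password for "johnson" is not in the thread, so the one used at the bottom is a placeholder and the comparison is expected to fail.

```python
"""Unpack RADIUS Digest-Attributes and recompute the HTTP Digest response.

Added example; the five LOG_* values are copied from the debug log in the
thread, everything else is constructed here.
"""
import hashlib
import hmac

# Sub-attribute types carried inside Digest-Attributes (draft-sterman-aaa-sip
# layout; names follow the FreeRADIUS dictionary so they match rlm_digest's
# debug output).
SUBTYPES = {
    1: "Digest-Realm",
    2: "Digest-Nonce",
    3: "Digest-Method",
    4: "Digest-URI",
    5: "Digest-QOP",
    6: "Digest-Algorithm",
    7: "Digest-Body-Digest",
    8: "Digest-CNonce",
    9: "Digest-Nonce-Count",
    10: "Digest-User-Name",
}

# Captured from the Access-Request in the log above (the long nonce value is
# wrapped across two lines there; it is one attribute).
LOG_DIGEST_ATTRIBUTES = [
    "0x0a096a6f686e736f6e",
    "0x010f3139322e3136382e312e323237",
    "0x022a34383230326231303038353039346632353131636332393230663634666635653332333335373931",
    "0x04137369703a3139322e3136382e312e323237",
    "0x030a5245474953544552",
]
LOG_DIGEST_RESPONSE = "bb91be247c053ec09ab0da78d666c469"


def decode_digest_attributes(values):
    """One TLV per Digest-Attributes value: type (1 byte), length (1 byte,
    including the two header bytes), then the string. Rejects malformed or
    duplicated sub-attributes instead of silently taking the last one."""
    decoded = {}
    for value in values:
        raw = bytes.fromhex(value[2:] if value.startswith("0x") else value)
        if len(raw) < 2:
            raise ValueError("sub-attribute shorter than its 2-byte header")
        subtype, length = raw[0], raw[1]
        if length != len(raw):
            raise ValueError(f"length byte {length} != {len(raw)} bytes present")
        name = SUBTYPES.get(subtype)
        if name is None:
            raise ValueError(f"unknown Digest sub-attribute type {subtype}")
        if name in decoded:
            raise ValueError(f"duplicate {name}")
        decoded[name] = raw[2:].decode("ascii")
    return decoded


def _md5_hex(*parts):
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def digest_response(password, attrs):
    """RFC 2617 request-digest from the unpacked attributes plus the
    clear-text password the server holds for Digest-User-Name. With no
    Digest-QOP (the SIP REGISTER in the log) this is the RFC 2069 form."""
    user, realm = attrs["Digest-User-Name"], attrs["Digest-Realm"]
    nonce, method, uri = attrs["Digest-Nonce"], attrs["Digest-Method"], attrs["Digest-URI"]
    algorithm = attrs.get("Digest-Algorithm", "MD5").upper()
    qop = attrs.get("Digest-QOP")

    ha1 = _md5_hex(user, realm, password)
    if algorithm == "MD5-SESS":
        ha1 = _md5_hex(ha1, nonce, attrs["Digest-CNonce"])
    elif algorithm != "MD5":
        raise ValueError(f"unsupported algorithm {algorithm}")

    if qop is None or qop == "auth":
        ha2 = _md5_hex(method, uri)
    elif qop == "auth-int":
        ha2 = _md5_hex(method, uri, attrs["Digest-Body-Digest"])
    else:
        raise ValueError(f"unsupported qop {qop}")

    if qop is None:
        return _md5_hex(ha1, nonce, ha2)
    return _md5_hex(ha1, nonce, attrs["Digest-Nonce-Count"], attrs["Digest-CNonce"], qop, ha2)


def verify_digest(password, attrs, presented):
    """Constant-time comparison of the recomputed digest with Digest-Response."""
    return hmac.compare_digest(digest_response(password, attrs), presented.lower())


if __name__ == "__main__":
    attrs = decode_digest_attributes(LOG_DIGEST_ATTRIBUTES)
    for name, value in attrs.items():
        print(f"{name} = {value}")
    # Placeholder: the real password is not in the thread, so this prints False.
    print("matches:", verify_digest("placeholder-password", attrs, LOG_DIGEST_RESPONSE))
```

Two things the decode makes visible: the username hashed into HA1 is the Digest-User-Name sub-attribute ("johnson"), not the RADIUS User-Name with its realm suffix, so a users-file or perl lookup keyed on the wrong one will never match; and the server can only recompute the digest if it has the clear-text password (or a stored HA1) for that user, which is why a Cleartext-Password entry in users is the simplest way to prove the pipeline works before adding perl. The nonce is chosen by the SIP server, so replay protection is its job; the RADIUS side only checks the digest.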

