Multiple Realms

2012-05-23 Thread Shawky Skaff
Hi,

I have spent some time reading and trying to configure multiple realms to no 
avail.

Basically I currently have one active realm and need to have another realm 
configured onto the same radius box. For example dsl.example.com.au is one and 
voice.example.com.au is the second.

How can I configure the second? I know it's something to do with the proxy.conf 
file, but not sure how or where to do this.

Thanks
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Multiple Realms

2012-05-23 Thread Alan DeKok
Shawky Skaff wrote:
 Basically I currently have one active realm and need to have another
 realm configured onto the same radius box. For example
 dsl.example.com.au is one and voice.example.com.au is the second.

  You need to configure two realms.

 How can I configure the second? I know it’s somewhat to do with
 proxy.conf file, but not sure how or where to do this.

  You create another realm block, using the name of the second realm.
 It shouldn't be hard.

realm foo {
...
}

realm bar {
...
}

  Alan DeKok.

Values for MySQL tables for pptpd ?

2012-05-23 Thread Ali Jawad
Hi
I did set up pptpd with freeradius + mysql following
http://poptop.sourceforge.net/dox/radius_mysql.html.
pptpd (poptop) works fine without freeradius; with freeradius and mysql,
all seems fine apart from me not knowing what values to enter into the
mysql tables of freeradius.

With no entries in the database I get

Ready to process requests.

rad_recv: Access-Request packet from host 127.0.0.1:45194, id=198, length=67
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = test
Calling-Station-Id = 193.227.186.146
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
radius_xlat:  'test'
rlm_sql (sql): sql_set_user escaped user -- 'test'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radcheck   WHERE Username = 'test'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): User test not found in radcheck
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User test not found in radgroupcheck
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): User not found   ###
  modcall[authorize]: module sql returns notfound for request 0
  modcall[authorize]: module mschap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 198 to 127.0.0.1 port 45194
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 198 with timestamp 4fbc8c9d


When I do add to radcheck -

INSERT INTO `radcheck` (`id`, `UserName`, `Attribute`, `op`, `Value`) VALUES
(11, 'test', 'Chap-Password', '==', 'test');

 I get

rad_recv: Access-Request packet from host 127.0.0.1:46882, id=199, length=67
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = test
Calling-Station-Id = 193.227.186.146
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1
radius_xlat:  'test'
rlm_sql (sql): sql_set_user escaped user -- 'test'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radcheck   WHERE Username = 'test'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radreply   WHERE Username = 'test'   ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
rlm_sql (sql): No matching entry in the database for request from user
[test]
  modcall[authorize]: module sql returns notfound for request 1
  modcall[authorize]: module mschap returns noop for request 1
modcall: leaving group authorize (returns ok) for request 1
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user #
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- 

Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Alan DeKok
Ali Jawad wrote:
 When I do add to radcheck -
 
 INSERT INTO `radcheck` (`id`, `UserName`, `Attribute`, `op`, `Value`) VALUES
 (11, 'test', 'Chap-Password', '==', 'test');

  That's wrong.  See the FAQ.

  Use Cleartext-Password := test.

  Alan DeKok.


Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Ali Jawad
Thanks Alan, I assumed Chap-Password because during testing I got

auth: No User-Password or CHAP-Password attribute in the request
Regards

-- 
*Ali Jawad
*
*Information Systems Manager*
*Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554*

Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Ali Jawad
Hi Alan
Sorry for the many mails

I did test with Cleartext-Password

and got

rlm_sql: Failed to create the pair: Unknown attribute Cleartext-Password
rlm_sql (sql): Error getting data from database

I have microsoft and merit dictionary loaded

Regards


Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Alan DeKok
Ali Jawad wrote:
 I did test with Cleartext-Password
 
 and got 
 
 rlm_sql: Failed to create the pair: Unknown attribute Cleartext-Password
 rlm_sql (sql): Error getting data from database

  Then you edited the default configuration and broke the server.

 I have microsoft and merit dictionary loaded

  What does that mean?

  DON'T edit the dictionaries.  The server WORKS.

  Alan DeKok.


Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Phil Mayers

On 05/23/2012 08:46 AM, Ali Jawad wrote:

Hi Alan
Sorry for the many mails

I did test with Cleartext-Password

and got

rlm_sql: Failed to create the pair: Unknown attribute Cleartext-Password
rlm_sql (sql): Error getting data from database


Which version of FreeRADIUS?



I have microsoft and merit dictionary loaded


If you have fiddled with the dictionaries, you'll break everything. Don't 
do that.


Leave the dictionaries alone. There's no problem loading them all.


Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Ali Jawad
Fair enough, what is the value that forces use of Cleartext-Password ?
Thanks !


Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Ali Jawad
Hi Alan
I did only add an include which I did remove now, the freeradius version is
1.1.3 + freeradius-mysql from CentOS 5 repos
thanks


Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Alan DeKok
Ali Jawad wrote:
 Fair enough, what is the value that forces use of Cleartext-Password ?

  DON'T EDIT THE DICTIONARIES.

  There is NOTHING YOU NEED TO DO.

  My example WORKS USING THE DEFAULT CONFIGURATION.

  I have NO IDEA why you're asking that question.  It shows a deep
misunderstanding of how the server works.

  Happily, you don't need to understand it.  Just

  DON'T EDIT THE DICTIONARIES.

  MY EXAMPLE WORKS.

  What else do I need to say to convince you that you should DO WHAT I SAID?

  Alan DeKok.


Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Fajar A. Nugraha
On Wed, May 23, 2012 at 3:22 PM, Ali Jawad ali.ja...@splendor.net wrote:
 Fair enough, what is the value that forces use of Cleartext-Password ?
 Thanks !

Step back a bit.

As Phil said, what version of FR are you using?

If you're using 2.1.x, then the dictionary should have an attribute
called Cleartext-Password.

If the server doesn't recognize it, you need to:
- check for typos in your config/db entry, just in case
- make SURE you don't break the server (e.g. by changing something like the
default dictionary location)
- make SURE you use a new-enough version. For example, RHEL/CentOS 5 has
it under the name freeradius2 package.

pptpd does need some dictionary file modification, but you should make
it so that it uses SEPARATE directory from the one that FR is using.
Do NOT change anything in FR's dictionary directory.

Is that clear enough?

-- 
Fajar


Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Fajar A. Nugraha
On Wed, May 23, 2012 at 3:26 PM, Ali Jawad ali.ja...@splendor.net wrote:
 Hi Alan
 I did only add an include which I did remove now, the freeradius version is
 1.1.3 + freeradius-mysql from CentOS 5 repos

Upgrade. Seriously. Don't bother doing anything else until you upgrade.

Uninstall 1.1.3, install freeradius2 package (and the corresponding
freeradius2-mysql)



Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Alan DeKok
Ali Jawad wrote:
 Hi Alan
 I did only add an include which I did remove now, the freeradius version
 is 1.1.3 + freeradius-mysql from CentOS 5 repos

  sigh  It would have helped to say that at the start.

  Delete the 1.1.3 version.

  Install freeradius2.

  Alan DeKok.


Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Ali Jawad
Hi
I switched to freeradius2.

I did edit only sql.conf to the correct MySQL values and I did import
schema.sql from sql/mysql/. I did add a user to the new tables and that is
about all.

Now I get the below. I did NOT edit any other settings; is there something
that needs to be done so FR checks the database, like adding sql entries
to authorize{} and session{}?

+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 247 to 127.0.0.1 port 60798
Waking up in 4.9 seconds.
Cleaning up request 0 ID 247 with timestamp +18
Ready to process requests.

Regards


Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Fajar A. Nugraha
On Wed, May 23, 2012 at 4:11 PM, Ali Jawad ali.ja...@splendor.net wrote:

 is there something
 that needs to be done so FR checks in the database like adding sql entries
 to authorize{}

exactly. sites-available/default should be enough for pptpd since it
doesn't use EAP.
The comments on that file should be clear enough. Just uncomment sql
on authorize section.

 and session{}

only if you use simultaneous check. I suggest just ignore it for now.



Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Fajar A. Nugraha
On Wed, May 23, 2012 at 4:16 PM, Fajar A. Nugraha l...@fajar.net wrote:
 On Wed, May 23, 2012 at 4:11 PM, Ali Jawad ali.ja...@splendor.net wrote:

 is there something
 that needs to be done so FR checks in the database like adding sql entries
 to authorize{}

 exactly. sites-available/default should be enough for pptpd since it
 doesn't use EAP.
 The comments on that file should be clear enough. Just uncomment sql
 on authorize section.

... and don't forget to read radiusd.conf as well. Read the comments
there, and uncomment the line that includes sql.conf (since you didn't
mention it, you probably didn't do that either).



Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread alan buxey
hi,

sql support isn't turned on by default, as you need to have an SQL server, schema etc.

you need to ensure sql.conf is read and sql is enabled in the relevant sections


however, given that you are installing from a package you probably also need to 
install the
freeradius2-mysql or freeradius2-sql package too...which might set up some 
things for you


alan


Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Ali Jawad
Thanks for your patience so far.

I did edit the include for sql.conf and only edited authorize to uncomment the sql line.

Now I am getting the below.

[chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not
contain a CHAP-Password attribute!

I did try as LOCAL and it says set CHAP, I also tried mschap


##

Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 36343, id=0,
length=67
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = test
Calling-Station-Id = 
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[sql]   expand: %{User-Name} - test
[sql] sql_set_user escaped user -- 'test'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY
id - SELECT id, username, attribute, value, op   FROM radcheck
  WHERE username = 'test'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup
WHERE username = '%{SQL-User-Name}'   ORDER BY priority - SELECT
groupname   FROM radusergroup   WHERE username = 'test'
  ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,   Value, op
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'
ORDER BY id - SELECT id, groupname, attribute,   Value, op
  FROM radgroupcheck   WHERE groupname = 'normalusers'
ORDER BY id
[sql] User found in group normalusers
[sql]   expand: SELECT id, groupname, attribute,   value, op
FROM radgroupreply   WHERE groupname = '%{Sql-Group}'
ORDER BY id - SELECT id, groupname, attribute,   value, op
  FROM radgroupreply   WHERE groupname = 'normalusers'
ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not
contain a CHAP-Password attribute!
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 0 to 127.0.0.1 port 36343
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +8
Ready to process requests.


My DB entries are :

INSERT INTO `radcheck` (`id`, `username`, `attribute`, `op`, `value`) VALUES
(1, 'test', 'Cleartext-Password', '==', '123456');

INSERT INTO `radgroupcheck` (`id`, `groupname`, `attribute`, `op`, `value`)
VALUES
(1, 'normalusers', 'Auth-Type', '==', 'chap');

INSERT INTO `radgroupreply` (`id`, `groupname`, `attribute`, `op`, `value`)
VALUES
(1, 'normalusers', 'Framed-Compression', '=', 'Van-Jacobson-TCP-IP'),
(2, 'normalusers', 'Framed-Protocol', '=', 'PPP'),
(3, 'normalusers', 'Service-Type', '=', 'Framed-User');

INSERT INTO `radreply` (`id`, `username`, `attribute`, `op`, `value`) VALUES
(1, 'test', 'Framed-IP-Address', '=', '192.168.100.233');

INSERT INTO `radusergroup` (`username`, `groupname`, `priority`) VALUES
('test', 'normalusers', 1);


Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Alan DeKok
Ali Jawad wrote:
 Thanks for your patience so far.
 
 I did edit include sql.conf and only edited authorize to uncomment sql line.
 
 Now I am getting the below. 
 
 [chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not
 contain a CHAP-Password attribute!

  Because you forced Auth-Type := CHAP.  Don't do that.

 I did try as LOCAL and it says set CHAP, I also tried mschap

  It's MUCH better to *understand* what's going on.  Trying random
changes is terrible.

 Listening on proxy address * port 1814
 Ready to process requests.
 rad_recv: Access-Request packet from host 127.0.0.1 port 36343, id=0,
 length=67
 Service-Type = Framed-User
 Framed-Protocol = PPP
 User-Name = test
 Calling-Station-Id = 
 NAS-IP-Address = 127.0.0.1
 NAS-Port = 0

  There's no password in this request.  Use a RADIUS client that sends a
password!

  Whatever RADIUS client you're using is broken.  Don't use it.

  Alan DeKok.
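As an added example (not from the thread, and not the project's own SQL), here are the radcheck and radgroupcheck rows Ali posted placed next to the form Alan asks for: Cleartext-Password set with ':=' and no Auth-Type row. Column names follow the FreeRADIUS 2.x schema.sql the thread imports; 'test' / '123456' / 'normalusers' are the thread's own sample values, and the final audit query is an assumption about what is worth checking, not something the server does.

```sql
-- Added example, not from the thread. Tables are radcheck, radgroupcheck,
-- radgroupreply, radreply and radusergroup from FreeRADIUS 2.x schema.sql;
-- id columns are auto_increment and left out.

-- WRONG (as posted): '==' asks the server to COMPARE the row against the
-- incoming request instead of recording it as the known-good password.
-- The request never carries Cleartext-Password, so pap/chap/mschap later
-- log "No known good password found for the user".
-- INSERT INTO radcheck (username, attribute, op, value)
--   VALUES ('test', 'Cleartext-Password', '==', '123456');

-- WRONG (as posted): forcing Auth-Type from the database. The server picks
-- the method from what the request contains (CHAP-Password, MS-CHAP
-- attributes, User-Password); a forced CHAP fails as soon as a client sends
-- anything else, which is the thread's
-- "You set 'Auth-Type = CHAP' for a request that does not contain a
-- CHAP-Password attribute!" error.
-- INSERT INTO radgroupcheck (groupname, attribute, op, value)
--   VALUES ('normalusers', 'Auth-Type', '==', 'chap');

-- CORRECT: ':=' sets the known-good password as a control item. One
-- Cleartext-Password row serves PAP, CHAP and MS-CHAP/MS-CHAPv2, since the
-- modules derive what they need (CHAP response, NT hash) from the clear text.
DELETE FROM radcheck      WHERE username = 'test';
DELETE FROM radgroupcheck WHERE groupname = 'normalusers' AND attribute = 'Auth-Type';

INSERT INTO radcheck (username, attribute, op, value)
  VALUES ('test', 'Cleartext-Password', ':=', '123456');

-- Group membership and reply items are fine as posted: reply attributes use '='.
INSERT INTO radusergroup (username, groupname, priority)
  VALUES ('test', 'normalusers', 1);

INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('normalusers', 'Framed-Compression', '=', 'Van-Jacobson-TCP-IP'),
  ('normalusers', 'Framed-Protocol',    '=', 'PPP'),
  ('normalusers', 'Service-Type',       '=', 'Framed-User');

INSERT INTO radreply (username, attribute, op, value)
  VALUES ('test', 'Framed-IP-Address', '=', '192.168.100.233');

-- Audit query (assumption: a check a DBA might run, not a server feature).
-- Rows it returns are the mistakes from this thread: a password stored as a
-- comparison, the wrong attribute holding the password (Chap-Password, or
-- User-Password, which the server warns about and rewrites), or a forced
-- Auth-Type. An empty result is the expected state.
SELECT 'radcheck' AS tbl, username AS who, attribute, op
  FROM radcheck
 WHERE (attribute = 'Cleartext-Password' AND op <> ':=')
    OR attribute IN ('Chap-Password', 'User-Password')
    OR attribute = 'Auth-Type'
UNION ALL
SELECT 'radgroupcheck', groupname, attribute, op
  FROM radgroupcheck
 WHERE attribute = 'Auth-Type';
```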


Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Ali Jawad
Hi
I did install freeradius2-mysql, configured /etc/raddb/sql.conf and
included sql.conf in /etc/raddb/radius.conf and uncommented sql from
authorize section of default. I did also import schema.sql from sql/mysql/.
The queries show in the debug output but I am getting the error shown in
the last email.
Thanks
Regards


Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Fajar A. Nugraha
On Wed, May 23, 2012 at 4:48 PM, Ali Jawad ali.ja...@splendor.net wrote:

 Now I am getting the below.

 [chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not contain
 a CHAP-Password attribute!

 I did try as LOCAL and it says set CHAP, I also tried mschap

As Alan said, you shouldn't need to set Auth-Type manually. So don't do that


 ##

 Listening on proxy address * port 1814
 Ready to process requests.
 rad_recv: Access-Request packet from host 127.0.0.1 port 36343, id=0,
 length=67
         Service-Type = Framed-User
         Framed-Protocol = PPP
         User-Name = test
         Calling-Station-Id = 
         NAS-IP-Address = 127.0.0.1
         NAS-Port = 0

Which client generates this?

I highly suggest you try with radtest first. Once that works, you can
try it with pptpd (or whatever client that you're going to use)



Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Ali Jawad
Hi
Thanks again

I did remove Auth-Type entry from DB and error says now

rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds

I am using a pptpd server; it has the plugins radius.so and radattr.so
loaded. The radius client is:

rpm -qa | grep radiusclient
radiusclient-ng-utils-0.5.6-3.el5
radiusclient-ng-0.5.6-3.el5

Its radiusclient config is:

auth_order  radius
login_tries 4
login_timeout   60
nologin /etc/nologin
issue   /etc/radiusclient/issue
authserver  localhost:1812
acctserver  localhost:1813
servers /etc/radiusclient/servers
#dictionary  /etc/raddb/dictionary
dictionary  /usr/share/radiusclient-ng/dictionary
login_radius/usr/sbin/login.radius
seqfile /var/run/radius.seq
mapfile /etc/radiusclient/port-id-map
default_realm
radius_timeout  10
radius_retries  3
login_local /bin/login


Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Ali Jawad
Hi
I got it to work at least halfway; I changed the pptpd options from


-chap
-mschap
+mschap-v2
require-mppe

TO

+chap
+mschap
+mschap-v2
#require-mppe

And in MS Win 7 VPN settings I did set encryption to optional. This way I
can connect, see

++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address =
127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id =
4FBCBB330F5000,User-Name = test'
[acct_unique] Acct-Unique-Session-ID = 6bbdd9f2f808f872.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail]expand: %{Packet-Src-IP-Address} - 127.0.0.1
[detail]expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
- /var/log/radius/radacct/127.0.0.1/detail-20120523
[detail]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/detail-20120523
[detail]expand: %t - Wed May 23 11:25:55 2012
++[detail] returns ok
++[unix] returns ok
[radutmp]   expand: /var/log/radius/radutmp - /var/log/radius/radutmp
[radutmp]   expand: %{User-Name} - test
++[radutmp] returns ok
++[exec] returns noop
[attr_filter.accounting_response]   expand: %{User-Name} - test
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 27 to 127.0.0.1 port 50177
Finished request 2.
Cleaning up request 2 ID 27 with timestamp +15
 Going to the next request
Waking up in 4.7 seconds.


However, when I try to use MSCHAPV2 in the VPN settings, or if I require
encryption with the appropriate settings in pptpd, it fails.

Test example :

Set in VPN client in Win 7 to require encryption and MSCHAPV2 - default
options
Set pptpd options to :
-chap
-mschap
+mschap-v2
require-mppe

I get the following in radius

++[sql] returns ok
++[expiration] returns noop
rlm_logintime: Checking Login-Time: 'Al0800-1200'
rlm_logintime: timestr returned accept
rlm_logintime: Session-Timeout set to: 1200
++[logintime] returns ok
[pap] No clear-text password in the request.  Not performing PAP.
++[pap] returns noop
!!!
!!!Replacing User-Password in config items with Cleartext-Password.
!!!
!!!
!!! Please update your configuration so that the known good
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No User-Password or CHAP-Password attribute in the request.
Cannot perform authentication.
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 12 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 12
Sending Access-Reject of id 45 to 127.0.0.1 port 60652
Waking up in 4.9 seconds.
Cleaning up request 12 ID 45 with timestamp +591
Ready to process requests.

In short it works for chap but not mschap, any input please ?

Regards




On Wed, May 23, 2012 at 1:13 PM, Ali Jawad ali.ja...@splendor.net wrote:

 Hi
 Thanks again

 I did remove Auth-Type entry from DB and error says now

 rlm_sql (sql): Released sql socket id: 4
 ++[sql] returns ok
 ++[expiration] returns noop
 ++[logintime] returns noop
 [pap] WARNING! No known good password found for the user.
  Authentication may fail because of this.
 ++[pap] returns noop
 ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
 the user
 Failed to authenticate the user.
 Using Post-Auth-Type Reject
 # Executing group from file /etc/raddb/sites-enabled/default
 +- entering group REJECT {...}
 [attr_filter.access_reject] expand: %{User-Name} - test
 attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 0 for 1 seconds

 I am using a pptpd server, it has plugin radius.so plugin radattr.so
 loaded. The radius client is :

 rpm -qa | grep radiusclient
 radiusclient-ng-utils-0.5.6-3.el5
 radiusclient-ng-0.5.6-3.el5

 Its radiusclient config is:

 auth_order  radius
 login_tries 4
 login_timeout   60
 nologin /etc/nologin
 issue   /etc/radiusclient/issue
 authserver  localhost:1812
 acctserver  localhost:1813
 servers /etc

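The debug output above explains the MS-CHAPv2 rejection: the check items carry Auth-Type = Local and User-Password instead of Cleartext-Password, so after rlm_pap steps aside nothing can verify the MS-CHAP2-Response. The block below is an added example (not code from the thread, from pptpd or from FreeRADIUS) that lints one user's check items the way those warnings do, rewrites them, and derives the NT-Password that rlm_mschap can use in place of the cleartext. MD4 is written out because OpenSSL 3 moves it to its legacy provider, so hashlib.new('md4') is not reliably available; the sample rows for user test with the password 'password' are constructed, and the attribute names are the FreeRADIUS check-item names that appear in the log.

```python
import struct

# Added example (not code from the thread, from pptpd or from FreeRADIUS): lint
# one user's check items the way the server's warnings do, and derive the
# NT-Password that rlm_mschap can verify MS-CHAPv2 against.

_MASK = 0xFFFFFFFF


def _rotl(v, s):
    return ((v << s) | (v >> (32 - s))) & _MASK


def _f(x, y, z): return (x & y) | (~x & _MASK & z)
def _g(x, y, z): return (x & y) | (x & z) | (y & z)
def _h(x, y, z): return x ^ y ^ z


# (round function, additive constant, message-word order, shift amounts) per RFC 1320
_ROUNDS = (
    (_f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
    (_g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (_h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)


def _md4_block(state, block):
    x = struct.unpack('<16I', block)
    a, b, c, d = state
    for fn, k, order, shifts in _ROUNDS:
        for j, i in enumerate(order):
            a = _rotl((a + fn(b, c, d) + x[i] + k) & _MASK, shifts[j % 4])
            a, b, c, d = d, a, b, c          # rotate registers: the next step updates the old d
    return [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because OpenSSL 3 only ships it in its legacy provider."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b'\x80'
    msg += b'\x00' * ((56 - len(msg) % 64) % 64)
    msg += struct.pack('<Q', len(data) * 8)    # bit length, little-endian
    for off in range(0, len(msg), 64):
        state = _md4_block(state, msg[off:off + 64])
    return struct.pack('<4I', *state)


def nt_password(password: str) -> bytes:
    """NT-Password = MD4(UTF-16LE(password)); MS-CHAPv2 can only be checked against this or the cleartext."""
    return md4(password.encode('utf-16-le'))


def check_items_problems(rows):
    """rows: (attribute, op, value) check items for one user, as in radcheck or the users file.
    Returns the complaints the debug log makes about such rows."""
    attrs = {attr: value for attr, _op, value in rows}
    problems = []
    if attrs.get('Auth-Type', '').lower() == 'local':
        problems.append("Auth-Type := Local is obsolete; remove it and let pap/chap/mschap set Auth-Type")
    if 'User-Password' in attrs:
        problems.append("User-Password belongs in the request; store the known-good password as Cleartext-Password")
    if not {'Cleartext-Password', 'NT-Password'} & attrs.keys():
        problems.append("no Cleartext-Password or NT-Password, so CHAP and MS-CHAPv2 cannot be verified")
    return problems


def fix_check_items(rows, store_nt_hash=False):
    """Rewrite the rows so that pap, chap and mschap can all verify the user.
    With store_nt_hash=True the cleartext is replaced by its hex NT hash (pap and mschap still work; chap will not)."""
    fixed = []
    for attr, op, value in rows:
        if attr == 'Auth-Type' and value.lower() == 'local':
            continue                          # the WARNING line in the log
        if attr == 'User-Password':
            attr = 'Cleartext-Password'       # the '!!!' block in the log
        fixed.append((attr, op, value))
    if store_nt_hash:
        cleartext = [v for a, _o, v in fixed if a == 'Cleartext-Password']
        if cleartext:
            fixed = [r for r in fixed if r[0] != 'Cleartext-Password']
            fixed.append(('NT-Password', ':=', nt_password(cleartext[0]).hex().upper()))
    return fixed


# Constructed sample: check items of the kind the log above complains about, for user 'test'
SAMPLE_ROWS = [('Auth-Type', ':=', 'Local'), ('User-Password', ':=', 'password')]

if __name__ == '__main__':
    print(check_items_problems(SAMPLE_ROWS))
    print(fix_check_items(SAMPLE_ROWS))
    print(fix_check_items(SAMPLE_ROWS, store_nt_hash=True))
```

Whether the values sit in the users file or in radcheck, the shape is the same: one Cleartext-Password := row (or an NT-Password := row), and no Auth-Type row, because the pap, chap and mschap modules set Auth-Type themselves from what the request contains. A salted SHA or crypt hash cannot be turned into an NT hash, which is why a user store that holds only such hashes can serve PAP but never CHAP or MS-CHAP.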
Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Ali Jawad
In btw, I do not have any Auth-Type settings now.
Thanks

On Wed, May 23, 2012 at 1:42 PM, Ali Jawad ali.ja...@splendor.net wrote:

 Hi
 I got it to work at least half way, I did change pptpd options from


 -chap
 -mschap
 +mschap-v2
 require-mppe

 TO

 +chap
 +mschap
 +mschap-v2
 #require-mppe

 And in MS Win 7 VPN settings I did set encryption to optional. This way I
 can connect, see

 ++[preprocess] returns ok
 [acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address =
 127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id =
 4FBCBB330F5000,User-Name = test'
 [acct_unique] Acct-Unique-Session-ID = 6bbdd9f2f808f872.
 ++[acct_unique] returns ok
 [suffix] No '@' in User-Name = test, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 ++[files] returns noop
 # Executing section accounting from file /etc/raddb/sites-enabled/default
 +- entering group accounting {...}
 [detail]expand: %{Packet-Src-IP-Address} - 127.0.0.1
 [detail]expand:
 /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
 - /var/log/radius/radacct/127.0.0.1/detail-20120523
 [detail]
 /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
 expands to /var/log/radius/radacct/127.0.0.1/detail-20120523
 [detail]expand: %t - Wed May 23 11:25:55 2012
 ++[detail] returns ok
 ++[unix] returns ok
 [radutmp]   expand: /var/log/radius/radutmp - /var/log/radius/radutmp
 [radutmp]   expand: %{User-Name} - test
 ++[radutmp] returns ok
 ++[exec] returns noop
 [attr_filter.accounting_response]   expand: %{User-Name} - test
 attr_filter: Matched entry DEFAULT at line 12
 ++[attr_filter.accounting_response] returns updated
 Sending Accounting-Response of id 27 to 127.0.0.1 port 50177
 Finished request 2.
 Cleaning up request 2 ID 27 with timestamp +15
  Going to the next request
 Waking up in 4.7 seconds.


 However when I do try to use MSCHAPV2 in VPN settings or if I do require
 encryption with appropriate settings in pptpd it fails.

 Test example :

 Set in VPN client in Win 7 to require encryption and MSCHAPV2 - default
 options
 Set pptpd options to :
 -chap
 -mschap
 +mschap-v2
 require-mppe

 I get the following in radius

 ++[sql] returns ok
 ++[expiration] returns noop
 rlm_logintime: Checking Login-Time: 'Al0800-1200'
 rlm_logintime: timestr returned accept
 rlm_logintime: Session-Timeout set to: 1200
 ++[logintime] returns ok
 [pap] No clear-text password in the request.  Not performing PAP.
 ++[pap] returns noop

 !!!
 !!!Replacing User-Password in config items with Cleartext-Password.
   !!!

 !!!
 !!! Please update your configuration so that the known good
   !!!
 !!! clear text password is in Cleartext-Password, and not in
 User-Password. !!!

 !!!
 WARNING: Please update your configuration, and remove 'Auth-Type = Local'
 WARNING: Use the PAP or CHAP modules instead.
 No User-Password or CHAP-Password attribute in the request.
 Cannot perform authentication.
 Failed to authenticate the user.
 Using Post-Auth-Type Reject
 # Executing group from file /etc/raddb/sites-enabled/default
 +- entering group REJECT {...}
 [attr_filter.access_reject] expand: %{User-Name} - test
 attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 12 for 1 seconds
  Going to the next request
 Waking up in 0.9 seconds.
 Sending delayed reject for request 12
 Sending Access-Reject of id 45 to 127.0.0.1 port 60652
 Waking up in 4.9 seconds.
 Cleaning up request 12 ID 45 with timestamp +591
 Ready to process requests.

 In short it works for chap but not mschap, any input please ?

 Regards




 On Wed, May 23, 2012 at 1:13 PM, Ali Jawad ali.ja...@splendor.net wrote:

 Hi
 Thanks again

 I did remove Auth-Type entry from DB and error says now

 rlm_sql (sql): Released sql socket id: 4
 ++[sql] returns ok
 ++[expiration] returns noop
 ++[logintime] returns noop
 [pap] WARNING! No known good password found for the user.
  Authentication may fail because of this.
 ++[pap] returns noop
 ERROR: No authenticate method (Auth-Type) found for the request:
 Rejecting the user
 Failed to authenticate the user.
 Using Post-Auth-Type Reject
 # Executing group from file /etc/raddb/sites-enabled/default
 +- entering group REJECT {...}
 [attr_filter.access_reject] expand: %{User-Name} - test
 attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 0 for 1 seconds

 I am using a pptpd server, it has plugin radius.so plugin radattr.so
 loaded. The radius client is :

 rpm -qa | grep radiusclient
 radiusclient-ng-utils-0.5.6-3.el5
 radiusclient-ng-0.5.6-3.el5

 Its radiusclient config

RE: Help about debug mode and python

2012-05-23 Thread Vladimir KOLLA
Thank you for the answer, it was helpful :-)
Vlad.



-Original Message-
From: freeradius-users-bounces+kolla=netxp...@lists.freeradius.org 
[mailto:freeradius-users-bounces+kolla=netxp...@lists.freeradius.org] On Behalf 
Of Alan DeKok
Sent: mercredi 16 mai 2012 08:49
To: FreeRadius users mailing list
Subject: Re: Help about debug mode and python

Phil Mayers wrote:
 http://bugs.python.org/issue4434
 
 Warning: reading that bug will make you either sad or angry.

  Probably both.

 Use the static library, closing NOTABUG. Sigh.
 
 I believe it's fixed in Python 2.7.
 
 In my code, I worked around it by dlopen()ing libpython, as per the 
 1st suggestion in the above bug.

  I'll try adding that.

  Alan DeKok.


Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Matthew Newton
On Wed, May 23, 2012 at 01:42:56PM +0300, Ali Jawad wrote:
 I got it to work at least half way, I did change pptpd options from
 
 -chap
 -mschap
 +mschap-v2
 require-mppe
 
 TO
 
 +chap
 +mschap
 +mschap-v2
 #require-mppe

That's a lot of changes in one go (unless you tested each one
individually). I'd check you've got the right entries in the
microsoft dictionary for radiusclient (MS-MPPE-Send-Key,
MS-MPPE-Recv-Key etc).

For what it's worth, we got l2tp/ipsec working recently with
radiusclient. The pppd options include:

refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2

and you can connect from Windows just fine. No need for
CHAP/MSCHAP, or to disable encryption. I'd imagine pptp is similar
(albeit the final solution less secure - I don't believe anyone
has recommended pptp for new deployments for at least the last
five years).

However, radiusclient and radius.so are, from what I can tell,
ancient and seem in rather need of an overhaul. The dictionary
support is nasty, compared to the recent dictionary format.

I'm not sure who looks after them now, or if they are maintained.
I've just found radiusclient-ng, which looks more recent, but have
no experience of it.

But this is all mildly off-topic for FreeRADIUS...

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Alan DeKok
Matthew Newton wrote:
 I'm not sure who looks after them now, or if they are maintained.
 I've just found radiusclient-ng, which looks more recent, but have
 no experience of it.
 
 But this is all mildly off-topic for FreeRADIUS...

  radiusclient-ng is no longer developed.

  It has become freeradius-client. :)  See http://freeradius.org

  Even that is terrible.  I'm inclined to fix it once and for all.

  Alan DeKok.


Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Matthew Newton
On Wed, May 23, 2012 at 02:02:02PM +0200, Alan DeKok wrote:
 Matthew Newton wrote:
  I'm not sure who looks after them now, or if they are maintained.
  I've just found radiusclient-ng, which looks more recent, but have
  no experience of it.
  
  But this is all mildly off-topic for FreeRADIUS...
 
   radiusclient-ng is no longer developed.
 
   It has become freeradius-client. :)  See http://freeradius.org

Ah - thanks. I had it on my list to hack at the radiusclient code
to try and update it. 30 minutes ago, that list entry changed to
radiusclient-ng.

Looks like I'll be looking at the freeradius-client code instead
now... if I ever get time!

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Ali Jawad
Hi again
I did do some more reading and finally got radius to authenticate mschap, I
am using the users file to add users for the time being and no SQL. A user
can authenticate properly

See

Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 100 with timestamp +136
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 57868, id=101,
length=132
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = test
MS-CHAP-Challenge = 0x65c4689b30c27f604fcca7ba1370fdba
MS-CHAP2-Response =
0x31004bfca25ae57e8617e1e2d3cebde28904c4cd490b424b34bfa53ad8b65fb786d994c6f647dbdd001a
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry test at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: test
[mschap] Told to do MS-CHAPv2 for test with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 101 to 127.0.0.1 port 57868
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.16.3.33
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast-Listen
Framed-Filter-Id = std.ppp
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
MS-CHAP2-Success =
0x31533d433030354632344435303132433435414432344634334344343931374636363944453733
MS-MPPE-Recv-Key = 0x494fa970f9bb475a70b1b37179089b1d
MS-MPPE-Send-Key = 0x546cdc52da0bf3818284fe5e6c48332d
MS-MPPE-Encryption-Policy = 0x0002
MS-MPPE-Encryption-Types = 0x0004
Finished request 4.

but I get the following error on the pptpd side


May 23 13:30:01 pptp-test-100-13 pppd[7512]: rc_check_reply: received
invalid reply digest from RADIUS server

Any input please ?

Regards
On Wed, May 23, 2012 at 3:17 PM, Matthew Newton m...@leicester.ac.uk wrote:

 On Wed, May 23, 2012 at 02:02:02PM +0200, Alan DeKok wrote:
  Matthew Newton wrote:
   I'm not sure who looks after them now, or if they are maintained.
   I've just found radiusclient-ng, which looks more recent, but have
   no experience of it.
  
   But this is all mildly off-topic for FreeRADIUS...
 
radiusclient-ng is no longer developed.
 
It has become freeradius-client. :)  See http://freeradius.org

 Ah - thanks. I had it on my list to hack at the radiusclient code
 to try and update it. 30 minutes ago, that list entry changed to
 radiusclient-ng.

 Looks like I'll be looking at the freeradius-client code instead
 now... if I ever get time!

 Cheers,

 Matthew


 --
 Matthew Newton, Ph.D. m...@le.ac.uk

 Systems Architect (UNIX and Networks), Network Services,
 I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

 For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




-- 
Ali Jawad
Information Systems Manager
Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554

Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Ali Jawad
NM, posted too quickly, secrets were wrong, fiddling around with

Unsupported protocol 'IPv6 Control Protovol' (0x8057) received

after that it should work, will definitely post it up in a howto.

Regards

On Wed, May 23, 2012 at 3:31 PM, Ali Jawad ali.ja...@splendor.net wrote:

 Hi again
 I did do some more reading and finally got radius to authenticate mschap,
 I am using the users file to add users for the time being and no SQL. A
 user can authenticate properly

 See

 Going to the next request
 Waking up in 4.9 seconds.
 Cleaning up request 3 ID 100 with timestamp +136
 Ready to process requests.
 rad_recv: Access-Request packet from host 127.0.0.1 port 57868, id=101,
 length=132
 Service-Type = Framed-User
 Framed-Protocol = PPP
 User-Name = test
 MS-CHAP-Challenge = 0x65c4689b30c27f604fcca7ba1370fdba
 MS-CHAP2-Response =
 0x31004bfca25ae57e8617e1e2d3cebde28904c4cd490b424b34bfa53ad8b65fb786d994c6f647dbdd001a
  NAS-IP-Address = 127.0.0.1
 NAS-Port = 0
 # Executing section authorize from file /etc/raddb/sites-enabled/default
 +- entering group authorize {...}
 ++[preprocess] returns ok
 ++[chap] returns noop
 [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
 ++[mschap] returns ok
 ++[digest] returns noop
 [suffix] No '@' in User-Name = test, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 [eap] No EAP-Message, not doing EAP
 ++[eap] returns noop
 [files] users: Matched entry test at line 76
  ++[files] returns ok
 ++[expiration] returns noop
 ++[logintime] returns noop
 [pap] WARNING: Auth-Type already set.  Not setting to PAP
 ++[pap] returns noop
 Found Auth-Type = MSCHAP
 # Executing group from file /etc/raddb/sites-enabled/default
 +- entering group MS-CHAP {...}
 [mschap] Creating challenge hash with username: test
 [mschap] Told to do MS-CHAPv2 for test with NT-Password
 [mschap] adding MS-CHAPv2 MPPE keys
 ++[mschap] returns ok
 # Executing section post-auth from file /etc/raddb/sites-enabled/default
 +- entering group post-auth {...}
 ++[exec] returns noop
 Sending Access-Accept of id 101 to 127.0.0.1 port 57868
 Service-Type = Framed-User
 Framed-Protocol = PPP
 Framed-IP-Address = 172.16.3.33
 Framed-IP-Netmask = 255.255.255.0
 Framed-Routing = Broadcast-Listen
 Framed-Filter-Id = std.ppp
 Framed-MTU = 1500
 Framed-Compression = Van-Jacobson-TCP-IP
 MS-CHAP2-Success =
 0x31533d433030354632344435303132433435414432344634334344343931374636363944453733
 MS-MPPE-Recv-Key = 0x494fa970f9bb475a70b1b37179089b1d
 MS-MPPE-Send-Key = 0x546cdc52da0bf3818284fe5e6c48332d
 MS-MPPE-Encryption-Policy = 0x0002
 MS-MPPE-Encryption-Types = 0x0004
 Finished request 4.

 but I get the following error on the pptpd side


 May 23 13:30:01 pptp-test-100-13 pppd[7512]: rc_check_reply: received
 invalid reply digest from RADIUS server

 Any input please ?

 Regards

 On Wed, May 23, 2012 at 3:17 PM, Matthew Newton m...@leicester.ac.uk wrote:

 On Wed, May 23, 2012 at 02:02:02PM +0200, Alan DeKok wrote:
  Matthew Newton wrote:
   I'm not sure who looks after them now, or if they are maintained.
   I've just found radiusclient-ng, which looks more recent, but have
   no experience of it.
  
   But this is all mildly off-topic for FreeRADIUS...
 
radiusclient-ng is no longer developed.
 
It has become freeradius-client. :)  See http://freeradius.org

 Ah - thanks. I had it on my list to hack at the radiusclient code
 to try and update it. 30 minutes ago, that list entry changed to
 radiusclient-ng.

 Looks like I'll be looking at the freeradius-client code instead
 now... if I ever get time!

 Cheers,

 Matthew


 --
 Matthew Newton, Ph.D. m...@le.ac.uk

 Systems Architect (UNIX and Networks), Network Services,
 I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

 For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




 --
 *Ali Jawad
 *
 *Information Systems Manager*
 *Splendor Telecom (www.splendor.net)
 Beirut, Lebanon
 Phone: +9611373725/ext 116
 FAX: +9611375554*




-- 
Ali Jawad
Information Systems Manager
Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554

Re: Values for MySQL tables for pptpd ?

2012-05-23 Thread Alan DeKok
Ali Jawad wrote:
 May 23 13:30:01 pptp-test-100-13 pppd[7512]: rc_check_reply: received
 invalid reply digest from RADIUS server
 
 Any input please ?

  Fix the RADIUS shared secrets.

  Alan DeKok.

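Alan's one-line diagnosis is the whole story behind rc_check_reply: before trusting a reply, the RADIUS client recomputes the Response Authenticator of RFC 2865, MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret), and discards the packet when the digest does not match, which is exactly what the pppd log line reports. The block below is an added example (not code from the thread, from radiusclient or from FreeRADIUS) that builds an Access-Accept carrying the same Framed-IP-Address and packet id as the accept in Ali's log and checks it with the matching secret, a mismatched secret and a modified attribute; the secret, request authenticator and attribute values are constructed samples.

```python
import hashlib
import hmac
import socket
import struct

# Added example: the RFC 2865 Response Authenticator check that a RADIUS client
# (here pppd's radius plugin, via radiusclient) performs on every reply.
# Not code from the thread, radiusclient or FreeRADIUS.

SECRET = b'testing123'            # constructed sample shared secret
REQUEST_AUTH = bytes(range(16))   # constructed; a real client draws 16 random bytes per request
ACCEPT_ATTRS = [                  # a subset of the Access-Accept shown in the log above
    (6, struct.pack('!I', 2)),                 # Service-Type = Framed-User
    (7, struct.pack('!I', 1)),                 # Framed-Protocol = PPP
    (8, socket.inet_aton('172.16.3.33')),      # Framed-IP-Address
]


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length, value."""
    return b''.join(struct.pack('BB', t, len(v) + 2) + v for t, v in attrs)


def response_authenticator(header, request_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_reply(code, ident, request_auth, attrs, secret):
    """What the server sends: 4-byte header, 16-byte Response Authenticator, attributes."""
    body = encode_attrs(attrs)
    header = struct.pack('!BBH', code, ident, 20 + len(body))
    return header + response_authenticator(header, request_auth, body, secret) + body


def check_reply(packet, request_auth, secret):
    """What the client does before trusting a reply; False is radiusclient's
    'received invalid reply digest from RADIUS server'."""
    if len(packet) < 20:
        return False
    header, digest, body = packet[:4], packet[4:20], packet[20:]
    if struct.unpack('!H', header[2:4])[0] != len(packet):
        return False
    expected = response_authenticator(header, request_auth, body, secret)
    return hmac.compare_digest(expected, digest)   # constant-time comparison


def demo():
    """Verdicts for the matching secret, a mismatched secret and a modified attribute."""
    pkt = build_reply(2, 101, REQUEST_AUTH, ACCEPT_ATTRS, SECRET)   # code 2 = Access-Accept, id 101 as in the log
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])                  # flip one bit of Framed-IP-Address
    return {
        'right_secret': check_reply(pkt, REQUEST_AUTH, SECRET),
        'wrong_secret': check_reply(pkt, REQUEST_AUTH, b'not-the-same-secret'),
        'tampered': check_reply(tampered, REQUEST_AUTH, SECRET),
    }


if __name__ == '__main__':
    print(demo())
```

The secret in clients.conf on the FreeRADIUS side and the one in the NAS's servers file for the radiusclient library must be byte-for-byte identical. The same secret also protects MS-MPPE-Send-Key and MS-MPPE-Recv-Key (RFC 2548 encrypts them with the secret and the request authenticator), so a mismatch would break MPPE key agreement even if the digest check were skipped; the Message-Authenticator attribute (an HMAC-MD5 keyed with the secret) adds a second, per-attribute check on top of this one.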

more EAP/TTLS trouble

2012-05-23 Thread Steve Hopps
I've got authentication with Android and Linux clients working using
EAP/TTLS and PAP, however Windows and OSX clients don't seem to work.
This is a log of a Windows 7 client. I was able to get iphones working
with a special config, but the same method doesn't seem to work for
OSX. Any help you could offer is appreciated

Log follows, with secure bits edited out:

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov
14 2010 at 21:12:30
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
user = freerad
group = freerad
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/freeradius
libdir = /usr/lib/freeradius
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/freeradius/freeradius.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
radiusd:  Loading Clients 
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = -removed-
shortname = localhost
 }

-EDITED: Client entries removed-

 radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module exec from file /etc/freeradius/radiusd.conf
  exec {
wait = yes
input_pairs = request
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module expr from file /etc/freeradius/radiusd.conf
 Module: Linked to module rlm_expiration
 Module: Instantiating module expiration from file
/etc/freeradius/radiusd.conf
  expiration {
reply-message = Password Has Expired  
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module logintime from file /etc/freeradius/radiusd.conf
  logintime {
reply-message = You are calling outside your allowed timespan  
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module pap from file /etc/freeradius/radiusd.conf
  pap {
encryption_scheme = auto
auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module chap from file /etc/freeradius/radiusd.conf
 Module: Linked to module rlm_pam
 Module: Instantiating module pam from file /etc/freeradius/radiusd.conf
  pam {
pam_auth = radiusd
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module eap from file /etc/freeradius/eap.conf
  eap {
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
challenge = Password: 
auth_type = PAP
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = /etc/ssl/private/-removed-_generic.key
certificate_file = /etc/ssl/certs/-removed-_generic.crt
CA_file = /etc/ssl/certs/-removed-_ca.crt
dh_file = /etc/freeradius/certs/dh
random_file = /dev/urandom
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = DEFAULT
make_cert_command = /etc/freeradius/certs/bootstrap
cache {
enable = no
   

Re: more EAP/TTLS trouble

2012-05-23 Thread Alan DeKok
Steve Hopps wrote:
 I've got authentication with Android and Linux clients working using
 EAP/TTLS and PAP, however Windows and OSX clients don't seem to work.
 This is a log of a Windows 7 client. I was able to get iphones working
 with a special config, but the same method doesn't seem to work for
 OSX. Any help you could offer is appreciated

  This is pretty definitive:

 [peap] Length Included
 [peap] eaptls_verify returned 11
 [peap]  TLS 1.0 Alert [length 0002], fatal unknown_ca
 TLS Alert read:fatal:unknown CA
 TLS_accept: failed in SSLv3 read client certificate A
 rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
 alert unknown ca
 SSL: SSL_read failed inside of TLS (-1), TLS session fails.

  IIRC, it means that the client doesn't have the same CA as the server.
 So it gets the server's certificate, and goes huh?.  It then sends an
unknown CA back to the server.

  The solution is to add the CA to the client PC.

  Alan DeKok.


Re: more EAP/TTLS trouble

2012-05-23 Thread Alan Buxey


The log shows the client is using PEAP and is failing at the certificate level 
- does the client have the CA for your server installed?

You're also using 2.1.10 which is old and has bugs


alan


Re: more EAP/TTLS trouble

2012-05-23 Thread Phil Mayers

On 23/05/12 16:16, Alan DeKok wrote:


rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.


   IIRC, it means that the client doesn't have the same CA as the server.
  So it gets the server's certificate, and goes huh?.  It then sends an
unknown CA back to the server.

   The solution is to add the CA to the client PC.


For what it's worth, it would be *really* handy to be able to trigger a 
log message (with controllable format) when this happened; possibly a 
trigger?



Re: How do I find out the query error?

2012-05-23 Thread Coizado
Hi there Alan DeKok-2,

Just came by to say thanks for your kind response and to let you know that I
fixed the problem by trying the queries manually until I got them all
working.

Thank you very much.

Best Regards.



Re: How do I find out the query error?

2012-05-23 Thread Alan DeKok
Coizado wrote:
 Hi there Alan DeKok-2,
 
 Just came by to say thanks for your kind response and to let you know that I
 fixed the problem by trying the queries manually until I got them all
 working.
 
 Thank you very much.

  You're welcome.  It's what I do.

  Alan DeKok.


SSHA512

2012-05-23 Thread Alex Needham
Hi

Are there any plans to support SSHA512 with the 4000 ish folds etc. as
this is pretty much the default for most linux distros these days?

Thanks

JH