Problem with ip pools

2005-03-31 Thread Sébastien Cantos
Hi,

I'm using ip pools to manage my client ips from the radius side. 
Here's my conf:
 * users file :
DEFAULT Service-Type == Framed-User, Pool-Name := main_pool
    Framed-Protocol = PPP,
    Framed-MTU = 576

 * radiusd.conf file:
ippool main_pool {
    range-start = 192.168.52.2
    range-stop = 192.168.52.254
    netmask = 255.255.255.0
    cache-size = 800
    session-db = ${raddbdir}/db.ippool
    ip-index = ${raddbdir}/db.ipindex
}

Everything works well for some days, then my clients cannot get
IPs from the radius anymore. I've found a way to correct this by deleting
the db.ip* files and restarting the radius but this is not *clean*.
Is there a way to dump the content of the ippool database?
I want to understand how IPs are freed from the pool because I think that
there's a problem when a client disconnects. It seems that IPs stay in the
pool as used even if the client has disconnected.
Thanks in advance for your help.

Regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Problem with ip pools

2005-03-31 Thread Sébastien Cantos
Hi,

The main_pool line in the accounting section of the radiusd.conf file was
commented out ... Maybe that was my mistake.
Ok for the rlm_ippool_tool, I'm gonna use it to see if my modification of
radiusd.conf is working or not. I was not using accounting at all so I forgot
about it but it seems that I will have to configure it well to get the ip_pool
working.
Thanks for answering.

Best regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA 

 -----Original Message-----
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]] On behalf of Kostas Kalevras
 Sent: Thursday, 31 March 2005 13:47
 To: freeradius-users@lists.freeradius.org
 Subject: Re: Problem with ip pools

 On Thu, 31 Mar 2005, Sébastien Cantos wrote:

  Hi,

  I'm using ip pools to manage my client ips from the radius side.
  Here's my conf:
  * users file :
  DEFAULT Service-Type == Framed-User, Pool-Name := main_pool
      Framed-Protocol = PPP,
      Framed-MTU = 576

  * radiusd.conf file:
  ippool main_pool {
      range-start = 192.168.52.2
      range-stop = 192.168.52.254
      netmask = 255.255.255.0
      cache-size = 800
      session-db = ${raddbdir}/db.ippool
      ip-index = ${raddbdir}/db.ipindex
  }

  Everything works well for some days, then my clients cannot get
  IPs from the radius anymore. I've found a way to correct this by deleting
  the db.ip* files and restarting the radius but this is not *clean*.
  Is there a way to dump the content of the ippool database?
  I want to understand how IPs are freed from the pool because I think that
  there's a problem when a client disconnects. It seems that IPs stay in the
  pool as used even if the client has disconnected.
  Thanks in advance for your help.

 There's rlm_ippool_tool which might help you in src/modules/rlm_ippool.
 rlm_ippool depends on accounting working ok. If it is not working then you
 might get into problems. The module *does* have a few more methods of
 finding out stale records and deleting them:
 1. maximum-timeout directive. You can set that to the maximum session time
    expected in your network (if that can be calculated) in order to make
    sure no ip remains active for more time than maximum-timeout.
 2. Each time an authentication request is performed from a nas ip/port pair
    which has already an ip allocated that ip is cleaned up. That means that
    as long as your ip pool is as large as your nas ports number it will be
    difficult to run out of available ip's.

 My suggestion is to make sure you don't run an old version of the module
 (older version did have problems) and to take a closer look at how well
 your accounting works.
 
 
 
 
 --
 Kostas Kalevras   Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone:   +30 210 7721861
 'Go back to the shadow'   Gandalf
 




RE: Problem with ip pools

2005-03-31 Thread Sébastien Cantos
Still no luck. I made a connection, then disconnected, but the IP is still
in the databases. I would like to understand if accounting is working well.
The only thing I know is that files in
[EMAIL PROTECTED]:/usr/local/var/log/radius/radacct/192.168.10.8 are being
filled. (192.168.10.8 is a cisco router which acts as a NAS forwarding
NAS requests).

[EMAIL PROTECTED]:/usr/local/var/log/radius/radacct/192.168.10.8# cat auth-detail-20050331
Packet-Type = Access-Request
Thu Mar 31 14:31:55 2005
Framed-Protocol = PPP
User-Name = masqued
CHAP-Password = masqued
NAS-Port-Type = Virtual
NAS-Port = 135
Calling-Station-Id = masqued
Called-Station-Id = masqued
Service-Type = Framed-User
NAS-IP-Address = 192.168.10.8
Client-IP-Address = 192.168.10.8
CHAP-Challenge = masqued

[EMAIL PROTECTED]:/usr/local/var/log/radius/radacct/192.168.10.8# cat reply-detail-20050331
Packet-Type = Access-Accept
Thu Mar 31 14:31:55 2005
Framed-Protocol = PPP
Framed-MTU = 576
Framed-IP-Address = 192.168.52.79
Framed-IP-Netmask = 255.255.255.0

Does this mean that accounting is working ?

Regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA 
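
Added example (not part of the thread, and not rlm_ippool's code): a simplified Python model of the three ways a lease is freed according to the reply quoted earlier in this thread: an accounting Stop, the maximum-timeout directive, and a new authentication from the same NAS IP/port pair. The class and function names and the 120-second session spacing are assumptions; the pool range and NAS address are the ones posted in the thread.

```python
import ipaddress


class IPPoolModel:
    """Toy lease table keyed by (NAS IP, NAS port). Hypothetical model only."""

    def __init__(self, range_start, range_stop, maximum_timeout=0):
        first = int(ipaddress.IPv4Address(range_start))
        last = int(ipaddress.IPv4Address(range_stop))
        self.addresses = [ipaddress.IPv4Address(n) for n in range(first, last + 1)]
        self.maximum_timeout = maximum_timeout  # seconds, 0 = never expire
        self.leases = {}                        # (nas_ip, nas_port) -> (ip, since)

    def _expire(self, now):
        # Release path 1: no lease may live longer than maximum-timeout.
        if self.maximum_timeout > 0:
            self.leases = {
                key: (ip, since)
                for key, (ip, since) in self.leases.items()
                if now - since < self.maximum_timeout
            }

    def allocate(self, nas_ip, nas_port, now):
        """Called at authentication time; returns an address or None."""
        self._expire(now)
        key = (nas_ip, nas_port)
        # Release path 2: a new login on the same NAS IP/port frees the old lease.
        self.leases.pop(key, None)
        in_use = {ip for ip, _ in self.leases.values()}
        for ip in self.addresses:
            if ip not in in_use:
                self.leases[key] = (ip, now)
                return ip
        return None  # pool exhausted: the client gets no Framed-IP-Address

    def accounting_stop(self, nas_ip, nas_port):
        # Release path 3: the pool is told about the Stop in the accounting section.
        return self.leases.pop((nas_ip, nas_port), None) is not None


def simulate(sessions, nas_ports, accounting, maximum_timeout=0):
    """Run `sessions` short logins, 120 s apart, cycling over `nas_ports` ports.

    Returns how many logins were refused an address.
    """
    pool = IPPoolModel("192.168.52.2", "192.168.52.254", maximum_timeout)
    nas_ip = "192.168.10.8"
    refused = 0
    for i in range(sessions):
        port = i % nas_ports
        if pool.allocate(nas_ip, port, now=i * 120) is None:
            refused += 1
        elif accounting:
            pool.accounting_stop(nas_ip, port)  # client hangs up, Stop reaches pool
    return refused


if __name__ == "__main__":
    # Pool never hears about disconnects and port numbers keep changing.
    print("no accounting, 1000 ports:", simulate(400, 1000, accounting=False))
    # Same traffic, but every Stop reaches the pool.
    print("accounting, 1000 ports:   ", simulate(400, 1000, accounting=True))
    # No accounting, but fewer ports than addresses: port reuse frees leases.
    print("no accounting, 200 ports: ", simulate(400, 200, accounting=False))
    # No accounting, many ports, stale leases capped at one hour.
    print("no accounting, timeout:   ", simulate(400, 1000, False, 3600))
```

In this model the only run that refuses logins is the one where the pool gets no Stop, has no maximum-timeout, and sees more distinct NAS ports than it has addresses (253 in the posted range).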



RE: rlm_ldap - Attribute User-Password is required for authentication

2005-03-08 Thread Sébastien Cantos
I had the same problem a few weeks ago. In fact the ldap wasn't returning
the user-password so it wasn't working. Check with ldapsearch to make the
query directly to the ldap as if you were the radius and I think that you
will see that the userpassword is not returned.

 rlm_ldap: bind as / to localhost:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with

Make sure that the user/password in radiusd.conf for the user that will make
the search in the ldap is valid. I think that the radius is binding
anonymously on the ldap so it can read passwords. Another thing to note is
that you have to store passwords in clear text into the ldap. 

ldap {
    server = myserver.mydomain.com
    identity = cn=some_user_that_can_read_passwords_on_the_ldap
    password = password_for_this_user


Regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA 

 -----Original Message-----
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]] On behalf of guest01
 Sent: Tuesday, 8 March 2005 15:44
 To: freeradius-users@lists.freeradius.org
 Subject: Re: rlm_ldap - Attribute User-Password is required for authentication

 hm, radius is very strange  Can anyone please help me?
 this is the logfile output after testing with radexample:

 rad_recv: Access-Request packet from host 127.0.0.1:1025, id=40, length=66
 User-Name = testuser
 User-Password = 123456
 Service-Type = Authenticate-Only
 NAS-IP-Address = 127.0.0.1
 NAS-Port = 0
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 0
   modcall[authorize]: module preprocess returns ok for request 0
 users: Matched DEFAULT at 152
   modcall[authorize]: module files returns ok for request 0
 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for testuser
 radius_xlat:  '((objectclass=gibraltarUser)(uid=testuser))'
 radius_xlat:  'ou=users,dc=gibraltar,dc=local'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to localhost:389, authentication 0
 rlm_ldap: bind as / to localhost:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with filter ((objectclass=gibraltarUser)(uid=testuser))
 rlm_ldap: checking if remote access for testuser is allowed by isVPNUser
 rlm_ldap: looking for check items in directory...
 rlm_ldap: looking for reply items in directory...
 rlm_ldap: user testuser authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap returns ok for request 0
 modcall: group authorize returns ok for request 0
   rad_check_password:  Found Auth-Type LDAP
 auth: type LDAP
   Processing the authenticate section of radiusd.conf
 modcall: entering group Auth-Type for request 0
 rlm_ldap: - authenticate
 rlm_ldap: login attempt by testuser with password 123456
 rlm_ldap: user DN: uid=testuser,ou=users,dc=gibraltar,dc=local
 rlm_ldap: (re)connect to localhost:389, authentication 1
 rlm_ldap: bind as uid=testuser,ou=users,dc=gibraltar,dc=local/123456 to localhost:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind was successful
 rlm_ldap: user testuser authenticated succesfully
   modcall[authenticate]: module ldap returns ok for request 0
 modcall: group Auth-Type returns ok for request 0
 Sending Access-Accept of id 40 to 127.0.0.1:1025
 Finished request 0
 Going to the next request
 --- Walking the entire request list ---
 Waking up in 6 seconds...
 --- Walking the entire request list ---
 Cleaning up request 0 ID 40 with timestamp 422db560
 Nothing to do.  Sleeping until we see a request.
 
 and this is the output after trying to connect via pptpd with winxp prof.
 Ready to process requests.
 rad_recv: Access-Request packet from host 127.0.0.1:1025, id=41, length=54
 Service-Type = Framed-User
 Framed-Protocol = PPP
 User-Name = testuser
 NAS-IP-Address = 66.150.161.140
 NAS-Port = 0
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 0
   modcall[authorize]: module preprocess returns ok for request 0
 users: Matched DEFAULT at 152
 users: Matched DEFAULT at 171
 users: Matched DEFAULT at 183
   modcall[authorize]: module files returns ok for request 0
 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for testuser
 radius_xlat:  '((objectclass=gibraltarUser)(uid=testuser))'
 radius_xlat:  'ou=users,dc=gibraltar,dc=local'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to localhost:389, authentication 0
 rlm_ldap: bind as / to localhost:389
 

RE: rlm_ldap - Attribute User-Password is required for authentication

2005-03-08 Thread Sébastien Cantos
So maybe it's a NAS problem. Are you sure that the NAS is sending the
userpassword in the request ? 

--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA 

 -----Original Message-----
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]] On behalf of guest01
 Sent: Tuesday, 8 March 2005 16:16
 To: freeradius-users@lists.freeradius.org
 Subject: Re: rlm_ldap - Attribute User-Password is required for authentication

 Sébastien Cantos wrote:

  I had the same problem a few weeks ago. In fact the ldap wasn't returning
  the user-password so it wasn't working. Check with ldapsearch to make the
  query directly to the ldap as if you were the radius and I think that you
  will see that the userpassword is not returned.

 Thxs for your help, but it still doesn't work  :-(

 Ok, I store the passwords in cleartext (just base64encoded), ldapsearch
 works:

  ldapsearch -x -D cn=Manager,dc=gibraltar,dc=local -w secret ((objectclass=gibraltaruser)(uid=testuser)) userPassword
 # extended LDIF
 #
 # LDAPv3
 # base  with scope sub
 # filter: ((objectclass=gibraltaruser)(uid=testuser))
 # requesting: userPassword
 #
 
 # testuser, users, gibraltar.local
 dn: uid=testuser,ou=users,dc=gibraltar,dc=local
 userPassword:: MTIzNDU2
 
 # search result
 search: 2
 result: 0 Success
 
 
  Make sure that the user/password in radiusd.conf for the user that will make
  the search in the ldap is valid. I think that the radius is binding
  anonymously on the ldap so it can read passwords. Another thing to note is
  that you have to store passwords in clear text into the ldap.

  ldap {
      server = myserver.mydomain.com
      identity = cn=some_user_that_can_read_passwords_on_the_ldap
      password = password_for_this_user

 hm, my LDAP is still in testing, therefore everyone is allowed
 everything... But I also tried it with the rootdn, but no difference. But I
 don't think that's the problem, because the authorization part works fine,
 user testuser authorized to use remote access, just that damned
 authentication part ...

 rad_recv: Access-Request packet from host 127.0.0.1:1025, id=55, length=54
 Service-Type = Framed-User
 Framed-Protocol = PPP
 User-Name = testuser
 NAS-IP-Address = 69.25.27.173
 NAS-Port = 0
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 0
 users: Matched DEFAULT at 153
 users: Matched DEFAULT at 172
 users: Matched DEFAULT at 185
   modcall[authorize]: module files returns ok for request 0
 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for testuser
 radius_xlat:  '((objectclass=gibraltarUser)(uid=testuser))'
 radius_xlat:  'ou=users,dc=gibraltar,dc=local'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to localhost:389, authentication 0
 rlm_ldap: bind as cn=Manager,dc=gibraltar,dc=local/secret to localhost:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with filter ((objectclass=gibraltarUser)(uid=testuser))
 rlm_ldap: checking if remote access for testuser is allowed by isVPNUser
 rlm_ldap: performing search in uid=testuser,ou=radius,dc=gibraltar,dc=local, with filter (objectclass=radiusprofile)
 rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP  op=21
 rlm_ldap: looking for check items in directory...
 rlm_ldap: looking for reply items in directory...
 rlm_ldap: user testuser authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap returns ok for request 0
 modcall: group authorize returns ok for request 0
   rad_check_password:  Found Auth-Type LDAP
 auth: type LDAP
   Processing the authenticate section of radiusd.conf
 modcall: entering group Auth-Type for request 0
 rlm_ldap: - authenticate
 rlm_ldap: Attribute User-Password is required for authentication.
   modcall[authenticate]: module ldap returns invalid for request 0
 modcall: group Auth-Type returns invalid for request 0
 auth: Failed to validate the user.
 Delaying request 0 for 1 seconds
 Finished request 0
 Going to the next request
 --- Walking the entire request list ---
 Waking up in 1 seconds...
 --- Walking the entire request list ---
 Waking up in 1 seconds...
 --- Walking the entire request list ---
 Sending Access-Reject of id 55 to 127.0.0.1:1025
 Waking up in 4 seconds...
 --- Walking the entire request list ---
 Cleaning up request 0 ID 55 with timestamp 422dc076
 Nothing to do.  Sleeping until we see a request.
 
 Any other ideas? How did you solve your problem?
 
 
 regards
 peda
 
 
 
 
 

RE: Ip pool management

2005-03-03 Thread Sébastien Cantos
Yes you are right. Launching the server in debug mode told me that Pool-name
is a check item and that it should be on the first line. The problem is that
it is complaining:
rlm_ippool: could not find Pool-Name attribute

For my *newbie* understanding, if the Pool-name is a check item it should be
in the request I get from my clients. Am I right?
If yes, I can't modify the request I got from the NAS (it's not mine). So is
there a way to use ippool without this check item?
Thanks for your help.

Regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA 

 -----Original Message-----
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]] On behalf of Alan DeKok
 Sent: Wednesday, 2 March 2005 18:50
 To: freeradius-users@lists.freeradius.org
 Subject: Re: Ip pool management
 
 Sébastien Cantos [EMAIL PROTECTED] wrote:
  I've followed instructions in radiusd.conf :
  My users file looks like this:
  DEFAULT Service-Type == Framed-User
  Pool-Name := osiris-pool,
 
   You did not follow the instructions in radiusd.conf.  The
 Pool-Name attribute should go on the first line.
 
   If you had run the server in debugging mode, the server would have
 told you this.
 
   Alan DeKok.
 
 


RE: Ip pool management

2005-03-03 Thread Sébastien Cantos
Ok it works with :

DEFAULT Service-Type == Framed-User, Pool-Name := main_pool
    Framed-Protocol = PPP,
    Framed-MTU = 576

Thanks a lot for your help.

Kind Regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA 

 -----Original Message-----
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]] On behalf of Alan DeKok
 Sent: Thursday, 3 March 2005 17:41
 To: freeradius-users@lists.freeradius.org
 Subject: Re: Ip pool management
 
 Sébastien Cantos [EMAIL PROTECTED] wrote:
  The problem is  that it is complaining:
  rlm_ippool: could not find Pool-Name attribute
 
   The *module* is printing that message because the Pool-Name
 attribute is not found in the list of check items.
 
  For my *newbie* understanding, if the Pool-name is a check item it
  should be in the request I get from my clients.
 
   No.  Nothing in the server documentation would lead you to that
 conclusion.  The documentation would lead you to the *correct*
 conclusion, which is that the check items are not the request items.
 
   Alan DeKok.
 


RE: Ip pool management

2005-03-02 Thread Sébastien Cantos
Hi,

I've followed instructions in radiusd.conf :
My users file looks like this:
DEFAULT Service-Type == Framed-User
    Pool-Name := osiris-pool,
    Framed-Protocol = PPP,
    Framed-MTU = 576

And in my radiusd.conf I've:
post-auth {
    #  Get an address from the IP Pool.
    #   main_pool
    osiris-pool
    ...
}

modules {
    ...
    ippool osiris-pool {
        range-start = 192.168.52.1
        range-stop = 192.168.52.254
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
    }
}

I get this error :
rlm_ippool: could not find Pool-Name attribute 

And my client doesn't get back the IP. 

I surely miss something  Could someone help me please ?

Regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA 

 -----Original Message-----
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]] On behalf of Alan DeKok
 Sent: Tuesday, 1 March 2005 18:50
 To: freeradius-users@lists.freeradius.org
 Subject: Re: Ip pool management

 Sébastien Cantos [EMAIL PROTECTED] wrote:
  I would like to configure my radius to give the first available IP in the
  subnet 192.168.52.0/24 without caring about the NAS modem number.
  Is there a way to configure this ?
 
   Read radiusd.conf.  Look for ippool
 
   Alan DeKok.
 


Ip pool management

2005-03-01 Thread Sébastien Cantos
Hi,

I've something like this in my user file:
DEFAULT Service-Type == Framed-User
    Framed-Protocol = PPP,
    Framed-MTU = 576,
    Framed-IP-Address = 192.168.52.1+,
    Framed-IP-Netmask = 255.255.255.0

I've noticed that the IP on the client side depends on the NAS modem number.
For example if modem is number 1 the IP is 192.168.52.1, if modem is number
10, ip is 192.168.52.10.
I would like to configure my radius to give the first available IP in the
subnet 192.168.52.0/24 without caring about the NAS modem number.
Is there a way to configure this ?


Regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA




RE: FreeRadius with LDAP

2005-02-18 Thread Sébastien Cantos
Rlm_ldap needs some openldap libraries to compile well on solaris. One
solution is to install OpenLDAP even if you use Sun LDAP. This way the
module will compile.

Regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA 

 -----Original Message-----
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]] On behalf of Michael Mitchell
 Sent: Friday, 18 February 2005 13:30
 To: freeradius-users@lists.freeradius.org
 Subject: Re: FreeRadius with LDAP

 dbx is your friend...

 But check to see that the ldap module actually built... unless you've
 got things installed in the default places, it can take a little work to
 get the ldap module to compile on Solaris...

 José Berenguer wrote:
  Hello!

  We are trying to authenticate the last version of freeradius (1.0.1)
  in Solaris 9 against LDAP and we are always getting the same error when
  we try to start radius with the command:

  /usr/local/sbin/radiusd -S -X

  You can view the radiusd.conf and users files, and the error we
  get is this:
  
  Module: Loaded exec
  exec: wait = yes
  exec: program = (null)
  exec: input_pairs = request
  exec: output_pairs = (null)
  exec: packet_type = (null)
  rlm_exec: Wait=yes but no output defined. Did you mean output=none?
  Module: Instantiated exec (exec)
  Module: Loaded expr
  Module: Instantiated expr (expr)
  Module: Loaded PAP
  pap: encryption_scheme = crypt
  Module: Instantiated pap (pap)
  Module: Loaded CHAP
  Module: Instantiated chap (chap)
  Segmentation Fault
  
Anyone can help us?
  
Thanks very much!
  
 
 


LDAP + CHAP problem

2005-01-26 Thread Sébastien Cantos
Hello,

I'm trying to figure out how to make freeradius work with LDAP and CHAP
authentication.
My user file looks like this:

DEFAULT Service-Type = Framed-User
    Framed-Protocol = PPP,
    Framed-IP-Address = 192.168.10.100+,
    Framed-IP-Netmask = 255.255.255.0

And in my radiusd.conf I've something like this:
modules {
    ...
    chap {
        authtype = CHAP
    }
    ldap {
        server = myserver
        basedn = ou=devices,o=group,dc=toto,dc=com
        filter = (cn=%u)
        ldap_connections_number = 5
        password_header = {clear}
        password_attribute = userPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }

}

authorize {
    chap
    ldap
    files
}

authenticate {
    Auth-Type CHAP {
        chap
    }

    Auth-Type LDAP {
        ldap
    }
}

Everything is working well with the radtest utility which sends User-Password
Attribute, but when I try to authenticate a client that sends
Chap-password I've the following output:

rlm_ldap: user  authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
users: Matched DEFAULT at 4
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authtype for request 0
  rlm_chap: login attempt by  with CHAP password
  rlm_chap: Could not find clear text password for user 
  modcall[authenticate]: module chap returns invalid for request 0
modcall: group authtype returns invalid for request 0
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available): [/CHAP-Password] (from client radiusFT port 99 cli 490760808)


I've read a lot of posts and FAQs but didn't find any solution. Can anyone
help me in solving this problem please ?
Thanks in advance

Best regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA
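
Added example (not part of the original post, and not FreeRADIUS code): the CHAP check from RFC 1994 as a RADIUS server has to perform it. It shows why the "Clear text password not available" condition in the log above ends the attempt: the server must recompute MD5(id + password + challenge) itself, so a hashed directory entry or a missing password value cannot be used. Function names and all sample values are constructed.

```python
import base64
import hashlib
import hmac


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def make_chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """What the NAS sends as CHAP-Password (RFC 2865): 1-byte id + 16-byte MD5.

    The password itself never leaves the client, so the server has nothing
    it could pass on to an LDAP bind.
    """
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)


def ssha(password: bytes, salt: bytes) -> bytes:
    """Salted SHA-1 in the {SSHA} form often stored in userPassword."""
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def verify_chap(chap_password: bytes, challenge: bytes, cleartext):
    """Server-side check.

    `cleartext` is the password the directory lookup produced, or None when
    no usable clear-text value came back.
    """
    if len(chap_password) != 17:
        raise ValueError("CHAP-Password must be 17 octets")
    if cleartext is None:
        return "no-cleartext"  # nothing to feed into MD5: cannot decide
    expected = chap_response(chap_password[0], cleartext, challenge)
    if hmac.compare_digest(expected, chap_password[1:]):
        return "accept"
    return "reject"


def demo():
    challenge = bytes(range(16))      # constructed; a NAS uses random octets
    password = b"s3cret-example"      # constructed user password
    attr = make_chap_password(7, password, challenge)
    return {
        # Directory returned the real clear-text password.
        "cleartext": verify_chap(attr, challenge, password),
        # Directory returned a different clear-text password.
        "wrong": verify_chap(attr, challenge, b"other"),
        # Directory holds only a hash: using it as the secret never matches.
        "hash_as_secret": verify_chap(attr, challenge, ssha(password, b"salt")),
        # Directory returned no password attribute at all.
        "missing": verify_chap(attr, challenge, None),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} {outcome}")
```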

