Auth type change when it called through asterisk.
Hi, I have successfully done my authentication and authorization with perl and digest in mixed mode, and the radius server replies with Access-Accept packets. But when I tried to call through Asterisk, the server tried to authenticate again and rejected. The auth type turned into local again even though I put perl and digest. How can the auth type be perl and digest when I call through Asterisk?

*This is the output log after the server authenticates a user:*

rad_recv: Access-Request packet from host 192.168.1.227 port 32958, id=215, length=259 User-Name = [EMAIL PROTECTED] Digest-Attributes = \n\005100 Digest-Attributes = \001\017192.168.1.227 Digest-Attributes = \002*4832e5db308756e206b4536810ea3e70cf300c66 Digest-Attributes = \004\023sip:192.168.1.227 Digest-Attributes = \003\nREGISTER Digest-Response = 805279e87b5ef1a7bc640350165079ff Service-Type = SIP Sip-URI-User = 100 Cisco-AVPair = call-id= [EMAIL PROTECTED] NAS-IP-Address = 127.0.0.1 NAS-Port = 5060 +- entering group authorize ++[preprocess] returns ok perl_pool: item 0x98c2a88 asigned new request. 
Handled so far: 1 found interpetator at address 0x98c2a88 rlm_perl: Added pair Digest-Response = 805279e87b5ef1a7bc640350165079ff rlm_perl: Added pair Service-Type = SIP rlm_perl: Added pair Cisco-AVPair = call-id= [EMAIL PROTECTED] rlm_perl: Added pair User-Name = [EMAIL PROTECTED] rlm_perl: Added pair Sip-URI-User = 100 rlm_perl: Added pair NAS-IP-Address = 127.0.0.1 rlm_perl: Added pair NAS-Port = 5060 rlm_perl: Added pair Digest-Attributes = \n\005100 rlm_perl: Added pair Digest-Attributes = \001\017192.168.1.227 rlm_perl: Added pair Digest-Attributes = \002*4832e5db308756e206b4536810ea3e70cf300c66 rlm_perl: Added pair Digest-Attributes = \004\023sip:192.168.1.227 rlm_perl: Added pair Digest-Attributes = \003\nREGISTER rlm_perl: Added pair Cleartext-Password = 100 perl_pool total/active/spare [32/0/32] Unreserve perl at address 0x98c2a88 ++[perl] returns ok rlm_digest: Adding Auth-Type = DIGEST ++[digest] returns ok rlm_realm: Looking up realm 192.168.1.227 for User-Name = [EMAIL PROTECTED] rlm_realm: No such realm 192.168.1.227 ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rad_check_password: Found Auth-Type DIGEST auth: type digest +- entering group authenticate rlm_digest: Converting Digest-Attributes to something sane... 
Digest-User-Name = 100 Digest-Realm = 192.168.1.227 Digest-Nonce = 4832e5db308756e206b4536810ea3e70cf300c66 Digest-URI = sip:192.168.1.227 Digest-Method = REGISTER A1 = 100:192.168.1.227:100 A2 = REGISTER:sip:192.168.1.227 H(A1) = fc0ea6eaea4a4b50ad280e803f4bd6a2 H(A2) = fbf27b090821dd0f71c0a0dda09e5e8e KD = fc0ea6eaea4a4b50ad280e803f4bd6a2:4832e5db308756e206b4536810ea3e70cf300c66:fbf27b090821dd0f71c0a0dda09e5e8e EXPECTED 805279e87b5ef1a7bc640350165079ff RECEIVED 805279e87b5ef1a7bc640350165079ff ++[digest] returns ok Login OK: [EMAIL PROTECTED]/via Auth-Type = DIGEST] (from client 192.168.1.227 port 5060) +- entering group post-auth perl_pool: item 0x9997960 asigned new request. Handled so far: 1 found interpetator at address 0x9997960 rlm_perl: Added pair Digest-User-Name = 100 rlm_perl: Added pair Digest-Response = 805279e87b5ef1a7bc640350165079ff rlm_perl: Added pair Service-Type = SIP rlm_perl: Added pair Digest-URI = sip:192.168.1.227 rlm_perl: Added pair Digest-Realm = 192.168.1.227 rlm_perl: Added pair Cisco-AVPair = call-id= [EMAIL PROTECTED] rlm_perl: Added pair Digest-Method = REGISTER rlm_perl: Added pair User-Name = [EMAIL PROTECTED] rlm_perl: Added pair Sip-URI-User = 100 rlm_perl: Added pair Digest-Nonce = 4832e5db308756e206b4536810ea3e70cf300c66 rlm_perl: Added pair NAS-IP-Address = 127.0.0.1 rlm_perl: Added pair NAS-Port = 5060 rlm_perl: Added pair Digest-Attributes = \n\005100 rlm_perl: Added pair Digest-Attributes = \001\017192.168.1.227 rlm_perl: Added pair Digest-Attributes = \002*4832e5db308756e206b4536810ea3e70cf300c66 rlm_perl: Added pair Digest-Attributes = \004\023sip:192.168.1.227 rlm_perl: Added pair Digest-Attributes = \003\nREGISTER rlm_perl: Added pair Cleartext-Password = 100 rlm_perl: Added pair Auth-Type = digest perl_pool total/active/spare [32/0/32] Unreserve perl at address 0x9997960 ++[perl] returns ok Sending Access-Accept of id 215 to 192.168.1.227 port 32958 Finished request 1. 
Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 214 with timestamp +5 Cleaning up request 1 ID 215 with timestamp +5 Ready to process requests.

*This is the output log after the server rejects a user when it is called through Asterisk:*

rad_recv: Access-Request packet from host 192.168.1.227 port 33036, id=222, length=104 Called-Station-Id = 200 Calling-Station-Id = 100 User-Name =
Re: How to activate the accounting sub section in perl script
add perl to the accounting section in whatever virtual server you are running, enable the accounting part in the perl config (in experimental.conf) and ensure you have an accounting subroutine in your perl module

alan

Hi, I am a new user of freeradius and this is the first time that I am configuring freeradius. As advised by Alan I've done all the possible steps to activate the accounting section. These are the things I've changed:

1. I've added an entry perl to the accounting sub section in the default file.
2. Included an entry of perl { } in the module { } sub section in radiusd.conf.
3. And I already had an accounting sub module in my perl script.

Unfortunately I didn't find any execution of my queries (start_accounting_query and stop_accounting_query). Please tell me the simplest way to test my accounting queries to make them work, or please provide me the simplest accounting query to check the accounting module if possible.

*Here is the log output when it runs in debug mode*

FreeRADIUS Version 2.0.3, for host i686-pc-linux-gnu, built on May 7 2008 at 16:45:53 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... 
including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/clients.conf including configuration file /usr/local/etc/raddb/snmp.conf including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/sql.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including dictionary file /usr/local/etc/raddb/dictionary main { prefix = /usr/local localstatedir = /usr/local/var logdir = /usr/local/var/log/radius libdir = /usr/local/lib radacctdir = /usr/local/var/log/radius/radacct hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = /usr/local/var/run/radiusd/radiusd.pid checkrad = /usr/local/sbin/checkrad debug_level = 0 proxy_requests = yes security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = testing123 shortname = localhost nastype = other } client 192.168.1.227 { require_message_authenticator = no secret = johnson } radiusd: Loading Realms and Home Servers radiusd: Instantiating modules instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = request shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = Password Has Expired } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = You are calling outside your allowed timespan minimum-timeout = 60 } } radiusd: Loading Virtual Servers server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_perl Module: Instantiating perl perl { module = 
/usr/local/etc/raddb/myperltemp.pl func_authorize = authorize func_authenticate = authenticate func_accounting = accounting func_preacct = preacct func_checksimul = checksimul func_detach = detach func_xlat = xlat func_pre_proxy = pre_proxy func_post_proxy = post_proxy func_post_auth = post_auth } perl { max_clones = 32 start_clones = 32 min_spare_clones = 0 max_spare_clones = 32 cleanup_delay = 5 max_request_per_clone = 0 } Module: Linked to module rlm_digest Module: Instantiating digest Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = /usr/local/etc/raddb/huntgroups hints = /usr/local/etc/raddb/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = suffix delimiter = @ ignore_default = no ignore_null = no } Module: Linked to module rlm_eap
How to activate the accounting sub section in perl script
Hi, I am doing my AAA in a perl script for radius 2.0.3. Can anybody please tell me how I activate the accounting subsection in my perl program? I didn't find any execution of my queries in the accounting sub section in my perl script.

With Regards,
Johnson Elangbam

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thank you kalik
Hi Kalik, After a long pause, I've successfully done the authorization on my radius server by using digest and perl authentication in mixed mode. As per your advice I put the digest entry first, before the perl authentication, in the default file, and after that I've put in a line of perl code, `$RAD_CHECK{'Cleartext-Password'} = $mypassword;`, where the password is fetched from the database. And finally the server starts reading the cleartext password and starts calculating the md5 encryption and successfully authorized a user.

Lastly, I thank all the members of this forum who are dedicated here to helping solve complex problems in a complicated environment, especially Ivan Kalik, who was much involved regarding my problem of not getting my digest attributes. Thank you for your valuable time and consideration.

With Regards,
Johnson Elangbam
Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce'.
You are (again) sending a request without Digest-Attributes. Try sending one with them.

Ivan Kalik
Kalik Informatika ISP

Hi, I checked all the client's attributes and started sending the Digest attributes. Now the problem is I can't get those attributes in my perl code by accessing them using RAD_REQUEST or RAD_CHECK, so that I can calculate my ha1, ha2 for md5 encryption. Please help.

Output log file when run in debug mode by using radiusd -X:

rad_recv: Access-Request packet from host 192.168.1.227 port 32817, id=222, length=262 User-Name = [EMAIL PROTECTED] Digest-Attributes = \n\006john Digest-Attributes = \001\017192.168.1.227 Digest-Attributes = \002*48281f56caacb6aa62fc3bb31ec98146efeaae15 Digest-Attributes = \004\023sip:192.168.1.227 Digest-Attributes = \003\nREGISTER Digest-Response = 9ae01536efc46358e61f2fe362552af4 Service-Type = SIP Sip-URI-User = john Cisco-AVPair = call-id= [EMAIL PROTECTED] NAS-IP-Address = 127.0.0.1 NAS-Port = 5060 +- entering group authorize ++[preprocess] returns ok perl_pool: item 0x8d08568 asigned new request. 
Handled so far: 1 found interpetator at address 0x8d08568 rlm_perl: ### rlm_perl: RAD_REQUEST: Digest-Response = 9ae01536efc46358e61f2fe362552af4 rlm_perl: RAD_REQUEST: Service-Type = SIP rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id= [EMAIL PROTECTED] rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED] rlm_perl: RAD_REQUEST: Sip-URI-User = john rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1 rlm_perl: RAD_REQUEST: NAS-Port = 5060 rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x8df353c) rlm_perl: ### rlm_perl: Added pair Digest-Response = 9ae01536efc46358e61f2fe362552af4 rlm_perl: Added pair Service-Type = SIP rlm_perl: Added pair Cisco-AVPair = call-id= [EMAIL PROTECTED] rlm_perl: Added pair User-Name = [EMAIL PROTECTED] rlm_perl: Added pair Sip-URI-User = john rlm_perl: Added pair NAS-IP-Address = 127.0.0.1 rlm_perl: Added pair NAS-Port = 5060 rlm_perl: Added pair Digest-Attributes = \n\006john rlm_perl: Added pair Digest-Attributes = \001\017192.168.1.227 rlm_perl: Added pair Digest-Attributes = \002*48281f56caacb6aa62fc3bb31ec98146efeaae15 rlm_perl: Added pair Digest-Attributes = \004\023sip:192.168.1.227 rlm_perl: Added pair Digest-Attributes = \003\nREGISTER rlm_perl: Added pair Reply-Message = Incorrect Password perl_pool total/active/spare [32/0/32] Unreserve perl at address 0x8d08568 ++[perl] returns ok rlm_digest: Adding Auth-Type = DIGEST ++[digest] returns ok rlm_realm: Looking up realm 192.168.1.227 for User-Name = [EMAIL PROTECTED] rlm_realm: No such realm 192.168.1.227 ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rad_check_password: Found Auth-Type DIGEST auth: type digest +- entering group authenticate rlm_digest: Cleartext-Password or Digest-HA1 is required for authentication. ++[digest] returns invalid auth: Failed to validate the user. 
Login incorrect: [EMAIL PROTECTED]/via Auth-Type = DIGEST] (from client 192.168.1.227 port 5060) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} - [EMAIL PROTECTED] attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.1.227 port 32818, id=223, length=262 User-Name = [EMAIL PROTECTED] Digest-Attributes = \n\006john Digest-Attributes = \001\017192.168.1.227 Digest-Attributes = \002*48281f56caacb6aa62fc3bb31ec98146efeaae15 Digest-Attributes = \004\023sip:192.168.1.227 Digest-Attributes = \003\nREGISTER Digest-Response = 9ae01536efc46358e61f2fe362552af4 Service-Type = SIP Sip-URI-User = john Cisco-AVPair = call-id= [EMAIL PROTECTED] NAS-IP-Address = 127.0.0.1 NAS-Port = 5060 +- entering group authorize ++[preprocess] returns ok perl_pool: item 0x8e67348 asigned new request. Handled so far: 1 found interpetator at address 0x8e67348 rlm_perl: ### rlm_perl: RAD_REQUEST: Digest-Response = 9ae01536efc46358e61f2fe362552af4 rlm_perl: RAD_REQUEST: Service-Type = SIP rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id= [EMAIL PROTECTED] rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED] rlm_perl: RAD_REQUEST: Sip-URI-User = john rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1 rlm_perl: RAD_REQUEST: NAS-Port = 5060 rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x8efce0c) rlm_perl: ### rlm_perl: Added pair Digest-Response =
Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
Hi, I am using freeradius 2.0.3 with radiusclient-ng 0.5.6. I need to use the following attributes, 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response', in my perl code to do my md5 calculation. Unfortunately I can't get any of the values except Digest-Response; hopefully I've tried all the alternatives that were posted by Ivan Kalik earlier.

1. I've uncommented all the digest entries in the sites-enabled/default file and I've uncommented out all the perl entries from the default.
2. I've tried accessing the digest attributes in my perl code by using RAD_CHECK as well as RAD_CHECK. But it doesn't work.

Can anybody please tell me whether it is possible to call the digest attributes in the perl code? If it is possible, please show me how to call these attributes ('Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'). Or could the problem of not getting the digest attributes be caused by incompatible dictionaries of the radius client and radius server? Please help, I am really confused about where the problem is. Thanks for your valuable time.

*Here are the output files when running in debug mode before authenticating a user*

FreeRADIUS Version 2.0.3, for host i686-pc-linux-gnu, built on May 7 2008 at 16:45:53 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... 
including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/clients.conf including configuration file /usr/local/etc/raddb/snmp.conf including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/sql.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including dictionary file /usr/local/etc/raddb/dictionary main { prefix = /usr/local localstatedir = /usr/local/var logdir = /usr/local/var/log/radius libdir = /usr/local/lib radacctdir = /usr/local/var/log/radius/radacct hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = /usr/local/var/run/radiusd/radiusd.pid checkrad = /usr/local/sbin/checkrad debug_level = 0 proxy_requests = yes security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = testing123 shortname = localhost nastype = other } client 192.168.1.227 { require_message_authenticator = no secret = johnson shortname = mynetwork nastype = other } radiusd: Loading Realms and Home Servers radiusd: Instantiating modules instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = request shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = Password Has Expired } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = You are calling outside your allowed timespan minimum-timeout = 60 } } radiusd: Loading Virtual Servers server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: 
Instantiating digest Module: Linked to module rlm_perl Module: Instantiating perl perl { module = /usr/local/etc/raddb/myperltemp.pl func_authorize = authorize func_authenticate = authenticate func_accounting = accounting func_preacct = preacct func_checksimul = checksimul func_detach = detach func_xlat = xlat func_pre_proxy = pre_proxy func_post_proxy = post_proxy func_post_auth = post_auth } perl { max_clones = 32 start_clones = 32 min_spare_clones = 0 max_spare_clones = 32 cleanup_delay = 5 max_request_per_clone = 0 } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = /usr/local/etc/raddb/huntgroups hints = /usr/local/etc/raddb/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack =
Re:Re Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
Good. Now you are getting Digest-Attributes. Now uncomment the digest entry in the authorize section of default or whatever virtual server is processing this.

Hi Kalik, As per your instruction I've uncommented all the digest entries in the authorize and authenticate sections in the sites-enabled/default file; unfortunately I still didn't get the values of these attributes in my perl code to authenticate. I am confused about what I should emphasize, please help.

*I am submitting here the complete radius log when it runs in debug mode before authenticating a user*

FreeRADIUS Version 2.0.3, for host i686-pc-linux-gnu, built on Apr 9 2008 at 21:42:16 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/clients.conf including configuration file /usr/local/etc/raddb/snmp.conf including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/sql.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including dictionary file /usr/local/etc/raddb/dictionary main { prefix = /usr/local localstatedir = /usr/local/var logdir = /usr/local/var/log/radius libdir = /usr/local/lib radacctdir = /usr/local/var/log/radius/radacct hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = /usr/local/var/run/radiusd/radiusd.pid checkrad = /usr/local/sbin/checkrad debug_level = 0 proxy_requests = yes security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 
require_message_authenticator = no secret = testing123 shortname = localhost nastype = other } client 192.168.1.227 { require_message_authenticator = no secret = johnson } radiusd: Loading Realms and Home Servers radiusd: Instantiating modules instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = request shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = Password Has Expired } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = You are calling outside your allowed timespan minimum-timeout = 60 } } radiusd: Loading Virtual Servers server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_perl Module: Instantiating perl perl { module = /usr/local/etc/raddb/myperltemp.pl func_authorize = authorize func_authenticate = authenticate func_accounting = accounting func_preacct = preacct func_checksimul = checksimul func_detach = detach func_xlat = xlat func_pre_proxy = pre_proxy func_post_proxy = post_proxy func_post_auth = post_auth } perl { max_clones = 32 start_clones = 32 min_spare_clones = 0 max_spare_clones = 32 cleanup_delay = 5 max_request_per_clone = 0 } Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = auto auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_digest Module: Instantiating digest Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = /usr/local/etc/raddb/huntgroups hints = /usr/local/etc/raddb/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to 
module rlm_realm Module: Instantiating suffix realm suffix { format = suffix delimiter = @ ignore_default = no ignore_null = no } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = md5 timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating
Re:Re Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
You are asking your questions on the wrong list. There is nothing you can do on a radius server in order to get those attributes if the radius client is not sending Digest-Attributes. Direct your question to SER server support.

Hi Kalik, After I made some changes in the dictionary of the radius server I can see the output sending digest attributes from the client, but I still didn't get the values at the radius server. Is it a problem with my configuration of the radius server, or may it be some other client configuration? Please advise, sorry for posting the same question again. Please tell me the possible problems of not getting these values: 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'

Here is the full output when I run in debug mode:

rad_recv: Access-Request packet from host 192.168.1.227 port 33093, id=86, length=271 User-Name = [EMAIL PROTECTED] Digest-Attributes = 0x0a096a6f686e736f6e Digest-Attributes = 0x010f3139322e3136382e312e323237 Digest-Attributes = 0x022a34383166353136663737396231653364366365313331653738656462346265393931356634386439 Digest-Attributes = 0x04137369703a3139322e3136382e312e323237 Digest-Attributes = 0x030a5245474953544552 Digest-Response = b8f4759b0c4462aaa56edd1794da872a Service-Type = Sip-Session Sip-Uri-User = johnson Cisco-AVPair = call-id= [EMAIL PROTECTED] NAS-IP-Address = 127.0.0.1 NAS-Port = 5060 +- entering group authorize ++[preprocess] returns ok perl_pool: item 0x89260f0 asigned new request. 
Handled so far: 1 found interpetator at address 0x89260f0 rlm_perl: ### rlm_perl: RAD_REQUEST: Digest-Response = b8f4759b0c4462aaa56edd1794da872a rlm_perl: RAD_REQUEST: Service-Type = Sip-Session rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id= [EMAIL PROTECTED] rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED] rlm_perl: RAD_REQUEST: Sip-Uri-User = johnson rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1 rlm_perl: RAD_REQUEST: NAS-Port = 5060 rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x89dd638) rlm_perl: ### rlm_perl: Added pair Digest-Response = b8f4759b0c4462aaa56edd1794da872a rlm_perl: Added pair Service-Type = Sip-Session rlm_perl: Added pair Cisco-AVPair = call-id= [EMAIL PROTECTED] rlm_perl: Added pair User-Name = [EMAIL PROTECTED] rlm_perl: Added pair Sip-Uri-User = johnson rlm_perl: Added pair NAS-IP-Address = 127.0.0.1 rlm_perl: Added pair NAS-Port = 5060 rlm_perl: Added pair Digest-Attributes = 0x0a096a6f686e736f6e rlm_perl: Added pair Digest-Attributes = 0x010f3139322e3136382e312e323237 rlm_perl: Added pair Digest-Attributes = 0x022a34383166353136663737396231653364366365313331653738656462346265393931356634386439 rlm_perl: Added pair Digest-Attributes = 0x04137369703a3139322e3136382e312e323237 rlm_perl: Added pair Digest-Attributes = 0x030a5245474953544552 rlm_perl: Added pair Reply-Message = Incorrect Password perl_pool total/active/spare [32/0/32] Unreserve perl at address 0x89260f0 ++[perl] returns reject Invalid user: [EMAIL PROTECTED]/no User-Password attribute] (from client 192.168.1.227 port 5060) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} - [EMAIL PROTECTED] attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. 
rad_recv: Access-Request packet from host 192.168.1.227 port 33094, id=87, length=271 User-Name = [EMAIL PROTECTED] Digest-Attributes = 0x0a096a6f686e736f6e Digest-Attributes = 0x010f3139322e3136382e312e323237 Digest-Attributes = 0x022a34383166353136663737396231653364366365313331653738656462346265393931356634386439 Digest-Attributes = 0x04137369703a3139322e3136382e312e323237 Digest-Attributes = 0x030a5245474953544552 Digest-Response = b8f4759b0c4462aaa56edd1794da872a Service-Type = Sip-Session Sip-Uri-User = johnson Cisco-AVPair = call-id= [EMAIL PROTECTED] NAS-IP-Address = 127.0.0.1 NAS-Port = 5060 +- entering group authorize ++[preprocess] returns ok perl_pool: item 0x8a20548 asigned new request. Handled so far: 1 found interpetator at address 0x8a20548 rlm_perl: ### rlm_perl: RAD_REQUEST: Digest-Response = b8f4759b0c4462aaa56edd1794da872a rlm_perl: RAD_REQUEST: Service-Type = Sip-Session rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id= [EMAIL PROTECTED] rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED] rlm_perl: RAD_REQUEST: Sip-Uri-User = johnson rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1 rlm_perl: RAD_REQUEST: NAS-Port = 5060 rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x8ab7bd0) rlm_perl:
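Each Digest-Attributes value in the debug output on this page is a type/length/value sub-attribute, and the A1/A2/KD lines of the successful REGISTER log show how the expected response is derived from them. The Perl script below is an added example, not code from any poster or from FreeRADIUS: it decodes both printed forms seen in the logs (escaped string and 0x hex) and recomputes the response for user 100. The hash name `%request`, the function names, and the assumption that each array element is in the form the debug log prints are illustrative.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Sub-attribute numbers confirmed by the "Converting Digest-Attributes" output
# on this page; any other number is reported as Unknown-<n>.
my %SUBATTR = (
    1  => 'Digest-Realm',
    2  => 'Digest-Nonce',
    3  => 'Digest-Method',
    4  => 'Digest-URI',
    10 => 'Digest-User-Name',
);

# Turn one printed value into raw bytes. Handles the two forms in the logs:
# "0x..." hex, and a string with \n, \r, \t, \\, \" and \ooo octal escapes.
sub printed_to_bytes {
    my ($text) = @_;
    return pack('H*', $1) if $text =~ /\A0x((?:[0-9a-fA-F]{2})+)\z/;
    my %simple = (n => "\n", r => "\r", t => "\t", '\\' => '\\', '"' => '"');
    (my $bytes = $text) =~
        s{\\([0-7]{3}|[nrt\\"])}{ length($1) == 3 ? chr(oct($1)) : $simple{$1} }ge;
    return $bytes;
}

# Split raw bytes into [type, value] pairs. Layout per sub-attribute:
# type (1 byte), length (1 byte, includes the 2 header bytes), value.
sub parse_subattrs {
    my ($bytes) = @_;
    my @pairs;
    my ($pos, $end) = (0, length $bytes);
    while ($pos < $end) {
        die "truncated sub-attribute header\n" if $end - $pos < 2;
        my ($type, $len) = unpack('CC', substr($bytes, $pos, 2));
        die "bad sub-attribute length $len\n"
            if $len < 2 || $pos + $len > $end;
        push @pairs, [ $type, substr($bytes, $pos + 2, $len - 2) ];
        $pos += $len;
    }
    return @pairs;
}

# Decode a list of printed Digest-Attributes values into a name => value hash.
sub decode_digest_attributes {
    my ($list) = @_;    # array ref, one printed value per element
    my %digest;
    for my $text (@$list) {
        for my $pair (parse_subattrs(printed_to_bytes($text))) {
            my ($type, $value) = @$pair;
            $digest{ $SUBATTR{$type} // "Unknown-$type" } = $value;
        }
    }
    return \%digest;
}

# Response without qop: MD5(H(A1):nonce:H(A2)), the KD line in the debug output.
sub expected_response {
    my ($d, $password) = @_;
    my $ha1 = md5_hex(join(':', $d->{'Digest-User-Name'}, $d->{'Digest-Realm'}, $password));
    my $ha2 = md5_hex(join(':', $d->{'Digest-Method'}, $d->{'Digest-URI'}));
    return md5_hex(join(':', $ha1, $d->{'Digest-Nonce'}, $ha2));
}

# Constructed request hash; the values are copied from the successful
# REGISTER log for user 100 on this page (escaped-string form).
my %request = (
    'Digest-Response'   => '805279e87b5ef1a7bc640350165079ff',
    'Digest-Attributes' => [
        '\n\005100',
        '\001\017192.168.1.227',
        '\002*4832e5db308756e206b4536810ea3e70cf300c66',
        '\004\023sip:192.168.1.227',
        '\003\nREGISTER',
    ],
);

# The same kind of data in the 0x hex form, copied from the log directly above.
my @hex_form = qw(
    0x0a096a6f686e736f6e
    0x010f3139322e3136382e312e323237
    0x022a34383166353136663737396231653364366365313331653738656462346265393931356634386439
    0x04137369703a3139322e3136382e312e323237
    0x030a5245474953544552
);

my $d = decode_digest_attributes($request{'Digest-Attributes'});
printf "%-16s = %s\n", $_, $d->{$_} for sort keys %$d;

my $password = '100';    # Cleartext-Password shown in the same log
my $expected = expected_response($d, $password);
print "EXPECTED $expected\n";
print "RECEIVED $request{'Digest-Response'}\n";
print $expected eq $request{'Digest-Response'} ? "match\n" : "mismatch\n";

my $h = decode_digest_attributes(\@hex_form);
printf "hex form: %-16s = %s\n", $_, $h->{$_} for sort keys %$h;
```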
Re:Re Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
Your radius client is not sending Digest-Attributes. It's sending Ascend VSAs. Read your NAS documentation on how to set up digest authentication if you want that.

Hi Kalik, I am really sorry to post the same question again. As per your instruction I have checked all the client configurations, radiusclient.conf as well as the SER configuration ser.cfg, and I've uncommented all the modules in ser.cfg that particularly help to do digest authentication, but the problem of not getting the values of the digest attributes still exists. I am using radiusclient 0.5.6 and SER 0.9.6; could the problem be incompatible versions between the radius server and the radius clients or SER? Please tell me the possible problems of not getting these values: 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'. And please tell me the things that I should change in the radius server configuration to get these digest attributes.

For information, I am including the debug output when run with radiusd -X:

rad_recv: Access-Request packet from host 192.168.1.227 port 33526, id=92, length=252 User-Name = [EMAIL PROTECTED] X-Ascend-Netware-timeout = 1785686126 X-Ascend-Send-Secret = 0x3139322e3136382e312e323237 X-Ascend-Receive-Secret = 0x3438316339313763326231623731373133343937623838636165613864326437326534653832 X-Ascend-IP-Pool-Definition = sip:192.168.1.227 X-Ascend-IPX-Peer-Mode = 0x5245474953544552 Digest-Response = 6d1bf8eacbbddb82a606811f7e5c76ae Service-Type = IAPP-Register X-Ascend-PW-Lifetime = 1785686126 Cisco-AVPair = call-id= [EMAIL PROTECTED] NAS-IP-Address = 127.0.0.1 NAS-Port = 5060 +- entering group authorize ++[preprocess] returns ok perl_pool: item 0x9f48768 asigned new request. 
Handled so far: 1 found interpetator at address 0x9f48768 rlm_perl: ### rlm_perl: RAD_REQUEST: Digest-Response = 6d1bf8eacbbddb82a606811f7e5c76ae rlm_perl: RAD_REQUEST: X-Ascend-Receive-Secret = 0x3438316339313763326231623731373133343937623838636165613864326437326534653832 rlm_perl: RAD_REQUEST: X-Ascend-IPX-Peer-Mode = 0x5245474953544552 rlm_perl: RAD_REQUEST: Service-Type = IAPP-Register rlm_perl: RAD_REQUEST: X-Ascend-Netware-timeout = 1785686126 rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id= [EMAIL PROTECTED] rlm_perl: RAD_REQUEST: X-Ascend-IP-Pool-Definition = sip:192.168.1.227 rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED] rlm_perl: RAD_REQUEST: X-Ascend-PW-Lifetime = 1785686126 rlm_perl: RAD_REQUEST: NAS-Port = 5060 rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1 rlm_perl: RAD_REQUEST: X-Ascend-Send-Secret = 0x3139322e3136382e312e323237 rlm_perl: ### rlm_perl: Added pair Digest-Response = 6d1bf8eacbbddb82a606811f7e5c76ae rlm_perl: Added pair X-Ascend-Receive-Secret = 0x3438316339313763326231623731373133343937623838636165613864326437326534653832 rlm_perl: Added pair X-Ascend-IPX-Peer-Mode = 0x5245474953544552 rlm_perl: Added pair Service-Type = IAPP-Register rlm_perl: Added pair X-Ascend-Netware-timeout = 1785686126 rlm_perl: Added pair Cisco-AVPair = call-id= [EMAIL PROTECTED] rlm_perl: Added pair X-Ascend-IP-Pool-Definition = sip:192.168.1.227 rlm_perl: Added pair User-Name = [EMAIL PROTECTED] rlm_perl: Added pair X-Ascend-PW-Lifetime = 1785686126 rlm_perl: Added pair NAS-Port = 5060 rlm_perl: Added pair NAS-IP-Address = 127.0.0.1 rlm_perl: Added pair X-Ascend-Send-Secret = 0x3139322e3136382e312e323237 rlm_perl: Added pair Reply-Message = Incorrect Password perl_pool total/active/spare [32/0/32] Unreserve perl at address 0x9f48768 ++[perl] returns reject Invalid user: [EMAIL PROTECTED]/no User-Password attribute] (from client 192.168.1.227 port 5060) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} - [EMAIL PROTECTED] 
attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.1.227 port 33528, id=93, length=252 User-Name = [EMAIL PROTECTED] X-Ascend-Netware-timeout = 1785686126 X-Ascend-Send-Secret = 0x3139322e3136382e312e323237 X-Ascend-Receive-Secret = 0x3438316339313763326231623731373133343937623838636165613864326437326534653832 X-Ascend-IP-Pool-Definition = sip:192.168.1.227 X-Ascend-IPX-Peer-Mode = 0x5245474953544552 Digest-Response = 6d1bf8eacbbddb82a606811f7e5c76ae Service-Type = IAPP-Register X-Ascend-PW-Lifetime = 1785686126 Cisco-AVPair = call-id= [EMAIL PROTECTED] NAS-IP-Address = 127.0.0.1 NAS-Port = 5060 +- entering group authorize ++[preprocess] returns ok perl_pool: item 0xa183d50 asigned new request. Handled so far: 1 found
Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
No, there is a digest module in default radiusd.conf that should decode the attributes. Post radiusd -X for request with Digest-Attributes. Those attributes you want are not in the request - have you tried $RAD_CHECK. hi Kalik, I've tried $RAD_CHECK but still i didn't get the values of these attributes 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response', I've found a digest module in radiusd.conf but actually don't have any idea how to handle the module. Please tell me how to get the value of these attributes. Here is the full output when the radius is run in debugging mode: [EMAIL PROTECTED] raddb]# radiusd -X FreeRADIUS Version 2.0.3, for host i686-pc-linux-gnu, built on Apr 9 2008 at 21:42:16 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... 
including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/clients.conf including configuration file /usr/local/etc/raddb/snmp.conf including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/sql.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including dictionary file /usr/local/etc/raddb/dictionary main { prefix = /usr/local localstatedir = /usr/local/var logdir = /usr/local/var/log/radius libdir = /usr/local/lib radacctdir = /usr/local/var/log/radius/radacct hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = /usr/local/var/run/radiusd/radiusd.pid checkrad = /usr/local/sbin/checkrad debug_level = 0 proxy_requests = yes security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = testing123 shortname = localhost nastype = other } client 192.168.1.227 { require_message_authenticator = no secret = johnson } radiusd: Loading Realms and Home Servers radiusd: Instantiating modules instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = request shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = Password Has Expired } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = You are calling outside your allowed timespan minimum-timeout = 60 } } radiusd: Loading Virtual Servers server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_perl Module: Instantiating perl perl { module = 
/usr/local/etc/raddb/myperltemp.pl func_authorize = authorize func_authenticate = authenticate func_accounting = accounting func_preacct = preacct func_checksimul = checksimul func_detach = detach func_xlat = xlat func_pre_proxy = pre_proxy func_post_proxy = post_proxy func_post_auth = post_auth } perl { max_clones = 32 start_clones = 32 min_spare_clones = 0 max_spare_clones = 32 cleanup_delay = 5 max_request_per_clone = 0 } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = /usr/local/etc/raddb/huntgroups hints = /usr/local/etc/raddb/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = suffix delimiter = @ ignore_default = no ignore_null = no } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = md5 timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module:
Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
Send a request with Digest-Attributes. hi Kalik, I've tried to called using Digest-Attributes in my perl code like this $dUserName= $RAD_REQUEST{'Digest-User-Name'}; $dRealm= $RAD_REQUEST{'Digest-Realm'}; $dMethod = $RAD_REQUEST{'Digest-Method'}; $dUri= $RAD_REQUEST{'Digest-URI'}; $dNonce=$RAD_REQUEST{'Digest-Nonce'}; $dResponse=$RAD_REQUEST{'Digest-Response'}; but still it doesn't get the values..except 'Digest-Response' May it be the problem from the radius client, or is it the problem in my perl code. I can't rectify the problem, I am confusing where should I emphasized Here is the new output when it is run in radiusd -X after rejecting da user. rad_recv: Access-Request packet from host 192.168.1.227 port 32847, id=182, length=252 User-Name = [EMAIL PROTECTED] X-Ascend-Netware-timeout = 1785686126 X-Ascend-Send-Secret = 0x3139322e3136382e312e323237 X-Ascend-Receive-Secret = 0x34383161663338653534346236663063383862343865393864346639313036626264363230306536 X-Ascend-IP-Pool-Definition = sip:192.168.1.227 X-Ascend-IPX-Peer-Mode = 0x5245474953544552 Digest-Response = 1e926599fa0777bef89010421e3e1c41 Service-Type = IAPP-Register X-Ascend-PW-Lifetime = 1785686126 Cisco-AVPair = call-id= [EMAIL PROTECTED] NAS-IP-Address = 127.0.0.1 NAS-Port = 5060 +- entering group authorize ++[preprocess] returns ok perl_pool: item 0x9ede730 asigned new request. 
Handled so far: 1 found interpetator at address 0x9ede730 rlm_perl: ### rlm_perl: RAD_REQUEST: Digest-Response = 1e926599fa0777bef89010421e3e1c41 rlm_perl: RAD_REQUEST: X-Ascend-Receive-Secret = 0x34383161663338653534346236663063383862343865393864346639313036626264363230306536 rlm_perl: RAD_REQUEST: X-Ascend-IPX-Peer-Mode = 0x5245474953544552 rlm_perl: RAD_REQUEST: Service-Type = IAPP-Register rlm_perl: RAD_REQUEST: X-Ascend-Netware-timeout = 1785686126 rlm_perl: RAD_REQUEST: Cisco-AVPair = call-id= [EMAIL PROTECTED] rlm_perl: RAD_REQUEST: X-Ascend-IP-Pool-Definition = sip:192.168.1.227 rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED] rlm_perl: RAD_REQUEST: X-Ascend-PW-Lifetime = 1785686126 rlm_perl: RAD_REQUEST: NAS-Port = 5060 rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1 rlm_perl: RAD_REQUEST: X-Ascend-Send-Secret = 0x3139322e3136382e312e323237 rlm_perl: ### rlm_perl: Added pair Digest-Response = 1e926599fa0777bef89010421e3e1c41 rlm_perl: Added pair X-Ascend-Receive-Secret = 0x34383161663338653534346236663063383862343865393864346639313036626264363230306536 rlm_perl: Added pair X-Ascend-IPX-Peer-Mode = 0x5245474953544552 rlm_perl: Added pair Service-Type = IAPP-Register rlm_perl: Added pair X-Ascend-Netware-timeout = 1785686126 rlm_perl: Added pair Cisco-AVPair = call-id= [EMAIL PROTECTED] rlm_perl: Added pair X-Ascend-IP-Pool-Definition = sip:192.168.1.227 rlm_perl: Added pair User-Name = [EMAIL PROTECTED] rlm_perl: Added pair X-Ascend-PW-Lifetime = 1785686126 rlm_perl: Added pair NAS-Port = 5060 rlm_perl: Added pair NAS-IP-Address = 127.0.0.1 rlm_perl: Added pair X-Ascend-Send-Secret = 0x3139322e3136382e312e323237 rlm_perl: Added pair Reply-Message = Incorrect Password perl_pool total/active/spare [32/0/32] Unreserve perl at address 0x9ede730 ++[perl] returns reject Invalid user: [EMAIL PROTECTED]/no User-Password attribute] (from client 192.168.1.227 port 5060) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} - [EMAIL 
PROTECTED] attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.1.227 port 32848, id=183, length=252 User-Name = [EMAIL PROTECTED] X-Ascend-Netware-timeout = 1785686126 X-Ascend-Send-Secret = 0x3139322e3136382e312e323237 X-Ascend-Receive-Secret = 0x34383161663338653534346236663063383862343865393864346639313036626264363230306536 X-Ascend-IP-Pool-Definition = sip:192.168.1.227 X-Ascend-IPX-Peer-Mode = 0x5245474953544552 Digest-Response = 1e926599fa0777bef89010421e3e1c41 Service-Type = IAPP-Register X-Ascend-PW-Lifetime = 1785686126 Cisco-AVPair = call-id= [EMAIL PROTECTED] NAS-IP-Address = 127.0.0.1 NAS-Port = 5060 +- entering group authorize ++[preprocess] returns ok perl_pool: item 0xa119d28 asigned new request. Handled so far: 1 found interpetator at address 0xa119d28 rlm_perl: ### rlm_perl: RAD_REQUEST: Digest-Response = 1e926599fa0777bef89010421e3e1c41 rlm_perl: RAD_REQUEST: X-Ascend-Receive-Secret =
Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
hi, I am using free Radius 2.0.3. I m configured my AAA through rlm_perl. I need to do the authorization by using the following attributes. Digest-Realm Digest-Method Digest-Uri Digest-Nonce Digest-Nonce Digest-Response Unfortunately i did not get any value from these attributes when i called using $RAD_REQUEST. Please tell me any idea to get these values. Here is the piece of output when the radius is run in debugging mode: [EMAIL PROTECTED] raddb]# radiusd -X FreeRADIUS Version 2.0.3, for host i686-pc-linux-gnu, built on Apr 9 2008 at 21:42:16 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/clients.conf including configuration file /usr/local/etc/raddb/snmp.conf including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/sql.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including dictionary file /usr/local/etc/raddb/dictionary main { prefix = /usr/local localstatedir = /usr/local/var logdir = /usr/local/var/log/radius libdir = /usr/local/lib radacctdir = /usr/local/var/log/radius/radacct hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = /usr/local/var/run/radiusd/radiusd.pid checkrad = /usr/local/sbin/checkrad debug_level = 0 proxy_requests = yes security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = testing123 shortname = localhost nastype = 
other } client 192.168.1.227 { require_message_authenticator = no secret = johnson } radiusd: Loading Realms and Home Servers radiusd: Instantiating modules instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = request shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = Password Has Expired } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = You are calling outside your allowed timespan minimum-timeout = 60 } } radiusd: Loading Virtual Servers server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_perl Module: Instantiating perl perl { module = /usr/local/etc/raddb/myperltemp.pl func_authorize = authorize func_authenticate = authenticate func_accounting = accounting func_preacct = preacct func_checksimul = checksimul func_detach = detach func_xlat = xlat func_pre_proxy = pre_proxy func_post_proxy = post_proxy func_post_auth = post_auth } perl { max_clones = 32 start_clones = 32 min_spare_clones = 0 max_spare_clones = 32 cleanup_delay = 5 max_request_per_clone = 0 } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = /usr/local/etc/raddb/huntgroups hints = /usr/local/etc/raddb/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = suffix delimiter = @ ignore_default = no ignore_null = no } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = md5 timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to 
sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = Password: auth_type = PAP } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no
Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
That's a pap request. Send a request with Digest-Attributes and you will get digest attributes.

hi, As advised by Ivan Kalik, I've tried sending the request with Digest-Attributes; unfortunately I didn't get any values from these attributes: 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'. Here is the piece of Perl code that I have used to access the values:

$dUserName = $RAD_REQUEST{'Digest-User-Name'};
$dRealm    = $RAD_REQUEST{'Digest-Realm'};
$dMethod   = $RAD_REQUEST{'Digest-Method'};
$dUri      = $RAD_REQUEST{'Digest-URI'};
$dNonce    = $RAD_REQUEST{'Digest-Nonce'};
$dResponse = $RAD_REQUEST{'Digest-Response'};

I've used the md5 algorithm in my Perl script; is there anything to be done in the eap.conf or in radius.conf?

Regards,
Elangbam Johnson
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
No, there is a digest module in default radiusd.conf that should decode the attributes. Post radiusd -X for request with Digest-Attributes. Those attributes you want are not in the request - have you tried $RAD_CHECK. hi Kalik, I've tried $RAD_CHECK but it doesn't work, I've found a digest module in radiusd.conf but actually don't have any idea how to handle the module. Here is the full output when the radius is run in debugging mode: [EMAIL PROTECTED] raddb]# radiusd -X FreeRADIUS Version 2.0.3, for host i686-pc-linux-gnu, built on Apr 9 2008 at 21:42:16 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/clients.conf including configuration file /usr/local/etc/raddb/snmp.conf including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/sql.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including dictionary file /usr/local/etc/raddb/dictionary main { prefix = /usr/local localstatedir = /usr/local/var logdir = /usr/local/var/log/radius libdir = /usr/local/lib radacctdir = /usr/local/var/log/radius/radacct hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = /usr/local/var/run/radiusd/radiusd.pid checkrad = /usr/local/sbin/checkrad debug_level = 0 proxy_requests = yes security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = testing123 shortname = localhost 
nastype = other } client 192.168.1.227 { require_message_authenticator = no secret = johnson } radiusd: Loading Realms and Home Servers radiusd: Instantiating modules instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = request shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = Password Has Expired } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = You are calling outside your allowed timespan minimum-timeout = 60 } } radiusd: Loading Virtual Servers server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_perl Module: Instantiating perl perl { module = /usr/local/etc/raddb/myperltemp.pl func_authorize = authorize func_authenticate = authenticate func_accounting = accounting func_preacct = preacct func_checksimul = checksimul func_detach = detach func_xlat = xlat func_pre_proxy = pre_proxy func_post_proxy = post_proxy func_post_auth = post_auth } perl { max_clones = 32 start_clones = 32 min_spare_clones = 0 max_spare_clones = 32 cleanup_delay = 5 max_request_per_clone = 0 } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = /usr/local/etc/raddb/huntgroups hints = /usr/local/etc/raddb/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = suffix delimiter = @ ignore_default = no ignore_null = no } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = md5 timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: 
Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = Password: auth_type = PAP } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange
Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
hi, I am using FreeRADIUS 2.0.3. I have configured my AAA through rlm_perl. I need to do the authorization by using the following attributes:

Digest-Realm
Digest-Method
Digest-Uri
Digest-Nonce
Digest-Nonce
Digest-Response

Unfortunately I did not get any value from these attributes when I called using $RAD_REQUEST. Please tell me any idea to get these values. Here is the piece of authorization code that I've used.

use DBI;
use Digest::MD5 qw(md5_hex);

sub authorize {
    my $nasuser   = $RAD_REQUEST{'User-Name'};
    my $naspass   = $RAD_REQUEST{'User-Password'};
    my $dUserName = $RAD_REQUEST{'Digest-User-Name'};
    my $dRealm    = $RAD_REQUEST{'Digest-Realm'};
    my $dMethod   = $RAD_REQUEST{'Digest-Method'};
    my $dUri      = $RAD_REQUEST{'Digest-URI'};
    my $dNonce    = $RAD_REQUEST{'Digest-Nonce'};
    my $dResponse = $RAD_REQUEST{'Digest-Response'};

    my $user     = "user";
    my $password = "password";
    my $dbh = DBI->connect('dbi:ODBC:MSSQLDSN', $user, $password,
                           {PrintError => 0, RaiseError => 0});

    if ($dbh) {
        # The user name is bound as a parameter, not interpolated into the SQL.
        my $sth = $dbh->prepare(q/select * from testing where UserName = ?/);
        $sth->execute($nasuser);
        if (my $row = $sth->fetchrow_hashref) {
            # password from database against the username
            my $dPassword = $row->{UserPassword};
            # first part of the hash calculated.
            my $ha1 = md5_hex($dUserName . ':' . $dRealm . ':' . $dPassword);
            # second part of the hash calculated.
            my $ha2 = md5_hex($dMethod . ':' . $dUri);
            # final response to be checked with the digest-response
            # (md5_hex, because Digest-Response arrives as a hex string)
            my $expected = md5_hex($ha1 . ':' . $dNonce . ':' . $ha2);
            if ($expected eq $dResponse) {
                $RAD_REPLY{'Reply-Message'} = "Accepting Users";
                return RLM_MODULE_OK;
            }
            else {
                $RAD_REPLY{'Reply-Message'} = "Incorrect Password";
                return RLM_MODULE_REJECT;
            }
        } # End of row fetch
        else {
            $RAD_REPLY{'Reply-Message'} = "Incorrect Username";
            #$RAD_REPLY{'Reply-Message'} = $nasuser;
            return RLM_MODULE_REJECT;
        } # End of else
    } # end of if database connection
    else {
        $RAD_REPLY{'Reply-Message'} = "Cannot connect to database";
        # RLM_MODULE_FAIL is assumed to be defined next to RLM_MODULE_OK
        return RLM_MODULE_FAIL;
    }
} # End of authorization subsection

With Regards
Elangbam Johnson
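The digest check that the script in this post attempts, written out as an added example (not part of the original thread and not FreeRADIUS code). It covers the no-qop formula used in the post and, going beyond it, the RFC 2617 qop=auth form, checks itself against the RFC 2617 sample values, and refuses to hash when a digest field is missing. Sub names, the user name, password and nonce are constructed; the two hex values are copied from the radiusd -X output quoted in this thread and decode to readable text.

```perl
#!/usr/bin/perl
# Added example: digest response verification for an rlm_perl-style script.
# All sub names and sample credentials below are constructed for illustration.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# radiusd -X prints octet-string attributes as 0x<hex>; turn one back into text.
sub decode_octets {
    my ($value) = @_;
    return $value
        unless defined $value && $value =~ /\A0x((?:[0-9a-fA-F]{2})+)\z/;
    return pack('H*', $1);
}

# Expected Digest-Response for the given fields, or undef if one is missing.
#   without qop: MD5(HA1:nonce:HA2)
#   qop=auth:    MD5(HA1:nonce:nc:cnonce:qop:HA2)
sub expected_digest_response {
    my (%f) = @_;
    for my $need (qw(username realm password method uri nonce)) {
        return unless defined $f{$need} && length $f{$need};
    }
    my $ha1 = md5_hex(join ':', @f{qw(username realm password)});
    my $ha2 = md5_hex(join ':', @f{qw(method uri)});
    if (defined $f{qop} && length $f{qop}) {
        return unless $f{qop} eq 'auth';    # auth-int also hashes the body
        return unless defined $f{nc} && defined $f{cnonce};
        return md5_hex(join ':', $ha1, @f{qw(nonce nc cnonce qop)}, $ha2);
    }
    return md5_hex(join ':', $ha1, $f{nonce}, $ha2);
}

# Compare two hex digests without stopping at the first differing character.
sub digest_matches {
    my ($expected, $received) = @_;
    return 0 unless defined $expected && defined $received;
    $received = lc $received;
    return 0 unless length($expected) == length($received);
    my $diff = 0;
    for my $i (0 .. length($expected) - 1) {
        $diff |= ord(substr($expected, $i, 1)) ^ ord(substr($received, $i, 1));
    }
    return $diff == 0 ? 1 : 0;
}

# 1. Self-check against the sample values in RFC 2617, section 3.5.
my %rfc = (
    username => 'Mufasa',
    realm    => 'testrealm@host.com',
    password => 'Circle Of Life',
    method   => 'GET',
    uri      => '/dir/index.html',
    nonce    => 'dcd98b7102dd2f0e8b11d0f600bfb0c093',
    qop      => 'auth',
    nc       => '00000001',
    cnonce   => '0a4f113b',
);
my $calc = expected_digest_response(%rfc);
die "RFC 2617 self-check failed\n"
    unless digest_matches($calc, '6629fae49393a05397450978507c4ef1');
print "RFC 2617 sample response verified\n";

# 2. Attribute values as logged in this thread (hex ones are octet strings).
my %logged = (
    'X-Ascend-Send-Secret'        => '0x3139322e3136382e312e323237',
    'X-Ascend-IPX-Peer-Mode'      => '0x5245474953544552',
    'X-Ascend-IP-Pool-Definition' => 'sip:192.168.1.227',
);
printf "%-28s %s\n", $_, decode_octets($logged{$_}) for sort keys %logged;

# 3. No-qop check as in the post, with constructed credentials and nonce.
my %sip = (
    username => 'alice',                        # constructed
    password => 'constructed-secret',           # constructed
    nonce    => 'constructed-nonce-0001',       # constructed
    realm    => decode_octets($logged{'X-Ascend-Send-Secret'}),
    method   => decode_octets($logged{'X-Ascend-IPX-Peer-Mode'}),
    uri      => $logged{'X-Ascend-IP-Pool-Definition'},
);
my $client_response = expected_digest_response(%sip);
for my $stored ('constructed-secret', 'something-else') {
    my $server = expected_digest_response(%sip, password => $stored);
    printf "stored password %-22s -> %s\n", "'$stored'",
        digest_matches($server, $client_response) ? 'accept' : 'reject';
}

# 4. Missing digest fields (the situation in this thread): do not hash at all.
my $incomplete = expected_digest_response(%sip, realm => undef, nonce => undef);
print defined $incomplete
    ? "unexpected: computed a response from missing fields\n"
    : "digest fields missing: reject without hashing\n";
```

Inside an rlm_perl hook, the undef result is the point at which to return a reject with a message about missing digest fields rather than "Incorrect Password".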
How do i change the NAS ip address
hi, I've been configuring FreeRADIUS 2.0.3. I've configured almost all the files and it ran successfully for testing purposes from the localhost by using radtest. Now I need to implement my RADIUS in the real environment by putting in the NAS IP address; currently my NAS IP address is displayed as 127.0.0.1, and I need to change this IP address. Can anybody please tell me how to change the NAS IP address?

Thanks and Regards
Elangbam Johnson
Unable to authenticate with rlm_perl
hi, I am trying to use rlm_perl for authentication. I've found it reading all the Perl modules, but I wasn't able to handle the username from the client. For testing purposes I've put this simple script in the Perl program:

if ($RAD_REQUEST{'User-Name'} eq "john") {
    $RAD_REPLY{'A message'} = "Accepting John";
    return RLM_MODULE_OK;
}
else {
    $RAD_REPLY{'A message'} = "Rejecting users";
    return RLM_MODULE_REJECT;
}

Unfortunately, every time I try to authenticate the user john, regardless of the password, the server rejects. Here is the piece of output after rejecting the user:

rad_recv: Access-Request packet from host 127.0.0.1 port 32866, id=177, length=56
        User-Name = john
        User-Password = password
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
perl_pool: item 0x9e63c98 asigned new request. Handled so far: 1
found interpetator at address 0x9e63c98
rlm_perl: Added pair User-Name = john
rlm_perl: Added pair User-Password = password
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x9e63c98
++[perl] returns ok
rlm_realm: No '@' in User-Name = john, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
users: Matched entry DEFAULT at line 203
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type Perl
auth: type Perl
+- entering group Perl
perl_pool: item 0xa08e5d8 asigned new request. Handled so far: 1
found interpetator at address 0xa08e5d8
1,bill,Cleartext-Password,bill,:=
Use of uninitialized value in string eq at /usr/local/etc/raddb/example.pm line 126.
rlm_perl: Added pair User-Name = john
rlm_perl: Added pair User-Password = password
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair Auth-Type = Perl
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0xa08e5d8
++[perl] returns reject
auth: Failed to validate the user.
Login incorrect: [john/password] (from client localhost port 0)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> john
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 177 to 127.0.0.1 port 32866
Waking up in 4.9 seconds.
Cleaning up request 0 ID 177 with timestamp +10
Ready to process requests.

Regards,
Elangbam Johnson
Problem with authentication with rlm_perl
hi, I am using free Radius 2.0. I want to try to authenticate with the perl module, I've done all the necessary configurations in sites-enabled/default directory and in radiusd.conf and it reads my perl script when running my radius, unfortunately my radius server rejects all the time no matter what i've put the return value rlm_module_ok in my perl script. Please tell me is there any other things what i've to do to authenticate the username from perl module. Here is the output after running the radius server in debugging mode FreeRADIUS Version 2.0.2, for host i686-pc-linux-gnu, built on Feb 25 2008 at 09:51:36 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including configuration file /usr/local/etc/raddb/snmp.conf including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/sql.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including dictionary file /usr/local/etc/raddb/dictionary main { prefix = /usr/local localstatedir = /usr/local/var logdir = /usr/local/var/log/radius libdir = /usr/local/lib radacctdir = /usr/local/var/log/radius/radacct hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = /usr/local/var/run/radiusd/radiusd.pid checkrad = /usr/local/sbin/checkrad debug_level = 0 proxy_requests = yes security { max_attributes = 200 reject_delay = 1 status_server = yes } 
} client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = testing123 nastype = other } radiusd: Loading Realms and Home Servers proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = auth secret = testing123 response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = status-server ping_check = none ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: Instantiating modules instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = request shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = Password Has Expired } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = You are calling outside your allowed timespan minimum-timeout = 60 } } radiusd: Loading Virtual Servers server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_perl Module: Instantiating perl perl { module = /usr/local/etc/raddb/example.pm func_authorize = authorize func_authenticate = authenticate func_accounting = accounting func_preacct = preacct func_checksimul = checksimul func_detach = detach func_xlat = xlat func_pre_proxy = pre_proxy func_post_proxy = post_proxy func_post_auth = post_auth } perl { max_clones = 32 start_clones = 32 min_spare_clones = 0 max_spare_clones = 32 cleanup_delay = 5 max_request_per_clone = 0 } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: 
Instantiating preprocess preprocess { huntgroups = /usr/local/etc/raddb/huntgroups hints = /usr/local/etc/raddb/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module
Problems with using Customize table schema
hi, I've been asking the same questions for the past few days about using my customized table schema and executing stored procedures in MS SQL 2000 with FreeRADIUS server 2.0, but I haven't found the exact solution till now. I've tried all the alternatives that were given in replies on the mailing list by Ivan Kalik, Alan DeKok and some other guys; unfortunately my requirements don't match their replies. I am stating the problem here, and I appreciate any kind of advice.

1. Using a customized table of my own in MS SQL 2000 rather than the default (i.e. radcheck) with FreeRADIUS 2 through a Perl script.
2. Executing stored procedures of MS SQL 2000 through a Perl script.

I've put perl in the authorization section in the sites-enabled/default directory, I've put Auth-Type perl { perl } in the authenticate section, and I've put a section for the perl module in the modules section in radiusd.conf. radiusd -X works fine and reads all of the perl module while running the radius in debugging mode.

My confusion is how to fetch the username and the password from my own customized table, which contains only username and password, and authenticate through a Perl script. Secondly, how do I execute the stored procedures written in MS SQL 2000 through a Perl script?

Thanks and Regards
Elangbam Johnson
Problems with using Customize table schema
Hi, As advised by Ivan Kalik I've added a table and put username and password only, but still the problem is there, and the output is like this. Please let me know how to use the customized table.

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 32791, id=197, length=57
        User-Name = david
        User-Password = david
        NAS-IP-Address = 192.168.1.227
        NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = david, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
expand: %{User-Name} -> david
rlm_sql (sql): sql_set_user escaped user --> 'david'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT usernames,passwords FROM userpass WHERE usernames = '%{SQL-User-Name}' -> SELECT usernames,passwords FROM userpass WHERE usernames = 'david'
query: SELECT usernames,passwords FROM userpass WHERE usernames = 'david'
rlm_sql: The 'Attribute' field is empty or NULL, skipping the entire row.
rlm_sql (sql): Error getting data from database
rlm_sql (sql): SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 4
++[sql] returns fail
Invalid user: [david/david] (from client localhost port 0)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> david
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 197 to 127.0.0.1 port 32791
Waking up in 4.9 seconds.
Cleaning up request 0 ID 197 with timestamp +86
Ready to process requests.

Regards
Elangbam Johnson
Problems with using Customize table schema
Hi, the only thing I want to do is to use a customized table schema of my own. I am confused whether I should use sql.conf or the perl module. Please advise which I should use. If I use the perl module, please tell me how I should write the connection parameters and the SQL queries for connecting to Ms Sql. And if I use sql.conf, please tell me how to use my own customized table, which contains only username and password.

With Regards
Elangbam Johnson
Problems with using Customize table schema
Hi, I am using Free radius 2.0 and Ms Sql 2000. I need to use my own customised table schema rather than the default table which comes along with the radius server in schema.conf. To do so, is it necessary to connect through rlm_perl and deactivate the sql module in sites-enabled/default? If I am using a perl script, do I have to specify all the parameters that are specified in dialup.conf? I mean, do I have to specify all the database connection parameters in the perl script, or is there any other means, like we do in sql.conf?

Regards
Elangbam Johnson
how to disabled rlm_sql module
Hi, do I need to disable the rlm_sql module if I am using a perl script to fetch data from the database? If so, how do I disable the rlm_sql module?
Fetching username and password through perl script
Hi, I am using free radius 2 along with Ms Sql 2000. I need to authenticate with a perl script using my own table schema, which contains only username and password. How do I read the username and password from this customized table using a perl script?

With Regards
Elangbam Johnson
How do I used my customized table in.
Hi, I am using free radius server 2.0 and Ms Sql 2000. I want to use my customized table, which contains only username and password. I've tried modifying the query in dialup.conf, but it doesn't work. Please tell me the solution. Here is the piece of output after rejecting the user that is stored in the database:

rad_recv: Access-Request packet from host 127.0.0.1 port 32807, id=226, length=56
        User-Name = John
        User-Password = 1
        NAS-IP-Address = 192.168.2.227
        NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = John, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} - John
rlm_sql (sql): sql_set_user escaped user -- 'John'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT UserName,Value FROM checking WHERE Username = '%{SQL-User-Name}' - SELECT UserName,Value FROM checking WHERE Username = 'John'
query: SELECT UserName,Value FROM checking WHERE Username = 'John'
rlm_sql_getvpdata: database query error
rlm_sql (sql): SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 3
++[sql] returns fail
Invalid user: [John/1] (from client localhost port 0)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - John
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 226 to 127.0.0.1 port 32807
Waking up in 4.9 seconds.
Cleaning up request 1 ID 226 with timestamp +17
Ready to process requests.

Regards
Elangbam Johnson
How do I used my customized table in Ms Sql through perl script
Hi, I am using free radius server 2.0 and Ms Sql 2000. I want to use my customized table, which contains only username and password. I authenticate using a perl script. Can I write SQL queries inside the perl script to fetch the data from the table, rather than in dialup.conf for Ms Sql, so that I can use my customized table?

Elangbam Johnson
Need to authenticate with Perl
Hi, I am trying to authenticate using a Perl script. I've included a Perl section in radiusd.conf which specifies the path of the Perl script, and I've included a section like Auth-Type Perl { perl } in the /sites-enabled/default file. I need to use the stored procedures of MsSql in the Perl script, so that I can call the stored procedures through perl. Please help me with how to implement it.

With Regards
Elangbam Johnson
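The two things asked for in this post and in the earlier ones (reading the username and password from a custom table, and calling an MS SQL stored procedure from rlm_perl), as an added example that is not part of the original posts or of the FreeRADIUS distribution. It assumes DBI with DBD::ODBC over the FreeTDS/unixODBC setup mentioned on this page and the `userpass` table from the debug output above; the DSN name, the environment variables and the stored procedure `check_user` are hypothetical.

```perl
#!/usr/bin/perl
# Added example for rlm_perl; names marked "assumed" are not from the page.
use strict;
use warnings;
use DBI;

# rlm_perl fills these hashes in package main for every request.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Return codes understood by rlm_perl.
use constant {
    RLM_MODULE_REJECT   => 0,
    RLM_MODULE_FAIL     => 1,
    RLM_MODULE_OK       => 2,
    RLM_MODULE_NOTFOUND => 6,
    RLM_MODULE_NOOP     => 7,
};

my $dbh;    # connect lazily so every interpreter in the pool owns its handle

sub db {
    return $dbh if $dbh && $dbh->ping;
    # Assumed: a unixODBC DSN name and credentials taken from the environment,
    # so that no database password is stored in the script.
    my $dsn = 'dbi:ODBC:' . ($ENV{RADIUS_ODBC_DSN} || 'MSSQL_RADIUS');
    $dbh = DBI->connect($dsn, $ENV{RADIUS_DB_USER}, $ENV{RADIUS_DB_PASS},
        { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
    return $dbh;
}

# authorize: look the user up in the two-column table and hand the password
# to the server as a check item; pap or digest then does the comparison.
sub authorize {
    my $user = $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_NOOP unless defined $user && length $user;

    my $password = eval {
        # The placeholder keeps the User-Name out of the SQL text.
        my ($pw) = db()->selectrow_array(
            'SELECT passwords FROM userpass WHERE usernames = ?', undef, $user);
        $pw;
    };
    if ($@) {
        warn "rlm_perl authorize: database error: $@";
        return RLM_MODULE_FAIL;
    }
    return RLM_MODULE_NOTFOUND unless defined $password;

    $RAD_CHECK{'Cleartext-Password'} = $password;
    return RLM_MODULE_OK;
}

# authenticate: only reached with Auth-Type perl { perl }. Works for PAP only,
# because it needs User-Password. Assumed: check_user(@name, @pass) returns a
# single row whose first column is 1 for a match and 0 otherwise.
sub authenticate {
    my ($user, $pass) = @RAD_REQUEST{'User-Name', 'User-Password'};
    return RLM_MODULE_REJECT unless defined $user && defined $pass;

    my $ok = eval {
        my $sth = db()->prepare('{call check_user(?, ?)}');
        $sth->execute($user, $pass);
        my ($result) = $sth->fetchrow_array;
        $sth->finish;
        $result;
    };
    if ($@) {
        warn "rlm_perl authenticate: database error: $@";
        return RLM_MODULE_FAIL;
    }
    return $ok ? RLM_MODULE_OK : RLM_MODULE_REJECT;
}

1;
```

With only `authorize` in use, the existing pap or digest entries in the authenticate section verify the password, as in the digest log at the top of this page.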
Need to customized the table schema.
Hi, I am using free radius 2 with MS Sql 2000. I want to make a database schema of my own to store only username and password in MS Sql. I would like to modify the query so that the radius server reads only this information from my customized table. I've tried modifying the SQL queries in dialup.conf to read from my table, but it doesn't work. Please help. Here is the piece of output of the radius server after rejecting the username and the password:

rad_recv: Access-Request packet from host 127.0.0.1 port 32835, id=208, length=56
        User-Name = John
        User-Password = 1
        NAS-IP-Address = 192.168.2.227
        NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = John, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} - John
rlm_sql (sql): sql_set_user escaped user -- 'John'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT name,value FROM checking WHERE name = '%{SQL-User-Name}' - SELECT name,value FROM checking WHERE name = 'John'
query: SELECT name,value FROM checking WHERE name = 'John'
rlm_sql: The 'Attribute' field is empty or NULL, skipping the entire row.
rlm_sql (sql): Error getting data from database
rlm_sql (sql): SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 4
++[sql] returns fail
Invalid user: [John/1] (from client localhost port 0)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - John
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 208 to 127.0.0.1 port 32835
Waking up in 4.9 seconds.
Cleaning up request 0 ID 208 with timestamp +17
Ready to process requests.

With Regards
Elangbam Johnson
Setting up a new database schema
Hi, I am trying to make a new database schema in Ms Sql in order to read the user name and password only. How do I change the SQL queries in the configuration files? I've changed them in the dialup.conf of the mssql directory. Is there any other configuration file to change so that it reads only from my customized table?

Regards
Elangbam Johnson
Unable to connect to data source
Hi, I am trying to connect Ms SQL with free radius. I've configured all the related packages like freeTDS and unixodbc, and both of the packages work well when I test using tsql and isql. But when I try to link with free radius, the following errors show. Please tell me what might be the problem for the following errors.

rlm_sql (sql): Driver rlm_sql_unixodbc (module rlm_sql_unixodbc) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_unixodbc #0
rlm_sql_unixodbc: SQL down 08001 [unixODBC][FreeTDS][SQL Server]Unable to connect to data source
rlm_sql_unixodbc: Connection failed
rlm_sql (sql): Failed to connect DB handle #0
rlm_sql (sql): starting 1
rlm_sql (sql): starting 2
rlm_sql (sql): starting 3
rlm_sql (sql): starting 4
rlm_sql (sql): Failed to connect to any SQL server.
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique

With Regards
Elangbam Johnson
Could not link driver rlm_sql_mysql.so
Hi, I am not able to link the mysql 5 driver with free radius 2.0.2 because of this file, rlm_sql_mysql.so. I couldn't locate this file in my entire system. I've gone through all the FAQs, but it doesn't work; the errors are still there. The errors look like this:

rlm_sql (sql): Could not link driver rlm_sql_mysql: rlm_sql_mysql.so: cannot open shared object file: No such file or directory
rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
/usr/local/etc/raddb/sql.conf[22]: Instantiation failed for module sql
/usr/local/etc/raddb/sites-enabled/default[124]: Failed to find module sql.
/usr/local/etc/raddb/sites-enabled/default[34]: Errors parsing authorize section.

With Regards
Elangbam Johnson
rlm_sql_mysql.so where do I locate this file and its associated files for CentOS to run freeRadius and MySQL
Hi, I am trying to build a radius server with free radius 2.0.0 using MySql 4.1.2, and I am getting the following errors:

rlm_sql (sql): Could not link driver rlm_sql_mysql: rlm_sql_mysql.so: cannot open shared object file: No such file or directory
rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
/usr/local/etc/raddb/sql.conf[22]: Instantiation failed for module sql
/usr/local/etc/raddb/sites-enabled/default[124]: Failed to find module sql.
/usr/local/etc/raddb/sites-enabled/default[34]: Errors parsing authorize section.

Where do I locate this file?

With Regards
Elangbam Johnson
Could not link driver rlm_sql_mysql
Hi Alan, thanks for helping me in configuring my freeradius with mysql. I've uncommented sql in the file /usr/local/etc/raddb/sites-enabled/default, and now I see messages of it trying to communicate with mysql. But there is still a problem of not getting the mysql driver. I am using MySql 4.1.2. Please suggest how to work it out. Here is the piece of output emphasizing the errors:

rlm_sql (sql): Could not link driver rlm_sql_mysql: rlm_sql_mysql.so: cannot open shared object file: No such file or directory
rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
/usr/local/etc/raddb/sql.conf[22]: Instantiation failed for module sql
/usr/local/etc/raddb/sites-enabled/default[123]: Failed to find module sql.
/usr/local/etc/raddb/sites-enabled/default[33]: Errors parsing authorize section.

With Regards,
Elangbam Johnson
conneting to mysql
Hi, in order to connect to mysql, what are the necessary configuration files to be changed?

Regards,
Elangbam Johnson
help in basic configuration in connection mysql with freeradius
Hi, I am trying to use a mysql database with free radius 2.0.0 for the first time. I am using CentOS 4.5 and mysql 4.1.2. The authentication works fine if I am using the unix username and password. I modified some configurations in radiusd.conf and sql.conf, but it doesn't work. Please tell me the most basic steps to configure freeradius with mysql. Here is the log file while running in debugging mode:

[EMAIL PROTECTED] ~]# radiusd -X FreeRADIUS Version 2.0.0, for host i686-pc-linux-gnu, built on Jan 29 2008 at 12:25:11 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including configuration file /usr/local/etc/raddb/snmp.conf including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/sql.conf including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including dictionary file /usr/local/etc/raddb/dictionary main { prefix = /usr/local localstatedir = /usr/local/var logdir = /usr/local/var/log/radius libdir = /usr/local/lib radacctdir = /usr/local/var/log/radius/radacct hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = /usr/local/var/run/radiusd/radiusd.pid user = root checkrad = /usr/local/sbin/checkrad debug_level = 0 proxy_requests = no log { 
syslog_facility = daemon stripped_names = no file = /usr/local/var/log/radius/radius.log auth = yes auth_badpass = yes auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = johnson123 nastype = other } radiusd: Loading Realms and Home Servers proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = auth secret = johnson123 response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = status-server ping_check = none ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: Instantiating modules instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = request shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = Password Has Expired } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = You are calling outside your allowed timespan minimum-timeout = 60 } } radiusd: Loading Virtual Servers server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = auto auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp 
= NULL } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = md5 timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to
need help in using mySql for freeRadius server.
Hi, I am a new user of free radius with mysql. I've configured all the necessary .config files (viz., sql.conf and radiusd.conf) of free radius for connecting to mysql, but I am not able to connect to the mysql database. Please tell me how to check that my free radius server is already connected to mysql, and when I use the Unix username and password it receives access-accept packets. I've also tried http://wiki.freeradius.org/SQL_HOWTO, but the instructions given there are slightly different from the one I am using. I am using free radius 2.0.0. Please help me in configuring this to connect to mysql. The debug log displays like this:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 32771, id=218, length=56
        User-Name = john
        User-Password = radpass
        NAS-IP-Address = 192.168.1.227
        NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns updated
rlm_realm: No '@' in User-Name = john, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type PAP
+- entering group PAP
rlm_pap: login attempt with password radpass
rlm_pap: Using CRYPT encryption.
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - john
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 218 to 127.0.0.1 port 32771
Waking up in 4.9 seconds.
Cleaning up request 0 ID 218 with timestamp +34
Ready to process requests.

With regards
Elangbam Johnson
need help in using mySql for freeRadius server.
Hi, I am a new user of free radius with mysql. I've configured all the necessary .config files (viz., sql.conf and radiusd.conf) of free radius for connecting to mysql, but I am not able to connect to the mysql database. Please tell me how to check that my free radius server is already connected to mysql, and when I use the Unix username and password it receives access-accept packets. I've also tried http://wiki.freeradius.org/SQL_HOWTO, but the instructions given there are slightly different from the one I am using. I am using free radius 2.0.0. Please help me in configuring this to connect to mysql. The debug output of the server startup displays like this:

[EMAIL PROTECTED] etc]# radiusd -X FreeRADIUS Version 2.0.0, for host i686-pc-linux-gnu, built on Jan 29 2008 at 12:25:11 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... 
including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including configuration file /usr/local/etc/raddb/snmp.conf including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/sql.conf including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including dictionary file /usr/local/etc/raddb/dictionary main { prefix = /usr/local localstatedir = /usr/local/var logdir = /usr/local/var/log/radius libdir = /usr/local/lib radacctdir = /usr/local/var/log/radius/radacct hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = /usr/local/var/run/radiusd/radiusd.pid checkrad = /usr/local/sbin/checkrad debug_level = 0 proxy_requests = yes log { syslog_facility = daemon stripped_names = no file = /usr/local/var/log/radius/radius.log auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = johnson123 nastype = other } radiusd: Loading Realms and Home Servers proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = auth secret = johnson123 response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = status-server ping_check = none ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool 
my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: Instantiating modules instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = request shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = Password Has Expired } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = You are calling outside your allowed timespan minimum-timeout = 60 } } radiusd: Loading Virtual Servers server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = auto auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = NULL } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = md5 timer_expire = 60
How to connect to mySql
Hi, I am a new user of free radius server. I want to keep the username/password in a mySql database. I've read almost all of the radiusd.conf file to get through this, but it doesn't help. Please help me to configure the connection to the database to make it work.

Thanks, with regards,
Elangbam Johnson
need help in using free radius
Hi, when I first ran free Radius using the command radtest test test localhost 0 testing123, I found the following errors. Please help.

rad_recv: Access-Request packet from host 127.0.0.1 port 32775, id=80, length=56
        User-Name = test
        User-Password = test
        NAS-IP-Address = 192.168.1.227
        NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 80 to 127.0.0.1 port 32775
Waking up in 4.9 seconds.
Cleaning up request 0 ID 80 with timestamp +31
Ready to process requests.

With Regards,
Elangbam Johnson