Re: FreeRadius not sending access-deny

2008-08-29 Thread Ivan Kalik
It is there:

>auth: Failed to validate the user.
>Login incorrect (rlm_ldap: User not found): [test] (from client
>NetworkEquipment port 0)
>Delaying request 0 for 1 seconds
>Finished request 0
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Sending Access-Reject of id 5 to 10.15.251.232 port 1337

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
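
Added example, not part of the original thread: a Python script that pairs each Access-Request in radiusd -X output with the reply sent for the same id and records any reject delay. In the lines quoted above, the reject for id 5 is held for one second and then sent. The sample log is constructed from lines in this thread, and attributing a "Delaying request" line to the most recently received request assumes single-threaded debug output.

```python
import re

# Constructed sample, modelled on the radiusd -X lines quoted in this thread.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.15.251.232:1387, id=6, length=62
Login OK: [test] (from client NetworkEquipment port 0)
Sending Access-Accept of id 6 to 10.15.251.232 port 1387
Finished request 0
rad_recv: Access-Request packet from host 10.15.251.232:1337, id=5, length=62
Login incorrect (rlm_ldap: User not found): [test] (from client NetworkEquipment port 0)
Delaying request 0 for 1 seconds
Finished request 0
--- Walking the entire request list ---
Waking up in 1 seconds...
Sending Access-Reject of id 5 to 10.15.251.232 port 1337
rad_recv: Access-Request packet from host 10.15.251.232:1400, id=7, length=62
Login incorrect: [test] (from client NetworkEquipment port 0)
Delaying request 1 for 1 seconds
"""

RECV = re.compile(r"^rad_recv: Access-Request packet from host (\S+):(\d+), id=(\d+)")
SEND = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+) port (\d+)")
DELAY = re.compile(r"^Delaying request \d+ for (\d+) seconds")

def pair_requests(debug_text):
    """Pair each Access-Request with its reply, keyed on (host, port, id)."""
    requests = {}   # dicts keep insertion order, so results follow arrival order
    current = None  # most recently received request (assumption: single-threaded -X)
    for line in debug_text.splitlines():
        line = line.strip()
        if m := RECV.match(line):
            current = (m[1], int(m[2]), int(m[3]))
            requests[current] = {"id": int(m[3]), "reply": None, "delay": 0}
        elif (m := DELAY.match(line)) and current in requests:
            requests[current]["delay"] = int(m[1])
        elif m := SEND.match(line):
            key = (m[3], int(m[4]), int(m[2]))
            if key in requests:
                requests[key]["reply"] = m[1]
    return list(requests.values())

def unanswered(results):
    """IDs of requests for which no reply appears in the capture."""
    return [r["id"] for r in results if r["reply"] is None]

if __name__ == "__main__":
    for r in pair_requests(SAMPLE_DEBUG):
        print(r)
```

A request that shows a delay but no reply in the capture (id 7 in the sample) is either still waiting out the delay or the debug output was cut before the reject was sent.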


Re: FreeRadius not sending access-deny

2008-08-29 Thread Ryan Kramer
That setting was at the default of 1. I tried setting it to zero, no effect.

Here is the debug output with first a successful user followed by the same
user with a bad pwd.


--

rad_recv: Access-Request packet from host 10.15.251.232:1387, id=6,
length=62
User-Name = "test"
User-Password = "test"
Message-Authenticator = 0x0adeae0c4cb8659e2aaede3adb6009a3
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/var/log/radius-switch/radacct-switch/
10.15.251.232/auth-detail-20080829'
rlm_detail:
/var/log/radius-switch/radacct-switch/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius-switch/radacct-switch/
10.15.251.232/auth-detail-20080829
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
rlm_realm: No '\' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 0
users: Matched entry DEFAULT at line 1
users: Matched entry test at line 33
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=***,dc=**,dc=**'
radius_xlat:  '(uid=test)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.2.16.156:389, authentication 0
rlm_ldap: bind as cn=ITDRADIUSC,ou=USERS,ou=ITD,dc=nd,dc=gov/X27wireless45
to 10.2.16.156:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=***,dc=nd,**=***, with filter (uid=test)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat:  '(uid=test)'
radius_xlat:  'ou=***,dc=**,dc=***'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=***,**=nd,**=***, with filter (uid=test)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "" returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [test] (from client NetworkEquipment port 0)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
radius_xlat:  '/var/log/radius-switch/radacct-switch/
10.15.251.232/reply-detail-20080829'
rlm_detail:
/var/log/radius-switch/radacct-switch/%{Client-IP-Address}/reply-detail-%Y%m%d
expands to /var/log/radius-switch/radacct-switch/
10.15.251.232/reply-detail-20080829
  modcall[post-auth]: module "reply_log" returns ok for request 0
modcall: leaving group post-auth (returns ok) for request 0
Sending Access-Accept of id 6 to 10.15.251.232 port 1387
NS-Admin-Privilege = Root-Admin
APC-Service-Type = 1
Service-Type = Administrative-User
Cisco-AVPair = "shell:priv-lvl=15"
Filter-Id = "unlim"
Extreme-Shell-Command = "Enable"
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...



--





rad_recv: Access-Request packet from host 10.15.251.232:1337, id=5,
length=62
User-Name = "test"
User-Password = "test2"
Message-Authenticator = 0x9bb6290c9d5e7dcffeeafe87e2c65b40
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/var/log/radius-switch/radacct-switch/
10.15.251.232/auth-detail-20080829'
rlm_detail:
/var/log/radius-switch/radacct-switch/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius-switch/radacct-switch/
10.15.251.232/auth-detail-20080829
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
rlm_realm

Re: FreeRadius not sending access-deny

2008-08-29 Thread Alan DeKok
Ryan Kramer wrote:
> I recently discovered that my Freeradius 1.1.7 install is no longer
> sending access-deny messages for bad passwords.  This causes the device
> to mark the radius server as down and move on to the next one, or just
> marks it as down.  I know it's probably something I did in the config,
> but for the life of me can't figure out how I managed to cause that. 
> Everything else on the install works great, just for the exception of no
> access-deny packets ever move. 

  Set "reject_delay = 0"

  Alan DeKok.


Re: FreeRadius not sending access-deny

2008-08-29 Thread Ivan Kalik
Post the debug of the user that should be rejected.

Ivan Kalik
Kalik Informatika ISP


On 29/8/2008, "Ryan Kramer" <[EMAIL PROTECTED]> wrote:

>Hello,
>
>I recently discovered that my Freeradius 1.1.7 install is no longer sending
>access-deny messages for bad passwords.  This causes the device to mark the
>radius server as down and move on to the next one, or just marks it as
>down.  I know it's probably something I did in the config, but for the life
>of me can't figure out how I managed to cause that.  Everything else on the
>install works great, just for the exception of no access-deny packets ever
>move.
>
>Any ideas?
>
>Ryan
>
>



FreeRadius not sending access-deny

2008-08-29 Thread Ryan Kramer
Hello,

I recently discovered that my Freeradius 1.1.7 install is no longer sending
access-deny messages for bad passwords.  This causes the device to mark the
radius server as down and move on to the next one, or just marks it as
down.  I know it's probably something I did in the config, but for the life
of me can't figure out how I managed to cause that.  Everything else on the
install works great, just for the exception of no access-deny packets ever
move.

Any ideas?

Ryan