Re: Voip database
] returns ok
[suffix] No '@' in User-Name = 081609000, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d - /var/log/radius/radacct/212.13.228.58/detail-20110110
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/212.13.228.58/detail-20110110
[detail] expand: %t - Mon Jan 10 09:32:58 2011
++[detail] returns ok
++[unix] returns noop
[radutmp] expand: /var/log/radius/radutmp - /var/log/radius/radutmp
[radutmp] expand: %{User-Name} - 081609000
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!
++[radutmp] returns noop
++[exec] returns noop
[attr_filter.accounting_response] expand: %{User-Name} - 081609000
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 3 to 212.13.228.58 port 35277
Finished request 4.
Cleaning up request 4 ID 3 with timestamp +13
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 66 with timestamp +13
Ready to process requests.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Voip-database-tp3295546p3334843.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
On Tue, Jan 4, 2011 at 2:40 PM, miha- miha_zou...@hotmail.com wrote:
> Currently, there is a password matching issue because the User-Password encoding is different during the Authentication from the Authorization. During the Authentication step, the Centile's radius client sends a User-Password encrypted with the secret. But during the Authorization step, we don't expect the Radius server to check again this password (which is sent anyway, I don't know if this is a bug or if it is required by Eyebill...).

So they deliberately do NOT encrypt password with the secret? That's just silly. They need to fix it.

> The Authorization request contains the attribute Acct-Status-Type with the value 17 that means authorize only.

Shouldn't it be RADIUS Attribute 6, Service-Type?
http://www.ietf.org/assignments/radius-types/radius-types.xml

> It also contains the attribute Message-Authenticator with the digest value. So Freeradius should use those two attributes to accept or reject the request instead of the User-Name and User-Password.

If only pap is involved (which, from your debug log seems to be the case), you might be able to play with unlang and set Auth-Type := Accept for certain conditions (e.g. check whether Message-Authenticator exists, and whether it matches a certain value).
http://wiki.freeradius.org/index.php/FAQ#How_do_I_permit_access_to_any_user_regardless_of_password.3F
http://freeradius.org/radiusd/man/unlang.html

--
Fajar
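The Message-Authenticator attribute discussed in the message above is an HMAC-MD5 over the whole packet, keyed with the shared secret (RFC 2869, section 5.14), so its presence alone proves nothing; only a recomputed match does. The following is an added example, not part of the original thread and not FreeRADIUS code: the packet, the Request Authenticator and the helper names are constructed for illustration, and only the user name, packet id and secret value are borrowed from the thread.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
MESSAGE_AUTHENTICATOR = 80


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value (length includes the 2-byte header)."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(pkt_id: int, request_auth: bytes, attrs: list, secret: bytes) -> bytes:
    """Client side: build an Access-Request ending in a signed Message-Authenticator."""
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(body)) + request_auth + body
    # The HMAC is computed with the 16 value bytes still zero, then written in place.
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def message_authenticator_offset(packet: bytes):
    """Walk the attribute list; return the offset of the 16-byte value, or None."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        if a_type == MESSAGE_AUTHENTICATOR:
            if a_len != 18:
                raise ValueError("Message-Authenticator must carry 16 bytes")
            return pos + 2
        pos += a_len
    return None


def check_message_authenticator(packet: bytes, secret: bytes) -> str:
    """Server side: return 'valid', 'invalid' or 'absent' for this secret."""
    off = message_authenticator_offset(packet)
    if off is None:
        return "absent"
    length = struct.unpack("!H", packet[2:4])[0]
    received = packet[off:off + 16]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "valid" if hmac.compare_digest(received, expected) else "invalid"


# Constructed sample data (not captured traffic).
REQUEST_AUTH = bytes(range(16))
SIGNED = build_access_request(193, REQUEST_AUTH, [attr(USER_NAME, b"081609000")], b"1122")
UNSIGNED = (struct.pack("!BBH", ACCESS_REQUEST, 193, 31) + REQUEST_AUTH
            + attr(USER_NAME, b"081609000"))
# Same packet with the first User-Name digit changed after signing.
TAMPERED = SIGNED[:22] + b"9" + SIGNED[23:]

if __name__ == "__main__":
    print("same secret:     ", check_message_authenticator(SIGNED, b"1122"))
    print("different secret:", check_message_authenticator(SIGNED, b"testing123"))
    print("modified packet: ", check_message_authenticator(TAMPERED, b"1122"))
    print("no attribute:    ", check_message_authenticator(UNSIGNED, b"1122"))
```

A result of "valid" is evidence about the shared secret that does not depend on how the client filled in User-Password.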
Re: Voip database
miha- wrote:
> Hello, I got answer what should I do that the freeradius will work with centile. Can you help me out where can I customized this settings?
> ...
> Currently, there is a password matching issue because the User-Password encoding is different during the Authentication from the Authorization.

The vendor's behavior is idiotic. Throw their software in the garbage, and buy something that works.

Go ask them how to make FreeRADIUS work with their product that violates the RADIUS specifications. It's not our problem.

Alan DeKok.
Re: Voip database
Hello,

I got answer what should I do that the freeradius will work with centile. Can you help me out where can I customized this settings?

Thanks!!!
miha

Currently, there is a password matching issue because the User-Password encoding is different during the Authentication from the Authorization. During the Authentication step, the Centile's radius client sends a User-Password encrypted with the secret. But during the Authorization step, we don't expect the Radius server to check again this password (which is sent anyway, I don't know if this is a bug or if it is required by Eyebill...).

The Authorization request contains the attribute Acct-Status-Type with the value 17 that means authorize only. It also contains the attribute Message-Authenticator with the digest value. So Freeradius should use those two attributes to accept or reject the request instead of the User-Name and User-Password.
RE: Voip database
Hello :)

I got this from centile guys? I am now installing freeradius on different server with different equipment to see which section (equipment) is adding this fields to messages.

I have only one question. I am running freeradius on ESXi as a Vmware machine. Could this be the cause of the problem?

Thanks!!!

According to the log, first step is done correctly. Issue is located on the second request, due to password received:

User-Password = {

It seems that Radius server receives a request which is not formatted correctly. Do you have any equipment used as proxy between IntraSwitch and Radius?

Some fields not provided by IntraSwitch are added into messages as the following:

Cisco-Attr-130 = 0x683332332d63616c6c696e672d656e74657270726973652d69643d656e74504258

Do you have a specific architecture which would cause such behavior?
Re: Voip database
miha- wrote:
> I got this from centile guys?

shrug It changes nothing. The shared secret is still wrong, and no amount of email back and forth changes that.

> I have only one question. I am running freeradius on ESXi as a Vmware machine. Could this be the cause of the problem?

No.

Alan DeKok.
Re: Voip database
Thank you @Johan Meiring for that. It is not my intent to spam the group and asking same question again and again. Believe me that I have done everything that you said (I changed secret on the NAS and on the radius and I restarted both,...).

So please help me out with this problem. I can see that the secret is wrong. But why?

First request goes through:

+- entering group PAP {...}
[pap] login attempt with password 1122
[pap] Using clear text password 1122
[pap] User authenticated successfully

But the second what is rejected due to wrong secret.

User-Name = 081609000
User-Password = \257+\360\350
[pap] login attempt with password ¯+ðè
[pap] Using clear text password 1122
[pap] Passwords don't match

So this I am asking. If the first time secret is right and for the second request is wrong. Could the different encryption (the is sending nas) is causing the problem?

I have also looked at the AVP pairs that the freeradius is sending to nas. If I looked at the AVP pairs which are sent from our radius (Ibill solution) to NAS I see that the freeradius is not sending all AVP pairs. Could this be cause of problem?

I am really grateful for your help!

miha
Re: Voip database
On 2010/12/21 10:01 AM, miha- wrote:
> Thank you @Johan Meiring for that. It is not my intent to spam the group and asking same question again and again. Believe me that I have done everything that you said (I changed secret on the NAS and on the radius and I restarted both,...).
>
> So please help me out with this problem. I can see that the secret is wrong. But why?
>
> First request goes through:
>
> +- entering group PAP {...}
> [pap] login attempt with password 1122
> [pap] Using clear text password 1122
> [pap] User authenticated successfully
>
> But the second what is rejected due to wrong secret.
>
> User-Name = 081609000
> User-Password = \257+\360\350
> [pap] login attempt with password ¯+ðè
> [pap] Using clear text password 1122
> [pap] Passwords don't match
>
> So this I am asking. If the first time secret is right and for the second request is wrong. Could the different encryption (the is sending nas) is causing the problem?

Answer the following:

1) What is the NAS's IP?
2) Post the section in clients.conf defining the NAS
3) Post the NAS config.

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Re: Voip database
1. My ip 1.2.3.4 (I will not post right one for security reasons)

2. Configuration on NAS

##- Activate RADIUS connection
setProperty com.centile.connectors.aaa.watchdog.enable false
setProperty com.centile.connectors.aaa radius
setProperty com.centile.connectors.aaa.localserv intraswitch
setProperty com.centile.connectors.aaa.localpass 1122
setProperty com.centile.connectors.aaa.remotserv 1.2.3.5 (ip of freeradius)
setProperty com.centile.connectors.aaa.remotport 1812
setProperty com.centile.connectors.aaa.calltype any

3. clients.conf

client 1.2.3.4 (ip nas) {
    secret = 1122
    shortname = intraswitch
    nastype = cisco
    # require_message_authenticator = no
}

Thanks
Re: Voip database
miha- wrote:
> ##- Activate RADIUS connection
> setProperty com.centile.connectors.aaa.watchdog.enable false
> setProperty com.centile.connectors.aaa radius
> setProperty com.centile.connectors.aaa.localserv intraswitch
> setProperty com.centile.connectors.aaa.localpass 1122
> setProperty com.centile.connectors.aaa.remotserv 1.2.3.5 (ip of freeradius)
> setProperty com.centile.connectors.aaa.remotport 1812
> setProperty com.centile.connectors.aaa.calltype any

Go ask the centile.com people why their RADIUS client doesn't work. It is *not* our problem.

FreeRADIUS works with Cisco, Juniper, HP, SIP servers, firewalls, switches, routers, open source, closed source, etc.

Let me guess: in all of your time taken posting to this list, you haven't bothered asking the centile.com people any questions.

Alan DeKok.
RE: Voip database
Believe me that I am asking centile people too. And to let you know I have begun asking centile.com before I made first post on this forum.

thanks!

> Date: Tue, 21 Dec 2010 09:44:47 +0100
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Voip database
>
> miha- wrote:
> > ##- Activate RADIUS connection
> > setProperty com.centile.connectors.aaa.watchdog.enable false
> > setProperty com.centile.connectors.aaa radius
> > setProperty com.centile.connectors.aaa.localserv intraswitch
> > setProperty com.centile.connectors.aaa.localpass 1122
> > setProperty com.centile.connectors.aaa.remotserv 1.2.3.5 (ip of freeradius)
> > setProperty com.centile.connectors.aaa.remotport 1812
> > setProperty com.centile.connectors.aaa.calltype any
>
> Go ask the centile.com people why their RADIUS client doesn't work. It is *not* our problem.
>
> FreeRADIUS works with Cisco, Juniper, HP, SIP servers, firewalls, switches, routers, open source, closed source, etc.
>
> Let me guess: in all of your time taken posting to this list, you haven't bothered asking the centile.com people any questions.
>
> Alan DeKok.
Re: Voip database
Miha Zoubek wrote:
> Believe me that I am asking centile people too. And to let you know I have begun asking centile.com before I made first post on this forum.

OK, that's better.

But FreeRADIUS works. It really does. Try it with ntradping on another machine. The *only* issues are with the centile.com NAS.

Alan DeKok.
Re: Voip database
On 2010/12/21 10:26 AM, miha- wrote:
> ##- Activate RADIUS connection
> setProperty com.centile.connectors.aaa.watchdog.enable false
> setProperty com.centile.connectors.aaa radius
> setProperty com.centile.connectors.aaa.localserv intraswitch
> setProperty com.centile.connectors.aaa.localpass 1122
> setProperty com.centile.connectors.aaa.remotserv 1.2.3.5 (ip of freeradius)
> setProperty com.centile.connectors.aaa.remotport 1812
> setProperty com.centile.connectors.aaa.calltype any

I know nothing of centile. Alan is right that you need to ask them.

But, my logic says that you need a line similar to the following on your centile NAS.

setProperty com.centile.connectors.aaa.remotepass 1122
^^

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Re: Voip database
On Tue, Dec 21, 2010 at 3:52 PM, Miha Zoubek miha_zou...@hotmail.com wrote:
> Believe me that I am asking centile people too. And to let you know I have begun asking centile.com before I made first post on this forum.

I noticed from your earlier debug output that the NAS is sending different attributes.

The working one (I selected some attributes only):

NAS-Identifier = intraswitch
NAS-IP-Address = 1.2.3.4
3GPP2-Prepaid-acct-Capability = 0x01060002
3GPP2-Session-Termination-Capability = 1
h323-conf-id = h323-conf-id=1292574457509
Vendor-Specific = 0x0009

the non working one

Called-Station-Id = 38651357952
Cisco-AVPair = h323-called-enterprise-id=External
h323-remote-address = h323-remote-address=unknown
Acct-Session-Id = 129257445750920
h323-conf-id = h323-conf-id=1292574457509
h323-incoming-conf-id = h323-incoming-conf-id=1292574457509
3GPP2-Prepaid-Acct-Quota = 0x0a06564f495008040002
Acct-Status-Type = One-Time
Message-Authenticator = 0x6f793daff586ab35701631c5f2a48d96

why is that? It almost seems like the request was made from two different NAS. In your question to centile people, it might help to also ask whether the device has more than one radius config section.

--
Fajar
RE: Voip database
Thank you very much for your help!!! I will ask them that and that I will report back!

Thanks guys!
miha

> Date: Tue, 21 Dec 2010 18:11:21 +0700
> Subject: Re: Voip database
> From: w...@fajar.net
> To: freeradius-users@lists.freeradius.org
>
> On Tue, Dec 21, 2010 at 3:52 PM, Miha Zoubek miha_zou...@hotmail.com wrote:
> > Believe me that I am asking centile people too. And to let you know I have begun asking centile.com before I made first post on this forum.
>
> I noticed from your earlier debug output that the NAS is sending different attributes.
>
> The working one (I selected some attributes only):
>
> NAS-Identifier = intraswitch
> NAS-IP-Address = 1.2.3.4
> 3GPP2-Prepaid-acct-Capability = 0x01060002
> 3GPP2-Session-Termination-Capability = 1
> h323-conf-id = h323-conf-id=1292574457509
> Vendor-Specific = 0x0009
>
> the non working one
>
> Called-Station-Id = 38651357952
> Cisco-AVPair = h323-called-enterprise-id=External
> h323-remote-address = h323-remote-address=unknown
> Acct-Session-Id = 129257445750920
> h323-conf-id = h323-conf-id=1292574457509
> h323-incoming-conf-id = h323-incoming-conf-id=1292574457509
> 3GPP2-Prepaid-Acct-Quota = 0x0a06564f495008040002
> Acct-Status-Type = One-Time
> Message-Authenticator = 0x6f793daff586ab35701631c5f2a48d96
>
> why is that? It almost seems like the request was made from two different NAS. In your question to centile people, it might help to also ask whether the device has more than one radius config section.
>
> --
> Fajar
Re: Voip database
2010 09:27:37 CET
Acct-Status-Type = One-Time
Message-Authenticator = 0x6f793daff586ab35701631c5f2a48d96
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = 081609000, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[pgsql-voip]expand: %{User-Name} - 081609000
[pgsql-voip] sql_set_user escaped user -- '081609000'
rlm_sql (pgsql-voip): Reserving sql socket id: 21
[pgsql-voip]expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id - SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '081609000' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 3 , fields = 5
[pgsql-voip] User found in radcheck table
[pgsql-voip]expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id - SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '081609000' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[pgsql-voip]expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority - SELECT GroupName FROM radusergroup WHERE UserName='081609000' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
[pgsql-voip]expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = '%{Sql-Group}' ORDER BY id - SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = 'dynamic' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[pgsql-voip] User found in group dynamic
[pgsql-voip]expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = '%{Sql-Group}' ORDER BY id - SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = 'dynamic' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 4 , fields = 5
rlm_sql (pgsql-voip): Released sql socket id: 21
++[pgsql-voip] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing MD5-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password ?Êw?
[pap] Using MD5 encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - 081609000
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 193 to 1.2.3.4 port 55121
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 1.2.3.4 port 55121, id=193, length=335
Sending duplicate reply to client intraswitch port 55121 - ID: 193
Sending Access-Reject of id 193 to 1.2.3.4 port 55121
Waking up in 3.9 seconds.
Cleaning up request 2 ID 139 with timestamp +728
Waking up in 1.0 seconds.
Cleaning up request 3 ID 193 with timestamp +728
Ready to process requests.
Re: Voip database
On 12/17/2010 08:58 AM, miha- wrote:
> Hello,
>
> in wireshark I can see now that the first request for access goes through but the second one for accounting is rejected. Can you help me out why? What about encryption?
>
> The secret on the nas server and on the radius is 100% same.

Lots of people say this, and they're always wrong:

> rad_recv: Access-Request packet from host 1.2.3.4 port 55121, id=193, length=335
> User-Name = 081609000
> User-Password = \022\312w\014

Does that look like a valid password to you?

> [pap] Normalizing MD5-Password from hex encoding
> [pap] WARNING: Auth-Type already set. Not setting to PAP
> ++[pap] returns noop
> Found Auth-Type = PAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group PAP {...}
> [pap] login attempt with password ?Êw?
> [pap] Using MD5 encryption.
> [pap] Passwords don't match
> ++[pap] returns reject
> Failed to authenticate the user.
> WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS!

Check it again. Change the shared-secret to something simple and new.
Re: Voip database
Hello,

this is user-name and password for phone that is registered on NAS. NAS is sending authentication to freeradius server.

Is not shared secret different thing? I have shared secret entered in clients.conf and in sql NAS table.

First he is trying with password 1122 for user name 081609000 and this is accepted:

+- entering group PAP {...}
[pap] login attempt with password 1122
[pap] Using MD5 encryption.
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post

Then he is trying with User-Password = \022\312w\014 but the password is set on 1122

Why?

Thank you

p.s.: if I try with radtest everything goes through!

miha

User-Password = \022\312w\014
Re: Voip database
miha- wrote:
> this is user-name and password for phone that is registered on NAS. NAS is sending authentication to freeradius server.

We all know that. Stating the obvious is not helpful.

> Is not shared secret different thing? I have shared secret entered in clients.conf and in sql NAS table.

In two places? Why?

And re-enter it on the NAS. *Not* clients.conf, and *not* SQL. You have been told this many times, and have totally failed to understand.

> First he is trying with password 1122 for user name 081609000 and this is accepted:
> ...
> Why?

You have been told.

If you're not going to follow instructions, you should stop posting messages to this list. If you keep posting the same messages, *everyone* here will ignore you.

Alan DeKok.
Re: Voip database
On 2010/12/17 11:41 AM, miha- wrote:
> Hello,
>
> this is user-name and password for phone that is registered on NAS. NAS is sending authentication to freeradius server.

Please do NOT confuse the shared secret and the password that the phone uses.

The shared secret is a secret between the NAS and Freeradius. The phone's password (in access-request) is encrypted using the shared secret.

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
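The relationship described in the message above, worked through as an added example (not part of the original thread and not FreeRADIUS code): User-Password hiding per RFC 2865 section 5.2, seen from the server side, to show which failures produce the "unprintable characters" symptom from the debug logs. The Request Authenticator, the mistyped secret, the unhidden-cleartext client behaviour and all function names are constructed assumptions.

```python
import hashlib


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """NAS side: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    if len(request_auth) != 16 or len(password) > 128:
        raise ValueError("need a 16-byte authenticator and a password of at most 128 bytes")
    padded = password + bytes(-len(password) % 16)
    if not padded:                      # an empty password still occupies one block
        padded = bytes(16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the same XOR, keyed with the server's own copy of the secret."""
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("User-Password must be 16..128 bytes in 16-byte blocks")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")


def has_unprintable(decoded: bytes) -> bool:
    """Heuristic behind the debug warning: any byte outside printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in decoded)


def server_view(field: bytes, server_secret: bytes, request_auth: bytes, stored: bytes) -> str:
    """Classify what the server sees after decoding the received field."""
    decoded = unhide_password(field, server_secret, request_auth)
    if decoded == stored:
        return "match"
    return "mismatch, unprintable" if has_unprintable(decoded) else "mismatch, printable"


# Constructed values: the secret and password strings follow the thread, the rest is made up.
RA = bytes(range(16))
SECRET = b"1122"          # shared secret configured on the server
STORED = b"1122"          # the phone's password in radcheck

CASES = {
    # NAS and server agree on the secret, user typed the right password.
    "same secret": hide_password(b"1122", SECRET, RA),
    # NAS configured with a mistyped secret (constructed typo).
    "secret mismatch": hide_password(b"1122", b"1l22", RA),
    # Assumed client behaviour: field filled with padded cleartext, not hidden at all.
    "field not hidden": b"1122" + bytes(12),
    # Secrets agree, but the user supplied a different password.
    "wrong password": hide_password(b"9999", SECRET, RA),
}

if __name__ == "__main__":
    for name, field in CASES.items():
        print(f"{name:18} -> {server_view(field, SECRET, RA, STORED)}")
```

Two different faults decode to unprintable bytes, so the warning alone cannot tell a mistyped secret from a client that encodes the field some other way; a merely wrong password decodes cleanly.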
RE: Voip database
Hello,

I have tried with radtest from other server with the same configuration: I get this (this is ok):

pap] returns noop
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password 12345
[pap] Using clear text password 12345
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 57 to 1.2.3.4 port 56067
Framed-Compression := Van-Jacobson-TCP-IP
Framed-Protocol := PPP
Service-Type := Framed-User
Finished request 0.
Going to the next req

When I try with same configuration from NAS I get: I guess that is something wrong with my NAS?

+[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password áø{k?
[pap] Using clear text password 12345
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS!

Thank you!!!

> Date: Wed, 8 Dec 2010 16:42:36 +0100
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Voip database
>
> Miha Zoubek wrote:
> > Ok, if I set operation := I get this ( secret is 100% right)
>
> Sorry... changing the contents of the radcheck table has *no* effect on the shared secret for the client.
>
> Something else is going on. Since you previously butchered the default configuration and broke it, my guess would be that you've broken something else, too.
>
> Alan DeKok.
Re: Voip database
On Thu, Dec 9, 2010 at 3:51 PM, Miha Zoubek miha_zou...@hotmail.com wrote:
> When I try with same configuration from NAS I get:
> I guess that is something wrong with my NAS?
>
> [pap] login attempt with password áø{k?
> [pap] Using clear text password 12345
> [pap] Passwords don't match
> ++[pap] returns reject
> Failed to authenticate the user.
> WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!

Did you read Alan's response?
Did you read the big WARNING?
Did you double-check both the settings on your NAS and radius to make sure shared secret is correct?
Did you make sure that you set the shared secret in the correct place (most people set it on clients.conf, but some configs allow the client list to be stored in database)?
Did you try restarting both radius and the NAS, as a last step to make sure that they read the correct shared secret settings, just in case you just change it but forgot to restart/reload?

--
Fajar
Re: Voip database
On Wed, Dec 8, 2010 at 2:55 PM, Miha Zoubek miha_zou...@hotmail.com wrote:
> I have replace voip-postpaid.conf with new one but still the same.
>
> In this configuration file (voip-postpaid.conf) is written:
>
> uthcheck_table = radcheck
> authreply_table = radreply
> groupcheck_table = radgroupcheck
> groupreply_table = radgroupreply
> usergroup_table = radusergroup

Perhaps we started on the wrong assumptions. What do you intend to use postgresql for? Is it
(a) only to store accounting data, or
(b) to store user names/password AND accounting data

If it's (a), then there should be nothing wrong with your first config. You simply need to place user data for 081609000 in whatever database you choose (whether it's users file, or something else). The error could simply be because you haven't defined that user yet.

If it's (b), then you need to forget for a moment that you're using it for voip. It doesn't really matter with regards to the problem you're facing. Get freeradius working with postgresql first. Your debug log says

authorize_check_query =
authorize_group_check_query =
authorize_group_reply_query =

when they should not be empty. Fix that first. Worry about the rest later, after you fix that.

The easiest way to do that, IMHO, is forget about voip-postpaid.conf and cisco_h323_db_schema.sql for the moment. Stick to the default sql.conf, sql/postgresql/dialup.conf, and sql/postgresql/schema.sql. AFTER you get it to work, then you can try to get that particular conf and sql scheme working. Perhaps the author might be able to help.

The default sql.conf/dialup.conf and schema should work for voip or whatever. Probably not as efficient, but it'd still work.

--
Fajar
RE: Voip database
Thank you for your help!

I included dialup.conf in voip-postpaid.conf. Now I getting different error:

I have put this in tables:

Nas: nasname: intraswitch, shortname: intraswitch, type: other, port: 1812: secret: b, server: 1.2.3.4 (ip server), and for community and description null
Radcheck: id: 1, username: 081609000, attribute: Cleartext-Password, Value: 12345, op: :=
Radreply: id:1 , username: 081609000: attribute: Fall-Through, op: =, value: yes

Thank you!

ecv: Access-Request packet from host 212.13.228.58 port 38380, id=198, length=206
Acct-Multi-Session-Id = 1291817780502
Cisco-Attr-130 = 0x683332332d63616c6c696e672d656e74657270726973652d69643d656e74504258
Calling-Station-Id = 81609000
NAS-Identifier = intraswitch
NAS-IP-Address = 212.13.228.58
3GPP2-Prepaid-acct-Capability = 0x01060002
3GPP2-Session-Termination-Capability = 1
h323-conf-id = h323-conf-id=1291817780502
Vendor-Specific = 0x0009
Event-Timestamp = Dec 8 2010 15:16:20 CET
User-Name = 081609000
User-Password = 12345
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = 081609000, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[pgsql-voip]expand: %{User-Name} - 081609000
[pgsql-voip] sql_set_user escaped user -- '081609000'
rlm_sql (pgsql-voip): Reserving sql socket id: 24
[pgsql-voip] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id - SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '081609000' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[pgsql-voip]expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority - SELECT GroupName FROM radusergroup WHERE UserName='081609000' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
rlm_sql (pgsql-voip): Released sql socket id: 24
[pgsql-voip] User 081609000 not found
++[pgsql-voip] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - 081609000
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 212.13.228.58 port 38380, id=198, length=206
Waiting to send Access-Reject to client intraswitch port 38380 - ID: 198
Sending delayed reject for request 0
Sending Access-Reject of id 198 to 212.13.228.58 port 38380
Waking up in 4.9 seconds.

> Date: Wed, 8 Dec 2010 16:29:27 +0700
> Subject: Re: Voip database
> From: w...@fajar.net
> To: freeradius-users@lists.freeradius.org
>
> On Wed, Dec 8, 2010 at 2:55 PM, Miha Zoubek miha_zou...@hotmail.com wrote:
> > I have replace voip-postpaid.conf with new one but still the same.
> >
> > In this configuration file (voip-postpaid.conf) is written:
> >
> > uthcheck_table = radcheck
> > authreply_table = radreply
> > groupcheck_table = radgroupcheck
> > groupreply_table = radgroupreply
> > usergroup_table = radusergroup
>
> Perhaps we started on the wrong assumptions. What do you intend to use postgresql for? Is it
> (a) only to store accounting data, or
> (b) to store user names/password AND accounting data
>
> If it's (a), then there should be nothing wrong with your first config. You simply need to place user data for 081609000 in whatever database you choose (whether it's users file, or something else). The error could simply be because you haven't defined that user yet.
>
> If it's (b), then you need to forget for a moment that you're using it for voip. It doesn't really matter with regards to the problem you're facing. Get freeradius working with postgresql first. Your debug log says
>
> authorize_check_query =
> authorize_group_check_query =
> authorize_group_reply_query =
>
> when they should not be empty. Fix that first. Worry about the rest later, after you fix that.
>
> The easiest way to do that, IMHO, is forget about voip-postpaid.conf and cisco_h323_db_schema.sql for the moment. Stick to the default sql.conf, sql/postgresql/dialup.conf, and sql/postgresql/schema.sql. AFTER you get it to work
RE: Voip database
Ok, if I set operation := I get this (secret is 100% right)

rlm_sql_postgresql: query affected rows = 3 , fields = 5
rlm_sql (pgsql-voip): Released sql socket id: 11
++[pgsql-voip] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password ûñ±?
[pap] Using clear text password 12345
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - 081609000
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated

From: miha_zou...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: RE: Voip database
Date: Wed, 8 Dec 2010 14:22:10 +

Thank you for your help! I included dialup.conf in voip-postpaid.conf. Now I am getting a different error.

I have put this in the tables:

Nas: nasname: intraswitch, shortname: intraswitch, type: other, port: 1812, secret: b, server: 1.2.3.4 (ip server), and for community and description null
Radcheck: id: 1, username: 081609000, attribute: Cleartext-Password, Value: 12345, op: :=
Radreply: id: 1, username: 081609000, attribute: Fall-Through, op: =, value: yes

Thank you!
Re: Voip database
Miha Zoubek wrote:
> Ok, if I set operation := I get this ( secret is 100% right)

Sorry... changing the contents of the radcheck table has *no* effect on the shared secret for the client.

Something else is going on. Since you previously butchered the default configuration and broke it, my guess would be that you've broken something else, too.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Voip database
{
    type = auth
    ipaddr = 127.0.0.1
    port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 1.2.3.4 port 60513, id=144, length=206
    Acct-Multi-Session-Id = 1291717568337
    Cisco-Attr-130 = 0x683332332d63616c6c696e672d656e74657270726973652d69643d656e74504258
    Calling-Station-Id = 81609000
    NAS-Identifier = intraswitch
    NAS-IP-Address = 1.2.3.4
    3GPP2-Prepaid-acct-Capability = 0x01060002
    3GPP2-Session-Termination-Capability = 1
    h323-conf-id = h323-conf-id=1291717568337
    Vendor-Specific = 0x0009
    Event-Timestamp = Dec 7 2010 11:26:08 CET
    User-Name = 081609000
    User-Password = 12345
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = 081609000, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - 081609000
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Re: Voip database
On Tue, Dec 7, 2010 at 5:27 PM, miha- miha_zou...@hotmail.com wrote:
> Hello, I need a little help:) I am setting radius for voip. I comment sql in default file (authorize, Authentication)

What do you mean you comment sql? You DO know that for it to be used, the sql module needs to be configured correctly, AND it needs to be used on authorize and authentication section, right?

> Module: Instantiating module pgsql-voip from file /etc/raddb/sql/postgresql/voip-postpaid.conf
> sql pgsql-voip {

Looks like the module is instantiated correctly.

> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = 081609000, looking up realm NULL
> [suffix] No such realm NULL
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
> Failed to authenticate the user.
> Using Post-Auth-Type Reject

Do you have pgsql-voip line on your authorize and authenticate sections? Looks like you don't.

--
Fajar
Re: Voip database
I have uncommented only this

# Cisco VoIP specific bulk accounting
pgsql-voip

under accounting section. I have not found it under authorize and authenticate. Must I put it there?

Thanks!
Re: Voip database
On Tue, Dec 7, 2010 at 9:17 PM, miha- miha_zou...@hotmail.com wrote:
> I have uncommented only this
> # Cisco VoIP specific bulk accounting
> pgsql-voip
> under accounting section. I have not found it under authorize and authenticate. Must I put it there?

On second thought, you might not need it in authenticate. You'd need it in authorize and authenticate.

Basically it depends on what you're trying to do. If you want to use users and password stored in sql database, then you need it on authorize section. If you want to log accounting entries in sql database, then you need it on accounting section.

Look at the original /etc/raddb/sites-enabled/default that comes with your distro, and see where it puts sql line.

--
Fajar
Re: Voip database
On Tue, Dec 7, 2010 at 9:24 PM, Fajar A. Nugraha w...@fajar.net wrote:
> On Tue, Dec 7, 2010 at 9:17 PM, miha- miha_zou...@hotmail.com wrote:
>> I have uncommented only this
>> # Cisco VoIP specific bulk accounting
>> pgsql-voip
>> under accounting section. I have not found it under authorize and authenticate. Must I put it there?
>
> On second thought, you might not need it in authenticate. You'd need it in authorize and authenticate.

I meant to say authorize and accounting.

--
Fajar
Re: Voip database
On Tue, Dec 7, 2010 at 9:39 PM, Miha Zoubek miha_zou...@hotmail.com wrote:
> I put it there but still the same problem:

No, it's not. It's a different problem. Look at the debug log you posted and you'll see it's a different problem altogether.

> [pgsql-voip] expand: %{User-Name} - 081609000
> [pgsql-voip] sql_set_user escaped user -- '081609000'
> rlm_sql (pgsql-voip): Reserving sql socket id: 24
> [pgsql-voip] expand: -
> [pgsql-voip] Error generating query; rejecting user

I'd focus on the last two lines. If the contents of your sql conf file contains something like this (as shown in your previous debug)

authorize_check_query =
authorize_group_check_query =
authorize_group_reply_query =

then the simple answer is you broke the config. Look at the original .conf file that comes with the distro/freeradius source (should be dialup.conf or some other file under /etc/raddb/sql or its subdirectory).

--
Fajar
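Both failures discussed in this part of the thread, the pgsql-voip instance being listed only under accounting and the empty authorize_*_query settings, can be checked offline before the next debug run. This is an added example, not part of the thread or of FreeRADIUS: the two configuration excerpts are constructed, and the helper names are hypothetical.

```python
import re

# Constructed excerpt in the style of /etc/raddb/sites-enabled/default.
SITE_DEFAULT = """
authorize {
    preprocess
    suffix
#   pgsql-voip
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
}
accounting {
    detail
    pgsql-voip
}
"""

# Constructed excerpt of an sql module instance with two queries left empty.
SQL_MODULE = """
sql pgsql-voip {
    authcheck_table = "radcheck"
    authorize_check_query = ""
    authorize_group_check_query =
    authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
}
"""

def sections_using(module: str, site_conf: str) -> list:
    """Top-level sections that list `module` on an uncommented line."""
    found, section, depth = [], None, 0
    for raw in site_conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.endswith("{"):
            if depth == 0:
                section = line[:-1].strip()
            depth += 1
        elif line == "}":
            depth -= 1
        elif line.split()[0] == module and section not in found:
            found.append(section)
    return found

def empty_queries(module_conf: str) -> list:
    """Names of *_query settings whose value is missing or an empty string."""
    pattern = r'^[ \t]*(\w+_query)[ \t]*=[ \t]*(?:""|\'\')?[ \t]*$'
    return [m.group(1) for m in re.finditer(pattern, module_conf, re.M)]

if __name__ == "__main__":
    print("pgsql-voip is used in:", sections_using("pgsql-voip", SITE_DEFAULT))
    print("empty queries:", empty_queries(SQL_MODULE))
```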
RE: Voip database
I have replaced voip-postpaid.conf with new one but still the same. In this configuration file (voip-postpaid.conf) is written:

authcheck_table = radcheck
authreply_table = radreply
groupcheck_table = radgroupcheck
groupreply_table = radgroupreply
usergroup_table = radusergroup

But in readme file is written that I must import cisco_h323_db_schema.sql in postgresql. In this schema (cisco_h323_db_schema.sql) there is no radcheck or radreply, only startvoip, etc.

Thank you very much for your help!!!

miha

Date: Tue, 7 Dec 2010 22:43:32 +0700
Subject: Re: Voip database
From: w...@fajar.net
To: freeradius-users@lists.freeradius.org

On Tue, Dec 7, 2010 at 9:39 PM, Miha Zoubek miha_zou...@hotmail.com wrote:
> I put it there but still the same problem:

No, it's not. It's a different problem. Look at the debug log you posted and you'll see it's a different problem altogether.

> [pgsql-voip] expand: %{User-Name} - 081609000
> [pgsql-voip] sql_set_user escaped user -- '081609000'
> rlm_sql (pgsql-voip): Reserving sql socket id: 24
> [pgsql-voip] expand: -
> [pgsql-voip] Error generating query; rejecting user

I'd focus on the last two lines. If the contents of your sql conf file contains something like this (as shown in your previous debug)

authorize_check_query =
authorize_group_check_query =
authorize_group_reply_query =

then the simple answer is you broke the config. Look at the original .conf file that comes with the distro/freeradius source (should be dialup.conf or some other file under /etc/raddb/sql or its subdirectory).

--
Fajar