Re: Voip database
] returns ok
[suffix] No '@' in User-Name = 081609000, looking up realm NULL [suffix]
No such realm NULL ++[suffix] returns noop ++[files] returns noop
Executing section accounting from file /etc/raddb/sites-enabled/default +-
entering group accounting {...} [detail] expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -
/var/log/radius/radacct/212.13.228.58/detail-20110110 [detail]
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to
/var/log/radius/radacct/212.13.228.58/detail-20110110 [detail] expand: %t -
Mon Jan 10 09:32:58 2011 ++[detail] returns ok ++[unix] returns noop
[radutmp] expand: /var/log/radius/radutmp - /var/log/radius/radutmp
[radutmp] expand: %{User-Name} - 081609000 rlm_radutmp: No NAS-Port seen.
Cannot do anything. rlm_radumtp: WARNING: checkrad will probably not work!
++[radutmp] returns noop ++[exec] returns noop
[attr_filter.accounting_response] expand: %{User-Name} - 081609000
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated Sending
Accounting-Response of id 3 to 212.13.228.58 port 35277 Finished request 4.
Cleaning up request 4 ID 3 with timestamp +13 Going to the next request
Waking up in 4.9 seconds. Cleaning up request 3 ID 66 with timestamp +13
Ready to process requests.
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/Voip-database-tp3295546p3334843.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
On Tue, Jan 4, 2011 at 2:40 PM, miha- miha_zou...@hotmail.com wrote: Currently, there is a password matching issue because the User-Password encoding is different during the Authentication from the Authorization. During the Authentication step, the Centile's radius client send a User-Password encrypted with the secret. But during the Authorization step, we don't expect the Radius server to check again this password (which is sent anyway, I don't know if this is a bug or if it is required by Eyebill...). So they deliberately do NOT encrypt password with the secret? That's just silly. They need to fix it. The Authorization request contains the attribute Acct-Status-Type with the value 17 that means authorize only. Shouldn't it be RADIUS Attribute 6, Service-Type? http://www.ietf.org/assignments/radius-types/radius-types.xml It also contains the attribute Message-Authenticator with the digest value. So Freeradius should use those two attributes to accept or reject the request instead of the User-Name and User-Password. If only pap is involved (which, from your debug log seems to be the case), you might be able to play with unlang and set Auth-Type := Accept for certain conditions (e.g. check whether Message-Authenticator exists, and whether it matches a certain value). http://wiki.freeradius.org/index.php/FAQ#How_do_I_permit_access_to_any_user_regardless_of_password.3F http://freeradius.org/radiusd/man/unlang.html -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
miha- wrote: Hello, I got answere what should I do that the freeradius will work with centile. Can you help me out where can I customized this settings? ... Currently, there is a password matching issue because the User-Password encoding is different during the Authentication from the Authorization. The vendor's behavior is idiotic. Throw their software in the garbage, and buy something that works. Go ask them how to make FreeRADIUS work with their product that violates the RADIUS specifications. It's not our problem. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
Hello, I got answere what should I do that the freeradius will work with centile. Can you help me out where can I customized this settings? Thanks!!! miha Currently, there is a password matching issue because the User-Password encoding is different during the Authentication from the Authorization. During the Authentication step, the Centile's radius client send a User-Password encrypted with the secret. But during the Authorization step, we don't expect the Radius server to check again this password (which is sent anyway, I don't know if this is a bug or if it is required by Eyebill...). The Authorization request contains the attribute Acct-Status-Type with the value 17 that means authorize only. It also contains the attribute Message-Authenticator with the digest value. So Freeradius should use those two attributes to accept or reject the request instead of the User-Name and User-Password. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Voip-database-tp3295546p3326679.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Voip database
Hello :)
I got this from centile guys?
I am now installing freeradius on different server with different equipment
to see which section (equipment) is adding this fields to massagas.
I have only one quastion. I am running freeradius on ESXi as a Vmware
machine. Could this be the cause of the problem?
THanks!!!
According to the log, first step is done correctly.
Issue is located on the second request, due to password received:
User-Password = {
It seems that Radius server receives a request which is not formatted
correctly.
Do you have any equipment used as proxy between IntraSwitch and Radius ?
Some fields not provided by IntraSwitch are added into messages as the
following:
Cisco-Attr-130 =
0x683332332d63616c6c696e672d656e74657270726973652d69643d656e74504258
Do you have a specific architecture which would cause such behavior ?
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/Voip-database-tp3295546p3319133.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
miha- wrote: I got this from centile guys? shrug It changes nothing. The shared secret is still wrong, and no amount of email back and forth changes that. I have only one quastion. I am running freeradius on ESXi as a Vmware machine. Could this be the cause of the problem? No. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
Thank you @Johan Meiring for that.
It is not my intend to spam the group and asking same question again and
again. Belive me that I have done everything that you said (I changed secret
on the NAS and ond the radius and I restarted both,...).
So please help me out with this problem.
I can see that the secret is wrong. But why?
First request goes through:
+- entering group PAP {...}
[pap] login attempt with password 1122
[pap] Using clear text password 1122
[pap] User authenticated successfully
But the second what is rejected due to wrong secret.
User-Name = 081609000
User-Password = \257+\360\350
[pap] login attempt with password ¯+ðè
[pap] Using clear text password 1122
[pap] Passwords don't match
SO this I am asking. If the first time secret is right and for the second
request is wrong. Could the different encryption (the is sending nas) is
causing the problem?
I have also looked at the AVP pairs that the freeradius is sending to nas.
IF I looked at the AVP pairs which are send from our radius (Ibill solution)
to NAS I see that the freeradius is not sending all AVP pairs.
Could this be cause of problem?
I am realy greadful for you help!
miha
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/Voip-database-tp3295546p3313123.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
On 2010/12/21 10:01 AM, miha- wrote:
Thank you @Johan Meiring for that.
It is not my intend to spam the group and asking same question again and
again. Belive me that I have done everything that you said (I changed secret
on the NAS and ond the radius and I restarted both,...).
So please help me out with this problem.
I can see that the secret is wrong. But why?
First request goes through:
+- entering group PAP {...}
[pap] login attempt with password 1122
[pap] Using clear text password 1122
[pap] User authenticated successfully
But the second what is rejected due to wrong secret.
User-Name = 081609000
User-Password = \257+\360\350
[pap] login attempt with password ¯+ðè
[pap] Using clear text password 1122
[pap] Passwords don't match
SO this I am asking. If the first time secret is right and for the second
request is wrong. Could the different encryption (the is sending nas) is
causing the problem?
Answer the following:
1) What is the NAS's IP?
2) Post the section in clients.conf defining the NAS
3) Post the NAS config.
--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
1.
My ip 1.2.3.4 (if will not post right one for security reasons)
2. Configuration on NAS
##- Activate RADIUS connection
setProperty com.centile.connectors.aaa.watchdog.enable false
setProperty com.centile.connectors.aaa radius
setProperty com.centile.connectors.aaa.localserv intraswitch
setProperty com.centile.connectors.aaa.localpass 1122
setProperty com.centile.connectors.aaa.remotserv 1.2.3.5 (ip of freeradius)
setProperty com.centile.connectors.aaa.remotport 1812
setProperty com.centile.connectors.aaa.calltype any
3. clients.conf
client 1.2.3.4 (ip nas) {
secret = 1122
shortname = intraswitch
nastype = cisco
# require_message_authenticator = no
}
Thanks
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/Voip-database-tp3295546p3313149.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
miha- wrote: ##- Activate RADIUS connection setProperty com.centile.connectors.aaa.watchdog.enable false setProperty com.centile.connectors.aaa radius setProperty com.centile.connectors.aaa.localserv intraswitch setProperty com.centile.connectors.aaa.localpass 1122 setProperty com.centile.connectors.aaa.remotserv 1.2.3.5 (ip of freeradius) setProperty com.centile.connectors.aaa.remotport 1812 setProperty com.centile.connectors.aaa.calltype any Go ask the centile.com people why their RADIUS client doesn't work. It is *not* our problem. FreeRADIUS works with Cisco, Juniper, HP, SIP servers, firewalls, switches, routers, open source, closed source, etc. Let me guess: in all of your time taken posting to this list, you haven't bothered asking the centile.com people any questions. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Voip database
Belive me that I am asking centile people to. And to let you know I have begun asking centile.com before I made first post on this forum. thanks! Date: Tue, 21 Dec 2010 09:44:47 +0100 From: al...@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: Voip database miha- wrote: ##- Activate RADIUS connection setProperty com.centile.connectors.aaa.watchdog.enable false setProperty com.centile.connectors.aaa radius setProperty com.centile.connectors.aaa.localserv intraswitch setProperty com.centile.connectors.aaa.localpass 1122 setProperty com.centile.connectors.aaa.remotserv 1.2.3.5 (ip of freeradius) setProperty com.centile.connectors.aaa.remotport 1812 setProperty com.centile.connectors.aaa.calltype any Go ask the centile.com people why their RADIUS client doesn't work. It is *not* our problem. FreeRADIUS works with Cisco, Juniper, HP, SIP servers, firewalls, switches, routers, open source, closed source, etc. Let me guess: in all of your time taken posting to this list, you haven't bothered asking the centile.com people any questions. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
Miha Zoubek wrote: Belive me that I am asking centile people to. And to let you know I have begun asking centile.com before I made first post on this forum. OK, that's better. But FreeRADIUS works. It really does. Try it with ntradping on another machine. There *only* issues are with the centile.com NAS. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
On 2010/12/21 10:26 AM, miha- wrote: ##- Activate RADIUS connection setProperty com.centile.connectors.aaa.watchdog.enable false setProperty com.centile.connectors.aaa radius setProperty com.centile.connectors.aaa.localserv intraswitch setProperty com.centile.connectors.aaa.localpass 1122 setProperty com.centile.connectors.aaa.remotserv 1.2.3.5 (ip of freeradius) setProperty com.centile.connectors.aaa.remotport 1812 setProperty com.centile.connectors.aaa.calltype any I nothing of centile. Alan is right that you need to ask them.. But, my logic says that you need a line similar to the following on your centile NAS. setProperty com.centile.connectors.aaa.remotepass 1122 ^^ -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
On Tue, Dec 21, 2010 at 3:52 PM, Miha Zoubek miha_zou...@hotmail.com wrote: Belive me that I am asking centile people to. And to let you know I have begun asking centile.com before I made first post on this forum. I noticed from you earlier debug output that the NAS is sending different attributes. The working one (I selected some attributes only): NAS-Identifier = intraswitch NAS-IP-Address = 1.2.3.4 3GPP2-Prepaid-acct-Capability = 0x01060002 3GPP2-Session-Termination-Capability = 1 h323-conf-id = h323-conf-id=1292574457509 Vendor-Specific = 0x0009 the non working one Called-Station-Id = 38651357952 Cisco-AVPair = h323-called-enterprise-id=External h323-remote-address = h323-remote-address=unknown Acct-Session-Id = 129257445750920 h323-conf-id = h323-conf-id=1292574457509 h323-incoming-conf-id = h323-incoming-conf-id=1292574457509 3GPP2-Prepaid-Acct-Quota = 0x0a06564f495008040002 Acct-Status-Type = One-Time Message-Authenticator = 0x6f793daff586ab35701631c5f2a48d96 why is that? It almost seems like the request was made from two different NAS. In your question to centile people, it might help to also ask whether the device has more than one radius config section. -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Voip database
Thank you very much for you help!!! I will ask them that and that I will report back! Thanks guys! miha Date: Tue, 21 Dec 2010 18:11:21 +0700 Subject: Re: Voip database From: w...@fajar.net To: freeradius-users@lists.freeradius.org On Tue, Dec 21, 2010 at 3:52 PM, Miha Zoubek miha_zou...@hotmail.com wrote: Belive me that I am asking centile people to. And to let you know I have begun asking centile.com before I made first post on this forum. I noticed from you earlier debug output that the NAS is sending different attributes. The working one (I selected some attributes only): NAS-Identifier = intraswitch NAS-IP-Address = 1.2.3.4 3GPP2-Prepaid-acct-Capability = 0x01060002 3GPP2-Session-Termination-Capability = 1 h323-conf-id = h323-conf-id=1292574457509 Vendor-Specific = 0x0009 the non working one Called-Station-Id = 38651357952 Cisco-AVPair = h323-called-enterprise-id=External h323-remote-address = h323-remote-address=unknown Acct-Session-Id = 129257445750920 h323-conf-id = h323-conf-id=1292574457509 h323-incoming-conf-id = h323-incoming-conf-id=1292574457509 3GPP2-Prepaid-Acct-Quota = 0x0a06564f495008040002 Acct-Status-Type = One-Time Message-Authenticator = 0x6f793daff586ab35701631c5f2a48d96 why is that? It almost seems like the request was made from two different NAS. In your question to centile people, it might help to also ask whether the device has more than one radius config section. -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
2010 09:27:37 CET
Acct-Status-Type = One-Time
Message-Authenticator = 0x6f793daff586ab35701631c5f2a48d96
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = 081609000, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[pgsql-voip]expand: %{User-Name} - 081609000
[pgsql-voip] sql_set_user escaped user -- '081609000'
rlm_sql (pgsql-voip): Reserving sql socket id: 21
[pgsql-voip]expand: SELECT id, UserName, Attribute, Value, Op FROM
radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id - SELECT id,
UserName, Attribute, Value, Op FROM radcheck WHERE Username =
'081609000' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 3 , fields = 5
[pgsql-voip] User found in radcheck table
[pgsql-voip]expand: SELECT id, UserName, Attribute, Value, Op FROM
radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id - SELECT id,
UserName, Attribute, Value, Op FROM radreply WHERE Username =
'081609000' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[pgsql-voip]expand: SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority - SELECT GroupName FROM
radusergroup WHERE UserName='081609000' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
[pgsql-voip]expand: SELECT id, GroupName, Attribute, Value, op FROM
radgroupcheck WHERE GroupName = '%{Sql-Group}' ORDER BY id - SELECT id,
GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName =
'dynamic' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[pgsql-voip] User found in group dynamic
[pgsql-voip]expand: SELECT id, GroupName, Attribute, Value, op FROM
radgroupreply WHERE GroupName = '%{Sql-Group}' ORDER BY id - SELECT id,
GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName =
'dynamic' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 4 , fields = 5
rlm_sql (pgsql-voip): Released sql socket id: 21
++[pgsql-voip] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing MD5-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password ?Êw?
[pap] Using MD5 encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password.Double-check the
shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - 081609000
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 193 to 1.2.3.4 port 55121
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 1.2.3.4 port 55121, id=193,
length=335
Sending duplicate reply to client intraswitch port 55121 - ID: 193
Sending Access-Reject of id 193 to 1.2.3.4 port 55121
Waking up in 3.9 seconds.
Cleaning up request 2 ID 139 with timestamp +728
Waking up in 1.0 seconds.
Cleaning up request 3 ID 193 with timestamp +728
Ready to process requests.
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/Voip-database-tp3295546p3309116.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
On 12/17/2010 08:58 AM, miha- wrote:
Hello,
in wireshark I can see now that the first request for access goes throught
but the second one for accounting is rejected.
Can you help me out why?
What about encryption ? The secret on the nas server and on the radius is
100% same.
Lots of people say this, and they're always wrong:
rad_recv: Access-Request packet from host 1.2.3.4 port 55121, id=193,
length=335
User-Name = 081609000
User-Password = \022\312w\014
Does that look like a valid password to you?
[pap] Normalizing MD5-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password ?Êw?
[pap] Using MD5 encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password.Double-check the
shared secret on the server and the NAS!
Check it again. Change the shared-secret to something simple and new.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
Hello,
this is user-name and password for phone that is registered on NAS. NAS is
sending authentication to freeradius server.
Is not shared secret different thing? I have shared secret entered in
clients.conf and in sql NAS table.
First he is trying with password 1122 for user name 081609000 and this is
accepted:
+- entering group PAP {...}
[pap] login attempt with password 1122
[pap] Using MD5 encryption.
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post
Than he is trying with User-Password = \022\312w\014 but the password is
set on 1122
Why?
Thank you
p.s.: if I try with radtest everything goes throught!
miha
User-Password = \022\312w\014
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/Voip-database-tp3295546p3309176.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
miha- wrote: this is user-name and password for phone that is registered on NAS. NAS is sending authentication to freeradius server. We all know that. Stating the obvious is not helpful. Is not shared secret different thing? I have shared secret entered in clients.conf and in sql NAS table. In two places? Why? And re-enter it on the NAS. *Not* clients.conf, and *not* SQL. You have been told this many times, and have totally failed to understand. First he is trying with password 1122 for user name 081609000 and this is accepted: ... Why? You have been told. If you're not going to follow instructions, you should stop posting messages to this list. If you keep posting the same messages, *everyone* here will ignore you. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
On 2010/12/17 11:41 AM, miha- wrote: Hello, this is user-name and password for phone that is registered on NAS. NAS is sending authentication to freeradius server. Please do NOT confuse the shared secret and the password that the phone uses. The shares secret is a secret between the NAS and Freeradius. The Phones password (in access-request) is encrypted using the shared secret. -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Voip database
Hello,
I have tried with radtest from other server with the same configuration:I get
this (this is ok) :
pap] returns noopFound Auth-Type = PAP# Executing group from file
/etc/raddb/sites-enabled/default+- entering group PAP {...}[pap] login attempt
with password 12345[pap] Using clear text password 12345[pap] User
authenticated successfully++[pap] returns ok# Executing section post-auth from
file /etc/raddb/sites-enabled/default+- entering group post-auth {...}++[exec]
returns noopSending Access-Accept of id 57 to 1.2.3.4 port 56067
Framed-Compression := Van-Jacobson-TCP-IPFramed-Protocol := PPP
Service-Type := Framed-UserFinished request 0.Going to the next req
When I try with same configuration from NAS I get:I guss that is something
wrong with my NAS?
+[expiration] returns noop++[logintime] returns noop[pap] WARNING: Auth-Type
already set. Not setting to PAP++[pap] returns noopFound Auth-Type = PAP#
Executing group from file /etc/raddb/sites-enabled/default+- entering group PAP
{...}[pap] login attempt with password áø{k?[pap] Using clear text password
12345[pap] Passwords don't match++[pap] returns rejectFailed to authenticate
the user. WARNING: Unprintable characters in the password.Double-check
the shared secret on the server and the NAS!
Thank you!!!
Date: Wed, 8 Dec 2010 16:42:36 +0100
From: al...@deployingradius.com
To: freeradius-users@lists.freeradius.org
Subject: Re: Voip database
Miha Zoubek wrote:
Ok, if I set operation := I get this ( secret is 100% right)
Sorry... changing the contents of the radcheck table has *no* effect
on the shared secret for the client.
Something else is going on.
Since you previously butchered the default configuration and broke it,
my guess would be that you've broken something else, too.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
On Thu, Dec 9, 2010 at 3:51 PM, Miha Zoubek miha_zou...@hotmail.com wrote:
When I try with same configuration from NAS I get:
I guss that is something wrong with my NAS?
[pap] login attempt with password áø{k?
[pap] Using clear text password 12345
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the
shared secret on the server and the NAS!
Did you read Alan's response?
Did you read the big WARNING?
Did you double-check both the settings on your NAS and radius to make
sure shared secret is correct?
Did you make sure that you set the shared secret in the correct place
(most people set it on clients.conf, but some configs allow the client
list to be stored in database)?
Did you try restarting both radius and the NAS, as a last step to make
sure that they read the correct shared secret settings, just in case
you just change it but forgot to restart/reload?
--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
On Wed, Dec 8, 2010 at 2:55 PM, Miha Zoubek miha_zou...@hotmail.com wrote: I have replace voip-postpaid.conf with new one but still the same. I this configuration file (voip-postpaid.conf) is written: uthcheck_table = radcheck authreply_table = radreply groupcheck_table = radgroupcheck groupreply_table = radgroupreply usergroup_table = radusergroup Perhaps we started on the wrong assumptions. What do you intend to use postgresql for? Is it (a) only to store accounting data, or (b) to store user names/password AND accounting data if it's (a), then there should be nothing wrong with your first config. You simply need to place user data for 081609000 in whatever database you choose (whether it's users file, or something else). The error could simply be because you haven't define that user yet. If it's (b), then you need to forget for a moment that you're using it for voip. It doesn't really matter with regards to the problem you're facing. Get freeradius working with postgresql first. Your debug log says authorize_check_query = authorize_group_check_query = authorize_group_reply_query = when the they should not be empty. Fix that first. Worry about the rest later, after you fix that. The easiest way to do that, IMHO, is forget about voip-postpaid.conf and cisco_h323_db_schema.sql for the moment. Stick to the default sql.conf, sql/postgresql/dialup.conf, and sql/postgresql/schema.sql. AFTER you get it to work, then you can try to get that particular conf and sql scheme working. Perhaps the author might be able to help. The default sql.conf/dialup.conf and schema should work for voip or whatever. Probably not as efficient, but it'd still work. -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Voip database
Thank you for your help!
I included dailup.conf in voip-postpaid.conf.Now I getting different error:
I have put this in tables:
Nas: nasname: intraswitch, shortname: intraswitch, type: other, port: 1812:
sercet: b, server: 1.2.3.4 (ip server), nad for comunity and dicription
nullRadcheck: id: 1, username: 081609000, attribure: Cleartext-Password, Value:
12345, op: :=Radreply: id:1 , username: 081609000: atributte: Fall-Through, op:
=, vaule: yes
Thank you!
ecv: Access-Request packet from host 212.13.228.58 port 38380, id=198,
length=206Acct-Multi-Session-Id = 1291817780502Cisco-Attr-130
= 0x683332332d63616c6c696e672d656e74657270726973652d69643d656e74504258
Calling-Station-Id = 81609000NAS-Identifier = intraswitch
NAS-IP-Address = 212.13.228.583GPP2-Prepaid-acct-Capability =
0x010600023GPP2-Session-Termination-Capability = 1
h323-conf-id = h323-conf-id=1291817780502Vendor-Specific = 0x0009
Event-Timestamp = Dec 8 2010 15:16:20 CETUser-Name =
081609000User-Password = 12345# Executing section authorize from
file /etc/raddb/sites-enabled/default+- entering group authorize
{...}++[preprocess] returns ok++[chap] returns noop++[mschap] returns
noop++[digest] returns noop[suffix] No '@' in User-Name = 081609000, looking
up realm NULL[suffix] No such realm NULL++[suffix] returns noop[eap] No
EAP-Message, not doing EAP++[eap] returns noop[pgsql-voip]expand:
%{User-Name} - 081609000[pgsql-voip] sql_set_user escaped user --
'081609000'rlm_sql (pgsql-voip): Reserving sql socket id: 24[pgsql-voip]
expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE
Username = '%{SQL-User-Name}' ORDER BY id - SELECT id, UserName, Attribute,
Value, Op FROM radcheck WHERE Username = '081609000' ORDER BY
idrlm_sql_postgresql: Status: PGRES_TUPLES_OKrlm_sql_postgresql: query affected
rows = 1 , fields = 5[pgsql-voip]expand: SELECT GroupName FROM radusergroup
WHERE UserName='%{SQL-User-Name}' ORDER BY priority - SELECT GroupName FROM
radusergroup WHERE UserName='081609000' ORDER BY priorityrlm_sql_postgresql:
Status: PGRES_TUPLES_OKrlm_sql_postgresql: query affected rows = 0 , fields =
1rlm_sql (pgsql-voip): Released sql socket id: 24[pgsql-voip] User 081609000
not found++[pgsql-voip] returns notfound++[expiration] returns
noop++[logintime] returns noop[pap] WARNING! No known good password found for
the user. Authentication may fail because of this.++[pap] returns noopERROR:
No authenticate method (Auth-Type) found for the request: Rejecting the
userFailed to authenticate the user.Using Post-Auth-Type Reject# Executing
group from file /etc/raddb/sites-enabled/default+- entering group REJECT
{...}[attr_filter.access_reject] expand: %{User-Name} - 081609000
attr_filter: Matched entry DEFAULT at line 11++[attr_filter.access_reject]
returns updatedDelaying reject of request 0 for 1 secondsGoing to the next
requestWaking up in 0.9 seconds.rad_recv: Access-Request packet from host
212.13.228.58 port 38380, id=198, length=206Waiting to send Access-Reject to
client intraswitch port 38380 - ID: 198Sending delayed reject for request
0Sending Access-Reject of id 198 to 212.13.228.58 port 38380Waking up in 4.9
seconds.
Date: Wed, 8 Dec 2010 16:29:27 +0700
Subject: Re: Voip database
From: w...@fajar.net
To: freeradius-users@lists.freeradius.org
On Wed, Dec 8, 2010 at 2:55 PM, Miha Zoubek miha_zou...@hotmail.com wrote:
I have replace voip-postpaid.conf with new one but still the same.
I this configuration file (voip-postpaid.conf) is written:
uthcheck_table = radcheck
authreply_table = radreply
groupcheck_table = radgroupcheck
groupreply_table = radgroupreply
usergroup_table = radusergroup
Perhaps we started on the wrong assumptions.
What do you intend to use postgresql for? Is it
(a) only to store accounting data, or
(b) to store user names/password AND accounting data
if it's (a), then there should be nothing wrong with your first
config. You simply need to place user data for 081609000 in whatever
database you choose (whether it's users file, or something else).
The error could simply be because you haven't define that user yet.
If it's (b), then you need to forget for a moment that you're using it
for voip. It doesn't really matter with regards to the problem you're
facing. Get freeradius working with postgresql first.
Your debug log says
authorize_check_query =
authorize_group_check_query =
authorize_group_reply_query =
when the they should not be empty. Fix that first. Worry about the
rest later, after you fix that.
The easiest way to do that, IMHO, is forget about voip-postpaid.conf
and cisco_h323_db_schema.sql for the moment. Stick to the default
sql.conf, sql/postgresql/dialup.conf, and sql/postgresql/schema.sql.
AFTER you get it to work
RE: Voip database
Ok, if I set operation := I get this ( secret is 100% right)
_sql_postgresql: query affected rows = 3 , fields = 5rlm_sql (pgsql-voip):
Released sql socket id: 11++[pgsql-voip] returns ok++[expiration] returns
noop++[logintime] returns noop[pap] WARNING: Auth-Type already set. Not
setting to PAP++[pap] returns noopFound Auth-Type = PAP# Executing group from
file /etc/raddb/sites-enabled/default+- entering group PAP {...}[pap] login
attempt with password ûñ±?[pap] Using clear text password 12345[pap]
Passwords don't match++[pap] returns rejectFailed to authenticate the user.
WARNING: Unprintable characters in the password.Double-check the shared
secret on the server and the NAS!Using Post-Auth-Type Reject# Executing group
from file /etc/raddb/sites-enabled/default+- entering group REJECT
{...}[attr_filter.access_reject] expand: %{User-Name} - 081609000
attr_filter: Matched entry DEFAULT at line 11++[attr_filter.access_reject]
returns updated
From: miha_zou...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: RE: Voip database
Date: Wed, 8 Dec 2010 14:22:10 +
Thank you for your help!
I included dailup.conf in voip-postpaid.conf.Now I getting different error:
I have put this in tables:
Nas: nasname: intraswitch, shortname: intraswitch, type: other, port: 1812:
sercet: b, server: 1.2.3.4 (ip server), nad for comunity and dicription
nullRadcheck: id: 1, username: 081609000, attribure: Cleartext-Password, Value:
12345, op: :=Radreply: id:1 , username: 081609000: atributte: Fall-Through, op:
=, vaule: yes
Thank you!
ecv: Access-Request packet from host 212.13.228.58 port 38380, id=198,
length=206Acct-Multi-Session-Id = 1291817780502Cisco-Attr-130
= 0x683332332d63616c6c696e672d656e74657270726973652d69643d656e74504258
Calling-Station-Id = 81609000NAS-Identifier = intraswitch
NAS-IP-Address = 212.13.228.583GPP2-Prepaid-acct-Capability =
0x010600023GPP2-Session-Termination-Capability = 1
h323-conf-id = h323-conf-id=1291817780502Vendor-Specific = 0x0009
Event-Timestamp = Dec 8 2010 15:16:20 CETUser-Name =
081609000User-Password = 12345# Executing section authorize from
file /etc/raddb/sites-enabled/default+- entering group authorize
{...}++[preprocess] returns ok++[chap] returns noop++[mschap] returns
noop++[digest] returns noop[suffix] No '@' in User-Name = 081609000, looking
up realm NULL[suffix] No such realm NULL++[suffix] returns noop[eap] No
EAP-Message, not doing EAP++[eap] returns noop[pgsql-voip]expand:
%{User-Name} - 081609000[pgsql-voip] sql_set_user escaped user --
'081609000'rlm_sql (pgsql-voip): Reserving sql socket id: 24[pgsql-voip]
expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE
Username = '%{SQL-User-Name}' ORDER BY id - SELECT id, UserName, Attribute,
Value, Op FROM radcheck WHERE Username = '081609000' ORDER BY
idrlm_sql_postgresql: Status: PGRES_TUPLES_OKrlm_sql_postgresql: query affected
rows = 1 , fields = 5[pgsql-voip]expand: SELECT GroupName FROM radusergroup
WHERE UserName='%{SQL-User-Name}' ORDER BY priority - SELECT GroupName FROM
radusergroup WHERE UserName='081609000' ORDER BY priorityrlm_sql_postgresql:
Status: PGRES_TUPLES_OKrlm_sql_postgresql: query affected rows = 0 , fields =
1rlm_sql (pgsql-voip): Released sql socket id: 24[pgsql-voip] User 081609000
not found++[pgsql-voip] returns notfound++[expiration] returns
noop++[logintime] returns noop[pap] WARNING! No known good password found for
the user. Authentication may fail because of this.++[pap] returns noopERROR:
No authenticate method (Auth-Type) found for the request: Rejecting the
userFailed to authenticate the user.Using Post-Auth-Type Reject# Executing
group from file /etc/raddb/sites-enabled/default+- entering group REJECT
{...}[attr_filter.access_reject] expand: %{User-Name} - 081609000
attr_filter: Matched entry DEFAULT at line 11++[attr_filter.access_reject]
returns updatedDelaying reject of request 0 for 1 secondsGoing to the next
requestWaking up in 0.9 seconds.rad_recv: Access-Request packet from host
212.13.228.58 port 38380, id=198, length=206Waiting to send Access-Reject to
client intraswitch port 38380 - ID: 198Sending delayed reject for request
0Sending Access-Reject of id 198 to 212.13.228.58 port 38380Waking up in 4.9
seconds.
Date: Wed, 8 Dec 2010 16:29:27 +0700
Subject: Re: Voip database
From: w...@fajar.net
To: freeradius-users@lists.freeradius.org
On Wed, Dec 8, 2010 at 2:55 PM, Miha Zoubek miha_zou...@hotmail.com wrote:
I have replace voip-postpaid.conf with new one but still the same.
I this configuration file (voip-postpaid.conf) is written:
uthcheck_table = radcheck
authreply_table = radreply
groupcheck_table = radgroupcheck
groupreply_table = radgroupreply
usergroup_table = radusergroup
Perhaps we
Re: Voip database
Miha Zoubek wrote: Ok, if I set operation := I get this ( secret is 100% right) Sorry... changing the contents of the radcheck table has *no* effect on the shared secret for the client. Something else is going on. Since you previously butchered the default configuration and broke it, my guess would be that you've broken something else, too. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Voip database
{
type = auth
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 1.2.3.4 port 60513, id=144,
length=206
Acct-Multi-Session-Id = 1291717568337
Cisco-Attr-130 =
0x683332332d63616c6c696e672d656e74657270726973652d69643d656e74504258
Calling-Station-Id = 81609000
NAS-Identifier = intraswitch
NAS-IP-Address = 1.2.3.4
3GPP2-Prepaid-acct-Capability = 0x01060002
3GPP2-Session-Termination-Capability = 1
h323-conf-id = h323-conf-id=1291717568337
Vendor-Specific = 0x0009
Event-Timestamp = Dec 7 2010 11:26:08 CET
User-Name = 081609000
User-Password = 12345
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = 081609000, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - 081609000
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/Voip-database-tp3295546p3295546.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
On Tue, Dec 7, 2010 at 5:27 PM, miha- miha_zou...@hotmail.com wrote:
Hello,
I need a little help:) I am setting radius for voip. I comment sql in
default file (authorize, Authentication)
what do you mean you comment sql?
You DO know that for it to be used, the sql module needs to be
configured correctly, AND it needs to be used on authorize and
authentication section, right?
Module: Instantiating module pgsql-voip from file
/etc/raddb/sql/postgresql/voip-postpaid.conf
sql pgsql-voip {
looks like the module is instantiated correctly
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = 081609000, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
Do you have pgsql-voip line on your authorize and authenticate
sections? Looks like you don't.
--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
I have uncomment only this # Cisco VoIP specific bulk accounting pgsql-voip under accounting section. I have not found it under authorize and authenticate. Must I put it there? Thanks! -- View this message in context: http://freeradius.1045715.n5.nabble.com/Voip-database-tp3295546p3295827.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
On Tue, Dec 7, 2010 at 9:17 PM, miha- miha_zou...@hotmail.com wrote: I have uncomment only this # Cisco VoIP specific bulk accounting pgsql-voip under accounting section. I have not found it under authorize and authenticate. Must I put it there? On second thought, you might not need it in authenticate. You'd need it in authorize and authenticate. Basically it depends on what you're trying to do. If you want to use users and password stored in sql database, then you need it on authorize section. If you want to log accounting entries in sql database, then you need it on accounting section. Look at the original /etc/raddb/sites-enabled/default that comes with your distro, and see where it puts sql line. -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
On Tue, Dec 7, 2010 at 9:24 PM, Fajar A. Nugraha w...@fajar.net wrote: On Tue, Dec 7, 2010 at 9:17 PM, miha- miha_zou...@hotmail.com wrote: I have uncomment only this # Cisco VoIP specific bulk accounting pgsql-voip under accounting section. I have not found it under authorize and authenticate. Must I put it there? On second thought, you might not need it in authenticate. You'd need it in authorize and authenticate. I meant to say authorize and accounting. -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Voip database
On Tue, Dec 7, 2010 at 9:39 PM, Miha Zoubek miha_zou...@hotmail.com wrote:
I put it there but still the same problem:
No, it's not. It's a different problem. Look at the debug log you
posted and you'll see it's a different problem altogether.
[pgsql-voip] expand: %{User-Name} - 081609000
[pgsql-voip] sql_set_user escaped user -- '081609000'
rlm_sql (pgsql-voip): Reserving sql socket id: 24
[pgsql-voip] expand: -
[pgsql-voip] Error generating query; rejecting user
I'd focus on the last two lines.
If the contents of your sql conf file contains something like this
(as shown in your previous debug)
authorize_check_query =
authorize_group_check_query =
authorize_group_reply_query =
then the simple answer is you broke the config. Look at the original
.conf file that comes with the distro/freeradius source (should be
dialup.conf or some other file under /etc/raddb/sql or its
subdirectory).
--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Voip database
I have replace voip-postpaid.conf with new one but still the same.
I this configuration file (voip-postpaid.conf) is written:
uthcheck_table = radcheckauthreply_table = radreply
groupcheck_table = radgroupcheckgroupreply_table =
radgroupreply
usergroup_table = radusergroup
But in readme file is written that I must import cisco_h323_db_schema.sql in
postgresql.
In this shema (cisco_h323_db_schema.sql) there is no rad check or radreplay,
only startvoip, etc.
Thank you very much with your help!!!
miha
Date: Tue, 7 Dec 2010 22:43:32 +0700
Subject: Re: Voip database
From: w...@fajar.net
To: freeradius-users@lists.freeradius.org
On Tue, Dec 7, 2010 at 9:39 PM, Miha Zoubek miha_zou...@hotmail.com wrote:
I put it there but still the same problem:
No, it's not. It's a different problem. Look at the debug log you
posted and you'll see it's a different problem altogether.
[pgsql-voip]expand: %{User-Name} - 081609000
[pgsql-voip] sql_set_user escaped user -- '081609000'
rlm_sql (pgsql-voip): Reserving sql socket id: 24
[pgsql-voip]expand: -
[pgsql-voip] Error generating query; rejecting user
I'd focus on the last two lines.
If the contents of your sql conf file contains something like this
(as shown in your previous debug)
authorize_check_query =
authorize_group_check_query =
authorize_group_reply_query =
then the simple answer is you broke the config. Look at the original
.conf file that comes with the distro/freeradius source (should be
dialup.conf or some other file under /etc/raddb/sql or its
subdirectory).
--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
