RE: Re[6]: authentication with mysql and NAS type= other
Actually the 5.x GHz Extreme product is a fully 16e protocol, just not WiMax certified. The 4-Motion product is fully WiMax certified as you point out.

WiMax as a protocol uses EAP-TTLS/TLS and does not send the username in the outer tunnel. If you watch the debug you will see the username unencrypted in the inner-tunnel portion of the authentication.

David

From: freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org [mailto:freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org] On Behalf Of tolik_shavlov...@mail.ru
Sent: Thursday, December 08, 2011 2:34 AM
To: freeradius-users@lists.freeradius.org
Subject: Re[6]: authentication with mysql and NAS type= other

David, usually Alvarion WIMAX 802.16 is 4M products. Extreme is 802.16 standard but for non-WiMAX band = 5 GHz. All Alvarion hexes username, like [hidden email]

So, you just guess it was Extreme?))

07 December 2011, 20:33 from David Peterson-19 [via FreeRadius] [hidden email]:

I know it’s Extreme because we sell Alvarion WiMax for all of North America :)

Keepaliveusernameandpassword is a generic request coming from the BTS which can either be accepted or denied. Either response is fine.

The Extreme uses EAP-TTLS as does all WiMax so the username should be something like [hidden email]

David

From: freeradius-users-bounces+david.peterson=[hidden email] [mailto:freeradius-users-bounces+david.peterson=[hidden email]] On Behalf Of [hidden email]
Sent: Wednesday, December 07, 2011 11:03 AM
To: [hidden email]
Subject: Re[4]: authentication with mysql and NAS type= other

[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword'
[acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radacct/10.152.98.23/detail-20111206
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radacct/10.152.98.23/detail-20111206
[detail] expand: %t -> Tue Dec 6 17:57:06 2011
++[detail] returns ok
++[unix] returns fail
Finished request 247.
Cleaning up request 247 ID 56 with timestamp +1802
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 10.152.98.23 port 49154, id=177, length=181
    User-Name = KeepAliveUserNameAndPassword
    NAS-IP-Address = 10.152.98.23
    NAS-Port-Type = Wireless-802.16
    NAS-Port = 0
    Calling-Station-Id = \000\000\000\000\000
    NAS-Identifier = 1137128000
    WiMAX-GMT-Timezone-offset = 0
    Message-Authenticator = 0x892bc16577cd6753b2a7e0c0a3499523
    Acct-Session-Id = KeepAliveSessionId
    User-Password = KeepAliveUserNameAndPassword
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] expand: %{User-Name} -> KeepAliveUserNameAndPassword
[sql] sql_set_user escaped user -- 'KeepAliveUserNameAndPassword'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User KeepAliveUserNameAndPassword not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [KeepAliveUserNameAndPassword/KeepAliveUserNameAndPassword] (from client 10.152.98.23/16 port 0 cli ) === login and password are correct!

How did you know that it's Extreme by NAS identifier?

07 December 2011, 19:16 from David Peterson-19 [via FreeRadius] [hidden email]:

The only
Re[6]: authentication with mysql and NAS type= other
David, usually Alvarion WIMAX 802.16 is 4M products. Extreme is 802.16 standard but for non-WiMAX band = 5 GHz. All Alvarion hexes username, like 97697...@wimax.com

So, you just guess it was Extreme?))

07 December 2011, 20:33 from David Peterson-19 [via FreeRadius] ml-node+s1045715n5056216...@n5.nabble.com:

I know it’s Extreme because we sell Alvarion WiMax for all of North America :)

Keepaliveusernameandpassword is a generic request coming from the BTS which can either be accepted or denied. Either response is fine.

The Extreme uses EAP-TTLS as does all WiMax so the username should be something like [hidden email]

David

From: freeradius-users-bounces+david.peterson=[hidden email] [mailto:freeradius-users-bounces+david.peterson=[hidden email]] On Behalf Of [hidden email]
Sent: Wednesday, December 07, 2011 11:03 AM
To: [hidden email]
Subject: Re[4]: authentication with mysql and NAS type= other

[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword'
[acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radacct/10.152.98.23/detail-20111206
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radacct/10.152.98.23/detail-20111206
[detail] expand: %t -> Tue Dec 6 17:57:06 2011
++[detail] returns ok
++[unix] returns fail
Finished request 247.
Cleaning up request 247 ID 56 with timestamp +1802
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 10.152.98.23 port 49154, id=177, length=181
    User-Name = KeepAliveUserNameAndPassword
    NAS-IP-Address = 10.152.98.23
    NAS-Port-Type = Wireless-802.16
    NAS-Port = 0
    Calling-Station-Id = \000\000\000\000\000
    NAS-Identifier = 1137128000
    WiMAX-GMT-Timezone-offset = 0
    Message-Authenticator = 0x892bc16577cd6753b2a7e0c0a3499523
    Acct-Session-Id = KeepAliveSessionId
    User-Password = KeepAliveUserNameAndPassword
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] expand: %{User-Name} -> KeepAliveUserNameAndPassword
[sql] sql_set_user escaped user -- 'KeepAliveUserNameAndPassword'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User KeepAliveUserNameAndPassword not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [KeepAliveUserNameAndPassword/KeepAliveUserNameAndPassword] (from client 10.152.98.23/16 port 0 cli ) === login and password are correct!

How did you know that it's Extreme by NAS identifier?

07 December 2011, 19:16 from David Peterson-19 [via FreeRadius] [hidden email]:

The only requests I see are User-Name = KeepAliveUserNameAndPassword

This is just a keep-alive packet all Alvarion Extreme base stations send out. I do not see the CPE attempting to authenticate.

David

From: freeradius-users-bounces+david.peterson=[hidden email] [mailto:freeradius-users-bounces+david.peterson=[hidden email]] On Behalf Of [hidden email]
Sent: Wednesday, December 07, 2011 10:05 AM
To: [hidden email]
Subject: Re[2]: authentication with mysql and NAS type= other

here is debug:

ad_recv: Accounting-Request packet from host 10.152.98.23 port 49157, id=10, length=135
    User-Name = KeepAliveUserNameAndPassword
    NAS-IP-Address = 10.152.98.23
    NAS-Port-Type = Wireless-802.16
    NAS-Port = 0
    Calling-Station-Id = \000\000\000\000\000
    NAS-Identifier = 1137128000
    WiMAX-GMT-Timezone-offset = 0
    Acct-Status-Type = Stop
Re[6]: authentication with mysql and NAS type= other
Hi,

mysql> use freeradius;
Database changed
mysql> select * from radcheck;
+----+-----------------+--------------------+----+------------------+
| id | username        | attribute          | op | value            |
+----+-----------------+--------------------+----+------------------+
|  1 | user            | Password           | == | user             |
|  3 | t...@wimax.com  | Cleartext-Password | := | test             |
|  5 | te...@wimax.com | Cleartext-Password | := | test             |
| 10 | user            | Simultaneous-Use   | := | 1                |
|  8 | t...@wimax.com  | Framed-Filter-Id   | := | SP=data:MSF=data |
|  9 | te...@wimax.com | Framed-Filter-Id   | := | SP=data:MSF=data |
+----+-----------------+--------------------+----+------------------+

user is for WiFi test and tes1 is for WiMAX. All usernames are authenticated for WiFi. WiMAX cannot. I don't know why it uses username = 'KeepAliveUserNameAndPassword', like in the debug?? When I used users file in FR with the same usernames, it was ok. I really use same usernames for auth in my WiMAX CPEs.

07 December 2011, 20:17 from Fajar A. Nugraha l...@fajar.net:

On Wed, Dec 7, 2011 at 11:02 PM, tolik_shavlov...@mail.ru tolik_shavlov...@mail.ru wrote:
> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY id
> SELECT groupname FROM radusergroup WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY priority

What do you get when you execute those two queries in mysql directly?

> [sql] User KeepAliveUserNameAndPassword not found

the sql module says the user is not found. It doesn't lie.

> === login and password are correct!

And how did you know that? Did you setup the tables correctly? Hint: execute those two queries above.

--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Re[6]: authentication with mysql and NAS type= other
2011/12/8 Толик Шавловский tolik_shavlov...@mail.ru:
> Hi,
>
> mysql> use freeradius;
> Database changed
> mysql> select * from radcheck;
> +----+-----------------+--------------------+----+------------------+
> | id | username        | attribute          | op | value            |
> +----+-----------------+--------------------+----+------------------+
> |  1 | user            | Password           | == | user             |
> |  3 | t...@wimax.com  | Cleartext-Password | := | test             |
> |  5 | te...@wimax.com | Cleartext-Password | := | test             |
> | 10 | user            | Simultaneous-Use   | := | 1                |
> |  8 | t...@wimax.com  | Framed-Filter-Id   | := | SP=data:MSF=data |
> |  9 | te...@wimax.com | Framed-Filter-Id   | := | SP=data:MSF=data |
> +----+-----------------+--------------------+----+------------------+

There's no user called 'KeepAliveUserNameAndPassword'

> Wimax cannot. I don't know why it uses username = 'KeepAliveUserNameAndPassword', like in the debug??

Because the NAS sends it. If you think it shouldn't, examine the NAS config. Or ask the NAS vendor. The log doesn't lie.

Did you ACTUALLY test authentication with a client connecting to the NAS? Or did you just start up FR in debug mode and hope there would be a packet from the NAS?

--
Fajar
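
Added example, not part of the original thread or of FreeRADIUS: a small Python triage of radiusd -X output that checks what the replies keep asking about, namely whether a debug capture contains any Access-Request from a subscriber device or only the base station's keep-alive probe. The sample log is constructed (request 178 and its EAP-Message value are invented), and the labels bts-keepalive and eap-client are names chosen for this example.

```python
import re

KEEPALIVE_USER = "KeepAliveUserNameAndPassword"  # probe name from the thread's debug log

# Constructed sample: request 177 follows the thread's debug output, 178 is invented.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.152.98.23 port 49154, id=177, length=181
\tUser-Name = KeepAliveUserNameAndPassword
\tNAS-IP-Address = 10.152.98.23
\tUser-Password = KeepAliveUserNameAndPassword
[eap] No EAP-Message, not doing EAP
rad_recv: Access-Request packet from host 10.152.98.23 port 49154, id=178, length=96
\tUser-Name = "anonymous"
\tEAP-Message = 0x0201000e01616e6f6e796d6f7573
"""

HEADER = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
ATTR = re.compile(r"^\s+([\w-]+) = (.*)$")

def parse_requests(text):
    """Split radiusd -X output into received packets and their attributes."""
    requests, current = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = {"code": header.group(1), "host": header.group(2),
                       "id": int(header.group(3)), "attrs": {}}
            requests.append(current)
        elif current is not None:
            attr = ATTR.match(line)
            if attr:
                current["attrs"][attr.group(1)] = attr.group(2).strip('"')
            else:
                current = None  # first non-attribute line ends the packet dump
    return requests

def classify(request):
    """Label one request: base-station probe, EAP client, or other."""
    attrs = request["attrs"]
    if attrs.get("User-Name") == KEEPALIVE_USER:
        return "bts-keepalive"
    return "eap-client" if "EAP-Message" in attrs else "other"

def summarize(text):
    """Count Access-Requests per label; no 'eap-client' means no CPE ever tried."""
    counts = {}
    for request in parse_requests(text):
        if request["code"] == "Access-Request":
            label = classify(request)
            counts[label] = counts.get(label, 0) + 1
    return counts
```

Run against the capture posted in this thread, summarize would report only bts-keepalive entries, which matches the observation that the CPE never attempted to authenticate.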