RE: Re[6]: authentetication with mysql and NAS type= other

2011-12-08 Thread David Peterson
Actually the 5.x GHz Extreme product is a fully 16e protocol, just not WiMax 
certified.  The 4-Motion product is fully WiMax certified as you point out.

WiMax as a protocol uses EAP-TTLS/TLS and does not send the username in the 
outer tunnel.  If you watch the debug you will see the username unencrypted in 
the inner-tunnel portion of the authentication.

David

From: freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org 
[mailto:freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org]
 On Behalf Of tolik_shavlov...@mail.ru
Sent: Thursday, December 08, 2011 2:34 AM
To: freeradius-users@lists.freeradius.org
Subject: Re[6]: authentetication with mysql and NAS type= other

 

David,

usually Alvarion  WIMAX 802.16 is 4M products. Extreme is 802.16 standard but 
for nonWiMAX band = 5 GHz. All Alvarion hexes username, like [hidden email]

So, you just guess it was Extreme?))


07 December 2011, 20:33 from David Peterson-19 [via FreeRadius] [hidden email]:

I know it’s Extreme because we sell Alvarion WiMax for all of North America :)

Keepaliveusernameandpassword is a generic request coming from the BTS which can 
either be accepted or denied.  Either response is fine.

The Extreme uses EAP-TTLS as does all WiMax so the username should be something 
like [hidden email]

David

From: freeradius-users-bounces+david.peterson=[hidden email] 
[mailto:freeradius-users-bounces+david.peterson=[hidden email]] On Behalf Of 
[hidden email]
Sent: Wednesday, December 07, 2011 11:03 AM
To: [hidden email]
Subject: Re[4]: authentetication with mysql and NAS type= other

 

[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 
10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = 
KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword'
[acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm 
NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file 
/usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d - 
/var/log/radacct/10.152.98.23/detail-20111206
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to 
/var/log/radacct/10.152.98.23/detail-20111206
[detail] expand: %t - Tue Dec 6 17:57:06 2011
++[detail] returns ok
++[unix] returns fail
Finished request 247.
Cleaning up request 247 ID 56 with timestamp +1802
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 10.152.98.23 port 49154, id=177, 
length=181
User-Name = KeepAliveUserNameAndPassword
NAS-IP-Address = 10.152.98.23
NAS-Port-Type = Wireless-802.16
NAS-Port = 0
Calling-Station-Id = \000\000\000\000\000
NAS-Identifier = 1137128000
WiMAX-GMT-Timezone-offset = 0
Message-Authenticator = 0x892bc16577cd6753b2a7e0c0a3499523
Acct-Session-Id = KeepAliveSessionId
User-Password = KeepAliveUserNameAndPassword
# Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm 
NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] expand: %{User-Name} - KeepAliveUserNameAndPassword
[sql] sql_set_user escaped user -- 'KeepAliveUserNameAndPassword'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE 
username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, 
value, op FROM radcheck WHERE username = 'KeepAliveUserNameAndPassword' ORDER 
BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = 
'%{SQL-User-Name}' ORDER BY priority - SELECT groupname FROM radusergroup 
WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User KeepAliveUserNameAndPassword not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may 
fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the 
user
Failed to authenticate the user.
Login incorrect: [KeepAliveUserNameAndPassword/KeepAliveUserNameAndPassword] 
(from client 10.152.98.23/16 port 0 cli )

===
login and password are correct!

How did you know that it's Extreme by NAS identifier?


07 December 2011, 19:16 from David Peterson-19 [via FreeRadius] [hidden email]:

The only

Re[6]: authentetication with mysql and NAS type= other

2011-12-07 Thread tolik_shavlov...@mail.ru
David,

usually Alvarion  WIMAX 802.16 is 4M products. Extreme is 802.16 standard but 
for nonWiMAX band = 5 GHz. All Alvarion hexes username, like 97697...@wimax.com

So, you just guess it was Extreme?))


07 December 2011, 20:33 from David Peterson-19 [via FreeRadius] 
ml-node+s1045715n5056216...@n5.nabble.com:

I know it’s Extreme because we sell Alvarion WiMax for all of North America :)

Keepaliveusernameandpassword is a generic request coming from the BTS which can 
either be accepted or denied.  Either response is fine.

The Extreme uses EAP-TTLS as does all WiMax so the username should be something 
like [hidden email]

David

From: freeradius-users-bounces+david.peterson=[hidden email] 
[mailto:freeradius-users-bounces+david.peterson=[hidden email]] On Behalf Of 
[hidden email]
Sent: Wednesday, December 07, 2011 11:03 AM
To: [hidden email]
Subject: Re[4]: authentetication with mysql and NAS type= other
 
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 
10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = 
KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword'
[acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm 
NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file 
/usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d - 
/var/log/radacct/10.152.98.23/detail-20111206
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to 
/var/log/radacct/10.152.98.23/detail-20111206
[detail] expand: %t - Tue Dec 6 17:57:06 2011
++[detail] returns ok
++[unix] returns fail
Finished request 247.
Cleaning up request 247 ID 56 with timestamp +1802
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 10.152.98.23 port 49154, id=177, 
length=181
User-Name = KeepAliveUserNameAndPassword
NAS-IP-Address = 10.152.98.23
NAS-Port-Type = Wireless-802.16
NAS-Port = 0
Calling-Station-Id = \000\000\000\000\000
NAS-Identifier = 1137128000
WiMAX-GMT-Timezone-offset = 0
Message-Authenticator = 0x892bc16577cd6753b2a7e0c0a3499523
Acct-Session-Id = KeepAliveSessionId
User-Password = KeepAliveUserNameAndPassword
# Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm 
NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] expand: %{User-Name} - KeepAliveUserNameAndPassword
[sql] sql_set_user escaped user -- 'KeepAliveUserNameAndPassword'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE 
username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, 
value, op FROM radcheck WHERE username = 'KeepAliveUserNameAndPassword' ORDER 
BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = 
'%{SQL-User-Name}' ORDER BY priority - SELECT groupname FROM radusergroup 
WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User KeepAliveUserNameAndPassword not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may 
fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the 
user
Failed to authenticate the user.
Login incorrect: [KeepAliveUserNameAndPassword/KeepAliveUserNameAndPassword] 
(from client 10.152.98.23/16 port 0 cli )
===
login and password are correct!

How did you know that it's Extreme by NAS identifier?


07 December 2011, 19:16 from David Peterson-19 [via FreeRadius] [hidden email]:
The only requests I see are User-Name = KeepAliveUserNameAndPassword
This is just a keep-alive packet all Alvarion Extreme base stations send out.  
I do not see the CPE attempting to authenticate.
 
David
 
From: freeradius-users-bounces+david.peterson=[hidden email] 
[mailto:freeradius-users-bounces+david.peterson=[hidden email]] On Behalf Of 
[hidden email]
Sent: Wednesday, December 07, 2011 10:05 AM
To: [hidden email]
Subject: Re[2]: authentetication with mysql and NAS type= other
 
here is debug:
rad_recv: Accounting-Request packet from host 10.152.98.23 port 49157, id=10, 
length=135
User-Name = KeepAliveUserNameAndPassword
NAS-IP-Address = 10.152.98.23
NAS-Port-Type = Wireless-802.16
NAS-Port = 0
Calling-Station-Id = \000\000\000\000\000
NAS-Identifier = 1137128000
WiMAX-GMT-Timezone-offset = 0
Acct-Status-Type = Stop

Re[6]: authentetication with mysql and NAS type= other

2011-12-07 Thread Толик Шавловский
Hi,

mysql> use freeradius;
Database changed
mysql> select * from radcheck;
+----+-----------------+--------------------+----+------------------+
| id | username        | attribute          | op | value            |
+----+-----------------+--------------------+----+------------------+
|  1 | user            | Password           | == | user             |
|  3 | t...@wimax.com  | Cleartext-Password | := | test             |
|  5 | te...@wimax.com | Cleartext-Password | := | test             |
| 10 | user            | Simultaneous-Use   | := | 1                |
|  8 | t...@wimax.com  | Framed-Filter-Id   | := | SP=data:MSF=data |
|  9 | te...@wimax.com | Framed-Filter-Id   | := | SP=data:MSF=data |
+----+-----------------+--------------------+----+------------------+


user is for WiFi
test and tes1 is for WiMAX.

all usernames are authenticated for WiFi.

Wimax cannot.  I don't know why it uses username = 
'KeepAliveUserNameAndPassword', like in the debug?? When I used users file in 
FR with the same usernames, it was ok. I really use same usernames for auth in 
my Wimax CPEs.

07 December 2011, 20:17 from Fajar A. Nugraha l...@fajar.net:
> On Wed, Dec 7, 2011 at 11:02 PM, tolik_shavlov...@mail.ru
> tolik_shavlov...@mail.ru wrote:
> > SELECT id, username, attribute,
> > value, op FROM radcheck WHERE username = 'KeepAliveUserNameAndPassword'
> > ORDER BY id
>
> > SELECT groupname FROM radusergroup
> > WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY priority
>
> What do you get when you execute those two queries in mysql directly?
>
> > [sql] User KeepAliveUserNameAndPassword not found
>
> the sql module says the user is not found. It doesn't lie.
>
> > ===
> > login and password are correct!
>
> And how did you know that? Did you setup the tables correctly? Hint:
> execute those two queries above.
>
> --
> Fajar
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Re[6]: authentetication with mysql and NAS type= other

2011-12-07 Thread Fajar A. Nugraha
2011/12/8 Толик Шавловский tolik_shavlov...@mail.ru:
> Hi,
>
> mysql> use freeradius;
> Database changed
> mysql> select * from radcheck;
> +----+-----------------+--------------------+----+------------------+
> | id | username        | attribute          | op | value            |
> +----+-----------------+--------------------+----+------------------+
> |  1 | user            | Password           | == | user             |
> |  3 | t...@wimax.com  | Cleartext-Password | := | test             |
> |  5 | te...@wimax.com | Cleartext-Password | := | test             |
> | 10 | user            | Simultaneous-Use   | := | 1                |
> |  8 | t...@wimax.com  | Framed-Filter-Id   | := | SP=data:MSF=data |
> |  9 | te...@wimax.com | Framed-Filter-Id   | := | SP=data:MSF=data |
> +----+-----------------+--------------------+----+------------------+

There's no user called 'KeepAliveUserNameAndPassword'

> Wimax cannot.  I don't know why it uses username = 
> 'KeepAliveUserNameAndPassword', like in the debug??

Because the NAS sends it. If you think it shouldn't, examine the NAS
config. Or ask the NAS vendor.

The log doesn't lie. Did you ACTUALLY test authentication with a
client connecting to the NAS? Or did you just start up FR in debug
mode and hope there would be a packet from the NAS?

-- 
Fajar
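
The check the replies in this thread do by eye on the debug output (is anything other than the base station's keep-alive arriving, and does any request carry EAP?), as an added example that is not part of the original thread: a small parser for `radiusd -X` style output. The second packet in the sample and the function names are constructed for illustration, and the parser assumes unwrapped log lines rather than the archive's wrapped form.

```python
import re

KEEPALIVE_USER = "KeepAliveUserNameAndPassword"  # probe name seen in the thread

# Constructed sample: the keep-alive request from the thread (trimmed) followed
# by a made-up EAP request from a CPE; the second packet's values are invented.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.152.98.23 port 49154, id=177, length=181
\tUser-Name = KeepAliveUserNameAndPassword
\tNAS-Port-Type = Wireless-802.16
\tUser-Password = KeepAliveUserNameAndPassword
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
[eap] No EAP-Message, not doing EAP
rad_recv: Access-Request packet from host 10.152.98.23 port 49154, id=178, length=96
\tUser-Name = "anonymous@example.invalid"
\tNAS-Port-Type = Wireless-802.16
\tEAP-Message = 0x0201000501
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
"""

HEADER = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
ATTR = re.compile(r"^\s*([A-Za-z][\w-]*) = (.*)$")

def parse_packets(text):
    """Return one dict per received packet: code, host, id and its attributes."""
    packets, cur = [], None
    for line in text.splitlines():
        head = HEADER.match(line)
        attr = ATTR.match(line)
        if head:
            cur = {"code": head.group(1), "host": head.group(2),
                   "id": int(head.group(3)), "attrs": {}}
            packets.append(cur)
        elif cur is not None and attr:
            cur["attrs"][attr.group(1)] = attr.group(2).strip().strip('"')
        else:
            cur = None  # first non-attribute line ends the packet dump
    return packets

def classify(pkt):
    """Label a packet: 'eap', 'keepalive', 'non-eap', or 'other' (not Access-Request)."""
    attrs = pkt["attrs"]
    if pkt["code"] != "Access-Request":
        return "other"
    if "EAP-Message" in attrs:
        return "eap"
    return "keepalive" if attrs.get("User-Name") == KEEPALIVE_USER else "non-eap"

def cpe_attempts(text):
    """(host, id, outer User-Name) for every Access-Request that carries EAP."""
    return [(p["host"], p["id"], p["attrs"].get("User-Name"))
            for p in parse_packets(text) if classify(p) == "eap"]
```

An empty list from `cpe_attempts` on a capture corresponds to the situation described in the thread, where only the keep-alive reaches the server. The User-Name it returns is the outer identity; per the thread, the real username appears only in the inner-tunnel part of the debug.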
