Re: chap rlm_sql authentication problem

2007-03-30 Thread Alan DeKok
Andrew Long wrote:
 I think I got it, I can now authenticate with ntradping, but I get an
 attribute dump:
 
 unknown vendor 8744, size xx='' repeated many times...

  From... ntradping.

 Is this because I am impersonating the NAS from a laptop? I.e., should it
 clear up when the NAS is actually authenticating, or does this point to
 another misconfiguration?

  It means that you configured FreeRADIUS to return attributes that
ntradping doesn't understand.  It's OK, because ntradping doesn't
understand much of anything.

  If you used radclient (which comes with FreeRADIUS), it would print
out the attribute names, because it's well written, and uses the
FreeRADIUS dictionaries.

  I'm a little at a loss for why people insist on using ntradping when
radclient does more...

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: chap rlm_sql authentication problem

2007-03-30 Thread Alan DeKok
Andrew Long wrote:
 Now we're taking a step back because I tried changing the username 
 on the NAS and in the SQL and can no longer authenticate with :( NTRADPING.

  Why use ntradping?  Use radclient.

  And you're using CHAP... which is why it doesn't match.

 --
 1176  hiegalleria_cn3200  password  PASSWORD_HERE  ==
 --

  Change the attribute name to Cleartext-Password, and the operator to :=.

  See man users for an explanation of the operators.  You're comparing
the value to the User-Password in the request (which doesn't exist).
So... the comparison fails.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
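An added example, not FreeRADIUS code and not from anyone in this thread, that models the point Alan makes above: a CHAP request carries no User-Password, so a radcheck row compared with `==` can never match, and rlm_chap can only recompute the MD5 response if a Cleartext-Password control item has been set with `:=`. The challenge value, the request dictionary and the operator model are constructed for the example; the CHAP-Password constant is the one from the `-X` output quoted in the thread.

```python
import hashlib
import hmac

# Added example (not FreeRADIUS code): why CHAP needs a "Cleartext-Password :="
# check item rather than "Password ==". Per RFC 1994 / RFC 2865 s.5.3 the NAS
# sends response = MD5(chap_id || cleartext_password || challenge), so the
# server can only verify it by recomputing from the cleartext.

# CHAP-Password from the -X output in the thread: 1 ident byte + 16-byte MD5.
CHAP_PASSWORD_HEX = "8f98ab538676182e04964979e34fbc0580"

def parse_chap_password(attr: bytes) -> tuple[int, bytes]:
    """Split a CHAP-Password attribute into (CHAP ident, 16-byte response)."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be 1 ident byte + 16 response bytes")
    return attr[0], attr[1:]

def chap_response(chap_id: int, cleartext: str, challenge: bytes) -> bytes:
    """What the NAS sends; the server must repeat exactly this computation."""
    return hashlib.md5(bytes([chap_id]) + cleartext.encode() + challenge).digest()

def radius_auth(radcheck_row: tuple[str, str, str], request: dict, challenge: bytes) -> str:
    """Model of authorize (one radcheck row = (Attribute, op, Value)) then rlm_chap.
    Per man users, '==' compares Value with that attribute in the request and fails
    when it is absent (a CHAP request carries no User-Password); ':=' sets a control
    item, which is where rlm_chap looks for Cleartext-Password."""
    attribute, op, value = radcheck_row
    control: dict = {}
    if op == "==":
        if request.get(attribute) != value:
            return "Reject (check item did not match)"
    elif op == ":=":
        control[attribute] = value
    else:
        raise ValueError(f"operator {op} not modelled")
    cleartext = control.get("Cleartext-Password")
    if cleartext is None:
        return "Reject (could not find clear text password)"
    chap_id, response = parse_chap_password(request["CHAP-Password"])
    if hmac.compare_digest(chap_response(chap_id, cleartext, challenge), response):
        return "Accept"
    return "Reject (CHAP response mismatch)"

# Constructed sample request. The challenge is normally the Request Authenticator,
# which the thread does not show, so a fixed 16-byte value stands in for it.
CHALLENGE = bytes(range(16))
REQUEST = {"User-Name": "bufhiegall_cn3200",
           "CHAP-Password": bytes([0x8F]) + chap_response(0x8F, "password1", CHALLENGE)}
```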


RE: chap rlm_sql authentication problem

2007-03-30 Thread Andrew Long

  Now we're taking a step back because I tried changing the 
 username on 
  the NAS and in the SQL and can no longer authenticate with 
 :( NTRADPING.
 
   Why use ntradping?  Use radclient.

I will in the future, but I'm in mid-stream here...

   And you're using CHAP... which is why it doesn't match.
 
  --
  1176  hiegalleria_cn3200  password  PASSWORD_HERE  ==
  --
 
   Change the attribute name to Cleartext-Password, and the 
 operator to :=.

I have about 20 other NASes using this identical configuration and they all
authenticate...

   See man users for an explanation of the operators.  
 You're comparing the value to the User-Password in the 
 request (which doesn't exist).
 So... the comparison fails.

Just for giggles, I restored the username to the old one in radcheck/radreply and
in my ntradping request... and it authenticated properly. Can you explain this?
This was done without making any changes to the operator or attribute.

Andrew




Re: chap rlm_sql authentication problem

2007-03-30 Thread Kevin Bonner
On Friday 30 March 2007 09:13:17 Andrew Long wrote:
 In NTRADPING:
 username: hiegalleria
...
 rad_recv: Access-Request packet from host 192.168.10.100:49259, id=5,
 length=59
 User-Name = hiegalleria_cn3200
 CHAP-Password = 0xac0b9199834a040866dd0050c44d4fdf35

Am I missing something obvious?  How is _cn3200 getting appended to the 
username?

 --
 1176  hiegalleria_cn3200  password  PASSWORD_HERE  ==
 --

You've heard several times that the attribute and operator need to be fixed.  
I'm just listing it again for emphasis.

 radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,
 radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
 usergroup.Username = 'hiegalleria_cn3200' AND usergroup.GroupName =
 radgroupcheck.GroupName ORDER BY radgroupcheck.id'
 --
 9  colubris  Service-Type  Administrative-User  ==
 --

If this is correct, your request will not match unless you send this 
particular Service-Type.  Looking at the request above, I don't see this 
attribute being sent in the access-request.

Kevin Bonner



Re: chap rlm_sql authentication problem

2007-03-30 Thread Alan DeKok
Andrew Long wrote:
...
   Change the attribute name to Cleartext-Password, and the 
 operator to :=.
 
 I have about 20 other NASes using this identical configuration and they all
 authenticate...

  They're not using CHAP.

 Just for giggles, I restored the username to the old one in
 radcheck/radreply and
 in my ntradping request... and it authenticated properly. Can you explain
 this?

  See Kevin Bonner's reply.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: chap rlm_sql authentication problem

2007-03-30 Thread Andrew Long

Change the attribute name to Cleartext-Password, and the 
 operator 
  to :=.
  
  I have about 20 other NASes using this identical configuration and 
  they all authenticate...
 
   They're not using CHAP.

Each and every one is using CHAP. Promise.

Andrew




Re: chap rlm_sql authentication problem

2007-03-30 Thread Alan DeKok
Andrew Long wrote:

 Each and every one is using CHAP. Promise.

  Then something else is making it not work...

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


chap rlm_sql authentication problem

2007-03-29 Thread Andrew Long
I am adding a new MSC to our list of clients and trying to verify the config 
with -X and ntradping.
I keep getting rejected. 

I have the following in clients.conf:
 client 192.168.10.100 (MY LAPTOP IP FOR NOW) {
secret = [EMAIL PROTECTED]
shortname = cn3200_hiegalleria
nastype = other
 }

In NTRADPING, I am using:
 username: bufhiegall_cn3200
 secret: [EMAIL PROTECTED]
 password: password1 (same as in radius.radcheck)

I note the "could not find clear text password" at the bottom of the reply, but am not 
sure why this is so; the password is present in radcheck.

The -X output is as follows:

rad_recv: Access-Request packet from host 192.168.10.100:49424, id=11, length=58
User-Name = bufhiegall_cn3200
CHAP-Password = 0x8f98ab538676182e04964979e34fbc0580
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = bufhiegall_cn3200, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
radius_xlat:  'bufhiegall_cn3200'
rlm_sql (sql): sql_set_user escaped user -- 'bufhiegall_cn3200'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE Username = 'bufhiegall_cn3200'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'bufhiegall_cn3200' 
AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radreply   WHERE Username = 'bufhiegall_cn3200'   ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'bufhiegall_cn3200' 
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): No matching entry in the database for request from user 
[bufhiegall_cn3200]
  modcall[authorize]: module sql returns notfound for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module noresetcounter returns noop for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module dailycounter returns noop for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module monthlycounter returns noop for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module daypasscounter returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 0
  rlm_chap: login attempt by bufhiegall_cn3200 with CHAP password
  rlm_chap: Could not find clear text password for user bufhiegall_cn3200
  modcall[authenticate]: module chap returns invalid for request 0
modcall: leaving group CHAP (returns invalid) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 11 to 1

I have run all the queries manually on the server, and they all return results as 
expected (except the query to radgroupreply, as there is nothing configured there).


Regards,

Andrew Long




Re: chap rlm_sql authentication problem

2007-03-29 Thread Alan DeKok
Andrew Long wrote:
 I am adding a new MSC to our list of clients and trying to verify the config 
 with -X and ntradping.
 I keep getting rejected. 
...
 I note the "could not find clear text password" at the bottom of the reply, but am 
 not sure why this is so; the password is present in radcheck.

  It's not found:

 The -X output is as follows:
...
 rlm_sql (sql): No matching entry in the database for request from user 
 [bufhiegall_cn3200]
   modcall[authorize]: module sql returns notfound for request 0

  That's pretty definitive.

 I have run all the queries manually on the server, and they all return results as 
 expected (except the query to radgroupreply, as there is nothing configured there).

  They may return what you expect, but not what the server needs.

  Please post the output from the queries here.  Odds are something is
misconfigured, so that the queries return data, but not anything the
server can use.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: chap rlm_sql authentication problem

2007-03-29 Thread Andrew Long

I think I got it, I can now authenticate with ntradping, but I get an
attribute dump:

unknown vendor 8744, size xx='' repeated many times...

Is this because I am impersonating the NAS from a laptop? I.e., should it
clear up when the NAS is actually authenticating, or does this point to
another misconfiguration?

All the other request types, accounting start,stop, update, go normally.

Andrew

