Re: RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-23 Thread peppeska

peppeska wrote:


> my script to start pppoe-server is
> 
> 
> debian:~# cat start-pppoe2.sh
> #!/bin/bash
> MAX=250
> BASE=10.67.7.1
> NAT=10.67.7.0/24
> MYIP=193.205.94.13
> iptables -A INPUT -i eth0 -s $NAT -j DROP
> iptables -t nat -A POSTROUTING -s $NAT -j SNAT --to-source $MYIP
> pppoe-server -T 60 -I eth1 -N $MAX -C PPPoE-R -S PPPoE-R -R $BASE
> debian:~#

nobody can help me?

- --
  --
  |Giuseppe Moscato aka peppeska - Linux User - no html messages---|

  |[EMAIL PROTECTED] - http://peppeska.altervista.org--|

  |Fingerprint = 90DC 05A8 2D65 BC04 BD1B  4C07 C389 434B 3201 319D|
  --
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread peppeska

Alan DeKok wrote:
> peppeska wrote:
> ...
>> Sending Access-Accept of id 50 to 127.0.0.1 port 1028
> ...
>> Mar 21 19:21:41 applejack pppd[18529]: MS-CHAP authentication failed:
> 
>   PPPD is broken.
> 
And what must I do now?

@Thibault Le Meur

I use your dictionary...

the final response is:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1028, id=51, length=136
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "peppeska"
MS-CHAP-Challenge = 0xb6b462d0d978bcbfe51e4783f4a3dd32
MS-CHAP2-Response =
0xa0002138a2441156e5ed33506db0e19e960db1cfdb576490d5d29b54d30317856b01d0780f1d51ef5fa7
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
  modcall[authorize]: module "mschap" returns ok for request 0
rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for peppeska
radius_xlat:  '(cn=peppeska)'
radius_xlat:  'dc=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
rlm_ldap: Added password billuzzo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user peppeska authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
  rlm_mschap: Told to do MS-CHAPv2 for peppeska with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok for request 0
modcall: leaving group MS-CHAP (returns ok) for request 0
Login OK: [peppeska/] (from client localhost
port 0)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
  modcall[post-auth]: module "ldap" returns noop for request 0
modcall: leaving group post-auth (returns noop) for request 0
Sending Access-Accept of id 51 to 127.0.0.1 port 1028
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
MS-CHAP2-Success =
0xa0533d32463945383842443446423034313543303139374631363834344244424532413836423234323346
MS-MPPE-Recv-Key = 0xee31ff0993d0e3b1589a2920ac31b3d8
MS-MPPE-Send-Key = 0x61bccd9e7dbd48aa264d2117a72ed2cc
MS-MPPE-Encryption-Policy = 0x0002
MS-MPPE-Encryption-Types = 0x0004
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1028, id=51, length=136
Sending duplicate reply to client localhost:1028 - ID: 51
Re-sending Access-Accept of id 51 to 127.0.0.1 port 1028
--- Walking the entire request list ---
Cleaning up request 0 ID 51 with timestamp 46018448
Nothing to do.  Sleeping until we see a request.





debian:/etc/freeradius# tail /var/log/messages
Mar 21 19:38:15 debian -- MARK --
Mar 21 19:58:19 debian -- MARK --
Mar 21 20:15:14 debian pppd[4426]: Plugin radius.so loaded.
Mar 21 20:15:14 debian pppd[4426]: RADIUS plugin initialized.
Mar 21 20:15:15 debian pppd[4426]: pppd 2.4.4 started by root, uid 0
Mar 21 20:15:17 debian pppd[4426]: Using interface ppp0
Mar 21 20:15:17 debian pppd[4426]: Connect: ppp0 <--> /dev/pts/2
Mar 21 20:15:32 debian pppd[4426]: Peer peppeska failed CHAP authentication
Mar 21 20:15:32 debian pppd[4426]: Connection terminated.
Mar 21 20:15:33 debian pppd[4426]: Exit.
debian:/etc/freeradius#



my script to start pppoe-server is


debian:~# cat start-pppoe2.sh
#!/bin/bash
MAX=250
BASE=10.67.7.1
NAT=10.67.7.0/24
MYIP=193.205.94.13
iptables -A INPUT -i eth0 -s $NAT -j DROP
iptables -t nat -A POSTROUTING -s $NAT -j SNAT --to-source $MYIP
pppoe-server -T 60 -I eth1 -N $MAX -C

Re: RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Thibault Le Meur

> but plog:
>
> [EMAIL PROTECTED]:/home/peppeska# plog
> Mar 21 19:21:18 applejack pppd[18527]: Plugin rp-pppoe.so loaded.
> Mar 21 19:21:18 applejack pppd[18529]: pppd 2.4.4 started by root, uid 0
> Mar 21 19:21:19 applejack pppd[18529]: PPP session is 6
> Mar 21 19:21:19 applejack pppd[18529]: Using interface ppp0
> Mar 21 19:21:19 applejack pppd[18529]: Connect: ppp0 <--> tap1
> Mar 21 19:21:41 applejack pppd[18529]: MS-CHAP authentication failed:
> Mar 21 19:21:41 applejack pppd[18529]: CHAP authentication failed
> Mar 21 19:21:41 applejack pppd[18529]: Connection terminated.
> [EMAIL PROTECTED]:/home/peppeska# poff
>
> UFFA!!! I promise that I send a "Cassata Siciliana" to who resolves my
> problem...
>
  plog may not be enough: could you check the /var/log/messages

Moreover, what dictionary.microsoft file are you using? Maybe it is
lacking some attributes and radiusclient doesn't understand them.

If you're not using the one I posted today, could you test with this
one instead?

Thibault




Re: RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Alan DeKok
peppeska wrote:
...
> Sending Access-Accept of id 50 to 127.0.0.1 port 1028
...
> Mar 21 19:21:41 applejack pppd[18529]: MS-CHAP authentication failed:

  PPPD is broken.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread peppeska

Alan DeKok wrote:
> peppeska wrote:
>> Ok!!!
>> Now I have this configuration
>>
>> INCLUDE /etc/radiusclient/dictionary.microsoft
>> INCLUDE /etc/radiusclient/dictionary.ascend
>> INCLUDE /etc/radiusclient/dictionary.compat
>> INCLUDE /etc/radiusclient/dictionary.merit
>> $INCLUDE /usr/share/freeradius/dictionary
> 
>   No.  radiusclient can't use the FreeRADIUS dictionaries.
> 
ook

now I don't have the freeradius dictionary...

now the freeradius:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1028, id=50, length=136
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "peppeska"
MS-CHAP-Challenge = 0x3733ba43d6d8debb5b0302f590250afd
MS-CHAP2-Response =
0x0f00997701aa0d8775038e203d7c0487880fe6ba63b22268fbe23624491c47a9744354f94591fc730a90
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
  modcall[authorize]: module "mschap" returns ok for request 0
rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for peppeska
radius_xlat:  '(cn=peppeska)'
radius_xlat:  'dc=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
rlm_ldap: Added password billuzzo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user peppeska authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
  rlm_mschap: Told to do MS-CHAPv2 for peppeska with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok for request 0
modcall: leaving group MS-CHAP (returns ok) for request 0
Login OK: [peppeska/] (from client localhost
port 0)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
  modcall[post-auth]: module "ldap" returns noop for request 0
modcall: leaving group post-auth (returns noop) for request 0
Sending Access-Accept of id 50 to 127.0.0.1 port 1028
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
MS-CHAP2-Success =
0x0f533d33344135313830413334423831353141383738414532454632414341303830394341423344393945
MS-MPPE-Recv-Key = 0x923e2c93c2156b71231ea782495f5b99
MS-MPPE-Send-Key = 0x44fe16f0095f4b51b33c59a5387f512c
MS-MPPE-Encryption-Policy = 0x0002
MS-MPPE-Encryption-Types = 0x0004
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 50 with timestamp 4601790a
Nothing to do.  Sleeping until we see a request.

but plog:

[EMAIL PROTECTED]:/home/peppeska# plog
Mar 21 19:21:18 applejack pppd[18527]: Plugin rp-pppoe.so loaded.
Mar 21 19:21:18 applejack pppd[18529]: pppd 2.4.4 started by root, uid 0
Mar 21 19:21:19 applejack pppd[18529]: PPP session is 6
Mar 21 19:21:19 applejack pppd[18529]: Using interface ppp0
Mar 21 19:21:19 applejack pppd[18529]: Connect: ppp0 <--> tap1
Mar 21 19:21:41 applejack pppd[18529]: MS-CHAP authentication failed:
Mar 21 19:21:41 applejack pppd[18529]: CHAP authentication failed
Mar 21 19:21:41 applejack pppd[18529]: Connection terminated.
[EMAIL PROTECTED]:/home/peppeska# poff

UFFA!!! I promise that I send a "Cassata Siciliana" to who resolves my
problem...



- --
  --
  |Giuseppe Moscato aka peppeska - Linux User - no html messages---|

  |[EMAIL PROTECTED] - http://peppeska.altervista.org--|

  |Fingerprint = 90DC 05A8 2D65 BC04 BD1B

Re: RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Alan DeKok
peppeska wrote:
> Ok!!!
> Now I have this configuration
> 
> INCLUDE /etc/radiusclient/dictionary.microsoft
> INCLUDE /etc/radiusclient/dictionary.ascend
> INCLUDE /etc/radiusclient/dictionary.compat
> INCLUDE /etc/radiusclient/dictionary.merit
> $INCLUDE /usr/share/freeradius/dictionary

  No.  radiusclient can't use the FreeRADIUS dictionaries.

  Once freeradius-client is updated, it will use the FreeRADIUS
dictionaries.  But radiusclient can't.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread peppeska

Ok!!!
Now I have this configuration

INCLUDE /etc/radiusclient/dictionary.microsoft
INCLUDE /etc/radiusclient/dictionary.ascend
INCLUDE /etc/radiusclient/dictionary.compat
INCLUDE /etc/radiusclient/dictionary.merit
$INCLUDE /usr/share/freeradius/dictionary

And... (same roll of drums)

rad_recv: Access-Request packet from host 127.0.0.1:1028, id=40, length=136
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "peppeska"
MS-CHAP-Challenge = 0x2b05b4344fc7309510ee443fac5c90bf
MS-CHAP2-Response =
0x05006a01dac8d579188fab13d4f5b10524c274aba52270d19850e5169d1e6410fe36c608d63ff061a401
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
  modcall[authorize]: module "mschap" returns ok for request 1
rlm_realm: No '@' in User-Name = "peppeska", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
users: Matched entry DEFAULT at line 173
users: Matched entry DEFAULT at line 185
  modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for peppeska
radius_xlat:  '(cn=peppeska)'
radius_xlat:  'dc=example'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
rlm_ldap: Added password billuzzo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user peppeska authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 1
  rlm_mschap: Told to do MS-CHAPv2 for peppeska with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok for request 1
modcall: leaving group MS-CHAP (returns ok) for request 1
Login OK: [peppeska/] (from client localhost
port 0)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 1
  modcall[post-auth]: module "ldap" returns noop for request 1
modcall: leaving group post-auth (returns noop) for request 1
Sending Access-Accept of id 40 to 127.0.0.1 port 1028
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
MS-CHAP2-Success =
0x05533d4638413436383038343733323138354344333539453836393339463645323432363332373143
MS-MPPE-Recv-Key = 0xeb3b2b7a46dfff70bdee5eb89a755804
MS-MPPE-Send-Key = 0xe0d003c9754115e0063f7f832015f1c6
MS-MPPE-Encryption-Policy = 0x0002
MS-MPPE-Encryption-Types = 0x0004
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 40 with timestamp 4601688f
Nothing to do.  Sleeping until we see a request.

Well! It works! Or not?

because.. this is the pppoe-server log

debian:~# plog
Mar 21 18:33:54 debian pppd[4306]: sent [LCP TermAck id=0x2]
Mar 21 18:33:54 debian pppd[4306]: rcvd [LCP TermAck id=0x2]
Mar 21 18:33:54 debian pppd[4306]: Connection terminated.
Mar 21 18:33:54 debian pppd[4306]: Waiting for 1 child processes...
Mar 21 18:33:54 debian pppd[4306]:   script /usr/sbin/pppoe -n -I eth1 -e 5:32:c8:93:a2:15:29 -T 60 -S '', pid 4307
Mar 21 18:33:55 debian pppd[4306]: Script /usr/sbin/pppoe -n -I eth1 -e 5:32:c8:93:a2:15:29 -T 60 -S '' finished (pid 4307), status = 0x1
Mar 21 18:33:55 debian pppd[4306]: Exit.
debian:~#


boh!! I really don't know why...




- --
  --
  |Giuseppe Moscato aka peppeska - Linux User - no html messages---|

  |[EMAIL PROTECTED] - http://peppeska.altervista.org--|

  |Fingerprint = 90DC 05A8 2D65 BC04 BD1B  4C07 C389 434B 3201 319D|
  --


RE : RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Thibault Le Meur
> > 
> > MMM damn! why freeradius don't want work with me?
> 
> It's not a Freeradius issue, but a ppp/radiusclient issue ;-)
> 
> > 
> > P.S.
> > without the Default Auth-Type in the users file...it's the
> > same... If I put $INCLUDE instead of INCLUDE... work like before...
> 
> Very strange I've got several servers here using radiusclient 
> with the INCLUDE syntax !!

Very very curious, I've checked radiusclient's original code and it seems it
is "$INCLUDE" syntax that is the good one.
So keep with this one for now.
I just have no clue on why on my system only "INCLUDE" works !!


Sorry for this wrong information !


Had you got new results ?

Regards,
Thibault





RE : RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Thibault Le Meur

> 
> >> and in the dictionary file:
> >> $INCLUDE /etc/radiusclient/dictionary.microsoft
> >> $INCLUDE /etc/radiusclient/dictionary.ascend
> >> $INCLUDE /etc/radiusclient/dictionary.compat
> >> $INCLUDE /etc/radiusclient/dictionary.merit
> >> $INCLUDE /usr/share/freeradius/dictionary
> > 
> > Don't write "$INCLUDE" but "INCLUDE" without the "$": this is the 
> > syntax for radiusclient.
> 
> Now.. without "$"

 
> the /etc/freeradius/users file now contain:
> 
> DEFAULT Auth-Type = "MS-CHAP"
> Fall-Through = yes

Not a good idea ;-)


> > But this can work only if radiusclient knows the MS-CHAP Radius 
> > attributes, which is not the case for the moment (see above the 
> > INCLUDE issue).
> > 
> 
> Well.. I try now... and(roll of drums):
> 
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
> 
> NOTHING the freeradius don't receive request (uff)

That's because the NAS doesn't send packets (or because you have firewall
rules dropping packets, but this shouldn't be the case since you got packets
in the past).

> 
> and:
> 
> debian:~# plog
> Mar 21 16:13:52 debian pppd[3885]: sent [LCP TermAck id=0x2]
> Mar 21 16:13:52 debian pppd[3885]: rcvd [LCP TermAck id=0x2]
> Mar 21 16:13:52 debian pppd[3885]: Connection terminated.
> Mar 21 16:13:52 debian pppd[3885]: Waiting for 1 child processes...
> Mar 21 16:13:52 debian pppd[3885]:   script /usr/sbin/pppoe -n -I eth1 -e 2:32:c8:93:a2:15:29 -T 60 -S '', pid 3886
> Mar 21 16:13:52 debian pppd[3885]: Script /usr/sbin/pppoe -n -I eth1 -e 2:32:c8:93:a2:15:29 -T 60 -S '' finished (pid 3886), status = 0x1
> Mar 21 16:13:52 debian pppd[3885]: Exit.
> debian:~#
> 
> MMM damn! why freeradius don't want work with me?

It's not a Freeradius issue, but a ppp/radiusclient issue ;-)

> 
> P.S.
> without the Default Auth-Type in the users file...it's the 
> same... If I put $INCLUDE instead of INCLUDE... work like before...

Very strange I've got several servers here using radiusclient with the
INCLUDE syntax !!

Or may it be an issue with the dictionary files?
> >> $INCLUDE /usr/share/freeradius/dictionary

Avoid this one, it shouldn't be necessary.

> >> $INCLUDE /etc/radiusclient/dictionary.microsoft
> >> $INCLUDE /etc/radiusclient/dictionary.ascend
> >> $INCLUDE /etc/radiusclient/dictionary.compat
> >> $INCLUDE /etc/radiusclient/dictionary.merit

Are these dictionaries from the radiusclient distro or did you copy the
dictionaries from freeradius ?
Please use only dictionaries from the radiusclient distributions.
(Or try the one I posted if you don't have them in the distro).

Let me know,
Thibault




Re: RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread peppeska


>> Thibault Le Meur wrote:


>>> Have you setup ppp to use mschap (require-mschap-v2 option) ? Are
>>> you using the radiusclient library ?
>>  refuse-pap
>>  refuse-chap
>>  require-mschap
>>  require-mschap-v2
>>  require-mppe
> 
> 
> Ok so that your NAS don't have to send User-Password but a MS-CHAP challenge
> instead: that's what I thought.
> 

oook


>> and in the dictionary file:
>> $INCLUDE /etc/radiusclient/dictionary.microsoft
>> $INCLUDE /etc/radiusclient/dictionary.ascend
>> $INCLUDE /etc/radiusclient/dictionary.compat
>> $INCLUDE /etc/radiusclient/dictionary.merit
>> $INCLUDE /usr/share/freeradius/dictionary
> 
> Don't write "$INCLUDE" but "INCLUDE" without the "$": this is the syntax for
> radiusclient.

Now.. without "$"
> 
> 
>> But... without declaration of Default Auth-Type in the users file:
>>
>> rlm_ldap: user peppeska authorized to use remote access
>> rlm_ldap: ldap_release_conn: Release Id: 0
>>   modcall[authorize]: module "ldap" returns ok for request 0
>> modcall: leaving group authorize (returns ok) for request 0
>> auth: No authenticate method (Auth-Type) configuration found for the
>> request: Rejecting the user
>> auth: Failed to validate the user.
>> Login incorrect: [peppeska/] 
>> (from client localhost port 0) Delaying request 0 for 1 
>> seconds Finished request 0
> 
> Sure, because Auth-Type must be set to MS-CHAP (automatically, don't use
> Auth-Type:=): this will be the case if FR receives MS-CHAP challenge.
> 

k

the /etc/freeradius/users file now contain:

DEFAULT Auth-Type = "MS-CHAP"
Fall-Through = yes


> But this can work only if radiusclient knows the MS-CHAP Radius attributes,
> which is not the case for the moment (see above the INCLUDE issue).
> 

Well.. I try now... and(roll of drums):

Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

NOTHING the freeradius don't receive request (uff)

and:

debian:~# plog
Mar 21 16:13:52 debian pppd[3885]: sent [LCP TermAck id=0x2]
Mar 21 16:13:52 debian pppd[3885]: rcvd [LCP TermAck id=0x2]
Mar 21 16:13:52 debian pppd[3885]: Connection terminated.
Mar 21 16:13:52 debian pppd[3885]: Waiting for 1 child processes...
Mar 21 16:13:52 debian pppd[3885]:   script /usr/sbin/pppoe -n -I eth1 -e 2:32:c8:93:a2:15:29 -T 60 -S '', pid 3886
Mar 21 16:13:52 debian pppd[3885]: Script /usr/sbin/pppoe -n -I eth1 -e 2:32:c8:93:a2:15:29 -T 60 -S '' finished (pid 3886), status = 0x1
Mar 21 16:13:52 debian pppd[3885]: Exit.
debian:~#

MMM damn! why freeradius don't want work with me?

P.S.
without the Default Auth-Type in the users file...it's the same...
If I put $INCLUDE instead of INCLUDE... work like before...

and now?




- --
  --
  |Giuseppe Moscato aka peppeska - Linux User - no html messages---|

  |[EMAIL PROTECTED] - http://peppeska.altervista.org--|

  |Fingerprint = 90DC 05A8 2D65 BC04 BD1B  4C07 C389 434B 3201 319D|
  --


RE : RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread Thibault Le Meur
Hi,

Very strange I didn't get this email ?

See my comments below:

> 
> Thibault Le Meur ha scritto:
> >> >> But the output now is:
> >> >>
> >> >> rad_recv: Access-Request packet from host 
> 127.0.0.1:1030, id=65, 
> >> >> length=54
> >> >> Service-Type = Framed-User
> >> >> Framed-Protocol = PPP
> >> >> User-Name = "peppeska"
> >> >> NAS-IP-Address = 127.0.0.1
> >> >> NAS-Port = 0
> >> >>
> >> >> ^
> >> >> ->Where is User-Password attribute?
> >> >> - 
> > >
> > > A good question indeed, that one should be asked to your NAS  ;-)
> > >
> > > It's up to the NAS to send User-Password: unless it is setup to do something
> > > else (for instance MSCHAP).
> > >
> > > Have you setup ppp to use mschap (require-mschap-v2 option) ? Are 
> > > you using the radiusclient library ?
> 
>  refuse-pap
>  refuse-chap
>  require-mschap
>  require-mschap-v2
>  require-mppe


Ok so that your NAS don't have to send User-Password but a MS-CHAP challenge
instead: that's what I thought.

> > > If yes, could you check that your radiusclient dictionary file 
> > > includes Microsoft attributes:
> > > * check the "dictionary  " line of
> > > /etc/radiusclient-ng/radiusclient.conf file (or 
> > > /etc/radiusclient/radiusclient.conf file)
> > > * check that the file  contains a reference to 
> > > other dictionary files such as:
> > > INCLUDE /usr/share/radiusclient-ng/dictionary.merit
> > > INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft
> > > * check that you have these 2 extra dictionary files (especially 
> > > the microsoft one) ==> I've attached the two files
> 
> in my radiusclient.conf there is:
> 
> # dictionary of allowed attributes and values
> # just like in the normal RADIUS distributions
> dictionary  /etc/radiusclient/dictionary
> 
> and in the dictionary file:
> $INCLUDE /etc/radiusclient/dictionary.microsoft
> $INCLUDE /etc/radiusclient/dictionary.ascend
> $INCLUDE /etc/radiusclient/dictionary.compat
> $INCLUDE /etc/radiusclient/dictionary.merit
> $INCLUDE /usr/share/freeradius/dictionary

Don't write "$INCLUDE" but "INCLUDE" without the "$": this is the syntax for
radiusclient.


> But... without declaration of Default Auth-Type in the users file:
> 
> rlm_ldap: user peppeska authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> auth: Failed to validate the user.
> Login incorrect: [peppeska/] 
> (from client localhost port 0) Delaying request 0 for 1 
> seconds Finished request 0

Sure, because Auth-Type must be set to MS-CHAP (automatically, don't use
Auth-Type:=): this will be the case if FR receives MS-CHAP challenge.

But this can work only if radiusclient knows the MS-CHAP Radius attributes,
which is not the case for the moment (see above the INCLUDE issue).

Regards,
Thibault
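
One way to run the dictionary checks discussed in this thread, as an added example that is not part of any poster's message: it starts from the `dictionary` line of radiusclient.conf, follows both `INCLUDE` and `$INCLUDE` lines, and reports missing files, includes that point at FreeRADIUS dictionaries (flagged and not parsed, since the thread says radiusclient can't use them), and MS-CHAPv2 attributes that are never defined. The `ATTRIBUTE name number type` line layout, the constructed sample tree and all function names are assumptions of the example.

```python
import os
import re
import tempfile

# MS-CHAPv2 attributes that appear in the thread's FreeRADIUS debug output.
REQUIRED_ATTRS = ("MS-CHAP-Challenge", "MS-CHAP2-Response", "MS-CHAP2-Success",
                  "MS-MPPE-Send-Key", "MS-MPPE-Recv-Key")
# The thread disagrees on the spelling, so both forms are followed and recorded.
INCLUDE_RE = re.compile(r"^(\$?INCLUDE)\s+(\S+)")


def dictionary_path(conf_path):
    """Return the file named on the 'dictionary' line of radiusclient.conf."""
    with open(conf_path) as fh:
        for raw in fh:
            fields = raw.split("#", 1)[0].split()
            if len(fields) >= 2 and fields[0] == "dictionary":
                return fields[1]
    return None


def _walk(path, report, defined, seen):
    """Parse one dictionary file, recursing into the files it includes."""
    if path in seen:                      # guard against include loops
        return
    seen.add(path)
    if not os.path.isfile(path):
        report["missing_files"].append(path)
        return
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            inc = INCLUDE_RE.match(line)
            if inc:
                directive, target = inc.groups()
                # Assumption: relative targets resolve against the including file.
                target = os.path.join(os.path.dirname(path), target)
                report["includes"].append((directive, target))
                if "freeradius" in target.split(os.sep):
                    # Flag FreeRADIUS server dictionaries and do not parse them.
                    report["freeradius_includes"].append(target)
                else:
                    _walk(target, report, defined, seen)
                continue
            fields = line.split()
            if len(fields) >= 4 and fields[0] == "ATTRIBUTE":
                defined.add(fields[1])


def audit(conf_path, required=REQUIRED_ATTRS):
    """Return a report dict for the dictionary chain behind conf_path."""
    report = {"dictionary": dictionary_path(conf_path), "includes": [],
              "missing_files": [], "freeradius_includes": [], "missing_attrs": []}
    defined = set()
    if report["dictionary"]:
        _walk(report["dictionary"], report, defined, set())
    report["missing_attrs"] = [a for a in required if a not in defined]
    return report


def build_sample(root, with_microsoft):
    """Write a constructed radiusclient tree under root; return the conf path."""
    etc = os.path.join(root, "etc", "radiusclient")
    os.makedirs(etc)
    files = {
        "radiusclient.conf": "dictionary\t" + os.path.join(etc, "dictionary") + "\n",
        "dictionary": "\n".join([
            "# constructed sample, not a real distribution file",
            "ATTRIBUTE User-Name 1 string",
            "INCLUDE " + os.path.join(etc, "dictionary.merit"),
            "$INCLUDE " + os.path.join(etc, "dictionary.microsoft"),
            "$INCLUDE " + os.path.join(root, "usr", "share", "freeradius", "dictionary"),
        ]) + "\n",
        "dictionary.merit": "# constructed placeholder\n",
    }
    if with_microsoft:
        # Vendor 311 and these attribute numbers follow RFC 2548.
        files["dictionary.microsoft"] = "VENDOR Microsoft 311\n" + "".join(
            "ATTRIBUTE %s %d string Microsoft\n" % (name, num)
            for name, num in zip(REQUIRED_ATTRS, (11, 25, 26, 16, 17)))
    for name, text in files.items():
        with open(os.path.join(etc, name), "w") as fh:
            fh.write(text)
    return os.path.join(etc, "radiusclient.conf")


def demo():
    """Audit the sample tree without and then with dictionary.microsoft."""
    reports = []
    for with_microsoft in (False, True):
        with tempfile.TemporaryDirectory() as root:
            reports.append(audit(build_sample(root, with_microsoft)))
    return tuple(reports)


if __name__ == "__main__":
    labels = ("without dictionary.microsoft", "with dictionary.microsoft")
    for label, rep in zip(labels, demo()):
        print(label)
        for key in ("missing_files", "freeradius_includes", "missing_attrs"):
            print("  %s: %s" % (key, rep[key]))
```

On a real host, call `audit("/etc/radiusclient/radiusclient.conf")` and compare the directive spellings it records against what the installed radiusclient build accepts.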






Re: RE : freeradius, ldap error - HELP ME!

2007-03-21 Thread peppeska

Thibault Le Meur wrote:
> 
>> -Original Message-
>> From: 
>> [EMAIL PROTECTED]
>> radius.org 
>> [mailto:[EMAIL PROTECTED]
>> sts.freeradius.org] On behalf of peppeska
>> Sent: Wednesday, 21 March 2007 13:44
>> To: FreeRadius users mailing list
>> Subject: Re: freeradius, ldap error - HELP ME!
>>
>>
>>
>> Michael Mitchell wrote:
>>> peppeska wrote:
>> rad_recv: Access-Request packet from host 127.0.0.1:1030, id=65, 
>> length=54
>>>  ^^
>>>
>> ->Where is User-Password attribute?
>  Ask the NAS.
>
 what?

>>> In this case I have a suspicion the "NAS" could be radclient...
>>>
>>> How are you sending requests to freeRADIUS?
>>>
>> Freeradius receive request from pppoe-server, I try to connect 
>> to pppoe-server from a linux box
> 
> 
> Is your pppoe-server a linux server ?
> Is your pppoe client or pppoe server configured to use ms-chap
> authentication ?
> 
> If your pppoe server is a linux box, have you checked that the radiusclient
> library contains the microsoft dictionary as I described in my previous
> email ?



Thibault Le Meur wrote:
>> >> But the output now is:
>> >>
>> >> rad_recv: Access-Request packet from host 127.0.0.1:1030,
>> >> id=65, length=54
>> >> Service-Type = Framed-User
>> >> Framed-Protocol = PPP
>> >> User-Name = "peppeska"
>> >> NAS-IP-Address = 127.0.0.1
>> >> NAS-Port = 0
>> >>
>> >> ^
>> >> ->Where is User-Password attribute?
>> >> - 
> >
> > A good question indeed, that one should be asked to your NAS  ;-)
> >
> > It's up to the NAS to send User-Password: unless it is setup to do something
> > else (for instance MSCHAP).
> >
> > Have you setup ppp to use mschap (require-mschap-v2 option) ?
> > Are you using the radiusclient library ?

 refuse-pap
 refuse-chap
 require-mschap
 require-mschap-v2
 require-mppe

> >
> > If yes, could you check that your radiusclient dictionary file includes
> > Microsoft attributes:
> > * check the "dictionary  " line of
> > /etc/radiusclient-ng/radiusclient.conf file (or
> > /etc/radiusclient/radiusclient.conf file)
> > * check that the file  contains a reference to other
> > dictionary files such as:
> > INCLUDE /usr/share/radiusclient-ng/dictionary.merit
> > INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft
> > * check that you have these 2 extra dictionary files (especially the
> > microsoft one)
> > ==> I've attached the two files

in my radiusclient.conf there is:

# dictionary of allowed attributes and values
# just like in the normal RADIUS distributions
dictionary  /etc/radiusclient/dictionary

and in the dictionary file:
$INCLUDE /etc/radiusclient/dictionary.microsoft
$INCLUDE /etc/radiusclient/dictionary.ascend
$INCLUDE /etc/radiusclient/dictionary.compat
$INCLUDE /etc/radiusclient/dictionary.merit
$INCLUDE /usr/share/freeradius/dictionary


But... without declaration of Default Auth-Type in the users file:

rlm_ldap: user peppeska authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [peppeska/] (from client
localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0


- --
  --
  |Giuseppe Moscato aka peppeska - Linux User - no html messages---|

  |[EMAIL PROTECTED] - http://peppeska.altervista.org--|

  |Fingerprint = 90DC 05A8 2D65 BC04 BD1B  4C07 C389 434B 3201 319D|
  --


RE : RE : freeradius, ldap error - HELP ME!

2007-03-20 Thread Thibault Le Meur


> > rlm_ldap: ldap_get_conn: Checking Id: 0
> > rlm_ldap: ldap_get_conn: Got Id: 0
> > rlm_ldap: attempting LDAP reconnection
> > rlm_ldap: (re)connect to localhost:389, authentication 0
> > rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: Bind was successful
> > rlm_ldap: performing search in dc=example, with filter (cn=peppeska)
> > rlm_ldap: no dialupAccess attribute - access denied by default
> 
> 
> 
> Comment this line in your ldap section of radiusd.conf:
> # access_attr = "dialupAccess"

And comment this one too, like this :
# access_attr_used_for_allow = yes

> 
> HTH,
> Thibault
> 
> 
> 