Re: chap rlm_sql authentication problem

2007-03-30 Thread Alan DeKok
Andrew Long wrote:

> Each and every one is using CHAP. Promise.

  Then something else is making it not work...

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: chap rlm_sql authentication problem

2007-03-30 Thread Andrew Long

> >>   Change the attribute name to Cleartext-Password, and the
> >> operator to ":=".
> >
> > I have about 20 other NAS's using this identical configuration and
> > they all authenticate...
>
>   They're not using CHAP.

Each and every one is using CHAP. Promise.

Andrew




Re: chap rlm_sql authentication problem

2007-03-30 Thread Alan DeKok
Andrew Long wrote:
...
>>   Change the attribute name to Cleartext-Password, and the 
>> operator to ":=".
> 
> I have about 20 other NAS's using this identical configuration and they all
> authenticate...

  They're not using CHAP.

> Just for giggles, I restored the username to the old one in
> radcheck/radreply and
> in my ntradping request... and it authenticated properly. Can you explain
> this?

  See Kevin Bonners reply.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: chap rlm_sql authentication problem

2007-03-30 Thread Kevin Bonner
On Friday 30 March 2007 09:13:17 Andrew Long wrote:
> In NTRADPING:
> username: hiegalleria
...
> rad_recv: Access-Request packet from host 192.168.10.100:49259, id=5,
> length=59
> User-Name = "hiegalleria_cn3200"
> CHAP-Password = 0xac0b9199834a040866dd0050c44d4fdf35

Am I missing something obvious?  How is "_cn3200" getting appended to the 
username?

> --
> 1176  hiegalleria_cn3200  password  PASSWORD_HERE  ==
> --

You've heard several times that the attribute and operator need to be fixed.  
I'm just listing it again for emphasis.

> radius_xlat:  'SELECT
> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
> FROM radgroupcheck,usergroup WHERE usergroup.Username = 'hiegalleria_cn3200'
> AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
> --
> 9  colubris  Service-Type  Administrative-User  ==
> --

If this is correct, your request will not match unless you send this 
particular Service-Type.  Looking at the request above, I don't see this 
attribute being sent in the access-request.

Kevin Bonner



RE: chap rlm_sql authentication problem

2007-03-30 Thread Andrew Long

> > Now we're taking a step back because I tried changing the
> > username on the NAS and in the SQL and can no longer authenticate with
> > :( NTRADPING.
>
>   Why use ntradping?  Use radclient.

I will in the future, but I'm in mid-stream here...

>   And you're using CHAP... which is why it doesn't match.
> 
> > --
> > 1176  hiegalleria_cn3200  password  PASSWORD_HERE  ==
> > --
>
>   Change the attribute name to Cleartext-Password, and the
> operator to ":=".

I have about 20 other NAS's using this identical configuration and they all
authenticate...

>   See "man users" for an explanation of the operators.
> You're comparing the value to the User-Password in the
> request (which doesn't exist).
> So... the comparison fails.

Just for giggles, I restored the username to the old one in
radcheck/radreply and in my ntradping request... and it authenticated
properly. Can you explain this?
This was done without making any changes to the operator or attribute.

Andrew




Re: chap rlm_sql authentication problem

2007-03-30 Thread Alan DeKok
Andrew Long wrote:
> Now we're taking a step back because I tried changing the username 
> on the NAS and in the SQL and can no longer authenticate with :( NTRADPING.

  Why use ntradping?  Use radclient.

  And you're using CHAP... which is why it doesn't match.

> --
> 1176  hiegalleria_cn3200  password  PASSWORD_HERE  ==
> --

  Change the attribute name to Cleartext-Password, and the operator to ":=".

  See "man users" for an explanation of the operators.  You're comparing
the value to the User-Password in the request (which doesn't exist).
So... the comparison fails.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: chap rlm_sql authentication problem

2007-03-30 Thread Andrew Long
Now we're taking a step back because I tried changing the username 
on the NAS and in the SQL and can no longer authenticate with :( NTRADPING.

In NTRADPING:
username: hiegalleria
password: PASSWORD_HERE
secret: unchanged, matches clients.conf


Had this working yesterday... All I changed was username in radreply,
username in radcheck, username in usergroup

rad_recv: Access-Request packet from host 192.168.10.100:49259, id=5,
length=59
User-Name = "hiegalleria_cn3200"
CHAP-Password = 0xac0b9199834a040866dd0050c44d4fdf35
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 13
  modcall[authorize]: module "preprocess" returns ok for request 13
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 13
  modcall[authorize]: module "mschap" returns noop for request 13
rlm_realm: No '@' in User-Name = "hiegalleria_cn3200", looking up realm
NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 13
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 13
radius_xlat:  'hiegalleria_cn3200'
rlm_sql (sql): sql_set_user escaped user --> 'hiegalleria_cn3200'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radcheck   WHERE Username = 'hiegalleria_cn3200'   ORDER BY
id'
--
1176  hiegalleria_cn3200  password  PASSWORD_HERE  ==
--
rlm_sql (sql): Reserving sql socket id: 1
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'hiegalleria_cn3200'
AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
--
9  colubris  Service-Type  Administrative-User  ==
--
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radreply   WHERE Username = 'hiegalleria_cn3200'   ORDER BY
id'
--
195  hiegalleria_cn3200  Colubris-AVPair  access-list=loginserver,ACCEPT,tcp,xx.yy.zz.aa,all  +=
196  hiegalleria_cn3200  Colubris-AVPair  default-user-smtp-redirect=xx.yy.zz.aa  +=
197  hiegalleria_cn3200  Colubris-AVPair  fail-page=http://xx.yy.zz.aa/hotspots/hiegalleria/fail.html  +=
198  hiegalleria_cn3200  Colubris-AVPair  login-url=http://xx.yy.zz.aa/hotspots/hiegalleria/terms.html?loginurl=%l  +=
199  hiegalleria_cn3200  Colubris-AVPair  logo=http://xx.yy.zz.aa/hotspots/hiegalleria/escapewire.gif  +=
200  hiegalleria_cn3200  Colubris-AVPair  mac-address=00-0A-B7-9D-4A-0B,bufctAP4,escapewire  +=
202  hiegalleria_cn3200  Colubris-AVPair  mac-address=00-40-96-36-09-9B,bufctAP5,escapewire  +=
203  hiegalleria_cn3200  Colubris-AVPair  mac-address=00-40-96-36-5B-8C,bufctAP8,escapewire  +=
204  hiegalleria_cn3200  Colubris-AVPair  mac-address=00-40-96-36-60-93,bufctAP7,escapewire  +=
205  hiegalleria_cn3200  Colubris-AVPair  mac-address=00-40-96-36-6D-1A,bufctAP1,escapewire  +=
206  hiegalleria_cn3200  Colubris-AVPair  mac-address=00-40-96-36-6D-FB,bufctAP6,escapewire  +=
207  hiegalleria_cn3200  Colubris-AVPair  mac-address=00-40-96-36-76-CF,bufctAP2,escapewire  +=
208  hiegalleria_cn3200  Colubris-AVPair  mac-address=00-40-96-43-35-00,bufctAP3,escapewire  +=
212  hiegalleria_cn3200  Colubris-AVPair  mac-address=44-45-53-54-00-00,bufmt_linksys,connect  +=
213  hiegalleria_cn3200  Colubris-AVPair  session-page=http://xx.yy.zz.aa/hotspots/hiegalleria/session.html  +=
214  hiegalleria_cn3200  Colubris-AVPair  transport-page=http://xx.yy.zz.aa/hotspots/hiegalleria/transport.html  +=
215  hiegalleria_cn3200  Colubris-AVPair  use-access-list=loginserver  +=
216  hiegalleria_cn3200  Colubris-AVPair  welcome-url=http://www..com/h/d/ex/1/en/hotel/bufct?irs=null  +=
-
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'hiegalleria_cn3200'
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
-
NULL
-
rlm_sql (sql): Released sql socket id: 1
rlm_sql (sql): No matching entry in the database for request from user
[hiegalleria_cn3200]
  modcall[authorize]: module "sql" returns notfound for request 13
rlm_sqlcounter: Enteri

Re: chap rlm_sql authentication problem

2007-03-29 Thread Alan DeKok
Andrew Long wrote:
> I think I got it, I can now authenticate with ntradping, but I get an
> attribute dump:
> 
> "unknown vendor 8744, size xx=''" repeated many times...

  From... ntradping.

> Is this because I am impersonating the NAS from a laptop? ie., should 
> clear up when the NAS is actually authenticating or does this point to
> another misconfiguration?

  It means that you configured FreeRADIUS to return attributes that
ntradping doesn't understand.  It's OK, because ntradping doesn't
understand much of anything.

  If you used radclient (which comes with FreeRADIUS), it would print
out the attribute names, because it's well written, and uses the
FreeRADIUS dictionaries.

  I'm a little at a loss for why people insist on using ntradping when
radclient does more...

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
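
What separates radclient's named output from ntradping's "unknown vendor 8744"
is only a dictionary lookup on the Vendor-Specific attribute (RFC 2865 type 26:
a four-byte vendor id followed by vendor-type, vendor-length and value). The
following added example, written for this thread and not taken from the
original post, FreeRADIUS or ntradping, encodes a few Colubris-AVPair values
like the radreply rows quoted earlier in the thread and decodes them once with
a one-entry dictionary and once without. The sample packet is constructed;
vendor 8744 = Colubris is consistent with the post, and vendor-type 0 =
Colubris-AVPair is an assumption taken from memory of FreeRADIUS's
dictionary.colubris, not from the page.

```python
# Added example: decode RFC 2865 Vendor-Specific attributes with and without a
# dictionary entry for the vendor.  Not code from the post, FreeRADIUS or ntradping.
import struct

VENDOR_SPECIFIC = 26

# Constructed one-vendor dictionary.  Assumption: vendor-type 0 is Colubris-AVPair,
# quoted from memory of FreeRADIUS's dictionary.colubris.
DICTIONARY = {8744: ("Colubris", {0: "Colubris-AVPair"})}
STANDARD = {1: "User-Name", 18: "Reply-Message"}


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """One VSA: type 26 | length | vendor-id(4) | vendor-type | vendor-length | value."""
    vendor_data = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(vendor_data), vendor_id) + vendor_data


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One standard attribute: type | length | value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def decode_attrs(blob: bytes, dictionary: dict = DICTIONARY) -> list:
    """Return (name, value) pairs; unknown vendors are reported the way a
    dictionary-less client can only report them."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        body = blob[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC:
            out.append((STANDARD.get(atype, f"Attr-{atype}"), body.decode(errors="replace")))
            continue
        if len(body) < 6:
            raise ValueError("vendor-specific attribute too short")
        vendor_id = struct.unpack("!I", body[:4])[0]
        vname, vattrs = dictionary.get(vendor_id, (None, {}))
        vdata, vpos = body[4:], 0
        while vpos < len(vdata):
            vtype, vlen = vdata[vpos], vdata[vpos + 1]
            if vlen < 2 or vpos + vlen > len(vdata):
                raise ValueError("bad vendor attribute length")
            value = vdata[vpos + 2:vpos + vlen]
            vpos += vlen
            if vname is None:
                out.append((f"unknown vendor {vendor_id}, size {len(value)}", value.hex()))
            else:
                name = vattrs.get(vtype, f"{vname}-Attr-{vtype}")
                out.append((name, value.decode(errors="replace")))
    return out


# Constructed Access-Accept attribute section resembling the radreply rows above.
SAMPLE = (
    encode_attr(1, b"hiegalleria_cn3200")
    + encode_vsa(8744, 0, b"use-access-list=loginserver")
    + encode_vsa(8744, 0, b"mac-address=00-0A-B7-9D-4A-0B,bufctAP4,escapewire")
)

if __name__ == "__main__":
    for name, value in decode_attrs(SAMPLE):            # with dictionary: named
        print(f"{name} = {value!r}")
    for name, value in decode_attrs(SAMPLE, {}):        # without: "unknown vendor 8744"
        print(f"{name} = {value!r}")
```

The same bytes are on the wire in both runs; only the decoder's knowledge of
vendor 8744 changes, which is why the "unknown vendor" lines say nothing about
the server's configuration being wrong.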


RE: chap rlm_sql authentication problem

2007-03-29 Thread Andrew Long

I think I got it, I can now authenticate with ntradping, but I get an
attribute dump:

"unknown vendor 8744, size xx=''" repeated many times...

Is this because I am impersonating the NAS from a laptop? ie., should 
clear up when the NAS is actually authenticating or does this point to
another misconfiguration?

All the other request types, accounting start,stop, update, go normally.

Andrew




Re: chap rlm_sql authentication problem

2007-03-29 Thread Alan DeKok
Andrew Long wrote:
> I am adding a new MSC to our list of clients and trying to verify the config 
> with -X and ntradping.
> I keep getting rejected. 
...
> I note the "could not find clear text password" at bottom of reply, but am 
> not sure why this is so;
> The password is present in radcheck.

  It's not found:

> The -X out put is as follows:
...
> rlm_sql (sql): No matching entry in the database for request from user 
> [bufhiegall_cn3200]
>   modcall[authorize]: module "sql" returns notfound for request 0

  That's pretty definitive.

> I have run all the queries manually on the server, and they all return 
> results as 
> expected (except the query to radgroupreply, as there is nothing configured 
> there).

  They may return what you expect, but not what the server needs.

  Please post the output from the queries here.  Odds are something is
misconfigured, so that the queries return data, but not anything the
server can use.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog