Cisco Pix and FreeRadius....

Sills, Tripp tripp at dmenet.com
Tue Jan 17 18:21:16 CET 2006



Notice the first request that comes from 10.2.0.69. It is using the
test aaa-server from the PIX itself.  The other two are when I am
connecting to the VPN client and trying to authenticate.  It says Auth
Type unknown.  Any ideas, Alan?



Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: ../etc/raddb/proxy.conf
Config:   including file: ../etc/raddb/clients.conf
Config:   including file: ../etc/raddb/snmp.conf
Config:   including file: ../etc/raddb/eap.conf
Config:   including file: ../etc/raddb/sql.conf
 main: prefix = ".."
 main: localstatedir = "../var"
 main: logdir = "../var/log/radius"
 main: libdir = "../lib"
 main: radacctdir = "../var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "../var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "../var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "../bin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is ../lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "../var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file =
"../etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-Server.pem"
 tls: certificate_file =
"../etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-Server.crt"
 tls: CA_file =
"../etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-Root.crt"
 tls: private_key_password = "demo"
 tls: dh_file = "../etc/raddb/certs/FreeRADIUS.net/DemoCerts/dh"
 tls: random_file = "../etc/raddb/certs/FreeRADIUS.net/DemoCerts/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "%{User-Name}"
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "../etc/raddb/huntgroups"
 preprocess: hints = "../etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix) 
Module: Loaded files 
 files: usersfile = "../etc/raddb/users"
 files: acctusersfile = "../etc/raddb/acct_users"
 files: preproxy_usersfile = "../etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files) 
Module: Loaded Acct-Unique-Session-Id 
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded detail 
 detail: detailfile =
"../var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail) 
Module: Loaded radutmp 
 radutmp: filename = "../var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp) 
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.2.0.69:1025, id=85,
length=93
	User-Name = "tripp"
	User-Password = "tripp"
	NAS-IP-Address = 10.2.0.69
	NAS-Port-Type = Virtual
	Cisco-AVPair = "ip:source-ip=000.000.000.000"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "tripp", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry tripp at line 224
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [tripp/tripp] (from client BorderPatrol port 0)
Sending Access-Accept of id 85 to 10.2.0.69:1025
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 85 with timestamp 43cd26ed
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.2.0.69:1025, id=86,
length=154
	User-Name = "tripp"
	User-Password = "tripp"
	NAS-Port = 739
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Called-Station-Id = "68.208.135.26"
	Calling-Station-Id = "24.73.134.236"
	Tunnel-Client-Endpoint:0 = "24.73.134.236"
	NAS-IP-Address = 10.2.0.69
	NAS-Port-Type = Virtual
	Cisco-AVPair = "ip:source-ip=24.73.134.236"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "tripp", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
    users: Matched entry DEFAULT at line 179
    users: Matched entry DEFAULT at line 191
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns ok for request 1
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [tripp/tripp] (from client BorderPatrol port 739 cli
24.73.134.236)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 86 to 10.2.0.69:1025
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 86 with timestamp 43cd273a
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.2.0.69:1025, id=87,
length=154
	User-Name = "tripp"
	User-Password = "tripp"
	NAS-Port = 739
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Called-Station-Id = "68.208.135.26"
	Calling-Station-Id = "24.73.134.236"
	Tunnel-Client-Endpoint:0 = "24.73.134.236"
	NAS-IP-Address = 10.2.0.69
	NAS-Port-Type = Virtual
	Cisco-AVPair = "ip:source-ip=24.73.134.236"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "tripp", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 2
    users: Matched entry DEFAULT at line 179
    users: Matched entry DEFAULT at line 191
  modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns ok for request 2
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [tripp/tripp] (from client BorderPatrol port 739 cli
24.73.134.236)
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 87 to 10.2.0.69:1025
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 87 with timestamp 43cd2740
Nothing to do.  Sleeping until we see a request.
Terminate batch job (Y/N)?
-----Original Message-----
From: freeradius-users-bounces+tripp=dmenet.com at lists.freeradius.org
[mailto:freeradius-users-bounces+tripp=dmenet.com at lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: Monday, January 16, 2006 10:33 PM
To: FreeRadius users mailing list
Subject: Re: Cisco Pix and FreeRadius....

"Sills, Tripp" <tripp at dmenet.com> wrote:
> It says Auth-Type found Local but when I run with the VPN client it
> says unknown auth type.  Please any help would be great!

  Help us help you.  Read the README, INSTALL, and FAQ.  Then follow
the instructions there for debugging the server.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
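Added here as an editor's example, not code from the post or from the FreeRADIUS project: a small Python parser for the `radiusd -X` output quoted above. It groups the debug log by `rad_recv` packet, records which `users` entries matched, whether `rad_check_password` found an Auth-Type, and which reply the server sent. The embedded sample is a trimmed, constructed copy of the post's own output (request id 85, accepted via Auth-Type Local after matching entry `tripp` at line 224; request id 86, rejected with "No authenticate method (Auth-Type) configuration found" after matching only the DEFAULT entries at lines 179 and 191). The regular expressions assume the 1.x-era debug line formats shown in the post, with attribute lines indented by a tab; the class and function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: excerpts of the radiusd -X output quoted in the post,
# reduced to the lines this parser keys on (email line-wrapping undone).
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.2.0.69:1025, id=85, length=93
\tUser-Name = "tripp"
\tNAS-IP-Address = 10.2.0.69
\tNAS-Port-Type = Virtual
  modcall[authorize]: module "preprocess" returns ok for request 0
    users: Matched entry tripp at line 224
  modcall[authorize]: module "files" returns ok for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
Login OK: [tripp/tripp] (from client BorderPatrol port 0)
Sending Access-Accept of id 85 to 10.2.0.69:1025
Finished request 0
rad_recv: Access-Request packet from host 10.2.0.69:1025, id=86, length=154
\tUser-Name = "tripp"
\tNAS-Port = 739
\tService-Type = Framed-User
\tCalling-Station-Id = "24.73.134.236"
\tNAS-IP-Address = 10.2.0.69
    users: Matched entry DEFAULT at line 179
    users: Matched entry DEFAULT at line 191
  modcall[authorize]: module "files" returns ok for request 1
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Login incorrect: [tripp/tripp] (from client BorderPatrol port 739 cli 24.73.134.236)
Sending Access-Reject of id 86 to 10.2.0.69:1025
Finished request 1
"""

# Line shapes taken from the debug output in the post.
RAD_RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+):(\d+), id=(\d+), length=(\d+)")
ATTR = re.compile(r"^\t(\S+) = (.*)$")
MATCHED = re.compile(r"users: Matched entry (\S+) at line (\d+)")
AUTH_TYPE = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")
NO_AUTH_TYPE = re.compile(r"auth: No authenticate method \(Auth-Type\) configuration found")
SENDING = re.compile(r"^Sending (Access-\S+) of id (\d+) to (\S+)")


@dataclass
class Request:
    packet_id: int
    nas: str
    attrs: dict = field(default_factory=dict)
    matched_entries: List[Tuple[str, int]] = field(default_factory=list)
    auth_type: Optional[str] = None       # set when rad_check_password reports one
    missing_auth_type: bool = False       # set on the "No authenticate method" line
    result: Optional[str] = None          # Access-Accept / Access-Reject


def parse_debug(text: str) -> List[Request]:
    """Split radiusd -X output into one Request per rad_recv packet."""
    requests: List[Request] = []
    current: Optional[Request] = None
    for line in text.splitlines():
        m = RAD_RECV.match(line)
        if m:
            current = Request(packet_id=int(m.group(4)), nas=m.group(2))
            requests.append(current)
            continue
        if current is None:
            continue  # startup / module-loading lines before the first packet
        m = ATTR.match(line)
        if m:
            current.attrs[m.group(1)] = m.group(2).strip('"')
            continue
        m = MATCHED.search(line)
        if m:
            current.matched_entries.append((m.group(1), int(m.group(2))))
            continue
        m = AUTH_TYPE.search(line)
        if m:
            current.auth_type = m.group(1)
            continue
        if NO_AUTH_TYPE.search(line):
            current.missing_auth_type = True
            continue
        m = SENDING.match(line)
        if m:
            current.result = m.group(1)
    return requests


def requests_without_auth_type(text: str) -> List[int]:
    """Packet ids rejected because no Auth-Type was resolved for them."""
    return [r.packet_id for r in parse_debug(text) if r.missing_auth_type]


def diagnose(req: Request) -> str:
    """One-line finding per request, modelled on the two outcomes in the post."""
    entries = ", ".join(f"{e} (users line {n})" for e, n in req.matched_entries) or "none"
    if req.missing_auth_type:
        return f"id {req.packet_id}: {req.result}, no Auth-Type resolved; matched: {entries}"
    return f"id {req.packet_id}: {req.result} via Auth-Type {req.auth_type}; matched: {entries}"


if __name__ == "__main__":
    for r in parse_debug(SAMPLE_DEBUG):
        print(diagnose(r))
```

Run against the full pasted log, `requests_without_auth_type` returns the ids of requests 1 and 2 (86 and 87), and `diagnose` puts the two cases side by side: the request from the PIX's `test aaa-server` matched the specific `tripp` entry and got Auth-Type Local, while the VPN-client requests matched only the DEFAULT entries at lines 179 and 191 and arrived at the authenticate stage with no Auth-Type at all. The `users` line numbers the log reports are the place to start comparing what those entries set.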
