Server logs say users authenticate, but they don't (Now with more details!)

Paul Khavkine paul.khavkine at distributel.ca
Fri Nov 3 23:36:24 CET 2006


Is the server multihomed ?
It often happends that the server will recieve a request on one IP address and send out a reply using a different address with a multihomed system.

If your system has multiple IP addresses, u can set "bind_address" to the one you want to use.

Cheers
Paul


-----Original Message-----
From: freeradius-users-bounces+paul.khavkine=distributel.ca at lists.freeradius.org on behalf of Ernie Dunbar
Sent: Fri 11/3/2006 2:02 PM
To: freeradius-users at lists.freeradius.org
Subject: Server logs say users authenticate, but they don't (Now with more details!)
 
This isn't a duplicate, I've just included more information about our
configuration.

We have a Cisco AS5300 for our dialup pool. It is able to log into our new
FreeRadius server and make authentication requests, but users are not able
to authenticate.

It's very strange, because FreeRadius produces logs like this:

Thu Nov  2 11:06:24 2006 : Auth: Login OK: [XXXXXX/XXXXXX] (from client
dialup port 8)

But the client gets "Error 691: Your username or password are incorrect".

I can tell that it's authenticating properly, because when a user gets
their password wrong, I see this instead:

Thu Nov  2 11:02:20 2006 : Auth: Login incorrect: [user1/somepass] (from
client dialup port 13)
Thu Nov  2 11:02:20 2006 : Auth: Login incorrect: [user1/somepass] (from
client dialup port 13)

We're using FreeRadius' mysql support for authentication, and I'm
absolutely positive that part is working fine. It even creates accounting
data in the database.

This is what we have in the users file:

DEFAULT Framed-Protocol == PPP, Simultaneous-Use == 1
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

and this is what radiusd.conf looks like without the comments:

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid

user = freerad
group = freerad

max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 256
bind_address = *
port = 0

hostname_lookups = no
allow_core_dumps = no

regular_expressions     = yes
extended_expressions    = yes

log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes

usercollide = no

lower_user = no
lower_pass = no

nospace_user = after
nospace_pass = after

checkrad = ${sbindir}/checkrad

security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
}

proxy_requests  = off
$INCLUDE  ${confdir}/proxy.conf

# proxy.conf has:
# realm LOCAL {
#        type            = radius
#        authhost        = LOCAL
#        accthost        = LOCAL
#}

$INCLUDE  ${confdir}/clients.conf

# clients.conf has:
# client XXX.XXX.XXX.XXX {
#        secret = XXXXXX
#        nastype = cisco
#        shortname = dialup
#}

$INCLUDE  ${confdir}/snmp.conf

# snmp.conf has nothing.

snmp    = no

thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}

modules {
        pap {
                encryption_scheme = crypt
        }

        chap {
                authtype = CHAP
        }

        pam {
                pam_auth = radiusd
        }

        unix {
                cache = no
                cache_reload = 600
                shadow = /etc/shadow
                radwtmp = ${logdir}/radwtmp
        }

$INCLUDE ${confdir}/eap.conf

# eap.conf has:
#         eap {
#                default_eap_type = md5
#                timer_expire     = 60
#                ignore_unknown_eap_types = no
#                cisco_accounting_username_bug = no
#
#                md5 {
#                }
#
#                leap {
#                }
#
#                gtc {
#                        auth_type = PAP
#                }
#
#                mschapv2 {
#                }
#        }

        mschap {
                authtype = MS-CHAP
        }

        realm suffix {
                format = suffix
                delimiter = "@"
                ignore_default = no
                ignore_null = no
        }

        checkval {
                item-name = Calling-Station-Id
                check-name = Calling-Station-Id
                data-type = string
        }

        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }

        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                compat = no
        }

        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
        }

        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
        }

        $INCLUDE  ${confdir}/sql.conf

# sql.conf has:
#
#sql {
#
#        driver = "rlm_sql_mysql"
#        server = "localhost"
#        login = "XXXXXX"
#        radius_db = "XXXXXX"
#	password = "XXXXXX"
#        acct_table1 = "radacct"
#        acct_table2 = "radacct"
#        postauth_table = "radpostauth"
#        authcheck_table = "radcheck"
#        authreply_table = "radreply"
#        groupcheck_table = "radgroupcheck"
#        groupreply_table = "radgroupreply"
#        usergroup_table = "usergroup"
#        deletestalesessions = yes
#        sqltrace = yes
#        sqltracefile = /var/log/freeradius/sqltrace.sql
#        num_sql_socks = 5
#        connect_failure_retry_delay = 60
#        safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
#        sql_user_name = "%{User-Name}"
#
#        authorize_check_query = "SELECT id,UserName,Attribute,Value,op
FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
#        authorize_reply_query = "SELECT id,UserName,Attribute,Value,op
FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
#        authorize_group_check_query = "SELECT
${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op
 FROM ${groupcheck_table},${usergroup_table} WHERE
${usergroup_table}.Username = '%{SQL-User-Name}' AND
${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY
${groupcheck_table}.id"
#        authorize_group_reply_query = "SELECT
${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op
 FROM ${groupreply_table},${usergroup_table} WHERE
${usergroup_table}.Username = '%{SQL-User-Name}' AND
${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY
${groupreply_table}.id"
#        accounting_onoff_query = "UPDATE ${acct_table1} SET
AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') -
unix_timestamp(AcctStartTime),
AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay =
'%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND
NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
#
#        accounting_update_query = "UPDATE ${acct_table1} \
#         SET FramedIPAddress = '%{Framed-IP-Address}', \
#         AcctSessionTime = '%{Acct-Session-Time}', \
#         AcctInputOctets = '%{Acct-Input-Octets}', \
#         AcctOutputOctets = '%{Acct-Output-Octets}' \
#         WHERE AcctSessionId = '%{Acct-Session-Id}' \
#         AND UserName = '%{SQL-User-Name}' \
#         AND NASIPAddress= '%{NAS-IP-Address}'"
#
#        accounting_update_query_alt = "INSERT into ${acct_table1}
(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,
NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic,
ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId,
CallingStationId, ServiceType, FramedProtocol, FramedIPAddress,
AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} +
%{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}',
'%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}', '0')"
#        accounting_start_query = "INSERT into ${acct_table1}
(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,
NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)
values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}',
'%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"
#        accounting_start_query_alt  = "UPDATE ${acct_table1} SET
AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}',
ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId =
'%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress =
'%{NAS-IP-Address}'"
#        accounting_stop_query = "UPDATE ${acct_table2} SET AcctStopTime =
'%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets =
'%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}',
AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay =
'%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE
AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND
NASIPAddress = '%{NAS-IP-Address}'"
#        accounting_stop_query_alt = "INSERT into ${acct_table2}
(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,
NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)
values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} +
%{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}',
'%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}',
'%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}',
'%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')"
#        simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE
UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
#        simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName,
NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol
FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime =
0"
#        group_membership_query = "SELECT GroupName FROM
${usergroup_table} WHERE UserName='%{SQL-User-Name}'"
#        postauth_query = "INSERT into ${postauth_table} (id, user, pass,
reply, date) values ('', '%{User-Name}',
'%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"
#
#}

        radutmp {
                filename = ${logdir}/radutmp
                username = %{User-Name}
                case_sensitive = yes
                check_with_nas = yes
                perm = 0600
                callerid = "yes"
        }

        radutmp sradutmp {
                filename = ${logdir}/sradutmp
                perm = 0644
                callerid = "no"
        }

        attr_filter {
                attrsfile = ${confdir}/attrs
        }

        counter daily {
                filename = ${raddbdir}/db.daily
                key = User-Name
                count-attribute = Acct-Session-Time
                reset = daily
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                allowed-servicetype = Framed-User
                cache-size = 5000
        }

        always fail {
                rcode = fail
        }

        always reject {
                rcode = reject
        }

        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }

        expr {
        }

        digest {
        }

        exec {
                wait = yes
                input_pairs = request
        }

        exec echo {
                wait = yes
                program = "/bin/echo %{User-Name}"
                input_pairs = request
                output_pairs = reply
        }

        ippool main_pool {
                range-start = 192.168.1.1
                range-stop = 192.168.3.254
                netmask = 255.255.255.0
                cache-size = 800
                session-db = ${raddbdir}/db.ippool
                ip-index = ${raddbdir}/db.ipindex
                override = no
                maximum-timeout = 0
        }
}

instantiate {
        exec
        expr
}

authorize {
        preprocess
        sql
}



authenticate {
        Auth-Type PAP {
                pap
        }

        Auth-Type CHAP {
                chap
        }

        Auth-Type MS-CHAP {
                mschap
        }
}


preacct {
        preprocess
        suffix
}

accounting {
        detail
        radutmp
        sql
}

session {
        sql
}

post-auth {
}

pre-proxy {
}

post-proxy {
        eap
}

## END OF CONFIG ##

If you've actually gotten this far, I salute you. :)

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20061103/6ba83441/attachment.html>


More information about the Freeradius-Users mailing list