ERROR at testing freeradius
Clive Allen
cliveallen0907 at gmx.com
Thu Nov 20 19:35:11 CET 2014
Stop and restart radiusd -X
Also looks like you have an extra space in there
Sent from my iPhone
> On 20 Nov 2014, at 17:38, Tania Romero <tania.romero.aramayo at gmail.com> wrote:
>
> This is the first time I install and test Freeradius.
> This is the version of freeradius:
>
> -- freeradius -v
>
> freeradius: FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Feb 24 2014 at 15:16:51
> Copyright (C) 1999-2010 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License.
> For more information about these matters, see the file named COPYRIGHT.
>
>
> This user is one of the default users, and I just uncommented that user line in /etc/freeradius/users:
>
> *******************************************************************************
> #
> # Please read the documentation file ../doc/processing_users_file,
> # or 'man 5 users' (after installing the server) for more information.
> #
> # This file contains authentication security and configuration
> # information for each user. Accounting requests are NOT processed
> # through this file. Instead, see 'acct_users', in this directory.
> #
> # The first field is the user's name and can be up to
> # 253 characters in length. This is followed (on the same line) with
> # the list of authentication requirements for that user. This can
> # include password, comm server name, comm server port number, protocol
> # type (perhaps set by the "hints" file), and huntgroup name (set by
> # the "huntgroups" file).
> #
> # If you are not sure why a particular reply is being sent by the
> # server, then run the server in debugging mode (radiusd -X), and
> # you will see which entries in this file are matched.
> #
> # When an authentication request is received from the comm server,
> # these values are tested. Only the first match is used unless the
> # "Fall-Through" variable is set to "Yes".
> #
> # A special user named "DEFAULT" matches on all usernames.
> # You can have several DEFAULT entries. All entries are processed
> # in the order they appear in this file. The first entry that
> # matches the login-request will stop processing unless you use
> # the Fall-Through variable.
> #
> # If you use the database support to turn this file into a .db or .dbm
> # file, the DEFAULT entries _have_ to be at the end of this file and
> # you can't have multiple entries for one username.
> #
> # Indented (with the tab character) lines following the first
> # line indicate the configuration values to be passed back to
> # the comm server to allow the initiation of a user session.
> # This can include things like the PPP configuration values
> # or the host to log the user onto.
> #
> # You can include another `users' file with `$INCLUDE users.other'
> #
>
> #
> # For a list of RADIUS attributes, and links to their definitions,
> # see:
> #
> # http://www.freeradius.org/rfc/attributes.html
> #
>
> #
> # Deny access for a specific user. Note that this entry MUST
> # be before any other 'Auth-Type' attribute which results in the user
> # being authenticated.
> #
> # Note that there is NO 'Fall-Through' attribute, so the user will not
> # be given any additional resources.
> #
> #lameuser Auth-Type := Reject
> # Reply-Message = "Your account has been disabled."
>
> #
> # Deny access for a group of users.
> #
> # Note that there is NO 'Fall-Through' attribute, so the user will not
> # be given any additional resources.
> #
> #DEFAULT Group == "disabled", Auth-Type := Reject
> # Reply-Message = "Your account has been disabled."
> #
>
> #
> # This is a complete entry for "steve". Note that there is no Fall-Through
> # entry so that no DEFAULT entry will be used, and the user will NOT
> # get any attributes in addition to the ones listed here.
> #
> steve Cleartext-Password := "testing"
> # Service-Type = Framed-User,
> # Framed-Protocol = PPP,
> # Framed-IP-Address = 172.16.3.33,
> # Framed-IP-Netmask = 255.255.255.0,
> # Framed-Routing = Broadcast-Listen,
> # Framed-Filter-Id = "std.ppp",
> # Framed-MTU = 1500,
> # Framed-Compression = Van-Jacobsen-TCP-IP
>
> #
> # This is an entry for a user with a space in their name.
> # Note the double quotes surrounding the name.
> #
> #"John Doe" Cleartext-Password := "hello"
> # Reply-Message = "Hello, %{User-Name}"
>
> #
> # Dial user back and telnet to the default host for that port
> #
> #Deg Cleartext-Password := "ge55ged"
> # Service-Type = Callback-Login-User,
> # Login-IP-Host = 0.0.0.0,
> # Callback-Number = "9,5551212",
> # Login-Service = Telnet,
> # Login-TCP-Port = Telnet
>
> #
> # Another complete entry. After the user "dialbk" has logged in, the
> # connection will be broken and the user will be dialed back after which
> # he will get a connection to the host "timeshare1".
> #
> #dialbk Cleartext-Password := "callme"
> # Service-Type = Callback-Login-User,
> # Login-IP-Host = timeshare1,
> # Login-Service = PortMaster,
> # Callback-Number = "9,1-800-555-1212"
>
> #
> # user "swilson" will only get a static IP number if he logs in with
> # a framed protocol on a terminal server in Alphen (see the huntgroups file).
> #
> # Note that by setting "Fall-Through", other attributes will be added from
> # the following DEFAULT entries
> #
> #swilson Service-Type == Framed-User, Huntgroup-Name == "alphen"
> # Framed-IP-Address = 192.168.1.65,
> # Fall-Through = Yes
>
> #
> # If the user logs in as 'username.shell', then authenticate them
> # using the default method, give them shell access, and stop processing
> # the rest of the file.
> #
> #DEFAULT Suffix == ".shell"
> # Service-Type = Login-User,
> # Login-Service = Telnet,
> # Login-IP-Host = your.shell.machine
>
>
> #
> # The rest of this file contains the several DEFAULT entries.
> # DEFAULT entries match with all login names.
> # Note that DEFAULT entries can also Fall-Through (see first entry).
> # A name-value pair from a DEFAULT entry will _NEVER_ override
> # an already existing name-value pair.
> #
>
> #
> # Set up different IP address pools for the terminal servers.
> # Note that the "+" behind the IP address means that this is the "base"
> # IP address. The Port-Id (S0, S1 etc) will be added to it.
> #
> #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen"
> # Framed-IP-Address = 192.168.1.32+,
> # Fall-Through = Yes
>
> #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft"
> # Framed-IP-Address = 192.168.2.32+,
> # Fall-Through = Yes
>
> #
> # Sample defaults for all framed connections.
> #
> #DEFAULT Service-Type == Framed-User
> # Framed-IP-Address = 255.255.255.254,
> # Framed-MTU = 576,
> # Service-Type = Framed-User,
> # Fall-Through = Yes
>
> #
> # Default for PPP: dynamic IP address, PPP mode, VJ-compression.
> # NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
> # by the terminal server in which case there may not be a "P" suffix.
> # The terminal server sends "Framed-Protocol = PPP" for auto PPP.
> #
> DEFAULT Framed-Protocol == PPP
> Framed-Protocol = PPP,
> Framed-Compression = Van-Jacobson-TCP-IP
>
> #
> # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
> #
> DEFAULT Hint == "CSLIP"
> Framed-Protocol = SLIP,
> Framed-Compression = Van-Jacobson-TCP-IP
>
> #
> # Default for SLIP: dynamic IP address, SLIP mode.
> #
> DEFAULT Hint == "SLIP"
> Framed-Protocol = SLIP
>
> #
> # Last default: rlogin to our main server.
> #
> #DEFAULT
> # Service-Type = Login-User,
> # Login-Service = Rlogin,
> # Login-IP-Host = shellbox.ispdomain.com
>
> # #
> # # Last default: shell on the local terminal server.
> # #
> # DEFAULT
> # Service-Type = Administrative-User
>
> # On no match, the user is denied access.
>
> *******************************************************************************
>
>
> I have a terminal where I see the debugging messages, and another where I entered the following commands:
>
>
> -- radtest steve testing 127.0.0.1 0 testing123
>
> This is the outcome:
>
> Sending Access-Request Id 79 from 0.0.0.0:37440 to 127.0.0.1:1812
> User-Name = 'steve'
> User-Password = 'testing'
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
> Message-Authenticator = 0x00
> Received Access-Reject Id 79 from 127.0.0.1:1812 to 127.0.0.1:37440 length 20
> (0) -: Expected Access-Accept got Access-Reject
>
>
>
> In the debug console, this is the result:
>
> *******************************************************************************
> rad_recv: Access-Request packet from host 127.0.0.1 port 37440, id=79, length=75
> User-Name = "steve"
> User-Password = "testing"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
> Message-Authenticator = 0x57890edab06058e2770c96eea02e0d0a
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "steve", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> steve
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 22 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 22
> Sending Access-Reject of id 79 to 127.0.0.1 port 37440
> Waking up in 4.9 seconds.
> Cleaning up request 22 ID 79 with timestamp +9927
> Ready to process requests.
> *******************************************************************************
>
>
> I'm not sure if that's the file where I have to enable the "steve" user, because for what I've read this line:
> ++[files] returns noop
> Indicates that Freeradius hasn't found my user configuration.
> Is it possible that I've been configuring the wrong file?
> Any other ideas of why Freeradius keeps rejecting my request?
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20141120/df3b3106/attachment-0001.html>
More information about the Freeradius-Users
mailing list