<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7638.1">
<TITLE>RE: Server logs say users authenticate, but they don't (Now with more details!)</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<BR>
<P><FONT SIZE=2>Is the server multihomed?<BR>
With a multihomed system it often happens that the server receives a request on one IP address and sends the reply out from a different address; the NAS then typically discards that reply because its source address does not match the server it sent the request to, and the login times out.<BR>
<BR>
If your system has multiple IP addresses, you can set "bind_address" (currently bind_address = * in the radiusd.conf below) to the one you want the server to use.<BR>
<BR>
Cheers<BR>
Paul<BR>
<BR>
<BR>
-----Original Message-----<BR>
From: freeradius-users-bounces+paul.khavkine=distributel.ca@lists.freeradius.org on behalf of Ernie Dunbar<BR>
Sent: Fri 11/3/2006 2:02 PM<BR>
To: freeradius-users@lists.freeradius.org<BR>
Subject: Server logs say users authenticate, but they don't (Now with more details!)<BR>
<BR>
This isn't a duplicate; I've just included more information about our<BR>
configuration.<BR>
<BR>
We have a Cisco AS5300 for our dialup pool. It is able to log into our new<BR>
FreeRadius server and make authentication requests, but users are not able<BR>
to authenticate.<BR>
<BR>
It's very strange, because FreeRadius produces logs like this:<BR>
<BR>
Thu Nov 2 11:06:24 2006 : Auth: Login OK: [XXXXXX/XXXXXX] (from client<BR>
dialup port 8)<BR>
<BR>
But the client gets "Error 691: Your username or password are incorrect".<BR>
<BR>
I can tell that it's authenticating properly, because when a user gets<BR>
their password wrong, I see this instead:<BR>
<BR>
Thu Nov 2 11:02:20 2006 : Auth: Login incorrect: [user1/somepass] (from<BR>
client dialup port 13)<BR>
Thu Nov 2 11:02:20 2006 : Auth: Login incorrect: [user1/somepass] (from<BR>
client dialup port 13)<BR>
<BR>
We're using FreeRadius' mysql support for authentication, and I'm<BR>
absolutely positive that part is working fine. It even creates accounting<BR>
data in the database.<BR>
<BR>
This is what we have in the users file:<BR>
<BR>
DEFAULT Framed-Protocol == PPP, Simultaneous-Use == 1<BR>
Framed-Protocol = PPP,<BR>
Framed-Compression = Van-Jacobson-TCP-IP<BR>
<BR>
and this is what radiusd.conf looks like without the comments:<BR>
<BR>
prefix = /usr<BR>
exec_prefix = /usr<BR>
sysconfdir = /etc<BR>
localstatedir = /var<BR>
sbindir = ${exec_prefix}/sbin<BR>
logdir = /var/log/freeradius<BR>
raddbdir = /etc/freeradius<BR>
radacctdir = ${logdir}/radacct<BR>
confdir = ${raddbdir}<BR>
run_dir = ${localstatedir}/run/freeradius<BR>
log_file = ${logdir}/radius.log<BR>
libdir = /usr/lib/freeradius<BR>
pidfile = ${run_dir}/freeradius.pid<BR>
<BR>
user = freerad<BR>
group = freerad<BR>
<BR>
max_request_time = 30<BR>
delete_blocked_requests = no<BR>
cleanup_delay = 5<BR>
max_requests = 256<BR>
bind_address = *<BR>
port = 0<BR>
<BR>
hostname_lookups = no<BR>
allow_core_dumps = no<BR>
<BR>
regular_expressions = yes<BR>
extended_expressions = yes<BR>
<BR>
log_stripped_names = yes<BR>
log_auth = yes<BR>
log_auth_badpass = yes<BR>
log_auth_goodpass = yes<BR>
<BR>
usercollide = no<BR>
<BR>
lower_user = no<BR>
lower_pass = no<BR>
<BR>
nospace_user = after<BR>
nospace_pass = after<BR>
<BR>
checkrad = ${sbindir}/checkrad<BR>
<BR>
security {<BR>
max_attributes = 200<BR>
reject_delay = 1<BR>
status_server = no<BR>
}<BR>
<BR>
proxy_requests = off<BR>
$INCLUDE ${confdir}/proxy.conf<BR>
<BR>
# proxy.conf has:<BR>
# realm LOCAL {<BR>
# type = radius<BR>
# authhost = LOCAL<BR>
# accthost = LOCAL<BR>
#}<BR>
<BR>
$INCLUDE ${confdir}/clients.conf<BR>
<BR>
# clients.conf has:<BR>
# client XXX.XXX.XXX.XXX {<BR>
# secret = XXXXXX<BR>
# nastype = cisco<BR>
# shortname = dialup<BR>
#}<BR>
<BR>
$INCLUDE ${confdir}/snmp.conf<BR>
<BR>
# snmp.conf has nothing.<BR>
<BR>
snmp = no<BR>
<BR>
thread pool {<BR>
start_servers = 5<BR>
max_servers = 32<BR>
min_spare_servers = 3<BR>
max_spare_servers = 10<BR>
max_requests_per_server = 0<BR>
}<BR>
<BR>
modules {<BR>
pap {<BR>
encryption_scheme = crypt<BR>
}<BR>
<BR>
chap {<BR>
authtype = CHAP<BR>
}<BR>
<BR>
pam {<BR>
pam_auth = radiusd<BR>
}<BR>
<BR>
unix {<BR>
cache = no<BR>
cache_reload = 600<BR>
shadow = /etc/shadow<BR>
radwtmp = ${logdir}/radwtmp<BR>
}<BR>
<BR>
$INCLUDE ${confdir}/eap.conf<BR>
<BR>
# eap.conf has:<BR>
# eap {<BR>
# default_eap_type = md5<BR>
# timer_expire = 60<BR>
# ignore_unknown_eap_types = no<BR>
# cisco_accounting_username_bug = no<BR>
#<BR>
# md5 {<BR>
# }<BR>
#<BR>
# leap {<BR>
# }<BR>
#<BR>
# gtc {<BR>
# auth_type = PAP<BR>
# }<BR>
#<BR>
# mschapv2 {<BR>
# }<BR>
# }<BR>
<BR>
mschap {<BR>
authtype = MS-CHAP<BR>
}<BR>
<BR>
realm suffix {<BR>
format = suffix<BR>
delimiter = "@"<BR>
ignore_default = no<BR>
ignore_null = no<BR>
}<BR>
<BR>
checkval {<BR>
item-name = Calling-Station-Id<BR>
check-name = Calling-Station-Id<BR>
data-type = string<BR>
}<BR>
<BR>
preprocess {<BR>
huntgroups = ${confdir}/huntgroups<BR>
hints = ${confdir}/hints<BR>
with_ascend_hack = no<BR>
ascend_channels_per_line = 23<BR>
with_ntdomain_hack = no<BR>
with_specialix_jetstream_hack = no<BR>
with_cisco_vsa_hack = no<BR>
}<BR>
<BR>
files {<BR>
usersfile = ${confdir}/users<BR>
acctusersfile = ${confdir}/acct_users<BR>
compat = no<BR>
}<BR>
<BR>
detail {<BR>
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d<BR>
detailperm = 0600<BR>
}<BR>
<BR>
acct_unique {<BR>
key = "User-Name, Acct-Session-Id, NAS-IP-Address,<BR>
Client-IP-Address, NAS-Port"<BR>
}<BR>
<BR>
$INCLUDE ${confdir}/sql.conf<BR>
<BR>
# sql.conf has:<BR>
#<BR>
#sql {<BR>
#<BR>
# driver = "rlm_sql_mysql"<BR>
# server = "localhost"<BR>
# login = "XXXXXX"<BR>
# radius_db = "XXXXXX"<BR>
# password = "XXXXXX"<BR>
# acct_table1 = "radacct"<BR>
# acct_table2 = "radacct"<BR>
# postauth_table = "radpostauth"<BR>
# authcheck_table = "radcheck"<BR>
# authreply_table = "radreply"<BR>
# groupcheck_table = "radgroupcheck"<BR>
# groupreply_table = "radgroupreply"<BR>
# usergroup_table = "usergroup"<BR>
# deletestalesessions = yes<BR>
# sqltrace = yes<BR>
# sqltracefile = /var/log/freeradius/sqltrace.sql<BR>
# num_sql_socks = 5<BR>
# connect_failure_retry_delay = 60<BR>
# safe-characters =<BR>
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"<BR>
# sql_user_name = "%{User-Name}"<BR>
#<BR>
# authorize_check_query = "SELECT id,UserName,Attribute,Value,op<BR>
FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"<BR>
# authorize_reply_query = "SELECT id,UserName,Attribute,Value,op<BR>
FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"<BR>
# authorize_group_check_query = "SELECT<BR>
${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op<BR>
FROM ${groupcheck_table},${usergroup_table} WHERE<BR>
${usergroup_table}.Username = '%{SQL-User-Name}' AND<BR>
${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY<BR>
${groupcheck_table}.id"<BR>
# authorize_group_reply_query = "SELECT<BR>
${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op<BR>
FROM ${groupreply_table},${usergroup_table} WHERE<BR>
${usergroup_table}.Username = '%{SQL-User-Name}' AND<BR>
${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY<BR>
${groupreply_table}.id"<BR>
# accounting_onoff_query = "UPDATE ${acct_table1} SET<BR>
AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') -<BR>
unix_timestamp(AcctStartTime),<BR>
AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay =<BR>
'%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND<BR>
NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"<BR>
#<BR>
# accounting_update_query = "UPDATE ${acct_table1} \<BR>
# SET FramedIPAddress = '%{Framed-IP-Address}', \<BR>
# AcctSessionTime = '%{Acct-Session-Time}', \<BR>
# AcctInputOctets = '%{Acct-Input-Octets}', \<BR>
# AcctOutputOctets = '%{Acct-Output-Octets}' \<BR>
# WHERE AcctSessionId = '%{Acct-Session-Id}' \<BR>
# AND UserName = '%{SQL-User-Name}' \<BR>
# AND NASIPAddress= '%{NAS-IP-Address}'"<BR>
#<BR>
# accounting_update_query_alt = "INSERT into ${acct_table1}<BR>
(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,<BR>
NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic,<BR>
ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId,<BR>
CallingStationId, ServiceType, FramedProtocol, FramedIPAddress,<BR>
AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',<BR>
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',<BR>
'%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} +<BR>
%{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}',<BR>
'%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}',<BR>
'%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}',<BR>
'%{Framed-Protocol}', '%{Framed-IP-Address}', '0')"<BR>
# accounting_start_query = "INSERT into ${acct_table1}<BR>
(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,<BR>
NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,<BR>
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,<BR>
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,<BR>
FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)<BR>
values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',<BR>
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',<BR>
'%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}',<BR>
'%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}',<BR>
'%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}',<BR>
'%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"<BR>
# accounting_start_query_alt = "UPDATE ${acct_table1} SET<BR>
AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}',<BR>
ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId =<BR>
'%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress =<BR>
'%{NAS-IP-Address}'"<BR>
# accounting_stop_query = "UPDATE ${acct_table2} SET AcctStopTime =<BR>
'%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets =<BR>
'%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}',<BR>
AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay =<BR>
'%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE<BR>
AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND<BR>
NASIPAddress = '%{NAS-IP-Address}'"<BR>
# accounting_stop_query_alt = "INSERT into ${acct_table2}<BR>
(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,<BR>
NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,<BR>
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,<BR>
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,<BR>
FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)<BR>
values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',<BR>
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',<BR>
'%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} +<BR>
%{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}',<BR>
'%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}',<BR>
'%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}',<BR>
'%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}',<BR>
'%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')"<BR>
# simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE<BR>
UserName='%{SQL-User-Name}' AND AcctStopTime = 0"<BR>
# simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName,<BR>
NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol<BR>
FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime =<BR>
0"<BR>
# group_membership_query = "SELECT GroupName FROM<BR>
${usergroup_table} WHERE UserName='%{SQL-User-Name}'"<BR>
# postauth_query = "INSERT into ${postauth_table} (id, user, pass,<BR>
reply, date) values ('', '%{User-Name}',<BR>
'%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"<BR>
#<BR>
#}<BR>
<BR>
radutmp {<BR>
filename = ${logdir}/radutmp<BR>
username = %{User-Name}<BR>
case_sensitive = yes<BR>
check_with_nas = yes<BR>
perm = 0600<BR>
callerid = "yes"<BR>
}<BR>
<BR>
radutmp sradutmp {<BR>
filename = ${logdir}/sradutmp<BR>
perm = 0644<BR>
callerid = "no"<BR>
}<BR>
<BR>
attr_filter {<BR>
attrsfile = ${confdir}/attrs<BR>
}<BR>
<BR>
counter daily {<BR>
filename = ${raddbdir}/db.daily<BR>
key = User-Name<BR>
count-attribute = Acct-Session-Time<BR>
reset = daily<BR>
counter-name = Daily-Session-Time<BR>
check-name = Max-Daily-Session<BR>
allowed-servicetype = Framed-User<BR>
cache-size = 5000<BR>
}<BR>
<BR>
always fail {<BR>
rcode = fail<BR>
}<BR>
<BR>
always reject {<BR>
rcode = reject<BR>
}<BR>
<BR>
always ok {<BR>
rcode = ok<BR>
simulcount = 0<BR>
mpp = no<BR>
}<BR>
<BR>
expr {<BR>
}<BR>
<BR>
digest {<BR>
}<BR>
<BR>
exec {<BR>
wait = yes<BR>
input_pairs = request<BR>
}<BR>
<BR>
exec echo {<BR>
wait = yes<BR>
program = "/bin/echo %{User-Name}"<BR>
input_pairs = request<BR>
output_pairs = reply<BR>
}<BR>
<BR>
ippool main_pool {<BR>
range-start = 192.168.1.1<BR>
range-stop = 192.168.3.254<BR>
netmask = 255.255.255.0<BR>
cache-size = 800<BR>
session-db = ${raddbdir}/db.ippool<BR>
ip-index = ${raddbdir}/db.ipindex<BR>
override = no<BR>
maximum-timeout = 0<BR>
}<BR>
}<BR>
<BR>
instantiate {<BR>
exec<BR>
expr<BR>
}<BR>
<BR>
authorize {<BR>
preprocess<BR>
sql<BR>
}<BR>
<BR>
<BR>
<BR>
authenticate {<BR>
Auth-Type PAP {<BR>
pap<BR>
}<BR>
<BR>
Auth-Type CHAP {<BR>
chap<BR>
}<BR>
<BR>
Auth-Type MS-CHAP {<BR>
mschap<BR>
}<BR>
}<BR>
<BR>
<BR>
preacct {<BR>
preprocess<BR>
suffix<BR>
}<BR>
<BR>
accounting {<BR>
detail<BR>
radutmp<BR>
sql<BR>
}<BR>
<BR>
session {<BR>
sql<BR>
}<BR>
<BR>
post-auth {<BR>
}<BR>
<BR>
pre-proxy {<BR>
}<BR>
<BR>
post-proxy {<BR>
eap<BR>
}<BR>
<BR>
## END OF CONFIG ##<BR>
<BR>
If you've actually gotten this far, I salute you. :)<BR>
<BR>
-<BR>
List info/subscribe/unsubscribe? See <A HREF="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</A><BR>
<BR>
</FONT>
</P>
</BODY>
</HTML>