<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7235.2">
<TITLE> No authenticate method using Mysql</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<BR>
<P><FONT SIZE=2>Hello,<BR>
<BR>
I am trying to use mysql and Freeradius for AAA. The communication between freeradius and mysql server seems OK, since Freeradius is getting the clients from radclients table.<BR>
When I do a test from the command line:<BR>
<BR>
"radtest user1 pass localhost 1812 shared"<BR>
<BR>
I got the output:<BR>
<BR>
"rad_recv: Access-Request packet from host 127.0.0.1 port 56962, id=152, length=57<BR>
User-Name = "user1"<BR>
User-Password = "pass"<BR>
NAS-IP-Address = 127.0.1.1<BR>
NAS-Port = 1812<BR>
Mon Feb 16 17:22:09 2009 : Info: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user<BR>
Mon Feb 16 17:22:09 2009 : Info: Failed to authenticate the user.<BR>
Mon Feb 16 17:22:09 2009 : Info: Using Post-Auth-Type Reject<BR>
Mon Feb 16 17:22:09 2009 : Debug: WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.<BR>
Mon Feb 16 17:22:09 2009 : Info: Delaying reject of request 1 for 1 seconds<BR>
Mon Feb 16 17:22:09 2009 : Debug: Going to the next request<BR>
Mon Feb 16 17:22:09 2009 : Debug: Waking up in 0.9 seconds.<BR>
Mon Feb 16 17:22:11 2009 : Info: Sending delayed reject for request 1<BR>
Sending Access-Reject of id 152 to 127.0.0.1 port 56962<BR>
Mon Feb 16 17:22:11 2009 : Debug: Waking up in 4.9 seconds.<BR>
"<BR>
Following is my configuration file (please note that this is only the file in sites-available dir, not radiusd.conf):<BR>
<BR>
"######################################################################<BR>
#<BR>
# As of 2.0.0, FreeRADIUS supports virtual hosts using the<BR>
# "server" section, and configuration directives.<BR>
#<BR>
# Virtual hosts should be put into the "sites-available"<BR>
# directory. Soft links should be created in the "sites-enabled"<BR>
# directory to these files. This is done in a normal installation.<BR>
#<BR>
# $Id$<BR>
#<BR>
######################################################################<BR>
#<BR>
# Read "man radiusd" before editing this file. See the section<BR>
# titled DEBUGGING. It outlines a method where you can quickly<BR>
# obtain the configuration you want, without running into<BR>
# trouble. See also "man unlang", which documents the format<BR>
# of this file.<BR>
#<BR>
# This configuration is designed to work in the widest possible<BR>
# set of circumstances, with the widest possible number of<BR>
# authentication methods. This means that in general, you should<BR>
# need to make very few changes to this file.<BR>
#<BR>
# The best way to configure the server for your local system<BR>
# is to CAREFULLY edit this file. Most attempts to make large<BR>
# edits to this file will BREAK THE SERVER. Any edits should<BR>
# be small, and tested by running the server with "radiusd -X".<BR>
# Once the edits have been verified to work, save a copy of these<BR>
# configuration files somewhere. (e.g. as a "tar" file). Then,<BR>
# make more edits, and test, as above.<BR>
#<BR>
# There are many "commented out" references to modules such<BR>
# as ldap, sql, etc. These references serve as place-holders.<BR>
# If you need the functionality of that module, then configure<BR>
# it in radiusd.conf, and un-comment the references to it in<BR>
# this file. In most cases, those small changes will result<BR>
# in the server being able to connect to the DB, and to<BR>
# authenticate users.<BR>
#<BR>
######################################################################<BR>
<BR>
<BR>
server intelitiva.com {<BR>
#<BR>
# In 1.x, the "authorize", etc. sections were global in<BR>
# radiusd.conf. As of 2.0, they SHOULD be in a server section.<BR>
#<BR>
# The server section with no virtual server name is the "default"<BR>
# section. It is used when no server name is specified.<BR>
#<BR>
# We don't indent the rest of this file, because doing so<BR>
# would make it harder to read.<BR>
#<BR>
<BR>
# Authorization. First preprocess (hints and huntgroups files),<BR>
# then realms, and finally look in the "users" file.<BR>
#<BR>
# The order of the realm modules will determine the order that<BR>
# we try to find a matching realm.<BR>
#<BR>
# Make *sure* that 'preprocess' comes before any realm if you<BR>
# need to setup hints for the remote radius server<BR>
authorize {<BR>
#<BR>
# The preprocess module takes care of sanitizing some bizarre<BR>
# attributes in the request, and turning them into attributes<BR>
# which are more standard.<BR>
#<BR>
# It takes care of processing the 'raddb/hints' and the<BR>
# 'raddb/huntgroups' files.<BR>
#<BR>
# It also adds the %{Client-IP-Address} attribute to the request.<BR>
preprocess<BR>
<BR>
#<BR>
# If you want to have a log of authentication requests,<BR>
# un-comment the following line, and the 'detail auth_log'<BR>
# section, above.<BR>
#auth_log<BR>
<BR>
#<BR>
# The chap module will set 'Auth-Type := CHAP' if we are<BR>
# handling a CHAP request and Auth-Type has not already been set<BR>
chap<BR>
<BR>
#<BR>
# If the users are logging in with an MS-CHAP-Challenge<BR>
# attribute for authentication, the mschap module will find<BR>
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'<BR>
# to the request, which will cause the server to then use<BR>
# the mschap module for authentication.<BR>
mschap<BR>
<BR>
#<BR>
# If you have a Cisco SIP server authenticating against<BR>
# FreeRADIUS, uncomment the following line, and the 'digest'<BR>
# line in the 'authenticate' section.<BR>
# digest<BR>
<BR>
#<BR>
# Look for IPASS style 'realm/', and if not found, look for<BR>
# '@realm', and decide whether or not to proxy, based on<BR>
# that.<BR>
# IPASS<BR>
<BR>
#<BR>
# If you are using multiple kinds of realms, you probably<BR>
# want to set "ignore_null = yes" for all of them.<BR>
# Otherwise, when the first style of realm doesn't match,<BR>
# the other styles won't be checked.<BR>
#<BR>
# suffix<BR>
# ntdomain<BR>
<BR>
#<BR>
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP<BR>
# authentication.<BR>
#<BR>
# It also sets the EAP-Type attribute in the request<BR>
# attribute list to the EAP type from the packet.<BR>
#<BR>
# As of 2.0, the EAP module returns "ok" in the authorize stage<BR>
# for TTLS and PEAP. In 1.x, it never returned "ok" here, so<BR>
# this change is compatible with older configurations.<BR>
#<BR>
# The example below uses module failover to avoid querying all<BR>
# of the following modules if the EAP module returns "ok".<BR>
# Therefore, your LDAP and/or SQL servers will not be queried<BR>
# for the many packets that go back and forth to set up TTLS<BR>
# or PEAP. The load on those servers will therefore be reduced.<BR>
#<BR>
# eap {<BR>
# ok = return<BR>
# }<BR>
<BR>
#<BR>
# Look in an SQL database. The schema of the database<BR>
# is meant to mirror the "users" file.<BR>
#<BR>
# See "Authorization Queries" in sql.conf<BR>
sql<BR>
<BR>
#<BR>
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,<BR>
# using the system API's to get the password. If you want<BR>
# to read /etc/passwd or /etc/shadow directly, see the<BR>
# passwd module in radiusd.conf.<BR>
#<BR>
# unix<BR>
<BR>
#<BR>
# Read the 'users' file<BR>
# files<BR>
<BR>
#<BR>
# If you are using /etc/smbpasswd, and are also doing<BR>
# mschap authentication, then un-comment this line, and<BR>
# configure the 'etc_smbpasswd' module, above.<BR>
# etc_smbpasswd<BR>
<BR>
#<BR>
# The ldap module will set Auth-Type to LDAP if it has not<BR>
# already been set<BR>
# ldap<BR>
<BR>
#<BR>
# Enforce daily limits on time spent logged in.<BR>
# daily<BR>
<BR>
#<BR>
# Use the checkval module<BR>
# checkval<BR>
<BR>
# expiration<BR>
# logintime<BR>
<BR>
#<BR>
# If no other module has claimed responsibility for<BR>
# authentication, then try to use PAP. This allows the<BR>
# other modules listed above to add a "known good" password<BR>
# to the request, and to do nothing else. The PAP module<BR>
# will then see that password, and use it to do PAP<BR>
# authentication.<BR>
#<BR>
# This module should be listed last, so that the other modules<BR>
# get a chance to set Auth-Type for themselves.<BR>
#<BR>
# pap<BR>
<BR>
#<BR>
# If "status_server = yes", then Status-Server messages are passed<BR>
# through the following section, and ONLY the following section.<BR>
# This permits you to do DB queries, for example. If the modules<BR>
# listed here return "fail", then NO response is sent.<BR>
#<BR>
# Autz-Type Status-Server {<BR>
#<BR>
# }<BR>
}<BR>
<BR>
<BR>
# Authentication.<BR>
#<BR>
#<BR>
# This section lists which modules are available for authentication.<BR>
# Note that it does NOT mean 'try each module in order'. It means<BR>
# that a module from the 'authorize' section adds a configuration<BR>
# attribute 'Auth-Type := FOO'. That authentication type is then<BR>
# used to pick the appropriate module from the list below.<BR>
#<BR>
<BR>
# In general, you SHOULD NOT set the Auth-Type attribute. The server<BR>
# will figure it out on its own, and will do the right thing. The<BR>
# most common side effect of erroneously setting the Auth-Type<BR>
# attribute is that one authentication method will work, but the<BR>
# others will not.<BR>
#<BR>
# The common reasons to set the Auth-Type attribute by hand<BR>
# is to either forcibly reject the user (Auth-Type := Reject),<BR>
# or to forcibly accept the user (Auth-Type := Accept).<BR>
#<BR>
# Note that Auth-Type := Accept will NOT work with EAP.<BR>
#<BR>
# Please do not put "unlang" configurations into the "authenticate"<BR>
# section. Put them in the "post-auth" section instead. That's what<BR>
# the post-auth section is for.<BR>
#<BR>
authenticate {<BR>
<BR>
#<BR>
# PAP authentication, when a back-end database listed<BR>
# in the 'authorize' section supplies a password. The<BR>
# password can be clear-text, or encrypted.<BR>
Auth-Type PAP {<BR>
pap<BR>
}<BR>
<BR>
#<BR>
# Most people want CHAP authentication<BR>
# A back-end database listed in the 'authorize' section<BR>
# MUST supply a CLEAR TEXT password. Encrypted passwords<BR>
# won't work.<BR>
Auth-Type CHAP {<BR>
chap<BR>
}<BR>
<BR>
#<BR>
# MSCHAP authentication.<BR>
Auth-Type MS-CHAP {<BR>
mschap<BR>
}<BR>
<BR>
#<BR>
# If you have a Cisco SIP server authenticating against<BR>
# FreeRADIUS, uncomment the following line, and the 'digest'<BR>
# line in the 'authorize' section.<BR>
# digest<BR>
<BR>
#<BR>
# Pluggable Authentication Modules.<BR>
# pam<BR>
<BR>
#<BR>
# See 'man getpwent' for information on how the 'unix'<BR>
# module checks the users password. Note that packets<BR>
# containing CHAP-Password attributes CANNOT be authenticated<BR>
# against /etc/passwd! See the FAQ for details.<BR>
#<BR>
# unix<BR>
<BR>
# Uncomment it if you want to use ldap for authentication<BR>
#<BR>
# Note that this means "check plain-text password against<BR>
# the ldap database", which means that EAP won't work,<BR>
# as it does not supply a plain-text password.<BR>
# Auth-Type LDAP {<BR>
# ldap<BR>
# }<BR>
<BR>
#<BR>
# Allow EAP authentication.<BR>
# eap<BR>
}<BR>
<BR>
<BR>
#<BR>
# Pre-accounting. Decide which accounting type to use.<BR>
#<BR>
preacct {<BR>
preprocess<BR>
<BR>
#<BR>
# Ensure that we have a semi-unique identifier for every<BR>
# request, and many NAS boxes are broken.<BR>
acct_unique<BR>
<BR>
#<BR>
# Look for IPASS-style 'realm/', and if not found, look for<BR>
# '@realm', and decide whether or not to proxy, based on<BR>
# that.<BR>
#<BR>
# Accounting requests are generally proxied to the same<BR>
# home server as authentication requests.<BR>
# IPASS<BR>
suffix<BR>
# ntdomain<BR>
<BR>
#<BR>
# Read the 'acct_users' file<BR>
files<BR>
}<BR>
<BR>
#<BR>
# Accounting. Log the accounting data.<BR>
#<BR>
accounting {<BR>
#<BR>
# Create a 'detail'ed log of the packets.<BR>
# Note that accounting requests which are proxied<BR>
# are also logged in the detail file.<BR>
detail<BR>
# daily<BR>
<BR>
# Update the wtmp file<BR>
#<BR>
# If you don't use "radlast", you can delete this line.<BR>
unix<BR>
<BR>
#<BR>
# For Simultaneous-Use tracking.<BR>
#<BR>
# Due to packet losses in the network, the data here<BR>
# may be incorrect. There is little we can do about it.<BR>
radutmp<BR>
# sradutmp<BR>
<BR>
# Return an address to the IP Pool when we see a stop record.<BR>
# main_pool<BR>
<BR>
#<BR>
# Log traffic to an SQL database.<BR>
#<BR>
# See "Accounting queries" in sql.conf<BR>
sql<BR>
<BR>
#<BR>
# Instead of sending the query to the SQL server,<BR>
# write it into a log file.<BR>
#<BR>
# sql_log<BR>
<BR>
# Cisco VoIP specific bulk accounting<BR>
# pgsql-voip<BR>
<BR>
# Filter attributes from the accounting response.<BR>
attr_filter.accounting_response<BR>
<BR>
#<BR>
# See "Autz-Type Status-Server" for how this works.<BR>
#<BR>
# Acct-Type Status-Server {<BR>
#<BR>
# }<BR>
}<BR>
<BR>
<BR>
# Session database, used for checking Simultaneous-Use. Either the radutmp<BR>
# or rlm_sql module can handle this.<BR>
# The rlm_sql module is *much* faster<BR>
session {<BR>
radutmp<BR>
<BR>
#<BR>
# See "Simultaneous Use Checking Queries" in sql.conf<BR>
sql<BR>
}<BR>
<BR>
<BR>
# Post-Authentication<BR>
# Once we KNOW that the user has been authenticated, there are<BR>
# additional steps we can take.<BR>
post-auth {<BR>
# Get an address from the IP Pool.<BR>
# main_pool<BR>
<BR>
#<BR>
# If you want to have a log of authentication replies,<BR>
# un-comment the following line, and the 'detail reply_log'<BR>
# section, above.<BR>
# reply_log<BR>
<BR>
#<BR>
# After authenticating the user, do another SQL query.<BR>
#<BR>
# See "Authentication Logging Queries" in sql.conf<BR>
sql<BR>
<BR>
#<BR>
# Instead of sending the query to the SQL server,<BR>
# write it into a log file.<BR>
#<BR>
# sql_log<BR>
<BR>
#<BR>
# Un-comment the following if you have set<BR>
# 'edir_account_policy_check = yes' in the ldap module sub-section of<BR>
# the 'modules' section.<BR>
#<BR>
# ldap<BR>
<BR>
exec<BR>
<BR>
#<BR>
# Access-Reject packets are sent through the REJECT sub-section of the<BR>
# post-auth section.<BR>
#<BR>
# Add the ldap module name (or instance) if you have set<BR>
# 'edir_account_policy_check = yes' in the ldap module configuration<BR>
#<BR>
Post-Auth-Type REJECT {<BR>
attr_filter.access_reject<BR>
}<BR>
}<BR>
<BR>
#<BR>
# When the server decides to proxy a request to a home server,<BR>
# the proxied request is first passed through the pre-proxy<BR>
# stage. This stage can re-write the request, or decide to<BR>
# cancel the proxy.<BR>
#<BR>
# Only a few modules currently have this method.<BR>
#<BR>
pre-proxy {<BR>
# attr_rewrite<BR>
<BR>
# Uncomment the following line if you want to change attributes<BR>
# as defined in the preproxy_users file.<BR>
# files<BR>
<BR>
# Uncomment the following line if you want to filter requests<BR>
# sent to remote servers based on the rules defined in the<BR>
# 'attrs.pre-proxy' file.<BR>
# attr_filter.pre-proxy<BR>
<BR>
# If you want to have a log of packets proxied to a home<BR>
# server, un-comment the following line, and the<BR>
# 'detail pre_proxy_log' section, above.<BR>
# pre_proxy_log<BR>
}<BR>
<BR>
#<BR>
# When the server receives a reply to a request it proxied<BR>
# to a home server, the request may be massaged here, in the<BR>
# post-proxy stage.<BR>
#<BR>
post-proxy {<BR>
<BR>
# If you want to have a log of replies from a home server,<BR>
# un-comment the following line, and the 'detail post_proxy_log'<BR>
# section, above.<BR>
# post_proxy_log<BR>
<BR>
# attr_rewrite<BR>
<BR>
# Uncomment the following line if you want to filter replies from<BR>
# remote proxies based on the rules defined in the 'attrs' file.<BR>
# attr_filter.post-proxy<BR>
<BR>
#<BR>
# If you are proxying LEAP, you MUST configure the EAP<BR>
# module, and you MUST list it here, in the post-proxy<BR>
# stage.<BR>
#<BR>
# You MUST also use the 'nostrip' option in the 'realm'<BR>
# configuration. Otherwise, the User-Name attribute<BR>
# in the proxied request will not match the user name<BR>
# hidden inside of the EAP packet, and the end server will<BR>
# reject the EAP request.<BR>
#<BR>
eap<BR>
<BR>
#<BR>
# If the server tries to proxy a request and fails, then the<BR>
# request is processed through the modules in this section.<BR>
#<BR>
# The main use of this section is to permit robust proxying<BR>
# of accounting packets. The server can be configured to<BR>
# proxy accounting packets as part of normal processing.<BR>
# Then, if the home server goes down, accounting packets can<BR>
# be logged to a local "detail" file, for processing with<BR>
# radrelay. When the home server comes back up, radrelay<BR>
# will read the detail file, and send the packets to the<BR>
# home server.<BR>
#<BR>
# With this configuration, the server always responds to<BR>
# Accounting-Requests from the NAS, but only writes<BR>
# accounting packets to disk if the home server is down.<BR>
#<BR>
# Post-Proxy-Type Fail {<BR>
# detail<BR>
# }<BR>
<BR>
}<BR>
<BR>
}"<BR>
<BR>
Any ideas?<BR>
<BR>
Thanks in advance,<BR>
Pedro Mazzoni<BR>
</FONT>
</P>
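<P><FONT SIZE=2>Added example, not part of the original post and not FreeRADIUS code: a small check that reads a virtual-server file the way the comments in the posted file describe it (a module in "authorize" sets Auth-Type, and "authenticate" then picks the matching Auth-Type block) and reports why a request carrying only User-Password ends in "No authenticate method (Auth-Type) configuration found". The module-to-attribute table is a simplified model drawn from those comments, POSTED is a constructed reduction of the posted sections, and the function names are hypothetical.</FONT></P>
<PRE>
```python
# Simplified model from the posted file's comments: attribute -> Auth-Type per module.
SETS_AUTH_TYPE = {"chap": ("CHAP-Password", "CHAP"),
                  "mschap": ("MS-CHAP-Challenge", "MS-CHAP"),
                  "pap": ("User-Password", "PAP")}

# Constructed sample: active lines of the posted authorize/authenticate sections.
POSTED = """
server intelitiva.com {
authorize {
    chap
    mschap
    sql
#   pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
}
}
"""

def parse_sections(text):
    """Map each section path (server wrapper dropped) to its active module lines."""
    sections, stack = {}, []
    key = lambda: "/".join(s for s in stack if not s.startswith("server "))
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # commented-out modules are inactive
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            sections.setdefault(key(), [])
        elif line == "}":
            stack.pop()
        elif line:
            sections.setdefault(key(), []).append(line)
    return sections

def resolve_auth_type(config_text, request_attrs):
    """Return (auth_type, problem); problem is None when a handler exists."""
    sections = parse_sections(config_text)
    auth_type = next((SETS_AUTH_TYPE[m][1] for m in sections.get("authorize", [])
                      if m in SETS_AUTH_TYPE and SETS_AUTH_TYPE[m][0] in request_attrs), None)
    if auth_type is None:
        return None, "no module in authorize sets Auth-Type for this request"
    if f"authenticate/Auth-Type {auth_type}" not in sections:
        return auth_type, f"authenticate has no Auth-Type {auth_type} block"
    return auth_type, None
```
</PRE>
<P><FONT SIZE=2>Run against the radtest request above (User-Name and User-Password only), the check reports that nothing in "authorize" sets Auth-Type; with the "pap" line un-commented in "authorize" it resolves to the existing "Auth-Type PAP" block.</FONT></P>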
</BODY>
</HTML>