Hello again.<br><br><div class="gmail_quote">On Thu, Feb 19, 2009 at 7:16 PM, <span dir="ltr"><<a href="mailto:tnt@kalik.net">tnt@kalik.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">>FreeRADIUS doesn't authenticate with MySQL, so it uses other ways like EAP,<br>
>PAP and others.<br>
><br>
>I had edited the users file in the attribute Auth-Type with various<br>
>values: Local, EAP, PAP, System...<br>
><br>
<br>
</div>Why? All the freeradius documentation says that you *shouldn't* force<br>
the Auth-Type.<br>
<div class="Ih2E3d"><br>
>As you see, the user juanpal authenticate with mysql but the next step stop<br>
>him<br>
><br>
>My user file has this:<br>
><br>
>DEFAULT Auth-Type := Local, Crypt-password = User-Password<br>
> Fall-Through = yes<br>
<br>
</div>Delete that. Follow the sql howto from the wiki.<br>
<br>
Ivan Kalik<br>
Kalik Informatika ISP<br>
<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</blockquote></div><br>I didn't force any authentication; I left the users file at its default. When I tried to log in I got this:<br><br>rad_recv: Access-Request packet from host 127.0.0.1 port 32769, id=4, length=212<br>
Vendor-14559-Attr-8 = 0x312e302e3132<br> User-Name = "juanpal"<br> User-Password = "juanpal"<br> NAS-IP-Address = 192.168.181.1<br> Service-Type = Login-User<br> Framed-IP-Address = 192.168.181.2<br>
Calling-Station-Id = "08-00-27-0A-F7-67"<br> Called-Station-Id = "08-00-27-C0-08-85"<br> NAS-Identifier = "nas01"<br> Acct-Session-Id = "499e664400000001"<br>
NAS-Port-Type = Wireless-802.11<br> NAS-Port = 1<br> WISPr-Logoff-URL = "<a href="http://192.168.181.1:3990/logoff">http://192.168.181.1:3990/logoff</a>"<br> Message-Authenticator = 0x158efa3c2616f5104a2401d082f73222<br>
+- entering group authorize<br>++[preprocess] returns ok<br> expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20090220<br>
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20090220<br> expand: %t -> Fri Feb 20 03:14:15 2009<br>
++[auth_log] returns ok<br> expand: %{Realm} -><br>++[attr_filter] returns noop<br>++[chap] returns noop<br>++[mschap] returns noop<br> rlm_realm: No '@' in User-Name = "juanpal", looking up realm NULL<br>
rlm_realm: No such realm "NULL"<br>++[suffix] returns noop<br> rlm_eap: No EAP-Message, not doing EAP<br>++[eap] returns noop<br>++[files] returns noop<br> expand: %{User-Name} -> juanpal<br>rlm_sql (sql): sql_set_user escaped user --> 'juanpal'<br>
rlm_sql (sql): Reserving sql socket id: 1<br> expand: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'juanpal' ORDER BY id<br>
rlm_sql (sql): User found in radcheck table<br> expand: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'juanpal' ORDER BY id<br>
expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE UserName='juanpal'<br>rlm_sql (sql): Released sql socket id: 1<br>++[sql] returns ok<br>
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user<br>auth: Failed to validate the user.<br>Login incorrect: [juanpal/juanpal] (from client localhost port 1 cli 08-00-27-0A-F7-67)<br>
Delaying reject of request 2 for 1 seconds<br>Going to the next request<br>Waking up in 0.8 seconds.<br>Sending delayed reject for request 2<br>Sending Access-Reject of id 4 to 127.0.0.1 port 32769<br> Session-Timeout := 2400<br>
Waking up in 4.9 seconds.<br>Cleaning up request 2 ID 4 with timestamp +169<br>Ready to process requests.<br><br><br><br>Now, the users file at its default: <br><br>#<br># Please read the documentation file ../doc/processing_users_file,<br>
# or 'man 5 users' (after installing the server) for more information.<br>#<br># This file contains authentication security and configuration<br># information for each user. Accounting requests are NOT processed<br>
# through this file. Instead, see 'acct_users', in this directory.<br>#<br># The first field is the user's name and can be up to<br># 253 characters in length. This is followed (on the same line) with<br>
# the list of authentication requirements for that user. This can<br># include password, comm server name, comm server port number, protocol<br># type (perhaps set by the "hints" file), and huntgroup name (set by<br>
# the "huntgroups" file).<br>#<br># If you are not sure why a particular reply is being sent by the<br># server, then run the server in debugging mode (radiusd -X), and<br># you will see which entries in this file are matched.<br>
#<br># When an authentication request is received from the comm server,<br># these values are tested. Only the first match is used unless the<br># "Fall-Through" variable is set to "Yes".<br>
#<br># A special user named "DEFAULT" matches on all usernames.<br># You can have several DEFAULT entries. All entries are processed<br># in the order they appear in this file. The first entry that<br>
# matches the login-request will stop processing unless you use<br># the Fall-Through variable.<br>#<br># If you use the database support to turn this file into a .db or .dbm<br># file, the DEFAULT entries _have_ to be at the end of this file and<br>
# you can't have multiple entries for one username.<br>#<br># Indented (with the tab character) lines following the first<br># line indicate the configuration values to be passed back to<br># the comm server to allow the initiation of a user session.<br>
# This can include things like the PPP configuration values<br># or the host to log the user onto.<br>#<br># You can include another `users' file with `$INCLUDE users.other'<br>#<br><br>#<br># For a list of RADIUS attributes, and links to their definitions,<br>
# see:<br>#<br># <a href="http://www.freeradius.org/rfc/attributes.html">http://www.freeradius.org/rfc/attributes.html</a><br>#<br><br>#<br># Deny access for a specific user. Note that this entry MUST<br># be before any other 'Auth-Type' attribute which results in the user<br>
# being authenticated.<br>#<br># Note that there is NO 'Fall-Through' attribute, so the user will not<br># be given any additional resources.<br>#<br>#lameuser Auth-Type := Reject<br># Reply-Message = "Your account has been disabled."<br>
<br>#<br># Deny access for a group of users.<br>#<br># Note that there is NO 'Fall-Through' attribute, so the user will not<br># be given any additional resources.<br>#<br>#DEFAULT Group == "disabled", Auth-Type := Reject<br>
# Reply-Message = "Your account has been disabled."<br>#<br><br>#<br># This is a complete entry for "steve". Note that there is no Fall-Through<br># entry so that no DEFAULT entry will be used, and the user will NOT<br>
# get any attributes in addition to the ones listed here.<br>#<br>#steve Cleartext-Password := "testing"<br># Service-Type = Framed-User,<br># Framed-Protocol = PPP,<br># Framed-IP-Address = 172.16.3.33,<br>
# Framed-IP-Netmask = 255.255.255.0,<br># Framed-Routing = Broadcast-Listen,<br># Framed-Filter-Id = "std.ppp",<br># Framed-MTU = 1500,<br># Framed-Compression = Van-Jacobsen-TCP-IP<br>
<br>#<br># This is an entry for a user with a space in their name.<br># Note the double quotes surrounding the name.<br>#<br>#"John Doe" Cleartext-Password := "hello"<br># Reply-Message = "Hello, %{User-Name}"<br>
<br>#<br># Dial user back and telnet to the default host for that port<br>#<br>#Deg Cleartext-Password := "ge55ged"<br># Service-Type = Callback-Login-User,<br># Login-IP-Host = 0.0.0.0,<br># Callback-Number = "9,5551212",<br>
# Login-Service = Telnet,<br># Login-TCP-Port = Telnet<br><br>#<br># Another complete entry. After the user "dialbk" has logged in, the<br># connection will be broken and the user will be dialed back after which<br>
# he will get a connection to the host "timeshare1".<br>#<br>#dialbk Cleartext-Password := "callme"<br># Service-Type = Callback-Login-User,<br># Login-IP-Host = timeshare1,<br># Login-Service = PortMaster,<br>
# Callback-Number = "9,1-800-555-1212"<br><br>#<br># user "swilson" will only get a static IP number if he logs in with<br># a framed protocol on a terminal server in Alphen (see the huntgroups file).<br>
#<br># Note that by setting "Fall-Through", other attributes will be added from<br># the following DEFAULT entries<br>#<br>#swilson Service-Type == Framed-User, Huntgroup-Name == "alphen"<br># Framed-IP-Address = 192.168.1.65,<br>
# Fall-Through = Yes<br><br>#<br># If the user logs in as 'username.shell', then authenticate them<br># using the default method, give them shell access, and stop processing<br># the rest of the file.<br>
#<br>#DEFAULT Suffix == ".shell"<br># Service-Type = Login-User,<br># Login-Service = Telnet,<br># Login-IP-Host = your.shell.machine<br><br><br>#<br># The rest of this file contains the several DEFAULT entries.<br>
# DEFAULT entries match with all login names.<br># Note that DEFAULT entries can also Fall-Through (see first entry).<br># A name-value pair from a DEFAULT entry will _NEVER_ override<br># an already existing name-value pair.<br>
#<br><br>#<br># Set up different IP address pools for the terminal servers.<br># Note that the "+" behind the IP address means that this is the "base"<br># IP address. The Port-Id (S0, S1 etc) will be added to it.<br>
#<br>#DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen"<br># Framed-IP-Address = 192.168.1.32+,<br># Fall-Through = Yes<br><br>#DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft"<br>
# Framed-IP-Address = 192.168.2.32+,<br># Fall-Through = Yes<br><br>#<br># Sample defaults for all framed connections.<br>#<br>#DEFAULT Service-Type == Framed-User<br># Framed-IP-Address = 255.255.255.254,<br>
# Framed-MTU = 576,<br># Service-Type = Framed-User,<br># Fall-Through = Yes<br><br>#<br># Default for PPP: dynamic IP address, PPP mode, VJ-compression.<br># NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected<br>
# by the terminal server in which case there may not be a "P" suffix.<br># The terminal server sends "Framed-Protocol = PPP" for auto PPP.<br>#<br>DEFAULT Framed-Protocol == PPP<br> Framed-Protocol = PPP,<br>
Framed-Compression = Van-Jacobson-TCP-IP<br><br>#<br># Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.<br>#<br>DEFAULT Hint == "CSLIP"<br> Framed-Protocol = SLIP,<br> Framed-Compression = Van-Jacobson-TCP-IP<br>
<br>#<br># Default for SLIP: dynamic IP address, SLIP mode.<br>#<br>DEFAULT Hint == "SLIP"<br> Framed-Protocol = SLIP<br><br>#<br># Last default: rlogin to our main server.<br>#<br>#DEFAULT<br># Service-Type = Login-User,<br>
# Login-Service = Rlogin,<br># Login-IP-Host = shellbox.ispdomain.com<br><br># #<br># # Last default: shell on the local terminal server.<br># #<br># DEFAULT<br># Service-Type = Administrative-User<br>
<br># On no match, the user is denied access.<br><br>Thanks<br><br><br><br clear="all"><br>-- <br>Juan Pablo Botero<br>Computer Systems Administrator<br><a href="http://jpill.wordpress.com">http://jpill.wordpress.com</a><br>
eSSuX: <a href="http://slcolombia.org/eSSuX">http://slcolombia.org/eSSuX</a><br>Linux Registered user #435293<br>
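In the radiusd -X trace above, the authorize section ends at sql and no `++[pap]` line ever appears, so after sql returns the radcheck items there is no module left to set Auth-Type := PAP. The script below is an added example, not from the original post or from the FreeRADIUS project: it parses the `++[module] returns rc` lines of a 2.x authorize trace and explains a "No authenticate method" reject. It assumes the 2.x rlm_pap warning text for the second case (pap present but no usable password attribute), and the sample trace is constructed from the lines quoted in this thread.

```python
import re

# Constructed sample: the authorize-section lines from the radiusd -X output
# quoted in this thread, trimmed to the lines the diagnosis needs.
SAMPLE_DEBUG = """\
+- entering group authorize
++[preprocess] returns ok
++[auth_log] returns ok
++[attr_filter] returns noop
++[chap] returns noop
++[mschap] returns noop
++[suffix] returns noop
++[eap] returns noop
++[files] returns noop
rlm_sql (sql): User found in radcheck table
++[sql] returns ok
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
"""

MODULE_RE = re.compile(r"^\+\+\[(?P<mod>[\w-]+)\] returns (?P<rc>\w+)$")
NO_AUTH_TYPE = "No authenticate method (Auth-Type) configuration found"
SQL_HIT = "User found in radcheck table"
# Assumed 2.x rlm_pap warning when it runs but finds no Cleartext-/Crypt-Password item
PAP_NO_PASSWORD = 'No "known good" password found for the user'

def parse_authorize(debug: str) -> list[tuple[str, str]]:
    """Return (module, return-code) pairs in the order authorize called them."""
    pairs = []
    for line in debug.splitlines():
        m = MODULE_RE.match(line.strip())
        if m:
            pairs.append((m.group("mod"), m.group("rc")))
    return pairs

def diagnose(debug: str) -> list[str]:
    """Explain a 'No authenticate method' reject from an authorize trace."""
    if NO_AUTH_TYPE not in debug:
        return []
    ran = [mod for mod, _ in parse_authorize(debug)]
    findings = []
    if "sql" in ran and SQL_HIT in debug and "pap" not in ran:
        findings.append("sql returned check items but pap never ran in authorize, so "
                        "nothing could set Auth-Type := PAP; list 'pap' last in authorize")
    elif "pap" in ran and PAP_NO_PASSWORD in debug:
        findings.append("pap ran but found no usable password check item; the radcheck "
                        "row probably needs 'Cleartext-Password' with op ':='")
    if "sql" not in ran:
        findings.append("sql is not listed in authorize, so radcheck was never queried")
    return findings
```

Running `diagnose(SAMPLE_DEBUG)` on the quoted trace reports only the missing pap module; the other two branches cover the neighbouring misconfigurations the sql howto warns about.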