<div dir="ltr">Hi,<div><br></div><div><span style="font-family:arial,sans-serif;font-size:13px">"If you check rad client from remote machine the case will be different."</span><br></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">I have binded my Radius client ip and port in clients.conf and in radiusd.conf.</span></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">My radius server and client is present in two different PCs. Will that be a prob?</span></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Now in debug mode log looks like this: </span></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><div style><font face="arial, sans-serif">Cleaning up request 33 ID 108 with timestamp 541fd188</font></div><div style><font face="arial, sans-serif">Nothing to do. Sleeping until we see a request.</font></div><div style><font face="arial, sans-serif">rad_recv: Access-Request packet from host <a href="http://10.253.6.11:1645">10.253.6.11:1645</a>, id=1, length=53</font></div><div style><font face="arial, sans-serif"> NAS-IP-Address = 11.6.253.10</font></div><div style><font face="arial, sans-serif"> User-Name = "raduser"</font></div><div style><font face="arial, sans-serif"> User-Password = "k\014%\220\2779\213\203\307\030\222\364\004qM\223"</font></div><div style><font face="arial, sans-serif"> Processing the authorize section of radiusd.conf</font></div><div style><font face="arial, sans-serif">modcall: entering group authorize for request 34</font></div><div style><font face="arial, sans-serif"> modcall[authorize]: module "preprocess" returns ok for request 34</font></div><div style><font face="arial, sans-serif">radius_xlat: '../var/log/radius/radacct/<a href="http://10.253.6.11/auth-detail-20140922.log">10.253.6.11/auth-detail-20140922.log</a>'</font></div><div style><font face="arial, sans-serif">rlm_detail: ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/<a href="http://10.253.6.11/auth-detail-20140922.l">10.253.6.11/auth-detail-20140922.l</a></font></div><div style><font face="arial, sans-serif"> modcall[authorize]: module "auth_log" returns ok for request 34</font></div><div style><font face="arial, sans-serif"> modcall[authorize]: module "chap" returns noop for request 34</font></div><div style><font face="arial, sans-serif"> modcall[authorize]: module "mschap" returns noop for request 34</font></div><div style><font face="arial, sans-serif"> rlm_realm: No '@' in User-Name = "raduser", looking up realm NULL</font></div><div style><font face="arial, sans-serif"> rlm_realm: No such realm "NULL"</font></div><div style><font face="arial, sans-serif"> modcall[authorize]: module "suffix" returns noop for request 34</font></div><div style><font face="arial, sans-serif"> rlm_eap: No EAP-Message, not doing EAP</font></div><div style><font face="arial, sans-serif"> modcall[authorize]: module "eap" returns noop for request 34</font></div><div style><font face="arial, sans-serif"> users: Matched entry DEFAULT at line 170</font></div><div style><font face="arial, sans-serif"> modcall[authorize]: module "files" returns ok for request 34</font></div><div style><font face="arial, sans-serif">rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.</font></div><div style><font face="arial, sans-serif"> modcall[authorize]: module "pap" returns noop for request 34</font></div><div style><font face="arial, sans-serif">modcall: leaving group authorize (returns ok) for request 34</font></div><div style><font face="arial, sans-serif"> rad_check_password: Found Auth-Type System</font></div><div style><font face="arial, sans-serif">auth: type "System"</font></div><div style><font face="arial, sans-serif"> ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.</font></div><div style><font face="arial, sans-serif">auth: Failed to validate the user.</font></div><div style><font face="arial, sans-serif">Login incorrect: [raduser/k\014%\220\2779\213\203\307\030\222\364\004qM\223] (from client private-network-3 port 0)</font></div><div style><font face="arial, sans-serif"> WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS!</font></div><div style><font face="arial, sans-serif">Delaying request 34 for 1 seconds</font></div><div style><font face="arial, sans-serif">Finished request 34</font></div><div style><font face="arial, sans-serif">Going to the next request</font></div><div style><font face="arial, sans-serif">--- Walking the entire request list ---</font></div><div style><font face="arial, sans-serif">Waking up in 1 seconds...</font></div><div style><font face="arial, sans-serif">--- Walking the entire request list ---</font></div><div style><font face="arial, sans-serif">Waking up in 1 seconds...</font></div><div style><font face="arial, sans-serif">--- Walking the entire request list ---</font></div><div style><font face="arial, sans-serif">Sending Access-Reject of id 1 to 10.253.6.11 port 1645</font></div><div style><font face="arial, sans-serif">Waking up in 4 seconds...</font></div><div style><font face="arial, sans-serif">rad_recv: Access-Request packet from host <a href="http://10.253.6.11:1645">10.253.6.11:1645</a>, id=1, length=53</font></div><div style><font face="arial, sans-serif">Sending duplicate reply to client private-network-3:1645 - ID: 1</font></div><div style><font face="arial, sans-serif">Re-sending Access-Reject of id 1 to 10.253.6.11 port 1645</font></div><div style><font face="arial, sans-serif">--- Walking the entire request list ---</font></div><div style><font face="arial, sans-serif">Waking up in 3 seconds...</font></div><div style><font face="arial, sans-serif">--- Walking the entire request list ---</font></div><div style><font face="arial, sans-serif">Cleaning up request 34 ID 1 with timestamp 541fd3a6</font></div><div style><font face="arial, sans-serif">Nothing to do. Sleeping until we see a request.</font></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div><span style="font-family:arial,sans-serif;font-size:13px">Thanks,</span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Kavya</span></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 22, 2014 at 1:57 PM, <span dir="ltr"><<a href="mailto:freeradius-users-request@lists.freeradius.org" target="_blank">freeradius-users-request@lists.freeradius.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send Freeradius-Users mailing list submissions to<br>
<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="http://lists.freeradius.org/mailman/listinfo/freeradius-users" target="_blank">http://lists.freeradius.org/mailman/listinfo/freeradius-users</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:freeradius-users-request@lists.freeradius.org">freeradius-users-request@lists.freeradius.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:freeradius-users-owner@lists.freeradius.org">freeradius-users-owner@lists.freeradius.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of Freeradius-Users digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: Beginner need help (Himanshu Pandey) (KAVYA PRABHAKAR)<br>
2. Re: Beginner need help (Himanshu Pandey) (Amit Linux)<br>
3. 3.0.4: proxy-to-vserver and proxied post-auth? (Stefan Winter)<br>
4. Re: Beginner need help (Himanshu Pandey) (<a href="mailto:A.L.M.Buxey@lboro.ac.uk">A.L.M.Buxey@lboro.ac.uk</a>)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Mon, 22 Sep 2014 13:10:54 +0530<br>
From: KAVYA PRABHAKAR <<a href="mailto:kavyamelinmaneprabhakar@gmail.com">kavyamelinmaneprabhakar@gmail.com</a>><br>
To: <a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a><br>
Subject: Re: Beginner need help (Himanshu Pandey)<br>
Message-ID:<br>
<CANpdVrz8yFuvUP55vtjdiX0hBRq6RQQ5wajb94LsJ=-<a href="mailto:2XWHYxw@mail.gmail.com">2XWHYxw@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hi,<br>
<br>
I am beginner. I installed Freeradius in my windows PC.<br>
With default configuration it works as expected.<br>
<br>
Now I have a RADIUS client which will send request to server and I want<br>
server to authenticate the same.<br>
<br>
I should be changing users.conf<br>
<br>
raduser User-Password == "Password"<br>
where User-name = "raduser" and Password = "Password"<br>
<br>
I will have to change clients.conf as well.<br>
<br>
client <ipaddr/mask>{<br>
secret = secret<br>
shortname = client name # what is the significance of shortname<br>
}<br>
<br>
In radiusd.conf, I have changed to which Ip and port RADIUS server has to<br>
listen to. (optional)<br>
<br>
After doing respective changes, I will execute following command:<br>
<br>
radtest raduser Password 10.253.6.11 1812 Password<br>
<br>
The result is as follows:<br>
<br>
C:\FreeRADIUS.net\bin>radclient.exe -d ..\etc\raddb -f radtest.txt -x -s<br>
127.1 au<br>
th testing123<br>
Sending Access-Request of id 108 to 127.0.0.1 port 1812<br>
User-Name = "testuser"<br>
User-Password = "testpw"<br>
NAS-IP-Address = 127.0.0.1<br>
NAS-Port = 123<br>
rad_recv: Access-Accept packet from host <a href="http://127.0.0.1:1812" target="_blank">127.0.0.1:1812</a>, id=108, length=20<br>
<br>
Total approved auths: 1<br>
Total denied auths: 0<br>
Total lost auths: 0<br>
<br>
Here I would like to know why am I getting reply from 127.0.0.1 when I have<br>
explicitly asked to receive from 10.253.6.11<br>
<br>
PFA the debug log.<br>
<br>
Thanks in advance,<br>
Kavya<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140922/f9c75785/attachment-0001.html" target="_blank">http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140922/f9c75785/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Mon, 22 Sep 2014 13:40:23 +0530<br>
From: Amit Linux <<a href="mailto:amitbutere64@gmail.com">amitbutere64@gmail.com</a>><br>
To: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>
Subject: Re: Beginner need help (Himanshu Pandey)<br>
Message-ID: <<a href="mailto:1A3C9BD9-2C19-419E-9A8D-2C7FD6DF5ABD@gmail.com">1A3C9BD9-2C19-419E-9A8D-2C7FD6DF5ABD@gmail.com</a>><br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
Hi Kavya,<br>
<br>
You can bind radius on specific ip to have response from particular ip.<br>
If you check rad client from remote machine the case will be different.<br>
<br>
Regards<br>
Amit B.<br>
HTH<br>
Sent from my iPhone<br>
<br>
> On 22-Sep-2014, at 13:10, KAVYA PRABHAKAR <<a href="mailto:kavyamelinmaneprabhakar@gmail.com">kavyamelinmaneprabhakar@gmail.com</a>> wrote:<br>
><br>
> Hi,<br>
><br>
> I am beginner. I installed Freeradius in my windows PC.<br>
> With default configuration it works as expected.<br>
><br>
> Now I have a RADIUS client which will send request to server and I want server to authenticate the same.<br>
><br>
> I should be changing users.conf<br>
><br>
> raduser User-Password == "Password"<br>
> where User-name = "raduser" and Password = "Password"<br>
><br>
> I will have to change clients.conf as well.<br>
><br>
> client <ipaddr/mask>{<br>
> secret = secret<br>
> shortname = client name # what is the significance of shortname<br>
> }<br>
><br>
> In radiusd.conf, I have changed to which Ip and port RADIUS server has to listen to. (optional)<br>
><br>
> After doing respective changes, I will execute following command:<br>
><br>
> radtest raduser Password 10.253.6.11 1812 Password<br>
><br>
> The result is as follows:<br>
><br>
> C:\FreeRADIUS.net\bin>radclient.exe -d ..\etc\raddb -f radtest.txt -x -s 127.1 au<br>
> th testing123<br>
> Sending Access-Request of id 108 to 127.0.0.1 port 1812<br>
> User-Name = "testuser"<br>
> User-Password = "testpw"<br>
> NAS-IP-Address = 127.0.0.1<br>
> NAS-Port = 123<br>
> rad_recv: Access-Accept packet from host <a href="http://127.0.0.1:1812" target="_blank">127.0.0.1:1812</a>, id=108, length=20<br>
><br>
> Total approved auths: 1<br>
> Total denied auths: 0<br>
> Total lost auths: 0<br>
><br>
> Here I would like to know why am I getting reply from 127.0.0.1 when I have explicitly asked to receive from 10.253.6.11<br>
><br>
> PFA the debug log.<br>
><br>
> Thanks in advance,<br>
> Kavya<br>
> -<br>
> List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140922/ceed896b/attachment-0001.html" target="_blank">http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140922/ceed896b/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Mon, 22 Sep 2014 10:24:35 +0200<br>
From: Stefan Winter <<a href="mailto:stefan.winter@restena.lu">stefan.winter@restena.lu</a>><br>
To: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>
Subject: 3.0.4: proxy-to-vserver and proxied post-auth?<br>
Message-ID: <<a href="mailto:541FDCC3.8040602@restena.lu">541FDCC3.8040602@restena.lu</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hello,<br>
<br>
I've migrated almost all my virtual servers - but one - to 3.0.4.<br>
<br>
There's one thing which I had expected to work, but it doesn't, but I do<br>
recall some discussions around this on the list; but not what the final<br>
verdict was.<br>
<br>
My proxied-to vserver needs to do some stuff in post-auth. However it<br>
looks like post-auth is not actually called; instead, only the post-auth<br>
of the original vserver is.<br>
<br>
Is that desired/expected behaviour in 3.0.4?<br>
<br>
The symptoms of this boils down to these two lines:<br>
<br>
Debug: (55) modsingle[authenticate]: returned from pap (rlm_pap) for<br>
request 55<br>
Debug: (55) [pap] = ok<br>
Debug: (55) } # Auth-Type PAP = ok<br>
Debug: (55) Empty post-proxy section. Using default return values.<br>
Debug: (55) Found Auth-Type = Accept<br>
Debug: (55) Auth-Type = Accept, accepting the user<br>
Debug: (55) # Executing section post-auth from file<br>
/usr/local/freeradius/config/raddb/sites-enabled/AAI<br>
<br>
The PAP instance there is the one from the proxied-to vserver; must be,<br>
as it knows my password and the retrieval of that password is unique to<br>
the vserver in question.<br>
<br>
The next line speaks about empty post-proxy; that looks like the initial<br>
vserver kicks in right after authenticate { } with its PAP is finished.<br>
<br>
It then executes post-auth from the initial vserver, not the one from<br>
proxied-to (the proxied-to vserver is called "staff", not "AAI"). That's<br>
not helpful for my setup :-(<br>
<br>
So... just wondering if this is a bug or if I'm going to need a majorish<br>
rethink of my post-auth logic here...<br>
<br>
Greetings,<br>
<br>
Stefan Winter<br>
<br>
--<br>
Stefan WINTER<br>
Ingenieur de Recherche<br>
Fondation RESTENA - R?seau T?l?informatique de l'Education Nationale et<br>
de la Recherche<br>
6, rue Richard Coudenhove-Kalergi<br>
L-1359 Luxembourg<br>
<br>
Tel: +352 424409 1<br>
Fax: +352 422473<br>
<br>
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the<br>
recipient's key is known to me<br>
<br>
<a href="http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66" target="_blank">http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66</a><br>
-------------- next part --------------<br>
A non-text attachment was scrubbed...<br>
Name: 0x8A39DC66.asc<br>
Type: application/pgp-keys<br>
Size: 3243 bytes<br>
Desc: not available<br>
URL: <<a href="http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140922/31a29f11/attachment-0001.key" target="_blank">http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140922/31a29f11/attachment-0001.key</a>><br>
-------------- next part --------------<br>
A non-text attachment was scrubbed...<br>
Name: signature.asc<br>
Type: application/pgp-signature<br>
Size: 836 bytes<br>
Desc: OpenPGP digital signature<br>
URL: <<a href="http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140922/31a29f11/attachment-0001.pgp" target="_blank">http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140922/31a29f11/attachment-0001.pgp</a>><br>
<br>
------------------------------<br>
<br>
Message: 4<br>
Date: Mon, 22 Sep 2014 08:27:20 +0000<br>
From: <a href="mailto:A.L.M.Buxey@lboro.ac.uk">A.L.M.Buxey@lboro.ac.uk</a><br>
To: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>
Subject: Re: Beginner need help (Himanshu Pandey)<br>
Message-ID: <<a href="mailto:20140922082720.GA2282@lboro.ac.uk">20140922082720.GA2282@lboro.ac.uk</a>><br>
Content-Type: text/plain; charset=us-ascii<br>
<br>
Hi,<br>
<br>
> Here I would like to know why am I getting reply from 127.0.0.1 when I<br>
> have explicitly asked to receive from 10.253.6.11<br>
<br>
no you havent. you've just added 10.253.6.11 as a possible client. if you only want to<br>
receive from the interface/IP then change the listen directive in the config so that it<br>
doesnt listen on 127.0.0.1<br>
<br>
alan<br>
<br>
<br>
------------------------------<br>
<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
<br>
End of Freeradius-Users Digest, Vol 113, Issue 86<br>
*************************************************<br>
</blockquote></div><br></div>