On Mon, Jul 16, 2012 at 2:33 PM, alan buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=3, length=162 User-Name = "0015c5537baa" User-Password = "0015c5537baa"
note those 2 lines - the USer-Name is the MAC address in that format. the passwors is the same.
[eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request:
so, you havent got any module configured for this request - either in users file, or SQL et (in fact, you arent even calling SQL - so if the SQL is all set up, then its not being used....edit your default virtual server to enable SQL functionality..and the dialup.conf with appropriate settings).
quick test
put this at the top of the 'users' file and restart the server
0015c5537baa Cleartext-Password := "0015c5537baa" Tunnel-Type:0 = VLAN, Tunnel-Medium-Type:0 = IEEE-802, Tunnel-Private-Group-Id:0 = "3", Tunnel-Preference = 0x000000
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Poking around in the radiusd.conf file I checked the section modules which looks like this: [...] # MODULE CONFIGURATION # # The names and configuration of each module is located in this section. # # After the modules are defined here, they may be referred to by name, # in other sections of this configuration file. # modules { # # Each module has a configuration as follows: # # name [ instance ] { # config_item = value # ... # } # # The 'name' is used to load the 'rlm_name' library # which implements the functionality of the module. # # The 'instance' is optional. To have two different instances # of a module, it first must be referred to by 'name'. # The different copies of the module are then created by # inventing two 'instance' names, e.g. 'instance1' and 'instance2' # # The instance names can then be used in later configuration # INSTEAD of the original 'name'. See the 'radutmp' configuration # for an example. # # # As of 2.0.5, most of the module configurations are in a # sub-directory. Files matching the regex /[a-zA-Z0-9_.]+/ # are loaded. The modules are initialized ONLY if they are # referenced in a processing section, such as authorize, # authenticate, accounting, pre/post-proxy, etc. # $INCLUDE ${confdir}/modules/ # Extensible Authentication Protocol # # For all EAP related authentications. # Now in another file, because it is very large. # $INCLUDE eap.conf # Include another file that has the SQL-related configuration. # This is another file only because it tends to be big. # $INCLUDE sql.conf # # This module is an SQL enabled version of the counter module. # # Rather than maintaining seperate (GDBM) databases of # accounting info for each counter, this module uses the data # stored in the raddacct table by the sql modules. This # module NEVER does any database INSERTs or UPDATEs. It is # totally dependent on the SQL module to process Accounting # packets. # # $INCLUDE sql/mysql/counter.conf # # IP addresses managed in an SQL table. # # $INCLUDE sqlippool.conf } [...] The modules look like so: raddb]# ls modules/ acct_unique counter dynamic_clients files mac2vlan pap realm unix always cui echo inner-eap mschap passwd smbpasswd wimax attr_filter detail etc_group ippool ntlm_auth perl smsotp attr_rewrite detail.example.com exec linelog opendirectory policy sqlcounter_expire_on_login chap detail.log expiration logintime otp preprocess sql_log checkval digest expr mac2ip pam radutmp sradutmp I don't see a mysql module in there. By placing the entry you suggested at the top of the /etc/raddb/users file and restarting the server I got this: Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=104, length=162 User-Name = "0015c5537baa" User-Password = "0015c5537baa" Service-Type = Call-Check Framed-MTU = 1500 Called-Station-Id = "00-1B-8F-60-AB-8D" Calling-Station-Id = "00-15-C5-53-7B-AA" Message-Authenticator = 0x8a054d90202217a1e4d81aa3e5e61f2f NAS-Identifier = "1" NAS-Port-Type = Ethernet NAS-Port = 50013 NAS-Port-Id = "GigabitEthernet0/13" NAS-IP-Address = 10.0.0.1 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "0015c5537baa", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 0015c5537baa attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 104 to 10.0.0.1 port 1645 Waking up in 4.9 seconds. Cleaning up request 0 ID 104 with timestamp +13 Ready to process requests. I am assuming that "Tunnel-Private-Group-Id:0 = "3"," means VLAN 3?? If so I should change it to 20 as that's what has been configured on the switch! Regards, Kaya