Hi everybody We have been using freeradius to authenticate about 1000 network users for quite some years without any issues. Last week we experienced problems with one of the NAS our network providers use. Please be aware of the fact that we do not have direct influence on the configuration of this machine. While roughly 100 NASs use PAP for authentication against our LDAP-datastore getting an access accept, this NAS uses CHAP, leading radius to reject the request. In consequence the network users frequenting this NAS fall back on a more expensive means of connection, creating additional cost for us. In parallel to requesting the provider to fix this issue we are investigating now how to make LDAP work with CHAP. We followed FAQ to this link and others in this section http://wiki.freeradius.org/guide/FAQ#how-do-i_how-do-i-make-chap-work-with-l... but found no real clue. We recreated the scenario in our testing environment and one guess so far is : vt1radius:/etc/raddb # cat sites-enabled/vt1pppoe_localhost # WEINM 2015-01-21 : vt1pppoe login realization server vt1pppoe_login { # WEINM 2015-01-21 : listen on 1825, auth only no acct listen { type = auth ipaddr = 127.0.0.1 port = 1825 } authorize { ldap_vt1pppoe if ((ok || updated) && (User-Password || CHAP-Password)) { update { control:Auth-Type = LDAP } } } authenticate { Auth-Type LDAP { ldap } } } vt1radius:/etc/raddb # cat mods-enabled/ldap_vt1pppoe ldap ldap_vt1pppoe { server = 10.193.1.144 identity = "cn=admin,dc=lotto-rlp,dc=de" password = secret update { control:Password-With-Header += 'userPassword' control:Cleartext-Password := 'userPassword' } user { base_dn = "ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" } tls { start_tls = no } pool { # Number of connections to start start = 1 min = 1 max = ${thread[pool].max_servers} spare = 10 uses = 300 lifetime = 0 idle_timeout = 60 } } resulting to vt1radius:/etc/raddb/sites-enabled # radiusd -X radiusd: FreeRADIUS Version 3.0.3, for host x86_64-suse-linux-gnu, built on Dec 3 2014 at 10:31 Copyright (C) 1999-2014 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/ldap_dtag including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/ldap including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/ldap_vt1pppoe including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/ldap_ptlux including configuration file /etc/raddb/mods-enabled/ldap_arcor including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/operator-name including configuration file /etc/raddb/policy.d/control including configuration file /etc/raddb/policy.d/dhcp including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/policy.d/canonicalization including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/cui including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/ptlux_localhost including configuration file /etc/raddb/sites-enabled/dtag_localhost including configuration file /etc/raddb/sites-enabled/vt1pppoe_localhost including configuration file /etc/raddb/sites-enabled/arcor_localhost including configuration file /etc/raddb/sites-enabled/proxy_decode_realm main { security { allow_core_dumps = no } } main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 10 cleanup_delay = 2 max_requests = 30720 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no msg_denied = "You are already logged in - access denied" } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = "no" } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 5 max_outstanding = 65536 zombie_period = 20 status_check = "status-server" ping_interval = 30 check_interval = 7 num_answers_to_alive = 4 revive_interval = 300 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } } home_server dtag_localhost { ipaddr = 127.0.0.1 port = 1822 type = "auth" secret = <<< secret >>> response_window = 5 max_outstanding = 65536 zombie_period = 20 status_check = "status-server" ping_interval = 30 check_interval = 7 num_answers_to_alive = 4 revive_interval = 300 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } } home_server arcor_localhost { ipaddr = 127.0.0.1 port = 1823 type = "auth" secret = <<< secret >>> response_window = 5 max_outstanding = 65536 zombie_period = 20 status_check = "status-server" ping_interval = 30 check_interval = 7 num_answers_to_alive = 4 revive_interval = 300 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } } home_server ptlux_localhost { ipaddr = 127.0.0.1 port = 1824 type = "auth" secret = <<< secret >>> response_window = 5 max_outstanding = 65536 zombie_period = 20 status_check = "status-server" ping_interval = 30 check_interval = 7 num_answers_to_alive = 4 revive_interval = 300 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } } home_server vt1pppoe_localhost { ipaddr = 127.0.0.1 port = 1825 type = "auth" secret = <<< secret >>> response_window = 5 max_outstanding = 65536 zombie_period = 20 status_check = "status-server" ping_interval = 30 check_interval = 7 num_answers_to_alive = 4 revive_interval = 300 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } } home_server_pool dtag_pool { type = fail-over home_server = dtag_localhost } realm lotto-rlp { auth_pool = dtag_pool } home_server_pool arcor_pool { type = fail-over home_server = arcor_localhost } realm lotto-rlp.de { auth_pool = arcor_pool } home_server_pool ptlux_pool { type = fail-over home_server = ptlux_localhost } realm pt.lotto-rlp.de { auth_pool = ptlux_pool } home_server_pool vt1pppoe_pool { type = fail-over home_server = vt1pppoe_localhost } realm lotto-rlp.vt1 { auth_pool = vt1pppoe_pool } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> shortname = "localhost" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client vt1pppoe1 { ipaddr = 10.193.1.51 require_message_authenticator = no secret = <<< secret >>> shortname = "vt1pppoe1" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } radiusd: #### Instantiating modules #### # Loaded module rlm_ldap # Instantiating module "ldap_dtag" from file /etc/raddb/mods-enabled/ldap_dtag ldap ldap_dtag { server = "10.193.1.144" port = 389 password = <<< secret >>> identity = "cn=admin,dc=lotto-rlp,dc=de" user { filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" scope = "sub" base_dn = "ou=dtag-users,ou=radius,dc=lotto-rlp, dc=de" access_positive = yes } group { scope = "sub" base_dn = "" name_attribute = "cn" cacheable_name = no cacheable_dn = no } client { scope = "sub" base_dn = "" attribute { identifier = "host" shortname = "cn" } } profile { filter = "(&)" } options { ldap_debug = 0 net_timeout = 10 res_timeout = 20 srv_timelimit = 20 idle = 60 probes = 3 interval = 30 } tls { start_tls = no } } rlm_ldap (ldap_dtag): Couldn't find configuration for accounting, will return NOOP for calls from this section rlm_ldap (ldap_dtag): Couldn't find configuration for post-auth, will return NOOP for calls from this section rlm_ldap (ldap_dtag): Initialising connection pool pool { start = 1 min = 1 max = 130 spare = 10 uses = 300 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_ldap (ldap_dtag): Opening additional connection (0) rlm_ldap (ldap_dtag): Connecting to 10.193.1.144:389 rlm_ldap (ldap_dtag): Waiting for bind result... rlm_ldap (ldap_dtag): Bind successful # Loaded module rlm_exec # Instantiating module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_chap # Instantiating module "chap" from file /etc/raddb/mods-enabled/chap # Loaded module rlm_preprocess # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups" hints = "/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /etc/raddb/mods-config/preprocess/hints # Loaded module rlm_always # Instantiating module "reject" from file /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Instantiating module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Instantiating module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Instantiating module "handled" from file /etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Instantiating module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Instantiating module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap ldap { server = "10.193.1.144" port = 389 password = <<< secret >>> identity = "cn=admin,dc=lotto-rlp,dc=de" user { filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" scope = "sub" base_dn = "ou=dtag-users,ou=radius,dc=lotto-rlp, dc=de" access_positive = yes } group { scope = "sub" base_dn = "" name_attribute = "cn" cacheable_name = no cacheable_dn = no } client { scope = "sub" base_dn = "" attribute { identifier = "host" shortname = "cn" } } profile { filter = "(&)" } options { ldap_debug = 0 net_timeout = 10 res_timeout = 20 srv_timelimit = 20 idle = 60 probes = 3 interval = 30 } tls { start_tls = no } } rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section rlm_ldap (ldap): Initialising connection pool rlm_ldap (ldap): Opening additional connection (0) rlm_ldap (ldap): Connecting to 10.193.1.144:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (1) rlm_ldap (ldap): Connecting to 10.193.1.144:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (2) rlm_ldap (ldap): Connecting to 10.193.1.144:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (3) rlm_ldap (ldap): Connecting to 10.193.1.144:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (4) rlm_ldap (ldap): Connecting to 10.193.1.144:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful # Loaded module rlm_realm # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } # Instantiating module "ldap_vt1pppoe" from file /etc/raddb/mods-enabled/ldap_vt1pppoe ldap ldap_vt1pppoe { server = "10.193.1.144" port = 389 password = <<< secret >>> identity = "cn=admin,dc=lotto-rlp,dc=de" user { filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" scope = "sub" base_dn = "ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de" access_positive = yes } group { scope = "sub" base_dn = "" name_attribute = "cn" cacheable_name = no cacheable_dn = no } client { scope = "sub" base_dn = "" attribute { identifier = "host" shortname = "cn" } } profile { filter = "(&)" } options { ldap_debug = 0 net_timeout = 10 res_timeout = 20 srv_timelimit = 20 idle = 60 probes = 3 interval = 30 } tls { start_tls = no } } rlm_ldap (ldap_vt1pppoe): Couldn't find configuration for accounting, will return NOOP for calls from this section rlm_ldap (ldap_vt1pppoe): Couldn't find configuration for post-auth, will return NOOP for calls from this section rlm_ldap (ldap_vt1pppoe): Initialising connection pool pool { start = 1 min = 1 max = 130 spare = 10 uses = 300 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_ldap (ldap_vt1pppoe): Opening additional connection (0) rlm_ldap (ldap_vt1pppoe): Connecting to 10.193.1.144:389 rlm_ldap (ldap_vt1pppoe): Waiting for bind result... rlm_ldap (ldap_vt1pppoe): Bind successful # Loaded module rlm_expr # Instantiating module "expr" from file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } # Instantiating module "ldap_ptlux" from file /etc/raddb/mods-enabled/ldap_ptlux ldap ldap_ptlux { server = "10.193.1.144" port = 389 password = <<< secret >>> identity = "cn=admin,dc=lotto-rlp,dc=de" user { filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" scope = "sub" base_dn = "ou=ptlux-users,ou=radius,dc=lotto-rlp, dc=de" access_positive = yes } group { scope = "sub" base_dn = "" name_attribute = "cn" cacheable_name = no cacheable_dn = no } client { scope = "sub" base_dn = "" attribute { identifier = "host" shortname = "cn" } } profile { filter = "(&)" } options { ldap_debug = 0 net_timeout = 10 res_timeout = 20 srv_timelimit = 20 idle = 60 probes = 3 interval = 30 } tls { start_tls = no } } rlm_ldap (ldap_ptlux): Couldn't find configuration for accounting, will return NOOP for calls from this section rlm_ldap (ldap_ptlux): Couldn't find configuration for post-auth, will return NOOP for calls from this section rlm_ldap (ldap_ptlux): Initialising connection pool pool { start = 1 min = 1 max = 130 spare = 10 uses = 300 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_ldap (ldap_ptlux): Opening additional connection (0) rlm_ldap (ldap_ptlux): Connecting to 10.193.1.144:389 rlm_ldap (ldap_ptlux): Waiting for bind result... rlm_ldap (ldap_ptlux): Bind successful # Instantiating module "ldap_arcor" from file /etc/raddb/mods-enabled/ldap_arcor ldap ldap_arcor { server = "10.193.1.144" port = 389 password = <<< secret >>> identity = "cn=admin,dc=lotto-rlp,dc=de" user { filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" scope = "sub" base_dn = "ou=arcor-users,ou=radius,dc=lotto-rlp, dc=de" access_positive = yes } group { scope = "sub" base_dn = "" name_attribute = "cn" cacheable_name = no cacheable_dn = no } client { scope = "sub" base_dn = "" attribute { identifier = "host" shortname = "cn" } } profile { filter = "(&)" } options { ldap_debug = 0 net_timeout = 10 res_timeout = 20 srv_timelimit = 20 idle = 60 probes = 3 interval = 30 } tls { start_tls = no } } rlm_ldap (ldap_arcor): Couldn't find configuration for accounting, will return NOOP for calls from this section rlm_ldap (ldap_arcor): Couldn't find configuration for post-auth, will return NOOP for calls from this section rlm_ldap (ldap_arcor): Initialising connection pool pool { start = 1 min = 1 max = 130 spare = 10 uses = 300 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_ldap (ldap_arcor): Opening additional connection (0) rlm_ldap (ldap_arcor): Connecting to 10.193.1.144:389 rlm_ldap (ldap_arcor): Waiting for bind result... rlm_ldap (ldap_arcor): Bind successful radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server default { # from file /etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} } # server default server ptlux_login { # from file /etc/raddb/sites-enabled/ptlux_localhost # Creating Auth-Type = LDAP # Loading authenticate {...} # Loading authorize {...} } # server ptlux_login server dtag_login { # from file /etc/raddb/sites-enabled/dtag_localhost # Loading authenticate {...} # Loading authorize {...} # Loading post-auth {...} } # server dtag_login server vt1pppoe_login { # from file /etc/raddb/sites-enabled/vt1pppoe_localhost # Loading authenticate {...} # Loading authorize {...} } # server vt1pppoe_login server arcor_login { # from file /etc/raddb/sites-enabled/arcor_localhost # Loading authenticate {...} # Loading authorize {...} } # server arcor_login server decode_realm { # from file /etc/raddb/sites-enabled/proxy_decode_realm # Loading authorize {...} } # server decode_realm radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 127.0.0.1 port = 1824 } listen { type = "auth" ipaddr = 127.0.0.1 port = 1822 } listen { type = "auth" ipaddr = 127.0.0.1 port = 1825 } listen { type = "auth" ipaddr = 127.0.0.1 port = 1823 } listen { type = "auth" ipaddr = * port = 1812 } Listening on auth address 127.0.0.1 port 1824 as server ptlux_login Listening on auth address 127.0.0.1 port 1822 as server dtag_login Listening on auth address 127.0.0.1 port 1825 as server vt1pppoe_login Listening on auth address 127.0.0.1 port 1823 as server arcor_login Listening on auth address * port 1812 as server decode_realm Opening new proxy socket 'proxy address * port 0' Listening on proxy address * port 47272 Ready to process requests. A PAP request to this server gets accepted : client: vt1radius:/etc/raddb # echo "User-Name = 88078@lotto-rlp.vt1 , USER-Password = jWd53332J0jCtWu , Framed-Protocol = PPP" | radclient -r 1 -xs localhost:1812 auth testing123 Sending Access-Request Id 53 from 0.0.0.0:57005 to 127.0.0.1:1812 User-Name = '88078@lotto-rlp.vt1' User-Password = 'jWd53332J0jCtWu' Framed-Protocol = PPP Received Access-Accept Id 53 from 127.0.0.1:1812 to 127.0.0.1:57005 length 20 Packet summary: Access-Accepts : 1 Access-Rejects : 0 Lost : 0 Passed filter : 1 Failed filter : 0 server: Received Access-Request Id 53 from 127.0.0.1:57005 to 127.0.0.1:1812 length 65 User-Name = '88078@lotto-rlp.vt1' User-Password = 'jWd53332J0jCtWu' Framed-Protocol = PPP (0) # Executing section authorize from file /etc/raddb/sites-enabled/proxy_decode_realm (0) authorize { (0) filter_username filter_username { (0) if (User-Name != "%{tolower:%{User-Name}}") (0) EXPAND %{tolower:%{User-Name}} (0) --> 88078@lotto-rlp.vt1 (0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) if (User-Name =~ / /) (0) if (User-Name =~ / /) -> FALSE (0) if (User-Name =~ /@.*@/ ) (0) if (User-Name =~ /@.*@/ ) -> FALSE (0) if (User-Name =~ /\\.\\./ ) (0) if (User-Name =~ /\\.\\./ ) -> FALSE (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (User-Name =~ /\\.$/) (0) if (User-Name =~ /\\.$/) -> FALSE (0) if (User-Name =~ /@\\./) (0) if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) IPASS : No '/' in User-Name = "88078@lotto-rlp.vt1", looking up realm NULL (0) IPASS : No such realm "NULL" (0) [IPASS] = noop (0) suffix : Looking up realm "lotto-rlp.vt1" for User-Name = "88078@lotto-rlp.vt1" (0) suffix : Found realm "lotto-rlp.vt1" (0) suffix : Adding Stripped-User-Name = "88078" (0) suffix : Adding Realm = "lotto-rlp.vt1" (0) suffix : Proxying request from user 88078 to realm lotto-rlp.vt1 (0) suffix : Preparing to proxy authentication request to realm "lotto-rlp.vt1" (0) [suffix] = updated (0) } # authorize = updated (0) Proxying request to home server 127.0.0.1 port 1825 Sending Access-Request Id 121 from 0.0.0.0:47272 to 127.0.0.1:1825 User-Name = '88078' User-Password = 'jWd53332J0jCtWu' Framed-Protocol = PPP Service-Type = Framed-User NAS-IP-Address = 127.0.0.1 Message-Authenticator := 0x00 Proxy-State = 0x3533 Waking up in 0.3 seconds. Received Access-Request Id 121 from 127.0.0.1:47272 to 127.0.0.1:1825 length 85 User-Name = '88078' User-Password = 'jWd53332J0jCtWu' Framed-Protocol = PPP Service-Type = Framed-User NAS-IP-Address = 127.0.0.1 Message-Authenticator = 0xa02d25ed4e815243b4aea79c8c70682c Proxy-State = 0x3533 (1) # Executing section authorize from file /etc/raddb/sites-enabled/vt1pppoe_localhost (1) authorize { rlm_ldap (ldap_vt1pppoe): Reserved connection (0) (1) ldap_vt1pppoe : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap_vt1pppoe : --> (uid=88078) (1) ldap_vt1pppoe : EXPAND ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de (1) ldap_vt1pppoe : --> ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de (1) ldap_vt1pppoe : Performing search in 'ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de' with filter '(uid=88078)', scope 'sub' (1) ldap_vt1pppoe : Waiting for search result... (1) ldap_vt1pppoe : User object found at DN "uid=88078,ou=vt1pppoe-users,ou=radius,dc=lotto-rlp,dc=de" (1) ldap_vt1pppoe : Processing user attributes (1) ldap_vt1pppoe : control:Password-With-Header += ''jWd53332J0jCtWu'' (1) ldap_vt1pppoe : control:Cleartext-Password := ''jWd53332J0jCtWu'' rlm_ldap (ldap_vt1pppoe): Released connection (0) (1) [ldap_vt1pppoe] = ok (1) if ((ok || updated) && (User-Password || CHAP-Password)) (1) if ((ok || updated) && (User-Password || CHAP-Password)) -> TRUE (1) if ((ok || updated) && (User-Password || CHAP-Password)) { (1) update { (1) control:Auth-Type = LDAP (1) } # update = noop (1) } # if ((ok || updated) && (User-Password || CHAP-Password)) = noop (1) } # authorize = ok (1) Found Auth-Type = LDAP (1) # Executing group from file /etc/raddb/sites-enabled/vt1pppoe_localhost (1) Auth-Type LDAP { (1) ldap : Login attempt by "88078" rlm_ldap (ldap): Reserved connection (4) (1) ldap : Using user DN from request "uid=88078,ou=vt1pppoe-users,ou=radius,dc=lotto-rlp,dc=de" (1) ldap : Waiting for bind result... (1) ldap : Bind successful (1) ldap : Bind as user "uid=88078,ou=vt1pppoe-users,ou=radius,dc=lotto-rlp,dc=de" was successful rlm_ldap (ldap): Released connection (4) rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 92 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 92 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 92 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 92 seconds rlm_ldap (ldap): You probably need to lower "min" (1) [ldap] = ok (1) } # Auth-Type LDAP = ok (1) Login OK: [88078] (from client localhost port 0) Sending Access-Accept Id 121 from 127.0.0.1:1825 to 127.0.0.1:47272 Proxy-State = 0x3533 (1) Finished request Waking up in 0.3 seconds. Received Access-Accept Id 121 from 127.0.0.1:1825 to 127.0.0.1:47272 length 24 Proxy-State = 0x3533 (0) Found Auth-Type = Accept (0) Auth-Type = Accept, accepting the user (0) Login OK: [88078@lotto-rlp.vt1] (from client localhost port 0) Sending Access-Accept Id 53 from 127.0.0.1:1812 to 127.0.0.1:57005 (0) Finished request Waking up in 0.3 seconds. Waking up in 1.6 seconds. (1) Cleaning up request packet ID 121 with timestamp +92 (0) Cleaning up request packet ID 53 with timestamp +92 Ready to process requests. Doing the same with CHAP instead leads to a reject client: vt1radius:/etc/raddb # echo "User-Name = 88078@lotto-rlp.vt1 , CHAP-Password = jWd53332J0jCtWu , Framed-Protocol = PPP" | radclient -r 1 -xs localhost:1812 auth testing123 Sending Access-Request Id 12 from 0.0.0.0:57335 to 127.0.0.1:1812 User-Name = '88078@lotto-rlp.vt1' CHAP-Password = 0xb17a77b9f6401f7b06bb5e9f3e78351cac Framed-Protocol = PPP Received Access-Reject Id 12 from 127.0.0.1:1812 to 127.0.0.1:57335 length 20 (0) Expected Access-Accept got Access-Reject Packet summary: Access-Accepts : 0 Access-Rejects : 1 Lost : 0 Passed filter : 0 Failed filter : 1 server : Received Access-Request Id 12 from 127.0.0.1:57335 to 127.0.0.1:1812 length 66 User-Name = '88078@lotto-rlp.vt1' CHAP-Password = 0xb17a77b9f6401f7b06bb5e9f3e78351cac Framed-Protocol = PPP (2) # Executing section authorize from file /etc/raddb/sites-enabled/proxy_decode_realm (2) authorize { (2) filter_username filter_username { (2) if (User-Name != "%{tolower:%{User-Name}}") (2) EXPAND %{tolower:%{User-Name}} (2) --> 88078@lotto-rlp.vt1 (2) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (2) if (User-Name =~ / /) (2) if (User-Name =~ / /) -> FALSE (2) if (User-Name =~ /@.*@/ ) (2) if (User-Name =~ /@.*@/ ) -> FALSE (2) if (User-Name =~ /\\.\\./ ) (2) if (User-Name =~ /\\.\\./ ) -> FALSE (2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) if (User-Name =~ /\\.$/) (2) if (User-Name =~ /\\.$/) -> FALSE (2) if (User-Name =~ /@\\./) (2) if (User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) [preprocess] = ok (2) IPASS : No '/' in User-Name = "88078@lotto-rlp.vt1", looking up realm NULL (2) IPASS : No such realm "NULL" (2) [IPASS] = noop (2) suffix : Looking up realm "lotto-rlp.vt1" for User-Name = "88078@lotto-rlp.vt1" (2) suffix : Found realm "lotto-rlp.vt1" (2) suffix : Adding Stripped-User-Name = "88078" (2) suffix : Adding Realm = "lotto-rlp.vt1" (2) suffix : Proxying request from user 88078 to realm lotto-rlp.vt1 (2) suffix : Preparing to proxy authentication request to realm "lotto-rlp.vt1" (2) [suffix] = updated (2) } # authorize = updated (2) Proxying request to home server 127.0.0.1 port 1825 Sending Access-Request Id 95 from 0.0.0.0:47272 to 127.0.0.1:1825 User-Name = '88078' CHAP-Password = 0xb17a77b9f6401f7b06bb5e9f3e78351cac Framed-Protocol = PPP Service-Type = Framed-User NAS-IP-Address = 127.0.0.1 CHAP-Challenge = 0x52d88f63c38460ffbfb0f8d5c456c555 Message-Authenticator := 0x00 Proxy-State = 0x3132 Waking up in 0.3 seconds. Received Access-Request Id 95 from 127.0.0.1:47272 to 127.0.0.1:1825 length 104 User-Name = '88078' CHAP-Password = 0xb17a77b9f6401f7b06bb5e9f3e78351cac Framed-Protocol = PPP Service-Type = Framed-User NAS-IP-Address = 127.0.0.1 CHAP-Challenge = 0x52d88f63c38460ffbfb0f8d5c456c555 Message-Authenticator = 0x3b9362d72f7dcf5365986f984cda2d43 Proxy-State = 0x3132 (3) # Executing section authorize from file /etc/raddb/sites-enabled/vt1pppoe_localhost (3) authorize { rlm_ldap (ldap_vt1pppoe): Reserved connection (0) (3) ldap_vt1pppoe : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (3) ldap_vt1pppoe : --> (uid=88078) (3) ldap_vt1pppoe : EXPAND ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de (3) ldap_vt1pppoe : --> ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de (3) ldap_vt1pppoe : Performing search in 'ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de' with filter '(uid=88078)', scope 'sub' (3) ldap_vt1pppoe : Waiting for search result... (3) ldap_vt1pppoe : User object found at DN "uid=88078,ou=vt1pppoe-users,ou=radius,dc=lotto-rlp,dc=de" (3) ldap_vt1pppoe : Processing user attributes (3) ldap_vt1pppoe : control:Password-With-Header += ''jWd53332J0jCtWu'' (3) ldap_vt1pppoe : control:Cleartext-Password := ''jWd53332J0jCtWu'' rlm_ldap (ldap_vt1pppoe): Released connection (0) (3) [ldap_vt1pppoe] = ok (3) if ((ok || updated) && (User-Password || CHAP-Password)) (3) if ((ok || updated) && (User-Password || CHAP-Password)) -> TRUE (3) if ((ok || updated) && (User-Password || CHAP-Password)) { (3) update { (3) control:Auth-Type = LDAP (3) } # update = noop (3) } # if ((ok || updated) && (User-Password || CHAP-Password)) = noop (3) } # authorize = ok (3) Found Auth-Type = LDAP (3) # Executing group from file /etc/raddb/sites-enabled/vt1pppoe_localhost (3) Auth-Type LDAP { (3) WARNING: ldap : You have set "Auth-Type := LDAP" somewhere. (3) WARNING: ldap : ********************************************* (3) WARNING: ldap : * THAT CONFIGURATION IS WRONG. DELETE IT. (3) WARNING: ldap : * YOU ARE PREVENTING THE SERVER FROM WORKING. (3) WARNING: ldap : ********************************************* (3) ERROR: ldap : Attribute "User-Password" is required for authentication. (3) [ldap] = invalid (3) } # Auth-Type LDAP = invalid (3) Failed to authenticate the user. (3) Login incorrect (ldap: Attribute "User-Password" is required for authentication.): [88078] (from client localhost port 0) (3) Using Post-Auth-Type Reject (3) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.4 seconds. (2) Expecting proxy response no later than 5 seconds from now Waking up in 0.1 seconds. (3) Sending delayed response Sending Access-Reject Id 95 from 127.0.0.1:1825 to 127.0.0.1:47272 Proxy-State = 0x3132 Waking up in 0.9 seconds. Received Access-Reject Id 95 from 127.0.0.1:1825 to 127.0.0.1:47272 length 24 Proxy-State = 0x3132 (2) Login incorrect (Home Server says so): [88078@lotto-rlp.vt1] (from client localhost port 0) (2) Using Post-Auth-Type Reject (2) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (3) Cleaning up request packet ID 95 with timestamp +227 (2) Sending delayed response Sending Access-Reject Id 12 from 127.0.0.1:1812 to 127.0.0.1:57335 Waking up in 0.9 seconds. (2) Cleaning up request packet ID 12 with timestamp +227 Ready to process requests. Another line of approach is vt1radius:/etc/raddb/sites-enabled # cat vt1pppoe_localhost | grep "[a-z,A_Z,\}]" # WEINM 2015-01-21 : vt1pppoe login realization server vt1pppoe_login { # WEINM 2015-01-21 : listen on 1825, auth only no acct listen { type = auth ipaddr = 127.0.0.1 port = 1825 } authorize { ldap_vt1pppoe if ((ok || updated) && User-Password) { update { control:Auth-Type = LDAP } } if ((ok || updated) && CHAP-Password) { update { control:Auth-Type = CHAP } } } authenticate { Auth-Type LDAP { ldap } } } vt1radius:/etc/raddb/sites-enabled # radiusd -X radiusd: FreeRADIUS Version 3.0.3, for host x86_64-suse-linux-gnu, built on Dec 3 2014 at 10:31 Copyright (C) 1999-2014 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/ldap_dtag including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/ldap including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/ldap_vt1pppoe including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/ldap_ptlux including configuration file /etc/raddb/mods-enabled/ldap_arcor including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/operator-name including configuration file /etc/raddb/policy.d/control including configuration file /etc/raddb/policy.d/dhcp including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/policy.d/canonicalization including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/cui including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/ptlux_localhost including configuration file /etc/raddb/sites-enabled/dtag_localhost including configuration file /etc/raddb/sites-enabled/vt1pppoe_localhost including configuration file /etc/raddb/sites-enabled/arcor_localhost including configuration file /etc/raddb/sites-enabled/proxy_decode_realm main { security { allow_core_dumps = no } } main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 10 cleanup_delay = 2 max_requests = 30720 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no msg_denied = "You are already logged in - access denied" } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = "no" } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 5 max_outstanding = 65536 zombie_period = 20 status_check = "status-server" ping_interval = 30 check_interval = 7 num_answers_to_alive = 4 revive_interval = 300 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } } home_server dtag_localhost { ipaddr = 127.0.0.1 port = 1822 type = "auth" secret = <<< secret >>> response_window = 5 max_outstanding = 65536 zombie_period = 20 status_check = "status-server" ping_interval = 30 check_interval = 7 num_answers_to_alive = 4 revive_interval = 300 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } } home_server arcor_localhost { ipaddr = 127.0.0.1 port = 1823 type = "auth" secret = <<< secret >>> response_window = 5 max_outstanding = 65536 zombie_period = 20 status_check = "status-server" ping_interval = 30 check_interval = 7 num_answers_to_alive = 4 revive_interval = 300 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } } home_server ptlux_localhost { ipaddr = 127.0.0.1 port = 1824 type = "auth" secret = <<< secret >>> response_window = 5 max_outstanding = 65536 zombie_period = 20 status_check = "status-server" ping_interval = 30 check_interval = 7 num_answers_to_alive = 4 revive_interval = 300 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } } home_server vt1pppoe_localhost { ipaddr = 127.0.0.1 port = 1825 type = "auth" secret = <<< secret >>> response_window = 5 max_outstanding = 65536 zombie_period = 20 status_check = "status-server" ping_interval = 30 check_interval = 7 num_answers_to_alive = 4 revive_interval = 300 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } } home_server_pool dtag_pool { type = fail-over home_server = dtag_localhost } realm lotto-rlp { auth_pool = dtag_pool } home_server_pool arcor_pool { type = fail-over home_server = arcor_localhost } realm lotto-rlp.de { auth_pool = arcor_pool } home_server_pool ptlux_pool { type = fail-over home_server = ptlux_localhost } realm pt.lotto-rlp.de { auth_pool = ptlux_pool } home_server_pool vt1pppoe_pool { type = fail-over home_server = vt1pppoe_localhost } realm lotto-rlp.vt1 { auth_pool = vt1pppoe_pool } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> shortname = "localhost" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client vt1pppoe1 { ipaddr = 10.193.1.51 require_message_authenticator = no secret = <<< secret >>> shortname = "vt1pppoe1" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } radiusd: #### Instantiating modules #### # Loaded module rlm_ldap # Instantiating module "ldap_dtag" from file /etc/raddb/mods-enabled/ldap_dtag ldap ldap_dtag { server = "10.193.1.144" port = 389 password = <<< secret >>> identity = "cn=admin,dc=lotto-rlp,dc=de" user { filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" scope = "sub" base_dn = "ou=dtag-users,ou=radius,dc=lotto-rlp, dc=de" access_positive = yes } group { scope = "sub" base_dn = "" name_attribute = "cn" cacheable_name = no cacheable_dn = no } client { scope = "sub" base_dn = "" attribute { identifier = "host" shortname = "cn" } } profile { filter = "(&)" } options { ldap_debug = 0 net_timeout = 10 res_timeout = 20 srv_timelimit = 20 idle = 60 probes = 3 interval = 30 } tls { start_tls = no } } rlm_ldap (ldap_dtag): Couldn't find configuration for accounting, will return NOOP for calls from this section rlm_ldap (ldap_dtag): Couldn't find configuration for post-auth, will return NOOP for calls from this section rlm_ldap (ldap_dtag): Initialising connection pool pool { start = 1 min = 1 max = 130 spare = 10 uses = 300 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_ldap (ldap_dtag): Opening additional connection (0) rlm_ldap (ldap_dtag): Connecting to 10.193.1.144:389 rlm_ldap (ldap_dtag): Waiting for bind result... rlm_ldap (ldap_dtag): Bind successful # Loaded module rlm_exec # Instantiating module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_chap # Instantiating module "chap" from file /etc/raddb/mods-enabled/chap # Loaded module rlm_preprocess # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups" hints = "/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /etc/raddb/mods-config/preprocess/hints # Loaded module rlm_always # Instantiating module "reject" from file /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Instantiating module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Instantiating module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Instantiating module "handled" from file /etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Instantiating module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Instantiating module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap ldap { server = "10.193.1.144" port = 389 password = <<< secret >>> identity = "cn=admin,dc=lotto-rlp,dc=de" user { filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" scope = "sub" base_dn = "ou=dtag-users,ou=radius,dc=lotto-rlp, dc=de" access_positive = yes } group { scope = "sub" base_dn = "" name_attribute = "cn" cacheable_name = no cacheable_dn = no } client { scope = "sub" base_dn = "" attribute { identifier = "host" shortname = "cn" } } profile { filter = "(&)" } options { ldap_debug = 0 net_timeout = 10 res_timeout = 20 srv_timelimit = 20 idle = 60 probes = 3 interval = 30 } tls { start_tls = no } } rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section rlm_ldap (ldap): Initialising connection pool rlm_ldap (ldap): Opening additional connection (0) rlm_ldap (ldap): Connecting to 10.193.1.144:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (1) rlm_ldap (ldap): Connecting to 10.193.1.144:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (2) rlm_ldap (ldap): Connecting to 10.193.1.144:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (3) rlm_ldap (ldap): Connecting to 10.193.1.144:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (4) rlm_ldap (ldap): Connecting to 10.193.1.144:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful # Loaded module rlm_realm # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } # Instantiating module "ldap_vt1pppoe" from file /etc/raddb/mods-enabled/ldap_vt1pppoe ldap ldap_vt1pppoe { server = "10.193.1.144" port = 389 password = <<< secret >>> identity = "cn=admin,dc=lotto-rlp,dc=de" user { filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" scope = "sub" base_dn = "ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de" access_positive = yes } group { scope = "sub" base_dn = "" name_attribute = "cn" cacheable_name = no cacheable_dn = no } client { scope = "sub" base_dn = "" attribute { identifier = "host" shortname = "cn" } } profile { filter = "(&)" } options { ldap_debug = 0 net_timeout = 10 res_timeout = 20 srv_timelimit = 20 idle = 60 probes = 3 interval = 30 } tls { start_tls = no } } rlm_ldap (ldap_vt1pppoe): Couldn't find configuration for accounting, will return NOOP for calls from this section rlm_ldap (ldap_vt1pppoe): Couldn't find configuration for post-auth, will return NOOP for calls from this section rlm_ldap (ldap_vt1pppoe): Initialising connection pool pool { start = 1 min = 1 max = 130 spare = 10 uses = 300 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_ldap (ldap_vt1pppoe): Opening additional connection (0) rlm_ldap (ldap_vt1pppoe): Connecting to 10.193.1.144:389 rlm_ldap (ldap_vt1pppoe): Waiting for bind result... rlm_ldap (ldap_vt1pppoe): Bind successful # Loaded module rlm_expr # Instantiating module "expr" from file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } # Instantiating module "ldap_ptlux" from file /etc/raddb/mods-enabled/ldap_ptlux ldap ldap_ptlux { server = "10.193.1.144" port = 389 password = <<< secret >>> identity = "cn=admin,dc=lotto-rlp,dc=de" user { filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" scope = "sub" base_dn = "ou=ptlux-users,ou=radius,dc=lotto-rlp, dc=de" access_positive = yes } group { scope = "sub" base_dn = "" name_attribute = "cn" cacheable_name = no cacheable_dn = no } client { scope = "sub" base_dn = "" attribute { identifier = "host" shortname = "cn" } } profile { filter = "(&)" } options { ldap_debug = 0 net_timeout = 10 res_timeout = 20 srv_timelimit = 20 idle = 60 probes = 3 interval = 30 } tls { start_tls = no } } rlm_ldap (ldap_ptlux): Couldn't find configuration for accounting, will return NOOP for calls from this section rlm_ldap (ldap_ptlux): Couldn't find configuration for post-auth, will return NOOP for calls from this section rlm_ldap (ldap_ptlux): Initialising connection pool pool { start = 1 min = 1 max = 130 spare = 10 uses = 300 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_ldap (ldap_ptlux): Opening additional connection (0) rlm_ldap (ldap_ptlux): Connecting to 10.193.1.144:389 rlm_ldap (ldap_ptlux): Waiting for bind result... rlm_ldap (ldap_ptlux): Bind successful # Instantiating module "ldap_arcor" from file /etc/raddb/mods-enabled/ldap_arcor ldap ldap_arcor { server = "10.193.1.144" port = 389 password = <<< secret >>> identity = "cn=admin,dc=lotto-rlp,dc=de" user { filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" scope = "sub" base_dn = "ou=arcor-users,ou=radius,dc=lotto-rlp, dc=de" access_positive = yes } group { scope = "sub" base_dn = "" name_attribute = "cn" cacheable_name = no cacheable_dn = no } client { scope = "sub" base_dn = "" attribute { identifier = "host" shortname = "cn" } } profile { filter = "(&)" } options { ldap_debug = 0 net_timeout = 10 res_timeout = 20 srv_timelimit = 20 idle = 60 probes = 3 interval = 30 } tls { start_tls = no } } rlm_ldap (ldap_arcor): Couldn't find configuration for accounting, will return NOOP for calls from this section rlm_ldap (ldap_arcor): Couldn't find configuration for post-auth, will return NOOP for calls from this section rlm_ldap (ldap_arcor): Initialising connection pool pool { start = 1 min = 1 max = 130 spare = 10 uses = 300 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_ldap (ldap_arcor): Opening additional connection (0) rlm_ldap (ldap_arcor): Connecting to 10.193.1.144:389 rlm_ldap (ldap_arcor): Waiting for bind result... rlm_ldap (ldap_arcor): Bind successful radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server default { # from file /etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} } # server default server ptlux_login { # from file /etc/raddb/sites-enabled/ptlux_localhost # Creating Auth-Type = LDAP # Loading authenticate {...} # Loading authorize {...} } # server ptlux_login server dtag_login { # from file /etc/raddb/sites-enabled/dtag_localhost # Loading authenticate {...} # Loading authorize {...} # Loading post-auth {...} } # server dtag_login server vt1pppoe_login { # from file /etc/raddb/sites-enabled/vt1pppoe_localhost # Loading authenticate {...} # Loading authorize {...} } # server vt1pppoe_login server arcor_login { # from file /etc/raddb/sites-enabled/arcor_localhost # Loading authenticate {...} # Loading authorize {...} } # server arcor_login server decode_realm { # from file /etc/raddb/sites-enabled/proxy_decode_realm # Loading authorize {...} } # server decode_realm radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 127.0.0.1 port = 1824 } listen { type = "auth" ipaddr = 127.0.0.1 port = 1822 } listen { type = "auth" ipaddr = 127.0.0.1 port = 1825 } listen { type = "auth" ipaddr = 127.0.0.1 port = 1823 } listen { type = "auth" ipaddr = * port = 1812 } Listening on auth address 127.0.0.1 port 1824 as server ptlux_login Listening on auth address 127.0.0.1 port 1822 as server dtag_login Listening on auth address 127.0.0.1 port 1825 as server vt1pppoe_login Listening on auth address 127.0.0.1 port 1823 as server arcor_login Listening on auth address * port 1812 as server decode_realm Opening new proxy socket 'proxy address * port 0' Listening on proxy address * port 36069 Ready to process requests. Reject as seen from client vt1radius:/etc/raddb # echo "User-Name = 88078@lotto-rlp.vt1 , CHAP-Password = jWd53332J0jCtWu , Framed-Protocol = PPP" | radclient -r 1 -xs localhost:1812 auth testing123 Sending Access-Request Id 57 from 0.0.0.0:38849 to 127.0.0.1:1812 User-Name = '88078@lotto-rlp.vt1' CHAP-Password = 0x679cdd78fcdd041a354d207cb081023188 Framed-Protocol = PPP Received Access-Reject Id 57 from 127.0.0.1:1812 to 127.0.0.1:38849 length 20 (0) Expected Access-Accept got Access-Reject Packet summary: Access-Accepts : 0 Access-Rejects : 1 Lost : 0 Passed filter : 0 Failed filter : 1 server : Received Access-Request Id 57 from 127.0.0.1:38849 to 127.0.0.1:1812 length 66 User-Name = '88078@lotto-rlp.vt1' CHAP-Password = 0x679cdd78fcdd041a354d207cb081023188 Framed-Protocol = PPP (0) # Executing section authorize from file /etc/raddb/sites-enabled/proxy_decode_realm (0) authorize { (0) filter_username filter_username { (0) if (User-Name != "%{tolower:%{User-Name}}") (0) EXPAND %{tolower:%{User-Name}} (0) --> 88078@lotto-rlp.vt1 (0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) if (User-Name =~ / /) (0) if (User-Name =~ / /) -> FALSE (0) if (User-Name =~ /@.*@/ ) (0) if (User-Name =~ /@.*@/ ) -> FALSE (0) if (User-Name =~ /\\.\\./ ) (0) if (User-Name =~ /\\.\\./ ) -> FALSE (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (User-Name =~ /\\.$/) (0) if (User-Name =~ /\\.$/) -> FALSE (0) if (User-Name =~ /@\\./) (0) if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) IPASS : No '/' in User-Name = "88078@lotto-rlp.vt1", looking up realm NULL (0) IPASS : No such realm "NULL" (0) [IPASS] = noop (0) suffix : Looking up realm "lotto-rlp.vt1" for User-Name = "88078@lotto-rlp.vt1" (0) suffix : Found realm "lotto-rlp.vt1" (0) suffix : Adding Stripped-User-Name = "88078" (0) suffix : Adding Realm = "lotto-rlp.vt1" (0) suffix : Proxying request from user 88078 to realm lotto-rlp.vt1 (0) suffix : Preparing to proxy authentication request to realm "lotto-rlp.vt1" (0) [suffix] = updated (0) } # authorize = updated (0) Proxying request to home server 127.0.0.1 port 1825 Sending Access-Request Id 214 from 0.0.0.0:36069 to 127.0.0.1:1825 User-Name = '88078' CHAP-Password = 0x679cdd78fcdd041a354d207cb081023188 Framed-Protocol = PPP Service-Type = Framed-User NAS-IP-Address = 127.0.0.1 CHAP-Challenge = 0x843194cd5adeebeedf6b33dfab7a7873 Message-Authenticator := 0x00 Proxy-State = 0x3537 Waking up in 0.3 seconds. Received Access-Request Id 214 from 127.0.0.1:36069 to 127.0.0.1:1825 length 104 User-Name = '88078' CHAP-Password = 0x679cdd78fcdd041a354d207cb081023188 Framed-Protocol = PPP Service-Type = Framed-User NAS-IP-Address = 127.0.0.1 CHAP-Challenge = 0x843194cd5adeebeedf6b33dfab7a7873 Message-Authenticator = 0x4eb73a374b5f5b8752e00b60f989d407 Proxy-State = 0x3537 (1) # Executing section authorize from file /etc/raddb/sites-enabled/vt1pppoe_localhost (1) authorize { rlm_ldap (ldap_vt1pppoe): Reserved connection (0) (1) ldap_vt1pppoe : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap_vt1pppoe : --> (uid=88078) (1) ldap_vt1pppoe : EXPAND ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de (1) ldap_vt1pppoe : --> ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de (1) ldap_vt1pppoe : Performing search in 'ou=vt1pppoe-users,ou=radius,dc=lotto-rlp, dc=de' with filter '(uid=88078)', scope 'sub' (1) ldap_vt1pppoe : Waiting for search result... (1) ldap_vt1pppoe : User object found at DN "uid=88078,ou=vt1pppoe-users,ou=radius,dc=lotto-rlp,dc=de" (1) ldap_vt1pppoe : Processing user attributes (1) ldap_vt1pppoe : control:Password-With-Header += ''jWd53332J0jCtWu'' (1) ldap_vt1pppoe : control:Cleartext-Password := ''jWd53332J0jCtWu'' rlm_ldap (ldap_vt1pppoe): Released connection (0) (1) [ldap_vt1pppoe] = ok (1) if ((ok || updated) && User-Password) (1) if ((ok || updated) && User-Password) -> FALSE (1) if ((ok || updated) && CHAP-Password) (1) if ((ok || updated) && CHAP-Password) -> TRUE (1) if ((ok || updated) && CHAP-Password) { (1) update { (1) control:Auth-Type = CHAP (1) } # update = noop (1) } # if ((ok || updated) && CHAP-Password) = noop (1) } # authorize = ok (1) Found Auth-Type = CHAP (1) # Executing group from file /etc/raddb/sites-enabled/vt1pppoe_localhost (1) Failed to authenticate the user. (1) Login incorrect: [88078] (from client localhost port 0) (1) Using Post-Auth-Type Reject (1) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.4 seconds. (0) Expecting proxy response no later than 5 seconds from now Waking up in 0.1 seconds. (1) Sending delayed response Sending Access-Reject Id 214 from 127.0.0.1:1825 to 127.0.0.1:36069 Proxy-State = 0x3537 Waking up in 0.9 seconds. Received Access-Reject Id 214 from 127.0.0.1:1825 to 127.0.0.1:36069 length 24 Proxy-State = 0x3537 (0) Login incorrect (Home Server says so): [88078@lotto-rlp.vt1] (from client localhost port 0) (0) Using Post-Auth-Type Reject (0) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (1) Cleaning up request packet ID 214 with timestamp +58 (0) Sending delayed response Sending Access-Reject Id 57 from 127.0.0.1:1812 to 127.0.0.1:38849 Waking up in 0.9 seconds. (0) Cleaning up request packet ID 57 with timestamp +58 Ready to process requests. Now we are somewhat at a loss. Are we missing something Best regards Michael Wein