Dusty Doris wrote:
The only part the does not work is the chap authentication all other authentication works as it should. Our wholesale provider says we are doing PAP just fine but no chap. They had very old instructions for Freeradius but decided to start out with a totally clean install.
This user below is in mysql database, and the system passwd/shadow files.
He will not authenticate with the mysql database when we include a realm @domain and chap password.
It gets the slipstream false from the database so I'm not sure why it won't authenticate the rest.
Thread 1 handling request 0, (1 handled so far) User-Name = "rniclh@surftheusa.com" User-Password = "test123" NAS-IP-Address = 255.255.255.255 NAS-Port = 100
I don't see a CHAP password in there.
Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 hints: Matched other at 80
You matched on the hints file on line 80 - what does your hints file say?
DEFAULT Suffix == ".ppp", Strip-User-Name = Yes Hint = "PPP", Service-Type = Framed-User, Framed-Protocol = PPP DEFAULT Suffix == ".slip", Strip-User-Name = Yes Hint = "SLIP", Service-Type = Framed-User, Framed-Protocol = SLIP DEFAULT Suffix == ".cslip", Strip-User-Name = Yes Hint = "CSLIP", Service-Type = Framed-User, Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP other Suffix == "@surftheusa.com", Strip-User-Name = Yes Hint = "PPP", Service-Type = Framed-User, Framed-Protocol = PPP
modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "attr_filter" returns noop for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_realm: No '@' in User-Name = "rniclh", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 159 users: Matched entry DEFAULT at line 178 users: Matched entry DEFAULT at line 190
You matched the users file in three seperate lines, 159, 178, and 190. What does your users file say on each of those lines?
# First setup all accounts to be checked against the UNIX /etc/passwd. # (Unless a password was already given earlier in this file). # DEFAULT Auth-Type == System Fall-Through = 1 # Defaults for all framed connections. # DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes # # Default for PPP: dynamic IP address, PPP mode, VJ-compression. # NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected # by the terminal server in which case there may not be a "P" suffix. # The terminal server sends "Framed-Protocol = PPP" for auto PPP. # DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP # # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression. # DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP # # Default for SLIP: dynamic IP address, SLIP mode. # DEFAULT Hint == "SLIP" Framed-Protocol = SLIP
modcall[authorize]: module "files" returns ok for request 0 radius_xlat: 'rniclh' rlm_sql (sql): sql_set_user escaped user --> 'rniclh'
...
modcall[authorize]: module "sql" returns ok for request 0 modcall: group authorize returns ok for request 0
Your sql call returned OK, that means the sql part worked.
rad_check_password: Found Auth-Type System auth: type "System"
Now it just got changed to Auth-Type System. Is this from your users file?
Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_unix: [rniclh]: invalid password
You authenticated with the unix module, is that what you want? The user failed because the password did not match your /etc/passwd file.
modcall[authenticate]: module "unix" returns reject for request 0 modcall: group authenticate returns reject for request 0 auth: Failed to validate the user.
I would look at your hints file and your users file to the lines it matched at - post them here if you want us to take a look at it. Also, if you don't want to use /etc/passwd, then disable the unix module in the authentication section.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html