Hello Still trying to use freeradius with chillispot I still have problems I'm trying to use mixed authentication MAC addresses for some video devices in the "users" file as follows : 00-06-F4-0D-08-66 Auth-Type := Local, User-Password == "xxxxxxxx" Framed-IP-Address = 192.168.182.213, Fall-Through = Yes LDAP backend for "real" users at the end of the "users" file I have this statement DEFAULT Auth-Type = LDAP Fall-Through = 1 This configuration were working well on a very old debian machine which died suddenly When I try to access the the chilli portal it ask radius for authentication but it dows not work. See below the debug trace of radius daemon. Help greatly appreciated, thank you. Wed Aug 31 16:52:39 2011 : Debug: Processing the authorize section of radiusd.conf Wed Aug 31 16:52:39 2011 : Debug: modcall: entering group authorize for request 15 Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 15 Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 15 Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "preprocess" returns ok for request 15 Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 15 Wed Aug 31 16:52:39 2011 : Debug: rlm_eap: No EAP-Message, not doing EAP Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 15 Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "eap" returns noop for request 15 Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling files (rlm_files) for request 15 Wed Aug 31 16:52:39 2011 : Debug: users: Matched entry DEFAULT at line 398 Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 15 Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "files" returns ok for request 15 Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 15 Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: - authorize Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: performing user authorization for xxxxxxxx Wed Aug 31 16:52:39 2011 : Debug: radius_xlat: '(uid=xxx)' Wed Aug 31 16:52:39 2011 : Debug: radius_xlat: 'ou=Users,dc=esiee,dc=fr' Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: performing search in ou=Users,dc=esiee,dc=fr, with filter (uid=hrazdira) Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: checking if remote access for xxxxxxxx is allowed by uid Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: looking for check items in directory... Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: looking for reply items in directory... Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: user xxxxxxxx authorized to use remote access Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 15 Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "ldap" returns ok for request 15 Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 15 Wed Aug 31 16:52:39 2011 : Debug: rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. Wed Aug 31 16:52:39 2011 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 15 Wed Aug 31 16:52:39 2011 : Debug: modcall[authorize]: module "pap" returns noop for request 15 Wed Aug 31 16:52:39 2011 : Debug: modcall: leaving group authorize (returns ok) for request 15 Wed Aug 31 16:52:39 2011 : Debug: rad_check_password: Found Auth-Type LDAP Wed Aug 31 16:52:39 2011 : Debug: auth: type "LDAP" Wed Aug 31 16:52:39 2011 : Debug: Processing the authenticate section of radiusd.conf Wed Aug 31 16:52:39 2011 : Debug: modcall: entering group authenticate for request 15 Wed Aug 31 16:52:39 2011 : Debug: modsingle[authenticate]: calling ldap (rlm_ldap) for request 15 Wed Aug 31 16:52:39 2011 : Debug: rlm_ldap: - authenticate Wed Aug 31 16:52:39 2011 : Auth: rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password". Wed Aug 31 16:52:39 2011 : Debug: modsingle[authenticate]: returned from ldap (rlm_ldap) for request 15 Wed Aug 31 16:52:39 2011 : Debug: modcall[authenticate]: module "ldap" returns invalid for request 15 Wed Aug 31 16:52:39 2011 : Debug: modcall: leaving group authenticate (returns invalid) for request 15 Wed Aug 31 16:52:39 2011 : Debug: auth: Failed to validate the user. Wed Aug 31 16:52:39 2011 : Debug: Delaying request 15 for 1 seconds Wed Aug 31 16:52:39 2011 : Debug: Finished request 15 Wed Aug 31 16:52:39 2011 : Debug: Going to the next request Wed Aug 31 16:52:39 2011 : Debug: --- Walking the entire request list ---
Frank Bonnet wrote:
MAC addresses for some video devices in the "users" file as follows :
00-06-F4-0D-08-66 Auth-Type := Local, User-Password == "xxxxxxxx"
That's wrong. See the debug output for reasons why. See the FAQ for correct examples.
LDAP backend for "real" users at the end of the "users" file I have this statement
DEFAULT Auth-Type = LDAP Fall-Through = 1
That's not needed.
Wed Aug 31 16:52:39 2011 : Auth: rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
That's pretty clear. The NAS is sending a CHAP request. You can't do that with "Auth-Type LDAP" Instead, list "ldap" in the "authorize" section. Don't set Auth-Type. It's almost always wrong. Alan DeKok.
participants (2)
-
Alan DeKok -
Frank Bonnet