Hi, i am trying to setup radius auth for my AP. i've followed wiki instructions and it must be i overseen something my session printout and config files are below. I need your expert help with this one. Have anyone seen this kind of behaviour? br, jura root@zgpc-radius:~# /usr/sbin/freeradius -X FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on May 19 2011 at 15:42:57 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes msg_badpass = "Holly shit your password is bad!" } security { max_attributes = 200 reject_delay = 3 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "0123456789ABCDEF" nastype = "other" } client 192.168.113.0/24 { require_message_authenticator = no secret = "0123456789ABCDEF" shortname = "BLMOVI" } client 10.222.72.0/24 { require_message_authenticator = no secret = "0123456789ABCDEF" shortname = "ONTOVI" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/freeradius/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_always Module: Instantiating module "ok" from file /etc/freeradius/modules/always always ok { rcode = "ok" simulcount = 0 mpp = no } Module: Checking authorize {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "authorized_macs" from file /etc/freeradius/modules/files files authorized_macs { usersfile = "/etc/freeradius/authorized_macs" compat = "no" key = "%{Calling-Station-ID}" } Module: Instantiating module "reject" from file /etc/freeradius/modules/always always reject { rcode = "reject" simulcount = 0 mpp = no } } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Ready to process requests. rad_recv: Access-Request packet from host 10.222.72.112 port 65534, id=26, length=143 NAS-IP-Address = 100.1.1.1 NAS-Port-Id = "1.1" Framed-MTU = 1024 User-Name = "64-31-50-81-CB-2F" Calling-Station-Id = "64-31-50-81-CB-2F" Message-Authenticator = 0x55e71eef2d8919739367e5026db3bc16 EAP-Message = 0x020200110167706f6e2d48505c67706f6e NAS-Identifier = "BLM12" Ericsson-Attr-101 = 0x4552494353534f4e # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} [eap] EAP packet type response id 2 length 17 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++? if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i)) (Attribute Service-Type was not found) ?? Evaluating (Service-Type == 'Call-Check') -> FALSE expand: ^%{Calling-Station-ID}$ -> ^64-31-50-81-CB-2F$ ?? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) -> TRUE ++? if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i)) -> TRUE ++- entering if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i)) {...} +++[control] returns updated ++- if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i)) returns updated Found Auth-Type = EAP WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. # Executing group from file /etc/freeradius/sites-enabled/default Failed to authenticate the user. expand: Crap your password is bad! -> Crap your password is bad! Login incorrect: [64-31-50-81-CB-2F/<via Auth-Type = EAP>] (from client ONTOVI port 0 cli 64-31-50-81-CB-2F) Holly shit your password is bad! Using Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. # Executing group from file /etc/freeradius/sites-enabled/default Delaying reject of request 0 for 3 seconds Going to the next request Waking up in 0.9 seconds. Waking up in 1.9 seconds. rad_recv: Access-Request packet from host 10.222.72.112 port 65534, id=26, length=143 Waiting to send Access-Reject to client ONTOVI port 65534 - ID: 26 Waking up in 1.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 26 to 10.222.72.112 port 65534 rad_recv: Access-Request packet from host 10.222.72.112 port 65534, id=26, length=143 Sending duplicate reply to client ONTOVI port 65534 - ID: 26 Sending Access-Reject of id 26 to 10.222.72.112 port 65534 Waking up in 4.9 seconds. Cleaning up request 0 ID 26 with timestamp +43 Ready to process requests. ---------------------------------------------------------------------------- root@zgpc-radius:/etc/freeradius/sites-enabled# grep -v '#' ../clients.conf client localhost { ipaddr = 127.0.0.1 secret = 0123456789ABCDEF require_message_authenticator = no } client 10.222.72.0/24 { secret = 0123456789ABCDEF shortname = ONTOVI require_message_authenticator = no } ----------------------------------------------------------------------------- root@zgpc-radius:/etc/freeradius/sites-enabled# grep -v '#' ../radiusd.conf prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct name = freeradius confdir = ${raddbdir} run_dir = ${localstatedir}/run/${name} db_dir = ${raddbdir} libdir = /usr/lib/freeradius pidfile = ${run_dir}/${name}.pid user = freerad group = freerad max_request_time = 30 cleanup_delay = 5 max_requests = 1024 listen { type = auth ipaddr = * port = 0 } hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log { destination = files file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes msg_badpass = "Crap your password is bad!" } checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 3 status_server = yes } proxy_requests = no $INCLUDE clients.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { $INCLUDE ${confdir}/modules/ $INCLUDE eap.conf } instantiate { exec expr expiration logintime } $INCLUDE policy.conf $INCLUDE sites-enabled/ root@zgpc-radius:/etc/freeradius/sites-enabled# --------------------------------------------------------------------------- root@zgpc-radius:/etc/freeradius/sites-enabled# grep -v '#' ../policy.conf policy { forbid_eap { if (EAP-Message) { reject } } permit_only_eap { if (!EAP-Message) { if (!"%{outer.request:EAP-Message}") { reject } } } deny_realms { if (User-Name =~ /@|\\/) { reject } } do_not_respond { update control { Response-Packet-Type := Do-Not-Respond } handled } cui_authorize { update request { Chargeable-User-Identity:='\\000' } } cui_postauth { if (FreeRadius-Proxied-To == 127.0.0.1) { if (outer.request:Chargeable-User-Identity) { update outer.reply { Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}" } } } else { if (Chargeable-User-Identity) { update reply { Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}" } } } } cui_updatedb { if (reply:Chargeable-User-Identity) { cui } } cui_accounting { if (!Chargeable-User-Identity) { update control { Chargable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}" } } if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) { cui } } rewrite_calling_station_id { if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){ update request { Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" } } else { noop } } } ------------------------------------------------------------------------------------------------------ root@zgpc-radius:/etc/freeradius/sites-enabled# grep -v '#' /etc/freeradius/eap.conf eap { default_eap_type = md5 timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 md5 { } } -- View this message in context: http://freeradius.1045715.n5.nabble.com/webauth-and-macauth-tp5703328.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 11/05/12 16:24, djura wrote:
Hi,
i am trying to setup radius auth for my AP.
i've followed wiki instructions and it must be i overseen something my session printout and config files are below.
I need your expert help with this one. Have anyone seen this kind of behaviour?
Your config looks horribly broken; you've edited it and done something badly wrong:
Found Auth-Type = EAP WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. # Executing group from file /etc/freeradius/sites-enabled/default Failed to authenticate the user. expand: Crap your password is bad! -> Crap your password is bad! Login incorrect: [64-31-50-81-CB-2F/<via Auth-Type = EAP>] (from client ONTOVI port 0 cli 64-31-50-81-CB-2F) Holly shit your password is bad! Using Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
Go back to the default configs and start again. Follow the tutorial here: http://deployingradius.com/ Make small changes. Take the default config and put it in version control. Commit changes at each step once you have them working. Roll them back if you break it.
Hi Phil, you were right my config was terrible...i started over and followed instructions from wiki on how to setup macauth and 8021x, now my config looks better, but i still have the issue as shown below. It says that mac address is not in authorised_macs but it is, 64-31-50-81-cb-2f Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access" also in raddb/modules/files, i added section authorized_macs, I read the forum and consulted google, but still strugle with this...please help. .... Listening on authentication address 10.222.72.100 port 1812 Listening on proxy address 10.222.72.100 port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.222.72.112 port 65534, id=27, length=143 NAS-IP-Address = 100.1.1.1 NAS-Port-Id = "1.1" Framed-MTU = 1024 User-Name = "64-31-50-81-CB-2F" Calling-Station-Id = "64-31-50-81-CB-2F" Message-Authenticator = 0x4dffe7f21d146b2832db0fdb6678d135 EAP-Message = 0x02ce00110167706f6e2d48505c67706f6e NAS-Identifier = "BLM12_SINGTEL" Ericsson-Attr-101 = 0x4552494353534f4e # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++- entering policy rewrite_calling_station_id {...} +++? if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) ? Evaluating (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE +++? if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE +++- entering if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {...} expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} -> 64-31-50-81-CB-2F expand: %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} -> 64-31-50-81-cb-2f ++++[request] returns ok +++- if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) returns ok +++ ... skipping else for request 0: Preceding "if" was taken ++- policy rewrite_calling_station_id returns ok [authorized_macs] expand: %{Calling-Station-ID} -> 64-31-50-81-cb-2f ++[authorized_macs] returns noop ++? if (!ok) ? Evaluating !(ok) -> TRUE ++? if (!ok) -> TRUE ++- entering if (!ok) {...} +++[reject] returns reject ++- if (!ok) returns reject expand: %{User-Name}, %{Password} -> 64-31-50-81-CB-2F, Invalid user: [64-31-50-81-CB-2F/<no User-Password attribute>] (from client be-lem-12 port 0 cli 64-31-50-81-cb-2f) 64-31-50-81-CB-2F, Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 64-31-50-81-CB-2F attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 27 to 10.222.72.112 port 65534 Waking up in 4.9 seconds. Cleaning up request 0 ID 27 with timestamp +23 Ready to process requests. ... -- View this message in context: http://freeradius.1045715.n5.nabble.com/webauth-and-macauth-tp5703328p571002... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 15/05/12 14:38, djura wrote:
Hi Phil,
you were right my config was terrible...i started over and followed instructions from wiki on how to setup macauth and 8021x, now my config looks better, but i still have the issue as shown below.
It says that mac address is not in authorised_macs but it is,
64-31-50-81-cb-2f Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
also in
raddb/modules/files, i added section authorized_macs,
I don't know what this means. What is "authorized_macs" - an instance of the "files" module?
I read the forum and consulted google, but still strugle with this...please help.
Help yourself - send a full debug, not a trimmed debug.
[authorized_macs] expand: %{Calling-Station-ID} -> 64-31-50-81-cb-2f ++[authorized_macs] returns noop
Your "authorized_macs" module isn't doing anything. You have configured it wrong, or not put the right data in the file (if it's a "users" file)
I've done the changes as stated in wiki, first i changed default file, added this section / ----------------------------------start of default file------------------------------------ authorize { preprocess ############# mac auth part ##############3 rewrite_calling_station_id # now check against the authorized_macs file authorized_macs # if (ok) { # update control { # Auth-Type := Accept # } # } # if (!ok) { reject } # If this is NOT 802.1x, mac-auth if (!EAP-Message) { # mac has already been checked, accept update control { Auth-Type := Accept } } else { # normal FreeRadius virtual server config goes here e.g. eap } ################# end of mac auth part ############## eap { ok = return } # # Read the 'users' file files Autz-Type Status-Server { } } ..... ----------------------------------------end of default file ------------------------------ / I added "authorized_macs" is module in files module. now files module looks like this, / --------------------------------start of files module-------------------------------- # -*- text -*- # # $Id$ # Livingston-style 'users' file # files { # The default key attribute to use for matches. The content # of this attribute is used to match the "name" of the # entry. #key = "%{Stripped-User-Name:-%{User-Name}}" usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users # If you want to use the old Cistron 'users' file # with FreeRADIUS, you should change the next line # to 'compat = cistron'. You can the copy your 'users' # file from Cistron. compat = no } # An example which defines a second instance of the "files" module. # This instance is named "second_files". In order for it to be used # in a virtual server, it needs to be listed as "second_files" # inside of the "authorize" section (or other section). If you just # list "files", that will refer to the configuration defined above. # # The two names here mean: # "files" - this is a configuration for the "rlm_files" module # "second_files" - this is a named configuration, which isn't # the default configuration. files authorized_macs { # The default key attribute to use for matches. The content # of this attribute is used to match the "name" of the # entry. key = "%{Calling-Station-ID}" usersfile = ${confdir}/authorized_macs # If you want to use the old Cistron 'users' file # with FreeRADIUS, you should change the next line # to 'compat = cistron'. You can the copy your 'users' # file from Cistron. compat = no } -------------------------end of files module---------------------------- / in users file i have entries looking like this / --------------------------start of users file--------------------------- 64-31-50-81-cb-2f Cleartext-Password := "63-31-50-81-cb-2f" -----------------------------end of users file------------------------ / also here is the output from radiusd debug / ------------------------------------- start of debug output ----------------------------------- FreeRADIUS Version 2.1.12, for host i386-portbld-freebsd8.1, built on Jan 3 2012 at 23:44:16 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/modules/ including configuration file /usr/local/etc/raddb/modules/wimax including configuration file /usr/local/etc/raddb/modules/always including configuration file /usr/local/etc/raddb/modules/attr_filter including configuration file /usr/local/etc/raddb/modules/attr_rewrite including configuration file /usr/local/etc/raddb/modules/chap including configuration file /usr/local/etc/raddb/modules/checkval including configuration file /usr/local/etc/raddb/modules/counter including configuration file /usr/local/etc/raddb/modules/cui including configuration file /usr/local/etc/raddb/modules/detail including configuration file /usr/local/etc/raddb/modules/detail.example.com including configuration file /usr/local/etc/raddb/modules/detail.log including configuration file /usr/local/etc/raddb/modules/digest including configuration file /usr/local/etc/raddb/modules/dynamic_clients including configuration file /usr/local/etc/raddb/modules/echo including configuration file /usr/local/etc/raddb/modules/etc_group including configuration file /usr/local/etc/raddb/modules/exec including configuration file /usr/local/etc/raddb/modules/expiration including configuration file /usr/local/etc/raddb/modules/expr including configuration file /usr/local/etc/raddb/modules/files including configuration file /usr/local/etc/raddb/modules/inner-eap including configuration file /usr/local/etc/raddb/modules/ippool including configuration file /usr/local/etc/raddb/modules/krb5 including configuration file /usr/local/etc/raddb/modules/ldap including configuration file /usr/local/etc/raddb/modules/linelog including configuration file /usr/local/etc/raddb/modules/logintime including configuration file /usr/local/etc/raddb/modules/mac2ip including configuration file /usr/local/etc/raddb/modules/mschap including configuration file /usr/local/etc/raddb/modules/mac2vlan including configuration file /usr/local/etc/raddb/modules/ntlm_auth including configuration file /usr/local/etc/raddb/modules/opendirectory including configuration file /usr/local/etc/raddb/modules/otp including configuration file /usr/local/etc/raddb/modules/pam including configuration file /usr/local/etc/raddb/modules/pap including configuration file /usr/local/etc/raddb/modules/passwd including configuration file /usr/local/etc/raddb/modules/perl including configuration file /usr/local/etc/raddb/modules/policy including configuration file /usr/local/etc/raddb/modules/preprocess including configuration file /usr/local/etc/raddb/modules/radutmp including configuration file /usr/local/etc/raddb/modules/realm including configuration file /usr/local/etc/raddb/modules/redis including configuration file /usr/local/etc/raddb/modules/rediswho including configuration file /usr/local/etc/raddb/modules/replicate including configuration file /usr/local/etc/raddb/modules/smbpasswd including configuration file /usr/local/etc/raddb/modules/smsotp including configuration file /usr/local/etc/raddb/modules/soh including configuration file /usr/local/etc/raddb/modules/sql_log including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /usr/local/etc/raddb/modules/sradutmp including configuration file /usr/local/etc/raddb/modules/unix including configuration file /usr/local/etc/raddb/modules/acct_unique including configuration file /usr/local/etc/raddb/modules/motp including configuration file /usr/local/etc/raddb/modules/datacounter_acct including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sites-enabled/default_b4_promjene main { allow_core_dumps = no } including dictionary file /usr/local/etc/raddb/dictionary main { name = "radiusd" prefix = "/usr/local" localstatedir = "/var" sbindir = "/usr/local/sbin" logdir = "/var/log" run_dir = "/var/run" libdir = "/usr/local/lib/freeradius-2.1.12" radacctdir = "/var/log/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = yes auth = yes auth_badpass = yes auth_goodpass = yes msg_badpass = "%{User-Name}, %{Password}" msg_goodpass = "%{User-Name}" } security { max_attributes = 200 reject_delay = 1 status_server = no } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client be-lem-12 { ipaddr = 10.222.72.112 require_message_authenticator = yes secret = "0123456789ABCDEF" shortname = "be-lem-12" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr Module: Linked to module rlm_counter Module: Instantiating module "daily" from file /usr/local/etc/raddb/modules/counter counter daily { filename = "/var/log/radacct/timecounter/db.daily" key = "User-Name" reset = "daily" count-attribute = "Acct-Session-Time" counter-name = "Daily-Session-Time" check-name = "Max-Daily-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Daily-Session-Time is number 11273 rlm_counter: Current Time: 1337091664 [2012-05-15 16:21:04], Next reset 1337119200 [2012-05-16 00:00:00] Module: Instantiating module "weekly" from file /usr/local/etc/raddb/modules/counter counter weekly { filename = "/var/log/radacct/timecounter/db.weekly" key = "User-Name" reset = "weekly" count-attribute = "Acct-Session-Time" counter-name = "Weekly-Session-Time" check-name = "Max-Weekly-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Weekly-Session-Time is number 11275 rlm_counter: Current Time: 1337091664 [2012-05-15 16:21:04], Next reset 1337464800 [2012-05-20 00:00:00] Module: Instantiating module "monthly" from file /usr/local/etc/raddb/modules/counter counter monthly { filename = "/var/log/radacct/timecounter/db.monthly" key = "User-Name" reset = "monthly" count-attribute = "Acct-Session-Time" counter-name = "Monthly-Session-Time" check-name = "Max-Monthly-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Monthly-Session-Time is number 11277 rlm_counter: Current Time: 1337091664 [2012-05-15 16:21:04], Next reset 1338501600 [2012-06-01 00:00:00] Module: Instantiating module "forever" from file /usr/local/etc/raddb/modules/counter counter forever { filename = "/var/log/radacct/timecounter/db.forever" key = "User-Name" reset = "never" count-attribute = "Acct-Session-Time" counter-name = "Forever-Session-Time" check-name = "Max-Forever-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Forever-Session-Time is number 11279 rlm_counter: Current Time: 1337091664 [2012-05-15 16:21:04], Next reset 0 [2012-05-15 16:00:00] Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/etc/raddb/radiusd.conf modules { Module: Creating Auth-Type = MOTP Module: Creating Auth-Type = digest Module: Creating Autz-Type = Status-Server Module: Creating Acct-Type = Status-Server Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes allow_retry = yes } Module: Instantiating module "motp" from file /usr/local/etc/raddb/modules/motp exec motp { wait = yes program = "/usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix unix { radwtmp = "/var/log/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/usr/local/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" CA_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = no url = "http://127.0.0.1/ocsp/" } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Loading virtual module rewrite_calling_station_id Module: Linked to module rlm_always Module: Instantiating module "noop" from file /usr/local/etc/raddb/modules/always always noop { rcode = "noop" simulcount = 0 mpp = no } Module: Linked to module rlm_files Module: Instantiating module "authorized_macs" from file /usr/local/etc/raddb/modules/files files authorized_macs { usersfile = "/usr/local/etc/raddb/authorized_macs" compat = "no" key = "%{Calling-Station-ID}" } Module: Instantiating module "reject" from file /usr/local/etc/raddb/modules/always always reject { rcode = "reject" simulcount = 0 mpp = no } Module: Checking preacct {...} for more modules to load Module: Loading virtual module rewrite_calling_station_id Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = yes } Module: Instantiating module "ntdomain" from file /usr/local/etc/raddb/modules/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = yes } Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" compat = "no" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /usr/local/etc/raddb/modules/detail detail { detailfile = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "datacounterdaily" from file /usr/local/etc/raddb/modules/datacounter_acct exec datacounterdaily { wait = yes program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} daily %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Instantiating module "datacounterweekly" from file /usr/local/etc/raddb/modules/datacounter_acct exec datacounterweekly { wait = yes program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} weekly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Instantiating module "datacountermonthly" from file /usr/local/etc/raddb/modules/datacounter_acct exec datacountermonthly { wait = yes program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} monthly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Instantiating module "datacounterforever" from file /usr/local/etc/raddb/modules/datacounter_acct exec datacounterforever { wait = yes program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} forever %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /usr/local/etc/raddb/modules/radutmp radutmp { filename = "/var/log/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/usr/local/etc/raddb/attrs.accounting_response" key = "%{User-Name}" relaxed = no } Module: Checking session {...} for more modules to load Module: Checking pre-proxy {...} for more modules to load Module: Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.pre-proxy { attrsfile = "/usr/local/etc/raddb/attrs.pre-proxy" key = "%{Realm}" relaxed = no } Module: Checking post-proxy {...} for more modules to load Module: Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.post-proxy { attrsfile = "/usr/local/etc/raddb/attrs" key = "%{Realm}" relaxed = no } Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/usr/local/etc/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 10.222.72.100 port = 1812 } Listening on authentication address 10.222.72.100 port 1812 Listening on proxy address 10.222.72.100 port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.222.72.112 port 65534, id=27, length=143 NAS-IP-Address = 100.1.1.1 NAS-Port-Id = "1.1" Framed-MTU = 1024 User-Name = "64-31-50-81-CB-2F" Calling-Station-Id = "64-31-50-81-CB-2F" Message-Authenticator = 0x4dffe7f21d146b2832db0fdb6678d135 EAP-Message = 0x02ce00110167706f6e2d48505c67706f6e NAS-Identifier = "BLM12_SINGTEL" Ericsson-Attr-101 = 0x4552494353534f4e # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++- entering policy rewrite_calling_station_id {...} +++? if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) ? Evaluating (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE +++? if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE +++- entering if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {...} expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} -> 64-31-50-81-CB-2F expand: %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} -> 64-31-50-81-cb-2f ++++[request] returns ok +++- if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) returns ok +++ ... skipping else for request 0: Preceding "if" was taken ++- policy rewrite_calling_station_id returns ok [authorized_macs] expand: %{Calling-Station-ID} -> 64-31-50-81-cb-2f ++[authorized_macs] returns noop ++? if (!ok) ? Evaluating !(ok) -> TRUE ++? if (!ok) -> TRUE ++- entering if (!ok) {...} +++[reject] returns reject ++- if (!ok) returns reject expand: %{User-Name}, %{Password} -> 64-31-50-81-CB-2F, Invalid user: [64-31-50-81-CB-2F/<no User-Password attribute>] (from client be-lem-12 port 0 cli 64-31-50-81-cb-2f) 64-31-50-81-CB-2F, Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 64-31-50-81-CB-2F attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 27 to 10.222.72.112 port 65534 Waking up in 4.9 seconds. Cleaning up request 0 ID 27 with timestamp +23 Ready to process requests. --------------------------------------end of debug output-------------------------------- / -- View this message in context: http://freeradius.1045715.n5.nabble.com/webauth-and-macauth-tp5703328p571010... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 15/05/12 15:56, djura wrote:
I've done the changes as stated in wiki,
Which wiki page? This page: http://wiki.freeradius.org/Mac%20Auth ...doesn't tell you to use your method. So you're looking at another page, or copying it from somewhere older.
in users file i have entries looking like this / --------------------------start of users file---------------------------
64-31-50-81-cb-2f Cleartext-Password := "63-31-50-81-cb-2f"
You must have done something wrong, either a typo or you're editing the wrong file, because FreeRADIUS is not finding that entry:
[authorized_macs] expand: %{Calling-Station-ID} -> 64-31-50-81-cb-2f ++[authorized_macs] returns noop
"noop" from the "files" module means "not found". So, you're doing something wrong. Check your config again. Read it carefully. Better yet, follow the actual docs on the wiki.
participants (3)
-
Alan DeKok -
djura -
Phil Mayers