freeradius 1.0.4 + mysql cannot authincate
I am running freeradius 1.0.4 + mysql 4.1.16. I have use the mysql database schema from the freeradius tar ball. Everything seems to be setup correctly I can authenticate from flat text files but not from any database usernames. Here is the output from my /usr/sbin/radiusd -X: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 1645 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "before" main: lower_pass = "no" main: nospace_user = "before" main: nospace_pass = "before" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Listening on authentication *:1645 Listening on accounting *:1646 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:32784, id=125, length=58 User-Name = "scooby" User-Password = "scooby" NAS-IP-Address = 255.255.255.255 NAS-Port = 10 rad_lowerpair: User-Name now 'scooby' rad_rmspace_pair: User-Name now 'scooby' rad_rmspace_pair: User-Password now 'scooby' auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [scooby/scooby] (from client localhost port 10) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 125 to 127.0.0.1:32784 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 125 with timestamp 43c3dc9c Nothing to do. Sleeping until we see a request. Here is my syntax for radtest: radtest scooby scooby localhost:1645 10 secret My entries in the mysql table radcheck: mysql> select * from radcheck; +----+----------+---------------+----+----------+ | id | UserName | Attribute | op | Value | +----+----------+---------------+----+----------+ | 1 | scooby | User-Password | := | scooby | +----+----------+---------------+----+----------+ Do I have my information specified wrong in my database or not enough information in my database? I can not figure out why I get authentications errors when running radtest. I am not sure where I should specify the auth-type. Any help would be appreciated. Thanks, -- Jonathan Carpenter Linux System Administrator Windows System Administrator <The Unix Geek>
Jonathan Carpenter wrote:
Config: including file: /etc/raddb/sql.conf
That's good.
rad_recv: Access-Request packet from host 127.0.0.1:32784 <http://127.0.0.1:32784>, id=125, length=58 User-Name = "scooby" User-Password = "scooby" NAS-IP-Address = 255.255.255.255 <http://255.255.255.255> NAS-Port = 10 rad_lowerpair: User-Name now 'scooby' rad_rmspace_pair: User-Name now 'scooby' rad_rmspace_pair: User-Password now 'scooby' auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [scooby/scooby] (from client localhost port 10)
So, looks like it has all that info about how to login to your MySQL server and what queries to use, but you never told it to actually use it. Hint: look at the authorize section towards the bottom of your radius.conf. There should be a line like: # sql Uncomment it. -- Dennis Skinner Systems Administrator BlueFrog Internet http://www.bluefrog.com
Here is the entry from my radius.conf authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } } # # Pre-accounting. Decide which accounting type to use. # preacct { preprocess acct_unique suffix #files } # # Accounting. Log the accounting data. # accounting { acct_unique detail unix sql radutmp sql } # Session database, used for checking Simultaneous-Use. Either the radutmp # or rlm_sql module can handle this. # The rlm_sql module is *much* faster session { radutmp sql } # Post-Authentication # Once we KNOW that the user has been authenticated, there are # additional steps we can take. post-auth { sql } } Do I just add sql to the authincate like so? authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } sql <------- } Thanks, On 1/10/06, Dennis Skinner <dskinner@bluefrog.com> wrote:
Jonathan Carpenter wrote:
Config: including file: /etc/raddb/sql.conf
That's good.
rad_recv: Access-Request packet from host 127.0.0.1:32784 <http://127.0.0.1:32784>, id=125, length=58 User-Name = "scooby" User-Password = "scooby" NAS-IP-Address = 255.255.255.255 <http://255.255.255.255> NAS-Port = 10 rad_lowerpair: User-Name now 'scooby' rad_rmspace_pair: User-Name now 'scooby' rad_rmspace_pair: User-Password now 'scooby' auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [scooby/scooby] (from client localhost port 10)
So, looks like it has all that info about how to login to your MySQL server and what queries to use, but you never told it to actually use it.
Hint: look at the authorize section towards the bottom of your radius.conf. There should be a line like:
# sql
Uncomment it.
-- Dennis Skinner Systems Administrator BlueFrog Internet http://www.bluefrog.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Jonathan Carpenter Linux System Administrator Windows System Administrator <The Unix Geek>
I have the authorize section in my radius.conf, what other authorize section do I need? On 1/10/06, Alan DeKok <aland@ox.org> wrote:
Jonathan Carpenter <jonathan.carpenter@gmail.com> wrote:
Here is the entry from my radius.conf ...
And no "authorize" section. From the debug log you posted, it looks like you deleted it completely.
Don't do that.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Jonathan Carpenter Linux System Administrator Windows System Administrator <The Unix Geek>
Hi All, I tried to compile freeradius-1.0.5 on Debian and got following compilation error: -I/usr/local/mysql/include/mysql -I/usr/local/src/freeradius-1.0.5/libltdl -o rlm_sql_mysql.la -rpath /usr/local/radius5/lib sql_mysql.lo -L/usr/local/mysql/lib/mysql -lmysqlclient -lcrypt -lnsl -lm ../zlib/libz.la libtool: link: cannot find the library '../zlib/libz.la' i felt it pretty weired since i have successfully compiled freeradius-1.0.5 on a couple of Debian servers and never encountered such error.and i cannot tell what's the difference between those servers and this problematic one. is there anyth to do with environment variables? my $PATH is /usr/local/bin:/usr/local/sbin:/bin:/usr/bin:/usr/X11/bin:/usr/games:/sbin:/usr/sbin:/opt/gnome/bin:/opt/www/htdig/bin: opt/kde/bin:/usr/share/texmf/bin:/usr/openwin/bin:/usr/local/java/bin:/usr/local/samba/bin:/usr/local/mysql/bin:/usr/local/mysql /libexec:/usr/local/radius/bin:/usr/local/etc:/usr/local/snips/bin:/usr/local/java/bin any advice? thanks in advance. Rgds QZ
I am running freeradius-1.0.2-5.5 and need a solution for the following problem: we want to achieve that freeradius sends back an IP-Address if there is one for that user in LDAP. If the value is empty freeradius shouldnt send back an IP-Address and the NAS should choose one from his own ip-pool. is this possible to realize? greetings, Stefan -- DSL-Aktion wegen gro�er Nachfrage bis 28.2.2006 verl�ngert: GMX DSL-Flatrate 1 Jahr kostenlos* http://www.gmx.net/de/go/dsl
Hi, YES... it is possible ( at least in my case it is ). I've used Framed-IP-Address attribute which I mapped to an attribute in my LDAP directory. As "NAS" I use Poptop daemon ( MS PPTP Server for Linux ). Regards, Edvin -----Original Message----- From: freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.org [mailto:freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.or g] On Behalf Of tschaos@gmx.net Sent: Mittwoch, 11. Jänner 2006 09:16 To: FreeRadius users mailing list Subject: IP-Address assignment - NAS Pool if value is empty in LDAP I am running freeradius-1.0.2-5.5 and need a solution for the following problem: we want to achieve that freeradius sends back an IP-Address if there is one for that user in LDAP. If the value is empty freeradius shouldnt send back an IP-Address and the NAS should choose one from his own ip-pool. is this possible to realize? greetings, Stefan -- DSL-Aktion wegen gro_er Nachfrage bis 28.2.2006 verldngert: GMX DSL-Flatrate 1 Jahr kostenlos* http://www.gmx.net/de/go/dsl - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, that means you configured the NAS to ignore an empty IP value? cause freeradius would send back the empty value to the NAS..this is what i want to avert. but i dont know how :( regards, stefan
--- Ursprüngliche Nachricht --- Von: "Seferovic Edvin" <edvin.seferovic@kolp.at> An: "'FreeRadius users mailing list'" <freeradius-users@lists.freeradius.org> Betreff: RE: IP-Address assignment - NAS Pool if value is empty in LDAP Datum: Wed, 11 Jan 2006 09:37:29 +0100
Hi,
YES... it is possible ( at least in my case it is ). I've used Framed-IP-Address attribute which I mapped to an attribute in my LDAP directory. As "NAS" I use Poptop daemon ( MS PPTP Server for Linux ).
Regards,
Edvin
-----Original Message----- From: freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.org
[mailto:freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.or
g] On Behalf Of tschaos@gmx.net Sent: Mittwoch, 11. Jänner 2006 09:16 To: FreeRadius users mailing list Subject: IP-Address assignment - NAS Pool if value is empty in LDAP
I am running freeradius-1.0.2-5.5 and need a solution for the following problem:
we want to achieve that freeradius sends back an IP-Address if there is one for that user in LDAP. If the value is empty freeradius shouldnt send back an IP-Address and the NAS should choose one from his own ip-pool.
is this possible to realize?
greetings, Stefan
-- DSL-Aktion wegen gro_er Nachfrage bis 28.2.2006 verldngert: GMX DSL-Flatrate 1 Jahr kostenlos* http://www.gmx.net/de/go/dsl - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Lust, ein paar Euro nebenbei zu verdienen? Ohne Kosten, ohne Risiko! Satte Provisionen für GMX Partner: http://www.gmx.net/de/go/partner
I am running freeradius-1.0.2-5.5 and need a solution for the following problem:
we want to achieve that freeradius sends back an IP-Address if there is one for that user in LDAP. If the value is empty freeradius shouldnt send back an IP-Address and the NAS should choose one from his own ip-pool.
That will work out of the box. Make sure in ldap.attrmap you have replyItem Framed-IP-Address radiusFramedIPAddress replyItem Framed-IP-Netmask radiusFramedIPNetmask **You can change those to whatever you store it as in ldap. Then in the user, you put the IP. dn: uid=someuser,ou=..... radiusFramedIPAddress: 1.1.1.1 radiusFramedIPNetmask: 255.255.255.0 Then rlm_ldap, will look for an attribute of radiusFramedIPAddress and radiusFramedIPNetmask in ldap. If it exists, it will send it back in the access-accept as a reply item. If it doesn't exist, it won't send anything. Did you try this yet? If so and it isn't working for you, please send debug output (radiusd -X).
Jonathan Carpenter <jonathan.carpenter@gmail.com> wrote:
I have the authorize section in my radius.conf, what other authorize section do I need?
It wasn't included in the debug output, or in the snippets from radiusd.conf. So one of two situations exist: a) it wasn't in radiusd.conf b) you edited the debug output & radiusd.conf to remove it If (a), then it explains why the server doesn't do what you want. If (b), then you've gone out of your way to remove information that is needed to help you solve the problem. Alan DeKok.
Jonathan Carpenter wrote:
Here is the entry from my radius.conf
authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } }
Read what I wrote below. It says "authorize" section. That is the 1 section you did not show us. As Alan said, you are either missing it or making it hard for ppl to help you.
Hint: look at the authorize section towards the bottom of your radius.conf. There should be a line like:
# sql
Uncomment it.
-- Dennis Skinner Systems Administrator BlueFrog Internet http://www.bluefrog.com
Jonathan Carpenter wrote:
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. This doesn't look promising.
-- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
participants (9)
-
Alan DeKok -
Chaos Commander -
Dennis Skinner -
Dusty Doris -
Jonathan Carpenter -
Lewis Bergman -
Qin Zhen -
Seferovic Edvin -
tschaos@gmx.net