Because of the issues I've been having with authentication with Freeradius I started from scratch and used RPM to remove Freeradius and then re-installed the latest version. I needed to be able to accept both PAP and CHAP authentication, however I couldn't get it to do both and had to by default to get it to auth everyone no matter what the password should be. But I don't see this as ideal. Since I took over the radius server from someone else I'm guessing it had been changed by the previous person to the extend where only a re-install would solve the problem. I read that out of the box Freeradius would accept both PAP and CHAP authentication as long as the password was in clear text and I used "Password ==". So I re-installed Freeradius version freeradius-1.0.1-3.RHEL4.3 and convert all the entries from Auth-Type := Accept to "Password == <password>" where <password> was the users password. On testing I found users still couldn't authenticate by PAP or CHAP, I run "radiusd -X" and from what I could see its because of the Default setting: DEFAULT Auth-Type = System Fall-Through = 1 The NAS is a Cisco 7204VXR and the line for the authentication is: ppp authentication pap chap callin Here is the debug from radius ################ Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.3:1645, id=142, length=95 Framed-Protocol = PPP User-Name = "user1@bb.adslco.com" User-Password = "deabercyap" NAS-Port-Type = Virtual NAS-Port = 1074 Service-Type = Framed-User NAS-IP-Address = 10.0.0.3 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: Looking up realm "bb.adslco.com" for User-Name = "user1@bb.adslco.com" rlm_realm: No such realm "bb.adslco.com" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched DEFAULT at 152 users: Matched DEFAULT at 171 users: Matched DEFAULT at 183 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns notfound for request 0 modcall: group authenticate returns notfound for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 142 to 10.0.0.3:1645 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 142 with timestamp 443377fc Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 10.0.0.3:1645, id=143, length=95 Framed-Protocol = PPP User-Name = "user1@bb.adslco.com" User-Password = "" NAS-Port-Type = Virtual NAS-Port = 643 Service-Type = Framed-User NAS-IP-Address = 10.0.0.3 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: Looking up realm "bb.adslco.com" for User-Name = "user1@bb.adslco.com" rlm_realm: No such realm "bb.adslco.com" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 users: Matched DEFAULT at 152 users: Matched DEFAULT at 171 users: Matched DEFAULT at 183 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns ok for request 1 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 modcall[authenticate]: module "unix" returns notfound for request 1 modcall: group authenticate returns notfound for request 1 auth: Failed to validate the user. Delaying request 1 for 1 seconds Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 143 to 10.0.0.3:1645 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 143 with timestamp 44337809 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 10.0.0.3:1645, id=144, length=95 Framed-Protocol = PPP User-Name = "user2@bb.adslco.com" User-Password = "" NAS-Port-Type = Virtual NAS-Port = 1154 Service-Type = Framed-User NAS-IP-Address = 10.0.0.3 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: Looking up realm "bb.adslco.com" for User-Name = "user2@bb.adslco.com" rlm_realm: No such realm "bb.adslco.com" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 2 users: Matched DEFAULT at 152 users: Matched DEFAULT at 171 users: Matched DEFAULT at 183 modcall[authorize]: module "files" returns ok for request 2 modcall: group authorize returns ok for request 2 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 modcall[authenticate]: module "unix" returns notfound for request 2 modcall: group authenticate returns notfound for request 2 auth: Failed to validate the user. Delaying request 2 for 1 seconds Finished request 2 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 144 to 10.0.0.3:1645 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 144 with timestamp 44337821 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 10.0.0.3:1645, id=145, length=95 Framed-Protocol = PPP User-Name = "user2@bb.adslco.com" User-Password = "wewyam" NAS-Port-Type = Virtual NAS-Port = 108 Service-Type = Framed-User NAS-IP-Address = 10.0.0.3 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: Looking up realm "bb.adslco.com" for User-Name = "user2@bb.adslco.com" rlm_realm: No such realm "bb.adslco.com" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 3 users: Matched DEFAULT at 152 users: Matched DEFAULT at 171 users: Matched DEFAULT at 183 modcall[authorize]: module "files" returns ok for request 3 modcall: group authorize returns ok for request 3 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 modcall[authenticate]: module "unix" returns notfound for request 3 modcall: group authenticate returns notfound for request 3 auth: Failed to validate the user. Delaying request 3 for 1 seconds Finished request 3 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 145 to 10.0.0.3:1645 Waking up in 4 seconds... ####################### What do I need to change to get Freeradius to accept both PAP and CHAP authentication? Thanks Tony -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Tony Spencer wrote:
On testing I found users still couldn't authenticate by PAP or CHAP, I run "radiusd -X" and from what I could see its because of the Default setting:
DEFAULT Auth-Type = System
Fall-Through = 1
That is no longer in the default config in CVS. If/when it'll make it into a release version, one of the developers would have to reply.
What do I need to change to get Freeradius to accept both PAP and CHAP authentication?
Remove that entry for a start. FR 1.0.1 isn't a version I have installed or the source knocking around for, but at least in current versions (fixed in CVS) the handling of PAP and Auth-Type is a little inconsistent - there's no authorize handler for PAP. You want something like: modules { pap { encryption_scheme = clear } chap { authtype = CHAP } # .. rest of modules } authorize { preprocess chap files } authenticate { Auth-Type CHAP { chap } Auth-Type PAP { pap } } ...and in "users": username User-Password := "string", Auth-Type = PAP ...since the Auth-Type is set using "=" if Auth-Type is ALREADY CHAP from the chap module, it won't be changed. If it isn't set, it'll be set to PAP and executed appropriately.
Phil Thanks for that. I'll do some testing out of hours this evening and see how it goes. Tony -----Original Message----- From: freeradius-users-bounces+tony=games-master.co.uk@lists.freeradius.org [mailto:freeradius-users-bounces+tony=games-master.co.uk@lists.freeradius.or g] On Behalf Of Phil Mayers Sent: 05 April 2006 09:46 To: FreeRadius users mailing list Subject: Re: FreeRadius out of the box.... Tony Spencer wrote:
On testing I found users still couldn't authenticate by PAP or CHAP, I run "radiusd -X" and from what I could see its because of the Default setting:
DEFAULT Auth-Type = System
Fall-Through = 1
That is no longer in the default config in CVS. If/when it'll make it into a release version, one of the developers would have to reply.
What do I need to change to get Freeradius to accept both PAP and CHAP authentication?
Remove that entry for a start. FR 1.0.1 isn't a version I have installed or the source knocking around for, but at least in current versions (fixed in CVS) the handling of PAP and Auth-Type is a little inconsistent - there's no authorize handler for PAP. You want something like: modules { pap { encryption_scheme = clear } chap { authtype = CHAP } # .. rest of modules } authorize { preprocess chap files } authenticate { Auth-Type CHAP { chap } Auth-Type PAP { pap } } ...and in "users": username User-Password := "string", Auth-Type = PAP ...since the Auth-Type is set using "=" if Auth-Type is ALREADY CHAP from the chap module, it won't be changed. If it isn't set, it'll be set to PAP and executed appropriately. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Hello All, I am trying to test the freeradius to work with postgresql database. Just installed freeradius 1.1.0 on debian system via 'aptitude install' command of debian. The radiusd.conf file was modified to work with postgresql and the postgresql.conf file also put in the position for FR to use. However, when I issued command to start the FR, the radius server did not start! In the log file, it shows: Error: rlm_sql (sql): Could not link driver rlm_sql_postgresql: rlm_sql_postgresql.so: cannot open shared object file: No such file or directory Error: rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld. Error: radiusd.conf[6]: sql: Module instantiation failed. Error: radiusd.conf[1111] Unknown module "sql". Error: radiusd.conf[1106] Failed to parse authorize section. The last three entries seems like just the consiquences of cannot find the postgresql driver. But the first two entries make me panic! In my postgresql.conf file, the driver is listed as driver="rlm_sql_postgresql" as indicated by FR. But why I got the err of 'cannot open shared object file: No such file or directory'? Please can anyone tell what is happenning? And what should I do now?? Where is the rlm_sql_postgresql driver?? pretty panic:( Help!! Highly appreciate any help from you!! Thanks!!! leo __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
I tried that way and it's still failing. The debug shows: ### Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 10.0.0.1:1645, id=91, length=97 Framed-Protocol = PPP User-Name = "user1@dsl.adslco.com" User-Password = "password" NAS-Port-Type = Virtual NAS-Port = 267 Service-Type = Framed-User NAS-IP-Address = 10.0.0.1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 13 modcall[authorize]: module "preprocess" returns ok for request 13 modcall[authorize]: module "chap" returns noop for request 13 rlm_realm: Looking up realm "dsl.adslco.com" for User-Name = "user1@dsl.adslco.com" rlm_realm: No such realm "dsl.adslco.com" modcall[authorize]: module "suffix" returns noop for request 13 users: Matched DEFAULT at 168 users: Matched DEFAULT at 180 modcall[authorize]: module "files" returns ok for request 13 modcall: group authorize returns ok for request 13 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [user1@dsl.adslco.com/password] (from client l2tp-tunnel port 267) Delaying request 13 for 1 seconds Finished request 13 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 91 to 10.0.0.1:1645 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 13 ID 91 with timestamp 4434a5b6 Nothing to do. Sleeping until we see a request. ### It looks like because I removed: ### DEFAULT Auth-Type = System Fall-Through = 1 ### It's failing because no Auth-Type is set. Tony -----Original Message----- From: freeradius-users-bounces+tony=games-master.co.uk@lists.freeradius.org [mailto:freeradius-users-bounces+tony=games-master.co.uk@lists.freeradius.or g] On Behalf Of Phil Mayers Sent: 05 April 2006 09:46 To: FreeRadius users mailing list Subject: Re: FreeRadius out of the box.... Tony Spencer wrote:
On testing I found users still couldn't authenticate by PAP or CHAP, I run "radiusd -X" and from what I could see its because of the Default setting:
DEFAULT Auth-Type = System
Fall-Through = 1
That is no longer in the default config in CVS. If/when it'll make it into a release version, one of the developers would have to reply.
What do I need to change to get Freeradius to accept both PAP and CHAP authentication?
Remove that entry for a start. FR 1.0.1 isn't a version I have installed or the source knocking around for, but at least in current versions (fixed in CVS) the handling of PAP and Auth-Type is a little inconsistent - there's no authorize handler for PAP. You want something like: modules { pap { encryption_scheme = clear } chap { authtype = CHAP } # .. rest of modules } authorize { preprocess chap files } authenticate { Auth-Type CHAP { chap } Auth-Type PAP { pap } } ...and in "users": username User-Password := "string", Auth-Type = PAP ...since the Auth-Type is set using "=" if Auth-Type is ALREADY CHAP from the chap module, it won't be changed. If it isn't set, it'll be set to PAP and executed appropriately. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
On Wed, 2006-05-04 at 09:07 +0100, Tony Spencer wrote:
Because of the issues I've been having with authentication with Freeradius I started from scratch and used RPM to remove Freeradius and then re-installed the latest version.
I needed to be able to accept both PAP and CHAP authentication, however I couldn't get it to do both and had to by default to get it to auth everyone no matter what the password should be. But I don't see this as ideal.
Since I took over the radius server from someone else I'm guessing it had been changed by the previous person to the extend where only a re- install would solve the problem.
I read that out of the box Freeradius would accept both PAP and CHAP authentication as long as the password was in clear text and I used "Password ==".
So I re-installed Freeradius version freeradius-1.0.1-3.RHEL4.3 and convert all the entries from Auth-Type := Accept to "Password == <password>" where <password> was the users password. ...snip...
DEFAULT Auth-Type = System
Fall-Through = 1 ...snip...
Auth-Type = System is for reading the user names from the password file IIRC. Try : Auth-Type = Local
participants (4)
-
Guy Fraser -
lmyho -
Phil Mayers -
Tony Spencer