Hello, I need a little help:) I am setting radius for voip. I comment sql in default file (authorize, Authentication) and I enable voip-postpaid for postgresql. I have import filw for databases in /etc/raddb/sql/postgresql/shema.sql. Please help me out! thanks! I have put users in table but I am getting this error: Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/sql/postgresql/voip-postpaid.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/default main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client 1.2.3.4 { require_message_authenticator = no secret = "b" shortname = "intraswitch" nastype = "cisco" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Linked to module rlm_pam Module: Instantiating module "pam" from file /etc/raddb/modules/pam pam { pam_auth = "radiusd" } Module: Instantiating module "attr_filter.access_challenge" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_challenge { attrsfile = "/etc/raddb/attrs.access_challenge" key = "%{User-Name}" } Module: Linked to module rlm_always Module: Instantiating module "handled" from file /etc/raddb/modules/always always handled { rcode = "handled" simulcount = 0 mpp = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "ok" from file /etc/raddb/modules/always always ok { rcode = "ok" simulcount = 0 mpp = no } Module: Linked to module rlm_sql Module: Instantiating module "pgsql-voip" from file /etc/raddb/sql/postgresql/voip-postpaid.conf sql pgsql-voip { driver = "rlm_sql_postgresql" server = "localhost" port = "" login = "softnet" password = "soft1234" radius_db = "radius" read_groups = yes sqltrace = no sqltracefile = "/var/log/radius/sqltrace.sql" readclients = no deletestalesessions = yes num_sql_socks = 25 lifetime = 0 max_queries = 0 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id,nasname,shortname,type,secret FROM nas" authorize_check_query = "" authorize_group_check_query = "" authorize_group_reply_query = "" accounting_onoff_query = "" accounting_update_query = "" accounting_update_query_alt = "" accounting_start_query = "INSERT into Start%{h323-call-type} (RadiusServerName, UserName, NASIPAddress, AcctTime, CalledStationId, CallingStationId, AcctDelayTime, h323gwid, h323callorigin, h323setuptime, H323ConnectTime, callid) values('FreeRADIUS', '%{SQL-User-Name}', '%{NAS-IP-Address}', now(), '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Delay-Time:-0}', '%{h323-gw-id}', '%{h323-call-origin}', strip_dot('%{h323-setup-time}'), strip_dot('%{h323-connect-time}'), pick_id('%{h323-conf-id}', '%{call-id}'))" accounting_start_query_alt = "" accounting_stop_query = "INSERT into Stop%{h323-call-type} (RadiusServerName, UserName, NASIPAddress, AcctTime, AcctSessionTime, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctDelayTime, H323RemoteAddress, H323VoiceQuality, CiscoNASPort, h323callorigin, callid, h323connecttime, h323disconnectcause, h323disconnecttime, h323gwid, h323setuptime) values('FreeRADIUS', '%{SQL-User-Name}', '%{NAS-IP-Address}', now(), '%{Acct-Session-Time:-0}', '%{Acct-Input-Octets:-0}', '%{Acct-Output-Octets:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Delay-Time:-0}', NULLIF('%{h323-remote-address}', '')::inet, NULLIF('%{h323-voice-quality}','')::integer, NULLIF('%{Cisco-NAS-Port}', ''), '%{h323-call-origin}', pick_id('%{h323-conf-id}', '%{call-id}'), strip_dot('%{h323-connect-time}'), '%{h323-disconnect-cause}', strip_dot('%{h323-disconnect-time}'), '%{h323-gw-id}', strip_dot('%{h323-setup-time}'))" accounting_stop_query_alt = "" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "" postauth_query = "" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql Creating new attribute pgsql-voip-SQL-Group rlm_sql (pgsql-voip): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked rlm_sql (pgsql-voip): Attempting to connect to softnet@localhost:/radius rlm_sql (pgsql-voip): starting 0 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #0 rlm_sql (pgsql-voip): Connected new DB handle, #0 rlm_sql (pgsql-voip): starting 1 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #1 rlm_sql (pgsql-voip): Connected new DB handle, #1 rlm_sql (pgsql-voip): starting 2 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #2 rlm_sql (pgsql-voip): Connected new DB handle, #2 rlm_sql (pgsql-voip): starting 3 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #3 rlm_sql (pgsql-voip): Connected new DB handle, #3 rlm_sql (pgsql-voip): starting 4 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #4 rlm_sql (pgsql-voip): Connected new DB handle, #4 rlm_sql (pgsql-voip): starting 5 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #5 rlm_sql (pgsql-voip): Connected new DB handle, #5 rlm_sql (pgsql-voip): starting 6 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #6 rlm_sql (pgsql-voip): Connected new DB handle, #6 rlm_sql (pgsql-voip): starting 7 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #7 rlm_sql (pgsql-voip): Connected new DB handle, #7 rlm_sql (pgsql-voip): starting 8 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #8 rlm_sql (pgsql-voip): Connected new DB handle, #8 rlm_sql (pgsql-voip): starting 9 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #9 rlm_sql (pgsql-voip): Connected new DB handle, #9 rlm_sql (pgsql-voip): starting 10 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #10 rlm_sql (pgsql-voip): Connected new DB handle, #10 rlm_sql (pgsql-voip): starting 11 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #11 rlm_sql (pgsql-voip): Connected new DB handle, #11 rlm_sql (pgsql-voip): starting 12 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #12 rlm_sql (pgsql-voip): Connected new DB handle, #12 rlm_sql (pgsql-voip): starting 13 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #13 rlm_sql (pgsql-voip): Connected new DB handle, #13 rlm_sql (pgsql-voip): starting 14 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #14 rlm_sql (pgsql-voip): Connected new DB handle, #14 rlm_sql (pgsql-voip): starting 15 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #15 rlm_sql (pgsql-voip): Connected new DB handle, #15 rlm_sql (pgsql-voip): starting 16 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #16 rlm_sql (pgsql-voip): Connected new DB handle, #16 rlm_sql (pgsql-voip): starting 17 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #17 rlm_sql (pgsql-voip): Connected new DB handle, #17 rlm_sql (pgsql-voip): starting 18 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #18 rlm_sql (pgsql-voip): Connected new DB handle, #18 rlm_sql (pgsql-voip): starting 19 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #19 rlm_sql (pgsql-voip): Connected new DB handle, #19 rlm_sql (pgsql-voip): starting 20 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #20 rlm_sql (pgsql-voip): Connected new DB handle, #20 rlm_sql (pgsql-voip): starting 21 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #21 rlm_sql (pgsql-voip): Connected new DB handle, #21 rlm_sql (pgsql-voip): starting 22 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #22 rlm_sql (pgsql-voip): Connected new DB handle, #22 rlm_sql (pgsql-voip): starting 23 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #23 rlm_sql (pgsql-voip): Connected new DB handle, #23 rlm_sql (pgsql-voip): starting 24 rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #24 rlm_sql (pgsql-voip): Connected new DB handle, #24 Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 1.2.3.4 port 60513, id=144, length=206 Acct-Multi-Session-Id = "1291717568337" Cisco-Attr-130 = 0x683332332d63616c6c696e672d656e74657270726973652d69643d656e74504258 Calling-Station-Id = "81609000" NAS-Identifier = "intraswitch" NAS-IP-Address = 1.2.3.4 3GPP2-Prepaid-acct-Capability = 0x010600000002 3GPP2-Session-Termination-Capability = 1 h323-conf-id = "h323-conf-id=1291717568337" Vendor-Specific = 0x00000009 Event-Timestamp = "Dec 7 2010 11:26:08 CET" User-Name = "081609000" User-Password = "12345" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "081609000", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 081609000 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Voip-database-tp3295546p3295546.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Tue, Dec 7, 2010 at 5:27 PM, miha- <miha_zoubek@hotmail.com> wrote:
Hello,
I need a little help:) I am setting radius for voip. I comment sql in default file (authorize, Authentication)
what do you mean you "comment sql"? You DO know that for it to be used, the sql module needs to be configured correctly, AND it needs to be used on authorize and authentication section, right?
Module: Instantiating module "pgsql-voip" from file /etc/raddb/sql/postgresql/voip-postpaid.conf sql pgsql-voip {
looks like the module is instantiated correctly
# Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "081609000", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject
Do you have "pgsql-voip" line on your authorize and authenticate sections? Looks like you don't. -- Fajar
I have uncomment only this # Cisco VoIP specific bulk accounting pgsql-voip under accounting section. I have not found it under authorize and authenticate. Must I put it there? Thanks! -- View this message in context: http://freeradius.1045715.n5.nabble.com/Voip-database-tp3295546p3295827.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Tue, Dec 7, 2010 at 9:17 PM, miha- <miha_zoubek@hotmail.com> wrote:
I have uncomment only this # Cisco VoIP specific bulk accounting pgsql-voip under accounting section. I have not found it under authorize and authenticate.
Must I put it there?
On second thought, you might not need it in authenticate. You'd need it in authorize and authenticate. Basically it depends on what you're trying to do. If you want to use users and password stored in sql database, then you need it on authorize section. If you want to log accounting entries in sql database, then you need it on accounting section. Look at the original /etc/raddb/sites-enabled/default that comes with your distro, and see where it puts "sql" line. -- Fajar
On Tue, Dec 7, 2010 at 9:24 PM, Fajar A. Nugraha <work@fajar.net> wrote:
On Tue, Dec 7, 2010 at 9:17 PM, miha- <miha_zoubek@hotmail.com> wrote:
I have uncomment only this # Cisco VoIP specific bulk accounting pgsql-voip under accounting section. I have not found it under authorize and authenticate.
Must I put it there?
On second thought, you might not need it in authenticate. You'd need it in authorize and authenticate.
I meant to say "authorize and accounting". -- Fajar
Thank you!!! I put it there but still the same problem: authorize { # # The preprocess module takes care of sanitizing some bizarre # attributes in the request, and turning them into attributes # which are more standard. # # It takes care of processing the 'raddb/hints' and the # 'raddb/huntgroups' files. preprocess # # If you want to have a log of authentication requests, # un-comment the following line, and the 'detail auth_log' # section, above.# auth_log # # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set chap # # If the users are logging in with an MS-CHAP-Challenge # attribute for authentication, the mschap module will find # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' # to the request, which will cause the server to then use # the mschap module for authentication. mschap # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authenticate' section. digest # # The WiMAX specification says that the Calling-Station-Id # is 6 octets of the MAC. This definition conflicts with # RFC 3580, and all common RADIUS practices. Un-commenting # the "wimax" module here means that it will fix the # Calling-Station-Id attribute to the normal format as # specified in RFC 3580 Section 3.21# wimax # # Look for IPASS style 'realm/', and if not found, look for # '@realm', and decide whether or not to proxy, based on # that.# IPASS # # If you are using multiple kinds of realms, you probably # want to set "ignore_null = yes" for all of them. # Otherwise, when the first style of realm doesn't match, # the other styles won't be checked. # suffix# ntdomain # # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP # authentication. # # It also sets the EAP-Type attribute in the request # attribute list to the EAP type from the packet. # # As of 2.0, the EAP module returns "ok" in the authorize stage # for TTLS and PEAP. In 1.x, it never returned "ok" here, so # this change is compatible with older configurations. # # The example below uses module failover to avoid querying all # of the following modules if the EAP module returns "ok". # Therefore, your LDAP and/or SQL servers will not be queried # for the many packets that go back and forth to set up TTLS # or PEAP. The load on those servers will therefore be reduced. # eap { ok = return } # # Pull crypt'd passwords from /etc/passwd or /etc/shadow, # using the system API's to get the password. If you want # to read /etc/passwd or /etc/shadow directly, see the # passwd module in radiusd.conf. ## unix # # Read the 'users' file #files # # Look in an SQL database. The schema of the database # is meant to mirror the "users" file. # # See "Authorization Queries" in sql.conf #sql pgsql-voip # # If you are using /etc/smbpasswd, and are also doing # mschap authentication, the un-comment this line, and # configure the 'etc_smbpasswd' module, above.# etc_smbpasswd # # The ldap module will set Auth-Type to LDAP if it has not # already been set# ldap # # Enforce daily limits on time spent logged in.# daily # # Use the checkval module# checkval expiration logintime pap # Autz-Type Status-Server {## }} #authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. #Auth-Type PAP { # pap #} # # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. Auth-Type CHAP { chap } # # MSCHAP authentication. Auth-Type MS-CHAP { mschap } # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authorize' section. digest # # Pluggable Authentication Modules. pam # # See 'man getpwent' for information on how the 'unix' # module checks the users password. Note that packets # containing CHAP-Password attributes CANNOT be authenticated # against /etc/passwd! See the FAQ for details. # # For normal "crypt" authentication, the "pap" module should # be used instead of the "unix" module. The "unix" module should # be used for authentication ONLY for compatibility with legacy # FreeRADIUS configurations. # unix # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password.# Auth-Type LDAP {# ldap# } # # Allow EAP authentication. eap # # The older configurations sent a number of attributes in # Access-Challenge packets, which wasn't strictly correct. # If you want to filter out these attributes, uncomment # the following lines. # Auth-Type eap { eap { handled = 1 } if (handled && (Response-Packet-Type == Access-Challenge)) { attr_filter.access_challenge.post-auth handled # override the "updated" code from attr_filter } }} ## Pre-accounting. Decide which accounting type to use.#preacct { preprocess # # Session start times are *implied* in RADIUS. # The NAS never sends a "start time". Instead, it sends # a start packet, *possibly* with an Acct-Delay-Time. # The server is supposed to conclude that the start time # was "Acct-Delay-Time" seconds in the past. # # The code below creates an explicit start time, which can # then be used in other modules. # # The start time is: NOW - delay - session_length # # update request {# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"# } # # Ensure that we have a semi-unique identifier for every # request, and many NAS boxes are broken. acct_unique # # Look for IPASS-style 'realm/', and if not found, look for # '@realm', and decide whether or not to proxy, based on # that. # # Accounting requests are generally proxied to the same # home server as authentication requests.# IPASS suffix# ntdomain # # Read the 'acct_users' file #files} ## Accounting. Log the accounting data.#accounting { if (noop) { ok } } session { radutmp } post-auth { # ldap exec # } edir_account_policy_check = yes' in the ldap module configuration # Post-Auth-Type REJECT { # log failed authentications in SQL, too.# sql attr_filter.access_reject }} pre-proxy { } post-proxy { # post_proxy_log # attr_rewrite # attr_filter.post-proxy # eap # Post-Proxy-Type Fail {# detail# }} }Listening on authentication address * port 1812Listening on accounting address * port 1813Listening on command file /var/run/radiusd/radiusd.sockListening on authentication address 127.0.0.1 port 18120 as server inner-tunnelListening on proxy address * port 1814Ready to process requests.rad_recv: Access-Request packet from host 212.13.228.58 port 49883, id=136, length=206 Acct-Multi-Session-Id = "1291732743095" Cisco-Attr-130 = 0x683332332d63616c6c696e672d656e74657270726973652d69643d656e74504258 Calling-Station-Id = "81609000" NAS-Identifier = "intraswitch" NAS-IP-Address = 212.13.228.58 3GPP2-Prepaid-acct-Capability = 0x010600000002 3GPP2-Session-Termination-Capability = 1 h323-conf-id = "h323-conf-id=1291732743095" Vendor-Specific = 0x00000009 Event-Timestamp = "Dec 7 2010 15:39:03 CET" User-Name = "081609000" User-Password = "12345"# Executing section authorize from file /etc/raddb/sites-enabled/default+- entering group authorize {...}++[preprocess] returns ok++[chap] returns noop++[mschap] returns noop++[digest] returns noop[suffix] No '@' in User-Name = "081609000", looking up realm NULL[suffix] No such realm "NULL"++[suffix] returns noop[eap] No EAP-Message, not doing EAP++[eap] returns noop[pgsql-voip] expand: %{User-Name} -> 081609000[pgsql-voip] sql_set_user escaped user --> '081609000'rlm_sql (pgsql-voip): Reserving sql socket id: 24[pgsql-voip] expand: -> [pgsql-voip] Error generating query; rejecting userrlm_sql (pgsql-voip): Released sql socket id: 24++[pgsql-voip] returns failUsing Post-Auth-Type Reject# Executing group from file /etc/raddb/sites-enabled/default+- entering group REJECT {...}[attr_filter.access_reject] expand: %{User-Name} -> 081609000 attr_filter: Matched entry DEFAULT at line 11++[attr_filter.access_reject] returns updatedDelaying reject of request 0 for 1 secondsGoing to the next requestWaking up in 0.9 seconds.
Date: Tue, 7 Dec 2010 21:26:18 +0700 Subject: Re: Voip database From: work@fajar.net To: freeradius-users@lists.freeradius.org
On Tue, Dec 7, 2010 at 9:24 PM, Fajar A. Nugraha <work@fajar.net> wrote:
On Tue, Dec 7, 2010 at 9:17 PM, miha- <miha_zoubek@hotmail.com> wrote:
I have uncomment only this # Cisco VoIP specific bulk accounting pgsql-voip under accounting section. I have not found it under authorize and authenticate.
Must I put it there?
On second thought, you might not need it in authenticate. You'd need it in authorize and authenticate.
I meant to say "authorize and accounting".
-- Fajar
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, Dec 7, 2010 at 9:39 PM, Miha Zoubek <miha_zoubek@hotmail.com> wrote:
I put it there but still the same problem:
No, it's not. It's a different problem. Look at the debug log you posted and you'll see it's a different problem altogether.
[pgsql-voip] expand: %{User-Name} -> 081609000 [pgsql-voip] sql_set_user escaped user --> '081609000' rlm_sql (pgsql-voip): Reserving sql socket id: 24 [pgsql-voip] expand: -> [pgsql-voip] Error generating query; rejecting user
I'd focus on the last two lines. If the contents of your sql conf file contains something like this (as shown in your previous debug) authorize_check_query = "" authorize_group_check_query = "" authorize_group_reply_query = "" then the simple answer is you broke the config. Look at the original .conf file that comes with the distro/freeradius source (should be dialup.conf or some other file under /etc/raddb/sql or its subdirectory). -- Fajar
I have replace voip-postpaid.conf with new one but still the same. I this configuration file (voip-postpaid.conf) is written: uthcheck_table = "radcheck" authreply_table = "radreply" groupcheck_table = "radgroupcheck" groupreply_table = "radgroupreply" usergroup_table = "radusergroup" But in readme file is written that I must import cisco_h323_db_schema.sql in postgresql. In this shema (cisco_h323_db_schema.sql) there is no rad check or radreplay, only startvoip, etc. Thank you very much with your help!!! miha
Date: Tue, 7 Dec 2010 22:43:32 +0700 Subject: Re: Voip database From: work@fajar.net To: freeradius-users@lists.freeradius.org
On Tue, Dec 7, 2010 at 9:39 PM, Miha Zoubek <miha_zoubek@hotmail.com> wrote:
I put it there but still the same problem:
No, it's not. It's a different problem. Look at the debug log you posted and you'll see it's a different problem altogether.
[pgsql-voip] expand: %{User-Name} -> 081609000 [pgsql-voip] sql_set_user escaped user --> '081609000' rlm_sql (pgsql-voip): Reserving sql socket id: 24 [pgsql-voip] expand: -> [pgsql-voip] Error generating query; rejecting user
I'd focus on the last two lines. If the contents of your sql conf file contains something like this (as shown in your previous debug)
authorize_check_query = "" authorize_group_check_query = "" authorize_group_reply_query = ""
then the simple answer is you broke the config. Look at the original .conf file that comes with the distro/freeradius source (should be dialup.conf or some other file under /etc/raddb/sql or its subdirectory).
-- Fajar
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Wed, Dec 8, 2010 at 2:55 PM, Miha Zoubek <miha_zoubek@hotmail.com> wrote:
I have replace voip-postpaid.conf with new one but still the same. I this configuration file (voip-postpaid.conf) is written: uthcheck_table = "radcheck" authreply_table = "radreply" groupcheck_table = "radgroupcheck" groupreply_table = "radgroupreply" usergroup_table = "radusergroup"
Perhaps we started on the wrong assumptions. What do you intend to use postgresql for? Is it (a) only to store accounting data, or (b) to store user names/password AND accounting data if it's (a), then there should be nothing wrong with your first config. You simply need to place user data for "081609000" in whatever "database" you choose (whether it's users file, or something else). The error could simply be because you haven't define that user yet. If it's (b), then you need to forget for a moment that you're using it for voip. It doesn't really matter with regards to the problem you're facing. Get freeradius working with postgresql first. Your debug log says authorize_check_query = "" authorize_group_check_query = "" authorize_group_reply_query = "" when the they should not be empty. Fix that first. Worry about the rest later, after you fix that. The easiest way to do that, IMHO, is forget about voip-postpaid.conf and cisco_h323_db_schema.sql for the moment. Stick to the default sql.conf, sql/postgresql/dialup.conf, and sql/postgresql/schema.sql. AFTER you get it to work, then you can try to get that particular conf and sql scheme working. Perhaps the author might be able to help. The default sql.conf/dialup.conf and schema should work for voip or whatever. Probably not as efficient, but it'd still work. -- Fajar
Thank you for your help! I included dailup.conf in voip-postpaid.conf.Now I getting different error: I have put this in tables: Nas: nasname: intraswitch, shortname: intraswitch, type: other, port: 1812: sercet: b, server: 1.2.3.4 (ip server), nad for comunity and dicription nullRadcheck: id: 1, username: 081609000, attribure: Cleartext-Password, Value: 12345, op: :=Radreply: id:1 , username: 081609000: atributte: Fall-Through, op: =, vaule: yes Thank you! ecv: Access-Request packet from host 212.13.228.58 port 38380, id=198, length=206 Acct-Multi-Session-Id = "1291817780502" Cisco-Attr-130 = 0x683332332d63616c6c696e672d656e74657270726973652d69643d656e74504258 Calling-Station-Id = "81609000" NAS-Identifier = "intraswitch" NAS-IP-Address = 212.13.228.58 3GPP2-Prepaid-acct-Capability = 0x010600000002 3GPP2-Session-Termination-Capability = 1 h323-conf-id = "h323-conf-id=1291817780502" Vendor-Specific = 0x00000009 Event-Timestamp = "Dec 8 2010 15:16:20 CET" User-Name = "081609000" User-Password = "12345"# Executing section authorize from file /etc/raddb/sites-enabled/default+- entering group authorize {...}++[preprocess] returns ok++[chap] returns noop++[mschap] returns noop++[digest] returns noop[suffix] No '@' in User-Name = "081609000", looking up realm NULL[suffix] No such realm "NULL"++[suffix] returns noop[eap] No EAP-Message, not doing EAP++[eap] returns noop[pgsql-voip] expand: %{User-Name} -> 081609000[pgsql-voip] sql_set_user escaped user --> '081609000'rlm_sql (pgsql-voip): Reserving sql socket id: 24[pgsql-voip] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '081609000' ORDER BY idrlm_sql_postgresql: Status: PGRES_TUPLES_OKrlm_sql_postgresql: query affected rows = 1 , fields = 5[pgsql-voip] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='081609000' ORDER BY priorityrlm_sql_postgresql: Status: PGRES_TUPLES_OKrlm_sql_postgresql: query affected rows = 0 , fields = 1rlm_sql (pgsql-voip): Released sql socket id: 24[pgsql-voip] User 081609000 not found++[pgsql-voip] returns notfound++[expiration] returns noop++[logintime] returns noop[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.++[pap] returns noopERROR: No authenticate method (Auth-Type) found for the request: Rejecting the userFailed to authenticate the user.Using Post-Auth-Type Reject# Executing group from file /etc/raddb/sites-enabled/default+- entering group REJECT {...}[attr_filter.access_reject] expand: %{User-Name} -> 081609000 attr_filter: Matched entry DEFAULT at line 11++[attr_filter.access_reject] returns updatedDelaying reject of request 0 for 1 secondsGoing to the next requestWaking up in 0.9 seconds.rad_recv: Access-Request packet from host 212.13.228.58 port 38380, id=198, length=206Waiting to send Access-Reject to client intraswitch port 38380 - ID: 198Sending delayed reject for request 0Sending Access-Reject of id 198 to 212.13.228.58 port 38380Waking up in 4.9 seconds.
Date: Wed, 8 Dec 2010 16:29:27 +0700 Subject: Re: Voip database From: work@fajar.net To: freeradius-users@lists.freeradius.org
On Wed, Dec 8, 2010 at 2:55 PM, Miha Zoubek <miha_zoubek@hotmail.com> wrote:
I have replace voip-postpaid.conf with new one but still the same. I this configuration file (voip-postpaid.conf) is written: uthcheck_table = "radcheck" authreply_table = "radreply" groupcheck_table = "radgroupcheck" groupreply_table = "radgroupreply" usergroup_table = "radusergroup"
Perhaps we started on the wrong assumptions. What do you intend to use postgresql for? Is it (a) only to store accounting data, or (b) to store user names/password AND accounting data
if it's (a), then there should be nothing wrong with your first config. You simply need to place user data for "081609000" in whatever "database" you choose (whether it's users file, or something else). The error could simply be because you haven't define that user yet.
If it's (b), then you need to forget for a moment that you're using it for voip. It doesn't really matter with regards to the problem you're facing. Get freeradius working with postgresql first.
Your debug log says
authorize_check_query = "" authorize_group_check_query = "" authorize_group_reply_query = ""
when the they should not be empty. Fix that first. Worry about the rest later, after you fix that.
The easiest way to do that, IMHO, is forget about voip-postpaid.conf and cisco_h323_db_schema.sql for the moment. Stick to the default sql.conf, sql/postgresql/dialup.conf, and sql/postgresql/schema.sql.
AFTER you get it to work, then you can try to get that particular conf and sql scheme working. Perhaps the author might be able to help.
The default sql.conf/dialup.conf and schema should work for voip or whatever. Probably not as efficient, but it'd still work.
-- Fajar
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok, if I set operation := I get this ( secret is 100% right) _sql_postgresql: query affected rows = 3 , fields = 5rlm_sql (pgsql-voip): Released sql socket id: 11++[pgsql-voip] returns ok++[expiration] returns noop++[logintime] returns noop[pap] WARNING: Auth-Type already set. Not setting to PAP++[pap] returns noopFound Auth-Type = PAP# Executing group from file /etc/raddb/sites-enabled/default+- entering group PAP {...}[pap] login attempt with password " ûñ±?"[pap] Using clear text password "12345"[pap] Passwords don't match++[pap] returns rejectFailed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!Using Post-Auth-Type Reject# Executing group from file /etc/raddb/sites-enabled/default+- entering group REJECT {...}[attr_filter.access_reject] expand: %{User-Name} -> 081609000 attr_filter: Matched entry DEFAULT at line 11++[attr_filter.access_reject] returns updated From: miha_zoubek@hotmail.com To: freeradius-users@lists.freeradius.org Subject: RE: Voip database Date: Wed, 8 Dec 2010 14:22:10 +0000 Thank you for your help! I included dailup.conf in voip-postpaid.conf.Now I getting different error: I have put this in tables: Nas: nasname: intraswitch, shortname: intraswitch, type: other, port: 1812: sercet: b, server: 1.2.3.4 (ip server), nad for comunity and dicription nullRadcheck: id: 1, username: 081609000, attribure: Cleartext-Password, Value: 12345, op: :=Radreply: id:1 , username: 081609000: atributte: Fall-Through, op: =, vaule: yes Thank you! ecv: Access-Request packet from host 212.13.228.58 port 38380, id=198, length=206 Acct-Multi-Session-Id = "1291817780502" Cisco-Attr-130 = 0x683332332d63616c6c696e672d656e74657270726973652d69643d656e74504258 Calling-Station-Id = "81609000" NAS-Identifier = "intraswitch" NAS-IP-Address = 212.13.228.58 3GPP2-Prepaid-acct-Capability = 0x010600000002 3GPP2-Session-Termination-Capability = 1 h323-conf-id = "h323-conf-id=1291817780502" Vendor-Specific = 0x00000009 Event-Timestamp = "Dec 8 2010 15:16:20 CET" User-Name = "081609000" User-Password = "12345"# Executing section authorize from file /etc/raddb/sites-enabled/default+- entering group authorize {...}++[preprocess] returns ok++[chap] returns noop++[mschap] returns noop++[digest] returns noop[suffix] No '@' in User-Name = "081609000", looking up realm NULL[suffix] No such realm "NULL"++[suffix] returns noop[eap] No EAP-Message, not doing EAP++[eap] returns noop[pgsql-voip] expand: %{User-Name} -> 081609000[pgsql-voip] sql_set_user escaped user --> '081609000'rlm_sql (pgsql-voip): Reserving sql socket id: 24[pgsql-voip] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '081609000' ORDER BY idrlm_sql_postgresql: Status: PGRES_TUPLES_OKrlm_sql_postgresql: query affected rows = 1 , fields = 5[pgsql-voip] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='081609000' ORDER BY priorityrlm_sql_postgresql: Status: PGRES_TUPLES_OKrlm_sql_postgresql: query affected rows = 0 , fields = 1rlm_sql (pgsql-voip): Released sql socket id: 24[pgsql-voip] User 081609000 not found++[pgsql-voip] returns notfound++[expiration] returns noop++[logintime] returns noop[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.++[pap] returns noopERROR: No authenticate method (Auth-Type) found for the request: Rejecting the userFailed to authenticate the user.Using Post-Auth-Type Reject# Executing group from file /etc/raddb/sites-enabled/default+- entering group REJECT {...}[attr_filter.access_reject] expand: %{User-Name} -> 081609000 attr_filter: Matched entry DEFAULT at line 11++[attr_filter.access_reject] returns updatedDelaying reject of request 0 for 1 secondsGoing to the next requestWaking up in 0.9 seconds.rad_recv: Access-Request packet from host 212.13.228.58 port 38380, id=198, length=206Waiting to send Access-Reject to client intraswitch port 38380 - ID: 198Sending delayed reject for request 0Sending Access-Reject of id 198 to 212.13.228.58 port 38380Waking up in 4.9 seconds.
Date: Wed, 8 Dec 2010 16:29:27 +0700 Subject: Re: Voip database From: work@fajar.net To: freeradius-users@lists.freeradius.org
On Wed, Dec 8, 2010 at 2:55 PM, Miha Zoubek <miha_zoubek@hotmail.com> wrote:
I have replace voip-postpaid.conf with new one but still the same. I this configuration file (voip-postpaid.conf) is written: uthcheck_table = "radcheck" authreply_table = "radreply" groupcheck_table = "radgroupcheck" groupreply_table = "radgroupreply" usergroup_table = "radusergroup"
Perhaps we started on the wrong assumptions. What do you intend to use postgresql for? Is it (a) only to store accounting data, or (b) to store user names/password AND accounting data
if it's (a), then there should be nothing wrong with your first config. You simply need to place user data for "081609000" in whatever "database" you choose (whether it's users file, or something else). The error could simply be because you haven't define that user yet.
If it's (b), then you need to forget for a moment that you're using it for voip. It doesn't really matter with regards to the problem you're facing. Get freeradius working with postgresql first.
Your debug log says
authorize_check_query = "" authorize_group_check_query = "" authorize_group_reply_query = ""
when the they should not be empty. Fix that first. Worry about the rest later, after you fix that.
The easiest way to do that, IMHO, is forget about voip-postpaid.conf and cisco_h323_db_schema.sql for the moment. Stick to the default sql.conf, sql/postgresql/dialup.conf, and sql/postgresql/schema.sql.
AFTER you get it to work, then you can try to get that particular conf and sql scheme working. Perhaps the author might be able to help.
The default sql.conf/dialup.conf and schema should work for voip or whatever. Probably not as efficient, but it'd still work.
-- Fajar
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Miha Zoubek wrote:
Ok, if I set operation := I get this ( secret is 100% right)
Sorry... changing the contents of the "radcheck" table has *no* effect on the shared secret for the client. Something else is going on. Since you previously butchered the default configuration and broke it, my guess would be that you've broken something else, too. Alan DeKok.
Hello, I have tried with radtest from other server with the same configuration:I get this (this is ok) : pap] returns noopFound Auth-Type = PAP# Executing group from file /etc/raddb/sites-enabled/default+- entering group PAP {...}[pap] login attempt with password "12345"[pap] Using clear text password "12345"[pap] User authenticated successfully++[pap] returns ok# Executing section post-auth from file /etc/raddb/sites-enabled/default+- entering group post-auth {...}++[exec] returns noopSending Access-Accept of id 57 to 1.2.3.4 port 56067 Framed-Compression := Van-Jacobson-TCP-IP Framed-Protocol := PPP Service-Type := Framed-UserFinished request 0.Going to the next req When I try with same configuration from NAS I get:I guss that is something wrong with my NAS? +[expiration] returns noop++[logintime] returns noop[pap] WARNING: Auth-Type already set. Not setting to PAP++[pap] returns noopFound Auth-Type = PAP# Executing group from file /etc/raddb/sites-enabled/default+- entering group PAP {...}[pap] login attempt with password "áø{k?"[pap] Using clear text password "12345"[pap] Passwords don't match++[pap] returns rejectFailed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Thank you!!!
Date: Wed, 8 Dec 2010 16:42:36 +0100 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: Voip database
Miha Zoubek wrote:
Ok, if I set operation := I get this ( secret is 100% right)
Sorry... changing the contents of the "radcheck" table has *no* effect on the shared secret for the client.
Something else is going on.
Since you previously butchered the default configuration and broke it, my guess would be that you've broken something else, too.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Thu, Dec 9, 2010 at 3:51 PM, Miha Zoubek <miha_zoubek@hotmail.com> wrote:
When I try with same configuration from NAS I get: I guss that is something wrong with my NAS?
[pap] login attempt with password "áø{k?" [pap] Using clear text password "12345" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Did you read Alan's response? Did you read the big WARNING? Did you double-check both the settings on your NAS and radius to make sure shared secret is correct? Did you make sure that you set the shared secret in the correct place (most people set it on clients.conf, but some configs allow the client list to be stored in database)? Did you try restarting both radius and the NAS, as a last step to make sure that they read the correct shared secret settings, just in case you just change it but forgot to restart/reload? -- Fajar
Hello, in wireshark I can see now that the first request for access goes throught but the second one for accounting is rejected. Can you help me out why? What about encryption ? The secret on the nas server and on the radius is 100% same. Where can I look for this? I have chacked everything you said for now. Thanks! Miha Cleaning up request 1 ID 176 with timestamp +12 Ready to process requests. rad_recv: Access-Request packet from host 1.2.3.4 port 55983, id=139, length=206 Acct-Multi-Session-Id = "1292574457509" Cisco-Attr-130 = 0x683332332d63616c6c696e672d656e74657270726973652d69643d656e74504258 Calling-Station-Id = "81609000" NAS-Identifier = "intraswitch" NAS-IP-Address = 1.2.3.4 3GPP2-Prepaid-acct-Capability = 0x010600000002 3GPP2-Session-Termination-Capability = 1 h323-conf-id = "h323-conf-id=1292574457509" Vendor-Specific = 0x00000009 Event-Timestamp = "Dec 17 2010 09:27:37 CET" User-Name = "081609000" User-Password = "1122" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "081609000", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [pgsql-voip] expand: %{User-Name} -> 081609000 [pgsql-voip] sql_set_user escaped user --> '081609000' rlm_sql (pgsql-voip): Reserving sql socket id: 22 [pgsql-voip] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '081609000' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 3 , fields = 5 [pgsql-voip] User found in radcheck table [pgsql-voip] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '081609000' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 5 [pgsql-voip] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='081609000' ORDER BY priority rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 1 [pgsql-voip] expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = 'dynamic' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 5 [pgsql-voip] User found in group dynamic [pgsql-voip] expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = 'dynamic' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 4 , fields = 5 rlm_sql (pgsql-voip): Released sql socket id: 22 ++[pgsql-voip] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing MD5-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = PAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "1122" [pap] Using MD5 encryption. [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 139 to 1.2.3.4 port 55983 Vendor-Specific := 0x3347505032 3GPP2-Prepaid-acct-Capability := 0x303130363030303030303032 3GPP2-Session-Termination-Capability := 1 3GPP2-Release-Indicator := 0 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 1.2.3.4 port 55121, id=193, length=335 User-Name = "081609000" User-Password = "\022\312w\014" Cisco-Attr-130 = 0x683332332d63616c6c696e672d656e74657270726973652d69643d656e74504258 Acct-Multi-Session-Id = "1292574457509" Calling-Station-Id = "81609000" Called-Station-Id = "38651357952" Cisco-AVPair = "h323-called-enterprise-id=External" h323-remote-address = "h323-remote-address=unknown" Acct-Session-Id = "129257445750920" h323-conf-id = "h323-conf-id=1292574457509" h323-incoming-conf-id = "h323-incoming-conf-id=1292574457509" 3GPP2-Prepaid-Acct-Quota = 0x0a06564f495008040002 Event-Timestamp = "Dec 17 2010 09:27:37 CET" Acct-Status-Type = One-Time Message-Authenticator = 0x6f793daff586ab35701631c5f2a48d96 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "081609000", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [pgsql-voip] expand: %{User-Name} -> 081609000 [pgsql-voip] sql_set_user escaped user --> '081609000' rlm_sql (pgsql-voip): Reserving sql socket id: 21 [pgsql-voip] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '081609000' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 3 , fields = 5 [pgsql-voip] User found in radcheck table [pgsql-voip] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '081609000' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 5 [pgsql-voip] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='081609000' ORDER BY priority rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 1 [pgsql-voip] expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = 'dynamic' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 5 [pgsql-voip] User found in group dynamic [pgsql-voip] expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = 'dynamic' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 4 , fields = 5 rlm_sql (pgsql-voip): Released sql socket id: 21 ++[pgsql-voip] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing MD5-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = PAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "?Êw?" [pap] Using MD5 encryption. [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 081609000 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 3 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 3 Sending Access-Reject of id 193 to 1.2.3.4 port 55121 Waking up in 3.9 seconds. rad_recv: Access-Request packet from host 1.2.3.4 port 55121, id=193, length=335 Sending duplicate reply to client intraswitch port 55121 - ID: 193 Sending Access-Reject of id 193 to 1.2.3.4 port 55121 Waking up in 3.9 seconds. Cleaning up request 2 ID 139 with timestamp +728 Waking up in 1.0 seconds. Cleaning up request 3 ID 193 with timestamp +728 Ready to process requests. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Voip-database-tp3295546p3309116.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 12/17/2010 08:58 AM, miha- wrote:
Hello,
in wireshark I can see now that the first request for access goes throught but the second one for accounting is rejected.
Can you help me out why?
What about encryption ? The secret on the nas server and on the radius is 100% same.
Lots of people say this, and they're always wrong:
rad_recv: Access-Request packet from host 1.2.3.4 port 55121, id=193, length=335 User-Name = "081609000" User-Password = "\022\312w\014"
Does that look like a valid password to you?
[pap] Normalizing MD5-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = PAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "?Êw?" [pap] Using MD5 encryption. [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Check it again. Change the shared-secret to something simple and new.
Hello, this is user-name and password for phone that is registered on NAS. NAS is sending authentication to freeradius server. Is not shared secret different thing? I have shared secret entered in clients.conf and in sql NAS table. First he is trying with password 1122 for user name 081609000 and this is accepted: +- entering group PAP {...} [pap] login attempt with password "1122" [pap] Using MD5 encryption. [pap] User authenticated successfully ++[pap] returns ok # Executing section post Than he is trying with User-Password = "\022\312w\014 but the password is set on 1122 Why? Thank you!!!! p.s.: if I try with radtest everything goes throught! miha User-Password = "\022\312w\014" -- View this message in context: http://freeradius.1045715.n5.nabble.com/Voip-database-tp3295546p3309176.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
miha- wrote:
this is user-name and password for phone that is registered on NAS. NAS is sending authentication to freeradius server.
We all know that. Stating the obvious is not helpful.
Is not shared secret different thing? I have shared secret entered in clients.conf and in sql NAS table.
In two places? Why? And re-enter it on the NAS. *Not* clients.conf, and *not* SQL. You have been told this many times, and have totally failed to understand.
First he is trying with password 1122 for user name 081609000 and this is accepted: ... Why?
You have been told. If you're not going to follow instructions, you should stop posting messages to this list. If you keep posting the same messages, *everyone* here will ignore you. Alan DeKok.
On 2010/12/17 11:41 AM, miha- wrote:
Hello,
this is user-name and password for phone that is registered on NAS. NAS is sending authentication to freeradius server.
Please do NOT confuse the shared secret and the password that the phone uses. The shares secret is a secret between the NAS and Freeradius. The Phones password (in access-request) is encrypted using the shared secret. -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782
Thank you @Johan Meiring for that. It is not my intend to spam the group and asking same question again and again. Belive me that I have done everything that you said (I changed secret on the NAS and ond the radius and I restarted both,...). So please help me out with this problem. I can see that the secret is wrong. But why? First request goes through: +- entering group PAP {...} [pap] login attempt with password "1122" [pap] Using clear text password "1122" [pap] User authenticated successfully But the second what is rejected due to wrong secret. User-Name = "081609000" User-Password = "\257+\360\350" [pap] login attempt with password "¯+ðè" [pap] Using clear text password "1122" [pap] Passwords don't match SO this I am asking. If the first time secret is right and for the second request is wrong. Could the different encryption (the is sending nas) is causing the problem? I have also looked at the AVP pairs that the freeradius is sending to nas. IF I looked at the AVP pairs which are send from our radius (Ibill solution) to NAS I see that the freeradius is not sending all AVP pairs. Could this be cause of problem? I am realy greadful for you help! miha -- View this message in context: http://freeradius.1045715.n5.nabble.com/Voip-database-tp3295546p3313123.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 2010/12/21 10:01 AM, miha- wrote:
Thank you @Johan Meiring for that. It is not my intend to spam the group and asking same question again and again. Belive me that I have done everything that you said (I changed secret on the NAS and ond the radius and I restarted both,...).
So please help me out with this problem. I can see that the secret is wrong. But why? First request goes through: +- entering group PAP {...} [pap] login attempt with password "1122" [pap] Using clear text password "1122" [pap] User authenticated successfully
But the second what is rejected due to wrong secret.
User-Name = "081609000" User-Password = "\257+\360\350"
[pap] login attempt with password "¯+ðè" [pap] Using clear text password "1122" [pap] Passwords don't match
SO this I am asking. If the first time secret is right and for the second request is wrong. Could the different encryption (the is sending nas) is causing the problem?
Answer the following: 1) What is the NAS's IP? 2) Post the section in clients.conf defining the NAS 3) Post the NAS config. -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782
1. My ip 1.2.3.4 (if will not post right one for security reasons) 2. Configuration on NAS ##----- Activate RADIUS connection setProperty com.centile.connectors.aaa.watchdog.enable false setProperty com.centile.connectors.aaa radius setProperty com.centile.connectors.aaa.localserv intraswitch setProperty com.centile.connectors.aaa.localpass 1122 setProperty com.centile.connectors.aaa.remotserv 1.2.3.5 (ip of freeradius) setProperty com.centile.connectors.aaa.remotport 1812 setProperty com.centile.connectors.aaa.calltype any 3. clients.conf client 1.2.3.4 (ip nas) { secret = 1122 shortname = intraswitch nastype = cisco # require_message_authenticator = no } Thanks!!!! -- View this message in context: http://freeradius.1045715.n5.nabble.com/Voip-database-tp3295546p3313149.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
miha- wrote:
##----- Activate RADIUS connection setProperty com.centile.connectors.aaa.watchdog.enable false setProperty com.centile.connectors.aaa radius setProperty com.centile.connectors.aaa.localserv intraswitch setProperty com.centile.connectors.aaa.localpass 1122 setProperty com.centile.connectors.aaa.remotserv 1.2.3.5 (ip of freeradius) setProperty com.centile.connectors.aaa.remotport 1812 setProperty com.centile.connectors.aaa.calltype any
Go ask the centile.com people why their RADIUS client doesn't work. It is *not* our problem. FreeRADIUS works with Cisco, Juniper, HP, SIP servers, firewalls, switches, routers, open source, closed source, etc. Let me guess: in all of your time taken posting to this list, you haven't bothered asking the centile.com people any questions. Alan DeKok.
Belive me that I am asking centile people to. And to let you know I have begun asking centile.com before I made first post on this forum. thanks!
Date: Tue, 21 Dec 2010 09:44:47 +0100 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: Voip database
miha- wrote:
##----- Activate RADIUS connection setProperty com.centile.connectors.aaa.watchdog.enable false setProperty com.centile.connectors.aaa radius setProperty com.centile.connectors.aaa.localserv intraswitch setProperty com.centile.connectors.aaa.localpass 1122 setProperty com.centile.connectors.aaa.remotserv 1.2.3.5 (ip of freeradius) setProperty com.centile.connectors.aaa.remotport 1812 setProperty com.centile.connectors.aaa.calltype any
Go ask the centile.com people why their RADIUS client doesn't work.
It is *not* our problem.
FreeRADIUS works with Cisco, Juniper, HP, SIP servers, firewalls, switches, routers, open source, closed source, etc.
Let me guess: in all of your time taken posting to this list, you haven't bothered asking the centile.com people any questions.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Miha Zoubek wrote:
Belive me that I am asking centile people to. And to let you know I have begun asking centile.com before I made first post on this forum.
OK, that's better. But.... FreeRADIUS works. It really does. Try it with "ntradping" on another machine. There *only* issues are with the centile.com NAS. Alan DeKok.
On Tue, Dec 21, 2010 at 3:52 PM, Miha Zoubek <miha_zoubek@hotmail.com> wrote:
Belive me that I am asking centile people to. And to let you know I have begun asking centile.com before I made first post on this forum.
I noticed from you earlier debug output that the NAS is sending different attributes. The working one (I selected some attributes only): NAS-Identifier = "intraswitch" NAS-IP-Address = 1.2.3.4 3GPP2-Prepaid-acct-Capability = 0x010600000002 3GPP2-Session-Termination-Capability = 1 h323-conf-id = "h323-conf-id=1292574457509" Vendor-Specific = 0x00000009 the non working one Called-Station-Id = "38651357952" Cisco-AVPair = "h323-called-enterprise-id=External" h323-remote-address = "h323-remote-address=unknown" Acct-Session-Id = "129257445750920" h323-conf-id = "h323-conf-id=1292574457509" h323-incoming-conf-id = "h323-incoming-conf-id=1292574457509" 3GPP2-Prepaid-Acct-Quota = 0x0a06564f495008040002 Acct-Status-Type = One-Time Message-Authenticator = 0x6f793daff586ab35701631c5f2a48d96 why is that? It almost seems like the request was made from two different NAS. In your question to centile people, it might help to also ask whether the device has more than one radius config section. -- Fajar
Thank you very much for you help!!! I will ask them that and that I will report back! Thanks guys! miha
Date: Tue, 21 Dec 2010 18:11:21 +0700 Subject: Re: Voip database From: work@fajar.net To: freeradius-users@lists.freeradius.org
On Tue, Dec 21, 2010 at 3:52 PM, Miha Zoubek <miha_zoubek@hotmail.com> wrote:
Belive me that I am asking centile people to. And to let you know I have begun asking centile.com before I made first post on this forum.
I noticed from you earlier debug output that the NAS is sending different attributes. The working one (I selected some attributes only):
NAS-Identifier = "intraswitch" NAS-IP-Address = 1.2.3.4 3GPP2-Prepaid-acct-Capability = 0x010600000002 3GPP2-Session-Termination-Capability = 1 h323-conf-id = "h323-conf-id=1292574457509" Vendor-Specific = 0x00000009
the non working one
Called-Station-Id = "38651357952" Cisco-AVPair = "h323-called-enterprise-id=External" h323-remote-address = "h323-remote-address=unknown" Acct-Session-Id = "129257445750920" h323-conf-id = "h323-conf-id=1292574457509" h323-incoming-conf-id = "h323-incoming-conf-id=1292574457509" 3GPP2-Prepaid-Acct-Quota = 0x0a06564f495008040002 Acct-Status-Type = One-Time Message-Authenticator = 0x6f793daff586ab35701631c5f2a48d96
why is that? It almost seems like the request was made from two different NAS. In your question to centile people, it might help to also ask whether the device has more than one radius config section.
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello :) I got this from centile guys? I am now installing freeradius on different server with different equipment to see which section (equipment) is adding this fields to massagas. I have only one quastion. I am running freeradius on ESXi as a Vmware machine. Could this be the cause of the problem? THanks!!! According to the log, first step is done correctly. Issue is located on the second request, due to password received: User-Password = "{" It seems that Radius server receives a request which is not formatted correctly. Do you have any equipment used as proxy between IntraSwitch and Radius ? Some fields not provided by IntraSwitch are added into messages as the following: Cisco-Attr-130 = 0x683332332d63616c6c696e672d656e74657270726973652d69643d656e74504258 Do you have a specific architecture which would cause such behavior ? -- View this message in context: http://freeradius.1045715.n5.nabble.com/Voip-database-tp3295546p3319133.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
miha- wrote:
I got this from centile guys?
<shrug> It changes nothing. The shared secret is still wrong, and no amount of email back and forth changes that.
I have only one quastion. I am running freeradius on ESXi as a Vmware machine. Could this be the cause of the problem?
No. Alan DeKok.
Hello, I got answere what should I do that the freeradius will work with centile. Can you help me out where can I customized this settings? Thanks!!! miha Currently, there is a password matching issue because the User-Password encoding is different during the Authentication from the Authorization. During the Authentication step, the Centile's radius client send a User-Password encrypted with the secret. But during the Authorization step, we don't expect the Radius server to check again this password (which is sent anyway, I don't know if this is a bug or if it is required by Eyebill...). The Authorization request contains the attribute Acct-Status-Type with the value 17 that means "authorize only". It also contains the attribute Message-Authenticator with the digest value. So Freeradius should use those two attributes to accept or reject the request instead of the User-Name and User-Password. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Voip-database-tp3295546p3326679.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Tue, Jan 4, 2011 at 2:40 PM, miha- <miha_zoubek@hotmail.com> wrote:
Currently, there is a password matching issue because the User-Password encoding is different during the Authentication from the Authorization. During the Authentication step, the Centile's radius client send a User-Password encrypted with the secret. But during the Authorization step, we don't expect the Radius server to check again this password (which is sent anyway, I don't know if this is a bug or if it is required by Eyebill...).
So they deliberately do NOT encrypt password with the secret? That's just silly. They need to fix it.
The Authorization request contains the attribute Acct-Status-Type with the value 17 that means "authorize only".
Shouldn't it be RADIUS Attribute 6, Service-Type? http://www.ietf.org/assignments/radius-types/radius-types.xml
It also contains the attribute Message-Authenticator with the digest value. So Freeradius should use those two attributes to accept or reject the request instead of the User-Name and User-Password.
If only "pap" is involved (which, from your debug log seems to be the case), you might be able to play with unlang and set Auth-Type := Accept for certain conditions (e.g. check whether Message-Authenticator exists, and whether it matches a certain value). http://wiki.freeradius.org/index.php/FAQ#How_do_I_permit_access_to_any_user_... http://freeradius.org/radiusd/man/unlang.html -- Fajar
miha- wrote:
Hello,
I got answere what should I do that the freeradius will work with centile. Can you help me out where can I customized this settings? ... Currently, there is a password matching issue because the User-Password encoding is different during the Authentication from the Authorization.
The vendor's behavior is idiotic. Throw their software in the garbage, and buy something that works. Go ask them how to make FreeRADIUS work with their product that violates the RADIUS specifications. It's not our problem. Alan DeKok.
Thanks @Alan DeKok-2 and @Fajar A. Nugraha for your help! After exchanging few email with centile I noticed that they are unwilling to change there configuration setting. So dou to our softswitch (Centile) for voip It is just not so easy buy and set a new one. This radius that we have from Ibill (compatible with centile) we would relay like to replace due to problems with it. SO finaly Centile (from the start they telling us that the centile works with freeradius) said that centile is having problems with 3GPP2. Is there any way to get this working. Where the changes should be made on freeradius? Or to ask in a different way is there any way to get this working :) ? Thanks!! I have also tried with ACCEPT like @Fajar A. Nugrah said but I got this problem (finally my phone begun ringing but new problem rise with media): ++[preprocess] returns ok [acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent [acct_unique] Hashing ',Client-IP-Address = 212.13.228.58,NAS-IP-Address = 212.13.228.58,Acct-Session-Id = "129464837317821",User-Name = "081609000"' [acct_unique] Acct-Unique-Session-ID = "d9d5c2ea191e529f". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "081609000", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop Executing section accounting from file /etc/raddb/sites-enabled/default +- entering group accounting {...} [detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/212.13.228.58/detail-20110110 [detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/212.13.228.58/detail-20110110 [detail] expand: %t -> Mon Jan 10 09:32:58 2011 ++[detail] returns ok ++[unix] returns noop [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{User-Name} -> 081609000 rlm_radutmp: No NAS-Port seen. Cannot do anything. rlm_radumtp: WARNING: checkrad will probably not work! ++[radutmp] returns noop ++[exec] returns noop [attr_filter.accounting_response] expand: %{User-Name} -> 081609000 attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 3 to 212.13.228.58 port 35277 Finished request 4. Cleaning up request 4 ID 3 with timestamp +13 Going to the next request Waking up in 4.9 seconds. Cleaning up request 3 ID 66 with timestamp +13 Ready to process requests. [ Show » ] softnet added a comment - 10/Jan/11 09:53 AM Hello, what about this issue? I have put 081609000 to Accept in users file to try this way. The call reach the telefone but another problem appears due to port is not send in the request of NAS to freeradius. Thanks! ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "081609000", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry 081609000 at line 71 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = Accept Auth-Type = Accept, accepting the user Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 66 to 212.13.228.58 port 59985 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Accounting-Request packet from host 212.13.228.58 port 35277, id=3, length=593 User-Name = "081609000" User-Password = "v7\265\345" Cisco-Attr-130 = 0x683332332d63616c6c696e672d656e74657270726973652d69643d656e74504258 Acct-Multi-Session-Id = "1294648373178" Calling-Station-Id = "81609000" Called-Station-Id = "38651357952" Cisco-AVPair = "h323-called-enterprise-id=NexTone" h323-remote-address = "h323-remote-address=212.13.249.90" Acct-Session-Id = "129464837317821" h323-conf-id = "h323-conf-id=1294648373178" h323-incoming-conf-id = "h323-incoming-conf-id=1294648373178" h323-call-origin = "h323-call-origin=originate" h323-call-type = "h323-call-type=VOIP" h323-setup-time = "h323-setup-time=08:32:53.182 GMT Mon Jan 10 2011" Acct-Multi-Session-Id = "1294648373178" h323-connect-time = "h323-connect-time=08:32:58.924 GMT Mon Jan 10 2011" h323-disconnect-time = "h323-disconnect-time=08:32:58.934 GMT Mon Jan 10 2011" h323-disconnect-cause = "h323-disconnect-cause=66" Acct-Status-Type = Stop Acct-Session-Time = 0 Event-Timestamp = "Jan 10 2011 09:32:58 CET" # Executing section preacct from file /etc/raddb/sites-enabled/default +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent [acct_unique] Hashing ',Client-IP-Address = 212.13.228.58,NAS-IP-Address = 212.13.228.58,Acct-Session-Id = "129464837317821",User-Name = "081609000"' [acct_unique] Acct-Unique-Session-ID = "d9d5c2ea191e529f". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "081609000", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop Executing section accounting from file /etc/raddb/sites-enabled/default +- entering group accounting {...} [detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/212.13.228.58/detail-20110110 [detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/212.13.228.58/detail-20110110 [detail] expand: %t -> Mon Jan 10 09:32:58 2011 ++[detail] returns ok ++[unix] returns noop [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp [radutmp] expand: %{User-Name} -> 081609000 rlm_radutmp: No NAS-Port seen. Cannot do anything. rlm_radumtp: WARNING: checkrad will probably not work! ++[radutmp] returns noop ++[exec] returns noop [attr_filter.accounting_response] expand: %{User-Name} -> 081609000 attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 3 to 212.13.228.58 port 35277 Finished request 4. Cleaning up request 4 ID 3 with timestamp +13 Going to the next request Waking up in 4.9 seconds. Cleaning up request 3 ID 66 with timestamp +13 Ready to process requests. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Voip-database-tp3295546p3334843.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 2010/12/21 10:26 AM, miha- wrote:
##----- Activate RADIUS connection setProperty com.centile.connectors.aaa.watchdog.enable false setProperty com.centile.connectors.aaa radius setProperty com.centile.connectors.aaa.localserv intraswitch setProperty com.centile.connectors.aaa.localpass 1122 setProperty com.centile.connectors.aaa.remotserv 1.2.3.5 (ip of freeradius) setProperty com.centile.connectors.aaa.remotport 1812 setProperty com.centile.connectors.aaa.calltype any
I nothing of centile. Alan is right that you need to ask them.. But, my logic says that you need a line similar to the following on your "centile NAS". setProperty com.centile.connectors.aaa.remotepass 1122 ^^^^^^ -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782
participants (6)
-
Alan DeKok -
Fajar A. Nugraha -
Johan Meiring -
Miha Zoubek -
miha- -
Phil Mayers