Server logs say users authenticate, but they don't (Now with more details!)
This isn't a duplicate, I've just included more information about our configuration. We have a Cisco AS5300 for our dialup pool. It is able to log into our new FreeRadius server and make authentication requests, but users are not able to authenticate. It's very strange, because FreeRadius produces logs like this: Thu Nov 2 11:06:24 2006 : Auth: Login OK: [XXXXXX/XXXXXX] (from client dialup port 8) But the client gets "Error 691: Your username or password are incorrect". I can tell that it's authenticating properly, because when a user gets their password wrong, I see this instead: Thu Nov 2 11:02:20 2006 : Auth: Login incorrect: [user1/somepass] (from client dialup port 13) Thu Nov 2 11:02:20 2006 : Auth: Login incorrect: [user1/somepass] (from client dialup port 13) We're using FreeRadius' mysql support for authentication, and I'm absolutely positive that part is working fine. It even creates accounting data in the database. This is what we have in the users file: DEFAULT Framed-Protocol == PPP, Simultaneous-Use == 1 Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP and this is what radiusd.conf looks like without the comments: prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/freeradius log_file = ${logdir}/radius.log libdir = /usr/lib/freeradius pidfile = ${run_dir}/freeradius.pid user = freerad group = freerad max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 256 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = yes log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes usercollide = no lower_user = no lower_pass = no nospace_user = after nospace_pass = after checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = off $INCLUDE ${confdir}/proxy.conf # proxy.conf has: # realm LOCAL { # type = radius # authhost = LOCAL # accthost = LOCAL #} $INCLUDE ${confdir}/clients.conf # clients.conf has: # client XXX.XXX.XXX.XXX { # secret = XXXXXX # nastype = cisco # shortname = dialup #} $INCLUDE ${confdir}/snmp.conf # snmp.conf has nothing. snmp = no thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 shadow = /etc/shadow radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf # eap.conf has: # eap { # default_eap_type = md5 # timer_expire = 60 # ignore_unknown_eap_types = no # cisco_accounting_username_bug = no # # md5 { # } # # leap { # } # # gtc { # auth_type = PAP # } # # mschapv2 { # } # } mschap { authtype = MS-CHAP } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/sql.conf # sql.conf has: # #sql { # # driver = "rlm_sql_mysql" # server = "localhost" # login = "XXXXXX" # radius_db = "XXXXXX" # password = "XXXXXX" # acct_table1 = "radacct" # acct_table2 = "radacct" # postauth_table = "radpostauth" # authcheck_table = "radcheck" # authreply_table = "radreply" # groupcheck_table = "radgroupcheck" # groupreply_table = "radgroupreply" # usergroup_table = "usergroup" # deletestalesessions = yes # sqltrace = yes # sqltracefile = /var/log/freeradius/sqltrace.sql # num_sql_socks = 5 # connect_failure_retry_delay = 60 # safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" # sql_user_name = "%{User-Name}" # # authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id" # authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id" # authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id" # authorize_group_reply_query = "SELECT ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op FROM ${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id" # accounting_onoff_query = "UPDATE ${acct_table1} SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'" # # accounting_update_query = "UPDATE ${acct_table1} \ # SET FramedIPAddress = '%{Framed-IP-Address}', \ # AcctSessionTime = '%{Acct-Session-Time}', \ # AcctInputOctets = '%{Acct-Input-Octets}', \ # AcctOutputOctets = '%{Acct-Output-Octets}' \ # WHERE AcctSessionId = '%{Acct-Session-Id}' \ # AND UserName = '%{SQL-User-Name}' \ # AND NASIPAddress= '%{NAS-IP-Address}'" # # accounting_update_query_alt = "INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')" # accounting_start_query = "INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')" # accounting_start_query_alt = "UPDATE ${acct_table1} SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'" # accounting_stop_query = "UPDATE ${acct_table2} SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'" # accounting_stop_query_alt = "INSERT into ${acct_table2} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')" # simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0" # simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0" # group_membership_query = "SELECT GroupName FROM ${usergroup_table} WHERE UserName='%{SQL-User-Name}'" # postauth_query = "INSERT into ${postauth_table} (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())" # #} radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { exec expr } authorize { preprocess sql } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } } preacct { preprocess suffix } accounting { detail radutmp sql } session { sql } post-auth { } pre-proxy { } post-proxy { eap } ## END OF CONFIG ## If you've actually gotten this far, I salute you. :)
Is the server multihomed ? It often happends that the server will recieve a request on one IP address and send out a reply using a different address with a multihomed system. If your system has multiple IP addresses, u can set "bind_address" to the one you want to use. Cheers Paul -----Original Message----- From: freeradius-users-bounces+paul.khavkine=distributel.ca@lists.freeradius.org on behalf of Ernie Dunbar Sent: Fri 11/3/2006 2:02 PM To: freeradius-users@lists.freeradius.org Subject: Server logs say users authenticate, but they don't (Now with more details!) This isn't a duplicate, I've just included more information about our configuration. We have a Cisco AS5300 for our dialup pool. It is able to log into our new FreeRadius server and make authentication requests, but users are not able to authenticate. It's very strange, because FreeRadius produces logs like this: Thu Nov 2 11:06:24 2006 : Auth: Login OK: [XXXXXX/XXXXXX] (from client dialup port 8) But the client gets "Error 691: Your username or password are incorrect". I can tell that it's authenticating properly, because when a user gets their password wrong, I see this instead: Thu Nov 2 11:02:20 2006 : Auth: Login incorrect: [user1/somepass] (from client dialup port 13) Thu Nov 2 11:02:20 2006 : Auth: Login incorrect: [user1/somepass] (from client dialup port 13) We're using FreeRadius' mysql support for authentication, and I'm absolutely positive that part is working fine. It even creates accounting data in the database. This is what we have in the users file: DEFAULT Framed-Protocol == PPP, Simultaneous-Use == 1 Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP and this is what radiusd.conf looks like without the comments: prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/freeradius log_file = ${logdir}/radius.log libdir = /usr/lib/freeradius pidfile = ${run_dir}/freeradius.pid user = freerad group = freerad max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 256 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = yes log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes usercollide = no lower_user = no lower_pass = no nospace_user = after nospace_pass = after checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = off $INCLUDE ${confdir}/proxy.conf # proxy.conf has: # realm LOCAL { # type = radius # authhost = LOCAL # accthost = LOCAL #} $INCLUDE ${confdir}/clients.conf # clients.conf has: # client XXX.XXX.XXX.XXX { # secret = XXXXXX # nastype = cisco # shortname = dialup #} $INCLUDE ${confdir}/snmp.conf # snmp.conf has nothing. snmp = no thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 shadow = /etc/shadow radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf # eap.conf has: # eap { # default_eap_type = md5 # timer_expire = 60 # ignore_unknown_eap_types = no # cisco_accounting_username_bug = no # # md5 { # } # # leap { # } # # gtc { # auth_type = PAP # } # # mschapv2 { # } # } mschap { authtype = MS-CHAP } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/sql.conf # sql.conf has: # #sql { # # driver = "rlm_sql_mysql" # server = "localhost" # login = "XXXXXX" # radius_db = "XXXXXX" # password = "XXXXXX" # acct_table1 = "radacct" # acct_table2 = "radacct" # postauth_table = "radpostauth" # authcheck_table = "radcheck" # authreply_table = "radreply" # groupcheck_table = "radgroupcheck" # groupreply_table = "radgroupreply" # usergroup_table = "usergroup" # deletestalesessions = yes # sqltrace = yes # sqltracefile = /var/log/freeradius/sqltrace.sql # num_sql_socks = 5 # connect_failure_retry_delay = 60 # safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" # sql_user_name = "%{User-Name}" # # authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id" # authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id" # authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id" # authorize_group_reply_query = "SELECT ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op FROM ${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id" # accounting_onoff_query = "UPDATE ${acct_table1} SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'" # # accounting_update_query = "UPDATE ${acct_table1} \ # SET FramedIPAddress = '%{Framed-IP-Address}', \ # AcctSessionTime = '%{Acct-Session-Time}', \ # AcctInputOctets = '%{Acct-Input-Octets}', \ # AcctOutputOctets = '%{Acct-Output-Octets}' \ # WHERE AcctSessionId = '%{Acct-Session-Id}' \ # AND UserName = '%{SQL-User-Name}' \ # AND NASIPAddress= '%{NAS-IP-Address}'" # # accounting_update_query_alt = "INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')" # accounting_start_query = "INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')" # accounting_start_query_alt = "UPDATE ${acct_table1} SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'" # accounting_stop_query = "UPDATE ${acct_table2} SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'" # accounting_stop_query_alt = "INSERT into ${acct_table2} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')" # simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0" # simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0" # group_membership_query = "SELECT GroupName FROM ${usergroup_table} WHERE UserName='%{SQL-User-Name}'" # postauth_query = "INSERT into ${postauth_table} (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())" # #} radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { exec expr } authorize { preprocess sql } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } } preacct { preprocess suffix } accounting { detail radutmp sql } session { sql } post-auth { } pre-proxy { } post-proxy { eap } ## END OF CONFIG ## If you've actually gotten this far, I salute you. :) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
No, it's not multihomed, but on a lark I tried it anyway (since there's two network cards in it, but one isn't used). It still doesn't work.
Is the server multihomed ? It often happends that the server will recieve a request on one IP address and send out a reply using a different address with a multihomed system.
If your system has multiple IP addresses, u can set "bind_address" to the one you want to use.
Cheers Paul
-----Original Message----- From: freeradius-users-bounces+paul.khavkine=distributel.ca@lists.freeradius.org on behalf of Ernie Dunbar Sent: Fri 11/3/2006 2:02 PM To: freeradius-users@lists.freeradius.org Subject: Server logs say users authenticate, but they don't (Now with more details!)
This isn't a duplicate, I've just included more information about our configuration.
We have a Cisco AS5300 for our dialup pool. It is able to log into our new FreeRadius server and make authentication requests, but users are not able to authenticate.
It's very strange, because FreeRadius produces logs like this:
Thu Nov 2 11:06:24 2006 : Auth: Login OK: [XXXXXX/XXXXXX] (from client dialup port 8)
But the client gets "Error 691: Your username or password are incorrect".
I can tell that it's authenticating properly, because when a user gets their password wrong, I see this instead:
Thu Nov 2 11:02:20 2006 : Auth: Login incorrect: [user1/somepass] (from client dialup port 13) Thu Nov 2 11:02:20 2006 : Auth: Login incorrect: [user1/somepass] (from client dialup port 13)
We're using FreeRadius' mysql support for authentication, and I'm absolutely positive that part is working fine. It even creates accounting data in the database.
This is what we have in the users file:
DEFAULT Framed-Protocol == PPP, Simultaneous-Use == 1 Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP
and this is what radiusd.conf looks like without the comments:
prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/freeradius log_file = ${logdir}/radius.log libdir = /usr/lib/freeradius pidfile = ${run_dir}/freeradius.pid
user = freerad group = freerad
max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 256 bind_address = * port = 0
hostname_lookups = no allow_core_dumps = no
regular_expressions = yes extended_expressions = yes
log_stripped_names = yes log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes
usercollide = no
lower_user = no lower_pass = no
nospace_user = after nospace_pass = after
checkrad = ${sbindir}/checkrad
security { max_attributes = 200 reject_delay = 1 status_server = no }
proxy_requests = off $INCLUDE ${confdir}/proxy.conf
# proxy.conf has: # realm LOCAL { # type = radius # authhost = LOCAL # accthost = LOCAL #}
$INCLUDE ${confdir}/clients.conf
# clients.conf has: # client XXX.XXX.XXX.XXX { # secret = XXXXXX # nastype = cisco # shortname = dialup #}
$INCLUDE ${confdir}/snmp.conf
# snmp.conf has nothing.
snmp = no
thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 }
modules { pap { encryption_scheme = crypt }
chap { authtype = CHAP }
pam { pam_auth = radiusd }
unix { cache = no cache_reload = 600 shadow = /etc/shadow radwtmp = ${logdir}/radwtmp }
$INCLUDE ${confdir}/eap.conf
# eap.conf has: # eap { # default_eap_type = md5 # timer_expire = 60 # ignore_unknown_eap_types = no # cisco_accounting_username_bug = no # # md5 { # } # # leap { # } # # gtc { # auth_type = PAP # } # # mschapv2 { # } # }
mschap { authtype = MS-CHAP }
realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no }
checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string }
preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no }
files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users compat = no }
detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 }
acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" }
$INCLUDE ${confdir}/sql.conf
# sql.conf has: # #sql { # # driver = "rlm_sql_mysql" # server = "localhost" # login = "XXXXXX" # radius_db = "XXXXXX" # password = "XXXXXX" # acct_table1 = "radacct" # acct_table2 = "radacct" # postauth_table = "radpostauth" # authcheck_table = "radcheck" # authreply_table = "radreply" # groupcheck_table = "radgroupcheck" # groupreply_table = "radgroupreply" # usergroup_table = "usergroup" # deletestalesessions = yes # sqltrace = yes # sqltracefile = /var/log/freeradius/sqltrace.sql # num_sql_socks = 5 # connect_failure_retry_delay = 60 # safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" # sql_user_name = "%{User-Name}" # # authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id" # authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id" # authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id" # authorize_group_reply_query = "SELECT ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op FROM ${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id" # accounting_onoff_query = "UPDATE ${acct_table1} SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'" # # accounting_update_query = "UPDATE ${acct_table1} \ # SET FramedIPAddress = '%{Framed-IP-Address}', \ # AcctSessionTime = '%{Acct-Session-Time}', \ # AcctInputOctets = '%{Acct-Input-Octets}', \ # AcctOutputOctets = '%{Acct-Output-Octets}' \ # WHERE AcctSessionId = '%{Acct-Session-Id}' \ # AND UserName = '%{SQL-User-Name}' \ # AND NASIPAddress= '%{NAS-IP-Address}'" # # accounting_update_query_alt = "INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')" # accounting_start_query = "INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')" # accounting_start_query_alt = "UPDATE ${acct_table1} SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'" # accounting_stop_query = "UPDATE ${acct_table2} SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'" # accounting_stop_query_alt = "INSERT into ${acct_table2} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')" # simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0" # simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0" # group_membership_query = "SELECT GroupName FROM ${usergroup_table} WHERE UserName='%{SQL-User-Name}'" # postauth_query = "INSERT into ${postauth_table} (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())" # #}
radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" }
radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" }
attr_filter { attrsfile = ${confdir}/attrs }
counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 }
always fail { rcode = fail }
always reject { rcode = reject }
always ok { rcode = ok simulcount = 0 mpp = no }
expr { }
digest { }
exec { wait = yes input_pairs = request }
exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply }
ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } }
instantiate { exec expr }
authorize { preprocess sql }
authenticate { Auth-Type PAP { pap }
Auth-Type CHAP { chap }
Auth-Type MS-CHAP { mschap } }
preacct { preprocess suffix }
accounting { detail radutmp sql }
session { sql }
post-auth { }
pre-proxy { }
post-proxy { eap }
## END OF CONFIG ##
If you've actually gotten this far, I salute you. :)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ernie Dunbar wrote:
No, it's not multihomed, but on a lark I tried it anyway (since there's two network cards in it, but one isn't used). It still doesn't work.
G'day Ernie, Can you sniff on the AS5300 and ensure the Access-Accept packets are arriving before the 3 second (default) timeout? Does it work if you temporarily disable the Simultaneous-Use check? -- James Wakefield, Unix Administrator, Information Technology Services Division Deakin University, Geelong, Victoria 3217 Australia. Phone: 03 5227 8690 International: +61 3 5227 8690 Fax: 03 5227 8866 International: +61 3 5227 8866 E-mail: james.wakefield@deakin.edu.au Website: http://www.deakin.edu.au
G'day Ernie,
Can you sniff on the AS5300 and ensure the Access-Accept packets are arriving before the 3 second (default) timeout?
Yes, we tried that. The access-accept packets aren't arriving at all!
Does it work if you temporarily disable the Simultaneous-Use check?
No, that doesn't work either.
participants (3)
-
Ernie Dunbar -
James Wakefield -
Paul Khavkine