Hello list, we are using FreeRADIUS to authenticate students wireless access. It's FreeRADIUS Version 2.2.8 running on FreeBSD 9.2-STABLE. Our LDAP server is eDirectory version 8.8 Now, we are upgrading to FreeRADIUS 3.0.15 (installed from ports) running on FreeBSD 11.1-RELEASE. LDAP is always eDirectory 8.8. The bind to LDAP server it's ok, but the user is not authenticate, the error is: Invalid user (eDirectory-ICT: Failed to retrieve eDirectory password: (80) Other (e.g., implementation specific) error): This is the ldap module configuration: # # ICT per test # ldap eDirectory-ICT { server = 'ldaps.unibocconi.it' port = 636 identity = 'cn=yyyyyyyyy,ou=Servers,o=INetServices' password = xxxxxxx base_dn = 'ou=Faculty-Staff,ou=Bocconi,o=INetServices' edir = yes edir_autz = no # # User object identification. # user { base_dn = "${..base_dn}" filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" } # # User membership checking. # group { base_dn = "${..base_dn}" filter = '(objectClass=posixGroup)' membership_attribute = 'memberOf' } # # User profiles. # profile { filter = '(objectclass=radiusprofile)' } # # Bulk load clients from the directory # client { base_dn = "${..base_dn}" filter = '(objectClass=radiusClient)' template { } attribute { ipaddr = 'radiusClientIdentifier' secret = 'radiusClientSecret' } } read_clients = no accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" type { start { update { description := "Online at %S" } } interim-update { update { description := "Last seen at %S" } } stop { update { description := "Offline at %S" } } } } # # Post-Auth can modify LDAP objects too # post-auth { update { description := "Authenticated at %S" } } # # LDAP connection-specific options. # options { chase_referrals = yes rebind = yes res_timeout = 10 srv_timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028 } # # This subsection configures the tls related items # that control how FreeRADIUS connects to an LDAP # server. # tls { start_tls = no ca_file = ${certdir}/DigiCertAssuredIDRootCA-TERENA-CA3.crt ca_path = ${certdir} certificate_file = ${certdir}/ldaps.unibocconi.it.crt private_key_file = ${certdir}/ldaps.unibocconi.it.key random_file = /dev/urandom require_cert = 'demand' } # # ldap_connections_number # pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30 lifetime = 0 idle_timeout = 60 } } What's wrong ? Thanks for your help. Ciao Marco -- Marco Pirovano Infrastrutture e Tecnologie Information and Communication Technology Universita' Bocconi via Gobbi, 5 - 20136 Milano Tel. +39 02 5836.3173 Fax. +39 02 5836.3160 Windows makes noise, Linux plays music, but BSD Rocks!
On Aug 1, 2017, at 11:29 AM, Marco Pirovano <marco.pirovano@unibocconi.it> wrote:
Hello list,
we are using FreeRADIUS to authenticate students wireless access. It's FreeRADIUS Version 2.2.8 running on FreeBSD 9.2-STABLE.
Our LDAP server is eDirectory version 8.8
Now, we are upgrading to FreeRADIUS 3.0.15 (installed from ports) running on FreeBSD 11.1-RELEASE. LDAP is always eDirectory 8.8.
The bind to LDAP server it's ok, but the user is not authenticate, the error is:
Invalid user (eDirectory-ICT: Failed to retrieve eDirectory password: (80) Other (e.g., implementation specific) error):
Have you enabled universal password? https://www.netiq.com/documentation/edir_radius/pdfdoc/radiusadmin/radiusadm... -Arran
Hi Arran, yes, the universal password is enabled and is working with FR2. The problem is with FR3. On FR2 in debug mode: The client: [root@cariddi:~] radtest -x pirovano xxxxxxxx 10.5.255.241 1 yyyyyyyy Sending Access-Request of id 97 to 10.5.255.241 port 1812 User-Name = "pirovano" User-Password = "xxxxxxxx" NAS-IP-Address = 10.5.255.241 NAS-Port = 1 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 10.5.255.241 port 1812, id=97, length=20 The FR2: [eDirectory-UNI] ldap_get_conn: Checking Id: 0 [eDirectory-UNI] ldap_get_conn: Got Id: 0 [eDirectory-UNI] attempting LDAP reconnection [eDirectory-UNI] (re)connect to ldap.unibocconi.it:389, authentication 0 [eDirectory-UNI] starting TLS [eDirectory-UNI] bind as cn=RADIUSAdmin,ou=Servers,o=INetServices/zzzzzzzzz to ldap.unibocconi.it:389 [eDirectory-UNI] waiting for bind result ... [eDirectory-UNI] Bind was successful [eDirectory-UNI] performing search in ou=Faculty-Staff,ou=Bocconi,o=INetServices, with filter (cn=pirovano) [eDirectory-UNI] Added the eDirectory password xxxxxxxx in check items as Cleartext-Password On FR3 in debug mode: the client: [root@freeradius3:~] radtest pirovano xxxxxxxx 10.1.1.82 1 yyyyyyyy Sent Access-Request Id 157 from 0.0.0.0:35640 to 10.1.1.82:1812 length 78 User-Name = "pirovano" User-Password = "xxxxxxxx" NAS-IP-Address = 10.1.1.82 NAS-Port = 1 Message-Authenticator = 0x00 Cleartext-Password = "xxxxxxxx" Received Access-Reject Id 157 from 10.1.1.82:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject The FR3: (0) eDirectory-ICT: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}}) (0) eDirectory-ICT: --> (cn=pirovano) (0) eDirectory-ICT: Performing search in "ou=Faculty-Staff,ou=Bocconi,o=INetServices" with filter "(cn=pirovano)", scope "sub" (0) eDirectory-ICT: Waiting for search result... ber_get_next failed. ber_get_next failed. (0) eDirectory-ICT: User object found at DN "cn=Pirovano,ou=ICT,ou=Faculty-Staff,ou=Bocconi,o=INetServices" (0) eDirectory-ICT: ERROR: Failed to retrieve eDirectory password: (80) Other (e.g., implementation specific) error rlm_ldap (eDirectory-ICT): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (eDirectory-ICT): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (eDirectory-ICT): Connecting to ldap://ldaps.unibocconi.it:636 rlm_ldap (eDirectory-ICT): Waiting for bind result... rlm_ldap (eDirectory-ICT): Bind successful (0) [eDirectory-ICT] = fail (0) } # authorize = fail Thanks. Marco ----- Il 1-ago-17, alle 19:35, Arran Cudbard-Bell a.cudbardb@freeradius.org ha scritto:
On Aug 1, 2017, at 11:29 AM, Marco Pirovano <marco.pirovano@unibocconi.it> wrote:
Hello list,
we are using FreeRADIUS to authenticate students wireless access. It's FreeRADIUS Version 2.2.8 running on FreeBSD 9.2-STABLE.
Our LDAP server is eDirectory version 8.8
Now, we are upgrading to FreeRADIUS 3.0.15 (installed from ports) running on FreeBSD 11.1-RELEASE. LDAP is always eDirectory 8.8.
The bind to LDAP server it's ok, but the user is not authenticate, the error is:
Invalid user (eDirectory-ICT: Failed to retrieve eDirectory password: (80) Other (e.g., implementation specific) error):
Have you enabled universal password?
https://www.netiq.com/documentation/edir_radius/pdfdoc/radiusadmin/radiusadm...
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Marco Pirovano Infrastrutture e Tecnologie Information and Communication Technology Universita' Bocconi via Gobbi, 5 - 20136 Milano Tel. +39 02 5836.3173 Fax. +39 02 5836.3160 Windows makes noise, Linux plays music, but BSD Rocks!
I suspect that you need to rebuild FR3 with the right LDAP library. Something looks very odd there as I have compiled FR3 with eDir on RHEL 6&7 using universal password without an issue. On 2/08/2017 19:47, "Marco Pirovano" <marco.pirovano@unibocconi.it> wrote:
Hi Arran,
yes, the universal password is enabled and is working with FR2.
The problem is with FR3.
On FR2 in debug mode:
The client:
[root@cariddi:~] radtest -x pirovano xxxxxxxx 10.5.255.241 1 yyyyyyyy Sending Access-Request of id 97 to 10.5.255.241 port 1812 User-Name = "pirovano" User-Password = "xxxxxxxx" NAS-IP-Address = 10.5.255.241 NAS-Port = 1 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 10.5.255.241 port 1812, id=97, length=20
The FR2:
[eDirectory-UNI] ldap_get_conn: Checking Id: 0 [eDirectory-UNI] ldap_get_conn: Got Id: 0 [eDirectory-UNI] attempting LDAP reconnection [eDirectory-UNI] (re)connect to ldap.unibocconi.it:389, authentication 0 [eDirectory-UNI] starting TLS [eDirectory-UNI] bind as cn=RADIUSAdmin,ou=Servers,o=INetServices/zzzzzzzzz to ldap.unibocconi.it:389 [eDirectory-UNI] waiting for bind result ... [eDirectory-UNI] Bind was successful [eDirectory-UNI] performing search in ou=Faculty-Staff,ou=Bocconi,o=INetServices, with filter (cn=pirovano) [eDirectory-UNI] Added the eDirectory password xxxxxxxx in check items as Cleartext-Password
On FR3 in debug mode:
the client:
[root@freeradius3:~] radtest pirovano xxxxxxxx 10.1.1.82 1 yyyyyyyy Sent Access-Request Id 157 from 0.0.0.0:35640 to 10.1.1.82:1812 length 78 User-Name = "pirovano" User-Password = "xxxxxxxx" NAS-IP-Address = 10.1.1.82 NAS-Port = 1 Message-Authenticator = 0x00 Cleartext-Password = "xxxxxxxx" Received Access-Reject Id 157 from 10.1.1.82:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject
The FR3:
(0) eDirectory-ICT: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}}) (0) eDirectory-ICT: --> (cn=pirovano) (0) eDirectory-ICT: Performing search in "ou=Faculty-Staff,ou=Bocconi,o=INetServices" with filter "(cn=pirovano)", scope "sub" (0) eDirectory-ICT: Waiting for search result... ber_get_next failed. ber_get_next failed. (0) eDirectory-ICT: User object found at DN "cn=Pirovano,ou=ICT,ou= Faculty-Staff,ou=Bocconi,o=INetServices"
(0) eDirectory-ICT: ERROR: Failed to retrieve eDirectory password: (80) Other (e.g., implementation specific) error
rlm_ldap (eDirectory-ICT): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (eDirectory-ICT): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (eDirectory-ICT): Connecting to ldap://ldaps.unibocconi.it:636 rlm_ldap (eDirectory-ICT): Waiting for bind result... rlm_ldap (eDirectory-ICT): Bind successful (0) [eDirectory-ICT] = fail (0) } # authorize = fail
Thanks. Marco
----- Il 1-ago-17, alle 19:35, Arran Cudbard-Bell a.cudbardb@freeradius.org ha scritto:
On Aug 1, 2017, at 11:29 AM, Marco Pirovano < marco.pirovano@unibocconi.it> wrote:
Hello list,
we are using FreeRADIUS to authenticate students wireless access. It's FreeRADIUS Version 2.2.8 running on FreeBSD 9.2-STABLE.
Our LDAP server is eDirectory version 8.8
Now, we are upgrading to FreeRADIUS 3.0.15 (installed from ports) running on FreeBSD 11.1-RELEASE. LDAP is always eDirectory 8.8.
The bind to LDAP server it's ok, but the user is not authenticate, the error is:
Invalid user (eDirectory-ICT: Failed to retrieve eDirectory password: (80) Other (e.g., implementation specific) error):
Have you enabled universal password?
https://www.netiq.com/documentation/edir_radius/pdfdoc/radiusadmin/ radiusadmin.pdf
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- Marco Pirovano Infrastrutture e Tecnologie Information and Communication Technology Universita' Bocconi via Gobbi, 5 - 20136 Milano Tel. +39 02 5836.3173 Fax. +39 02 5836.3160
Windows makes noise, Linux plays music, but BSD Rocks!
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Actually I suspect it's the SSL library compiled or not compuled into the openldap library. Since you need for Universal password to work a TLS session to eDir. Can you do the same LDAP search using standard ldapsearch over SSL? As the search is failing so that doesn't bode well. On 2/08/2017 20:49, "Peter Lambrechtsen" <peter@crypt.nz> wrote:
I suspect that you need to rebuild FR3 with the right LDAP library. Something looks very odd there as I have compiled FR3 with eDir on RHEL 6&7 using universal password without an issue.
On 2/08/2017 19:47, "Marco Pirovano" <marco.pirovano@unibocconi.it> wrote:
Hi Arran,
yes, the universal password is enabled and is working with FR2.
The problem is with FR3.
On FR2 in debug mode:
The client:
[root@cariddi:~] radtest -x pirovano xxxxxxxx 10.5.255.241 1 yyyyyyyy Sending Access-Request of id 97 to 10.5.255.241 port 1812 User-Name = "pirovano" User-Password = "xxxxxxxx" NAS-IP-Address = 10.5.255.241 NAS-Port = 1 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 10.5.255.241 port 1812, id=97, length=20
The FR2:
[eDirectory-UNI] ldap_get_conn: Checking Id: 0 [eDirectory-UNI] ldap_get_conn: Got Id: 0 [eDirectory-UNI] attempting LDAP reconnection [eDirectory-UNI] (re)connect to ldap.unibocconi.it:389, authentication 0 [eDirectory-UNI] starting TLS [eDirectory-UNI] bind as cn=RADIUSAdmin,ou=Servers,o=INetServices/zzzzzzzzz to ldap.unibocconi.it:389 [eDirectory-UNI] waiting for bind result ... [eDirectory-UNI] Bind was successful [eDirectory-UNI] performing search in ou=Faculty-Staff,ou=Bocconi,o=INetServices, with filter (cn=pirovano) [eDirectory-UNI] Added the eDirectory password xxxxxxxx in check items as Cleartext-Password
On FR3 in debug mode:
the client:
[root@freeradius3:~] radtest pirovano xxxxxxxx 10.1.1.82 1 yyyyyyyy Sent Access-Request Id 157 from 0.0.0.0:35640 to 10.1.1.82:1812 length 78 User-Name = "pirovano" User-Password = "xxxxxxxx" NAS-IP-Address = 10.1.1.82 NAS-Port = 1 Message-Authenticator = 0x00 Cleartext-Password = "xxxxxxxx" Received Access-Reject Id 157 from 10.1.1.82:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject
The FR3:
(0) eDirectory-ICT: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}}) (0) eDirectory-ICT: --> (cn=pirovano) (0) eDirectory-ICT: Performing search in "ou=Faculty-Staff,ou=Bocconi,o=INetServices" with filter "(cn=pirovano)", scope "sub" (0) eDirectory-ICT: Waiting for search result... ber_get_next failed. ber_get_next failed. (0) eDirectory-ICT: User object found at DN "cn=Pirovano,ou=ICT,ou=Faculty -Staff,ou=Bocconi,o=INetServices"
(0) eDirectory-ICT: ERROR: Failed to retrieve eDirectory password: (80) Other (e.g., implementation specific) error
rlm_ldap (eDirectory-ICT): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (eDirectory-ICT): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (eDirectory-ICT): Connecting to ldap://ldaps.unibocconi.it:636 rlm_ldap (eDirectory-ICT): Waiting for bind result... rlm_ldap (eDirectory-ICT): Bind successful (0) [eDirectory-ICT] = fail (0) } # authorize = fail
Thanks. Marco
----- Il 1-ago-17, alle 19:35, Arran Cudbard-Bell a.cudbardb@freeradius.org ha scritto:
On Aug 1, 2017, at 11:29 AM, Marco Pirovano < marco.pirovano@unibocconi.it> wrote:
Hello list,
we are using FreeRADIUS to authenticate students wireless access. It's FreeRADIUS Version 2.2.8 running on FreeBSD 9.2-STABLE.
Our LDAP server is eDirectory version 8.8
Now, we are upgrading to FreeRADIUS 3.0.15 (installed from ports) running on FreeBSD 11.1-RELEASE. LDAP is always eDirectory 8.8.
The bind to LDAP server it's ok, but the user is not authenticate, the error is:
Invalid user (eDirectory-ICT: Failed to retrieve eDirectory password: (80) Other (e.g., implementation specific) error):
Have you enabled universal password?
https://www.netiq.com/documentation/edir_radius/pdfdoc/ radiusadmin/radiusadmin.pdf
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html
-- Marco Pirovano Infrastrutture e Tecnologie Information and Communication Technology Universita' Bocconi via Gobbi, 5 - 20136 Milano Tel. +39 02 5836.3173 Fax. +39 02 5836.3160
Windows makes noise, Linux plays music, but BSD Rocks!
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html
On 2 Aug 2017, at 04:55, Peter Lambrechtsen <peter@crypt.nz> wrote:
Actually I suspect it's the SSL library compiled or not compuled into the openldap library. Since you need for Universal password to work a TLS session to eDir. Can you do the same LDAP search using standard ldapsearch over SSL? As the search is failing so that doesn't bode well.
Agreed. We’re actually reworking the packages now to use OpenLDAP-LTB packages for the RHEL/Centos .spec files. -Arran
Hello, I did Upgrade from 2.2.9 to 3.0.15. For marketing purposes if my client is not on my base and tries to connect to my system, I permit the access in a specific pool. When I upgraded to 3, this stoped to work. Some help? Look more details..... In my default file: Auth-Type CHAP { chap { invalid = 1 } if(invalid) { update control { Pool-Name := "mkt_pool" } update reply { Mikrotik-Rate-Limit := "300K/2M 600K/2200K 450K/1500K 10/10" } ok } } My radiusd -X output: Ready to process requests (0) Received Access-Request Id 199 from 172.17.6.2:42459 to 187.120.197.145:1812 length 152 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) NAS-Port = 15736495 (0) NAS-Port-Type = Ethernet (0) User-Name = "soniaregina" (0) Calling-Station-Id = "84:C9:B2:A3:BB:67" (0) Called-Station-Id = "CE - POP ITPM5" (0) NAS-Port-Id = "ether5" (0) CHAP-Challenge = 0x3cfe95eca592d11448a098b33412cd0b (0) CHAP-Password = 0x01cc08e5f2ad79880124b1d826606947b2 (0) NAS-Identifier = "CE-ITPM" (0) NAS-IP-Address = 172.17.6.2 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) [preprocess] = ok (0) chap: &control:Auth-Type := CHAP (0) [chap] = ok (0) [mschap] = noop (0) sql: EXPAND %{User-Name} (0) sql: --> soniaregina (0) sql: SQL-User-Name set to 'soniaregina' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY '%{SQL-User-Name}' AND M.usuario_login = BINARY '%{SQL-User-Name}' AND N.nasname = '%{Nas-IP-Address}' AND N.gw_id = (SELECT gateway_id FROM mpc_lw.maclist WHERE usuario_login = BINARY '%{SQL-User-Name}' AND plano_id NOT IN (8,9,793) AND gateway_id = ( SELECT gw_id FROM mpc_freeradius.nas WHERE nasname = '%{Nas-IP-Address}' ) ORDER BY ID) UNION ALL SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY '%{SQL-User-Name}' AND M.usuario_login = BINARY '%{SQL-User-Name}' AND M.grupocliente = 'ALL-POPS' (0) sql: --> SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY 'soniaregina' AND M.usuario_login = BINARY 'soniaregina' AND N.nasname = '172.17.6.2' AND N.gw_id = (SELECT gateway_id FROM mpc_lw.maclist WHERE usuario_login = BINARY 'soniaregina' AND plano_id NOT IN (8,9,793) AND gateway_id = ( SELECT gw_id FROM mpc_freeradius.nas WHERE nasname = '172.17.6.2' ) ORDER BY ID) UNION ALL SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY 'soniaregina' AND M.usuario_login = BINARY 'soniaregina' AND M.grupocliente = 'ALL-POPS' (0) sql: Executing select query: SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY 'soniaregina' AND M.usuario_login = BINARY 'soniaregina' AND N.nasname = '172.17.6.2' AND N.gw_id = (SELECT gateway_id FROM mpc_lw.maclist WHERE usuario_login = BINARY 'soniaregina' AND plano_id NOT IN (8,9,793) AND gateway_id = ( SELECT gw_id FROM mpc_freeradius.nas WHERE nasname = '172.17.6.2' ) ORDER BY ID) UNION ALL SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY 'soniaregina' AND M.usuario_login = BINARY 'soniaregina' AND M.grupocliente = 'ALL-POPS' (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'soniaregina' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'soniaregina' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (1) Need 9 more connections to reach min connections (15) rlm_sql (sql): Opening additional connection (6), 1 of 58 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'mpc_freeradius' on mysql.mpc.com.br via TCP/IP, server version 5.5.55-0ubuntu0.14.04.1-log, protocol version 10 (0) [sql] = notfound (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = CHAP (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Auth-Type CHAP { (0) chap: ERROR: &control:Cleartext-Password is required for authentication (0) [chap] = fail (0) } # Auth-Type CHAP = fail (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (2) (0) sql: EXPAND %{User-Name} (0) sql: --> soniaregina (0) sql: SQL-User-Name set to 'soniaregina' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'soniaregina', '0x01cc08e5f2ad79880124b1d826606947b2', 'Access-Reject', '2017-08-02 09:11:51') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'soniaregina', '0x01cc08e5f2ad79880124b1d826606947b2', 'Access-Reject', '2017-08-02 09:11:51') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (2) (0) [sql] = ok (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> soniaregina (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default} (0) linelog: --> messages.Access-Reject (0) linelog: No such entry ".messages.Access-Reject" (0) [linelog] = noop (0) } # Post-Auth-Type REJECT = updated (0) Login incorrect (chap: &control:Cleartext-Password is required for authentication): [soniaregina/<via Auth-Type = CHAP>] (from client ce-popitpm-rb port 15736495 cli 84:C9:B2:A3:BB:67) (0) Delaying response for 1.000000 seconds
Hello, Sorry to importunate!! I solved the problem. In 3.0.15 version the return is fail and not invalid! I changed in default file and all is ok!! Really sorry! Aurelio Em 02/08/2017 09:37, Aurélio de Souza Ribeiro Neto escreveu:
Hello,
I did Upgrade from 2.2.9 to 3.0.15.
For marketing purposes if my client is not on my base and tries to connect to my system, I permit the access in a specific pool.
When I upgraded to 3, this stoped to work.
Some help?
Look more details.....
In my default file:
Auth-Type CHAP { chap { invalid = 1 }
if(invalid) {
update control { Pool-Name := "mkt_pool" }
update reply { Mikrotik-Rate-Limit := "300K/2M 600K/2200K 450K/1500K 10/10" }
ok }
}
My radiusd -X output:
Ready to process requests (0) Received Access-Request Id 199 from 172.17.6.2:42459 to 187.120.197.145:1812 length 152 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) NAS-Port = 15736495 (0) NAS-Port-Type = Ethernet (0) User-Name = "soniaregina" (0) Calling-Station-Id = "84:C9:B2:A3:BB:67" (0) Called-Station-Id = "CE - POP ITPM5" (0) NAS-Port-Id = "ether5" (0) CHAP-Challenge = 0x3cfe95eca592d11448a098b33412cd0b (0) CHAP-Password = 0x01cc08e5f2ad79880124b1d826606947b2 (0) NAS-Identifier = "CE-ITPM" (0) NAS-IP-Address = 172.17.6.2 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) [preprocess] = ok (0) chap: &control:Auth-Type := CHAP (0) [chap] = ok (0) [mschap] = noop (0) sql: EXPAND %{User-Name} (0) sql: --> soniaregina (0) sql: SQL-User-Name set to 'soniaregina' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY '%{SQL-User-Name}' AND M.usuario_login = BINARY '%{SQL-User-Name}' AND N.nasname = '%{Nas-IP-Address}' AND N.gw_id = (SELECT gateway_id FROM mpc_lw.maclist WHERE usuario_login = BINARY '%{SQL-User-Name}' AND plano_id NOT IN (8,9,793) AND gateway_id = ( SELECT gw_id FROM mpc_freeradius.nas WHERE nasname = '%{Nas-IP-Address}' ) ORDER BY ID) UNION ALL SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY '%{SQL-User-Name}' AND M.usuario_login = BINARY '%{SQL-User-Name}' AND M.grupocliente = 'ALL-POPS' (0) sql: --> SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY 'soniaregina' AND M.usuario_login = BINARY 'soniaregina' AND N.nasname = '172.17.6.2' AND N.gw_id = (SELECT gateway_id FROM mpc_lw.maclist WHERE usuario_login = BINARY 'soniaregina' AND plano_id NOT IN (8,9,793) AND gateway_id = ( SELECT gw_id FROM mpc_freeradius.nas WHERE nasname = '172.17.6.2' ) ORDER BY ID) UNION ALL SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY 'soniaregina' AND M.usuario_login = BINARY 'soniaregina' AND M.grupocliente = 'ALL-POPS' (0) sql: Executing select query: SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY 'soniaregina' AND M.usuario_login = BINARY 'soniaregina' AND N.nasname = '172.17.6.2' AND N.gw_id = (SELECT gateway_id FROM mpc_lw.maclist WHERE usuario_login = BINARY 'soniaregina' AND plano_id NOT IN (8,9,793) AND gateway_id = ( SELECT gw_id FROM mpc_freeradius.nas WHERE nasname = '172.17.6.2' ) ORDER BY ID) UNION ALL SELECT DISTINCT (R.id), R.username, R.attribute, R.value, R.op FROM mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist M WHERE R.username = BINARY 'soniaregina' AND M.usuario_login = BINARY 'soniaregina' AND M.grupocliente = 'ALL-POPS' (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'soniaregina' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'soniaregina' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (1) Need 9 more connections to reach min connections (15) rlm_sql (sql): Opening additional connection (6), 1 of 58 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'mpc_freeradius' on mysql.mpc.com.br via TCP/IP, server version 5.5.55-0ubuntu0.14.04.1-log, protocol version 10 (0) [sql] = notfound (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = CHAP (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Auth-Type CHAP { (0) chap: ERROR: &control:Cleartext-Password is required for authentication (0) [chap] = fail (0) } # Auth-Type CHAP = fail (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (2) (0) sql: EXPAND %{User-Name} (0) sql: --> soniaregina (0) sql: SQL-User-Name set to 'soniaregina' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'soniaregina', '0x01cc08e5f2ad79880124b1d826606947b2', 'Access-Reject', '2017-08-02 09:11:51') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'soniaregina', '0x01cc08e5f2ad79880124b1d826606947b2', 'Access-Reject', '2017-08-02 09:11:51') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (2) (0) [sql] = ok (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> soniaregina (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default} (0) linelog: --> messages.Access-Reject (0) linelog: No such entry ".messages.Access-Reject" (0) [linelog] = noop (0) } # Post-Auth-Type REJECT = updated (0) Login incorrect (chap: &control:Cleartext-Password is required for authentication): [soniaregina/<via Auth-Type = CHAP>] (from client ce-popitpm-rb port 15736495 cli 84:C9:B2:A3:BB:67) (0) Delaying response for 1.000000 seconds
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Arran Cudbard-Bell -
Aurélio de Souza Ribeiro Neto -
Marco Pirovano -
Peter Lambrechtsen