Hi, folks. I'm trying to authenticate in a freeradius server, installed on a Debian 5.0 lenny x86_64. The freeradius version is 2.0.4 That is the message logged in my radius.log : Fri Nov 27 11:52:13 2009 : Error: rlm_radutmp: Logout for NAS cisco6500 port 0, but no Login record And my authentication method is the Debian /passwd one. Simple like that. Thanks a lot for some attention in this case. -- Wagner Pereira PoP-SP/RNP - Ponto de Presença da RNP em São Paulo CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo http://www.pop-sp.rnp.br Fone@RNP 1015-8902
Thanks, Ivan. But actually I'm worried if anything else is wrong in my configuration. So, I just figure out where is. Maybe in my aaa model at Cisco router. -- Wagner Pereira PoP-SP/RNP - Ponto de Presença da RNP em São Paulo CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo http://www.pop-sp.rnp.br Fone@RNP 1015-8902 tnt@kalik.net escreveu:
That is the message logged in my radius.log :
Fri Nov 27 11:52:13 2009 : Error: rlm_radutmp: Logout for NAS cisco6500 port 0, but no Login record
Accounting start packet got lost. Or your NAS is sending same port number for all users.
Ivan Kalik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ivan, the thing is: At the freeradius side I have: clients.conf file client 10.0.0.1 { secret = teste123 shortname = cisco6500 nastype = cisco } users file user Cleartext-Password := "teste123" Service-Type = NAS-Prompt-User $enable15$ Cleartext-Password := "recover" Service-Type = NAS-Prompt-User And at the cisco side I have: aaa new-model aaa group server radius admin ! aaa authentication login default group radius local aaa authentication login localauth local aaa authentication ppp default if-needed group radius local aaa authorization exec default group radius local aaa authorization network default group radius local aaa accounting delay-start aaa accounting exec default start-stop group radius aaa accounting network default start-stop group radius ! aaa session-id common radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 radius-server key 7 1403171818017B7977 And my questions are: How can I be sure where freeradius is authenticating in? /passwd or users file ? -- Wagner Pereira PoP-SP/RNP - Ponto de Presença da RNP em São Paulo CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo http://www.pop-sp.rnp.br Fone@RNP 1015-8902 tnt@kalik.net escreveu:
But actually I'm worried if anything else is wrong in my configuration. So, I just figure out where is. Maybe in my aaa model at Cisco router.
Since you got to accounting - authentication must be working. What is there to worry about?
Ivan Kalik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ivan, could you post an excerpt from debug where he is telling me that? -- Wagner Pereira PoP-SP/RNP - Ponto de Presença da RNP em São Paulo CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo http://www.pop-sp.rnp.br Fone@RNP 1015-8902 tnt@kalik.net escreveu:
And my questions are: How can I be sure where freeradius is authenticating in? /passwd or users file ?
Debug will tell you. Why have them both enabled if you want just one?
Ivan Kalik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ivan, could you post an excerpt from debug where he is telling me that?
No. It's your machine, not mine. You post the debug and we will tell you which password store is used. Ivan Kalik You bet! Here it is. server1:~# freeradius -X FreeRADIUS Version 2.0.4, for host x86_64-pc-linux-gnu, built on Sep 7 2008 at 17:42:33 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including configuration file /etc/freeradius/snmp.conf including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/freeradius/freeradius.pid" user = "freerad" group = "freerad" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.0.0.1 { require_message_authenticator = no secret = "teste123" shortname = "cisco6500" nastype = "cisco" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support. rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support. rlm_eap: Ignoring EAP-Type/peap because we do not have OpenSSL support. Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } } server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } main { snmp = no smux_password = "" snmp_write_access = no } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.1 port 21645, id=210, length=81 NAS-IP-Address = 10.0.0.1 NAS-Port = 1 NAS-Port-Type = Virtual User-Name = "recover" Calling-Station-Id = "10.0.0.3" User-Password = "recover" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "recover", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [recover/recover] (from client cisco6500 port 1 cli 10.0.0.3) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> recover attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 210 to 10.0.0.1 port 21645 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 21645, id=210, length=81 Sending duplicate reply to client cisco6500 port 21645 - ID: 210 Sending Access-Reject of id 210 to 10.0.0.1 port 21645 Waking up in 0.8 seconds. Cleaning up request 0 ID 210 with timestamp +12 Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.1 port 21645, id=210, length=81 NAS-IP-Address = 10.0.0.1 NAS-Port = 1 NAS-Port-Type = Virtual User-Name = "recover" Calling-Station-Id = "10.0.0.3" User-Password = "recover" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "recover", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [recover/recover] (from client cisco6500 port 1 cli 10.0.0.3) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> recover attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 210 to 10.0.0.1 port 21645 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 21645, id=210, length=81 Sending duplicate reply to client cisco6500 port 21645 - ID: 210 Sending Access-Reject of id 210 to 10.0.0.1 port 21645 Waking up in 0.8 seconds. Cleaning up request 1 ID 210 with timestamp +22 Ready to process requests. -- Wagner Pereira PoP-SP/RNP - Ponto de Presença da RNP em São Paulo CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo http://www.pop-sp.rnp.br Fone@RNP 1015-8902 tnt@kalik.net escreveu:
Ivan, could you post an excerpt from debug where he is telling me that?
No. It's your machine, not mine. You post the debug and we will tell you which password store is used.
Ivan Kalik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ivan, could you post an excerpt from debug where he is telling me that?
rad_recv: Access-Request packet from host 10.0.0.1 port 21645, id=210, length=81 NAS-IP-Address = 10.0.0.1 NAS-Port = 1 NAS-Port-Type = Virtual User-Name = "recover" Calling-Station-Id = "10.0.0.3" User-Password = "recover" ... ++[unix] returns notfound ++[files] returns noop
Nowhere. Because you are using the wrong username. According to what you posted username in users file is "user" not "recover". Ivan Kalik
participants (2)
-
tnt@kalik.net -
Wagner Pereira