newbie - authentication error
Hi all, I'd like to tetst my radius conf with a basic setting. I'm running freeradius-2.0.4-2 on linux debian. my client.conf contains the following : client localhost { ipaddr = 127.0.0.1 secret = testing123 nastype=other } my users file contains the following : testuser
A.L.M.Buxey@lboro.ac.uk a écrit :
Hi,
Hi all,
I'd like to tetst my radius conf with a basic setting.
really? looks from the log you posted that you've massively edited the provided config files. why? you've just broken the server.
ok, that means I have to remove the package and reinstall it. should I then test with a user already created on the system, or shall I create a new one in the users file ? the auth-type cannot be explicitely added to the arguments of the radtest, that's why I tried to set up in many different ways the users file.
alan -
Default configuration works - there is no need to change it. You have instructions in FAQ or users file about making simplest user entries. You don't need to set Auth-Type - server does this on it's own. Ivan Kalik Kalik Informatika ISP Dana 28/5/2008, "pkc_mls" <pkc_mls@yahoo.fr> piše:
A.L.M.Buxey@lboro.ac.uk a écrit :
Hi,
Hi all,
I'd like to tetst my radius conf with a basic setting.
really? looks from the log you posted that you've massively edited the provided config files. why? you've just broken the server.
ok, that means I have to remove the package and reinstall it. should I then test with a user already created on the system, or shall I create a new one in the users file ?
the auth-type cannot be explicitely added to the arguments of the radtest, that's why I tried to set up in many different ways the users file.
alan -
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ivan Kalik a écrit :
Default configuration works - there is no need to change it. You have instructions in FAQ or users file about making simplest user entries. You don't need to set Auth-Type - server does this on it's own.
I just removed the debian packages, removes the /var/log/radius and /etc/freeradius, did an apt-get install again, then followed the first step described in http://deployingradius.com/documents/configuration/pap.html, ie place the following text <http://deployingradius.com/scripts/raddb/users/pap.txt> at the *top* of the /users/ file: bob Cleartext-Password := "hello" then started the freeradius with a -X option : freeradius -X. radtest bob hello localhost 0 testing123 Sending Access-Request of id 189 to 127.0.0.1 port 1812 User-Name = "bob" User-Password = "hello" NAS-IP-Address = x.x.x.x NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=189, length=20 it looks like I choosed the wrong FAQ. the line added to the /etc/freeradius/users was the only modification I did to the users file. anyway, I'll test on another host, to see if it works better.
Ivan Kalik Kalik Informatika ISP
Dana 28/5/2008, "pkc_mls" <pkc_mls@yahoo.fr> piše:
A.L.M.Buxey@lboro.ac.uk a écrit :
Hi,
Hi all,
I'd like to tetst my radius conf with a basic setting.
really? looks from the log you posted that you've massively edited the provided config files. why? you've just broken the server.
ok, that means I have to remove the package and reinstall it. should I then test with a user already created on the system, or shall I create a new one in the users file ?
the auth-type cannot be explicitely added to the arguments of the radtest, that's why I tried to set up in many different ways the users file.
alan -
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Where is the output from the debug (radiusd -X)? Ivan Kalik Kalik Informatika ISP Dana 28/5/2008, "pkc_mls" <pkc_mls@yahoo.fr> piše:
Ivan Kalik a écrit :
Default configuration works - there is no need to change it. You have instructions in FAQ or users file about making simplest user entries. You don't need to set Auth-Type - server does this on it's own.
I just removed the debian packages, removes the /var/log/radius and /etc/freeradius, did an apt-get install again, then followed the first step described in http://deployingradius.com/documents/configuration/pap.html, ie place the following text <http://deployingradius.com/scripts/raddb/users/pap.txt> at the *top* of the /users/ file: bob Cleartext-Password := "hello"
then started the freeradius with a -X option : freeradius -X.
radtest bob hello localhost 0 testing123 Sending Access-Request of id 189 to 127.0.0.1 port 1812 User-Name = "bob" User-Password = "hello" NAS-IP-Address = x.x.x.x NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=189, length=20
it looks like I choosed the wrong FAQ.
the line added to the /etc/freeradius/users was the only modification I did to the users file.
anyway, I'll test on another host, to see if it works better.
Ivan Kalik Kalik Informatika ISP
Dana 28/5/2008, "pkc_mls" <pkc_mls@yahoo.fr> piše:
A.L.M.Buxey@lboro.ac.uk a écrit :
Hi,
Hi all,
I'd like to tetst my radius conf with a basic setting.
really? looks from the log you posted that you've massively edited the provided config files. why? you've just broken the server.
ok, that means I have to remove the package and reinstall it. should I then test with a user already created on the system, or shall I create a new one in the users file ?
the auth-type cannot be explicitely added to the arguments of the radtest, that's why I tried to set up in many different ways the users file.
alan -
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ivan Kalik a écrit :
Where is the output from the debug (radiusd -X)?
here it is : freeradius -X FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on May 11 2008 at 18:46:28 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including configuration file /etc/freeradius/snmp.conf including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/freeradius/freeradius.pid" user = "freerad" group = "freerad" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { modules { } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } main { snmp = no smux_password = "" snmp_write_access = no } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 32780, id=45, length=55 User-Name = "bob" User-Password = "hello" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [bob/hello] (from client localhost port 0) Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 45 to 127.0.0.1 port 32780 Waking up in 4.9 seconds. Cleaning up request 0 ID 45 with timestamp +8 Ready to process requests. thanks for your time and patience.
Ivan Kalik Kalik Informatika ISP
A.L.M.Buxey@lboro.ac.uk a écrit :
Hi,
here it is : freeradius -X
okay. so you didnt edit the config - the package maintainers have edited it in weird ways and broken in.
can you please post your radiusd.conf and sites-enabled/default
there is no sites-enabled/default file. the default is only in the sites-available directory. please find below the radiusd.conf. I removed the comments, but I can also send the complete file if needed. -------------------------------------------------------------------- prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/freeradius db_dir = $(raddbdir) libdir = /usr/lib/freeradius pidfile = ${run_dir}/freeradius.pid user = freerad group = freerad max_request_time = 30 cleanup_delay = 5 max_requests = 1024 listen { type = auth ipaddr = * port = 0 } listen { ipaddr = * port = 0 type = acct } hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log { destination = files file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = no auth_badpass = no auth_goodpass = no } checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = yes } proxy_requests = yes $INCLUDE proxy.conf $INCLUDE clients.conf snmp = no $INCLUDE snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { auto_header = no } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { radwtmp = ${logdir}/radwtmp } $INCLUDE eap.conf mschap { } ldap { server = "ldap.your.domain" basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no } realm IPASS { format = prefix delimiter = "/" } realm suffix { format = suffix delimiter = "@" } realm realmpercent { format = suffix delimiter = "%" } realm ntdomain { format = prefix delimiter = "\\" } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 header = "%t" } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter attr_filter.post-proxy { attrsfile = ${confdir}/attrs } attr_filter attr_filter.pre-proxy { attrsfile = ${confdir}/attrs.pre-proxy } attr_filter attr_filter.access_reject { key = %{User-Name} attrsfile = ${confdir}/attrs.access_reject } attr_filter attr_filter.accounting_response { key = %{User-Name} attrsfile = ${confdir}/attrs.accounting_response } counter daily { filename = ${db_dir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session reply-name = Session-Timeout allowed-servicetype = Framed-User cache-size = 5000 } always fail { rcode = fail } always reject { rcode = reject } always noop { rcode = noop } always handled { rcode = handled } always updated { rcode = updated } always notfound { rcode = notfound } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } expiration { reply-message = "Password Has Expired\r\n" } logintime { reply-message = "You are calling outside your allowed timespan\r\n" minimum-timeout = 60 } exec { wait = yes input_pairs = request shell_escape = yes output = none } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply shell_escape = yes } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${db_dir}/db.ippool ip-index = ${db_dir}/db.ipindex override = no maximum-timeout = 0 } policy { filename = ${confdir}/policy.txt } } instantiate { exec expr expiration logintime } $INCLUDE policy.conf $INCLUDE sites-enabled/ -------------------------------------------------------------------- this
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
A.L.M.Buxey@lboro.ac.uk a écrit :
Hi,
here it is : freeradius -X
okay. so you didnt edit the config - the package maintainers have edited it in weird ways and broken in.
can you please post your radiusd.conf and sites-enabled/default
there is no sites-enabled/default file. the default is only in the sites-available directory.
cp /etc/freeradius/sites-available/default /etc/freeradius/sites-enabled/default that default file contains the brains of the server! then run the system again. alan
A.L.M.Buxey@lboro.ac.uk a écrit :
Hi,
cp /etc/freeradius/sites-available/default /etc/freeradius/sites-enabled/default
that default file contains the brains of the server!
that's it. next step is to report the bug to debian package maintainer ... thanks everyone for patience and help.
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Ivan Kalik -
pkc_mls