Does anyone here on the list have the RPM for freeradius /w experimental modeles to share with me. I would be very greatfull. I would compile it however, SUSE won't let me compile the program because of interdependancy errors and it's like chasing my tail so I gave up. ---- LeRoy
Hi, I would suggest you to compile freeradius from the scratch, because with the RPM package you would also have dependandcy errors ( which will give you headache believe me ). If you have troubles compiling your do some googling, and you'll find a solution. If not - send an email to this list, and I am sure someone will be able to pinpoint your mistake ( or missing component ). Regards, Edvin -----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of LeRoy DeVries Sent: Samstag, 17. Dezember 2005 16:11 To: FreeRadius users mailing list Subject: Freeradius RPM for SUSE 10.0 or 9.3 Does anyone here on the list have the RPM for freeradius /w experimental modeles to share with me. I would be very greatfull. I would compile it however, SUSE won't let me compile the program because of interdependancy errors and it's like chasing my tail so I gave up. ---- LeRoy - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
You can find them at http://www.wegener-net.de/fr/suse93 . Norbert LeRoy DeVries wrote:
Does anyone here on the list have the RPM for freeradius /w experimental modeles to share with me. I would be very greatfull.
I would compile it however, SUSE won't let me compile the program because of interdependancy errors and it's like chasing my tail so I gave up.
---- LeRoy
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Saturday 17 December 2005 08:59, Norbert Wegener wrote:
You can find them at http://www.wegener-net.de/fr/suse93 . Norbert
Thanks Norbert... After further googling I found a RPM package for Freeradius v1.0.4 however after installing that package I found it does not have the sql_counter module which I need. How would one go about adding that module. ---- LeRoy
Hello, been reading the list for months, first time posting. I am trying to setup a FreeRadius server which will basically authenticate all request which it receives from any IP in the clients.conf which has the correct secret. It seems that setting: DEFAULT Auth-Type := Accept in the users file accomplishes the AuthAll part but it is doing an auth all for any IP not just the ones in my clients.conf, also it doesn't seem to matter what the secret is set to on the client end, it still sends and accept. If I turn off the DEFAULT Auth-Type := Accept, my clients.conf including the secret is honored. Is there any way to accomplish what I am trying to do? Thanks in advance.
Forgot to mention my version: 1.0.5 Running on Fedora 4 Thanks.. ----- Original Message ----- From: "Mojo Jojo" <mylist@lightwavetech.com> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Saturday, December 17, 2005 3:44 PM Subject: Auth All but only for those in my clients.conf
Hello, been reading the list for months, first time posting.
I am trying to setup a FreeRadius server which will basically authenticate all request which it receives from any IP in the clients.conf which has the correct secret.
It seems that setting: DEFAULT Auth-Type := Accept
in the users file accomplishes the AuthAll part but it is doing an auth all for any IP not just the ones in my clients.conf, also it doesn't seem to matter what the secret is set to on the client end, it still sends and accept.
If I turn off the DEFAULT Auth-Type := Accept, my clients.conf including the secret is honored.
Is there any way to accomplish what I am trying to do?
Thanks in advance.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Mojo Jojo" <mylist@lightwavetech.com >wrote:
I am trying to setup a FreeRadius server which will basically authenticate all request which it receives from any IP in the clients.conf which has the correct secret.
read raddb/clients.conf
It seems that setting: DEFAULT Auth-Type := Accept
Doesn't help. Alan DeKok.
"Mojo Jojo" <mylist@lightwavetech.com >wrote:
I am trying to setup a FreeRadius server which will basically authenticate all request which it receives from any IP in the clients.conf which has the correct secret.
read raddb/clients.conf
I read the entire file before posting as well as many other files and docs, I have not dound the answer which is why I posted here.
It seems that setting: DEFAULT Auth-Type := Accept
Doesn't help.
I am not sure I understand your response.. It does help because it allows me to AuthAll request that come in regardless of the username or password which is what I want. The problem is that I only want a request to be authed if it came from a client which is configured in my clients.conf file and only if the secret matches. At this time, the request are authed regardless of the username or password but they are authed regardless of the client or secret. Sorry if I did not explain this correctly the first time.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
At this time, the request are authed regardless of the username or password but they are authed regardless of the client or secret.
Not possible.
You are correct.. Let me re-phrase after doing a little more testing... At this time I have an "AuthAll" setup working and it only works for request that come from IPs with belong to clients defined in the clients.conf file. But... I have confirmed 100% that the secret on defined in those clients is totally ignored in this situation. So, I can attempt to login from a defined client using any secret and they all work as long as the request is coming from an IP belonging to a client defined in the clients.conf file. I don't care if the secret is ignored personally, just thought some of you folks might want to know. As long as the request are only honored from authorized IPs this is good enough for the application I am using it for.
Only thing I am stuck on here is that my CHAP request are failing with this message: #### Sat Dec 17 22:31:06 2005 : Auth: Login incorrect (rlm_chap: Clear text password not available) #### I see this section in the FAQ: ################## So, if you're using CHAP, for each user entry you must use: Auth-Type = Local, Password = "stealme" If you're using only PAP, you can get away with: Auth-Type = System or anything else that tickles your fancy. ################### But I am using: ################ DEFAULT Auth-Type = Accept ################ This is so I can do the AuthAll, it works for PAP but not the CHAP request. Since I am not requiring a password for the request, how can I supply it in clear text? So, the question is, how do I make the AuthAll work for CHAP request as well? Thanks..
Mojo Jojo wrote:
Only thing I am stuck on here is that my CHAP request are failing with this message:
#### Sat Dec 17 22:31:06 2005 : Auth: Login incorrect (rlm_chap: Clear text password not available) #### seems pretty clear. You must have clear text passwords in the users file or sql for chap, pap doesn't require them. You may want to run the server in debug since I have noticed that it spits that error out even if they merely have an incorrect password but it is stored clear text. Debug will give you exactly what is going on a few lines above where this is printed. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
Mojo Jojo wrote:
Only thing I am stuck on here is that my CHAP request are failing with this message:
#### Sat Dec 17 22:31:06 2005 : Auth: Login incorrect (rlm_chap: Clear text password not available) #### seems pretty clear. You must have clear text passwords in the users file or sql for chap, pap doesn't require them. You may want to run the server in debug since I have noticed that it spits that error out even if they merely have an incorrect password but it is stored clear text. Debug will give you exactly what is going on a few lines above where this is printed.
How is it clear? There are no passwords or users on the machine, how can I store the non existent passwords in clear text if they don't exist? I am trying to do an Auth All setup where all users from authorized clients are accepted regardless of username/password.
Mojo Jojo wrote>
Mojo Jojo wrote:
Only thing I am stuck on here is that my CHAP request are failing with this message:
#### Sat Dec 17 22:31:06 2005 : Auth: Login incorrect (rlm_chap: Clear text password not available) ####
seems pretty clear. You must have clear text passwords in the users file or sql for chap, pap doesn't require them. You may want to run the server in debug since I have noticed that it spits that error out even if they merely have an incorrect password but it is stored clear text. Debug will give you exactly what is going on a few lines above where this is printed.
How is it clear? There are no passwords or users on the machine, how can I store the non existent passwords in clear text if they don't exist?
I am trying to do an Auth All setup where all users from authorized clients are accepted regardless of username/password.
sorry. why don't you post a debug output of the client attempt so we all have something to look at? -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
You want to allow any client that matches what is in the clients.conf file in, correct? The secret in your clients.conf file is used to encrypt and sign packets between the clients and the server. It is not used for authentication. Have you tried adding the IPs to some type of backend? For example, if you used the users file and huntgroups file. In huntgroups. allow Client-IP-Address == 1.1.1.1 allow Client-IP-Address == 1.1.1.2 allow Client-IP-Address == 1.1.1.3 Then in users file DEFAULT Huntgroup-Name == allow, Auth-Type := Accept DEFAULT Auth-Type := Reject
You want to allow any client that matches what is in the clients.conf file in, correct?
Well, sort of.. I want to allow any authentication request which comes in from a client which is contained in the clients.conf file.
The secret in your clients.conf file is used to encrypt and sign packets between the clients and the server. It is not used for authentication.
Based on what you mention here and what someone else on the list mentioned earlier, I think the reason the secret is ignored is because it is used to encrypt the auth info which is basically non existant in an Auth All situation. Am I getting this correct now?
Have you tried adding the IPs to some type of backend?
For example, if you used the users file and huntgroups file.
In huntgroups.
allow Client-IP-Address == 1.1.1.1 allow Client-IP-Address == 1.1.1.2 allow Client-IP-Address == 1.1.1.3
Then in users file
DEFAULT Huntgroup-Name == allow, Auth-Type := Accept
DEFAULT Auth-Type := Reject
Well, I don't understand the huntgroups and all just yet, I am new to FreeRadius (not to Radius in general, just FreeRadius). So, will this fix my issue where only CHAP request are rejected? I am only having trouble with CHAP request at this time, all other request from allowed clients in the clients.conf file are getting an Accept back just as I want. Since we use Qwest dialup as one of our wholesale solutions, they send CHAP and these are getting rejected still, all other vendors are working fine.
The secret in your clients.conf file is used to encrypt and sign packets between the clients and the server. It is not used for authentication.
Based on what you mention here and what someone else on the list mentioned earlier, I think the reason the secret is ignored is because it is used to encrypt the auth info which is basically non existant in an Auth All situation.
Am I getting this correct now?
Yep
Well, I don't understand the huntgroups and all just yet, I am new to FreeRadius (not to Radius in general, just FreeRadius). So, will this fix my issue where only CHAP request are rejected? I am only having trouble with CHAP request at this time, all other request from allowed clients in the clients.conf file are getting an Accept back just as I want.
The huntgroups file is pretty easy to understand. Just read the comments in it. But, now that you mention it. Your Auth-Type := Accept is still working with chap. Perhaps what I told you won't make a difference. Do you have anything in your authorize and authenticate section? Perhaps you ought to just try this. Comment out everything in authorize except for preprocess and files, so it would look like this w/out the comments. authorize { preprocess files } authenticate { } That way the only thing that is touched is the users file. I'd be willing to bet that you have chap listed in authorize right now and its before the files section. So, its hitting the chap section of authorize and doesn't see a chap passwd and fails which causes a reject before it even gets to the files section. Just a guess?
Comment out everything in authorize except for preprocess and files, so it would look like this w/out the comments.
authorize { preprocess files }
authenticate { }
Cool, it worked! I didn't do exactly what you said but close. I found this section: ################### # # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set #chap ################## I just commented out the chap line and that did the trick! Thanks a ton for your help and thanks to the others that offered advice. --Todd
sorry. why don't you post a debug output of the client attempt so we all have something to look at?
OK, here we go.. I changes my IPs and realm names to text similar to this ##MyRealmWasHere## Again, I did want to mention that only CHAP request fail, others go through fine with an Accept. ##################################################################### Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host ##MyIPwasHere##:3457, id=0, length=57 User-Name = "todd@##MyDomainWasHere##.com" CHAP-Password = 0x7e842a573cd6363e06fe53a93a7b8d9e94 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/var/log/radius/radacct/##ClientIPwasHere##/auth-detail-20051219' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/##ClientIPwasHere##/auth-detail-20051219 modcall[authorize]: module "auth_log" returns ok for request 0 rlm_chap: Setting 'Auth-Type := CHAP' modcall[authorize]: module "chap" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: Looking up realm "##MyDomainWasHere##/" for User-Name = "todd@##MyDomainWasHere##/.com" rlm_realm: No such realm "##MyDomainWasHere##/.com" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 156 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type CHAP auth: type "CHAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_chap: login attempt by "todd@##MyDomainWasHere##.com" with CHAP password rlm_chap: Could not find clear text password for user todd@##MyDomainWasHere##.com modcall[authenticate]: module "chap" returns invalid for request 0 modcall: group Auth-Type returns invalid for request 0 auth: Failed to validate the user. Login incorrect (rlm_chap: Clear text password not available): [todd@##MyDomainWasHere##.com/<CHAP-Password>] (from client ToddHome port 0) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 0 to ##ClientIPwasHere##:3457 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 0 with timestamp 43a70341 Nothing to do. Sleeping until we see a request. ###################################################################
Again, I did want to mention that only CHAP request fail, others go through fine with an Accept.
#####################################################################
Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host ##MyIPwasHere##:3457, id=0, length=57 User-Name = "todd@##MyDomainWasHere##.com" CHAP-Password = 0x7e842a573cd6363e06fe53a93a7b8d9e94 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/var/log/radius/radacct/##ClientIPwasHere##/auth-detail-20051219' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/##ClientIPwasHere##/auth-detail-20051219 modcall[authorize]: module "auth_log" returns ok for request 0
I think this is the problem. Try commenting out chap in the authorize section.
rlm_chap: Setting 'Auth-Type := CHAP' modcall[authorize]: module "chap" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: Looking up realm "##MyDomainWasHere##/" for User-Name = "todd@##MyDomainWasHere##/.com" rlm_realm: No such realm "##MyDomainWasHere##/.com" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 156
I'd have to assume this matches line (156) matches your Auth-Type := Accept. However, for some reason its not overriding the Auth-Type := Chap, that was set earlier by the chap section of authorize.
modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type CHAP auth: type "CHAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_chap: login attempt by "todd@##MyDomainWasHere##.com" with CHAP password rlm_chap: Could not find clear text password for user todd@##MyDomainWasHere##.com modcall[authenticate]: module "chap" returns invalid for request 0 modcall: group Auth-Type returns invalid for request 0 auth: Failed to validate the user. Login incorrect (rlm_chap: Clear text password not available): [todd@##MyDomainWasHere##.com/<CHAP-Password>] (from client ToddHome port 0) Delaying request 0 for 1 seconds Finished request 0
Try commenting out chap in authorize and authenticate and see what happens.
Mojo Jojo wrote:
At this time, the request are authed regardless of the username or password but they are authed regardless of the client or secret.
Not possible.
You are correct..
Let me re-phrase after doing a little more testing...
At this time I have an "AuthAll" setup working and it only works for request that come from IPs with belong to clients defined in the clients.conf file.
But...
I have confirmed 100% that the secret on defined in those clients is totally ignored in this situation.
So, I can attempt to login from a defined client using any secret and they all work as long as the request is coming from an IP belonging to a client defined in the clients.conf file.
I don't care if the secret is ignored personally, just thought some of you folks might want to know. As long as the request are only honored from authorized IPs this is good enough for the application I am using it for.
If you look at the way the secret is used you'll find that your use of auth-type := accept makes it irrelevant. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
Lewis Bergman wrote:
Mojo Jojo wrote:
At this time, the request are authed regardless of the username or password but they are authed regardless of the client or secret.
Not possible.
You are correct..
If you look at the way the secret is used you'll find that your use of auth-type := accept makes it irrelevant.
secret is used to encrypt user-passwword attributes.
LeRoy DeVries wrote:
On Saturday 17 December 2005 08:59, Norbert Wegener wrote:
You can find them at http://www.wegener-net.de/fr/suse93 . Norbert
Thanks Norbert...
After further googling I found a RPM package for Freeradius v1.0.4 however after installing that package I found it does not have the sql_counter module which I need. How would one go about adding that module.
I don't know, whether this module is experimetnal in 1.0.4. For the version I've compiled, I modified the corresponding spec file by adding --with-experimental-modules to the configure options and build the rpms. Norbert
---- LeRoy - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Saturday 17 December 2005 14:44, Norbert Wegener wrote:
I don't know, whether this module is experimetnal in 1.0.4. For the version I've compiled, I modified the corresponding spec file by adding --with-experimental-modules to the configure options and build the rpms. Norbert
Thanks again Norbert. I d/l your compile and again I was sent off chasing my tail because of dependency issues. After package 5 I gave up. I'm wondering if someone could send my the rlm_sql_counter module for v 1.0.4 I could just plug it into my lib directory and then make the required changes in the etc/radius.conf it would work. Anyone have any knowledge about that. -- LeRoy
participants (8)
-
Alan DeKok -
Dusty Doris -
Joe Maimon -
LeRoy DeVries -
Lewis Bergman -
Mojo Jojo -
Norbert Wegener -
Seferovic Edvin