Hi, FreeRADIUS is trying to do SYSTEM authentication. For SYSTEM authentication to work you need to have a Unix user with the same userid found in the request(in this case jmuser). So let me know which authentication type you want to use. If you want to use LDAP to authenticate your user one simple solution will be to comment out the DEFAULT entry which is setting the Auth-Type to SYSTEM in the users file. The users file is in the raddb directory. There will a couple of lines similar to the following. Just comment them. DEFAULT Auth-Type = System Fall-Through = 1 Also Universal Password is not read wrongly. Since System authentication fails a bind with a wrong password is performed to trigger the intruder detection feature of eDirectory. HTH. Regards, -Sayantan.
jmdanner@samford.edu 07/05/05 11:04 PM >>> Thanks - that worked. I'm getting a tls connect.
Now I have a problem testing using radtest. Using the following syntax. radtest jmuser heath10er server13.samford.edu 199.20.16.13 testing123
From the log the admin bind and login is OK - I've obscured the password, but it shows in the log exactly as it is in radiusd.conf.
rlm_ldap: starting TLS rlm_ldap: bind as cn=admin,ou=cts,o=dxmltemp/xxxxxx to gwtemp.samford.edu:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful Here's the excerpt showing the request from radtest. The password is represented correctly. rad_recv: Access-Request packet from host 199.20.16.13:33419, id=137, length=58 User-Name = "jmuser" User-Password = "heath10er" NAS-IP-Address = 255.255.255.255 NAS-Port = 199 Here's the attempted bind by the user. Note that the password presented is not "heath10er" but "aeath10er" and the bind fails. rlm_ldap: starting TLS rlm_ldap: bind as cn=jmuser,ou=R&D,ou=New Users,o=DXMLTEMP/aeath10er to gwtemp.samford.edu:389 rlm_ldap: waiting for bind result ... rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf rlm_ldap: eDirectory account policy check failed. rlm_ldap: NDS error: failed authentication (-669) Changed the Universal Password to "aeath10er" and got the following. rlm_ldap: starting TLS rlm_ldap: bind as cn=jmuser,ou=R&D,ou=New Users,o=DXMLTEMP/beath10er to gwtemp.samford.edu:389 rlm_ldap: waiting for bind result ... rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf rlm_ldap: eDirectory account policy check failed. rlm_ldap: NDS error: failed authentication (-669) It appears that the Universal Password is being misread. Can that be true? Full log is below. Thanks Mearl
sbhowmick@novell.com 6/27/2005 10:55:07 PM >>> Hi, You need to extract the Self Signed certificate of the CA (from inside the Security Container). Once you have extracted that you need to configure tls_cacertfile in the ldap section of radiusd.conf. You have configured the tls_certfile. Once you do that it should start working.
-Sayantan.
jmdanner@samford.edu 06/27/05 9:20 PM >>> I'm having trouble getting a TLS connection from freeradius to my Novell LDAP Server.
I've used Novell's document "Integrating Novell eDirectory with FreeRadius" to set it up. The radius -X log shows "rlm_ldap: could not start TLS Connect error" I've configured ldap.conf to use the same certificate and am able to do a successful search using: ldapsearch -vvv -h gwtemp.samford.edu -x -Z -b o=dxmltemp "cn=jmuser" dn FreeRadius 1.0.4 compiled --with-edir Redhat AS3 update 5 on an IBM p615 openldap-2.0.27-17 openssl-0.9.7a-33.15 Netware 6.5 SP3 on Dell hardware. Mearl Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap: Loaded and initialized type tls mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded LDAP ldap: server = "gwtemp.samford.edu" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "cn=admin,ou=cts,o=dxmltemp" ldap: tls_mode = no ldap: start_tls = yes ldap: tls_cacertfile = "/usr/local/etc/raddb/certs/GWTEMP-SSL-DNS.b64" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "demand" ldap: password = "xxxxx-xxxxx" ldap: basedn = "o=dxmltemp" ldap: filter = "(uniqueID=%{Stripped-User-Name:-%{User-Name}})" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "nspmPassword" ldap: access_attr = "dialupAccess" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: edir_account_policy_check = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port conns: 0x1016f6d8 Module: Instantiated ldap (ldap) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. rad_recv: Access-Request packet from host 199.20.16.13:33419, id=137, length=58 User-Name = "jmuser" User-Password = "heath10er" NAS-IP-Address = 255.255.255.255 NAS-Port = 199 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "jmuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for jmuser radius_xlat: '(uniqueID=jmuser)' radius_xlat: 'o=dxmltemp' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to gwtemp.samford.edu:389, authentication 0 rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/GWTEMP-SSL-DNS.b64 rlm_ldap: setting TLS Require Cert to demand rlm_ldap: starting TLS rlm_ldap: bind as cn=admin,ou=cts,o=dxmltemp/xxxxxx to gwtemp.samford.edu:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in o=dxmltemp, with filter (uniqueID=jmuser) rlm_ldap: checking if remote access for jmuser is allowed by dialupAccess rlm_ldap: Added the eDirectory password in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user jmuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns notfound for request 0 modcall: group authenticate returns notfound for request 0 auth: Failed to validate the user. Processing the post-auth section of radiusd.conf modcall: entering group Post-Auth-Type for request 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to gwtemp.samford.edu:389, authentication 0 rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/GWTEMP-SSL-DNS.b64 rlm_ldap: setting TLS Require Cert to demand rlm_ldap: starting TLS rlm_ldap: bind as cn=jmuser,ou=R&D,ou=New Users,o=DXMLTEMP/aeath10er to gwtemp.samford.edu:389 rlm_ldap: waiting for bind result ... rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf rlm_ldap: eDirectory account policy check failed. rlm_ldap: NDS error: failed authentication (-669) rlm_ldap: ldap_release_conn: Release Id: 0 modcall[post-auth]: module "ldap" returns reject for request 0 modcall: group Post-Auth-Type returns reject for request 0 Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... rad_recv: Access-Request packet from host 199.20.16.13:33419, id=137, length=58 Sending Access-Reject of id 137 to 199.20.16.13:33419 Reply-Message = "NDS error: failed authentication (-669)" --- Walking the entire request list --- Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 137 with timestamp 42cabe38 Nothing to do. Sleeping until we see a request. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yesterday I put our mirror drive in service after a recommendation here with 0.9.3 and the system is running fine. I decided to try and find out why the system would not work after an update. So I started all over with a completely new install of the radius and put everything in it's /opt directory The only part the does not work is the chap authentication all other authentication works as it should. Our wholesale provider says we are doing PAP just fine but no chap. They had very old instructions for Freeradius but decided to start out with a totally clean install. This user below is in mysql database, and the system passwd/shadow files. He will not authenticate with the mysql database when we include a realm @domain and chap password. It gets the slipstream false from the database so I'm not sure why it won't authenticate the rest. When I do this with the 0.9.3 that is currently running it works fine with the realm. I did diff on the radiusd.conf and the sql.conf files, and work at all the settings to be as close to the old one as possible. A couple new items in the files I did not know right off what they were for and left them as default. The last time we installed 0.9.3 we actually had help to config it to running step by step email instruction but that person is not around any longer. It was running in 45 minutes. here is the radius -x Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /opt/freeradius/etc/raddb/proxy.conf Config: including file: /opt/freeradius/etc/raddb/clients.conf Config: including file: /opt/freeradius/etc/raddb/snmp.conf Config: including file: /opt/freeradius/etc/raddb/eap.conf Config: including file: /opt/freeradius/etc/raddb/sql.conf main: prefix = "/opt/freeradius" main: localstatedir = "/opt/freeradius/var" main: logdir = "/opt/freeradius/var/log/radius" main: libdir = "/opt/freeradius/lib" main: radacctdir = "/opt/freeradius/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 1645 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "/opt/freeradius/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/opt/freeradius/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/opt/freeradius/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /opt/freeradius/lib Module: Loaded exec exec: wait = no exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/opt/freeradius/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/opt/freeradius/etc/raddb/huntgroups" preprocess: hints = "/opt/freeradius/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded attr_filter attr_filter: attrsfile = "/opt/freeradius/etc/raddb/attrs" rlm_attr_filter: Authorize method will be deprecated. Module: Instantiated attr_filter (attr_filter) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = yes realm: ignore_null = yes Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/opt/freeradius/etc/raddb/users" files: acctusersfile = "/opt/freeradius/etc/raddb/acct_users" files: preproxy_usersfile = "/opt/freeradius/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded SQL sql: driver = "rlm_sql_mysql" sql: server = "64.240.76.3" sql: port = "" sql: login = "root" sql: password = "test123" sql: radius_db = "radius" sql: acct_table = "radacct" sql: acct_table2 = "radacct" sql: authcheck_table = "radcheck" sql: authreply_table = "radreply" sql: groupcheck_table = "radgroupcheck" sql: groupreply_table = "radgroupreply" sql: usergroup_table = "usergroup" sql: nas_table = "nas" sql: dict_table = "dictionary" sql: sqltrace = yes sql: sqltracefile = "/opt/freeradius/var/log/radius/sqltrace.sql" sql: readclients = no sql: deletestalesessions = yes sql: num_sql_socks = 5 sql: sql_user_name = "%{User-Name}" sql: default_user_profile = "" sql: query_on_not_found = no sql: authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id" sql: authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id" sql: authorize_group_check_query = "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id" sql: authorize_group_reply_query = "SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id" sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'" sql: accounting_update_query = "UPDATE radacct ? SET FramedIPAddress = '%{Framed-IP-Address}', ? AcctSessionTime = '%{Acct-Session-Time}', ? AcctInputOctets = '%{Acct-Input-Octets}', ? AcctOutputOctets = '%{Acct-Output-Octets}' ? WHERE AcctSessionId = '%{Acct-Session-Id}' ? AND UserName = '%{SQL-User-Name}' ? AND NASIPAddress= '%{NAS-IP-Address}'" sql: accounting_update_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')" sql: accounting_start_query = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')" sql: accounting_start_query_alt = "UPDATE radacct SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'" sql: accounting_stop_query = "UPDATE radacct SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'" sql: accounting_stop_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')" sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'" sql: connect_failure_retry_delay = 60 sql: simul_count_query = "" sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0" sql: postauth_table = "radpostauth" sql: postauth_query = "INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())" sql: safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to root@64.240.76.3:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 Module: Instantiated sql (sql) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/opt/freeradius/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Initializing the thread pool... thread: start_servers = 5 thread: max_servers = 32 thread: min_spare_servers = 3 thread: max_spare_servers = 10 thread: max_requests_per_server = 0 thread: cleanup_delay = 5 Thread 1 waiting to be assigned a request Thread spawned new child 1. Total threads in pool: 1 Thread spawned new child 2. Total threads in pool: 2 Thread 2 waiting to be assigned a request Thread 3 waiting to be assigned a request Thread spawned new child 3. Total threads in pool: 3 Thread 4 waiting to be assigned a request Thread spawned new child 4. Total threads in pool: 4 Thread spawned new child 5. Total threads in pool: 5 Thread pool initialized Listening on authentication *:1645 Listening on accounting *:1646 Listening on proxy *:1647 Ready to process requests. Thread 5 waiting to be assigned a request rad_recv: Access-Request packet from host 64.240.76.3:33187, id=226, length=73 --- Walking the entire request list --- Waking up in 31 seconds... Threads: total/active/spare threads = 5/0/5 Thread 1 got semaphore Thread 1 handling request 0, (1 handled so far) User-Name = "rniclh@surftheusa.com" User-Password = "test123" NAS-IP-Address = 255.255.255.255 NAS-Port = 100 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 hints: Matched other at 80 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "attr_filter" returns noop for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_realm: No '@' in User-Name = "rniclh", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 159 users: Matched entry DEFAULT at line 178 users: Matched entry DEFAULT at line 190 modcall[authorize]: module "files" returns ok for request 0 radius_xlat: 'rniclh' rlm_sql (sql): sql_set_user escaped user --> 'rniclh' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'rniclh' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'rniclh' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'rniclh' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'rniclh' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'rniclh' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'rniclh' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'rniclh' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'rniclh' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_unix: [rniclh]: invalid password modcall[authenticate]: module "unix" returns reject for request 0 modcall: group authenticate returns reject for request 0 auth: Failed to validate the user. Login incorrect: [rniclh/test123] (from client ras1 port 100) Delaying request 0 for 1 seconds Finished request 0 Going to the next request Thread 1 waiting to be assigned a request rad_recv: Access-Request packet from host 64.240.76.3:33187, id=226, length=73 Sending Access-Reject of id 226 to 64.240.76.3:33187 Slipstream-Auth = "false" --- Walking the entire request list --- Waking up in 3 seconds...
Sorry about that. Forgot to change the subject line. Yesterday I put our mirror drive in service after a recommendation here with 0.9.3 and the system is running fine. I decided to try and find out why the system would not work after an update. So I started all over with a completely new install of the radius and put everything in it's /opt directory The only part the does not work is the chap authentication all other authentication works as it should. Our wholesale provider says we are doing PAP just fine but no chap. They had very old instructions for Freeradius but decided to start out with a totally clean install. This user below is in mysql database, and the system passwd/shadow files. He will not authenticate with the mysql database when we include a realm @domain and chap password. It gets the slipstream false from the database so I'm not sure why it won't authenticate the rest. When I do this with the 0.9.3 that is currently running it works fine with the realm. I did diff on the radiusd.conf and the sql.conf files, and work at all the settings to be as close to the old one as possible. A couple new items in the files I did not know right off what they were for and left them as default. The last time we installed 0.9.3 we actually had help to config it to running step by step email instruction but that person is not around any longer. It was running in 45 minutes. here is the radius -x Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /opt/freeradius/etc/raddb/proxy.conf Config: including file: /opt/freeradius/etc/raddb/clients.conf Config: including file: /opt/freeradius/etc/raddb/snmp.conf Config: including file: /opt/freeradius/etc/raddb/eap.conf Config: including file: /opt/freeradius/etc/raddb/sql.conf main: prefix = "/opt/freeradius" main: localstatedir = "/opt/freeradius/var" main: logdir = "/opt/freeradius/var/log/radius" main: libdir = "/opt/freeradius/lib" main: radacctdir = "/opt/freeradius/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 1645 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "/opt/freeradius/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/opt/freeradius/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/opt/freeradius/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /opt/freeradius/lib Module: Loaded exec exec: wait = no exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/opt/freeradius/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/opt/freeradius/etc/raddb/huntgroups" preprocess: hints = "/opt/freeradius/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded attr_filter attr_filter: attrsfile = "/opt/freeradius/etc/raddb/attrs" rlm_attr_filter: Authorize method will be deprecated. Module: Instantiated attr_filter (attr_filter) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = yes realm: ignore_null = yes Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/opt/freeradius/etc/raddb/users" files: acctusersfile = "/opt/freeradius/etc/raddb/acct_users" files: preproxy_usersfile = "/opt/freeradius/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded SQL sql: driver = "rlm_sql_mysql" sql: server = "64.240.76.3" sql: port = "" sql: login = "root" sql: password = "test123" sql: radius_db = "radius" sql: acct_table = "radacct" sql: acct_table2 = "radacct" sql: authcheck_table = "radcheck" sql: authreply_table = "radreply" sql: groupcheck_table = "radgroupcheck" sql: groupreply_table = "radgroupreply" sql: usergroup_table = "usergroup" sql: nas_table = "nas" sql: dict_table = "dictionary" sql: sqltrace = yes sql: sqltracefile = "/opt/freeradius/var/log/radius/sqltrace.sql" sql: readclients = no sql: deletestalesessions = yes sql: num_sql_socks = 5 sql: sql_user_name = "%{User-Name}" sql: default_user_profile = "" sql: query_on_not_found = no sql: authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id" sql: authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id" sql: authorize_group_check_query = "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id" sql: authorize_group_reply_query = "SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id" sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'" sql: accounting_update_query = "UPDATE radacct ? SET FramedIPAddress = '%{Framed-IP-Address}', ? AcctSessionTime = '%{Acct-Session-Time}', ? AcctInputOctets = '%{Acct-Input-Octets}', ? AcctOutputOctets = '%{Acct-Output-Octets}' ? WHERE AcctSessionId = '%{Acct-Session-Id}' ? AND UserName = '%{SQL-User-Name}' ? AND NASIPAddress= '%{NAS-IP-Address}'" sql: accounting_update_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')" sql: accounting_start_query = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')" sql: accounting_start_query_alt = "UPDATE radacct SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'" sql: accounting_stop_query = "UPDATE radacct SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'" sql: accounting_stop_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')" sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'" sql: connect_failure_retry_delay = 60 sql: simul_count_query = "" sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0" sql: postauth_table = "radpostauth" sql: postauth_query = "INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())" sql: safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to root@64.240.76.3:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 Module: Instantiated sql (sql) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/opt/freeradius/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Initializing the thread pool... thread: start_servers = 5 thread: max_servers = 32 thread: min_spare_servers = 3 thread: max_spare_servers = 10 thread: max_requests_per_server = 0 thread: cleanup_delay = 5 Thread 1 waiting to be assigned a request Thread spawned new child 1. Total threads in pool: 1 Thread spawned new child 2. Total threads in pool: 2 Thread 2 waiting to be assigned a request Thread 3 waiting to be assigned a request Thread spawned new child 3. Total threads in pool: 3 Thread 4 waiting to be assigned a request Thread spawned new child 4. Total threads in pool: 4 Thread spawned new child 5. Total threads in pool: 5 Thread pool initialized Listening on authentication *:1645 Listening on accounting *:1646 Listening on proxy *:1647 Ready to process requests. Thread 5 waiting to be assigned a request rad_recv: Access-Request packet from host 64.240.76.3:33187, id=226, length=73 --- Walking the entire request list --- Waking up in 31 seconds... Threads: total/active/spare threads = 5/0/5 Thread 1 got semaphore Thread 1 handling request 0, (1 handled so far) User-Name = "rniclh@surftheusa.com" User-Password = "test123" NAS-IP-Address = 255.255.255.255 NAS-Port = 100 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 hints: Matched other at 80 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "attr_filter" returns noop for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_realm: No '@' in User-Name = "rniclh", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 159 users: Matched entry DEFAULT at line 178 users: Matched entry DEFAULT at line 190 modcall[authorize]: module "files" returns ok for request 0 radius_xlat: 'rniclh' rlm_sql (sql): sql_set_user escaped user --> 'rniclh' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'rniclh' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'rniclh' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'rniclh' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'rniclh' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'rniclh' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'rniclh' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'rniclh' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'rniclh' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_unix: [rniclh]: invalid password modcall[authenticate]: module "unix" returns reject for request 0 modcall: group authenticate returns reject for request 0 auth: Failed to validate the user. Login incorrect: [rniclh/test123] (from client ras1 port 100) Delaying request 0 for 1 seconds Finished request 0 Going to the next request Thread 1 waiting to be assigned a request rad_recv: Access-Request packet from host 64.240.76.3:33187, id=226, length=73 Sending Access-Reject of id 226 to 64.240.76.3:33187 Slipstream-Auth = "false" --- Walking the entire request list --- Waking up in 3 seconds...
Dusty Doris wrote:
The only part the does not work is the chap authentication all other authentication works as it should. Our wholesale provider says we are doing PAP just fine but no chap. They had very old instructions for Freeradius but decided to start out with a totally clean install.
This user below is in mysql database, and the system passwd/shadow files.
He will not authenticate with the mysql database when we include a realm @domain and chap password.
It gets the slipstream false from the database so I'm not sure why it won't authenticate the rest.
Thread 1 handling request 0, (1 handled so far) User-Name = "rniclh@surftheusa.com" User-Password = "test123" NAS-IP-Address = 255.255.255.255 NAS-Port = 100
I don't see a CHAP password in there.
Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 hints: Matched other at 80
You matched on the hints file on line 80 - what does your hints file say?
DEFAULT Suffix == ".ppp", Strip-User-Name = Yes Hint = "PPP", Service-Type = Framed-User, Framed-Protocol = PPP DEFAULT Suffix == ".slip", Strip-User-Name = Yes Hint = "SLIP", Service-Type = Framed-User, Framed-Protocol = SLIP DEFAULT Suffix == ".cslip", Strip-User-Name = Yes Hint = "CSLIP", Service-Type = Framed-User, Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP other Suffix == "@surftheusa.com", Strip-User-Name = Yes Hint = "PPP", Service-Type = Framed-User, Framed-Protocol = PPP
modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "attr_filter" returns noop for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_realm: No '@' in User-Name = "rniclh", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 159 users: Matched entry DEFAULT at line 178 users: Matched entry DEFAULT at line 190
You matched the users file in three seperate lines, 159, 178, and 190. What does your users file say on each of those lines?
# First setup all accounts to be checked against the UNIX /etc/passwd. # (Unless a password was already given earlier in this file). # DEFAULT Auth-Type == System Fall-Through = 1 # Defaults for all framed connections. # DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes # # Default for PPP: dynamic IP address, PPP mode, VJ-compression. # NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected # by the terminal server in which case there may not be a "P" suffix. # The terminal server sends "Framed-Protocol = PPP" for auto PPP. # DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP # # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression. # DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP # # Default for SLIP: dynamic IP address, SLIP mode. # DEFAULT Hint == "SLIP" Framed-Protocol = SLIP
modcall[authorize]: module "files" returns ok for request 0 radius_xlat: 'rniclh' rlm_sql (sql): sql_set_user escaped user --> 'rniclh'
...
modcall[authorize]: module "sql" returns ok for request 0 modcall: group authorize returns ok for request 0
Your sql call returned OK, that means the sql part worked.
rad_check_password: Found Auth-Type System auth: type "System"
Now it just got changed to Auth-Type System. Is this from your users file?
Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_unix: [rniclh]: invalid password
You authenticated with the unix module, is that what you want? The user failed because the password did not match your /etc/passwd file.
modcall[authenticate]: module "unix" returns reject for request 0 modcall: group authenticate returns reject for request 0 auth: Failed to validate the user.
I would look at your hints file and your users file to the lines it matched at - post them here if you want us to take a look at it. Also, if you don't want to use /etc/passwd, then disable the unix module in the authentication section.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Dusty Doris wrote:
The only part the does not work is the chap authentication all other authentication works as it should. Our wholesale provider says we are doing PAP just fine but no chap. They had very old instructions for Freeradius but decided to start out with a totally clean install.
This user below is in mysql database, and the system passwd/shadow files.
He will not authenticate with the mysql database when we include a realm @domain and chap password.
It gets the slipstream false from the database so I'm not sure why it won't authenticate the rest.
Thread 1 handling request 0, (1 handled so far) User-Name = "rniclh@surftheusa.com" User-Password = "test123" NAS-IP-Address = 255.255.255.255 NAS-Port = 100
I don't see a CHAP password in there.
Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 hints: Matched other at 80
You matched on the hints file on line 80 - what does your hints file say?
DEFAULT Suffix == ".ppp", Strip-User-Name = Yes Hint = "PPP", Service-Type = Framed-User, Framed-Protocol = PPP DEFAULT Suffix == ".slip", Strip-User-Name = Yes Hint = "SLIP", Service-Type = Framed-User, Framed-Protocol = SLIP DEFAULT Suffix == ".cslip", Strip-User-Name = Yes Hint = "CSLIP", Service-Type = Framed-User, Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP other Suffix == "@surftheusa.com", Strip-User-Name = Yes Hint = "PPP", Service-Type = Framed-User, Framed-Protocol = PPP
modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "attr_filter" returns noop for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_realm: No '@' in User-Name = "rniclh", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 159 users: Matched entry DEFAULT at line 178 users: Matched entry DEFAULT at line 190
You matched the users file in three seperate lines, 159, 178, and 190. What does your users file say on each of those lines?
# First setup all accounts to be checked against the UNIX /etc/passwd. # (Unless a password was already given earlier in this file). # DEFAULT Auth-Type == System Fall-Through = 1 # Defaults for all framed connections. # DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes # # Default for PPP: dynamic IP address, PPP mode, VJ-compression. # NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected # by the terminal server in which case there may not be a "P" suffix. # The terminal server sends "Framed-Protocol = PPP" for auto PPP. # DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP # # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression. # DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP # # Default for SLIP: dynamic IP address, SLIP mode. # DEFAULT Hint == "SLIP" Framed-Protocol = SLIP
modcall[authorize]: module "files" returns ok for request 0 radius_xlat: 'rniclh' rlm_sql (sql): sql_set_user escaped user --> 'rniclh'
...
modcall[authorize]: module "sql" returns ok for request 0 modcall: group authorize returns ok for request 0
Your sql call returned OK, that means the sql part worked.
rad_check_password: Found Auth-Type System auth: type "System"
Now it just got changed to Auth-Type System. Is this from your users file?
Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_unix: [rniclh]: invalid password
You authenticated with the unix module, is that what you want? The user failed because the password did not match your /etc/passwd file.
modcall[authenticate]: module "unix" returns reject for request 0 modcall: group authenticate returns reject for request 0 auth: Failed to validate the user.
I would look at your hints file and your users file to the lines it matched at - post them here if you want us to take a look at it. Also, if you don't want to use /etc/passwd, then disable the unix module in the authentication section.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
DEFAULT Suffix == ".ppp", Strip-User-Name = Yes Hint = "PPP", Service-Type = Framed-User, Framed-Protocol = PPP
DEFAULT Suffix == ".slip", Strip-User-Name = Yes Hint = "SLIP", Service-Type = Framed-User, Framed-Protocol = SLIP
DEFAULT Suffix == ".cslip", Strip-User-Name = Yes Hint = "CSLIP", Service-Type = Framed-User, Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP
Those hints are fine, won't cause any issues as far as I can tell.
You matched the users file in three seperate lines, 159, 178, and 190. What does your users file say on each of those lines?
# First setup all accounts to be checked against the UNIX /etc/passwd. # (Unless a password was already given earlier in this file). # DEFAULT Auth-Type == System Fall-Through = 1
What happens if you comment out where you set Auth-Type == System? The rest of your users file looked to just be matching for setting up reply attributes. It shouldn't have done anything to the Autz/Auth type.
OK, so there is nothing you can see why it's not working? The PAP authenticates work fine. it's CHAP that is failing. Any other ideas? Thanks Bob Dusty Doris wrote:
DEFAULT Suffix == ".ppp", Strip-User-Name = Yes Hint = "PPP", Service-Type = Framed-User, Framed-Protocol = PPP
DEFAULT Suffix == ".slip", Strip-User-Name = Yes Hint = "SLIP", Service-Type = Framed-User, Framed-Protocol = SLIP
DEFAULT Suffix == ".cslip", Strip-User-Name = Yes Hint = "CSLIP", Service-Type = Framed-User, Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP
Those hints are fine, won't cause any issues as far as I can tell.
You matched the users file in three seperate lines, 159, 178, and 190. What does your users file say on each of those lines?
# First setup all accounts to be checked against the UNIX /etc/passwd. # (Unless a password was already given earlier in this file). # DEFAULT Auth-Type == System Fall-Through = 1
What happens if you comment out where you set Auth-Type == System? The rest of your users file looked to just be matching for setting up reply attributes. It shouldn't have done anything to the Autz/Auth type.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Thu, 7 Jul 2005, Radius wrote:
OK, so there is nothing you can see why it's not working?
The PAP authenticates work fine. it's CHAP that is failing.
Any other ideas?
Thanks Bob
Well, the debug output you sent didn't contain a CHAP passwd. It failed because you had set Auth-Type == System, which told freeradius to auth against /etc/passwd, which failed. As I asked before, what happens when you comment out Auth-Type == System in your users file? Did you try that, yet? Also, if please post debug output that contains a CHAP passwd in it for help with your CHAP problem.
OK I can do this, but will the PAP that uses the /etc/passwd be prevented? We have both running here. Do I need to add a Auth == Local or something like that after that so it will check the MySql database when the /etc/passwd fails? Maybe my Fallthough is wrong for 1.0.4. This is runing ok in 0.9.3 Thanks Bob Dusty Doris wrote:
On Thu, 7 Jul 2005, Radius wrote:
OK, so there is nothing you can see why it's not working?
The PAP authenticates work fine. it's CHAP that is failing.
Any other ideas?
Thanks Bob
Well, the debug output you sent didn't contain a CHAP passwd. It failed because you had set Auth-Type == System, which told freeradius to auth against /etc/passwd, which failed.
As I asked before, what happens when you comment out Auth-Type == System in your users file? Did you try that, yet?
Also, if please post debug output that contains a CHAP passwd in it for help with your CHAP problem. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Thu, 7 Jul 2005, Radius wrote:
OK I can do this, but will the PAP that uses the /etc/passwd be prevented?
We have both running here.
Good question, I think it would. Is there any reason you're using both /etc/passwd and mysql? Why not just use mysql?
Do I need to add a Auth == Local or something like that after that so it will check the MySql database when the /etc/passwd fails?
Maybe my Fallthough is wrong for 1.0.4. This is runing ok in 0.9.3
Thanks Bob
If there is something coming in the packet that would definately tell you whether they were in sql or /etc/passwd, then you could edit your users file to handle that. Say, if a certain realm, then set Autz-Type to sql, otherwise, set Autz-Type to system. Check out doc/Autz-Type in the sourcecode. If you can't tell whether or not a user would be in sql or /etc/passwd, then you will probably want to do one of two things. First, migrate all the /etc/passwd users into sql. That would be the preferred method (to me at least). Secondly, check out doc/configurable_failover. That document will show you how to do grouping so that you can try one thing first and if that fails, try another before rejecting the user. Its interesting that it worked for you fine in .9, but not now. As I learn more about your setup, I can say that I've never done this before (using mysql and /etc/password with PAP and CHAP). Since it used to work, I have to think that there is just one small thing that needs to be tweaked. Perhaps there is someone on the list that has an easier suggestion for you than what I had above. But you could always throw it together on your lab machine and give it a try and see how it goes. Hope that is a little helpful, at least maybe pointing to some documentation that might interest you. Dusty Doris
The only part the does not work is the chap authentication all other authentication works as it should. Our wholesale provider says we are doing PAP just fine but no chap. They had very old instructions for Freeradius but decided to start out with a totally clean install.
This user below is in mysql database, and the system passwd/shadow files.
He will not authenticate with the mysql database when we include a realm @domain and chap password.
It gets the slipstream false from the database so I'm not sure why it won't authenticate the rest.
Thread 1 handling request 0, (1 handled so far) User-Name = "rniclh@surftheusa.com" User-Password = "test123" NAS-IP-Address = 255.255.255.255 NAS-Port = 100
I don't see a CHAP password in there.
Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 hints: Matched other at 80
You matched on the hints file on line 80 - what does your hints file say?
modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "attr_filter" returns noop for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_realm: No '@' in User-Name = "rniclh", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 159 users: Matched entry DEFAULT at line 178 users: Matched entry DEFAULT at line 190
You matched the users file in three seperate lines, 159, 178, and 190. What does your users file say on each of those lines?
modcall[authorize]: module "files" returns ok for request 0 radius_xlat: 'rniclh' rlm_sql (sql): sql_set_user escaped user --> 'rniclh' ... modcall[authorize]: module "sql" returns ok for request 0 modcall: group authorize returns ok for request 0
Your sql call returned OK, that means the sql part worked.
rad_check_password: Found Auth-Type System auth: type "System"
Now it just got changed to Auth-Type System. Is this from your users file?
Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_unix: [rniclh]: invalid password
You authenticated with the unix module, is that what you want? The user failed because the password did not match your /etc/passwd file.
modcall[authenticate]: module "unix" returns reject for request 0 modcall: group authenticate returns reject for request 0 auth: Failed to validate the user.
I would look at your hints file and your users file to the lines it matched at - post them here if you want us to take a look at it. Also, if you don't want to use /etc/passwd, then disable the unix module in the authentication section.
Thanks Dusty, I'll get all this for you. It all works fine on an older release is what is really making it very hard. Yes, we want it to do both. Chap & PAP Dusty Doris wrote:
The only part the does not work is the chap authentication all other authentication works as it should. Our wholesale provider says we are doing PAP just fine but no chap. They had very old instructions for Freeradius but decided to start out with a totally clean install.
This user below is in mysql database, and the system passwd/shadow files.
He will not authenticate with the mysql database when we include a realm @domain and chap password.
It gets the slipstream false from the database so I'm not sure why it won't authenticate the rest.
Thread 1 handling request 0, (1 handled so far) User-Name = "rniclh@surftheusa.com" User-Password = "test123" NAS-IP-Address = 255.255.255.255 NAS-Port = 100
I don't see a CHAP password in there.
Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 hints: Matched other at 80
You matched on the hints file on line 80 - what does your hints file say?
modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "attr_filter" returns noop for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_realm: No '@' in User-Name = "rniclh", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 159 users: Matched entry DEFAULT at line 178 users: Matched entry DEFAULT at line 190
You matched the users file in three seperate lines, 159, 178, and 190. What does your users file say on each of those lines?
modcall[authorize]: module "files" returns ok for request 0 radius_xlat: 'rniclh' rlm_sql (sql): sql_set_user escaped user --> 'rniclh'
...
modcall[authorize]: module "sql" returns ok for request 0 modcall: group authorize returns ok for request 0
Your sql call returned OK, that means the sql part worked.
rad_check_password: Found Auth-Type System auth: type "System"
Now it just got changed to Auth-Type System. Is this from your users file?
Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_unix: [rniclh]: invalid password
You authenticated with the unix module, is that what you want? The user failed because the password did not match your /etc/passwd file.
modcall[authenticate]: module "unix" returns reject for request 0 modcall: group authenticate returns reject for request 0 auth: Failed to validate the user.
I would look at your hints file and your users file to the lines it matched at - post them here if you want us to take a look at it. Also, if you don't want to use /etc/passwd, then disable the unix module in the authentication section.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Dusty Doris wrote:
The only part the does not work is the chap authentication all other authentication works as it should. Our wholesale provider says we are doing PAP just fine but no chap. They had very old instructions for Freeradius but decided to start out with a totally clean install.
This user below is in mysql database, and the system passwd/shadow files.
He will not authenticate with the mysql database when we include a realm @domain and chap password.
It gets the slipstream false from the database so I'm not sure why it won't authenticate the rest.
Thread 1 handling request 0, (1 handled so far) User-Name = "rniclh@surftheusa.com" User-Password = "test123" NAS-IP-Address = 255.255.255.255 NAS-Port = 100
I don't see a CHAP password in there.
Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 hints: Matched other at 80
You matched on the hints file on line 80 - what does your hints file say?
DEFAULT Suffix == ".ppp", Strip-User-Name = Yes Hint = "PPP", Service-Type = Framed-User, Framed-Protocol = PPP DEFAULT Suffix == ".slip", Strip-User-Name = Yes Hint = "SLIP", Service-Type = Framed-User, Framed-Protocol = SLIP DEFAULT Suffix == ".cslip", Strip-User-Name = Yes Hint = "CSLIP", Service-Type = Framed-User, Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP other Suffix == "@surftheusa.com", Strip-User-Name = Yes Hint = "PPP", Service-Type = Framed-User, Framed-Protocol = PPP
modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "attr_filter" returns noop for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_realm: No '@' in User-Name = "rniclh", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 159 users: Matched entry DEFAULT at line 178 users: Matched entry DEFAULT at line 190
You matched the users file in three seperate lines, 159, 178, and 190. What does your users file say on each of those lines?
# First setup all accounts to be checked against the UNIX /etc/passwd. # (Unless a password was already given earlier in this file). # DEFAULT Auth-Type == System Fall-Through = 1 # Defaults for all framed connections. # DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes # # Default for PPP: dynamic IP address, PPP mode, VJ-compression. # NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected # by the terminal server in which case there may not be a "P" suffix. # The terminal server sends "Framed-Protocol = PPP" for auto PPP. # DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP # # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression. # DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP # # Default for SLIP: dynamic IP address, SLIP mode. # DEFAULT Hint == "SLIP" Framed-Protocol = SLIP
modcall[authorize]: module "files" returns ok for request 0 radius_xlat: 'rniclh' rlm_sql (sql): sql_set_user escaped user --> 'rniclh'
...
modcall[authorize]: module "sql" returns ok for request 0 modcall: group authorize returns ok for request 0
Your sql call returned OK, that means the sql part worked.
rad_check_password: Found Auth-Type System auth: type "System"
Now it just got changed to Auth-Type System. Is this from your users file?
Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_unix: [rniclh]: invalid password
You authenticated with the unix module, is that what you want? The user failed because the password did not match your /etc/passwd file.
modcall[authenticate]: module "unix" returns reject for request 0 modcall: group authenticate returns reject for request 0 auth: Failed to validate the user.
I would look at your hints file and your users file to the lines it matched at - post them here if you want us to take a look at it. Also, if you don't want to use /etc/passwd, then disable the unix module in the authentication section.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I'm thinking that part of this below might be that I can only test locally with radtest. Is there a way to tell radtest to simulate a chap password? But when our provider was running a couple authentication tests for me before I put the backup drive in place it would not authenticate chap. The backup had version 0.9.3 and is running fine right now. So to be able to use the newest version I figured I should try and fix what I did/didn't do. Dusty Doris wrote:
The only part the does not work is the chap authentication all other authentication works as it should. Our wholesale provider says we are doing PAP just fine but no chap. They had very old instructions for Freeradius but decided to start out with a totally clean install.
This user below is in mysql database, and the system passwd/shadow files.
He will not authenticate with the mysql database when we include a realm @domain and chap password.
It gets the slipstream false from the database so I'm not sure why it won't authenticate the rest.
Thread 1 handling request 0, (1 handled so far) User-Name = "rniclh@surftheusa.com" User-Password = "test123" NAS-IP-Address = 255.255.255.255 NAS-Port = 100
I don't see a CHAP password in there.
Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 hints: Matched other at 80
You matched on the hints file on line 80 - what does your hints file say?
modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "attr_filter" returns noop for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_realm: No '@' in User-Name = "rniclh", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 159 users: Matched entry DEFAULT at line 178 users: Matched entry DEFAULT at line 190
You matched the users file in three seperate lines, 159, 178, and 190. What does your users file say on each of those lines?
modcall[authorize]: module "files" returns ok for request 0 radius_xlat: 'rniclh' rlm_sql (sql): sql_set_user escaped user --> 'rniclh'
...
modcall[authorize]: module "sql" returns ok for request 0 modcall: group authorize returns ok for request 0
Your sql call returned OK, that means the sql part worked.
rad_check_password: Found Auth-Type System auth: type "System"
Now it just got changed to Auth-Type System. Is this from your users file?
Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_unix: [rniclh]: invalid password
You authenticated with the unix module, is that what you want? The user failed because the password did not match your /etc/passwd file.
modcall[authenticate]: module "unix" returns reject for request 0 modcall: group authenticate returns reject for request 0 auth: Failed to validate the user.
I would look at your hints file and your users file to the lines it matched at - post them here if you want us to take a look at it. Also, if you don't want to use /etc/passwd, then disable the unix module in the authentication section.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Dusty Doris -
Radius -
Sayantan Bhowmick