white list for nas-ipaddress
Hi, i want to accept all request coming from a specific nas-ip-assdress , i used to configure like this (in users file): DEFAULT NAS-IP-Address == "192.168.150.25", Auth-Type := Accept Fall-Through = Yes The above settings are not working now, this is the debug of a transaction: rad_recv: Access-Request packet from host 192.168.150.25 port 1645, id=52, length=94 NAS-IP-Address = 192.168.150.25 NAS-Port = 108 NAS-Port-Type = Async User-Name = "123.com.sv" Called-Station-Id = "22660321" Calling-Station-Id = "22264218" User-Password = "cisco" Service-Type = Dialout-Framed-User +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "123.com.sv", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop expand: %{User-Name} -> 123.com.sv [sql] sql_set_user escaped user --> '123.com.sv' rlm_sql (sql): Reserving sql socket id: 22 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '123.com.sv' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '123.com.sv' ORDER BY priority rlm_sql (sql): Released sql socket id: 22 [sql] User 123.com.sv not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [123.com.sv/cisco] (from client tigo port 108 cli 22264218) Using Post-Auth-Type Reject +- entering group REJECT {...} expand: %{User-Name} -> 123.com.sv attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Im using freeradius 2 and daloradius 0.9, and this a extract of relevant radius.conf settings: authorize { preprocess chap mschap suffix eap { ok = return } files sql expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } eap } preacct { preprocess acct_unique suffix files } accounting { detail sql attr_filter.accounting_response } session { radutmp } post-auth { exec Post-Auth-Type REJECT { attr_filter.access_reject } } post-proxy { eap }
From the debug it appears that users file is not being processed correctly, what should i check? regards Miguel Miranda
The problem is that the sql module returns reject you can remove the sql from authorization On Tue, Jul 28, 2009 at 8:53 PM, Miguel Miranda<miguel.mirandag@gmail.com> wrote:
Hi, i want to accept all request coming from a specific nas-ip-assdress , i used to configure like this (in users file):
DEFAULT NAS-IP-Address == "192.168.150.25", Auth-Type := Accept Fall-Through = Yes The above settings are not working now, this is the debug of a transaction:
rad_recv: Access-Request packet from host 192.168.150.25 port 1645, id=52, length=94 NAS-IP-Address = 192.168.150.25 NAS-Port = 108 NAS-Port-Type = Async User-Name = "123.com.sv" Called-Station-Id = "22660321" Calling-Station-Id = "22264218" User-Password = "cisco" Service-Type = Dialout-Framed-User +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "123.com.sv", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop expand: %{User-Name} -> 123.com.sv [sql] sql_set_user escaped user --> '123.com.sv' rlm_sql (sql): Reserving sql socket id: 22 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '123.com.sv' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '123.com.sv' ORDER BY priority rlm_sql (sql): Released sql socket id: 22 [sql] User 123.com.sv not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [123.com.sv/cisco] (from client tigo port 108 cli 22264218) Using Post-Auth-Type Reject +- entering group REJECT {...} expand: %{User-Name} -> 123.com.sv attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request
Im using freeradius 2 and daloradius 0.9, and this a extract of relevant radius.conf settings:
authorize { preprocess chap mschap suffix eap { ok = return }
files sql expiration logintime pap }
authenticate { Auth-Type PAP { pap }
Auth-Type CHAP { chap }
Auth-Type MS-CHAP { mschap } eap }
preacct { preprocess acct_unique suffix files }
accounting { detail sql attr_filter.accounting_response }
session { radutmp }
post-auth {
exec
Post-Auth-Type REJECT { attr_filter.access_reject } }
post-proxy { eap }
From the debug it appears that users file is not being processed correctly, what should i check? regards Miguel Miranda
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Well, that is not the only one nas i have , the sql module is requiered for several other nas and hotspots users... On Tue, Jul 28, 2009 at 12:25 PM, Dimitrios Giannakopoulos < d.giannakop@gmail.com> wrote:
The problem is that the sql module returns reject you can remove the sql from authorization
Hi, i want to accept all request coming from a specific nas-ip-assdress , i used to configure like this (in users file):
DEFAULT NAS-IP-Address == "192.168.150.25", Auth-Type := Accept Fall-Through = Yes The above settings are not working now, this is the debug of a transaction:
rad_recv: Access-Request packet from host 192.168.150.25 port 1645, id=52, length=94 NAS-IP-Address = 192.168.150.25 NAS-Port = 108 NAS-Port-Type = Async User-Name = "123.com.sv" Called-Station-Id = "22660321" Calling-Station-Id = "22264218" User-Password = "cisco" Service-Type = Dialout-Framed-User +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "123.com.sv", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop expand: %{User-Name} -> 123.com.sv [sql] sql_set_user escaped user --> '123.com.sv' rlm_sql (sql): Reserving sql socket id: 22 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '123.com.sv' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '123.com.sv' ORDER BY priority rlm_sql (sql): Released sql socket id: 22 [sql] User 123.com.sv not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [123.com.sv/cisco] (from client tigo port 108 cli
On Tue, Jul 28, 2009 at 8:53 PM, Miguel Miranda<miguel.mirandag@gmail.com> wrote: 22264218)
Using Post-Auth-Type Reject +- entering group REJECT {...} expand: %{User-Name} -> 123.com.sv attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request
Im using freeradius 2 and daloradius 0.9, and this a extract of relevant radius.conf settings:
authorize { preprocess chap mschap suffix eap { ok = return }
files sql expiration logintime pap }
authenticate { Auth-Type PAP { pap }
Auth-Type CHAP { chap }
Auth-Type MS-CHAP { mschap } eap }
preacct { preprocess acct_unique suffix files }
accounting { detail sql attr_filter.accounting_response }
session { radutmp }
post-auth {
exec
Post-Auth-Type REJECT { attr_filter.access_reject } }
post-proxy { eap }
From the debug it appears that users file is not being processed correctly, what should i check? regards Miguel Miranda
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Miranda I use the same users file and authorization configuration (with sql) and it is work fine. On Tue, Jul 28, 2009 at 9:28 PM, Miguel Miranda<miguel.mirandag@gmail.com> wrote:
Well, that is not the only one nas i have , the sql module is requiered for several other nas and hotspots users...
On Tue, Jul 28, 2009 at 12:25 PM, Dimitrios Giannakopoulos <d.giannakop@gmail.com> wrote:
The problem is that the sql module returns reject you can remove the sql from authorization
On Tue, Jul 28, 2009 at 8:53 PM, Miguel Miranda<miguel.mirandag@gmail.com> wrote:
Hi, i want to accept all request coming from a specific nas-ip-assdress , i used to configure like this (in users file):
DEFAULT NAS-IP-Address == "192.168.150.25", Auth-Type := Accept Fall-Through = Yes The above settings are not working now, this is the debug of a transaction:
rad_recv: Access-Request packet from host 192.168.150.25 port 1645, id=52, length=94 NAS-IP-Address = 192.168.150.25 NAS-Port = 108 NAS-Port-Type = Async User-Name = "123.com.sv" Called-Station-Id = "22660321" Calling-Station-Id = "22264218" User-Password = "cisco" Service-Type = Dialout-Framed-User +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "123.com.sv", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop expand: %{User-Name} -> 123.com.sv [sql] sql_set_user escaped user --> '123.com.sv' rlm_sql (sql): Reserving sql socket id: 22 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '123.com.sv' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '123.com.sv' ORDER BY priority rlm_sql (sql): Released sql socket id: 22 [sql] User 123.com.sv not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [123.com.sv/cisco] (from client tigo port 108 cli 22264218) Using Post-Auth-Type Reject +- entering group REJECT {...} expand: %{User-Name} -> 123.com.sv attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request
Im using freeradius 2 and daloradius 0.9, and this a extract of relevant radius.conf settings:
authorize { preprocess chap mschap suffix eap { ok = return }
files sql expiration logintime pap }
authenticate { Auth-Type PAP { pap }
Auth-Type CHAP { chap }
Auth-Type MS-CHAP { mschap } eap }
preacct { preprocess acct_unique suffix files }
accounting { detail sql attr_filter.accounting_response }
session { radutmp }
post-auth {
exec
Post-Auth-Type REJECT { attr_filter.access_reject } }
post-proxy { eap }
From the debug it appears that users file is not being processed correctly, what should i check? regards Miguel Miranda
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Me too, but my questions is about the nas-ip-address entry that i posted as example, acording to the docs, all users should be accepted, no matter what user/pass combitantion they are using. and in my case freeradius rejects the access On Tue, Jul 28, 2009 at 1:19 PM, Dimitrios Giannakopoulos < d.giannakop@gmail.com> wrote:
Hi Miranda I use the same users file and authorization configuration (with sql) and it is work fine.
On Tue, Jul 28, 2009 at 9:28 PM, Miguel Miranda<miguel.mirandag@gmail.com> wrote:
Well, that is not the only one nas i have , the sql module is requiered for several other nas and hotspots users...
On Tue, Jul 28, 2009 at 12:25 PM, Dimitrios Giannakopoulos <d.giannakop@gmail.com> wrote:
The problem is that the sql module returns reject you can remove the sql from authorization
On Tue, Jul 28, 2009 at 8:53 PM, Miguel Miranda<miguel.mirandag@gmail.com> wrote:
Hi, i want to accept all request coming from a specific
nas-ip-assdress
, i used to configure like this (in users file):
DEFAULT NAS-IP-Address == "192.168.150.25", Auth-Type := Accept Fall-Through = Yes The above settings are not working now, this is the debug of a transaction:
rad_recv: Access-Request packet from host 192.168.150.25 port 1645, id=52, length=94 NAS-IP-Address = 192.168.150.25 NAS-Port = 108 NAS-Port-Type = Async User-Name = "123.com.sv" Called-Station-Id = "22660321" Calling-Station-Id = "22264218" User-Password = "cisco" Service-Type = Dialout-Framed-User +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "123.com.sv", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop expand: %{User-Name} -> 123.com.sv [sql] sql_set_user escaped user --> '123.com.sv' rlm_sql (sql): Reserving sql socket id: 22 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '123.com.sv' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '123.com.sv' ORDER BY priority rlm_sql (sql): Released sql socket id: 22 [sql] User 123.com.sv not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [123.com.sv/cisco] (from client tigo port 108 cli 22264218) Using Post-Auth-Type Reject +- entering group REJECT {...} expand: %{User-Name} -> 123.com.sv attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request
Im using freeradius 2 and daloradius 0.9, and this a extract of relevant radius.conf settings:
authorize { preprocess chap mschap suffix eap { ok = return }
files sql expiration logintime pap }
authenticate { Auth-Type PAP { pap }
Auth-Type CHAP { chap }
Auth-Type MS-CHAP { mschap } eap }
preacct { preprocess acct_unique suffix files }
accounting { detail sql attr_filter.accounting_response }
session { radutmp }
post-auth {
exec
Post-Auth-Type REJECT { attr_filter.access_reject } }
post-proxy { eap }
From the debug it appears that users file is not being processed correctly, what should i check? regards Miguel Miranda
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Have you tried it with "*Fall-Through = No" or without "**Fall-Through"*? http://freeradius.org/radiusd/man/users.html 2009/7/28 Miguel Miranda <miguel.mirandag@gmail.com>
Me too, but my questions is about the nas-ip-address entry that i posted as example, acording to the docs, all users should be accepted, no matter what user/pass combitantion they are using. and in my case freeradius rejects the access
On Tue, Jul 28, 2009 at 1:19 PM, Dimitrios Giannakopoulos < d.giannakop@gmail.com> wrote:
Hi Miranda I use the same users file and authorization configuration (with sql) and it is work fine.
On Tue, Jul 28, 2009 at 9:28 PM, Miguel Miranda<miguel.mirandag@gmail.com> wrote:
Well, that is not the only one nas i have , the sql module is requiered for several other nas and hotspots users...
On Tue, Jul 28, 2009 at 12:25 PM, Dimitrios Giannakopoulos <d.giannakop@gmail.com> wrote:
The problem is that the sql module returns reject you can remove the sql from authorization
On Tue, Jul 28, 2009 at 8:53 PM, Miguel Miranda<miguel.mirandag@gmail.com> wrote:
Hi, i want to accept all request coming from a specific
nas-ip-assdress
, i used to configure like this (in users file):
DEFAULT NAS-IP-Address == "192.168.150.25", Auth-Type := Accept Fall-Through = Yes The above settings are not working now, this is the debug of a transaction:
rad_recv: Access-Request packet from host 192.168.150.25 port 1645, id=52, length=94 NAS-IP-Address = 192.168.150.25 NAS-Port = 108 NAS-Port-Type = Async User-Name = "123.com.sv" Called-Station-Id = "22660321" Calling-Station-Id = "22264218" User-Password = "cisco" Service-Type = Dialout-Framed-User +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "123.com.sv", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop expand: %{User-Name} -> 123.com.sv [sql] sql_set_user escaped user --> '123.com.sv' rlm_sql (sql): Reserving sql socket id: 22 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '123.com.sv' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '123.com.sv' ORDER BY priority rlm_sql (sql): Released sql socket id: 22 [sql] User 123.com.sv not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [123.com.sv/cisco] (from client tigo port 108 cli 22264218) Using Post-Auth-Type Reject +- entering group REJECT {...} expand: %{User-Name} -> 123.com.sv attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request
Im using freeradius 2 and daloradius 0.9, and this a extract of relevant radius.conf settings:
authorize { preprocess chap mschap suffix eap { ok = return }
files sql expiration logintime pap }
authenticate { Auth-Type PAP { pap }
Auth-Type CHAP { chap }
Auth-Type MS-CHAP { mschap } eap }
preacct { preprocess acct_unique suffix files }
accounting { detail sql attr_filter.accounting_response }
session { radutmp }
post-auth {
exec
Post-Auth-Type REJECT { attr_filter.access_reject } }
post-proxy { eap }
From the debug it appears that users file is not being processed correctly, what should i check? regards Miguel Miranda
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, i want to accept all request coming from a specific nas-ip-assdress , i used to configure like this (in users file):
DEFAULT NAS-IP-Address == "192.168.150.25", Auth-Type := Accept Fall-Through = Yes The above settings are not working now, this is the debug of a transaction:
rad_recv: Access-Request packet from host 192.168.150.25 port 1645, id=52, length=94 NAS-IP-Address = 192.168.150.25 NAS-Port = 108 NAS-Port-Type = Async User-Name = "123.com.sv" Called-Station-Id = "22660321" Calling-Station-Id = "22264218" User-Password = "cisco" Service-Type = Dialout-Framed-User ... ++[files] returns noop ...
How sure are you that the users file you are using is the one server is using? Check the debug of the server startup and see if the users file is the correct one. If the file is correct, then your syntax isn't (check that DEFAULT line for typing mistakes). Ivan Kalik Kalik Informatika ISP
Hi, i cheked the debug and the file is correct: Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } And i tried without Fall-Through = Yes and same result :-( Im stuck here, any help will be greatly appreciated --- Miguel On Tue, Jul 28, 2009 at 2:27 PM, Ivan Kalik <tnt@kalik.net> wrote:
Hi, i want to accept all request coming from a specific nas-ip-assdress , i used to configure like this (in users file):
DEFAULT NAS-IP-Address == "192.168.150.25", Auth-Type := Accept Fall-Through = Yes The above settings are not working now, this is the debug of a transaction:
rad_recv: Access-Request packet from host 192.168.150.25 port 1645, id=52, length=94 NAS-IP-Address = 192.168.150.25 NAS-Port = 108 NAS-Port-Type = Async User-Name = "123.com.sv" Called-Station-Id = "22660321" Calling-Station-Id = "22264218" User-Password = "cisco" Service-Type = Dialout-Framed-User ... ++[files] returns noop ...
How sure are you that the users file you are using is the one server is using? Check the debug of the server startup and see if the users file is the correct one. If the file is correct, then your syntax isn't (check that DEFAULT line for typing mistakes).
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
Alan Buxey -
Dimitrios Giannakopoulos -
Ivan Kalik -
Miguel Miranda -
Nelson Vale