Hi @ll, we're playing with the freeradius features and are getting confused in the way it behaves: We have several different Users in user-files which works fine. Now we want that the radius always answers with OK and no more "Login incorrect" - but with other Options than a correct user. We appended in the config: DEFAULT Auth-Type := Accept ... various Options ... This works with PAP/CHAP, when the user is not listed in a users file. It also works with PAP when the user is in a list, but not with CHAP! Is there a way to realize this? Debug says: rad_recv: Access-Request packet from host XXX:XX, id=114, length=263 User-Name = "XXX" Acct-Session-Id = "XXX" CHAP-Password = XXX CHAP-Challenge = XXX Service-Type = Framed-User Framed-Protocol = PPP ERX-Pppoe-Description = "XXX" Calling-Station-Id = "XXX" NAS-Port-Type = Ethernet NAS-Port = XXX NAS-Port-Id = "XXX" NAS-IP-Address = XXX NAS-Identifier = "XXX" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 10 modcall[authorize]: module "preprocess" returns ok for request 10 rlm_chap: Setting 'Auth-Type := CHAP' modcall[authorize]: module "chap" returns ok for request 10 rlm_realm: No '@' in User-Name = "XXX", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 10 users: Matched entry DEFAULT at line 2 modcall[authorize]: module "files" returns ok for request 10 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 10 modcall: leaving group authorize (returns ok) for request 10 Found Autz-Type autz_DSL_B Processing the authorize section of radiusd.conf modcall: entering group autz_DSL_B for request 10 users: Matched entry XXX at line 335992 modcall[authorize]: module "autzfile_DSL_B" returns ok for request 10 modcall: leaving group autz_DSL_B (returns ok) for request 10 rad_check_password: Found Auth-Type CHAP auth: type "CHAP" Processing the authenticate section of radiusd.conf modcall: entering group CHAP for request 10 rlm_chap: login attempt by "XXX" with CHAP password rlm_chap: Using clear text password "XXX" for user XXX authentication. rlm_chap: Password check failed modcall[authenticate]: module "chap" returns reject for request 10 modcall: leaving group CHAP (returns reject) for request 10 auth: Failed to validate the user. -- Thomas Buchberger
Thomas Buchberger wrote:
we're playing with the freeradius features and are getting confused in the way it behaves:
:) It's simple... just read 1000's of lines of debugging output, and hordes of miscellaneous unrelated unorganized documentation files.
We have several different Users in user-files which works fine. Now we want that the radius always answers with OK and no more "Login incorrect" - but with other Options than a correct user.
We appended in the config: DEFAULT Auth-Type := Accept ... users: Matched entry DEFAULT at line 2
Is that entry at line 2 of the "users" file? If not, the server is matching an earlier entry, and not the one with Accept. Alan DeKok.
Hi Alan, Alan DeKok wrote:
:) It's simple... just read 1000's of lines of debugging output, and hordes of miscellaneous unrelated unorganized documentation files.
:-P
We have several different Users in user-files which works fine. Now we want that the radius always answers with OK and no more "Login incorrect" - but with other Options than a correct user.
We appended in the config: DEFAULT Auth-Type := Accept
...
users: Matched entry DEFAULT at line 2
Is that entry at line 2 of the "users" file? If not, the server is matching an earlier entry, and not the one with Accept.
That's another DEFAULT entry to select between machines. The Accept is at the end after all users. Now we've put the Accept before the users and - Same Problem! Different effect... With PAP everything works - but with CHAP: CHAP Passwords don't get checked and if the username is correct the user gets the wrong Options. Not really better... Why does it work with PAP but not with CHAP? Maybe that's a bug? Greetings Thomas
Ivan Kalik wrote:
Add Fall-Through = Yes to the DEFAULT entry if you want to check entries that come later in users file. Fall-Through is active.
With PAP it works - but not with CHAP. That's the problem ... I think the CHAP module handles wrong passwords and auth-type different than the rlm_pap module. Config looks like this: DEFAULT Auth-Type := Accept ERX-Virtual-Router-Name = "vpn:XXX", ERX-Egress-Policy-Name = "XXX", ERX-Local-Loopback-Interface = "loopback 255", Service-Type = Framed-User, Framed-Protocol = PPP, Fall-Through = Yes Test100 Password = "Test100" ERX-Virtual-Router-Name := YYY, ERX-Egress-Policy-Name := "YYY" We're using Version 1.1.6 and give 2.0.5 a try... -- Thomas Buchberger
Config looks like this:
DEFAULT Auth-Type := Accept
That would make any protocol irrelevant. pap or chap.
ERX-Virtual-Router-Name = "vpn:XXX", ERX-Egress-Policy-Name = "XXX", ERX-Local-Loopback-Interface = "loopback 255", Service-Type = Framed-User, Framed-Protocol = PPP, Fall-Through = Yes
Test100 Password = "Test100"
That is not a correct password attribute for 1.1.6. You should use Cleartext-Password. Read instructions in users file. Password is deprecated ages ago and no wonder chap is not using it.
ERX-Virtual-Router-Name := YYY, ERX-Egress-Policy-Name := "YYY"
We're using Version 1.1.6 and give 2.0.5 a try...
Ivan Kalik Kalik Informatika ISP
Thomas Buchberger wrote:
With PAP it works - but not with CHAP. That's the problem ... I think the CHAP module handles wrong passwords and auth-type different than the rlm_pap module.
No. It doesn't.
Config looks like this:
DEFAULT Auth-Type := Accept
This completely bypasses any password checks.
ERX-Virtual-Router-Name = "vpn:XXX", ERX-Egress-Policy-Name = "XXX", ERX-Local-Loopback-Interface = "loopback 255", Service-Type = Framed-User, Framed-Protocol = PPP, Fall-Through = Yes
Test100 Password = "Test100"
Use: Test100 Cleartext-Password := "Test100" That's been documented since at least 1.1.4. Alan DeKok.
Hi Alan and Ivan, Alan DeKok wrote:
Config looks like this:
DEFAULT Auth-Type := Accept
This completely bypasses any password checks.
ERX-Virtual-Router-Name = "vpn:XXX", ERX-Egress-Policy-Name = "XXX", ERX-Local-Loopback-Interface = "loopback 255", Service-Type = Framed-User, Framed-Protocol = PPP, Fall-Through = Yes
Test100 Password = "Test100"
Use:
Test100 Cleartext-Password := "Test100"
OK - now I understand... with Cleartext-Password PAP and CHAP behave the same way... For us the wrong way :-) Is there a possibility so solve it with freeradius? We want to Accept all Users but give "authenticated" (correct username and password) users individual attributes and "non authenticated" users (wrong username and / or password) different attributes but no "Login incorrect". -- Greetings Thomas Buchberger
Have a look at captive portals. Ivan Kalik Kalik Informatika ISP Dana 21/8/2008, "Thomas Buchberger" <buchberger@nefonline.de> piše:
Hi Alan and Ivan,
Alan DeKok wrote:
Config looks like this:
DEFAULT Auth-Type := Accept
This completely bypasses any password checks.
ERX-Virtual-Router-Name = "vpn:XXX", ERX-Egress-Policy-Name = "XXX", ERX-Local-Loopback-Interface = "loopback 255", Service-Type = Framed-User, Framed-Protocol = PPP, Fall-Through = Yes
Test100 Password = "Test100"
Use:
Test100 Cleartext-Password := "Test100"
OK - now I understand... with Cleartext-Password PAP and CHAP behave the same way... For us the wrong way :-) Is there a possibility so solve it with freeradius? We want to Accept all Users but give "authenticated" (correct username and password) users individual attributes and "non authenticated" users (wrong username and / or password) different attributes but no "Login incorrect".
-- Greetings Thomas Buchberger - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Ivan Kalik -
Thomas Buchberger