Hi, First i want to say that i think that freeradius is a great piece of software. My NAS, pppd, does not grant access to a user with attribute Auth-Type set to Accept but radtest does work. Could this be solved by recompiling pppd with the dictionary file included in the source that reads VALUE Auth-Type None 254 changed to VALUE Auth-Type Accept 254? I already changed the dictionary in /etc/radiusclient/dictionary to this setting, but this didn't solve it. Thanks, Jon.
jon michaels wrote:
My NAS, pppd, does not grant access to a user with attribute Auth-Type set to Accept but radtest does work.
Post the debug log as suggested in the FAQ, README, INSTALL, "man" page, and daily on this list. My *guess* is that the NAS is doing MS-CHAP. You *cannot* simply set Auth-Type = Accept to let them in. You *must* have the "known good" password, and you *must* do a full MS-CHAP exchange.
Could this be solved by recompiling pppd with the dictionary file included in the source that reads VALUE Auth-Type None 254 changed to VALUE Auth-Type Accept 254?
No. Alan DeKok.
Thanks for the quick response. On Mon, Dec 7, 2009 at 11:33 AM, Alan DeKok <aland@deployingradius.com> wrote:
jon michaels wrote:
My NAS, pppd, does not grant access to a user with attribute Auth-Type set to Accept but radtest does work.
Perhaps i should also mention that without Auth-Type set to Accept, i can connect. I am just searching for a good way to update one field in mysql to flip access on and off. If there is another attribute that i can use for this, that would be fine too. I just tried this one because it was mentioned in the /etc/freeradius/users example.
My *guess* is that the NAS is doing MS-CHAP. You *cannot* simply set Auth-Type = Accept to let them in. You *must* have the "known good" password, and you *must* do a full MS-CHAP exchange.
True, its doing mschap. I currently dont understand yet why the debug shows an accept but the ppp doesn't like it. Here's my freeradius debug output and my pppd and pptp debug output underneath it: rad_recv: Access-Request packet from host 127.0.0.1 port 59011, id=238, length=135 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "testuser" MS-CHAP-Challenge = 0xcf50beb20eeb75a90e5577b142c0fdfc MS-CHAP2-Response = 0xec002b8744dec345f27532594312332a563e0000000000000000ef6a691cef86e60776c054bc5180319d1eb0bff41a2275cf NAS-IP-Address = 172.16.132.204 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20091207 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20091207 expand: %t -> Mon Dec 7 11:41:48 2009 ++[auth_log] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 148 ++[files] returns ok expand: %{User-Name} -> testuser [sql] sql_set_user escaped user --> 'testuser' rlm_sql (sql): Reserving sql socket id: 0 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser' ORDER BY id [sql] User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'testuser' ORDER BY priority expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dynamic' ORDER BY id [sql] User found in group dynamic expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dynamic' ORDER BY id rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = Accept Auth-Type = Accept, accepting the user +- entering group session {...} expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp expand: %{User-Name} -> testuser ++[radutmp] returns ok +- entering group post-auth {...} expand: %{NAS-IP-Address} %{NAS-Port} -> 172.16.132.204 0 [main_pool] MD5 on 'key' directive maps to: 3f65cbc9230f10232661e598553cbde4 [main_pool] Searching for an entry for key: '3f65cbc9230f10232661e598553cbde4' [main_pool] Found a stale entry for ip: 172.16.132.163 [main_pool] num: 0 rlm_ippool: Allocating ip to key: '3f65cbc9230f10232661e598553cbde4' [main_pool] num: 1 [main_pool] Allocated ip 172.16.132.160 to client key: 3f65cbc9230f10232661e598553cbde4 ++[main_pool] returns ok expand: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/reply-detail-20091207 [reply_log] /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/reply-detail-20091207 expand: %t -> Mon Dec 7 11:41:48 2009 ++[reply_log] returns ok expand: %{User-Name} -> testuser [sql] sql_set_user escaped user --> 'testuser' expand: %{User-Password} -> expand: %{Chap-Password} -> expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser', '', 'Access-Accept', '2009-12-07 11:41:48') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser', '', 'Access-Accept', '2009-12-07 11:41:48') rlm_sql (sql): Reserving sql socket id: 0 rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 238 to 127.0.0.1 port 59011 Service-Type := Framed-User Framed-Protocol := PPP Framed-Compression := Van-Jacobson-TCP-IP Framed-MTU := 1500 Acct-Interim-Interval = 3600 Acct-Status-Type = Interim-Update Framed-IP-Address = 172.16.132.160 Framed-IP-Netmask = 255.255.255.0 Finished request 3. Going to the next request Waking up in 4.9 seconds. Cleaning up request 3 ID 238 with timestamp +4214 Ready to process requests. pptpd[7714]: CTRL: pppd options file = /etc/ppp/pptpd-options pptpd[7714]: CTRL: Starting call (launching pppd, opening GRE) pptpd[7715]: CTRL (PPPD Launcher): program binary = /usr/sbin/pppd pppd[7715]: Plugin radius.so loaded. pppd[7715]: RADIUS plugin initialized. pppd[7715]: Plugin radattr.so loaded. pppd[7715]: RADATTR plugin initialized. pppd[7715]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded. pppd[7715]: pptpd-logwtmp: $Version$ pppd[7715]: pppd 2.4.5 started by root, uid 0 pppd[7715]: using channel 20 pppd[7715]: Using interface ppp0 pppd[7715]: Connect: ppp0 <--> /dev/pts/2 pppd[7715]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x3a4f9548> <pcomp> <accomp>] pptpd[7714]: GRE: Bad checksum from pppd. pppd[7715]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xe4a25036> <pcomp> <accomp>] pppd[7715]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xe4a25036> <pcomp> <accomp>] pppd[7715]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x3a4f9548> <pcomp> <accomp>] pppd[7715]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xe4a25036> <pcomp> <accomp>] pppd[7715]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xe4a25036> <pcomp> <accomp>] pppd[7715]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x3a4f9548> <pcomp> <accomp>] pppd[7715]: sent [LCP EchoReq id=0x0 magic=0x3a4f9548] pppd[7715]: sent [CHAP Challenge id=0xab <fee8a2f7b97dc91c29b77a21b811bd7b>, name = "pptpd"] pppd[7715]: rcvd [LCP EchoReq id=0x0 magic=0xe4a25036] pppd[7715]: sent [LCP EchoRep id=0x0 magic=0x3a4f9548] pppd[7715]: rcvd [LCP EchoRep id=0x0 magic=0xe4a25036] pppd[7715]: rcvd [CHAP Response id=0xab <cd3e1f2e7e3333563806295b83cc29e400000000000000000e5fa91bba34183221a516ca3133441b607edcb9b0a7852d00>, name = "testuser"] pppd[7715]: RADATTR plugin wrote 8 line(s) to file /var/run/radattr.ppp0. pppd[7715]: pppd[7715]: Peer hexuser failed CHAP authentication pppd[7715]: sent [CHAP Failure id=0xab ""] pppd[7715]: sent [LCP TermReq id=0x2 "Authentication failed"] pppd[7715]: rcvd [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"] pppd[7715]: sent [LCP TermAck id=0x2] pppd[7715]: rcvd [LCP TermAck id=0x2] pppd[7715]: Connection terminated. pppd[7715]: RADATTR plugin removed file /var/run/radattr.ppp0. pppd[7715]: Exit.
Hi,
True, its doing mschap. I currently dont understand yet why the debug shows an accept but the ppp doesn't like it.
quite easy - you are forcing an access-accept on the initial packet and you rNAS wont take that - it needs to offer the full challenge-response and not just get a 'yes yes let them on'. if you remove that part where you are setting access-accept and THEN look at the errors you'll see where its going wrong. you may also need to send back some extra return attributes as part of the accept when its all okay anyway - check your NAS documentation alan
On Mon, Dec 7, 2009 at 12:31 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
quite easy - you are forcing an access-accept on the initial packet and you rNAS wont take that - it needs to offer the full challenge-response and not just get a 'yes yes let them on'. if you remove that part where you are setting access-accept and THEN look at the errors you'll see where its going wrong.
If i remove the 'testuser Auth-Type := Accept' completely everything works fine; the user connects and accounting updates are written. I am looking for an efficient way to remove the ability to connect without touching the password in the database. I searched through ppp and radiusclient documentation and source but don't see how i can achieve this the correct way. It will work if i insert and delete the 'Auth-Type := Reject' record for the user to achieve this. I just figured that changing the value from Accept to Reject would be a nicer way to do this. Thanks for your suggestions.
Ok, i figured it out. I can change between Reject and MSCAP and it will work. On Mon, Dec 7, 2009 at 12:55 PM, jon michaels <joniamasad@gmail.com> wrote:
On Mon, Dec 7, 2009 at 12:31 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
quite easy - you are forcing an access-accept on the initial packet and you rNAS wont take that - it needs to offer the full challenge-response and not just get a 'yes yes let them on'. if you remove that part where you are setting access-accept and THEN look at the errors you'll see where its going wrong.
If i remove the 'testuser Auth-Type := Accept' completely everything works fine; the user connects and accounting updates are written. I am looking for an efficient way to remove the ability to connect without touching the password in the database. I searched through ppp and radiusclient documentation and source but don't see how i can achieve this the correct way.
It will work if i insert and delete the 'Auth-Type := Reject' record for the user to achieve this. I just figured that changing the value from Accept to Reject would be a nicer way to do this.
Thanks for your suggestions.
Hi,
If i remove the 'testuser Auth-Type := Accept' completely everything works fine; the user connects and accounting updates are written. I am looking for an efficient way to remove the ability to connect without touching the password in the database. I searched through ppp and radiusclient documentation and source but don't see how i can achieve this the correct way.
It will work if i insert and delete the 'Auth-Type := Reject' record for the user to achieve this. I just figured that changing the value from Accept to Reject would be a nicer way to do this.
thats easy then - just set the Reject somewhere else - if the person has been bad or whatever, you can simply create such a return.... eg using SQL - you can create a 'rejected-people' group and have 'Reject' int he Auth-Type for that group...... then, shoudl you need to , simply add that user to the rejected-people group. et voila. alan
participants (3)
-
Alan Buxey -
Alan DeKok -
jon michaels