getting rejected, please give me some light.
I am new with freeradius and I probably didnt understood something yet about how to configure everything: I can authenticate using command line but and on radius wifi but not on NAS\LNS that I' m getting rejected. the logs with couple comments on it: rad_recv: Access-Request packet from host 192.168.10.159 port 54933, id=211, length=43 User-Name = "bob" User-Password = "Hello" # Executing section authorize from file /opt/fradius-2.2.0/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry bob at line 204 ++[files] returns ok WARNING: Please update your configuration, and remove 'Auth-Type = Local' ############### what is that means? what it refers to? i dont have the word loca at all in my files else then the defaults WARNING: Use the PAP or CHAP modules instead. User-Password in the request is correct. # Executing section post-auth from file /opt/fradius-2.2.0/etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 211 to 192.168.10.159 port 54933 Finished request 10. Going to the next request Waking up in 4.9 seconds. Cleaning up request 10 ID 211 with timestamp +2391 ##this is the rejected request Ready to process requests. rad_recv: Access-Request packet from host 192.168.10.131 port 19606, id=134, length=152 NAS-Identifier = "NAS" NAS-IP-Address = 192.168.10.131 Acct-Session-Id = "9358763-re0-3" NAS-Port = 3 NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "00270e08e1c0" NAS-Port-Id = "re0" Vendor-12341-Attr-12 = 0x7265302d33 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Client-Endpoint:0 = "00:27:0e:08:e1:c0" User-Name = "bob" User-Password = "Hello" # Executing section authorize from file /opt/fradius-2.2.0/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user #it's the basic as before so why the software saying that?what is the difference between the logins (a lot) that makes it's not work with users file? Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /opt/fradius-2.2.0/etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> bob attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 11 for 1 seconds Going to the next request Thanks, Eliezer
On 10/04/2012 01:59 PM, Eliezer Croitoru wrote:
I am new with freeradius and I probably didnt understood something yet about how to configure everything: I can authenticate using command line but and on radius wifi but not on NAS\LNS that I' m getting rejected. the logs with couple comments on it:
All the information you need is in the debug output you posted. Did you read it? Hint, you need the pap module for plaintext auth, it's enabled by default. Why did you disable it? The debug output even calls attention to this omission. You've set the Auth-Type, probably in the users file. Do not do that, the server will figure it out. There are no instructions from the FreeRADIUS doc which instructs you to do this. Why did you set it? -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
On 10/4/2012 8:18 PM, John Dennis wrote:
All the information you need is in the debug output you posted. Did you read it? I have tried but I am unable to understand what is wrong since it's a new language for me.
Hint, you need the pap module for plaintext auth, it's enabled by default. Why did you disable it? The debug output even calls attention to this omission.
I didnt disabled anything.. it's bulk freeradius settings with the only thing changed for sql and ok = return in the pap auth case to prevent trying sql (like in eap settings). I have tried to write username and password in the users which works for wifi EAP but not for NAS\LNS.
You've set the Auth-Type, probably in the users file. Do not do that, the server will figure it out.
In what section I possibly did that?
There are no instructions from the FreeRADIUS doc which instructs you to do this. Why did you set it? I am looking for instructions but it seems like I missed something in understanding?
What I have added is: bob Cleartext-Password := "Hello" and the client config to communicate the server I dont have any rules I have added to the original ones. I recompiled it from source and reinstalled it. pap is on etc.. Found out my problem... now I understood that it's like ACLS "first hits" in the users file. there is no reject or whatever but it does have other "DEFAULT" things and since they exist they comes first before the username I inserted. at least That is what I understood after trying and it's working now fine. the next step SQL. Thanks, Elizer -- Eliezer Croitoru https://www1.ngtech.co.il IT consulting for Nonprofit organizations eliezer <at> ngtech.co.il
On 10/04/2012 03:10 PM, Eliezer Croitoru wrote:
On 10/4/2012 8:18 PM, John Dennis wrote:
All the information you need is in the debug output you posted. Did you read it? I have tried but I am unable to understand what is wrong since it's a new language for me.
Hint, you need the pap module for plaintext auth, it's enabled by default. Why did you disable it? The debug output even calls attention to this omission.
I didnt disabled anything.. it's bulk freeradius settings with the only thing changed for sql and ok = return in the pap auth case to prevent trying sql (like in eap settings).
You say you didn't disable anything and in the next sentence you say you insterted "ok = return" in pap. Your log shows pap is broken, gee I wonder why? Do not change anything you don't understand.
I have tried to write username and password in the users which works for wifi EAP but not for NAS\LNS.
You've set the Auth-Type, probably in the users file. Do not do that, the server will figure it out.
In what section I possibly did that?
There are no instructions from the FreeRADIUS doc which instructs you to do this. Why did you set it? I am looking for instructions but it seems like I missed something in understanding?
What I have added is: bob Cleartext-Password := "Hello"
and the client config to communicate the server
I dont have any rules I have added to the original ones.
I recompiled it from source and reinstalled it.
pap is on etc..
Found out my problem...
now I understood that it's like ACLS "first hits" in the users file.
try reading doc/processing_users_file.rst
there is no reject or whatever but it does have other "DEFAULT" things and since they exist they comes first before the username I inserted. at least That is what I understood after trying and it's working now fine.
the next step SQL.
Nope, the next step is to go back to square one and reinstall the default provided configuration. DO NOT edit anything unless you actually understand what you're doing. Follow the instructions on Alan's website in the howto section: http://deployingradius.com/ Also, the config files under raddb how a lot of documentation, spend some time reading it as well as the information under doc. Poke around Alan's website (above) as well as the FreeRADIUS Wiki. Do not follow any suggestions found on random website, usually they're wrong. Only follow instructions found in the tarball, the freeradius.org website, or deployingradius.com. Do not change anything you do not understand.
Thanks, Elizer
-- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
On Thu, Oct 04, 2012 at 07:59:09PM +0200, Eliezer Croitoru wrote:
+- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry bob at line 204 ++[files] returns ok WARNING: Please update your configuration, and remove 'Auth-Type = Local' ############### what is that means? what it refers to? i dont have the word loca at all in my files else then the defaults WARNING: Use the PAP or CHAP modules instead. User-Password in the request is correct.
This error is slightly misleading. If you remove the pap module in 2.x, the server will internally authenticate in a similar way by setting Auth-Type to 'Local', iff it is not already set. It's an indication that you removed pap, as it will only occur if no Auth-Type has been set, and there is a User-Password in the request. This will break in 3.0. You need to add pap back in again and not rely on Local auth.
[files] users: Matched entry DEFAULT at line 172 ++[files] returns ok ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user #it's the basic as before so why the software saying that?what is the difference between the logins (a lot) that makes it's not work with users file?
You added 'bob' at the bottom of the 'users' file. Move it to the top. (And add pap back in). Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 10/5/2012 12:07 AM, Matthew Newton wrote:
You added 'bob' at the bottom of the 'users' file. Move it to the top. (And add pap back in).
Matthew Now it works... as I said before.. the only problem was that I added the user name at the end of the file..
Indeed I am trying to read but since there is so much of it it's kind of hard to get it in a sec where to look at. Instead of the principle people writes a bunch of Instructions of how to do specific things... GOOD thing is the man pages which does what it needs. Thanks, Eliezer -- Eliezer Croitoru https://www1.ngtech.co.il IT consulting for Nonprofit organizations eliezer <at> ngtech.co.il
participants (3)
-
Eliezer Croitoru -
John Dennis -
Matthew Newton