Hi. I'm trying to match a suffix in the username using the hints file and strip the suffix. I have the following configured: raddb/hints: DEFAULT Suffix == ".d", Strip-User-Name = Yes Hint = "Dynamic" raddb/users: DEFAULT Hint == "Dynamic" Framed-IP-Address := 255.255.255.254, Fall-Through = Yes user Cleartext-Password := "password" Service-Type = Framed-User, Framed-IP-Address = XXX.XXX.XXX.XXX, Framed-Protocol = PPP, Framed-Routing = None, Session-Timeout = 604800, Idle-Timeout = 86400, Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP When run radiusd -W I can see it enter the preprocess module and match an entry, but the suffix is not being stripped and entry in users file not being matched: Tue Jun 3 12:54:15 2008 : Debug: +- entering group authorize Tue Jun 3 12:54:15 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0 Tue Jun 3 12:54:15 2008 : Debug: rlm_realm: No '@' in User-Name = "user.d", looking up realm NULL Tue Jun 3 12:54:15 2008 : Debug: rlm_realm: No such realm "NULL" Tue Jun 3 12:54:15 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0 Tue Jun 3 12:54:15 2008 : Debug: ++[suffix] returns noop Tue Jun 3 12:54:15 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0 Tue Jun 3 12:54:15 2008 : Debug: hints: Matched DEFAULT at 79 Tue Jun 3 12:54:15 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0 Tue Jun 3 12:54:15 2008 : Debug: ++[preprocess] returns ok Tue Jun 3 12:54:15 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Tue Jun 3 12:54:15 2008 : Debug: auth: Failed to validate the user. Tue Jun 3 12:54:15 2008 : Auth: Login incorrect: [user.d/password] (from client ERX-LAB port 2152726802 cli #ERX01.OTWODDS#BLC01.OTW23DS atm 3/1:0.35#) Tue Jun 3 12:54:15 2008 : Debug: Found Post-Auth-Type Reject Tue Jun 3 12:54:15 2008 : Debug: +- entering group REJECT Tue Jun 3 12:54:15 2008 : Debug: modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 0 Tue Jun 3 12:54:15 2008 : Debug: expand: %{User-Name} -> user.d Tue Jun 3 12:54:15 2008 : Debug: attr_filter: Matched entry DEFAULT at line 11 Tue Jun 3 12:54:15 2008 : Debug: modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 0 Tue Jun 3 12:54:15 2008 : Debug: ++[attr_filter.access_reject] returns updated Tue Jun 3 12:54:15 2008 : Debug: Delaying reject of request 0 for 1 seconds Tue Jun 3 12:54:15 2008 : Debug: Going to the next request Tue Jun 3 12:54:15 2008 : Debug: Waking up in 0.9 seconds. Tue Jun 3 12:54:16 2008 : Debug: Sending delayed reject for request 0 Tue Jun 3 12:54:16 2008 : Debug: Waking up in 4.9 seconds. Tue Jun 3 12:54:21 2008 : Debug: Cleaning up request 0 ID 5 with timestamp +79 Tue Jun 3 12:54:21 2008 : Debug: Ready to process requests. Any ideas ? I'm running FreeRADIUS 2.0.3. Thanx Paul
When run radiusd -W I can see it enter the preprocess module and match an entry, but the suffix is not being stripped and entry in users file not being matched:
Not being stripped? You think that's the problem.
Tue Jun 3 12:54:15 2008 : Debug: +- entering group authorize
Tue Jun 3 12:54:15 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
..
Tue Jun 3 12:54:15 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
..
Tue Jun 3 12:54:15 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
You haven't hacked away at the default configuration by any chance? Users file entry is not matched because you prevented the server from looking there. Even if you put "files" back in it still won't work as you have broken every single authentication method. Well done! Now put the configuration back the way it was and watch it work. Ivan Kalik Kalik Informatika ISP
files is there in authentication { } section. authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. Auth-Type PAP { pap } # # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. Auth-Type CHAP { chap } # # MSCHAP authentication. Auth-Type MS-CHAP { mschap } # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authorize' section. # digest # # Pluggable Authentication Modules. # pam # # See 'man getpwent' for information on how the 'unix' # module checks the users password. Note that packets # containing CHAP-Password attributes CANNOT be authenticated # against /etc/passwd! See the FAQ for details. # # unix # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. # Auth-Type LDAP { # ldap # } # # Allow EAP authentication. eap files } Paul -----Original Message----- From: freeradius-users-bounces+paul.khavkine=distributel.ca@lists.freeradius.o rg [mailto:freeradius-users-bounces+paul.khavkine=distributel.ca@lists.free radius.org] On Behalf Of Ivan Kalik Sent: June 3, 2008 2:07 PM To: FreeRadius users mailing list Subject: Re: Hints file and Strip-User-Name
When run radiusd -W I can see it enter the preprocess module and match an entry, but the suffix is not being stripped and entry in users file not being matched:
Not being stripped? You think that's the problem.
Tue Jun 3 12:54:15 2008 : Debug: +- entering group authorize
Tue Jun 3 12:54:15 2008 : Debug: modsingle[authorize]: calling
suffix
(rlm_realm) for request 0 .. Tue Jun 3 12:54:15 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
..
Tue Jun 3 12:54:15 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
You haven't hacked away at the default configuration by any chance? Users file entry is not matched because you prevented the server from looking there. Even if you put "files" back in it still won't work as you have broken every single authentication method. Well done! Now put the configuration back the way it was and watch it work. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
authenticate{}??? What are they doing there. Files are a part of authorize{} section. Ivan Kalik Kalik Informatika ISP Dana 3/6/2008, "Paul Khavkine" <paul.khavkine@distributel.ca> piše:
files is there in authentication { } section.
authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. Auth-Type PAP { pap }
# # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. Auth-Type CHAP { chap }
# # MSCHAP authentication. Auth-Type MS-CHAP { mschap }
# # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authorize' section. # digest
# # Pluggable Authentication Modules. # pam
# # See 'man getpwent' for information on how the 'unix' # module checks the users password. Note that packets # containing CHAP-Password attributes CANNOT be authenticated # against /etc/passwd! See the FAQ for details. # # unix
# Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. # Auth-Type LDAP { # ldap # }
# # Allow EAP authentication. eap files }
Paul
-----Original Message----- From: freeradius-users-bounces+paul.khavkine=distributel.ca@lists.freeradius.o rg [mailto:freeradius-users-bounces+paul.khavkine=distributel.ca@lists.free radius.org] On Behalf Of Ivan Kalik Sent: June 3, 2008 2:07 PM To: FreeRadius users mailing list Subject: Re: Hints file and Strip-User-Name
When run radiusd -W I can see it enter the preprocess module and match an entry, but the suffix is not being stripped and entry in users file not being matched:
Not being stripped? You think that's the problem.
Tue Jun 3 12:54:15 2008 : Debug: +- entering group authorize
Tue Jun 3 12:54:15 2008 : Debug: modsingle[authorize]: calling
suffix
(rlm_realm) for request 0 ... Tue Jun 3 12:54:15 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
...
Tue Jun 3 12:54:15 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
You haven't hacked away at the default configuration by any chance? Users file entry is not matched because you prevented the server from looking there. Even if you put "files" back in it still won't work as you have broken every single authentication method. Well done! Now put the configuration back the way it was and watch it work.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
You are right actually, not having a good day today. I unbroken my config, found what was originally not working, had to uncomment the "key" setting in the files {} configuration block to match Stripped-User-Name in the users file. Thanx Paul -----Original Message----- From: freeradius-users-bounces+paul.khavkine=distributel.ca@lists.freeradius.org [mailto:freeradius-users-bounces+paul.khavkine=distributel.ca@lists.freeradius.org] On Behalf Of Ivan Kalik Sent: June 3, 2008 2:47 PM To: FreeRadius users mailing list Subject: RE: Hints file and Strip-User-Name authenticate{}??? What are they doing there. Files are a part of authorize{} section. Ivan Kalik Kalik Informatika ISP Dana 3/6/2008, "Paul Khavkine" <paul.khavkine@distributel.ca> piše:
files is there in authentication { } section.
authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. Auth-Type PAP { pap }
# # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. Auth-Type CHAP { chap }
# # MSCHAP authentication. Auth-Type MS-CHAP { mschap }
# # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authorize' section. # digest
# # Pluggable Authentication Modules. # pam
# # See 'man getpwent' for information on how the 'unix' # module checks the users password. Note that packets # containing CHAP-Password attributes CANNOT be authenticated # against /etc/passwd! See the FAQ for details. # # unix
# Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. # Auth-Type LDAP { # ldap # }
# # Allow EAP authentication. eap files }
Paul
-----Original Message----- From: freeradius-users-bounces+paul.khavkine=distributel.ca@lists.freeradius.o rg [mailto:freeradius-users-bounces+paul.khavkine=distributel.ca@lists.free radius.org] On Behalf Of Ivan Kalik Sent: June 3, 2008 2:07 PM To: FreeRadius users mailing list Subject: Re: Hints file and Strip-User-Name
When run radiusd -W I can see it enter the preprocess module and match an entry, but the suffix is not being stripped and entry in users file not being matched:
Not being stripped? You think that's the problem.
Tue Jun 3 12:54:15 2008 : Debug: +- entering group authorize
Tue Jun 3 12:54:15 2008 : Debug: modsingle[authorize]: calling
suffix
(rlm_realm) for request 0 ... Tue Jun 3 12:54:15 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
...
Tue Jun 3 12:54:15 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
You haven't hacked away at the default configuration by any chance? Users file entry is not matched because you prevented the server from looking there. Even if you put "files" back in it still won't work as you have broken every single authentication method. Well done! Now put the configuration back the way it was and watch it work.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Ivan Kalik -
Paul Khavkine