Marco Spiga <mspiga3@alice.it> wrote: Still it does not work :-((
Go read the FAQ. See 5.10. It's directed specifically at your remark.
Alan DEKok.
Endured made!!!!!! I don't have include the output of radtest because I want to only qualify radiusd to use authentication EAP MD5. However as soon as installed freeradius I have tried radtest and it worked well, also whith users inserted in radcheck table of postgresql and authentication EAP MD5 has not never worked. The req.txt file contains: User-Name = "test" EAP-MD5-Password = "password" NAS-IP-Address = "localhost" EAP-Code = Response EAP-Id = 210 EAP-Type-Identity = "test" EAP-Message = "0x0" Message-Authenticator = "0x0" NAS-Port = WITH OUTPUT: +++> About to send encoded packet: User-Name = "test" EAP-MD5-Password = "password" NAS-IP-Address = localhost EAP-Code = Response EAP-Id = 210 EAP-Type-Identity = "test" Sending Access-Request of id 2 to 127.0.0.1:1812 User-Name = "test" NAS-IP-Address = localhost EAP-Message = 0x02d200090174657374 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Challenge packet from host 127.0.0.1:1812, id=2, length=80 EAP-Message = 0x01d300160410dc4eb119fa86b90b61acfdb69ab3a961 Message-Authenticator = 0x30c5633d1d0717256ade7d9780683428 State = 0xf28f6899a431b6ac423bf3672d4a21b9 <+++ EAP decoded packet: EAP-Message = 0x01d300160410dc4eb119fa86b90b61acfdb69ab3a961 Message-Authenticator = 0x30c5633d1d0717256ade7d9780683428 State = 0xf28f6899a431b6ac423bf3672d4a21b9 EAP-Id = 211 EAP-Code = Request EAP-Type-MD5 = 0x10dc4eb119fa86b90b61acfdb69ab3a961 +++> About to send encoded packet: User-Name = "test" EAP-MD5-Password = "password" NAS-IP-Address = localhost EAP-Code = Response EAP-Id = 211 Message-Authenticator = 0x00000000000000000000000000000000 EAP-Type-MD5 = 0x1079d9627aaca015bb70d2d48eb3d5581b State = 0xf28f6899a431b6ac423bf3672d4a21b9 Sending Access-Request of id 3 to 127.0.0.1:1812 User-Name = "test" NAS-IP-Address = localhost Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf28f6899a431b6ac423bf3672d4a21b9 EAP-Message = 0x02d30016041079d9627aaca015bb70d2d48eb3d5581b Re-sending Access-Request of id 3 to 127.0.0.1:1812 User-Name = "test" EAP-MD5-Password = "password" NAS-IP-Address = localhost EAP-Code = Response EAP-Id = 211 Message-Authenticator = 0x00000000000000000000000000000000 EAP-Type-MD5 = 0x1079d9627aaca015bb70d2d48eb3d5581b State = 0xf28f6899a431b6ac423bf3672d4a21b9 EAP-Message = 0x02d30016041079d9627aaca015bb70d2d48eb3d5581b rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=3, length=44 EAP-Message = 0x04d30004 Message-Authenticator = 0x54a6958e6602e2a3ada0be9c34d398b2 <+++ EAP decoded packet: EAP-Message = 0x04d30004 Message-Authenticator = 0x54a6958e6602e2a3ada0be9c34d398b2 EAP-Id = 211 EAP-Code = Failure Total approved auths: 0 Total denied auths: 2 -------------------------------------------------------------------- -------------------------------------------------------------------- the radius.conf file contain: modules { ... eap { default_eap_type = md5 md5 { } ... } ... } # eap sets the authenticate type as EAP authorize { ... eap } # eap authentication takes place. authenticate { eap } the eap.conf file contain: eap { default_eap_type = md5 md5 { } } the users file contain: # # Please read the documentation file ../doc/processing_users_file, # or 'man 5 users' (after installing the server) for more information. # # This file contains authentication security and configuration # information for each user. Accounting requests are NOT processed # through this file. Instead, see 'acct_users', in this directory. # # The first field is the user's name and can be up to # 253 characters in length. This is followed (on the same line) with # the list of authentication requirements for that user. This can # include password, comm server name, comm server port number, protocol # type (perhaps set by the "hints" file), and huntgroup name (set by # the "huntgroups" file). # # If you are not sure why a particular reply is being sent by the # server, then run the server in debugging mode (radiusd -X), and # you will see which entries in this file are matched. # # When an authentication request is received from the comm server, # these values are tested. Only the first match is used unless the # "Fall-Through" variable is set to "Yes". # # A special user named "DEFAULT" matches on all usernames. # You can have several DEFAULT entries. All entries are processed # in the order they appear in this file. The first entry that # matches the login-request will stop processing unless you use # the Fall-Through variable. # # If you use the database support to turn this file into a .db or .dbm # file, the DEFAULT entries _have_ to be at the end of this file and # you can't have multiple entries for one username. # # You don't need to specify a password if you set Auth-Type += System # on the list of authentication requirements. The RADIUS server # will then check the system password file. # # Indented (with the tab character) lines following the first # line indicate the configuration values to be passed back to # the comm server to allow the initiation of a user session. # This can include things like the PPP configuration values # or the host to log the user onto. # # You can include another `users' file with `$INCLUDE users.other' # # # For a list of RADIUS attributes, and links to their definitions, # see: # # http://www.freeradius.org/rfc/attributes.html # # # Deny access for a specific user. Note that this entry MUST # be before any other 'Auth-Type' attribute which results in the user # being authenticated. # # Note that there is NO 'Fall-Through' attribute, so the user will not # be given any additional resources. # #lameuser Auth-Type := Reject # Reply-Message = "Your account has been disabled." # # Deny access for a group of users. # # Note that there is NO 'Fall-Through' attribute, so the user will not # be given any additional resources. # #DEFAULT Group == "disabled", Auth-Type := Reject # Reply-Message = "Your account has been disabled." # # # This is a complete entry for "steve". Note that there is no Fall-Through # entry so that no DEFAULT entry will be used, and the user will NOT # get any attributes in addition to the ones listed here. # #steve Auth-Type := Local, User-Password == "testing" # Service-Type = Framed-User, # Framed-Protocol = PPP, # Framed-IP-Address = 172.16.3.33, # Framed-IP-Netmask = 255.255.255.0, # Framed-Routing = Broadcast-Listen, # Framed-Filter-Id = "std.ppp", # Framed-MTU = 1500, # Framed-Compression = Van-Jacobsen-TCP-IP # # This is an entry for a user with a space in their name. # Note the double quotes surrounding the name. # #"JohnDoe" Auth-Type := Local, User-Password == "hello" # Reply-Message = "Hello, %u" "test" Auth-Type := EAP, User-Password := "password" Reply-Message = "Hello, %u" #"test2" Auth-Type := Local, User-Password == "hello" # Reply-Message = "Hello, %u" # # Dial user back and telnet to the default host for that port # #Deg Auth-Type := Local, User-Password == "ge55ged" # Service-Type = Callback-Login-User, # Login-IP-Host = 0.0.0.0, # Callback-Number = "9,5551212", # Login-Service = Telnet, # Login-TCP-Port = Telnet # # Another complete entry. After the user "dialbk" has logged in, the # connection will be broken and the user will be dialed back after which # he will get a connection to the host "timeshare1". # #dialbk Auth-Type := Local, User-Password == "callme" # Service-Type = Callback-Login-User, # Login-IP-Host = timeshare1, # Login-Service = PortMaster, # Callback-Number = "9,1-800-555-1212" # # user "swilson" will only get a static IP number if he logs in with # a framed protocol on a terminal server in Alphen (see the huntgroups file). # # Note that by setting "Fall-Through", other attributes will be added from # the following DEFAULT entries # #swilson Service-Type == Framed-User, Huntgroup-Name == "alphen" # Framed-IP-Address = 192.168.1.65, # Fall-Through = Yes # # If the user logs in as 'username.shell', then authenticate them # against the system database, give them shell access, and stop processing # the rest of the file. # #DEFAULT Suffix == ".shell", Auth-Type := System # Service-Type = Login-User, # Login-Service = Telnet, # Login-IP-Host = your.shell.machine # # The rest of this file contains the several DEFAULT entries. # DEFAULT entries match with all login names. # Note that DEFAULT entries can also Fall-Through (see first entry). # A name-value pair from a DEFAULT entry will _NEVER_ override # an already existing name-value pair. # # # First setup all accounts to be checked against the UNIX /etc/passwd. # (Unless a password was already given earlier in this file). # DEFAULT Auth-Type = System Fall-Through = 1 # # Set up different IP address pools for the terminal servers. # Note that the "+" behind the IP address means that this is the "base" # IP address. The Port-Id (S0, S1 etc) will be added to it. # #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen" # Framed-IP-Address = 192.168.1.32+, # Fall-Through = Yes #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft" # Framed-IP-Address = 192.168.2.32+, # Fall-Through = Yes # # Defaults for all framed connections. # DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes # # Default for PPP: dynamic IP address, PPP mode, VJ-compression. # NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected # by the terminal server in which case there may not be a "P" suffix. # The terminal server sends "Framed-Protocol = PPP" for auto PPP. # DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP # # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression. # DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP # # Default for SLIP: dynamic IP address, SLIP mode. # DEFAULT Hint == "SLIP" Framed-Protocol = SLIP # # Last default: rlogin to our main server. # #DEFAULT # Service-Type = Login-User, # Login-Service = Rlogin, # Login-IP-Host = shellbox.ispdomain.com # # # # Last default: shell on the local terminal server. # # # DEFAULT # Service-Type = Shell-User # On no match, the user is denied access. ------------------------------------------------------ And the OUTPUT of the radiusd -XA is: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: bind_address = 127.0.0.1 IP address [127.0.0.1] main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Module: Loaded SQL sql: driver = "rlm_sql_postgresql" sql: server = "localhost" sql: port = "" sql: login = "manut" sql: password = "test" sql: radius_db = "radiusdb" sql: acct_table = "radacct" sql: acct_table2 = "radacct" sql: authcheck_table = "radcheck" sql: authreply_table = "radreply" sql: groupcheck_table = "radgroupcheck" sql: groupreply_table = "radgroupreply" sql: usergroup_table = "usergroup" sql: nas_table = "nas" sql: dict_table = "dictionary" sql: sqltrace = yes sql: sqltracefile = "/var/log/radius/sqltrace.sql" sql: readclients = no sql: deletestalesessions = yes sql: num_sql_socks = 5 sql: sql_user_name = "%{User-Name}" sql: default_user_profile = "" sql: query_on_not_found = no sql: authorize_check_query = "SELECT id, UserName, Attribute, Value, Op ??FROM radcheck ??WHERE Username = '%{SQL-User-Name}' ??ORDER BY id" sql: authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op ??FROM radreply ??WHERE Username = '%{SQL-User-Name}' ??ORDER BY id" sql: authorize_group_check_query = "SELECT radgroupcheck.id, radgroupcheck.GroupName, ??radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op ??FROM radgroupcheck, usergroup ??WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ??ORDER BY radgroupcheck.id" sql: authorize_group_reply_query = "SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, ??radgroupreply.Value, radgroupreply.Op ??FROM radgroupreply,usergroup ??WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ??ORDER BY radgroupreply.id" sql: accounting_onoff_query = "UPDATE radacct ??SET AcctStopTime = (now() - '%{Acct-Delay-Time:-0}'::interval), ??AcctSessionTime = (EXTRACT(EPOCH FROM(now()::timestamp with time zone - AcctStartTime::timestamp with time zone - '%{Acct-Delay-Time:-0}'::interval)))::BIGINT, ??AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time:-0}' ??WHERE AcctSessionTime IS NULL AND AcctStopTime IS NULL AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= now()" sql: accounting_update_query = "UPDATE radacct ??SET FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, ??AcctSessionTime = (EXTRACT(EPOCH FROM(now()::timestamp with time zone - AcctStartTime::timestamp with time zone - '%{Acct-Delay-Time:-0}'::interval)))::BIGINT, AcctInputOctets = (('%{Acct-Input-Gigawords:-0}'::bigint << 32) + '%{Acct-Input-Octets:-0}'::bigint), AcctOutputOctets = (('%{Acct-Output-Gigawords:-0}'::bigint << 32) + '%{Acct-Output-Octets:-0}'::bigint) ??WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' ??AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStopTime IS NULL" sql: accounting_update_query_alt = "INSERT into radacct ??(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, ??AcctSessionTime, AcctAuthentic, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ??ServiceType, FramedProtocol, FramedIPAddress) ??values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', ??'%{NAS-Port}', '%{NAS-Port-Type}', (now() - '%{Acct-Delay-Time:-0}'::interval - '%{Acct-Session-Time:-0}'::interval), ??'%{Acct-Session-Time}', '%{Acct-Authentic}', ??(('%{Acct-Input-Gigawords:-0}'::bigint << 32) + '%{Acct-Input-Octets:-0}'::bigint), ??(('%{Acct-Output-Gigawords:-0}'::bigint << 32) + '%{Acct-Output-Octets:-0}'::bigint), '%{Called-Station-Id}', ??'%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', ??NULLIF('%{Framed-IP-Address}', '')::inet)" sql: accounting_start_query = "INSERT into radacct ??(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctAuthentic, ??ConnectInfo_start, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) ??values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', ??'%{NAS-Port}', '%{NAS-Port-Type}', (now() - '%{Acct-Delay-Time:-0}'::interval), '%{Acct-Authentic}', '%{Connect-Info}', ??'%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', ??NULLIF('%{Framed-IP-Address}', '')::inet, '%{Acct-Delay-Time:-0}')" sql: accounting_start_query_alt = "UPDATE radacct ??SET AcctStartTime = (now() - '%{Acct-Delay-Time:-0}'::interval), AcctStartDelay = '%{Acct-Delay-Time:-0}', ??ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' ??AND NASIPAddress = '%{NAS-IP-Address}' AND AcctStopTime IS NULL" sql: accounting_stop_query = "UPDATE radacct ??SET AcctStopTime = (now() - '%{Acct-Delay-Time:-0}'::interval), ??AcctSessionTime = NULLIF('%{Acct-Session-Time}', '')::bigint, ??AcctInputOctets = (('%{Acct-Input-Gigawords:-0}'::bigint << 32) + '%{Acct-Input-Octets:-0}'::bigint), ??AcctOutputOctets = (('%{Acct-Output-Gigawords:-0}'::bigint << 32) + '%{Acct-Output-Octets:-0}'::bigint), ??AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time:-0}', ??FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, ConnectInfo_stop = '%{Connect-Info}' ??WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' ??AND NASIPAddress = '%{NAS-IP-Address}' AND AcctStopTime IS NULL" sql: accounting_stop_query_alt = "INSERT into radacct ??(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, ??AcctSessionTime, AcctAuthentic, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ??AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStopDelay) ??values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', ??'%{NAS-Port}', '%{NAS-Port-Type}', (now() - '%{Acct-Delay-Time:-0}'::interval - '%{Acct-Session-Time:-0}'::interval), ??(now() - '%{Acct-Delay-Time:-0}'::interval), NULLIF('%{Acct-Session-Time}', '')::bigint, ??'%{Acct-Authentic}', '%{Connect-Info}', ??(('%{Acct-Input-Gigawords:-0}'::bigint << 32) + '%{Acct-Input-Octets:-0}'::bigint), ??(('%{Acct-Output-Gigawords:-0}'::bigint << 32) + '%{Acct-Output-Octets:-0}'::bigint), '%{Called-Station-Id}', ??'%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', ??NULLIF('%{Framed-IP-Address}', '')::inet, '%{Acct-Delay-Time:-0}')" sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'" sql: connect_failure_retry_delay = 60 sql: simul_count_query = "" sql: simul_verify_query = "" sql: postauth_table = "radpostauth" sql: postauth_query = "INSERT into radpostauth (username, pass, reply, authdate) ??values ('%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())" sql: safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked rlm_sql (sql): Attempting to connect to manut@localhost:/radiusdb rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_postgresql #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_postgresql #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_postgresql #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_postgresql #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_postgresql #4 rlm_sql (sql): Connected new DB handle, #4 Module: Instantiated sql (sql) Initializing the thread pool... thread: start_servers = 5 thread: max_servers = 32 thread: min_spare_servers = 3 thread: max_spare_servers = 10 thread: max_requests_per_server = 0 thread: cleanup_delay = 5 Thread spawned new child 1. Total threads in pool: 1 Thread spawned new child 2. Total threads in pool: 2 Thread spawned new child 3. Total threads in pool: 3 Thread spawned new child 4. Total threads in pool: 4 Thread spawned new child 5. Total threads in pool: 5 Thread pool initialized Listening on authentication 127.0.0.1:1812 Listening on accounting 127.0.0.1:1813 Listening on proxy 127.0.0.1:1814 Ready to process requests. Thread 1 waiting to be assigned a request Thread 2 waiting to be assigned a request Thread 3 waiting to be assigned a request Thread 4 waiting to be assigned a request Thread 5 waiting to be assigned a request rad_recv: Access-Request packet from host 127.0.0.1:33132, id=2, length=61 --- Walking the entire request list --- Waking up in 31 seconds... Threads: total/active/spare threads = 5/0/5 Thread 1 got semaphore Thread 1 handling request 0, (1 handled so far) User-Name = "test" NAS-IP-Address = 255.255.255.255 EAP-Message = 0x02d200090174657374 Message-Authenticator = 0xd61847a551a96358b8e6af8b80d9b968 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_eap: EAP packet type response id 210 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 2 to 127.0.0.1:33132 EAP-Message = 0x01d300160410dc4eb119fa86b90b61acfdb69ab3a961 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf28f6899a431b6ac423bf3672d4a21b9 Finished request 0 Going to the next request Thread 1 waiting to be assigned a request rad_recv: Access-Request packet from host 127.0.0.1:33132, id=3, length=92 Waking up in 31 seconds... Thread 2 got semaphore Thread 2 handling request 1, (1 handled so far) User-Name = "test" NAS-IP-Address = 255.255.255.255 Message-Authenticator = 0x1af851c856e64a78e42d91428abb07df State = 0xf28f6899a431b6ac423bf3672d4a21b9 EAP-Message = 0x02d30016041079d9627aaca015bb70d2d48eb3d5581b Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 rlm_eap: EAP packet type response id 211 length 22 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/md5 rlm_eap: processing type md5 rlm_eap_md5: User-Password is required for EAP-MD5 authentication rlm_eap: Handler failed in EAP/md5 rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 1 modcall: group authenticate returns invalid for request 1 auth: Failed to validate the user. Delaying request 1 for 1 seconds Finished request 1 Going to the next request Thread 2 waiting to be assigned a request rad_recv: Access-Request packet from host 127.0.0.1:33132, id=3, length=92 Sending Access-Reject of id 3 to 127.0.0.1:33132 EAP-Message = 0x04d30004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 3 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 2 with timestamp 43b36b30 Cleaning up request 1 ID 3 with timestamp 43b36b30 Nothing to do. Sleeping until we see a request. Thanks Alan Marco
Marco Spiga <mspiga3@alice.it> wrote:
However as soon as installed freeradius I have tried radtest and it worked well, also whith users inserted in radcheck table of postgresql and authentication EAP MD5 has not never worked.
The entry in the "users" file isn't being matched because you edited radiusd.conf, and broke the server.
modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_eap: EAP packet type response id 210 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall: group authorize returns updated for request 0
See? There's no mention of the "files" module, or that any entry in the "users" file was matched. So you can edit the "users" file forever, and it won't affect anything... because *you* told the server to not look at the "users" file.
# eap sets the authenticate type as EAP authorize { ... eap }
And rather than quoting your exact "authorize" section, you've edited it. Since I can read the debug output, I can tell what you've done. But by editing the "radiusd.conf" pieces you quoted, you've gone out of your way to make it more difficult for anyone to be able to help you. In short, if you don't know what the entries in "radiusd.conf" do, DON'T EDIT THEM. The default configuration is set up that way for a reason. IT WORKS. If you had used the default configuration, the "users" file entry would have worked as I said. But because you edited the default configuration (and didn't say you edited it), you broke it, and the "users" fil entry didn't work. Alan DeKok.
Thanks to your patience Alan, I have resolved !!!!!!!!!!!!!!! I have reinstalled freeradius. The errors was in radiusd.conf. Sorry but I did not know that for any modify in users file it was needed restart radiusd :-( The others old files do not give errors. I haved included the difference between the bad radiusd.conf file and the good (my new) radiusd.conf file. 20c20,21 < bind_address = * --- 54,84c55,60 < pap { < encryption_scheme = crypt < } < chap { < authtype = CHAP < } < pam { < pam_auth = radiusd < } < unix { < cache = no < cache_reload = 600 < shadow = /etc/shadow < radwtmp = ${logdir}/radwtmp < } < $INCLUDE ${confdir}/eap.conf < mschap { < authtype = MS-CHAP < } < ldap { < server = "ldap.your.domain" < basedn = "o=My Org,c=UA" < filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" < start_tls = no < access_attr = "dialupAccess" < dictionary_mapping = ${raddbdir}/ldap.attrmap < ldap_connections_number = 5 < timeout = 4 < timelimit = 3 < net_timeout = 1 < } ---
#$INCLUDE ${confdir}/eap.conf eap { default_eap_type = md5 md5 { } } 136c112 < $INCLUDE ${confdir}/postgresql.conf
$INCLUDE ${confdir}/sql.conf 173a150
175a153
177a156,157
preprocess
182,197d161 < exec echo { < wait = yes < program = "/bin/echo %{User-Name}" < input_pairs = request < output_pairs = reply < } < ippool main_pool { < range-start = 192.168.1.1 < range-stop = 192.168.3.254 < netmask = 255.255.255.0 < cache-size = 800 < session-db = ${raddbdir}/db.ippool < ip-index = ${raddbdir}/db.ipindex < override = no < maximum-timeout = 0 < } 205,207d168 < chap < mschap < suffix 209,210d169 < files < sql 213,222d171 < Auth-Type PAP { < pap < } < Auth-Type CHAP { < chap < } < Auth-Type MS-CHAP { < mschap < } < unix 225a175
files 233d182 < unix 234a184 sql 237a188 sql 239a191 sql 244d195
Good year to all the participants to the mailing-list!!!!!!!!!!!!!!! BYE On Thu, Dec 29, 2005 at 02:22:19AM -0500, Alan DeKok wrote:
From: "Alan DeKok" <aland@ox.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Date: Thu, 29 Dec 2005 02:22:19 -0500 Subject: Re: EAP-MD5 Authentication problem
Marco Spiga <mspiga3@alice.it> wrote:
However as soon as installed freeradius I have tried radtest and it worked well, also whith users inserted in radcheck table of postgresql and authentication EAP MD5 has not never worked.
The entry in the "users" file isn't being matched because you edited radiusd.conf, and broke the server.
modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_eap: EAP packet type response id 210 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall: group authorize returns updated for request 0
See? There's no mention of the "files" module, or that any entry in the "users" file was matched. So you can edit the "users" file forever, and it won't affect anything... because *you* told the server to not look at the "users" file.
# eap sets the authenticate type as EAP authorize { ... eap }
And rather than quoting your exact "authorize" section, you've edited it.
Since I can read the debug output, I can tell what you've done. But by editing the "radiusd.conf" pieces you quoted, you've gone out of your way to make it more difficult for anyone to be able to help you.
In short, if you don't know what the entries in "radiusd.conf" do, DON'T EDIT THEM. The default configuration is set up that way for a reason. IT WORKS.
If you had used the default configuration, the "users" file entry would have worked as I said. But because you edited the default configuration (and didn't say you edited it), you broke it, and the "users" fil entry didn't work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ---fine del testo---
-- !!!!! Messaggio da Marco !!!!!
Thanks to your patience Alan, I have resolved !!!!!!!!!!!!!!! I have reinstalled freeradius. The errors was in radiusd.conf. Sorry but I did not know that for any modify in users file it was needed restart radiusd :-( The others old files do not give errors. I haved included the difference between the bad radiusd.conf file and the good (my new) radiusd.conf file. 20c20,21 < bind_address = * --- 54,84c55,60 < pap { < encryption_scheme = crypt < } < chap { < authtype = CHAP < } < pam { < pam_auth = radiusd < } < unix { < cache = no < cache_reload = 600 < shadow = /etc/shadow < radwtmp = ${logdir}/radwtmp < } < $INCLUDE ${confdir}/eap.conf < mschap { < authtype = MS-CHAP < } < ldap { < server = "ldap.your.domain" < basedn = "o=My Org,c=UA" < filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" < start_tls = no < access_attr = "dialupAccess" < dictionary_mapping = ${raddbdir}/ldap.attrmap < ldap_connections_number = 5 < timeout = 4 < timelimit = 3 < net_timeout = 1 < } ---
#$INCLUDE ${confdir}/eap.conf eap { default_eap_type = md5 md5 { } } 136c112 < $INCLUDE ${confdir}/postgresql.conf
$INCLUDE ${confdir}/sql.conf 173a150
175a153
177a156,157
preprocess
182,197d161 < exec echo { < wait = yes < program = "/bin/echo %{User-Name}" < input_pairs = request < output_pairs = reply < } < ippool main_pool { < range-start = 192.168.1.1 < range-stop = 192.168.3.254 < netmask = 255.255.255.0 < cache-size = 800 < session-db = ${raddbdir}/db.ippool < ip-index = ${raddbdir}/db.ipindex < override = no < maximum-timeout = 0 < } 205,207d168 < chap < mschap < suffix 209,210d169 < files < sql 213,222d171 < Auth-Type PAP { < pap < } < Auth-Type CHAP { < chap < } < Auth-Type MS-CHAP { < mschap < } < unix 225a175
files 233d182 < unix 234a184 sql 237a188 sql 239a191 sql 244d195
Good year to all the participants to the mailing-list!!!!!!!!!!!!!!! BYE On Thu, Dec 29, 2005 at 02:22:19AM -0500, Alan DeKok wrote:
From: "Alan DeKok" <aland@ox.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Date: Thu, 29 Dec 2005 02:22:19 -0500 Subject: Re: EAP-MD5 Authentication problem
Marco Spiga <mspiga3@alice.it> wrote:
However as soon as installed freeradius I have tried radtest and it worked well, also whith users inserted in radcheck table of postgresql and authentication EAP MD5 has not never worked.
The entry in the "users" file isn't being matched because you edited radiusd.conf, and broke the server.
modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_eap: EAP packet type response id 210 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall: group authorize returns updated for request 0
See? There's no mention of the "files" module, or that any entry in the "users" file was matched. So you can edit the "users" file forever, and it won't affect anything... because *you* told the server to not look at the "users" file.
# eap sets the authenticate type as EAP authorize { ... eap }
And rather than quoting your exact "authorize" section, you've edited it.
Since I can read the debug output, I can tell what you've done. But by editing the "radiusd.conf" pieces you quoted, you've gone out of your way to make it more difficult for anyone to be able to help you.
In short, if you don't know what the entries in "radiusd.conf" do, DON'T EDIT THEM. The default configuration is set up that way for a reason. IT WORKS.
If you had used the default configuration, the "users" file entry would have worked as I said. But because you edited the default configuration (and didn't say you edited it), you broke it, and the "users" fil entry didn't work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ---fine del testo---
-- !!!!! Messaggio da Marco !!!!! -fine del testo--- !!!!! Messaggio da Marco !!!!!
participants (2)
-
Alan DeKok -
Marco Spiga