Dear radius gurus, I am trying to setup radius for mysql auth, but I altough the db tables seems to be ok, I cannot auth the users. Any help will be welcome! Thanks in advance! here is what I am trying: [root@intranet raddb]# radtest anavc 2572ava localhost:1645 0 teste Sending Access-Request of id 139 to 127.0.0.1:1645 User-Name = "anavc" User-Password = "2572ava" NAS-IP-Address = intranet NAS-Port = 0 Re-sending Access-Request of id 139 to 127.0.0.1:1645 User-Name = "anavc" User-Password = "\027\257\363\336\323t\270\301\252\320S\213\032y\350\371" NAS-IP-Address = intranet NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1:1645, id=139, length=20 [root@intranet raddb]# ------------------------------------------------------------------------------------------------------------------------------------------------------------- radiusd -X says: Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:54564, id=171, length=57 User-Name = "anavc" User-Password = "2572ava" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "anavc", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "anavc" rlm_realm: Proxying request from user anavc to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched DEFAULT at 173 modcall[authorize]: module "files" returns ok for request 0 radius_xlat: 'anavc' rlm_sql (sql): sql_set_user escaped user --> 'anavc' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'anavc' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 3 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'anavc' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'anavc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'anavc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'anavc' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'anavc' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'anavc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'anavc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): No matching entry in the database for request from user [anavc] rlm_sql (sql): Released sql socket id: 3 modcall[authorize]: module "sql" returns notfound for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns notfound for request 0 modcall: group authenticate returns notfound for request 0 auth: Failed to validate the user. Login incorrect: [anavc/2572ava] (from client localhost port 0) rad_lowerpair: Stripped-User-Name now 'anavc' rad_lowerpair: User-Password now '2572ava' rad_rmspace_pair: Stripped-User-Name now 'anavc' rad_rmspace_pair: User-Password now '2572ava' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: Request already proxied. Ignoring. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched DEFAULT at 173 modcall[authorize]: module "files" returns ok for request 0 radius_xlat: 'anavc' rlm_sql (sql): sql_set_user escaped user --> 'anavc' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'anavc' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 2 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'anavc' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'anavc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'anavc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'anavc' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'anavc' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'anavc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'anavc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): No matching entry in the database for request from user [anavc] rlm_sql (sql): Released sql socket id: 2 modcall[authorize]: module "sql" returns notfound for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns notfound for request 0 modcall: group authenticate returns notfound for request 0 auth: Failed to validate the user. Login incorrect: [anavc/2572ava] (from client localhost port 0) Delaying request 0 for 2 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 2 seconds... --- Walking the entire request list --- Waking up in 2 seconds... ------------------------------------------------------------------------------------------------------------------------------------------------------------- when I run the queries by hand: mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'anavc' ORDER BY id; +----+----------+---------------+---------+----+ | id | UserName | Attribute | Value | op | +----+----------+---------------+---------+----+ | 4 | anavc | User-Password | 2572ava | == | +----+----------+---------------+---------+----+ 1 row in set (0.02 sec) mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'anavc' ORDER BY id; +----+----------+---------------+---------+----+ | id | UserName | Attribute | Value | op | +----+----------+---------------+---------+----+ | 4 | anavc | User-Password | 2572ava | == | +----+----------+---------------+---------+----+ 1 row in set (0.00 sec) mysql> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'anavc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id; +----+-----------+------------------+-------+----+ | id | GroupName | Attribute | Value | op | +----+-----------+------------------+-------+----+ | 1 | dialup | Auth-Type | Local | == | | 2 | dialup | Simultaneous-Use | 1 | == | +----+-----------+------------------+-------+----+ 2 rows in set (0.00 sec) mysql> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'anavc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id; +----+-----------+------------------+-------+----+ | id | GroupName | Attribute | Value | op | +----+-----------+------------------+-------+----+ | 1 | dialup | Auth-Type | Local | == | | 2 | dialup | Simultaneous-Use | 1 | == | +----+-----------+------------------+-------+----+ 2 rows in set (0.00 sec) mysql> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'anavc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id; +----+-----------+------------------+-------+----+ | id | GroupName | Attribute | Value | op | +----+-----------+------------------+-------+----+ | 1 | dialup | Auth-Type | Local | == | | 2 | dialup | Simultaneous-Use | 1 | == | +----+-----------+------------------+-------+----+ 2 rows in set (0.00 sec) mysql> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'anavc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id; +----+-----------+--------------------+---------------------+----+ | id | GroupName | Attribute | Value | op | +----+-----------+--------------------+---------------------+----+ | 27 | dialup | Framed-IP-Address | 255.255.255.254 | == | | 28 | dialup | Framed-Compression | Van-Jacobson-TCP-IP | == | | 29 | dialup | Framed-IP-Netmask | 255.255.255.255 | == | | 30 | dialup | Framed-MTU | 576 | == | | 31 | dialup | Idle-Timeout | 900 | := | +----+-----------+--------------------+---------------------+----+ 5 rows in set (0.03 sec)
Did you pick the operators by chance? You are not very lucky, as only one (for the password) is correct. Even that is not correct if this is the latest version of the server (1.1.6) - you should use Cleartext-Password and := as an operator. radgroupcheck:
+----+-----------+------------------+-------+----+ | id | GroupName | Attribute | Value | op | +----+-----------+------------------+-------+----+ | 1 | dialup | Auth-Type | Local | == | | 2 | dialup | Simultaneous-Use | 1 | == | +----+-----------+------------------+-------+----+
- delete Auth-Type; you don't need it for a recent server version - change op for Simultaneous-Use to := radgroupreply:
+----+-----------+--------------------+---------------------+----+ | id | GroupName | Attribute | Value | op | +----+-----------+--------------------+---------------------+----+ | 27 | dialup | Framed-IP-Address | 255.255.255.254 | == | | 28 | dialup | Framed-Compression | Van-Jacobson-TCP-IP | == | | 29 | dialup | Framed-IP-Netmask | 255.255.255.255 | == | | 30 | dialup | Framed-MTU | 576 | == | | 31 | dialup | Idle-Timeout | 900 | := | +----+-----------+--------------------+---------------------+----+
- change all ops to = - is this (255.255.255.254) really the IP address you want to give your user; client is unlikely to accept IP address above 224 subnet users file:
users: Matched DEFAULT at 173 rad_check_password: Found Auth-Type System
There is a DEFAULT entry towards the end of users file setting Auth-Type System. Comment it out. Ivan Kalik Kalik Informatika ISP
On Friday 08 June 2007 13:24:20 tnt@kalik.co.yu wrote:
radgroupreply:
| 27 | dialup | Framed-IP-Address | 255.255.255.254 | == | | 28 | dialup | Framed-Compression | Van-Jacobson-TCP-IP | == | | 29 | dialup | Framed-IP-Netmask | 255.255.255.255 | == | | 30 | dialup | Framed-MTU | 576 | == | | 31 | dialup | Idle-Timeout | 900 | := |
- change all ops to =
Change all '==' to just '=' or ':=', depending on your needs. The operator for Idle-Timeout is correct.
- is this (255.255.255.254) really the IP address you want to give your user; client is unlikely to accept IP address above 224 subnet
The RFCs say that this IP tells the NAS to assign an IP from the dynamic pool. -Kevin
Hi Kevin and Ivan, Thank you for your replies. I now have it working ok. I do have a further question: I need to auth users both from system (unix passwd) and local (sql). How can I do that? I tried: DEFAULT Auth-Type = System Fall-Through = 1 DEFAULT Auth-Type = local # Fall-Through = 1 # Exec-Program-Wait = "/usr/bin/php/home/ispadmin/latest/src/checkradius.php %u %n" , But it only works for the system entry. Thank you, Felipe
From radiusd.conf:
# In general, you SHOULD NOT set the Auth-Type attribute. The server # will figure it out on its own, and will do the right thing. The # most common side effect of erroneously setting the Auth-Type # attribute is that one authentication method will work, but the # others will not. Remove both Auth-Types and let server sort it out. Make sure sql and unix entries in radiusd.conf are not commented out. Ivan Kalik Kalik Informatika ISP Dana 8/6/2007, "Felipe Ceglia - PY1NB" <felipe-listas@terenet.com.br> piše:
Hi Kevin and Ivan,
Thank you for your replies. I now have it working ok.
I do have a further question:
I need to auth users both from system (unix passwd) and local (sql).
How can I do that?
I tried:
DEFAULT Auth-Type = System Fall-Through = 1
DEFAULT Auth-Type = local # Fall-Through = 1 # Exec-Program-Wait = "/usr/bin/php/home/ispadmin/latest/src/checkradius.php %u %n" ,
But it only works for the system entry.
Thank you,
Felipe
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I just tried it, but then only the sql user is accepted. Thanks, Felipe tnt@kalik.co.yu wrote:
From radiusd.conf:
# In general, you SHOULD NOT set the Auth-Type attribute. The server # will figure it out on its own, and will do the right thing. The # most common side effect of erroneously setting the Auth-Type # attribute is that one authentication method will work, but the # others will not.
Remove both Auth-Types and let server sort it out. Make sure sql and unix entries in radiusd.conf are not commented out.
Ivan Kalik Kalik Informatika ISP
Dana 8/6/2007, "Felipe Ceglia - PY1NB" <felipe-listas@terenet.com.br> piše:
Hi Kevin and Ivan,
Thank you for your replies. I now have it working ok.
I do have a further question:
I need to auth users both from system (unix passwd) and local (sql).
How can I do that?
I tried:
DEFAULT Auth-Type = System Fall-Through = 1
DEFAULT Auth-Type = local # Fall-Through = 1 # Exec-Program-Wait = "/usr/bin/php/home/ispadmin/latest/src/checkradius.php %u %n" ,
But it only works for the system entry.
Thank you,
Felipe
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OK. Put back: DEFAULT Auth-Type = System Fall-Through = 1 in your users file. Post radiusd -X output for SQL user. If he is found in the database but still rejected you might need to add Auth-Type Local with op := to your radgroupcheck table. Ivan Kalik Kalik Informatika ISP Dana 8/6/2007, "Felipe Ceglia - PY1NB" <felipe-listas@terenet.com.br> piše:
I just tried it, but then only the sql user is accepted.
Thanks,
Felipe
tnt@kalik.co.yu wrote:
From radiusd.conf:
# In general, you SHOULD NOT set the Auth-Type attribute. The server # will figure it out on its own, and will do the right thing. The # most common side effect of erroneously setting the Auth-Type # attribute is that one authentication method will work, but the # others will not.
Remove both Auth-Types and let server sort it out. Make sure sql and unix entries in radiusd.conf are not commented out.
Ivan Kalik Kalik Informatika ISP
Dana 8/6/2007, "Felipe Ceglia - PY1NB" <felipe-listas@terenet.com.br> piše:
Hi Kevin and Ivan,
Thank you for your replies. I now have it working ok.
I do have a further question:
I need to auth users both from system (unix passwd) and local (sql).
How can I do that?
I tried:
DEFAULT Auth-Type = System Fall-Through = 1
DEFAULT Auth-Type = local # Fall-Through = 1 # Exec-Program-Wait = "/usr/bin/php/home/ispadmin/latest/src/checkradius.php %u %n" ,
But it only works for the system entry.
Thank you,
Felipe
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Ivan, Thank you very much! I owe you guys a pack of beer! Worked finely! I will now take a breath and go deeply into radius manual to understand these operators. Felipe tnt@kalik.co.yu wrote:
OK. Put back:
DEFAULT Auth-Type = System Fall-Through = 1
in your users file.
Post radiusd -X output for SQL user. If he is found in the database but still rejected you might need to add Auth-Type Local with op := to your radgroupcheck table.
Ivan Kalik Kalik Informatika ISP
Dana 8/6/2007, "Felipe Ceglia - PY1NB" <felipe-listas@terenet.com.br> piše:
I just tried it, but then only the sql user is accepted.
Thanks,
Felipe
tnt@kalik.co.yu wrote:
From radiusd.conf:
# In general, you SHOULD NOT set the Auth-Type attribute. The server # will figure it out on its own, and will do the right thing. The # most common side effect of erroneously setting the Auth-Type # attribute is that one authentication method will work, but the # others will not.
Remove both Auth-Types and let server sort it out. Make sure sql and unix entries in radiusd.conf are not commented out.
Ivan Kalik Kalik Informatika ISP
Dana 8/6/2007, "Felipe Ceglia - PY1NB" <felipe-listas@terenet.com.br> piše:
Hi Kevin and Ivan,
Thank you for your replies. I now have it working ok.
I do have a further question:
I need to auth users both from system (unix passwd) and local (sql).
How can I do that?
I tried:
DEFAULT Auth-Type = System Fall-Through = 1
DEFAULT Auth-Type = local # Fall-Through = 1 # Exec-Program-Wait = "/usr/bin/php/home/ispadmin/latest/src/checkradius.php %u %n" ,
But it only works for the system entry.
Thank you,
Felipe
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I am using Freeradius as a Secondary Radius. The issue is sometimes not always but 98% of the time A user when they connect to the secondary (freeradius) and connect accounting packet start and then when they disconnect no accounting packet stop gets to the secondary Reason its going to the primary radius (VOPRAdius) Thus the problem being the secondary thinks they are still connected. The nas's are not onn site these are from level3 networks Does anyone know what to do for this? I am at a stump on this one.
Please start your own thread. Don't hijack others. Use the same database for storing accounting data for both servers. If you store data from one server in one place and data from the other server in another ... Ivan Kalik Kalik Informatika ISP Dana 9/6/2007, "Jeff" <jeffa@jahelpdesk.com> piše:
I am using Freeradius as a Secondary Radius.
The issue is sometimes not always but 98% of the time
A user when they connect to the secondary (freeradius) and connect
accounting packet start and then when they disconnect no accounting packet stop gets to the secondary
Reason its going to the primary radius (VOPRAdius)
Thus the problem being the secondary thinks they are still connected.
The nas's are not onn site these are from level3 networks
Does anyone know what to do for this?
I am at a stump on this one.
sorry my fault _____ From: tnt@kalik.co.yu To: FreeRadius users mailing list [mailto:freeradius-users@lists.freeradius.org] Sent: Sat, 09 Jun 2007 13:55:17 -0400 Subject: Re: sql question Please start your own thread. Don't hijack others. Use the same database for storing accounting data for both servers. If you store data from one server in one place and data from the other server in another ... Ivan Kalik Kalik Informatika ISP Dana 9/6/2007, "Jeff" <jeffa@jahelpdesk.com> piše:
I am using Freeradius as a Secondary Radius.
The issue is sometimes not always but 98% of the time
A user when they connect to the secondary (freeradius) and connect
accounting packet start and then when they disconnect no accounting packet stop gets to the secondary
Reason its going to the primary radius (VOPRAdius)
Thus the problem being the secondary thinks they are still connected.
The nas's are not onn site these are from level3 networks
Does anyone know what to do for this?
I am at a stump on this one.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Felipe Ceglia - PY1NB -
Jeff -
Kevin Bonner -
tnt@kalik.co.yu