Hello, I have problem with provide IPv6 from users file. I use files as redundant when sql will broke. in file: 2001:db8:2:8000:: Cleartext-Password := 'cisco' Cisco-Service-info = 'QU;1433600000;D;1433600000', Cisco-Avpair += 'subscriber:accounting-list=FRAD_BRAS_ISG_ACCT', Framed-IPv6-Prefix = '2001:db8:2:8000::/56', Idle-Timeout = 10800, Cisco-Avpair += 'subscriber:idle-timeout-direction=inbound' for ipv4 I have 192.168.1.12 Cleartext-Password := 'cisco' Cisco-Service-info = 'QU;1433600000;D;1433600000', Cisco-Avpair += 'subscriber:accounting-list=FRAD_BRAS_ISG_ACCT', Cisco-Avpair += 'subscriber:keepalive=interval 10', Cisco-Avpair += 'subscriber:idle-timeout-direction=inbound' and it works, but for ipv6 doesn't Debug says that radius can't find user :/ (0) Received Access-Request Id 94 from 10.249.1.202:1645 to 10.249.1.203:1912 length 152 (0) User-Name = "2001:DB8:2:8000::" (0) User-Password = "cisco" (0) Framed-IPv6-Prefix = 2001:db8:2:8000::/56 (0) Calling-Station-Id = "00:00:00:00:00:00" (0) NAS-Port-Type = PPPoEoE (0) NAS-Port = 0 (0) NAS-Port-Id = "0/0/0/0" (0) Service-Type = Outbound-User (0) NAS-IP-Address = 10.249.1.202 (0) Acct-Session-Id = "00001200" (0) NAS-Identifier = "ASR_1" (0) Event-Timestamp = "Mar 30 2020 09:39:28 CEST" (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/ikam-isg.server (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "2001:DB8:2:8000::", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) redundant { (0) ikam-isg: EXPAND %{User-Name} (0) ikam-isg: --> 2001:DB8:2:8000:: (0) ikam-isg: SQL-User-Name set to '2001:DB8:2:8000::' rlm_sql (ikam-isg): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (ikam-isg): Opening additional connection (0), 1 of 64 pending slots used rlm_sql_postgresql: Connecting using parameters: dbname=bcman host=localhost user=bcman password=bcman rlm_sql_postgresql: Connection failed: could not connect to server: Connection refused Is the server running on host "localhost" (127.0.0.1) and accepting TCP/IP connections on port 5432? rlm_sql_postgresql: Socket destructor called, closing socket rlm_sql (ikam-isg): Opening connection failed (0) *(0) [ikam-isg] = fail(0) [files] = noop* (0) } # redundant = noop (0) [expiration] = noop (0) [logintime] = noop *(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type(0) pap: WARNING: Authentication will fail unless a "known good" password is available* (0) [pap] = noop (0) } # authorize = ok *(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject(0) Failed to authenticate the user* (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/ikam-isg.server (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> 2001:DB8:2:8000:: (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.6 seconds. Waking up in 0.3 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 94 from 10.249.1.203:1912 to 10.249.1.202:1645 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 94 with timestamp +6 FreeRADIUS Version 3.0.16 Where I'm doing mistake? Best regards Marcin
Hi, Is it case sensitive? Perhaps “db” and “DB” are not matching. Any reason your RADIUS server is trying to connect to a postgres database, and failing to do so? That seems like a bad configuration..
On 30/03/2020, at 8:46 PM, Marcin Romanowski <marcin@nicram.net> wrote:
Hello, I have problem with provide IPv6 from users file. I use files as redundant when sql will broke.
in file:
2001:db8:2:8000:: Cleartext-Password := 'cisco' Cisco-Service-info = 'QU;1433600000;D;1433600000', Cisco-Avpair += 'subscriber:accounting-list=FRAD_BRAS_ISG_ACCT', Framed-IPv6-Prefix = '2001:db8:2:8000::/56', Idle-Timeout = 10800, Cisco-Avpair += 'subscriber:idle-timeout-direction=inbound'
for ipv4 I have 192.168.1.12 Cleartext-Password := 'cisco' Cisco-Service-info = 'QU;1433600000;D;1433600000', Cisco-Avpair += 'subscriber:accounting-list=FRAD_BRAS_ISG_ACCT', Cisco-Avpair += 'subscriber:keepalive=interval 10', Cisco-Avpair += 'subscriber:idle-timeout-direction=inbound' and it works, but for ipv6 doesn't
Debug says that radius can't find user :/
(0) Received Access-Request Id 94 from 10.249.1.202:1645 to 10.249.1.203:1912 length 152 (0) User-Name = "2001:DB8:2:8000::" (0) User-Password = "cisco" (0) Framed-IPv6-Prefix = 2001:db8:2:8000::/56 (0) Calling-Station-Id = "00:00:00:00:00:00" (0) NAS-Port-Type = PPPoEoE (0) NAS-Port = 0 (0) NAS-Port-Id = "0/0/0/0" (0) Service-Type = Outbound-User (0) NAS-IP-Address = 10.249.1.202 (0) Acct-Session-Id = "00001200" (0) NAS-Identifier = "ASR_1" (0) Event-Timestamp = "Mar 30 2020 09:39:28 CEST" (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/ikam-isg.server (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "2001:DB8:2:8000::", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) redundant { (0) ikam-isg: EXPAND %{User-Name} (0) ikam-isg: --> 2001:DB8:2:8000:: (0) ikam-isg: SQL-User-Name set to '2001:DB8:2:8000::' rlm_sql (ikam-isg): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (ikam-isg): Opening additional connection (0), 1 of 64 pending slots used rlm_sql_postgresql: Connecting using parameters: dbname=bcman host=localhost user=bcman password=bcman rlm_sql_postgresql: Connection failed: could not connect to server: Connection refused Is the server running on host "localhost" (127.0.0.1) and accepting TCP/IP connections on port 5432? rlm_sql_postgresql: Socket destructor called, closing socket rlm_sql (ikam-isg): Opening connection failed (0)
*(0) [ikam-isg] = fail(0) [files] = noop* (0) } # redundant = noop (0) [expiration] = noop (0) [logintime] = noop
*(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type(0) pap: WARNING: Authentication will fail unless a "known good" password is available* (0) [pap] = noop (0) } # authorize = ok
*(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject(0) Failed to authenticate the user* (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/ikam-isg.server (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> 2001:DB8:2:8000:: (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.6 seconds. Waking up in 0.3 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 94 from 10.249.1.203:1912 to 10.249.1.202:1645 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 94 with timestamp +6
FreeRADIUS Version 3.0.16
Where I'm doing mistake?
Best regards Marcin - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
pon., 30 mar 2020 o 10:01 Nathan Ward <lists+freeradius@daork.net> napisał(a):
Hi,
Is it case sensitive? Perhaps “db” and “DB” are not matching.
Yes, it was it. Thank you very much.
Any reason your RADIUS server is trying to connect to a postgres database, and failing to do so? That seems like a bad configuration..
No, configuration is good. redundant { ikam-isg files } I'm testing redundant case, when postres will be not available. This is my LAB environment, in production radius and postgres are seperate machines
On 30/03/2020, at 8:46 PM, Marcin Romanowski <marcin@nicram.net> wrote:
Hello, I have problem with provide IPv6 from users file. I use files as redundant when sql will broke.
in file:
2001:db8:2:8000:: Cleartext-Password := 'cisco' Cisco-Service-info = 'QU;1433600000;D;1433600000', Cisco-Avpair += 'subscriber:accounting-list=FRAD_BRAS_ISG_ACCT', Framed-IPv6-Prefix = '2001:db8:2:8000::/56', Idle-Timeout = 10800, Cisco-Avpair += 'subscriber:idle-timeout-direction=inbound'
for ipv4 I have 192.168.1.12 Cleartext-Password := 'cisco' Cisco-Service-info = 'QU;1433600000;D;1433600000', Cisco-Avpair += 'subscriber:accounting-list=FRAD_BRAS_ISG_ACCT', Cisco-Avpair += 'subscriber:keepalive=interval 10', Cisco-Avpair += 'subscriber:idle-timeout-direction=inbound' and it works, but for ipv6 doesn't
Debug says that radius can't find user :/
(0) Received Access-Request Id 94 from 10.249.1.202:1645 to 10.249.1.203:1912 length 152 (0) User-Name = "2001:DB8:2:8000::" (0) User-Password = "cisco" (0) Framed-IPv6-Prefix = 2001:db8:2:8000::/56 (0) Calling-Station-Id = "00:00:00:00:00:00" (0) NAS-Port-Type = PPPoEoE (0) NAS-Port = 0 (0) NAS-Port-Id = "0/0/0/0" (0) Service-Type = Outbound-User (0) NAS-IP-Address = 10.249.1.202 (0) Acct-Session-Id = "00001200" (0) NAS-Identifier = "ASR_1" (0) Event-Timestamp = "Mar 30 2020 09:39:28 CEST" (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/ikam-isg.server (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "2001:DB8:2:8000::", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) redundant { (0) ikam-isg: EXPAND %{User-Name} (0) ikam-isg: --> 2001:DB8:2:8000:: (0) ikam-isg: SQL-User-Name set to '2001:DB8:2:8000::' rlm_sql (ikam-isg): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (ikam-isg): Opening additional connection (0), 1 of 64 pending slots used rlm_sql_postgresql: Connecting using parameters: dbname=bcman host=localhost user=bcman password=bcman rlm_sql_postgresql: Connection failed: could not connect to server: Connection refused Is the server running on host "localhost" (127.0.0.1) and accepting TCP/IP connections on port 5432? rlm_sql_postgresql: Socket destructor called, closing socket rlm_sql (ikam-isg): Opening connection failed (0)
*(0) [ikam-isg] = fail(0) [files] = noop* (0) } # redundant = noop (0) [expiration] = noop (0) [logintime] = noop
*(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type(0) pap: WARNING: Authentication will fail unless a "known good" password is available* (0) [pap] = noop (0) } # authorize = ok
*(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject(0) Failed to authenticate the user* (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/ikam-isg.server (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> 2001:DB8:2:8000:: (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.6 seconds. Waking up in 0.3 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 94 from 10.249.1.203:1912 to 10.249.1.202:1645 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 94 with timestamp +6
FreeRADIUS Version 3.0.16
Where I'm doing mistake?
Best regards Marcin - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Marcin Romanowski / nicraM
Marcin Romanowski <marcin@nicram.net> writes: [...]
rlm_sql_postgresql: Connecting using parameters: dbname=bcman host=localhost user=bcman password=bcman rlm_sql_postgresql: Connection failed: could not connect to server: Connection refused Is the server running on host "localhost" (127.0.0.1) and accepting TCP/IP connections on port 5432? [...]
Have you tried connect to postgres with psql? message above clearly stated that radius can't connect to postgres on localhost. Return back when something like: psql -h localhost -U bcman -d bcman asks you for password. KJ -- http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
pon., 30 mar 2020 o 10:08 Kamil Jońca <kjonca@o2.pl> napisał(a):
Marcin Romanowski <marcin@nicram.net> writes:
[...]
rlm_sql_postgresql: Connecting using parameters: dbname=bcman host=localhost user=bcman password=bcman rlm_sql_postgresql: Connection failed: could not connect to server: Connection refused Is the server running on host "localhost" (127.0.0.1) and accepting TCP/IP connections on port 5432? [...]
Have you tried connect to postgres with psql? message above clearly stated that radius can't connect to postgres on localhost. Return back when something like:
psql -h localhost -U bcman -d bcman
No, this is not issue with database. I've shutdown database to check redundant from files. Normally from database works
asks you for password. KJ
-- http://stopstopnop.pl/stop_stopnop.pl_o_nas.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Marcin Romanowski / nicraM
participants (3)
-
kjonca@o2.pl -
Marcin Romanowski -
Nathan Ward