Freeradius and eDirectory

Radius radius at kingmanaz.net
Wed Jul 6 08:21:54 CEST 2005


Yesterday I put our mirror drive in service after a recommendation here 
with 0.9.3 and the system is running fine. I decided to try and find out 
why the system would not work after an update.

So I started all over with a completely new install of the radius and 
put everything in it's /opt directory

The only part the does not work is the chap authentication all other 
authentication works as it should. Our wholesale provider says we are 
doing PAP just fine but no chap. They had very old instructions for 
Freeradius but decided to start out with a totally clean install.

This user below is in mysql database, and the system passwd/shadow files.

He will not authenticate with the mysql database when we include a realm 
@domain
and chap password.

It gets the slipstream false from the database so I'm not sure why it 
won't authenticate
the rest.

When I do this with the 0.9.3 that is currently running it works fine 
with the realm.

I did diff on the radiusd.conf and the sql.conf files, and work at all 
the settings to be as close to the old one as possible. A couple new 
items in the files I did not know right off what they were for and left 
them as default.

The last time we installed 0.9.3 we actually had help to config it to 
running step by step email instruction but that person is not around any 
longer. It was running in 45 minutes.



here is the radius -x

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /opt/freeradius/etc/raddb/proxy.conf
Config:   including file: /opt/freeradius/etc/raddb/clients.conf
Config:   including file: /opt/freeradius/etc/raddb/snmp.conf
Config:   including file: /opt/freeradius/etc/raddb/eap.conf
Config:   including file: /opt/freeradius/etc/raddb/sql.conf
 main: prefix = "/opt/freeradius"
 main: localstatedir = "/opt/freeradius/var"
 main: logdir = "/opt/freeradius/var/log/radius"
 main: libdir = "/opt/freeradius/lib"
 main: radacctdir = "/opt/freeradius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1645
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/opt/freeradius/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/opt/freeradius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/opt/freeradius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /opt/freeradius/lib
Module: Loaded exec
 exec: wait = no
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/opt/freeradius/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/opt/freeradius/etc/raddb/huntgroups"
 preprocess: hints = "/opt/freeradius/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded attr_filter
 attr_filter: attrsfile = "/opt/freeradius/etc/raddb/attrs"
 rlm_attr_filter: Authorize method will be deprecated.
Module: Instantiated attr_filter (attr_filter)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = yes
 realm: ignore_null = yes
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/opt/freeradius/etc/raddb/users"
 files: acctusersfile = "/opt/freeradius/etc/raddb/acct_users"
 files: preproxy_usersfile = "/opt/freeradius/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded SQL
 sql: driver = "rlm_sql_mysql"
 sql: server = "64.240.76.3"
 sql: port = ""
 sql: login = "root"
 sql: password = "test123"
 sql: radius_db = "radius"
 sql: acct_table = "radacct"
 sql: acct_table2 = "radacct"
 sql: authcheck_table = "radcheck"
 sql: authreply_table = "radreply"
 sql: groupcheck_table = "radgroupcheck"
 sql: groupreply_table = "radgroupreply"
 sql: usergroup_table = "usergroup"
 sql: nas_table = "nas"
 sql: dict_table = "dictionary"
 sql: sqltrace = yes
 sql: sqltracefile = "/opt/freeradius/var/log/radius/sqltrace.sql"
 sql: readclients = no
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = "%{User-Name}"
 sql: default_user_profile = ""
 sql: query_on_not_found = no
 sql: authorize_check_query = "SELECT id,UserName,Attribute,Value,op 
FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
 sql: authorize_reply_query = "SELECT id,UserName,Attribute,Value,op 
FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
 sql: authorize_group_check_query = "SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  
FROM radgroupcheck,usergroup WHERE usergroup.Username = 
'%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName 
ORDER BY radgroupcheck.id"
 sql: authorize_group_reply_query = "SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  
FROM radgroupreply,usergroup WHERE usergroup.Username = 
'%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName 
ORDER BY radgroupreply.id"
 sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S', 
AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), 
AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = 
'%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND 
NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
 sql: accounting_update_query = "UPDATE radacct ? SET FramedIPAddress = 
'%{Framed-IP-Address}', ? AcctSessionTime = '%{Acct-Session-Time}', ? 
AcctInputOctets = '%{Acct-Input-Octets}', ? AcctOutputOctets = 
'%{Acct-Output-Octets}' ? WHERE AcctSessionId = '%{Acct-Session-Id}' ? 
AND UserName = '%{SQL-User-Name}' ? AND NASIPAddress= '%{NAS-IP-Address}'"
 sql: accounting_update_query_alt = "INSERT into radacct (AcctSessionId, 
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, 
AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, 
AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, 
ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) 
values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', 
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', 
'%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + 
%{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', 
'%{Acct-Authentic}', '', '%{Acct-Input-Octets}', 
'%{Acct-Output-Octets}', '%{Called-Station-Id}', 
'%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', 
'%{Framed-IP-Address}', '0')"
 sql: accounting_start_query = "INSERT into radacct (AcctSessionId, 
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, 
AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, 
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, 
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, 
FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) 
values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', 
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', 
'%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', 
'%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', 
'%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', 
'%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"
 sql: accounting_start_query_alt = "UPDATE radacct SET AcctStartTime = 
'%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = 
'%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND 
UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
 sql: accounting_stop_query = "UPDATE radacct SET AcctStopTime = '%S', 
AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = 
'%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', 
AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = 
'%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE 
AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' 
AND NASIPAddress = '%{NAS-IP-Address}'"
 sql: accounting_stop_query_alt = "INSERT into radacct (AcctSessionId, 
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, 
AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, 
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, 
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, 
FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) 
values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', 
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', 
'%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + 
%{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', 
'%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', 
'%{Acct-Output-Octets}', '%{Called-Station-Id}', 
'%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', 
'%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')"
 sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE 
UserName='%{SQL-User-Name}'"
 sql: connect_failure_retry_delay = 60
 sql: simul_count_query = ""
 sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, 
NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, 
FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND 
AcctStopTime = 0"
 sql: postauth_table = "radpostauth"
 sql: postauth_query = "INSERT into radpostauth (id, user, pass, reply, 
date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', 
'%{reply:Packet-Type}', NOW())"
 sql: safe-characters = 
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to root at 64.240.76.3:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = 
"/opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/opt/freeradius/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
 thread: start_servers = 5
 thread: max_servers = 32
 thread: min_spare_servers = 3
 thread: max_spare_servers = 10
 thread: max_requests_per_server = 0
 thread: cleanup_delay = 5
Thread 1 waiting to be assigned a request
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread 2 waiting to be assigned a request
Thread 3 waiting to be assigned a request
Thread spawned new child 3. Total threads in pool: 3
Thread 4 waiting to be assigned a request
Thread spawned new child 4. Total threads in pool: 4
Thread spawned new child 5. Total threads in pool: 5
Thread pool initialized
Listening on authentication *:1645
Listening on accounting *:1646
Listening on proxy *:1647
Ready to process requests.
Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 64.240.76.3:33187, id=226, 
length=73
--- Walking the entire request list ---
Waking up in 31 seconds...
Threads: total/active/spare threads = 5/0/5
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
    User-Name = "rniclh at surftheusa.com"
    User-Password = "test123"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 100
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  hints: Matched other at 80
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "attr_filter" returns noop for request 0
  modcall[authorize]: module "chap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "rniclh", skipping NULL due to config.
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 159
    users: Matched entry DEFAULT at line 178
    users: Matched entry DEFAULT at line 190
  modcall[authorize]: module "files" returns ok for request 0
radius_xlat:  'rniclh'
rlm_sql (sql): sql_set_user escaped user --> 'rniclh'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = 'rniclh' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM 
radcheck WHERE Username = 'rniclh' ORDER BY id
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'rniclh' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'rniclh' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = 'rniclh' ORDER BY id'
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM 
radreply WHERE Username = 'rniclh' ORDER BY id
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  
FROM radgroupreply,usergroup WHERE usergroup.Username = 'rniclh' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  
FROM radgroupreply,usergroup WHERE usergroup.Username = 'rniclh' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: [rniclh]: invalid password
  modcall[authenticate]: module "unix" returns reject for request 0
modcall: group authenticate returns reject for request 0
auth: Failed to validate the user.
Login incorrect: [rniclh/test123] (from client ras1 port 100)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Access-Request packet from host 64.240.76.3:33187, id=226, 
length=73
Sending Access-Reject of id 226 to 64.240.76.3:33187
    Slipstream-Auth = "false"
--- Walking the entire request list ---
Waking up in 3 seconds...




More information about the Freeradius-Users mailing list