FreeRadius out of the box....

Tony Spencer tony at games-master.co.uk
Wed Apr 5 10:07:10 CEST 2006


Because of the issues I've been having with authentication with Freeradius I
started from scratch and used RPM to remove Freeradius and then re-installed
the latest version.

I needed to be able to accept both PAP and CHAP authentication, however I
couldn't get it to do both and had to by default to get it to auth everyone
no matter what the password should be. But I don't see this as ideal.

Since I took over the radius server from someone else I'm guessing it had
been changed by the previous person to the extent where only a re-install
would solve the problem.

 

I read that out of the box Freeradius would accept both PAP and CHAP
authentication as long as the password was in clear text and I used
"Password ==".

So I re-installed Freeradius version freeradius-1.0.1-3.RHEL4.3 and converted
all the entries from Auth-Type := Accept to "Password == <password>" where
<password> was the user's password.

 

On testing I found users still couldn't authenticate by PAP or CHAP. I ran
"radiusd -X" and from what I could see it's because of the Default setting:

 

 

DEFAULT Auth-Type = System
        Fall-Through = 1

 

The NAS is a Cisco 7204VXR and the line for the authentication is:

 

ppp authentication pap chap callin

 

Here is the debug from radius

 

 

################
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.3:1645, id=142, length=95
        Framed-Protocol = PPP
        User-Name = "user1 at bb.adslco.com"
        User-Password = "deabercyap"
        NAS-Port-Type = Virtual
        NAS-Port = 1074
        Service-Type = Framed-User
        NAS-IP-Address = 10.0.0.3
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: Looking up realm "bb.adslco.com" for User-Name = "user1 at bb.adslco.com"
    rlm_realm: No such realm "bb.adslco.com"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched DEFAULT at 152
    users: Matched DEFAULT at 171
    users: Matched DEFAULT at 183
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns notfound for request 0
modcall: group authenticate returns notfound for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 142 to 10.0.0.3:1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 142 with timestamp 443377fc
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.0.0.3:1645, id=143, length=95
        Framed-Protocol = PPP
        User-Name = "user1 at bb.adslco.com"
        User-Password = ""
        NAS-Port-Type = Virtual
        NAS-Port = 643
        Service-Type = Framed-User
        NAS-IP-Address = 10.0.0.3
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: Looking up realm "bb.adslco.com" for User-Name = "user1 at bb.adslco.com"
    rlm_realm: No such realm "bb.adslco.com"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
    users: Matched DEFAULT at 152
    users: Matched DEFAULT at 171
    users: Matched DEFAULT at 183
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  modcall[authenticate]: module "unix" returns notfound for request 1
modcall: group authenticate returns notfound for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 143 to 10.0.0.3:1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 143 with timestamp 44337809
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.0.0.3:1645, id=144, length=95
        Framed-Protocol = PPP
        User-Name = "user2 at bb.adslco.com"
        User-Password = ""
        NAS-Port-Type = Virtual
        NAS-Port = 1154
        Service-Type = Framed-User
        NAS-IP-Address = 10.0.0.3
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: Looking up realm "bb.adslco.com" for User-Name = "user2 at bb.adslco.com"
    rlm_realm: No such realm "bb.adslco.com"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 2
    users: Matched DEFAULT at 152
    users: Matched DEFAULT at 171
    users: Matched DEFAULT at 183
  modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns ok for request 2
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  modcall[authenticate]: module "unix" returns notfound for request 2
modcall: group authenticate returns notfound for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 144 to 10.0.0.3:1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 144 with timestamp 44337821
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.0.0.3:1645, id=145, length=95
        Framed-Protocol = PPP
        User-Name = "user2 at bb.adslco.com"
        User-Password = "wewyam"
        NAS-Port-Type = Virtual
        NAS-Port = 108
        Service-Type = Framed-User
        NAS-IP-Address = 10.0.0.3
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
    rlm_realm: Looking up realm "bb.adslco.com" for User-Name = "user2 at bb.adslco.com"
    rlm_realm: No such realm "bb.adslco.com"
  modcall[authorize]: module "suffix" returns noop for request 3
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 3
    users: Matched DEFAULT at 152
    users: Matched DEFAULT at 171
    users: Matched DEFAULT at 183
  modcall[authorize]: module "files" returns ok for request 3
modcall: group authorize returns ok for request 3
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  modcall[authenticate]: module "unix" returns notfound for request 3
modcall: group authenticate returns notfound for request 3
auth: Failed to validate the user.
Delaying request 3 for 1 seconds
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 145 to 10.0.0.3:1645
Waking up in 4 seconds...
#######################

 

What do I need to change to get Freeradius to accept both PAP and CHAP
authentication?

 

Thanks

Tony
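
An added example, not part of the original post: a small Python parser that summarises "radiusd -X" output per request, so the pattern visible in the debug above (only DEFAULT entries matched in the users file, Auth-Type System selected, "unix" returning notfound, Access-Reject sent) can be checked across many requests at once. The sample log is constructed and shortened from the format shown in the post, and the names parse_debug and only_default_matched are hypothetical.

```python
import re

# Constructed sample, modelled on the radiusd -X output format in the post.
SAMPLE = '''\
rad_recv: Access-Request packet from host 10.0.0.3:1645, id=142, length=95
        User-Name = "user1@example.test"
        User-Password = "constructed-secret"
  modcall[authorize]: module "chap" returns noop for request 0
    users: Matched DEFAULT at 152
    users: Matched DEFAULT at 171
  modcall[authorize]: module "files" returns ok for request 0
  rad_check_password:  Found Auth-Type System
  modcall[authenticate]: module "unix" returns notfound for request 0
auth: Failed to validate the user.
Sending Access-Reject of id 142 to 10.0.0.3:1645
'''

def parse_debug(text):
    """Split radiusd -X output into one summary dict per Access-Request."""
    requests, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r'rad_recv: Access-Request .* id=(\d+)', line):
            cur = {"id": int(m[1]), "user": None, "method": None, "matched": [],
                   "auth_type": None, "authenticate": {}, "reply": None}
            requests.append(cur)
        elif cur is None:
            continue  # ignore start-up chatter before the first request
        elif m := re.match(r'User-Name = "(.*)"', line):
            cur["user"] = m[1]
        elif m := re.match(r'(User-Password|CHAP-Password) = ', line):
            cur["method"] = "PAP" if m[1] == "User-Password" else "CHAP"
        elif m := re.match(r'users: Matched (\S+) at (\d+)', line):
            cur["matched"].append((m[1], int(m[2])))
        elif m := re.search(r'Found Auth-Type (\S+)', line):
            cur["auth_type"] = m[1]
        elif m := re.match(r'modcall\[authenticate\]: module "(\w+)" returns (\w+)', line):
            cur["authenticate"][m[1]] = m[2]
        elif m := re.match(r'Sending (Access-\w+) of id (\d+)', line):
            for r in reversed(requests):  # reply may arrive after later requests
                if r["id"] == int(m[2]):
                    r["reply"] = m[1]
                    break
    return requests

def only_default_matched(req):
    """True when no per-user entry in the users file matched the request."""
    return bool(req["matched"]) and all(n == "DEFAULT" for n, _ in req["matched"])
```
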

