Basic problems getting things to run

Geoff Silver geoff+freeradius at uslinux.net
Thu Feb 16 22:57:52 CET 2006


Hi Folks,

I've been tasked at my work w/ getting a radius backend working with our Cisco
3000 concentrators to do certificate auth.  We're currently running an old
version of gnu radius for our standard radius auth, but I'd like to move to
freeradius so that we can eventually use some features like the ldap backend.
In the meantime, I've just been trying to get it working, and I've been
coming up short.

Forgive me if I'm missing something incredibly obvious, but I absolutely can't
get auth to work.  ever.  For starters, here's what I see when running
'radiusd -AX':

rad_recv: Access-Request packet from host 127.0.0.1:34193, id=136, length=61
        Attr-1 = 0x6a617468616e69736d
        Attr-2 = 0xad790d5790cec60e1f908174aabe7335
        Attr-4 = 0x7f000001
        Attr-5 = 0x00000001
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
    users: Matched entry jathanism at line 121
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
auth: Failed to validate the user.
Login incorrect: [jathanism] (from client localhost port 0)
  WARNING: Unprintable characters in the password. ?  Double-check the shared
secret on the server and the NAS!
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---


That's running the following locally for testing as the client:

# echo 'User-Name= "jathanism", Password = "jathanism", NAS-IP-Address = 127.0.0.1, NAS-Port = 1' | /opt/reverb/bin/radclient -d /opt/reverb/share/dictionary -x 127.0.0.1 auth 1234test1234
Sending Access-Request of id 136 to 127.0.0.1 port 1812
        User-Name = "jathanism"
        Password = "jathanism"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=136, length=20


My user's file right now looks like:

jathanism       Auth-Type := Local
                User-Password == "jathanism"

DEFAULT         Auth-Type := Accept


Though I've tried as little as just the DEFAULT line, as well as specifying
"Accept" for a specific user.  I've also tried PAP and CHAP, none of which are
ever successful.

My clients.conf file looks like:

client 127.0.0.1 {
        secret          = 1234test1234
        shortname       = localhost
        nastype     = other     # localhost isn't usually a NAS...
}


And what I suspect are the most important parts of my radiusd.conf look like:

authorize {
        preprocess
        files
        chap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
}

I had tried adding an 'Auth-Type Accept' or 'Auth-Type Local' line, but
couldn't get them to work either.

The thing that worries me most is the "auth: No authenticate method
(Auth-Type) configuration found for the request: Rejecting the user" error
thrown by radiusd - no matter what I've tried to do to the radiusd.conf or
users files, it ALWAYS says that.  The "WARNING: Unprintable characters in the
password. ?  Double-check the shared secret on the server and the NAS!" also
frightens me, though I wonder if that's related (the secret is definitely
right, because if I change it, radclient tells me the secret is wrong).

I'm completely at a loss right now.  I've looked at auth.c and some of the
other code, and it seems to me that auth_type just isn't ever getting populated.

Incidentally, the comments in the users file indicate stuff like:

bob	Auth-Type := Local, User-Password == "bobpass"

should work, but radiusd won't start unless it looks like:

bob	Auth-Type := Local
	User-Password == "bobpass"

I can't tell if that's a documentation problem, or a bug, or indicative of
some larger issue, but I thought I'd mention it.

FWIW, I've tried both freeradius 1.0.5 and 1.1.0.  They were built on Red Hat
EL 3.0 Advanced Server with the stock Red Hat build tools.

Thanks for any help anyone can provide.  I hate to go back to gnu radius, but
I've got to get this working by next Friday or else I won't have much of a
choice.  If anyone willing to assist would like any additional
info/configs/strace output/etc, just ask and I'd be happy to provide them.
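
Added example, not part of the original post and not FreeRADIUS code: a Python sketch of the RFC 2865 User-Password hiding (attribute type 2, shown as Attr-2 in the debug output) that illustrates how a shared-secret mismatch makes the recovered password unprintable, the condition the WARNING line describes. The request authenticator is constructed, since the post does not show the real one; the helper names are hypothetical.

```python
import hashlib
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side (RFC 2865 5.2): zero-pad to 16-byte blocks, XOR with MD5 keystream."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # Each block's keystream is MD5(secret + previous ciphertext block).
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: rebuild the same keystream from its own copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def is_printable(value: bytes) -> bool:
    return all(0x20 <= b < 0x7F for b in value)


def decode_plain(attr: int, hex_value: str) -> str:
    """Decode the unhidden attributes the debug log prints as Attr-1/4/5."""
    raw = bytes.fromhex(hex_value)
    if attr == 4:                      # NAS-IP-Address: 4-byte IPv4 address
        return ".".join(str(b) for b in raw)
    if attr == 5:                      # NAS-Port: 32-bit big-endian integer
        return str(struct.unpack("!I", raw)[0])
    return raw.decode("ascii")         # User-Name: plain text


if __name__ == "__main__":
    auth = bytes(range(16))            # constructed; the post does not show the real one
    hidden = hide_password(b"jathanism", b"1234test1234", auth)
    for secret in (b"1234test1234", b"not-the-secret"):
        pw = recover_password(hidden, secret, auth)
        print(secret.decode(), pw, "printable" if is_printable(pw) else "unprintable")
```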


