[Auth Problem] FreeRADIUS with GnuGK and ATA
ByoungJu Jeon
happian at hotmail.com
Wed Jan 11 14:41:09 CET 2006
Hi,
I am now using FreeRADIUS 1.0.5 with ATA 188 v3.1.2 and GnuGK 2.2.2_4 on
FreeBSD 6.0.
When GnuGK sends an Access-Request for the ATA, RADIUS rejects it.
You can check the log from FreeRADIUS as below.
During authorization, RADIUS sets Auth-Type to CHAP. (In the log, you can see
"rlm_chap: Setting 'Auth-Type := CHAP'".) But during authentication, RADIUS
sets Auth-Type to Reject. (In the log, you can see "rad_check_password:
Found Auth-Type Reject".) I don't know why Auth-Type is changed.
Could you tell me what is wrong in my configuration?
Thanks in advance.
Bye.
BJ.
=========================== The log from FreeRADIUS
===========================
rad_recv: Access-Request packet from host 152.102.50.225:64821, id=117,
length=145
User-Name = "happian"
CHAP-Password = 0x04b3d9e7363592e0e15a4fc9c7ec90e627
CHAP-Challenge = 0x43c44e1a
NAS-IP-Address = 152.102.50.225
NAS-Identifier = "Gatekeeper"
NAS-Port-Type = Virtual
Service-Type = Login-User
Framed-IP-Address = 152.102.50.223
Cisco-AVPair = "h323-ivr-out=terminal-alias:happian,0175722139;"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
radius_xlat: '/var/log/radius/radacct//auth-detail-20060111'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct//auth-detail-20060111
modcall[authorize]: module "auth_log" returns ok for request 5
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module "chap" returns ok for request 5
radius_xlat: 'happian'
rlm_sql (sql): sql_set_user escaped user --> 'happian'
radius_xlat: 'SELECT id, 'happian', attrname, attrvalue, attrop FROM
??radius_get_check_attrs('happian', NULLIF('152.102.50.223', '
')::INET, ???CASE ????WHEN '' = '' THEN TRUE ????ELSE FALSE ???END, ???CASE
WHEN 'Login-User' = 'Call-Check' THEN TRUE ELSE FALSE EN D, ???'',
NULLIF('',''),
???parse_avpair('h323-ivr-out=3Dterminal-alias:happian=2C0175722139=3B',
'h323-ivr-out', 'terminal-alias') ???)'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_postgresql: query: SELECT id, 'happian', attrname, attrvalue, attrop
FROM ??radius_get_check_attrs('happian', NULLIF('152.10 2.50.223',
'')::INET, ???CASE ????WHEN '' = '' THEN TRUE ????ELSE FALSE ???END, ???CASE
WHEN 'Login-User' = 'Call-Check' THEN TRUE E LSE FALSE END, ???'',
NULLIF('',''),
???parse_avpair('h323-ivr-out=3Dterminal-alias:happian=2C0175722139=3B',
'h323-ivr-out', 'termi
nal-alias') ???)
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat: ''
radius_xlat: 'SELECT id, 'happian', attrname, attrvalue, attrop FROM
??radius_get_reply_attrs('happian', NULLIF('152.102.50.223', '
')::INET, ???CASE ????WHEN '' = '' THEN TRUE ????ELSE FALSE ???END, ???CASE
WHEN 'Login-User' = 'Call-Check' THEN TRUE ELSE FALSE EN D, ???'',
NULLIF('',''),
???parse_avpair('h323-ivr-out=3Dterminal-alias:happian=2C0175722139=3B',
'h323-ivr-out', 'terminal-alias') ???)'
rlm_sql_postgresql: query: SELECT id, 'happian', attrname, attrvalue, attrop
FROM ??radius_get_reply_attrs('happian', NULLIF('152.10 2.50.223',
'')::INET, ???CASE ????WHEN '' = '' THEN TRUE ????ELSE FALSE ???END, ???CASE
WHEN 'Login-User' = 'Call-Check' THEN TRUE E LSE FALSE END, ???'',
NULLIF('',''),
???parse_avpair('h323-ivr-out=3Dterminal-alias:happian=2C0175722139=3B',
'h323-ivr-out', 'termi
nal-alias') ???)
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat: ''
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 5
modcall: group authorize returns ok for request 5
rad_check_password: Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect: [happian/<CHAP-Password>] (from client Gatekeeper port 0)
Sending Access-Reject of id 117 to 152.102.50.225:64821 Finished request 5
======================================================================
=========================== radiusd.conf =========================== prefix
= /usr/local exec_prefix = ${prefix} sysconfdir = ${prefix}/etc
localstatedir = /var sbindir = ${exec_prefix}/sbin logdir =
${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir =
${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/
log_file = ${logdir}/radius.log libdir = ${exec_prefix}/lib pidfile =
${run_dir}/radiusd.pid max_request_time = 30 delete_blocked_requests = no
cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0
hostname_lookups = no allow_core_dumps = no
# Global server options, the security limits, the client list include and the
# thread pool. Values are exactly as posted.
regular_expressions = yes
extended_expressions = yes
log_stripped_names = yes
# Authentication logging: log_auth records every attempt, and the two
# *pass switches add the supplied password to that log line.
# NOTE(review): with log_auth_goodpass = yes a valid PAP password would be
# written to radius.log in clear text. The CHAP request in this post is logged
# as "<CHAP-Password>" instead. Once debugging is done, consider turning both
# switches off and keeping the log directory readable by the radiusd user only.
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
# User-Name and User-Password are used as received: no case folding and no
# whitespace stripping.
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
# Upper bound on the number of attributes accepted in one request.
max_attributes = 200
# Seconds to hold an Access-Reject before sending it. 0 answers immediately;
# a small non-zero delay slows down password guessing against the server.
reject_delay = 0
# Status-Server requests are not answered.
status_server = no
}
proxy_requests = no
# clients.conf is not shown in the post. It lists the NAS clients and their
# shared secrets, so it should not be world-readable.
$INCLUDE ${confdir}/clients.conf
snmp = no
thread pool {
start_servers = 2
max_servers = 5
min_spare_servers = 1
max_spare_servers = 2
# 0 means a worker thread is never recycled after a fixed number of requests.
max_requests_per_server = 0
}
# Module instances. Only the instances named in the processing sections
# (authorize, authenticate, accounting, post-auth, ...) are actually run.
modules {
# CHAP handler. In the posted log this is the module that prints
# "Setting 'Auth-Type := CHAP'" during authorize.
chap {
authtype = CHAP
}
preprocess {
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
# Enabled for Cisco-style "name=value" vendor attributes; the request in the
# posted log carries a Cisco-AVPair in that form.
with_cisco_vsa_hack = yes
}
# Detail writers. detailperm = 0600 keeps the files readable and writable by the
# owning user only.
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
# NOTE(review): in the posted log %{Client-IP-Address} expands to an empty
# string for this instance (the path becomes ".../radacct//auth-detail-20060111"),
# so auth details from every client land in one file. Confirm whether that
# attribute is available at this point in FreeRADIUS 1.0.5.
detail auth_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
detailperm = 0600
}
detail reply_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port-Id"
}
# postgresql.conf is not shown in the post. Presumably it defines the "sql"
# instance used below, including the database credentials and the
# radius_get_check_attrs / radius_get_reply_attrs queries seen in the log, so
# keep it readable by the radiusd user only.
$INCLUDE ${confdir}/postgresql.conf
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
# Second session file: world-readable (0644), and written without caller id.
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
# NOTE(review): this instance expands the client-supplied User-Name into a
# command line. It is not referenced by any processing section in this file;
# if it is unused, consider removing it. If it is kept, confirm how rlm_exec
# quotes expanded attributes in this version.
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
}
}
# Processing sections: which module instances run at each stage of a request.
instantiate {
expr
}
# Modules run in the order listed. In the posted log, chap sets
# 'Auth-Type := CHAP', then sql returns ok, and straight afterwards
# rad_check_password reports "Found Auth-Type Reject".
# NOTE(review): sql is the only module that runs after chap here, so the Reject
# most likely comes from a check item returned by radius_get_check_attrs().
# That query lives in postgresql.conf, which is not shown. Confirm by running
# the logged query by hand for this user and looking for an Auth-Type row.
authorize {
preprocess
auth_log
chap
sql
}
# Only Auth-Type CHAP has a handler here. An Auth-Type of Reject never reaches
# this section: the log shows rad_check_password rejecting the user directly.
authenticate {
Auth-Type CHAP {
chap
}
}
preacct {
}
accounting {
acct_unique
sql
}
session {
}
post-auth {
reply_log
}
pre-proxy {
}
post-proxy {
}
=====================================================================