[Auth Problem] FreeRADIUS with GnuGK and ATA

ByoungJu Jeon happian at hotmail.com
Thu Jan 12 09:15:57 CET 2006


Hi,

I am now in using FreeRADIUS 1.0.5  with ATA 188 v3.1.2 and GunGK 2.2.2_4 on 
FreeBSD 6.0.
When GnuGK send Access Request for ATA, RADIUS reject it.

You can check the log from FreeRADIUS as below.

When authorization, RADIUS set Auth-Type as CHAP. (In the log, you can see 
"rlm_chap: Setting 'Auth-Type := CHAP'".) But when authentication, RADIUS 
set Auth-Type as Reject. (In the log, you can see "rad_check_password:  
Found Auth-Type Reject".) I don't know why Auth-Type is changed.

Could you tell me what I am wrong in configuration?

Thanks in advance.
Bye.

BJ.

=========================== The log from FreeRADIUS 
===========================
rad_recv: Access-Request packet from host 152.102.50.225:64821, id=117, 
length=145
        User-Name = "happian"
        CHAP-Password = 0x04b3d9e7363592e0e15a4fc9c7ec90e627
        CHAP-Challenge = 0x43c44e1a
        NAS-IP-Address = 152.102.50.225
        NAS-Identifier = "Gatekeeper"
        NAS-Port-Type = Virtual
        Service-Type = Login-User
        Framed-IP-Address = 152.102.50.223
        Cisco-AVPair = "h323-ivr-out=terminal-alias:happian,0175722139;"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
radius_xlat:  '/var/log/radius/radacct//auth-detail-20060111'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/radius/radacct//auth-detail-20060111
  modcall[authorize]: module "auth_log" returns ok for request 5
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 5
radius_xlat:  'happian'
rlm_sql (sql): sql_set_user escaped user --> 'happian'
radius_xlat:  'SELECT id, 'happian', attrname, attrvalue, attrop FROM 
??radius_get_check_attrs('happian', NULLIF('152.102.50.223', '
')::INET, ???CASE ????WHEN '' = '' THEN TRUE ????ELSE FALSE ???END, ???CASE 
WHEN 'Login-User' = 'Call-Check' THEN TRUE ELSE FALSE EN D, ???'', 
NULLIF('',''), 
???parse_avpair('h323-ivr-out=3Dterminal-alias:happian=2C0175722139=3B', 
'h323-ivr-out', 'terminal-alias') ???)'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_postgresql: query: SELECT id, 'happian', attrname, attrvalue, attrop 
FROM ??radius_get_check_attrs('happian', NULLIF('152.10 2.50.223', 
'')::INET, ???CASE ????WHEN '' = '' THEN TRUE ????ELSE FALSE ???END, ???CASE 
WHEN 'Login-User' = 'Call-Check' THEN TRUE E LSE FALSE END, ???'', 
NULLIF('',''), 
???parse_avpair('h323-ivr-out=3Dterminal-alias:happian=2C0175722139=3B', 
'h323-ivr-out', 'termi
nal-alias') ???)
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  ''
radius_xlat:  'SELECT id, 'happian', attrname, attrvalue, attrop FROM 
??radius_get_reply_attrs('happian', NULLIF('152.102.50.223', '
')::INET, ???CASE ????WHEN '' = '' THEN TRUE ????ELSE FALSE ???END, ???CASE 
WHEN 'Login-User' = 'Call-Check' THEN TRUE ELSE FALSE EN D, ???'', 
NULLIF('',''), 
???parse_avpair('h323-ivr-out=3Dterminal-alias:happian=2C0175722139=3B', 
'h323-ivr-out', 'terminal-alias') ???)'
rlm_sql_postgresql: query: SELECT id, 'happian', attrname, attrvalue, attrop 
FROM ??radius_get_reply_attrs('happian', NULLIF('152.10 2.50.223', 
'')::INET, ???CASE ????WHEN '' = '' THEN TRUE ????ELSE FALSE ???END, ???CASE 
WHEN 'Login-User' = 'Call-Check' THEN TRUE E LSE FALSE END, ???'', 
NULLIF('',''), 
???parse_avpair('h323-ivr-out=3Dterminal-alias:happian=2C0175722139=3B', 
'h323-ivr-out', 'termi
nal-alias') ???)
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  ''
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 5
modcall: group authorize returns ok for request 5
  rad_check_password:  Found Auth-Type Reject
  rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect: [happian/<CHAP-Password>] (from client Gatekeeper port 0) 
Sending Access-Reject of id 117 to 152.102.50.225:64821 Finished request 5 
======================================================================

=========================== radiusd.conf =========================== prefix 
= /usr/local exec_prefix = ${prefix} sysconfdir = ${prefix}/etc 
localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = 
${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = 
${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/ 
log_file = ${logdir}/radius.log libdir = ${exec_prefix}/lib pidfile = 
${run_dir}/radiusd.pid max_request_time = 30 delete_blocked_requests = no 
cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 
hostname_lookups = no allow_core_dumps = no
regular_expressions	= yes
extended_expressions	= yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

security {
	max_attributes = 200
	reject_delay = 0
	status_server = no
}

proxy_requests  = no

$INCLUDE  ${confdir}/clients.conf

snmp	= no

thread pool {
	start_servers = 2
	max_servers = 5
	min_spare_servers = 1
	max_spare_servers = 2
	max_requests_per_server = 0
}

modules {
	chap {
		authtype = CHAP
	}

	preprocess {
		with_ascend_hack = no
		ascend_channels_per_line = 23
		with_ntdomain_hack = no
		with_specialix_jetstream_hack = no
		with_cisco_vsa_hack = yes
	}

	detail {
		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
		detailperm = 0600
	}

	detail auth_log {
		detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
		detailperm = 0600
	}

	detail reply_log {
		detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
		detailperm = 0600
	}

	acct_unique {
		key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, 
NAS-Port-Id"
	}

	$INCLUDE  ${confdir}/postgresql.conf

	radutmp {
		filename = ${logdir}/radutmp
		username = %{User-Name}
		case_sensitive = yes
		check_with_nas = yes
		perm = 0600
		callerid = "yes"
	}

	radutmp sradutmp {
		filename = ${logdir}/sradutmp
		perm = 0644
		callerid = "no"
	}

	expr {
	}

	digest {
	}

	exec {
		wait = yes
		input_pairs = request
	}

	exec echo {
		wait = yes
		program = "/bin/echo %{User-Name}"
		input_pairs = request
		output_pairs = reply
	}

	ippool main_pool {
		range-start = 192.168.1.1
		range-stop = 192.168.3.254
		netmask = 255.255.255.0
		cache-size = 800
		session-db = ${raddbdir}/db.ippool
		ip-index = ${raddbdir}/db.ipindex
		override = no
	}
}

instantiate {
	expr
}

authorize {
	preprocess
	auth_log
	chap
	sql
}

authenticate {
	Auth-Type CHAP {
		chap
	}
}

preacct {
}

accounting {
	acct_unique
	sql
}

session {
}

post-auth {
	reply_log
}

pre-proxy {
}

post-proxy {
}
=====================================================================





More information about the Freeradius-Users mailing list