Server logs say users authenticate, but they don't (Now with more details!)
Ernie Dunbar
maillist at lightspeed.ca
Sat Nov 4 00:44:56 CET 2006
No, it's not multihomed, but on a lark I tried setting bind_address anyway (the
machine has two network cards, though only one is in use). It still doesn't work.
> Is the server multihomed ?
> It often happens that the server will receive a request on one IP address
> and send out a reply using a different address on a multihomed system.
>
> If your system has multiple IP addresses, you can set "bind_address" to the
> one you want to use.
>
> Cheers
> Paul
>
>
> -----Original Message-----
> From:
> freeradius-users-bounces+paul.khavkine=distributel.ca at lists.freeradius.org
> on behalf of Ernie Dunbar
> Sent: Fri 11/3/2006 2:02 PM
> To: freeradius-users at lists.freeradius.org
> Subject: Server logs say users authenticate, but they don't (Now with more
> details!)
>
> This isn't a duplicate, I've just included more information about our
> configuration.
>
> We have a Cisco AS5300 for our dialup pool. It is configured as a client of
> our new FreeRadius server and the server is receiving and processing its
> authentication requests, but users are still not able to connect.
>
> It's very strange, because FreeRadius produces logs like this:
>
> Thu Nov 2 11:06:24 2006 : Auth: Login OK: [XXXXXX/XXXXXX] (from client
> dialup port 8)
>
> But the client gets "Error 691: Your username or password are incorrect".
>
> I can tell that the server itself is accepting the credentials (a "Login OK"
> line means FreeRadius built an Access-Accept for that request; it says
> nothing about whether the AS5300 actually received and honoured that reply,
> which is worth confirming with radiusd -X and the NAS's own debug output),
> because when a user gets their password wrong, I see this instead:
>
> Thu Nov 2 11:02:20 2006 : Auth: Login incorrect: [user1/somepass] (from
> client dialup port 13)
> Thu Nov 2 11:02:20 2006 : Auth: Login incorrect: [user1/somepass] (from
> client dialup port 13)
>
> (Note that the rejected password itself, "somepass" here, is written to the
> log in cleartext; that comes from log_auth_badpass = yes in the config below.)
>
> We're using FreeRadius' mysql support for authentication, and I'm
> absolutely positive that part is working fine. It even creates accounting
> data in the database.
>
> This is what we have in the users file:
>
> DEFAULT Framed-Protocol == PPP, Simultaneous-Use == 1
> Framed-Protocol = PPP,
> Framed-Compression = Van-Jacobson-TCP-IP
>
> and this is what radiusd.conf looks like without the comments:
>
> prefix = /usr
> exec_prefix = /usr
> sysconfdir = /etc
> localstatedir = /var
> sbindir = ${exec_prefix}/sbin
> logdir = /var/log/freeradius
> raddbdir = /etc/freeradius
> radacctdir = ${logdir}/radacct
> confdir = ${raddbdir}
> run_dir = ${localstatedir}/run/freeradius
> log_file = ${logdir}/radius.log
> libdir = /usr/lib/freeradius
> pidfile = ${run_dir}/freeradius.pid
>
> user = freerad
> group = freerad
>
> max_request_time = 30
> delete_blocked_requests = no
> cleanup_delay = 5
> max_requests = 256
> bind_address = *
> port = 0
>
> hostname_lookups = no
> allow_core_dumps = no
>
> regular_expressions = yes
> extended_expressions = yes
>
> log_stripped_names = yes
> log_auth = yes
> # NOTE(review): the next two settings write the submitted password in
> # cleartext to ${log_file} for every failed and every successful login
> # (that is why "somepass" shows up in the Login incorrect lines above).
> # Leave them on only while debugging, and protect/rotate the log meanwhile.
> log_auth_badpass = yes
> log_auth_goodpass = yes
>
> usercollide = no
>
> lower_user = no
> lower_pass = no
>
> nospace_user = after
> nospace_pass = after
>
> checkrad = ${sbindir}/checkrad
>
> security {
> max_attributes = 200
> reject_delay = 1
> status_server = no
> }
>
> proxy_requests = off
> $INCLUDE ${confdir}/proxy.conf
>
> # proxy.conf has:
> # realm LOCAL {
> # type = radius
> # authhost = LOCAL
> # accthost = LOCAL
> #}
>
> $INCLUDE ${confdir}/clients.conf
>
> # clients.conf has:
> # client XXX.XXX.XXX.XXX {
> # secret = XXXXXX
> # nastype = cisco
> # shortname = dialup
> #}
>
> $INCLUDE ${confdir}/snmp.conf
>
> # snmp.conf has nothing.
>
> snmp = no
>
> thread pool {
> start_servers = 5
> max_servers = 32
> min_spare_servers = 3
> max_spare_servers = 10
> max_requests_per_server = 0
> }
>
> modules {
> pap {
> encryption_scheme = crypt
> }
>
> chap {
> authtype = CHAP
> }
>
> pam {
> pam_auth = radiusd
> }
>
> unix {
> cache = no
> cache_reload = 600
> shadow = /etc/shadow
> radwtmp = ${logdir}/radwtmp
> }
>
> $INCLUDE ${confdir}/eap.conf
>
> # eap.conf has:
> # eap {
> # default_eap_type = md5
> # timer_expire = 60
> # ignore_unknown_eap_types = no
> # cisco_accounting_username_bug = no
> #
> # md5 {
> # }
> #
> # leap {
> # }
> #
> # gtc {
> # auth_type = PAP
> # }
> #
> # mschapv2 {
> # }
> # }
>
> mschap {
> authtype = MS-CHAP
> }
>
> realm suffix {
> format = suffix
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
>
> checkval {
> item-name = Calling-Station-Id
> check-name = Calling-Station-Id
> data-type = string
> }
>
> preprocess {
> huntgroups = ${confdir}/huntgroups
> hints = ${confdir}/hints
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> }
>
> files {
> usersfile = ${confdir}/users
> acctusersfile = ${confdir}/acct_users
> compat = no
> }
>
> detail {
> detailfile =
> ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
> detailperm = 0600
> }
>
> acct_unique {
> key = "User-Name, Acct-Session-Id, NAS-IP-Address,
> Client-IP-Address, NAS-Port"
> }
>
> $INCLUDE ${confdir}/sql.conf
>
> # sql.conf has:
> #
> #sql {
> #
> # driver = "rlm_sql_mysql"
> # server = "localhost"
> # login = "XXXXXX"
> # radius_db = "XXXXXX"
> # password = "XXXXXX"
> # acct_table1 = "radacct"
> # acct_table2 = "radacct"
> # postauth_table = "radpostauth"
> # authcheck_table = "radcheck"
> # authreply_table = "radreply"
> # groupcheck_table = "radgroupcheck"
> # groupreply_table = "radgroupreply"
> # usergroup_table = "usergroup"
> # deletestalesessions = yes
> # sqltrace = yes
> # sqltracefile = /var/log/freeradius/sqltrace.sql
> # # NOTE(review): with sqltrace on, every query is logged verbatim to this
> # # file, including the postauth_query below that carries the user's
> # # password. Turn it off once the problem is found, or at least make sure
> # # the trace file is not readable by other users.
> # num_sql_socks = 5
> # connect_failure_retry_delay = 60
> # safe-characters =
> "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
> # sql_user_name = "%{User-Name}"
> #
> # authorize_check_query = "SELECT id,UserName,Attribute,Value,op
> FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
> # authorize_reply_query = "SELECT id,UserName,Attribute,Value,op
> FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
> # authorize_group_check_query = "SELECT
> ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op
> FROM ${groupcheck_table},${usergroup_table} WHERE
> ${usergroup_table}.Username = '%{SQL-User-Name}' AND
> ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY
> ${groupcheck_table}.id"
> # authorize_group_reply_query = "SELECT
> ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op
> FROM ${groupreply_table},${usergroup_table} WHERE
> ${usergroup_table}.Username = '%{SQL-User-Name}' AND
> ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY
> ${groupreply_table}.id"
> # accounting_onoff_query = "UPDATE ${acct_table1} SET
> AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') -
> unix_timestamp(AcctStartTime),
> AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay =
> '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND
> NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
> #
> # accounting_update_query = "UPDATE ${acct_table1} \
> # SET FramedIPAddress = '%{Framed-IP-Address}', \
> # AcctSessionTime = '%{Acct-Session-Time}', \
> # AcctInputOctets = '%{Acct-Input-Octets}', \
> # AcctOutputOctets = '%{Acct-Output-Octets}' \
> # WHERE AcctSessionId = '%{Acct-Session-Id}' \
> # AND UserName = '%{SQL-User-Name}' \
> # AND NASIPAddress= '%{NAS-IP-Address}'"
> #
> # accounting_update_query_alt = "INSERT into ${acct_table1}
> (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,
> NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic,
> ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId,
> CallingStationId, ServiceType, FramedProtocol, FramedIPAddress,
> AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
> '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
> '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} +
> %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}',
> '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}',
> '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}',
> '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')"
> # accounting_start_query = "INSERT into ${acct_table1}
> (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,
> NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
> ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
> CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
> FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)
> values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
> '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
> '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}',
> '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}',
> '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}',
> '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"
> # accounting_start_query_alt = "UPDATE ${acct_table1} SET
> AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}',
> ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId =
> '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress =
> '%{NAS-IP-Address}'"
> # accounting_stop_query = "UPDATE ${acct_table2} SET AcctStopTime =
> '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets =
> '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}',
> AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay =
> '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE
> AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND
> NASIPAddress = '%{NAS-IP-Address}'"
> # accounting_stop_query_alt = "INSERT into ${acct_table2}
> (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,
> NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
> ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
> CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
> FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)
> values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
> '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
> '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} +
> %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}',
> '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}',
> '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}',
> '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}',
> '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')"
> # simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE
> UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
> # simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName,
> NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol
> FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime =
> 0"
> # group_membership_query = "SELECT GroupName FROM
> ${usergroup_table} WHERE UserName='%{SQL-User-Name}'"
> # postauth_query = "INSERT into ${postauth_table} (id, user, pass,
> reply, date) values ('', '%{User-Name}',
> '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"
> # # NOTE(review): this stores the cleartext PAP password (or the CHAP
> # # response) for every authentication attempt in ${postauth_table}. If the
> # # 'pass' column is not actually used, insert a fixed placeholder such as
> # # '' there instead of the credential.
> #
> #}
>
> radutmp {
> filename = ${logdir}/radutmp
> username = %{User-Name}
> case_sensitive = yes
> check_with_nas = yes
> perm = 0600
> callerid = "yes"
> }
>
> radutmp sradutmp {
> filename = ${logdir}/sradutmp
> perm = 0644
> callerid = "no"
> }
>
> attr_filter {
> attrsfile = ${confdir}/attrs
> }
>
> counter daily {
> filename = ${raddbdir}/db.daily
> key = User-Name
> count-attribute = Acct-Session-Time
> reset = daily
> counter-name = Daily-Session-Time
> check-name = Max-Daily-Session
> allowed-servicetype = Framed-User
> cache-size = 5000
> }
>
> always fail {
> rcode = fail
> }
>
> always reject {
> rcode = reject
> }
>
> always ok {
> rcode = ok
> simulcount = 0
> mpp = no
> }
>
> expr {
> }
>
> digest {
> }
>
> exec {
> wait = yes
> input_pairs = request
> }
>
> exec echo {
> wait = yes
> program = "/bin/echo %{User-Name}"
> input_pairs = request
> output_pairs = reply
> }
>
> ippool main_pool {
> range-start = 192.168.1.1
> range-stop = 192.168.3.254
> netmask = 255.255.255.0
> cache-size = 800
> session-db = ${raddbdir}/db.ippool
> ip-index = ${raddbdir}/db.ipindex
> override = no
> maximum-timeout = 0
> }
> }
>
> instantiate {
> exec
> expr
> }
>
> authorize {
> preprocess
> sql
> # NOTE(review): 'files' is not listed here, so the DEFAULT entry in the
> # users file shown above (including its Simultaneous-Use == 1 check) is
> # never consulted; add 'files' to this section if that entry is meant to
> # apply.
> }
>
>
>
> authenticate {
> Auth-Type PAP {
> pap
> }
>
> Auth-Type CHAP {
> chap
> }
>
> Auth-Type MS-CHAP {
> mschap
> }
> }
>
>
> preacct {
> preprocess
> suffix
> }
>
> accounting {
> detail
> radutmp
> sql
> }
>
> session {
> sql
> }
>
> post-auth {
> }
>
> pre-proxy {
> }
>
> post-proxy {
> eap
> }
>
> ## END OF CONFIG ##
>
> If you've actually gotten this far, I salute you. :)
>