Problem in authentication with EAP-MD5

tnt at kalik.co.yu tnt at kalik.co.yu
Thu May 31 14:33:26 CEST 2007


The server is giving Access-Accept because you have the correct user and
correct password. But for the connection to work you need more parameters.

Ivan Kalik
Kalik Informatika ISP


On 31/5/2007, "shantanu choudhary" <shantanu_843 at yahoo.co.in> wrote:

>This is the user file. I don't think there is any spelling mistake, or else why is the server giving Access-Accept? Is it a problem with the AP?
>
>
>#    Please read the documentation file ../doc/processing_users_file,
>#    or 'man 5 users' (after installing the server) for more information.
>#
>#    As of 1.1.4, you SHOULD NOT use Auth-Type.  See "man rlm_pap"
>#    for a much better way of dealing with differing passwords.
>#    If you set Auth-Type, SOME AUTHENTICATION METHODS WILL NOT WORK.
>#    If you don't set Auth-Type, the server will figure out what to do,
>#    and will almost always do the right thing.
>#
>#    This file contains authentication security and configuration
>#    information for each user.  Accounting requests are NOT processed
>#    through this file.  Instead, see 'acct_users', in this directory.
>#
>#    The first field is the user's name and can be up to
>#    253 characters in length.  This is followed (on the same line) with
>#    the list of authentication requirements for that user.  This can
>#    include password, comm server name, comm server port number, protocol
>#    type (perhaps set by the "hints" file), and huntgroup name (set by
>#    the "huntgroups" file).
>#
>#    Indented (with the tab character) lines following the first
>#    line indicate the configuration values to be passed back to
>#    the comm server to allow the initiation of a user session.
>#    This can include things like the PPP configuration values
>#    or the host to log the user onto.
>#
>#    If you are not sure why a particular reply is being sent by the
>#    server, then run the server in debugging mode (radiusd -X), and
>#    you will see which entries in this file are matched.
>#
>#    When an authentication request is received from the comm server,
>#    these values are tested. Only the first match is used unless the
>#    "Fall-Through" variable is set to "Yes".
>#
>#    A special user named "DEFAULT" matches on all usernames.
>#    You can have several DEFAULT entries. All entries are processed
>#    in the order they appear in this file. The first entry that
>#    matches the login-request will stop processing unless you use
>#    the Fall-Through variable.
>#
>#    You can include another `users' file with `$INCLUDE users.other'
>#
>
>#
>#    For a list of RADIUS attributes, and links to their definitions,
>#    see:
>#
>#    http://www.freeradius.org/rfc/attributes.html
>#
>
>#
># Deny access for a specific user.  Note that this entry MUST
># be before any other 'Auth-Type' attribute which results in the user
># being authenticated.
>#
># Note that there is NO 'Fall-Through' attribute, so the user will not
># be given any additional resources.
>#
>#lameuser    Auth-Type := Reject
>#        Reply-Message = "Your account has been disabled."
>
>#
># Deny access for a group of users.
>#
># Note that there is NO 'Fall-Through' attribute, so the user will not
># be given any additional resources.
>#
>#DEFAULT    Group == "disabled", Auth-Type := Reject
>#        Reply-Message = "Your account has been disabled."
>#
>
>#
># This is a complete entry for "steve". Note that there is no Fall-Through
># entry so that no DEFAULT entry will be used, and the user will NOT
># get any attributes in addition to the ones listed here.
>#
>#steve    Cleartext-Password := "testing"
>#    Service-Type = Framed-User,
>#    Framed-Protocol = PPP,
>#    Framed-IP-Address = 172.16.3.33,
>#    Framed-IP-Netmask = 255.255.255.0,
>#    Framed-Routing = Broadcast-Listen,
>#    Framed-Filter-Id = "std.ppp",
>#    Framed-MTU = 1500,
>#    Framed-Compression = Van-Jacobsen-TCP-IP
>
>#
># This is an entry for a user with a space in their name.
># Note the double quotes surrounding the name.
>#
>#"John Doe"    Cleartext-Password := "hello"
>#        Reply-Message = "Hello, %u"
>
>#
># Dial user back and telnet to the default host for that port
>#
>#Deg    Cleartext-Password := "ge55ged"
>#    Service-Type = Callback-Login-User,
>#    Login-IP-Host = 0.0.0.0,
>#    Callback-Number = "9,5551212",
>#    Login-Service = Telnet,
>#    Login-TCP-Port = Telnet
>
>#
># Another complete entry. After the user "dialbk" has logged in, the
># connection will be broken and the user will be dialed back after which
># he will get a connection to the host "timeshare1".
>#
>#dialbk    Cleartext-Password := "callme"
>#    Service-Type = Callback-Login-User,
>#    Login-IP-Host = timeshare1,
>#    Login-Service = PortMaster,
>#    Callback-Number = "9,1-800-555-1212"
>
>#
># user "swilson" will only get a static IP number if he logs in with
># a framed protocol on a terminal server in Alphen (see the huntgroups file).
>#
># Note that by setting "Fall-Through", other attributes will be added from
># the following DEFAULT entries
>#
>#swilson    Service-Type == Framed-User, Huntgroup-Name == "alphen"
>#        Framed-IP-Address = 192.168.1.65,
>#        Fall-Through = Yes
>
>#
># If the user logs in as 'username.shell', then authenticate them
># against the system database, give them shell access, and stop processing
># the rest of the file.
>#
># Note that authenticating against an /etc/passwd file works ONLY for PAP,
># and not for CHAP, MS-CHAP, or EAP.
>#
>#DEFAULT    Suffix == ".shell", Auth-Type := System
>#        Service-Type = Login-User,
>#        Login-Service = Telnet,
>#        Login-IP-Host = your.shell.machine
>
>
>#
># The rest of this file contains the several DEFAULT entries.
># DEFAULT entries match with all login names.
># Note that DEFAULT entries can also Fall-Through (see first entry).
># A name-value pair from a DEFAULT entry will _NEVER_ override
># an already existing name-value pair.
>#
>
>#
># First setup all accounts to be checked against the UNIX /etc/passwd.
># (Unless a password was already given earlier in this file).
>#
>
>testuser        Password = "whatever"
>
>DEFAULT    Auth-Type = System
>    Fall-Through = 1
>
>#
># Set up different IP address pools for the terminal servers.
># Note that the "+" behind the IP address means that this is the "base"
># IP address. The Port-Id (S0, S1 etc) will be added to it.
>#
>#DEFAULT    Service-Type == Framed-User, Huntgroup-Name == "alphen"
>#        Framed-IP-Address = 192.168.1.32+,
>#        Fall-Through = Yes
>
>#DEFAULT    Service-Type == Framed-User, Huntgroup-Name == "delft"
>#        Framed-IP-Address = 192.168.2.32+,
>#        Fall-Through = Yes
>
>#
># Defaults for all framed connections.
>#
>DEFAULT    Service-Type == Framed-User
>    Framed-IP-Address = 192.168.2.132,
>    Framed-MTU = 576,
>    Service-Type = Framed-User,
>    Fall-Through = Yes
>
>#
># Default for PPP: dynamic IP address, PPP mode, VJ-compression.
># NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
>#    by the terminal server in which case there may not be a "P" suffix.
>#    The terminal server sends "Framed-Protocol = PPP" for auto PPP.
>#
>DEFAULT    Framed-Protocol == PPP
>    Framed-Protocol = PPP,
>    Framed-Compression = Van-Jacobson-TCP-IP
>
>#
># Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
>#
>DEFAULT    Hint == "CSLIP"
>    Framed-Protocol = SLIP,
>    Framed-Compression = Van-Jacobson-TCP-IP
>
>#
># Default for SLIP: dynamic IP address, SLIP mode.
>#
>DEFAULT    Hint == "SLIP"
>    Framed-Protocol = SLIP
>
>#
># Last default: rlogin to our main server.
>#
>#DEFAULT
>#    Service-Type = Login-User,
>#    Login-Service = Rlogin,
>#    Login-IP-Host = shellbox.ispdomain.com
>
># #
># # Last default: shell on the local terminal server.
># #
># DEFAULT
>#     Service-Type = Shell-User
>
># On no match, the user is denied access.
>
>tnt at kalik.co.yu wrote: There is a spelling mistake somewhere. Post that users file again. If you
>are using DHCP you don't need IP address and netmask. Just return the
>service type.
>
>Those parameters are to tell the NAS how to make this connection, what
>type of user it is, what services he can use, etc.
>
>Ivan Kalik
>Kalik Informatika ISP
>
>
>On 31/5/2007, "shantanu choudhary"  wrote:
>
>>We tried to use service type, framed protocol, framed IP address (what are they used for?), and framed IP netmask, but after making those changes my server was unable to start up, giving an error related to some parsing failure.
>>Can you tell me what I should add? And is it not supposed to work, and I get an IP using the DHCP client? With the GUI it is showing associated, but I am not able to get an IP.
>>regards
>>shantanu
>>
>>tnt at kalik.co.yu wrote: I think the problem is that the supplicant expects IP address, netmask etc.
>>in the accept packet. Without those it can't configure the connection.
>>Return appropriate parameters and the connection should be established.
>>
>>Ivan Kalik
>>Kalik Informatika ISP
>>
>>
>>On 31/5/2007, "shantanu choudhary"  wrote:
>>
>>>We have restarted the server with this user file.
>>>One question I want to ask: what address is the client requesting for which it is failing? Where do you think the problem is?
>>>
>>>regards
>>>shantanu
>>>
>>
>>-
>>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>
>
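
The first-match and Fall-Through rules described in the comments of the quoted users file, modelled in Python and run over that file's active (uncommented) entries; this is an added example, not FreeRADIUS code and not part of the thread. The treatment of `=` check items as always matching and of `Fall-Through = 1` as equivalent to `Yes` are assumptions of this simplified model.

```python
# Simplified model of users-file processing: entries are tried in order,
# and the first match stops processing unless it sets Fall-Through.
# Entries below are transcribed from the active lines of the quoted file.
USERS = [
    # (name, check items [(attr, op, value)], reply items [(attr, value)])
    ("testuser", [("Password", "=", "whatever")], []),
    ("DEFAULT", [("Auth-Type", "=", "System")], [("Fall-Through", "1")]),
    ("DEFAULT", [("Service-Type", "==", "Framed-User")],
     [("Framed-IP-Address", "192.168.2.132"), ("Framed-MTU", "576"),
      ("Service-Type", "Framed-User"), ("Fall-Through", "Yes")]),
    ("DEFAULT", [("Framed-Protocol", "==", "PPP")],
     [("Framed-Protocol", "PPP"),
      ("Framed-Compression", "Van-Jacobson-TCP-IP")]),
    ("DEFAULT", [("Hint", "==", "CSLIP")],
     [("Framed-Protocol", "SLIP"),
      ("Framed-Compression", "Van-Jacobson-TCP-IP")]),
    ("DEFAULT", [("Hint", "==", "SLIP")], [("Framed-Protocol", "SLIP")]),
]


def reply_for(request, users=USERS):
    """Return (reply attributes, names of matched entries) for a request."""
    reply, matched = {}, []
    for name, checks, replies in users:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        # '==' compares against the request; '=' sets a server-side item
        # and never blocks a match (assumption of this model).
        if any(op == "==" and request.get(attr) != val
               for attr, op, val in checks):
            continue
        matched.append(name)
        fall_through = False
        for attr, val in replies:
            if attr == "Fall-Through":
                fall_through = val in ("Yes", "1")
            else:
                # A later entry never overrides an existing pair.
                reply.setdefault(attr, val)
        if not fall_through:
            break  # first match wins: later DEFAULT entries are skipped
    return reply, matched


if __name__ == "__main__":
    # Constructed request: testuser asking for a framed session.
    print(reply_for({"User-Name": "testuser", "Service-Type": "Framed-User"}))
```

In this model the `testuser` entry matches first and has no Fall-Through, so the request never reaches the `DEFAULT Service-Type == Framed-User` entry and the reply list is empty.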



