FreeRadius Basic Authentication Problem
Syed Anwarul Hasan
syedanwarulhasan2007 at gmail.com
Fri Aug 22 18:26:57 CEST 2008
Thank you *Ivan* for your help and exact advice. I was able to debug and
able to do user Authentication as you said.
I once again thanks FreeRadius OpenSource Community for helping people with
their Questions.
SYED
On Fri, Aug 22, 2008 at 4:14 PM, orion <meshkruaj at gmail.com> wrote:
> do not use
> *Auth-Type :=System,*
> dont use Auth-Type at all.
>
>
> 2008/8/22 Syed Anwarul Hasan <syedanwarulhasan2007 at gmail.com>
>
>> FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on Jul 21 2008
>> at 15:35:42
>> Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
>> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>> PARTICULAR PURPOSE.
>> You may redistribute copies of FreeRADIUS under the terms of the
>> GNU General Public License v2.
>> Starting - reading configuration files ...
>> including configuration file /usr/local/etc/raddb/radiusd.conf
>> including configuration file /usr/local/etc/raddb/proxy.conf
>> including configuration file /usr/local/etc/raddb/clients.conf
>> including configuration file /usr/local/etc/raddb/snmp.conf
>> including files in directory /usr/local/etc/raddb/modules/
>> including configuration file /usr/local/etc/raddb/modules/policy
>> including configuration file /usr/local/etc/raddb/modules/acct_unique
>> including configuration file /usr/local/etc/raddb/modules/unix
>> including configuration file /usr/local/etc/raddb/modules/chap
>> including configuration file /usr/local/etc/raddb/modules/preprocess
>> including configuration file /usr/local/etc/raddb/modules/expiration
>> including configuration file /usr/local/etc/raddb/modules/mac2vlan
>> including configuration file /usr/local/etc/raddb/modules/mschap
>> including configuration file /usr/local/etc/raddb/modules/ippool
>> including configuration file /usr/local/etc/raddb/modules/files
>> including configuration file /usr/local/etc/raddb/modules/krb5
>> including configuration file /usr/local/etc/raddb/modules/passwd
>> including configuration file /usr/local/etc/raddb/modules/radutmp
>> including configuration file /usr/local/etc/raddb/modules/attr_rewrite
>> including configuration file /usr/local/etc/raddb/modules/echo
>> including configuration file /usr/local/etc/raddb/modules/etc_group
>> including configuration file /usr/local/etc/raddb/modules/pap
>> including configuration file /usr/local/etc/raddb/modules/realm
>> including configuration file /usr/local/etc/raddb/modules/pam
>> including configuration file /usr/local/etc/raddb/modules/always
>> including configuration file /usr/local/etc/raddb/modules/exec
>> including configuration file /usr/local/etc/raddb/modules/logintime
>> including configuration file /usr/local/etc/raddb/modules/sql_log
>> including configuration file /usr/local/etc/raddb/modules/smbpasswd
>> including configuration file /usr/local/etc/raddb/modules/sradutmp
>> including configuration file /usr/local/etc/raddb/modules/counter
>> including configuration file /usr/local/etc/raddb/modules/ldap
>> including configuration file /usr/local/etc/raddb/modules/expr
>> including configuration file /usr/local/etc/raddb/modules/attr_filter
>> including configuration file /usr/local/etc/raddb/modules/checkval
>> including configuration file /usr/local/etc/raddb/modules/digest
>> including configuration file /usr/local/etc/raddb/modules/detail
>> including configuration file /usr/local/etc/raddb/modules/detail.log
>> including configuration file /usr/local/etc/raddb/modules/mac2ip
>> including configuration file /usr/local/etc/raddb/eap.conf
>> including configuration file /usr/local/etc/raddb/sql.conf
>> including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
>> including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
>> including configuration file /usr/local/etc/raddb/policy.conf
>> including files in directory /usr/local/etc/raddb/sites-enabled/
>> including configuration file /usr/local/etc/raddb/sites-enabled/default
>> including configuration file
>> /usr/local/etc/raddb/sites-enabled/inner-tunnel
>> including dictionary file /usr/local/etc/raddb/dictionary
>> main {
>> prefix = "/usr/local"
>> localstatedir = "/usr/local/var"
>> logdir = "/usr/local/var/log/radius"
>> libdir = "/usr/local/lib"
>> radacctdir = "/usr/local/var/log/radius/radacct"
>> hostname_lookups = no
>> max_request_time = 30
>> cleanup_delay = 5
>> max_requests = 1024
>> allow_core_dumps = no
>> pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
>> checkrad = "/usr/local/sbin/checkrad"
>> debug_level = 0
>> proxy_requests = yes
>> log {
>> stripped_names = no
>> auth = no
>> auth_badpass = no
>> auth_goodpass = no
>> }
>> }
>> client localhost {
>> ipaddr = 127.0.0.1
>> require_message_authenticator = no
>> secret = "testing123"
>> shortname = "localhost"
>> nastype = "other"
>> }
>> radiusd: #### Loading Realms and Home Servers ####
>> proxy server {
>> retry_delay = 5
>> retry_count = 3
>> default_fallback = no
>> dead_time = 120
>> wake_all_if_all_dead = no
>> }
>> home_server localhost {
>> ipaddr = 127.0.0.1
>> port = 1812
>> type = "auth"
>> secret = "testing123"
>> response_window = 20
>> max_outstanding = 65536
>> zombie_period = 40
>> status_check = "status-server"
>> ping_check = "none"
>> ping_interval = 30
>> check_interval = 30
>> num_answers_to_alive = 3
>> num_pings_to_alive = 3
>> revive_interval = 120
>> status_check_timeout = 4
>> }
>> home_server_pool my_auth_failover {
>> type = fail-over
>> home_server = localhost
>> }
>> realm example.com {
>> auth_pool = my_auth_failover
>> }
>> realm LOCAL {
>> }
>> radiusd: #### Instantiating modules ####
>> instantiate {
>> Module: Linked to module rlm_exec
>> Module: Instantiating exec
>> exec {
>> wait = no
>> input_pairs = "request"
>> shell_escape = yes
>> }
>> Module: Linked to module rlm_expr
>> Module: Instantiating expr
>> Module: Linked to module rlm_expiration
>> Module: Instantiating expiration
>> expiration {
>> reply-message = "Password Has Expired "
>> }
>> Module: Linked to module rlm_logintime
>> Module: Instantiating logintime
>> logintime {
>> reply-message = "You are calling outside your allowed timespan "
>> minimum-timeout = 60
>> }
>> }
>> radiusd: #### Loading Virtual Servers ####
>> server inner-tunnel {
>> modules {
>> Module: Checking authenticate {...} for more modules to load
>> Module: Linked to module rlm_pap
>> Module: Instantiating pap
>> pap {
>> encryption_scheme = "auto"
>> auto_header = no
>> }
>> Module: Linked to module rlm_chap
>> Module: Instantiating chap
>> Module: Linked to module rlm_mschap
>> Module: Instantiating mschap
>> mschap {
>> use_mppe = yes
>> require_encryption = no
>> require_strong = no
>> with_ntdomain_hack = no
>> }
>> Module: Linked to module rlm_unix
>> Module: Instantiating unix
>> unix {
>> radwtmp = "/usr/local/var/log/radius/radwtmp"
>> }
>> Module: Linked to module rlm_eap
>> Module: Instantiating eap
>> eap {
>> default_eap_type = "md5"
>> timer_expire = 60
>> ignore_unknown_eap_types = no
>> cisco_accounting_username_bug = no
>> }
>> Module: Linked to sub-module rlm_eap_md5
>> Module: Instantiating eap-md5
>> Module: Linked to sub-module rlm_eap_leap
>> Module: Instantiating eap-leap
>> Module: Linked to sub-module rlm_eap_gtc
>> Module: Instantiating eap-gtc
>> gtc {
>> challenge = "Password: "
>> auth_type = "PAP"
>> }
>> rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support.
>> rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support.
>> rlm_eap: Ignoring EAP-Type/peap because we do not have OpenSSL support.
>> Module: Linked to sub-module rlm_eap_mschapv2
>> Module: Instantiating eap-mschapv2
>> mschapv2 {
>> with_ntdomain_hack = no
>> }
>> Module: Checking authorize {...} for more modules to load
>> Module: Linked to module rlm_realm
>> Module: Instantiating suffix
>> realm suffix {
>> format = "suffix"
>> delimiter = "@"
>> ignore_default = no
>> ignore_null = no
>> }
>> Module: Linked to module rlm_files
>> Module: Instantiating files
>> files {
>> usersfile = "/usr/local/etc/raddb/users"
>> acctusersfile = "/usr/local/etc/raddb/acct_users"
>> preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
>> compat = "no"
>> }
>> Module: Checking session {...} for more modules to load
>> Module: Linked to module rlm_radutmp
>> Module: Instantiating radutmp
>> radutmp {
>> filename = "/usr/local/var/log/radius/radutmp"
>> username = "%{User-Name}"
>> case_sensitive = yes
>> check_with_nas = yes
>> perm = 384
>> callerid = yes
>> }
>> Module: Checking post-proxy {...} for more modules to load
>> Module: Checking post-auth {...} for more modules to load
>> Module: Linked to module rlm_attr_filter
>> Module: Instantiating attr_filter.access_reject
>> attr_filter attr_filter.access_reject {
>> attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
>> key = "%{User-Name}"
>> }
>> }
>> }
>> server {
>> modules {
>> Module: Checking authenticate {...} for more modules to load
>> Module: Checking authorize {...} for more modules to load
>> Module: Linked to module rlm_preprocess
>> Module: Instantiating preprocess
>> preprocess {
>> huntgroups = "/usr/local/etc/raddb/huntgroups"
>> hints = "/usr/local/etc/raddb/hints"
>> with_ascend_hack = no
>> ascend_channels_per_line = 23
>> with_ntdomain_hack = no
>> with_specialix_jetstream_hack = no
>> with_cisco_vsa_hack = no
>> with_alvarion_vsa_hack = no
>> }
>> Module: Checking preacct {...} for more modules to load
>> Module: Linked to module rlm_acct_unique
>> Module: Instantiating acct_unique
>> acct_unique {
>> key = "User-Name, Acct-Session-Id, NAS-IP-Address,
>> Client-IP-Address, NAS-Port"
>> }
>> Module: Checking accounting {...} for more modules to load
>> Module: Linked to module rlm_detail
>> Module: Instantiating detail
>> detail {
>> detailfile =
>> "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>> header = "%t"
>> detailperm = 384
>> dirperm = 493
>> locking = no
>> log_packet_header = no
>> }
>> Module: Instantiating attr_filter.accounting_response
>> attr_filter attr_filter.accounting_response {
>> attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
>> key = "%{User-Name}"
>> }
>> Module: Checking session {...} for more modules to load
>> Module: Checking post-proxy {...} for more modules to load
>> Module: Checking post-auth {...} for more modules to load
>> }
>> }
>> radiusd: #### Opening IP addresses and Ports ####
>> listen {
>> type = "auth"
>> ipaddr = *
>> port = 0
>> }
>> listen {
>> type = "acct"
>> ipaddr = *
>> port = 0
>> }
>> Listening on authentication address * port 1812
>> Listening on accounting address * port 1813
>> Listening on proxy address * port 1814
>> Ready to process requests.
>> rad_recv: Access-Request packet from host 127.0.0.1 port 1029, id=10,
>> length=56
>> User-Name = "John"
>> User-Password = "hello"
>> NAS-IP-Address = 192.168.1.131
>> NAS-Port = 1
>> +- entering group authorize
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>> rlm_realm: No '@' in User-Name = "John", looking up realm NULL
>> rlm_realm: No such realm "NULL"
>> ++[suffix] returns noop
>> rlm_eap: No EAP-Message, not doing EAP
>> ++[eap] returns noop
>> ++[unix] returns notfound
>> ++[files] returns noop
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> rlm_pap: WARNING! No "known good" password found for the user.
>> Authentication may fail because of this.
>> ++[pap] returns noop
>> auth: No authenticate method (Auth-Type) configuration found for the
>> request: Rejecting the user
>> auth: Failed to validate the user.
>> Found Post-Auth-Type Reject
>> +- entering group REJECT
>> expand: %{User-Name} -> John
>> attr_filter: Matched entry DEFAULT at line 11
>> ++[attr_filter.access_reject] returns updated
>> Sending Access-Reject of id 10 to 127.0.0.1 port 1029
>> Finished request 0.
>> Going to the next request
>> Waking up in 4.9 seconds.
>> Cleaning up request 0 ID 10 with timestamp +7
>> Ready to process requests.
>>
>>
>> And my radtest command *radtest John hello localhost 1 testing123
>>
>> Users file
>>
>> # This is an entry for a user with a space in their name.
>> # Note the double quotes surrounding the name.
>>
>> John Auth-Type :=System,Huntgroup-Name == John,User-Password := "hello"
>>
>> Reply-Message = "Hello, %{User-Name}",
>> Fall-Through = Yes
>> **
>>
>> And in Huntgroup file
>> I have added this line
>>
>> John NAS-IP-Address == 127.0.0.1
>>
>>
>> Clients.conf I have not modified client being localhost.
>> radiusd.conf : I have not modified , the listening IP address is *
>> (wildcard) with port 0 for /etc/services 1812 and 1813 ports.
>>
>> In the sites-enabled directory , in the Authorize section, the files
>> section is included .
>>
>> Hence this is the scenario, I have been trying to authenticate RADIUS
>> server with a single user entry in User file but i am unable to do.
>>
>> I hope you all help me in this regard.
>>
>>
>> SYED
>>
>> *
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080822/d3c894a6/attachment.html>
More information about the Freeradius-Users
mailing list