freeradius+pptpd+mysq -> rc_avpair_new: unknown attribute 6
Vladi Lemurov
fix at stekloprom.ru
Wed Mar 19 08:59:08 CET 2008
Hello!
I've installed freeradius on CentOS 5.1 and configured it to use mysql.
freeradius+mysql seems to work fine,
here's the output of "radtest" command:
radtest myuser mypassword localhost 0 mysecret
Sending Access-Request of id 188 to 127.0.0.1 port 1812
User-Name = "user"
User-Password = "mypassword"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=188, length=38
Framed-IP-Address = 192.168.200.11
Framed-IP-Netmask = 255.255.255.255
Framed-Protocol = PPP
-----
but when I try to connect to pptpd, pptpd doesn't even try to connect to
radius server (I even tried to listen
with tcpdump on lo for packets going to ports 1812 and 1813, caught
nothing from pptpd) and gives me the following errors:
rc_avpair_new: unknown attribute 6
rc_avpair_new: unknown attribute 7
rc_avpair_new: unknown attribute 1
rc_avpair_new: unknown attribute 11
rc_avpair_new: unknown attribute 25
rc_avpair_new: unknown attribute 31
rc_avpair_new: unknown attribute 4
-----
I've googled and found out that usually this happens because
dictionary.microsoft isn't in the dictionary path or it is of
some different format. I double checked it and put the working
directory.microsoft file in the proper place - still not working.
Then I've made some mistakes in the dictionary.microsoft on purpose (I
wrote sdfgsdfsdfsd there) and radiusd -fX complained on it, thus
it does see this dictionary:
read_config_files: reading dictionary
Errors reading dictionary: dict_init:
/usr/share/freeradius/dictionary.microsoft[6] invalid entry
-----
What am I doing wrong? Below I've copypasted config files of pptpd
radius and their debug logs.
Vladi Lemuroff.
here's the corresponding debug output:
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:33320, id=188,
length=58
User-Name = "user"
User-Password = "mypassword"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_realm: No '@' in User-Name = "user", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
radius_xlat: 'user'
rlm_sql (sql): sql_set_user escaped user --> 'user'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
radcheck WHERE Username = 'user' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHER
E usergroup.Username = 'user' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
radreply WHERE Username = 'user' ORDER BY id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHER
E usergroup.Username = 'user' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [user/password] (from client radiushost port 0)
Sending Access-Accept of id 188 to xxx.xxx.xxx.xxx port 33320
Framed-IP-Address := 192.168.200.11
Framed-IP-Netmask := 255.255.255.255
Framed-Protocol := PPP
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 188 with timestamp 47e0bcdd
Nothing to do. Sleeping until we see a request.
-----
here's my /etc/ppp/pptpd.options config file:
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
proxyarp
debug
dump
lock
novj
novjccomp
nologfd
lcp-echo-interval 10
lcp-echo-failure 6
logfile /var/log/ppp/pppd.log
-----
here's my radiusd.conf:
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib64
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = localhost
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/sql.conf
mschap {
authtype = MS-CHAP
use_mppe = no
require_strong = yes
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
detail {
detailfile =
${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
sqlmod-inst = sql
key = User-Name
reset = daily
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
sqlmod-inst = sql
key = User-Name
reset = monthly
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
maximum-timeout = 0
}
}
instantiate {
exec
expr
}
authorize {
preprocess
suffix
sql
mschap
}
authenticate {
Auth-Type MS-CHAP {
mschap
}
}
preacct {
preprocess
acct_unique
suffix
}
accounting {
acct_unique
detail
sql
}
session {
radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
}
-----
here's my /etc/radiusclient/radiusclient.conf:
auth_order radius
login_tries 4
login_timeout 60
issue /etc/radiusclient/issue
authserver localhost
acctserver localhost
servers /etc/radiusclient/servers
dictionary /etc/raddb/dictionary
seqfile /var/run/radius.seq
mapfile /etc/radiusclient/port-id-map
default_realm
radius_timeout 10
radius_retries 3
login_local /bin/login
-----
here's my /etc/raddb/clients.conf:
client 127.0.0.1 {
secret = mysecret
shortname = localhost
nastype = other # localhost isn't usually a NAS...
}
-----
here's my /usr/share/freeradius/dictionary:
$INCLUDE dictionary.compat
$INCLUDE dictionary.rfc2865
$INCLUDE dictionary.rfc2866
$INCLUDE dictionary.rfc2867
$INCLUDE dictionary.rfc2868
$INCLUDE dictionary.rfc2869
$INCLUDE dictionary.rfc3162
$INCLUDE dictionary.rfc3576
$INCLUDE dictionary.rfc3580
$INCLUDE dictionary.3com
$INCLUDE dictionary.3gpp
$INCLUDE dictionary.3gpp2
$INCLUDE dictionary.acc
$INCLUDE dictionary.airespace
$INCLUDE dictionary.alcatel
$INCLUDE dictionary.alteon
$INCLUDE dictionary.alvarion
$INCLUDE dictionary.aruba
$INCLUDE dictionary.ascend
$INCLUDE dictionary.bay
$INCLUDE dictionary.bintec
$INCLUDE dictionary.cablelabs
$INCLUDE dictionary.cabletron
$INCLUDE dictionary.cisco
$INCLUDE dictionary.cisco.vpn5000
$INCLUDE dictionary.cisco.bbsm
$INCLUDE dictionary.colubris
$INCLUDE dictionary.cosine
$INCLUDE dictionary.digium
$INCLUDE dictionary.epygi
$INCLUDE dictionary.erx
$INCLUDE dictionary.ericsson
$INCLUDE dictionary.extreme
$INCLUDE dictionary.freeradius
$INCLUDE dictionary.fortinet
$INCLUDE dictionary.foundry
$INCLUDE dictionary.gandalf
$INCLUDE dictionary.gemtek
$INCLUDE dictionary.issanni
$INCLUDE dictionary.itk
$INCLUDE dictionary.ipunplugged
$INCLUDE dictionary.juniper
$INCLUDE dictionary.karlnet
$INCLUDE dictionary.livingston
$INCLUDE dictionary.localweb
$INCLUDE dictionary.lucent
$INCLUDE dictionary.hp
$INCLUDE dictionary.microsoft
$INCLUDE dictionary.mikrotik
$INCLUDE dictionary.navini
$INCLUDE dictionary.netscreen
$INCLUDE dictionary.ntua
$INCLUDE dictionary.nomadix
$INCLUDE dictionary.nortel
$INCLUDE dictionary.packeteer
$INCLUDE dictionary.propel
$INCLUDE dictionary.quintum
$INCLUDE dictionary.redback
$INCLUDE dictionary.redcreek
$INCLUDE dictionary.riverstone
$INCLUDE dictionary.roaringpenguin
$INCLUDE dictionary.shasta
$INCLUDE dictionary.shiva
$INCLUDE dictionary.sonicwall
$INCLUDE dictionary.springtide
$INCLUDE dictionary.starent
$INCLUDE dictionary.telebit
$INCLUDE dictionary.trapeze
$INCLUDE dictionary.tropos
$INCLUDE dictionary.t_systems_nova
$INCLUDE dictionary.usr
$INCLUDE dictionary.valemount
$INCLUDE dictionary.versanet
$INCLUDE dictionary.waverider
$INCLUDE dictionary.walabi
$INCLUDE dictionary.wispr
$INCLUDE dictionary.xedia
$INCLUDE dictionary.xylan
$INCLUDE dictionary.freeradius.internal
ATTRIBUTE Originating-Line-Info 94 string
ATTRIBUTE Digest-Response 206 string
ATTRIBUTE Digest-Attributes 207 octets
# stupid format
VALUE Service-Type Voice 12
VALUE Service-Type Fax 13
VALUE Service-Type Modem-Relay 14
VALUE Service-Type IAPP-Register 15
VALUE Service-Type IAPP-AP-Check 16
VALUE Framed-Protocol GPRS-PDP-Context 7
VALUE NAS-Port-Type Wireless-CDMA2000 22
VALUE NAS-Port-Type Wireless-UMTS 23
VALUE NAS-Port-Type Wireless-1X-EV 24
VALUE NAS-Port-Type IAPP 25
VALUE Framed-Protocol PPTP 9
-----
here's my /usr/share/freeradius/dictionary.microsoft:
VENDOR Microsoft 311
BEGIN-VENDOR Microsoft
ATTRIBUTE MS-CHAP-Response 1 string Microsoft
ATTRIBUTE MS-CHAP-Error 2 string Microsoft
ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft
ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft
ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft
ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft
ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft
ATTRIBUTE MS-CHAP-Domain 10 string Microsoft
ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft
ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft
ATTRIBUTE MS-BAP-Usage 13 integer Microsoft
ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft
ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft
ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft
ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft
ATTRIBUTE MS-RAS-Version 18 string Microsoft
ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft
ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft
ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft
ATTRIBUTE MS-Filter 22 string Microsoft
ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft
ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft
ATTRIBUTE MS-CHAP2-Response 25 string Microsoft
ATTRIBUTE MS-CHAP2-Success 26 string Microsoft
ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft
ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr Microsoft
ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr Microsoft
ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft
ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft
VALUE MS-BAP-Usage Not-Allowed 0
VALUE MS-BAP-Usage Allowed 1
VALUE MS-BAP-Usage Required 2
VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1
VALUE MS-ARAP-PW-Change-Reason Expired-Password 2
VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3
VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4
VALUE MS-Acct-Auth-Type PAP 1
VALUE MS-Acct-Auth-Type CHAP 2
VALUE MS-Acct-Auth-Type MS-CHAP-1 3
VALUE MS-Acct-Auth-Type MS-CHAP-2 4
VALUE MS-Acct-Auth-Type EAP 5
VALUE MS-Acct-EAP-Type MD5 4
VALUE MS-Acct-EAP-Type OTP 5
VALUE MS-Acct-EAP-Type Generic-Token-Card 6
VALUE MS-Acct-EAP-Type TLS 13
END-VENDOR Microsoft
-----
here's the "radiusd -fX" output:
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib64"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: bind_address = localhost IP address [127.0.0.1]
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib64
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
mschap: use_mppe = no
mschap: require_encryption = no
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded SQL
sql: driver = "rlm_sql_mysql"
sql: server = "localhost"
sql: port = ""
sql: login = "root"
sql: password = "sqlpassword"
sql: radius_db = "radius"
sql: nas_table = "nas"
sql: sqltrace = no
sql: sqltracefile = "/var/log/radius/sqltrace.sql"
sql: readclients = no
sql: deletestalesessions = yes
sql: num_sql_socks = 5
sql: sql_user_name = "%{User-Name}"
sql: default_user_profile = ""
sql: query_on_not_found = no
sql: authorize_check_query = "SELECT id, UserName, Attribute, Value,
op FROM radcheck WHERE Username =
'%{SQL-User-Name}' ORDER
BY id"
sql: authorize_reply_query = "SELECT id, UserName, Attribute, Value,
op FROM radreply WHERE Username =
'%{SQL-User-Name}' ORDER
BY id"
sql: authorize_group_check_query = "SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgro
upcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id"
sql: authorize_group_reply_query = "SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgro
upreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id"
sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S',
AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime),
AcctTerminateCause
='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE
AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress=
'%{NAS-IP-Address}' AND AcctStar
tTime <= '%S'"
sql: accounting_update_query = "UPDATE radacct SET
FramedIPAddress = '%{Framed-IP-Address}', AcctSessionTime =
'%{Acct-Session-Time}',
AcctInputOctets = '%{Acct-Input-Octets}',
AcctOutputOctets = '%{Acct-Output-Octets}' WHERE AcctSessionId
= '%{Acct-Session-Id}'
AND UserName = '%{SQL-User-Name}' AND NASIPAddress=
'%{NAS-IP-Address}'"
sql: accounting_update_query_alt = "INSERT into radacct (AcctSessionId,
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
AcctStartTime, A
cctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets,
AcctOutputOctets, CalledStationId, CallingStationId, ServiceType,
FramedProtocol, FramedIPA
ddress, AcctStartDelay) values('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-P
ort-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} +
%{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}',
'%{Acct-Authentic}', '', '%{Acct-Input-O
ctets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '0')"
sql: accounting_start_query = "INSERT into radacct (AcctSessionId,
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
AcctStartTime, AcctSt
opTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start,
ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId,
CallingStationId, AcctTermina
teCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay,
AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Na
me}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}',
'%{Connect-Info}', '', '0', '0', '%{Called-Stat
ion-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"
sql: accounting_start_query_alt = "UPDATE radacct SET AcctStartTime =
'%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start =
'%{Connect-Info}' WHER
E AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}'
AND NASIPAddress = '%{NAS-IP-Address}'"
sql: accounting_stop_query = "UPDATE radacct SET AcctStopTime = '%S',
AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets =
'%{Acct-Input-Octets}', Acc
tOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause =
'%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}',
ConnectInfo_stop = '%{Connect-I
nfo}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName =
'%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
sql: accounting_stop_query_alt = "INSERT into radacct (AcctSessionId,
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
AcctStartTime, Acc
tStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start,
ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId,
CallingStationId, AcctTerm
inateCause, ServiceType, FramedProtocol, FramedIPAddress,
AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User
-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} +
%{Acct-Delay-Time:-0}) SECOND)
, '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '',
'%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}',
'%{Called-Station-Id}', '%{Callin
g-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')"
sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE
UserName='%{SQL-User-Name}'"
sql: connect_failure_retry_delay = 60
sql: simul_count_query = ""
sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName,
NASIPAddress, NASPortId, FramedIPAddress, CallingStationId,
FramedProtocol FROM radacct
WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
sql: postauth_query = "INSERT into radpostauth (id, user, pass, reply,
date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}',
'%{reply:Packet-T
ype}', NOW())"
sql: safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to root at localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 127.0.0.1:1812
Listening on accounting 127.0.0.1:1813
Ready to process requests.
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:33320, id=188,
length=58
User-Name = "user"
User-Password = "password"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_realm: No '@' in User-Name = "user", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
radius_xlat: 'user'
rlm_sql (sql): sql_set_user escaped user --> 'user'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
radcheck WHERE Username = 'user' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHER
E usergroup.Username = 'user' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
radreply WHERE Username = 'user' ORDER BY id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHER
E usergroup.Username = 'user' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [user/password] (from client radiushost port 0)
Sending Access-Accept of id 188 to xxx.xxx.xxx.xxx port 33320
Framed-IP-Address := 192.168.200.11
Framed-IP-Netmask := 255.255.255.255
Framed-Protocol := PPP
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 188 with timestamp 47e0bcdd
Nothing to do. Sleeping until we see a request.
-----
here's the debug output of pptpd:
Plugin radius.so loaded.
RADIUS plugin initialized.
Plugin radattr.so loaded.
RADATTR plugin initialized.
Plugin /usr/lib64/pptpd/pptpd-logwtmp.so loaded.
pptpd-logwtmp: $Version$
pppd options in effect:
debug # (from /etc/ppp/options.pptpd)
logfile /var/log/ppp/pppd.log # (from /etc/ppp/options.pptpd)
dump # (from /etc/ppp/options.pptpd)
plugin radius.so # (from /etc/ppp/options.pptpd)
plugin radattr.so # (from command line)
plugin /usr/lib64/pptpd/pptpd-logwtmp.so # (from command
line)
require-mschap-v2 # (from /etc/ppp/options.pptpd)
refuse-pap # (from /etc/ppp/options.pptpd)
refuse-chap # (from /etc/ppp/options.pptpd)
refuse-mschap # (from /etc/ppp/options.pptpd)
name pptpd # (from /etc/ppp/options.pptpd)
pptpd-original-ip xxx.xxx.xxx.xxx # (from command line)
115200 # (from command line)
lock # (from /etc/ppp/options.pptpd)
local # (from command line)
lcp-echo-failure 6 # (from /etc/ppp/options.pptpd)
lcp-echo-interval 10 # (from /etc/ppp/options.pptpd)
novj # (from /etc/ppp/options.pptpd)
novjccomp # (from /etc/ppp/options.pptpd)
ipparam xxx.xxx.xxx.xxx # (from command line)
proxyarp # (from /etc/ppp/options.pptpd)
192.168.200.1:192.168.200.2 # (from command line)
using channel 69
Using interface ppp0
Connect: ppp0 <--> /dev/pts/0
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic
0x65af9c5b> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x33d76a8f> <pcomp> <accomp>
<callback CBCP>]
sent [LCP ConfRej id=0x0 <callback CBCP>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic
0x65af9c5b> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x33d76a8f> <pcomp> <accomp>]
sent [LCP ConfAck id=0x1 <mru 1400> <magic 0x33d76a8f> <pcomp> <accomp>]
sent [LCP EchoReq id=0x0 magic=0x65af9c5b]
sent [CHAP Challenge id=0x69 <8c6633e8a89fd872949e81c92634d55c>, name =
"pptpd"]
rcvd [LCP Ident id=0x2 magic=0x33d76a8f "MSRASV5.20"]
rcvd [LCP Ident id=0x3 magic=0x33d76a8f "MSRAS-0-SNEAKY"]
rcvd [LCP EchoRep id=0x0 magic=0x33d76a8f]
rcvd [CHAP Response id=0x69
<5e0aa213a4f2a576417df0d4e364e587000000000000000044d86fcfa765752f05f61f2c3c1388a58986857761cc47ff00>,
name = "nik"]
rc_avpair_new: unknown attribute 6
rc_avpair_new: unknown attribute 7
rc_avpair_new: unknown attribute 1
rc_avpair_new: unknown attribute 11
rc_avpair_new: unknown attribute 25
rc_avpair_new: unknown attribute 31
rc_avpair_new: unknown attribute 4
Peer nik failed CHAP authentication
sent [CHAP Failure id=0x69 ""]
sent [LCP TermReq id=0x2 "Authentication failed"]
rcvd [LCP TermAck id=0x2 "Authentication failed"]
Connection terminated.
RADATTR plugin removed file /var/run/radattr.ppp0.
More information about the Freeradius-Users
mailing list