Auth-Type
jon michaels
joniamasad at gmail.com
Mon Dec 7 09:05:10 CET 2009
Thanks for the quick response.
On Mon, Dec 7, 2009 at 11:33 AM, Alan DeKok <aland at deployingradius.com> wrote:
> jon michaels wrote:
>> My NAS, pppd, does not grant access to a user with attribute Auth-Type
>> set to Accept but radtest does work.
Perhaps I should also mention that without Auth-Type set to Accept, I
can connect. I am just searching for a good way to update one field in
mysql to flip access on and off. If there is another attribute that I
can use for this, that would be fine too. I just tried this one
because it was mentioned in the /etc/freeradius/users example.
> My *guess* is that the NAS is doing MS-CHAP. You *cannot* simply set
> Auth-Type = Accept to let them in. You *must* have the "known good"
> password, and you *must* do a full MS-CHAP exchange.
True, it's doing mschap. I currently don't understand yet why the debug
shows an accept but the ppp doesn't like it.
Here's my freeradius debug output and my pppd and pptp debug output
underneath it:
rad_recv: Access-Request packet from host 127.0.0.1 port 59011,
id=238, length=135
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "testuser"
MS-CHAP-Challenge = 0xcf50beb20eeb75a90e5577b142c0fdfc
MS-CHAP2-Response =
0xec002b8744dec345f27532594312332a563e0000000000000000ef6a691cef86e60776c054bc5180319d1eb0bff41a2275cf
NAS-IP-Address = 172.16.132.204
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20091207
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20091207
expand: %t -> Mon Dec 7 11:41:48 2009
++[auth_log] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 148
++[files] returns ok
expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
rlm_sql (sql): Reserving sql socket id: 0
expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'testuser' ORDER BY id
[sql] User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'testuser' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'testuser' ORDER BY priority
expand: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'dynamic'
ORDER BY id
[sql] User found in group dynamic
expand: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = 'dynamic'
ORDER BY id
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
+- entering group session {...}
expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp
expand: %{User-Name} -> testuser
++[radutmp] returns ok
+- entering group post-auth {...}
expand: %{NAS-IP-Address} %{NAS-Port} -> 172.16.132.204 0
[main_pool] MD5 on 'key' directive maps to: 3f65cbc9230f10232661e598553cbde4
[main_pool] Searching for an entry for key: '3f65cbc9230f10232661e598553cbde4'
[main_pool] Found a stale entry for ip: 172.16.132.163
[main_pool] num: 0
rlm_ippool: Allocating ip to key: '3f65cbc9230f10232661e598553cbde4'
[main_pool] num: 1
[main_pool] Allocated ip 172.16.132.160 to client key:
3f65cbc9230f10232661e598553cbde4
++[main_pool] returns ok
expand: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
-> /var/log/freeradius/radacct/127.0.0.1/reply-detail-20091207
[reply_log] /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
expands to /var/log/freeradius/radacct/127.0.0.1/reply-detail-20091207
expand: %t -> Mon Dec 7 11:41:48 2009
++[reply_log] returns ok
expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
expand: %{User-Password} ->
expand: %{Chap-Password} ->
expand: INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
(username, pass, reply, authdate)
VALUES ( 'testuser',
'', 'Access-Accept', '2009-12-07
11:41:48')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(username, pass, reply, authdate)
VALUES ( 'testuser',
'', 'Access-Accept', '2009-12-07
11:41:48')
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 238 to 127.0.0.1 port 59011
Service-Type := Framed-User
Framed-Protocol := PPP
Framed-Compression := Van-Jacobson-TCP-IP
Framed-MTU := 1500
Acct-Interim-Interval = 3600
Acct-Status-Type = Interim-Update
Framed-IP-Address = 172.16.132.160
Framed-IP-Netmask = 255.255.255.0
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 238 with timestamp +4214
Ready to process requests.
pptpd[7714]: CTRL: pppd options file = /etc/ppp/pptpd-options
pptpd[7714]: CTRL: Starting call (launching pppd, opening GRE)
pptpd[7715]: CTRL (PPPD Launcher): program binary = /usr/sbin/pppd
pppd[7715]: Plugin radius.so loaded.
pppd[7715]: RADIUS plugin initialized.
pppd[7715]: Plugin radattr.so loaded.
pppd[7715]: RADATTR plugin initialized.
pppd[7715]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
pppd[7715]: pptpd-logwtmp: $Version$
pppd[7715]: pppd 2.4.5 started by root, uid 0
pppd[7715]: using channel 20
pppd[7715]: Using interface ppp0
pppd[7715]: Connect: ppp0 <--> /dev/pts/2
pppd[7715]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2>
<magic 0x3a4f9548> <pcomp> <accomp>]
pptpd[7714]: GRE: Bad checksum from pppd.
pppd[7715]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xe4a25036>
<pcomp> <accomp>]
pppd[7715]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xe4a25036>
<pcomp> <accomp>]
pppd[7715]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2>
<magic 0x3a4f9548> <pcomp> <accomp>]
pppd[7715]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xe4a25036>
<pcomp> <accomp>]
pppd[7715]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xe4a25036>
<pcomp> <accomp>]
pppd[7715]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2>
<magic 0x3a4f9548> <pcomp> <accomp>]
pppd[7715]: sent [LCP EchoReq id=0x0 magic=0x3a4f9548]
pppd[7715]: sent [CHAP Challenge id=0xab
<fee8a2f7b97dc91c29b77a21b811bd7b>, name = "pptpd"]
pppd[7715]: rcvd [LCP EchoReq id=0x0 magic=0xe4a25036]
pppd[7715]: sent [LCP EchoRep id=0x0 magic=0x3a4f9548]
pppd[7715]: rcvd [LCP EchoRep id=0x0 magic=0xe4a25036]
pppd[7715]: rcvd [CHAP Response id=0xab
<cd3e1f2e7e3333563806295b83cc29e400000000000000000e5fa91bba34183221a516ca3133441b607edcb9b0a7852d00>,
name = "testuser"]
pppd[7715]: RADATTR plugin wrote 8 line(s) to file /var/run/radattr.ppp0.
pppd[7715]:
pppd[7715]: Peer hexuser failed CHAP authentication
pppd[7715]: sent [CHAP Failure id=0xab ""]
pppd[7715]: sent [LCP TermReq id=0x2 "Authentication failed"]
pppd[7715]: rcvd [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
pppd[7715]: sent [LCP TermAck id=0x2]
pppd[7715]: rcvd [LCP TermAck id=0x2]
pppd[7715]: Connection terminated.
pppd[7715]: RADATTR plugin removed file /var/run/radattr.ppp0.
pppd[7715]: Exit.
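
Added example (not part of the original post, and not FreeRADIUS or pppd code): a small Python check over `radiusd -X` debug output that flags an Access-Accept sent in answer to an MS-CHAP2-Response without the MS-CHAP2-Success attribute (RFC 2548) that an MS-CHAPv2 NAS needs to finish the exchange, which is the situation in the debug output above. The function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample modelled on the debug output above; hex values are placeholders.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 59011, id=238, length=135
    User-Name = "testuser"
    MS-CHAP2-Response = 0x00
Found Auth-Type = Accept
Sending Access-Accept of id 238 to 127.0.0.1 port 59011
    Framed-IP-Address = 172.16.132.160
Finished request 3.
rad_recv: Access-Request packet from host 127.0.0.1 port 59011, id=239, length=135
    User-Name = "otheruser"
    MS-CHAP2-Response = 0x00
Found Auth-Type = MSCHAP
Sending Access-Accept of id 239 to 127.0.0.1 port 59011
    MS-CHAP2-Success = 0x00
Finished request 4.
"""

ATTR = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*:?=\s*(.*)$")

def parse_debug(text):
    """Split debug output into one record per request: attributes, reply code, Auth-Type."""
    records, cur, section = [], None, None
    for line in text.splitlines():
        if line.startswith("rad_recv:"):
            cur = {"request": {}, "reply": {}, "code": None, "auth_type": None}
            records.append(cur)
            section = "request"
        elif cur is None:
            continue
        elif m := re.match(r"Sending (\S+) of id", line):
            cur["code"], section = m.group(1), "reply"
        elif m := re.search(r"Found Auth-Type = (\S+)", line):
            cur["auth_type"], section = m.group(1), None
        elif line.startswith(("+", "Finished")):
            section = None  # module trace or end of request: attribute list is over
        elif section and (m := ATTR.match(line)):
            cur[section][m.group(1)] = m.group(2)
    return records

def mschapv2_gaps(records):
    """Accepts that answer an MS-CHAP2-Response but carry no MS-CHAP2-Success."""
    return [{"user": r["request"].get("User-Name", "").strip('"'),
             "auth_type": r["auth_type"]}
            for r in records
            if r["code"] == "Access-Accept"
            and "MS-CHAP2-Response" in r["request"]
            and "MS-CHAP2-Success" not in r["reply"]]
```

Run `mschapv2_gaps(parse_debug(open(path).read()))` on a saved debug capture; each finding names the user and the Auth-Type the server used when it sent the incomplete accept.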