white list for nas-ipaddress

Nelson Vale nelsonduvall at gmail.com
Tue Jul 28 22:57:08 CEST 2009


Have you tried it with "Fall-Through = No" or without "Fall-Through"?

http://freeradius.org/radiusd/man/users.html

2009/7/28 Miguel Miranda <miguel.mirandag at gmail.com>

> Me too, but my question is about the nas-ip-address entry that I posted as
> an example; according to the docs, all users should be accepted, no matter what
> user/pass combination they are using,
> and in my case freeradius rejects the access.
>
>
> On Tue, Jul 28, 2009 at 1:19 PM, Dimitrios Giannakopoulos <
> d.giannakop at gmail.com> wrote:
>
>> Hi Miranda
>> I use the same users file and authorization configuration (with sql)
>> and it works fine.
>>
>>
>> On Tue, Jul 28, 2009 at 9:28 PM, Miguel
>> Miranda<miguel.mirandag at gmail.com> wrote:
>> > Well, that is not the only NAS I have; the sql module is required for
>> > several other NAS and hotspot users...
>> >
>> > On Tue, Jul 28, 2009 at 12:25 PM, Dimitrios Giannakopoulos
>> > <d.giannakop at gmail.com> wrote:
>> >>
>> >> The problem is that the sql module returns reject
>> >> you can remove the sql from authorization
>> >>
>> >> On Tue, Jul 28, 2009 at 8:53 PM, Miguel
>> >> Miranda<miguel.mirandag at gmail.com> wrote:
>> >> > Hi, I want to accept all requests coming from a specific nas-ip-address;
>> >> > I used to configure it like this (in users file):
>> >> >
>> >> > DEFAULT NAS-IP-Address == "192.168.150.25", Auth-Type := Accept
>> >> >                 Fall-Through = Yes
>> >> > The above settings are not working now, this is the debug of a
>> >> > transaction:
>> >> >
>> >> > rad_recv: Access-Request packet from host 192.168.150.25 port 1645,
>> >> > id=52,
>> >> > length=94
>> >> >         NAS-IP-Address = 192.168.150.25
>> >> >         NAS-Port = 108
>> >> >         NAS-Port-Type = Async
>> >> >         User-Name = "123.com.sv"
>> >> >         Called-Station-Id = "22660321"
>> >> >         Calling-Station-Id = "22264218"
>> >> >         User-Password = "cisco"
>> >> >         Service-Type = Dialout-Framed-User
>> >> > +- entering group authorize {...}
>> >> > ++[preprocess] returns ok
>> >> > ++[chap] returns noop
>> >> > ++[mschap] returns noop
>> >> > [suffix] No '@' in User-Name = "123.com.sv", looking up realm NULL
>> >> > [suffix] No such realm "NULL"
>> >> > ++[suffix] returns noop
>> >> > [eap] No EAP-Message, not doing EAP
>> >> > ++[eap] returns noop
>> >> > ++[files] returns noop
>> >> >         expand: %{User-Name} -> 123.com.sv
>> >> > [sql] sql_set_user escaped user --> '123.com.sv'
>> >> > rlm_sql (sql): Reserving sql socket id: 22
>> >> >         expand: SELECT id, username, attribute, value, op           FROM
>> >> > radcheck           WHERE username = '%{SQL-User-Name}'           ORDER
>> >> > BY id
>> >> > -> SELECT id, username, attribute, value, op           FROM
>> >> > radcheck           WHERE username = '123.com.sv'           ORDER BY
>> >> > id
>> >> >         expand: SELECT groupname           FROM radusergroup
>> >> > WHERE
>> >> > username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
>> >> > groupname           FROM radusergroup           WHERE username =
>> >> > '123.com.sv'           ORDER BY priority
>> >> > rlm_sql (sql): Released sql socket id: 22
>> >> > [sql] User 123.com.sv not found
>> >> > ++[sql] returns notfound
>> >> > ++[expiration] returns noop
>> >> > ++[logintime] returns noop
>> >> > [pap] WARNING! No "known good" password found for the user.
>> >> > Authentication
>> >> > may fail because of this.
>> >> > ++[pap] returns noop
>> >> > No authenticate method (Auth-Type) configuration found for the request:
>> >> > Rejecting the user
>> >> > Failed to authenticate the user.
>> >> > Login incorrect: [123.com.sv/cisco] (from client tigo port 108 cli
>> >> > 22264218)
>> >> > Using Post-Auth-Type Reject
>> >> > +- entering group REJECT {...}
>> >> >         expand: %{User-Name} -> 123.com.sv
>> >> >  attr_filter: Matched entry DEFAULT at line 11
>> >> > ++[attr_filter.access_reject] returns updated
>> >> > Delaying reject of request 1 for 1 seconds
>> >> > Going to the next request
>> >> >
>> >> >
>> >> > I'm using freeradius 2 and daloradius 0.9, and this is an extract of the
>> >> > relevant radius.conf settings:
>> >> >
>> >> > authorize {
>> >> >         preprocess
>> >> >         chap
>> >> >         mschap
>> >> >         suffix
>> >> >         eap {
>> >> >                 ok = return
>> >> >         }
>> >> >
>> >> >         files
>> >> >         sql
>> >> >         expiration
>> >> >         logintime
>> >> >         pap
>> >> > }
>> >> >
>> >> >
>> >> >
>> >> > authenticate {
>> >> >         Auth-Type PAP {
>> >> >                 pap
>> >> >         }
>> >> >
>> >> >         Auth-Type CHAP {
>> >> >                 chap
>> >> >         }
>> >> >
>> >> >         Auth-Type MS-CHAP {
>> >> >                 mschap
>> >> >         }
>> >> >         eap
>> >> > }
>> >> >
>> >> >
>> >> > preacct {
>> >> >         preprocess
>> >> >         acct_unique
>> >> >         suffix
>> >> >         files
>> >> > }
>> >> >
>> >> > accounting {
>> >> >         detail
>> >> >         sql
>> >> >         attr_filter.accounting_response
>> >> > }
>> >> >
>> >> >
>> >> > session {
>> >> >         radutmp
>> >> > }
>> >> >
>> >> >
>> >> > post-auth {
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >         exec
>> >> >
>> >> >         Post-Auth-Type REJECT {
>> >> >                 attr_filter.access_reject
>> >> >         }
>> >> > }
>> >> >
>> >> > post-proxy {
>> >> >         eap
>> >> > }
>> >> >
>> >> >
>> >> > From the debug it appears that the users file is not being processed
>> >> > correctly,
>> >> > what should I check?
>> >> > regards
>> >> > Miguel Miranda
>> >> >
>> >> >
>> >> >
>> >> > -
>> >> > List info/subscribe/unsubscribe? See
>> >> > http://www.freeradius.org/list/users.html
>> >> >
>
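
An added example, not part of the original posts and not FreeRADIUS code: a small Python reader for the kind of debug trace quoted in this thread, which collects each module's return code per section and reports the two facts the trace shows (`files` returned `noop`, and no Auth-Type was set before the reject). The names `parse_trace` and `diagnose` are hypothetical, and the reading of `noop` from `files` as "no users entry matched" is an assumption about rlm_files.

```python
import re

# Constructed sample: module results copied from the debug output in this thread,
# with mail quote markers removed and the wrapped reject line rejoined.
SAMPLE = """\
+- entering group authorize {...}
++[preprocess] returns ok
++[eap] returns noop
++[files] returns noop
++[sql] returns notfound
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
+- entering group REJECT {...}
++[attr_filter.access_reject] returns updated
"""

QUOTE = re.compile(r"^(?:>+ ?)*")   # "> >> " prefixes when pasted from a reply
GROUP = re.compile(r"^\+- entering group (\S+)")
RESULT = re.compile(r"^\++\[([^\]]+)\] returns (\w+)")
NO_AUTH_TYPE = "No authenticate method (Auth-Type) configuration found"

def parse_trace(text):
    """Return ({section: [(module, rcode), ...]}, auth_type_missing)."""
    sections, current, missing = {}, None, False
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if (m := GROUP.match(line)):
            current = m.group(1)
            sections.setdefault(current, [])
        elif (m := RESULT.match(line)) and current is not None:
            sections[current].append((m.group(1), m.group(2)))
        elif line.startswith(NO_AUTH_TYPE):
            missing = True
    return sections, missing

def diagnose(text):
    """List what the authorize pass says about the users-file entry."""
    sections, missing = parse_trace(text)
    rcodes = dict(sections.get("authorize", []))
    findings = []
    # Assumption: rlm_files returns noop when no users entry matched the request.
    if rcodes.get("files") == "noop":
        findings.append("files: noop (no users entry applied)")
    if missing:
        findings.append("Auth-Type never set; request rejected")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```
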