I can get Access-Accept but no Framed-IP-Address
Tevfik Ceydeliler
tevfik.ceydeliler at astron.yasar.com.tr
Tue Jan 26 15:37:51 CET 2010
Hi,
I have done a fresh install of freeradius (yes, I am a newbie). I am trying to give an IP address
to my authenticated users, who use a token as a password. But I still don't
understand why, although users can get access if the IP is in an IP pool,
other users can't get an IP address as a static one. What affects whether a user
takes an IP address as static or from a pool? What are the changes?
#users file:
tevfikceydeliler Proxy-To-Realm := 10.1.1.51
Framed-IP-Address := 172.30.64.20,
Framed-IP-Netmask := 255.255.255.255
In my case the user gets an Access-Accept but there is no IP address.
#Here is the log:
root at radiussql:/etc/freeradius# freeradius -X
FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Sep 17
2009 at 17:22:02
...
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/echo
...
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/ippool
...
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 10.65.8.100 {
require_message_authenticator = no
secret = "testing123"
shortname = "tceydelilerNB"
}
client 172.30.80.1 {
require_message_authenticator = no
secret = "1q2w3e4r"
shortname = "TurkcellGGSN"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
realm 10.1.1.51 {
authhost = 10.1.1.51:1812
secret = geheim
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan
"
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
}
}
}
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile =
"/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_ippool
Module: Instantiating TESTPOOL
ippool TESTPOOL {
session-db = "/etc/freeradius/db.ippool"
ip-index = "/etc/freeradius/db.ipindex"
key = "%{NAS-IP-Address} %{NAS-Port}"
range-start = 172.30.64.10
range-stop = 172.30.64.15
netmask = 255.255.240.0
cache-size = 6
override = yes
maximum-timeout = 0
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.65.8.100 port 59112, id=15,
length=108
User-Name = "tevfikceydeliler"
User-Password = "172987330606"
NAS-Identifier = "GGFILE02"
Called-Station-Id = "yasarapn"
Framed-Protocol = 0
Service-Type = 0
NAS-Port-Type = Virtual
Calling-Station-Id = "905308507313"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tevfikceydeliler", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry tevfikceydeliler at line 224
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 116 to 10.1.1.51 port 1812
User-Name = "tevfikceydeliler"
User-Password = "172987330606"
NAS-Identifier = "GGFILE02"
Called-Station-Id = "yasarapn"
Framed-Protocol = 0
Service-Type = 0
NAS-Port-Type = Virtual
Calling-Station-Id = "905308507313"
NAS-IP-Address = 10.65.8.100
Proxy-State = 0x3135
Proxying request 0 to home server 10.1.1.51 port 1812
Sending Access-Request of id 116 to 10.1.1.51 port 1812
User-Name = "tevfikceydeliler"
User-Password = "172987330606"
NAS-Identifier = "GGFILE02"
Called-Station-Id = "yasarapn"
Framed-Protocol = 0
Service-Type = 0
NAS-Port-Type = Virtual
Calling-Station-Id = "905308507313"
NAS-IP-Address = 10.65.8.100
Proxy-State = 0x3135
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 10.1.1.51 port 1812, id=116,
length=24
Proxy-State = 0x3135
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
+- entering group post-auth {...}
[TESTPOOL] Could not find Pool-Name attribute.
++[TESTPOOL] returns noop
++[exec] returns noop
Sending Access-Accept of id 15 to 10.65.8.100 port 59112
Finished request 0.
Going to the next request
Waking up in 4.9 seconds
And here is the packet analyzer output of the RADIUS part (I think numbers 8
and 9 are missing):
#Request:
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0xf (15)
Length: 108
Authenticator: 20202020202031323634353135343333
[The response to this request is in frame 4]
Attribute Value Pairs
AVP: l=18 t=User-Name(1): tevfikceydeliler
Length: 16
User-Name: tevfikceydeliler
AVP: l=18 t=User-Password(2): Encrypted
Length: 16
User-Password: \033b\273\326\245
AVP: l=10 t=NAS-Identifier(32): GGFILE02
Length: 8
NAS-Identifier: GGFILE02
AVP: l=10 t=Called-Station-Id(30): yasarapn
Length: 8
Called-Station-Id: yasarapn
AVP: l=6 t=Framed-Protocol(7): Unknown(0)
Length: 4
Framed-Protocol: Unknown (0)
AVP: l=6 t=Service-Type(6): Unknown(0)
Length: 4
Service-Type: Unknown (0)
AVP: l=6 t=NAS-Port-Type(61): Virtual(5)
Length: 4
NAS-Port-Type: Virtual (5)
AVP: l=14 t=Calling-Station-Id(31): 905308507313
Length: 12
Calling-Station-Id: 905308507313
#Answer:
Radius Protocol
Code: Access-Accept (2)
Packet identifier: 0xf (15)
Length: 20
Authenticator: 120DE5C52368150FB88F9EB91D31D80
[This is a response to a request in frame 1]
[time from request: 0.005307000 seconds]
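As an added example, not code from the post or from FreeRADIUS: the packet analyzer shows the Access-Accept at exactly 20 bytes, which is the RADIUS header alone (Code, Identifier, Length, Authenticator), so no Framed-IP-Address (attribute 8) or Framed-IP-Netmask (attribute 9) can be present in it. The Python below builds and parses RFC 2865 packets, checks the Response Authenticator the way a NAS should before trusting a reply, and reports whether a reply carries a Framed-IP-Address. The shared secret, request authenticator and identifier it uses are constructed values, not the ones from the post.

```python
"""Minimal RADIUS (RFC 2865) packet helpers used to inspect an Access-Accept.

Added example, not code from the post or from FreeRADIUS. The shared secret,
request authenticator and identifier below are constructed values.
"""
import hashlib
import ipaddress
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
# Standard attribute types from the RADIUS dictionary
USER_NAME, FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK, PROXY_STATE = 1, 8, 9, 33
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_avps(avps):
    """Serialise (type, value) pairs as Type | Length | Value attributes."""
    out = b""
    for attr_type, value in avps:
        if isinstance(value, str):
            value = value.encode()
        elif isinstance(value, ipaddress.IPv4Address):
            value = value.packed
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def decode_avps(data):
    """Walk the attribute area, rejecting truncated or zero-length entries."""
    avps, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        avps.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return avps


def build_response(code, ident, request_auth, avps, secret):
    """Build a reply whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_avps(avps)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_packet(pkt):
    """Split a packet into (code, identifier, authenticator, attribute list)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < HEADER_LEN or length > len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:HEADER_LEN], decode_avps(pkt[HEADER_LEN:length])


def verify_response(pkt, request_auth, secret):
    """A NAS should drop a reply whose Response Authenticator does not match."""
    _, _, auth, _ = parse_packet(pkt)
    length = struct.unpack("!H", pkt[2:4])[0]
    expected = hashlib.md5(
        pkt[:4] + request_auth + pkt[HEADER_LEN:length] + secret).digest()
    return auth == expected


def framed_ip(pkt):
    """Return the Framed-IP-Address in a reply as a string, or None if absent."""
    _, _, _, avps = parse_packet(pkt)
    for attr_type, value in avps:
        if attr_type == FRAMED_IP_ADDRESS and len(value) == 4:
            return str(ipaddress.IPv4Address(value))
    return None


# Constructed inputs: not the real secret or authenticator from the post.
SECRET = b"constructed-secret"
REQUEST_AUTH = bytes(range(16))


def demo():
    # Header-only Access-Accept: 20 bytes, exactly what the post's capture shows.
    bare = build_response(ACCESS_ACCEPT, 15, REQUEST_AUTH, [], SECRET)
    # An Access-Accept carrying the reply items the users file entry intended.
    with_ip = build_response(ACCESS_ACCEPT, 15, REQUEST_AUTH, [
        (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("172.30.64.20")),
        (FRAMED_IP_NETMASK, ipaddress.IPv4Address("255.255.255.255")),
    ], SECRET)
    return len(bare), framed_ip(bare), len(with_ip), framed_ip(with_ip)


if __name__ == "__main__":
    print(demo())  # (20, None, 32, '172.30.64.20')
```

Running `demo()` shows the two shapes side by side: the header-only reply (20 bytes, no address) and a reply with the two 6-byte IP attributes (32 bytes). `verify_response` is the check a client should apply before acting on any Access-Accept, since a reply that fails the authenticator check carries no authority regardless of which attributes it contains.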