Freeradius-Users Digest, Vol 113, Issue 86

KAVYA PRABHAKAR kavyamelinmaneprabhakar at gmail.com
Mon Sep 22 11:00:16 CEST 2014


Hi,

"If you check rad client from remote machine the case will be different."

I have bound my Radius client ip and port in clients.conf and in
radiusd.conf.

My radius server and client are present in two different PCs. Will that be a
problem?

Now in debug mode log looks like this:

Cleaning up request 33 ID 108 with timestamp 541fd188
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.253.6.11:1645, id=1, length=53
        NAS-IP-Address = 11.6.253.10
        User-Name = "raduser"
        User-Password = "k\014%\220\2779\213\203\307\030\222\364\004qM\223"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 34
  modcall[authorize]: module "preprocess" returns ok for request 34
radius_xlat:  '../var/log/radius/radacct/10.253.6.11/auth-detail-20140922.log'
rlm_detail: ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/10.253.6.11/auth-detail-20140922.l
  modcall[authorize]: module "auth_log" returns ok for request 34
  modcall[authorize]: module "chap" returns noop for request 34
  modcall[authorize]: module "mschap" returns noop for request 34
    rlm_realm: No '@' in User-Name = "raduser", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 34
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 34
    users: Matched entry DEFAULT at line 170
  modcall[authorize]: module "files" returns ok for request 34
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 34
modcall: leaving group authorize (returns ok) for request 34
  rad_check_password:  Found Auth-Type System
auth: type "System"
  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action.
auth: Failed to validate the user.
Login incorrect:
[raduser/k\014%\220\2779\213\203\307\030\222\364\004qM\223] (from client private-network-3 port 0)
  WARNING: Unprintable characters in the password. ?  Double-check the shared secret on the server and the NAS!
Delaying request 34 for 1 seconds
Finished request 34
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 1 to 10.253.6.11 port 1645
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 10.253.6.11:1645, id=1, length=53
Sending duplicate reply to client private-network-3:1645 - ID: 1
Re-sending Access-Reject of id 1 to 10.253.6.11 port 1645
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 34 ID 1 with timestamp 541fd3a6
Nothing to do.  Sleeping until we see a request.


Thanks,
Kavya


On Mon, Sep 22, 2014 at 1:57 PM, <
freeradius-users-request at lists.freeradius.org> wrote:

>
> Today's Topics:
>
>    1. Re: Beginner need help (Himanshu Pandey) (KAVYA PRABHAKAR)
>    2. Re: Beginner need help (Himanshu Pandey) (Amit Linux)
>    3. 3.0.4: proxy-to-vserver and proxied post-auth? (Stefan Winter)
>    4. Re: Beginner need help (Himanshu Pandey) (A.L.M.Buxey at lboro.ac.uk)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 22 Sep 2014 13:10:54 +0530
> From: KAVYA PRABHAKAR <kavyamelinmaneprabhakar at gmail.com>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: Beginner need help (Himanshu Pandey)
> Message-ID:
>         <CANpdVrz8yFuvUP55vtjdiX0hBRq6RQQ5wajb94LsJ=-
> 2XWHYxw at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> I am a beginner. I installed Freeradius on my Windows PC.
> With default configuration it works as expected.
>
> Now I have a RADIUS client which will send request to server and I want
> server to authenticate the same.
>
> I should be changing users.conf
>
> raduser User-Password == "Password"
>  where User-name = "raduser" and Password = "Password"
>
> I will have to change clients.conf as well.
>
> client <ipaddr/mask>{
>   secret = secret
>   shortname = client name  # what is the significance of shortname
> }
>
> In radiusd.conf, I have changed to which Ip and port RADIUS server has to
> listen to. (optional)
>
> After doing respective changes, I will execute following command:
>
> radtest raduser Password 10.253.6.11 1812 Password
>
> The result is as follows:
>
> C:\FreeRADIUS.net\bin>radclient.exe -d ..\etc\raddb -f radtest.txt -x -s 127.1 auth testing123
> Sending Access-Request of id 108 to 127.0.0.1 port 1812
>         User-Name = "testuser"
>         User-Password = "testpw"
>         NAS-IP-Address = 127.0.0.1
>         NAS-Port = 123
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=108, length=20
>
>            Total approved auths:  1
>              Total denied auths:  0
>                Total lost auths:  0
>
> Here I would like to know why I am getting a reply from 127.0.0.1 when I have
> explicitly asked to receive from 10.253.6.11
>
> PFA the debug log.
>
> Thanks in advance,
> Kavya
>
> ------------------------------
>
> Message: 2
> Date: Mon, 22 Sep 2014 13:40:23 +0530
> From: Amit Linux <amitbutere64 at gmail.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Beginner need help (Himanshu Pandey)
> Message-ID: <1A3C9BD9-2C19-419E-9A8D-2C7FD6DF5ABD at gmail.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi Kavya,
>
> You can bind radius on specific ip to have response from particular ip.
> If you check rad client from remote machine the case will be different.
>
> Regards
> Amit B.
> HTH
> Sent from my iPhone
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 22 Sep 2014 10:24:35 +0200
> From: Stefan Winter <stefan.winter at restena.lu>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: 3.0.4: proxy-to-vserver and proxied post-auth?
> Message-ID: <541FDCC3.8040602 at restena.lu>
> Content-Type: text/plain; charset="utf-8"
>
> Hello,
>
> I've migrated almost all my virtual servers - but one - to 3.0.4.
>
> There's one thing which I had expected to work, but it doesn't, but I do
> recall some discussions around this on the list; but not what the final
> verdict was.
>
> My proxied-to vserver needs to do some stuff in post-auth. However it
> looks like post-auth is not actually called; instead, only the post-auth
> of the original vserver is.
>
> Is that desired/expected behaviour in 3.0.4?
>
> The symptoms of this boil down to these two lines:
>
> Debug: (55) modsingle[authenticate]: returned from pap (rlm_pap) for request 55
> Debug: (55)   [pap] = ok
> Debug: (55)  } # Auth-Type PAP = ok
> Debug: (55) Empty post-proxy section.  Using default return values.
> Debug: (55) Found Auth-Type = Accept
> Debug: (55) Auth-Type = Accept, accepting the user
> Debug: (55) # Executing section post-auth from file /usr/local/freeradius/config/raddb/sites-enabled/AAI
>
> The PAP instance there is the one from the proxied-to vserver; must be,
> as it knows my password and the retrieval of that password is unique to
> the vserver in question.
>
> The next line speaks about empty post-proxy; that looks like the initial
> vserver kicks in right after authenticate { } with its PAP is finished.
>
> It then executes post-auth from the initial vserver, not the one from
> proxied-to (the proxied-to vserver is called "staff", not "AAI"). That's
> not helpful for my setup :-(
>
> So... just wondering if this is a bug or if I'm going to need a majorish
> rethink of my post-auth logic here...
>
> Greetings,
>
> Stefan Winter
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>
> ------------------------------
>
> Message: 4
> Date: Mon, 22 Sep 2014 08:27:20 +0000
> From: A.L.M.Buxey at lboro.ac.uk
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Beginner need help (Himanshu Pandey)
> Message-ID: <20140922082720.GA2282 at lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> >    Here I would like to know why am I getting reply from 127.0.0.1 when I
> >    have explicitly asked to receive from 10.253.6.11
>
> no you haven't. you've just added 10.253.6.11 as a possible client.  if you
> only want to receive from the interface/IP then change the listen directive
> in the config so that it doesn't listen on 127.0.0.1
>
> alan
>
>
> ------------------------------
>
>
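
The "Unprintable characters in the password" warning in the debug log at the top of this message is typically what a server sees when it un-hides User-Password with a different shared secret than the NAS used to hide it (RFC 2865, section 5.2). The Python sketch below is an added example, not part of the original thread and not FreeRADIUS code; the authenticator, the password and both secrets are constructed sample values.

```python
import hashlib

# Constructed sample values for the demonstration (assumptions, not from a capture).
AUTHENTICATOR = bytes(range(16))   # 16-byte Request Authenticator
NAS_SECRET = b"secret"             # what the NAS is configured with
SERVER_SECRET = b"testing123"      # what the server has for that client


def blocks(data: bytes):
    """Split data into 16-byte chunks, the MD5 digest size."""
    return [data[i:i + 16] for i in range(0, len(data), 16)]


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: pad to a multiple of 16 and XOR with chained MD5 masks."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = authenticator, b""
    for block in blocks(padded):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(block, mask))  # ciphertext block
        out += prev
    return out


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same masks, chained on the previous ciphertext block."""
    prev, out = authenticator, b""
    for block in blocks(hidden):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def secret_probably_wrong(recovered: bytes) -> bool:
    """Heuristic behind the server warning: non-printable bytes in the result."""
    return any(b < 0x20 or b > 0x7E for b in recovered)


if __name__ == "__main__":
    hidden = hide_password(b"Password", NAS_SECRET, AUTHENTICATOR)
    for name, secret in (("matching", NAS_SECRET), ("mismatched", SERVER_SECRET)):
        got = recover_password(hidden, secret, AUTHENTICATOR)
        print(name, repr(got), "suspect secret:", secret_probably_wrong(got))
```

The garbled User-Password in the log above is 16 bytes long, one full hidden block, which is what a failed un-hiding of a short password looks like.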