Help with Radius errors
Philip Bellino
pbellino at mrv.com
Fri May 15 15:10:59 CEST 2015
Alan,
I changed the == to = for all entries in the users file and added the BEGIN-VENDOR and END-VENDOR in our dictionary.mrv file (thanks Herwin) and now it all performs perfectly.
Thanks for all your help.
Phil
-----Original Message-----
From: Philip Bellino
Sent: Friday, May 15, 2015 9:03 AM
To: 'FreeRadius users mailing list'
Subject: RE: Help with Radius errors
Alan,
I sent it as an attachment.
I will include it here inline:
#
# dictionary.mrv
#
# Version:$Id: dictionary.mrv,v 1.0 2002/11/12 15:44:38 nminka Exp $
#
VENDOR MRV 33
ATTRIBUTE MRV-Remote-Access-List 1 string MRV
ATTRIBUTE MRV-Port-Access-List 2 string MRV
ATTRIBUTE MRV-Outlet-Access-List 3 string MRV
ATTRIBUTE MRV-Outlet-Group-Access-List 4 string MRV
ATTRIBUTE MRV-Login-Mode 5 string MRV
ATTRIBUTE MRV-Menu-Name 6 string MRV
ATTRIBUTE MRV-Web-Menu-Name 7 string MRV
ATTRIBUTE MRV-Security-Level 8 string MRV
ATTRIBUTE MRV-User-Prompt 9 string MRV
ATTRIBUTE MRV-Command-Logging 10 string MRV
ATTRIBUTE MRV-Audit-Logging 11 string MRV
ATTRIBUTE MRV-Web-Login-Mode 12 string MRV
ATTRIBUTE MRV-Connect-Escape-Char 13 string MRV
ATTRIBUTE MRV-Port-ReadOnly-List 14 string MRV
#
ATTRIBUTE MRV-Acct-Command-Log 100 string MRV
ATTRIBUTE MRV-Acct-Audit-Log 101 string MRV
-----Original Message-----
From: Philip Bellino
Sent: Friday, May 15, 2015 8:50 AM
To: 'FreeRadius users mailing list'
Subject: RE: Help with Radius errors
Alan,
I attached an edited dictionary.mrv by mistake. I attached our original one for you here.
My apologies.
Phil
-----Original Message-----
From: Philip Bellino
Sent: Friday, May 15, 2015 6:08 AM
To: FreeRadius users mailing list
Subject: RE: Help with Radius errors
Alan,
Your points are well taken. Thank you.
We commented out including our dictionary.mrv file (attached) in dictionary and references to our attributes in the users file, and now Radius authentication succeeds.
Here is an entry in the users file that used our attributes successfully in freeradius 2.1.1:
###################################
# MRV Vendor Specific Testing
###################################
zeus    Cleartext-Password := "dog"
        Service-Type == NAS-Prompt-User,
        Idle-Timeout == 60,
        MRV-Login-Mode == "cli",
        MRV-Security-Level == "outlet shell",
        MRV-Command-Logging == "syslog",
        MRV-Audit-Logging == "syslog",
        MRV-User-Prompt == "zeus",
        MRV-Menu-Name == "/config/M_demo_menu",
        MRV-Web-Menu-Name == "/config/M_demo_menu",
        MRV-Port-Access-List == "2 4",
        MRV-Remote-Access-List == "telnet",
        MRV-Outlet-Access-List == "3:1 4:1",
        MRV-Outlet-Group-Access-List == "2"
If you can point me in the right direction with regards to what I need to change to use our dictionary attributes, I would appreciate it.
Thanks again,
Phil
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+pbellino=mrv.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Thursday, May 14, 2015 4:02 PM
To: FreeRadius users mailing list
Subject: Re: Help with Radius errors
On May 14, 2015, at 3:40 PM, Philip Bellino <pbellino at mrv.com> wrote:
> Due to a hard disk crash we had to replace our radius server PC. Our
> newer PC is running Fedora Core 21. We then downloaded the FreeRadius
> 3.0.8 tar.gz file, built and installed it. We now cannot get past the following errors (in bold below).
> We have tried reconfiguring the shared secret as suggested, on the
> server (editing the clients.conf file and retyping the secret) and the client side but still get these errors.
I think you've broken something.
> In the 2.1.1 version, the only files we changed were "radiusd.conf", "clients.conf" and "users" and added our own dictionary file.
> So for 3.0.8, we followed suit.
What did you put into the dictionary file?
>
> Ready to process requests
> (0) Received Access-Request Id 24 from 10.242.135.17:1026 to 10.242.135.10:1812 length 68
> (0) MRV-Remote-Access-List = 'gina'
> (0) MRV-Outlet-Group-Access-List = ' ???'
> (0) MRV-Login-Mode = '
> (0) NAS-Port-Type = Virtual
> (0) MRV-Port-Access-List = '^????D???a????S?'
> (0) MRV-Menu-Name = '
What are those attributes? They are NOT standard RADIUS attributes. There is no User-Name in the packet, which is typically required. There is no User-Password in the packet, which is also typically required.
> (0) WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
That message is printed ONLY if there's a User-Password in the attribute.
So... you've done something, and broken the server. The short answer is "don't do that".
Go back to the default configuration. i.e. back out ALL of your local changes. Check that you can get users authenticated, by adding a Cleartext-Password for that user. Check that it works with radtest. Then, make another change.
You've fallen into the trap of "make 100 changes, and then something doesn't work". You'll never get it debugged doing that.
Make ONE change. Test it. Make ANOTHER change. Test it. This is all documented in "man radiusd".
And post your dictionary here. Odds are it poaches on the standard space, and breaks all of RADIUS.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
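Added example (not part of the original thread and not FreeRADIUS code): a small linter for the two mistakes this thread ended up fixing, vendor ATTRIBUTE lines defined outside a BEGIN-VENDOR/END-VENDOR block, which land on standard numbers such as 1 (User-Name) and 2 (User-Password) as seen in the debug output above, and `==` on reply lines of the users file. The function names, the `STANDARD` table (a subset of RFC 2865) and the shortened sample inputs are assumptions made for illustration.

```python
# Added example: lint a FreeRADIUS dictionary and users file for the two
# mistakes fixed in this thread. Not FreeRADIUS code; names are hypothetical.

# Subset of the RFC 2865 standard attribute numbers (enough for this thread).
STANDARD = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password",
            4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type"}

def lint_dictionary(text):
    """Flag ATTRIBUTE lines outside BEGIN-VENDOR/END-VENDOR that land in 1-255."""
    findings, vendor = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()      # drop comments, split on whitespace
        if not f:
            continue
        kw = f[0].upper()
        if kw == "BEGIN-VENDOR" and len(f) > 1:
            vendor = f[1]
        elif kw == "END-VENDOR":
            vendor = None
        elif kw == "ATTRIBUTE" and len(f) >= 4 and vendor is None and f[2].isdigit():
            num = int(f[2])
            if 1 <= num <= 255:               # collides with the standard space
                findings.append((no, f[1], num, STANDARD.get(num, "standard space")))
    return findings

def lint_users_reply(text):
    """Flag indented (reply) lines of a users file that use the == comparison operator."""
    return [(no, raw.split()[0]) for no, raw in enumerate(text.splitlines(), 1)
            if raw[:1] in (" ", "\t") and len(raw.split()) > 1 and raw.split()[1] == "=="]

# Sample input: first lines of the dictionary.mrv posted in the thread, then the
# same lines wrapped in a vendor block (the fix reported at the top of the thread).
BROKEN = """VENDOR MRV 33
ATTRIBUTE MRV-Remote-Access-List 1 string MRV
ATTRIBUTE MRV-Port-Access-List 2 string MRV
"""
FIXED = """VENDOR MRV 33
BEGIN-VENDOR MRV
ATTRIBUTE MRV-Remote-Access-List 1 string MRV
ATTRIBUTE MRV-Port-Access-List 2 string MRV
END-VENDOR MRV
"""
# Constructed users entry: one reply line with ==, one with =.
USERS = 'zeus Cleartext-Password := "dog"\n\tIdle-Timeout == 60,\n\tMRV-Login-Mode = "cli"\n'

if __name__ == "__main__":
    for finding in lint_dictionary(BROKEN):
        print("line %d: %s takes number %d (%s)" % finding)
    print(lint_users_reply(USERS))
```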