New to FreeRadius and can't manage to get it to work for me
Moshe Sakajo
moshe_s at packetlight.com
Mon Aug 20 14:47:46 CEST 2018
Hi,
I am a QA Engineer and my purpose is to test that my boxes' RADIUS support feature is functioning right
and that it is OK with the most popular RADIUS servers.
One of our customers complained about the fact that he is not able to make our boxes authenticate against FreeRadius.
I have no experience with FreeRadius and I immediately found that it is not a Plug-and-Play RADIUS server like TekRADIUS (Windows).
With TekRADIUS I managed to authenticate a user that performs a login into our boxes. Actually it is almost Plug-and-Play.
I simply defined a Default (name of the client/group) with a secret and a vendor that is general (ietf)
then I defined 3 users (one for each of my privileges). Each user has two attributes:
1. User_Password with a type of Check; the Value is the password string
2. Class with a type of Success-Reply, which controls the privileges of the users. The Value is an integer (4/2/1)
I have set FreeRadius like this:
1. I added the following client to the clients.conf file
client 10.0.1.0/8 {
    secret = test
    nastype = other
}
2. I added a user into the users file
moshe Cleartext-Password := "moshe"
    Service-Type = "6"
3. The radius.conf was set with the following log {} settings
auth = yes
auth-goodpass = yes
With all of that said, I can also tell that the radius.log shows that the login attempts are OK, but I still
get Access denied from my device, like something is still missing.
Can you please tell me what might be missing? Thanks for the support
Here is the debug info
root@radius1:/etc/freeradius# freeradius -X
freeradius: FreeRADIUS Version 2.2.8, for host x86_64-pc-linux-gnu, built on Jul 26 2017 at 15:27:21
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/dhcp_sqlippool
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/radrelay
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/cache
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = yes
}
security {
max_attributes = 200
reject_delay = 1
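The two setups in the post return different reply attributes: Class from the TekRADIUS users, Service-Type from the FreeRADIUS users entry. The following is an added example, not part of the original post, that decodes Access-Accept packets per RFC 2865 so the replies from two servers can be compared attribute by attribute. The packets are constructed, and the wire encoding of the Class value (`b"4"`) is an assumption.

```python
import struct

# RFC 2865 packet codes and the attribute types relevant to the post.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTRS = {1: "User-Name", 6: "Service-Type", 18: "Reply-Message", 25: "Class"}
INTEGER_ATTRS = {6}  # Service-Type is a 32-bit integer; Class is opaque octets


def build_packet(code, ident, attrs, authenticator=b"\x00" * 16):
    """Build a RADIUS packet from (type, value-bytes) pairs (test data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Return (code name, {attribute name: [values]}) for one RADIUS packet."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + a_len]
        if a_type in INTEGER_ATTRS:
            if len(value) != 4:
                raise ValueError("integer attribute is not 4 bytes")
            value = struct.unpack("!I", value)[0]
        attrs.setdefault(ATTRS.get(a_type, f"Attr-{a_type}"), []).append(value)
        pos += a_len
    return CODES.get(code, f"Code-{code}"), attrs


def reply_diff(reply_a, reply_b):
    """Attribute names present in only one of two parsed replies."""
    return sorted(set(reply_a[1]) ^ set(reply_b[1]))


# Constructed replies: Class as in the TekRADIUS setup (encoding assumed),
# Service-Type = 6 as in the FreeRADIUS users entry.
tek_like = build_packet(2, 1, [(25, b"4")])
fr_like = build_packet(2, 1, [(6, struct.pack("!I", 6))])
```

Feed `parse_packet` the UDP payload of each server's reply taken from a packet capture, then pass both results to `reply_diff`.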