Hi Pete,
The Service-Type matters only if you use it in your auth part. The reason you see "IAPP-Register" is due to radius dictionaries, responsible for translating between numbers and attributes (radius only transports numbers).
Regarding the problem of FreeRADIUS not authorizing the requests, I think it is a matter of which module you want to perform that, and configuring it properly. I would recommend running freeradius in debug mode (-X) and posting more info here.
Cheers, DanB
On Wed, May 28, 2008 at 10:02 AM, Pete Kay petedao@gmail.com wrote:
Hi, I am having a problem with configuring FreeRadius to authenticate username and password. I have tried to test freeradius with a test client and it works by sending the following message:

Ready to process requests.
User-Name = "1005@192.168.1.104"
User-Password = "1234"
Service-Type = Authenticate-Only
NAS-Port = 0
NAS-IP-Address = 127.0.0.1

The message that is sent by Openser is as follows:

Waking up in 1.9 seconds.
User-Name = "1005@192.168.1.104"
Digest-Attributes = 0x0a0631303036
Digest-Attributes = 0x010f3139322e3136382e312e313034
Digest-Attributes = 0x022a34383364376265396630623738663734363935343562386366373865303561316161623032633366
Digest-Attributes = 0x04137369703a3139322e3136382e312e313034
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "eb5f24a5563e9c1096855ef8b2c72d2b"
Service-Type = IAPP-Register
X-Ascend-PW-Lifetime = 825241654
NAS-Port = 5060
NAS-IP-Address = 127.0.0.1

Freeradius can't find the password and is rejecting users as a result of that. Also, is the Service-Type supposed to be Authenticate-Only instead? Is this something to do with my openser.cfg setup that is causing the problem?
Thanks in advance for your help.
Regards, Pete
Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users
Hi Dan,
Please kindly take a look at the following radius-X output. Thanks a lot for all your help.
User-Name = "1006@192.168.1.104"
Digest-Attributes = 0x0a0631303036
Digest-Attributes = 0x010f3139322e3136382e312e313034
Digest-Attributes = 0x022a34383364646135323939343738313830333633356136633964383131386336313039333930656461
Digest-Attributes = 0x04137369703a3139322e3136382e312e313034
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "1130e5ed3a8e7266cbe8fa9d4463fdf4"
Service-Type = IAPP-Register
X-Ascend-PW-Lifetime = 825241654
NAS-Port = 5060
NAS-IP-Address = 127.0.0.1
+- entering group authorize
++[preprocess] returns ok
expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080529
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080529
expand: %t -> Thu May 29 06:13:58 2008
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_digest: Adding Auth-Type = DIGEST
++[digest] returns ok
rlm_realm: Looking up realm "192.168.1.104" for User-Name = "1006@192.168.1.104"
rlm_realm: Found realm "192.168.1.104"
rlm_realm: Adding Stripped-User-Name = "1006"
rlm_realm: Adding Realm = "192.168.1.104"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
expand: %{Stripped-User-Name} -> 1006
expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> 1006
rlm_sql (sql): sql_set_user escaped user --> '1006'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1006' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1006' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '1006' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '1006' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '1006' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = '1006' ORDER BY priority
expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'openser' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'openser' ORDER BY id
rlm_sql (sql): User found in group openser
expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'openser' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'openser' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [1006@192.168.1.104/<via Auth-Type = Local>] (from client localhost port 5060)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> 1006@192.168.1.104
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 189 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 189
Waking up in 4.9 seconds.

User-Name = "1006@192.168.1.104"
Digest-Attributes = 0x0a0631303036
Digest-Attributes = 0x010f3139322e3136382e312e313034
Digest-Attributes = 0x022a34383364646135323939343738313830333633356136633964383131386336313039333930656461
Digest-Attributes = 0x04137369703a3139322e3136382e312e313034
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "1130e5ed3a8e7266cbe8fa9d4463fdf4"
Service-Type = IAPP-Register
X-Ascend-PW-Lifetime = 825241654
NAS-Port = 5060
NAS-IP-Address = 127.0.0.1
+- entering group authorize
++[preprocess] returns ok
expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080529
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080529
expand: %t -> Thu May 29 06:13:59 2008
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_digest: Adding Auth-Type = DIGEST
++[digest] returns ok
rlm_realm: Looking up realm "192.168.1.104" for User-Name = "1006@192.168.1.104"
rlm_realm: Found realm "192.168.1.104"
rlm_realm: Adding Stripped-User-Name = "1006"
rlm_realm: Adding Realm = "192.168.1.104"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
expand: %{Stripped-User-Name} -> 1006
expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> 1006
rlm_sql (sql): sql_set_user escaped user --> '1006'
rlm_sql (sql): Reserving sql socket id: 1
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1006' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1006' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '1006' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '1006' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '1006' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = '1006' ORDER BY priority
expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'openser' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'openser' ORDER BY id
rlm_sql (sql): User found in group openser
expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'openser' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'openser' ORDER BY id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [1006@192.168.1.104/<via Auth-Type = Local>] (from client localhost port 5060)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> 1006@192.168.1.104
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 190 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 190
Waking up in 3.9 seconds.
Pete,
This query should return an attribute named password, which will be used later for creating a digest hash and comparing it with the one received over the request: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1006' ORDER BY id. What does it return for you?
DanB
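
[Added example, not part of the original thread.] The check DanB describes, sketched in Python: decode the Digest-Attributes sub-attributes from the -X output and recompute the RFC 2617 digest response from a stored password or HA1. The function names are illustrative, the sub-attribute numbering is assumed to follow draft-sterman-aaa-sip, and the sample values are copied from the request and radcheck row posted in this thread.

```python
import hashlib
import hmac

# Assumption: sub-attribute numbers as defined by draft-sterman-aaa-sip.
SUBTYPES = {1: "realm", 2: "nonce", 3: "method", 4: "uri", 5: "qop",
            6: "algorithm", 7: "body-digest", 8: "cnonce", 9: "nc",
            10: "user-name"}

# Copied from the request for user 1006 shown in the thread.
SAMPLE_DIGEST_ATTRIBUTES = [
    "0x0a0631303036",
    "0x010f3139322e3136382e312e313034",
    "0x022a3438336464613532393934373831383033363335613663396438313138"
    "6336313039333930656461",
    "0x04137369703a3139322e3136382e312e313034",
    "0x030a5245474953544552",
]
SAMPLE_DIGEST_RESPONSE = "1130e5ed3a8e7266cbe8fa9d4463fdf4"


def decode_digest_attributes(hex_values):
    """Parse each value as type/length/value records (length covers the header)."""
    fields = {}
    for hex_value in hex_values:
        text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
        raw = bytes.fromhex(text)
        offset = 0
        while offset < len(raw):
            if len(raw) - offset < 2:
                raise ValueError("truncated sub-attribute header")
            subtype, length = raw[offset], raw[offset + 1]
            if length < 2 or offset + length > len(raw):
                raise ValueError(f"bad length {length} for sub-attribute {subtype}")
            name = SUBTYPES.get(subtype, f"unknown-{subtype}")
            fields[name] = raw[offset + 2:offset + length].decode("latin-1")
            offset += length
    return fields


def md5_hex(text):
    return hashlib.md5(text.encode("latin-1")).hexdigest()


def ha1_from_password(user, realm, password):
    """HA1 as RFC 2617 defines it; this is what a Digest-HA1 row would store."""
    return md5_hex(f"{user}:{realm}:{password}")


def expected_response(fields, ha1):
    """Recompute the response for algorithm MD5, with or without qop."""
    if fields.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only algorithm=MD5 is handled in this sketch")
    qop = fields.get("qop")
    ha2_input = f"{fields['method']}:{fields['uri']}"
    if qop == "auth-int":
        ha2_input += f":{fields['body-digest']}"
    ha2 = md5_hex(ha2_input)
    if qop:
        return md5_hex(f"{ha1}:{fields['nonce']}:{fields['nc']}:"
                       f"{fields['cnonce']}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{fields['nonce']}:{ha2}")


def verify(fields, response, *, cleartext=None, ha1=None):
    """Compare the client's Digest-Response with the recomputed value."""
    if ha1 is None:
        if cleartext is None:
            raise ValueError("need either a cleartext password or an HA1")
        ha1 = ha1_from_password(fields["user-name"], fields["realm"], cleartext)
    return hmac.compare_digest(expected_response(fields, ha1), response.lower())


if __name__ == "__main__":
    decoded = decode_digest_attributes(SAMPLE_DIGEST_ATTRIBUTES)
    for key, value in decoded.items():
        print(f"{key:10} = {value}")
    # "1234" is the Cleartext-Password value from the radcheck row in the thread.
    print("HA1 for a Digest-HA1 row:",
          ha1_from_password(decoded["user-name"], decoded["realm"], "1234"))
    print("logged response matches password 1234:",
          verify(decoded, SAMPLE_DIGEST_RESPONSE, cleartext="1234"))
```
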
Hi Dan,
It returns:

+----+----------+--------------------+-------+----+
| id | username | attribute          | value | op |
+----+----------+--------------------+-------+----+
|  3 | 1006     | Cleartext-Password | 1234  | := |
+----+----------+--------------------+-------+----+
Thanks for all your help.
Regards, Pete
Pete Kay writes:
It returns:

+----+----------+--------------------+-------+----+
| id | username | attribute          | value | op |
+----+----------+--------------------+-------+----+
|  3 | 1006     | Cleartext-Password | 1234  | := |
+----+----------+--------------------+-------+----+

I use encrypted passwords and the attribute then is Digest-HA1.
-- juha
Mine are clear since they are used by more than one app, so I have 'User-Password' as attribute. Not sure whether "Cleartext-Password" should do, since I did not play with the latest Freeradius yet, but you could try changing to either what Juha has or what I have.
DanB
Hi Dan, If I change the attribute to user-password, I still can't authenticate. It is so strange since I am able to authenticate using my test client.
Waking up in 4.9 seconds.
User-Name = "1006@192.168.1.104"
Digest-Attributes = 0x0a0631303036
Digest-Attributes = 0x010f3139322e3136382e312e313034
Digest-Attributes = 0x022a34383364653562636166376535646335323862373335643661393364363634636237376533396636
Digest-Attributes = 0x04137369703a3139322e3136382e312e313034
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "9b614ed006554a3a7ea094b14237dae9"
Service-Type = IAPP-Register
X-Ascend-PW-Lifetime = 825241654
NAS-Port = 5060
NAS-IP-Address = 127.0.0.1
+- entering group authorize
++[preprocess] returns ok
expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080529
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080529
expand: %t -> Thu May 29 07:02:41 2008
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_digest: Adding Auth-Type = DIGEST
++[digest] returns ok
rlm_realm: Looking up realm "192.168.1.104" for User-Name = "1006@192.168.1.104"
rlm_realm: Found realm "192.168.1.104"
rlm_realm: Adding Stripped-User-Name = "1006"
rlm_realm: Adding Realm = "192.168.1.104"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
expand: %{Stripped-User-Name} -> 1006
expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> 1006
rlm_sql (sql): sql_set_user escaped user --> '1006'
rlm_sql (sql): Reserving sql socket id: 1
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1006' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1006' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '1006' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '1006' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '1006' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = '1006' ORDER BY priority
expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'openser' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'openser' ORDER BY id
rlm_sql (sql): User found in group openser
expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'openser' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'openser' ORDER BY id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Local
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [1006@192.168.1.104/<via Auth-Type = Local>] (from client localhost port 5060)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> 1006@192.168.1.104
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 227 for 1 seconds
Going to the next request
But even if I change to Digest-HA1, I still can't authenticate:
Waking up in 0.8 seconds.
User-Name = "1006@192.168.1.104"
Digest-Attributes = 0x0a0631303036
Digest-Attributes = 0x010f3139322e3136382e312e313034
Digest-Attributes = 0x022a34383364653635643437393064306234623163626463333130653930633338383766393734653963
Digest-Attributes = 0x04137369703a3139322e3136382e312e313034
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "1a8ef3e9646fc8fba9eb9b50b1e0187e"
Service-Type = IAPP-Register
X-Ascend-PW-Lifetime = 825241654
NAS-Port = 5060
NAS-IP-Address = 127.0.0.1
+- entering group authorize
++[preprocess] returns ok
expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080529
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080529
expand: %t -> Thu May 29 07:05:22 2008
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_digest: Adding Auth-Type = DIGEST
++[digest] returns ok
rlm_realm: Looking up realm "192.168.1.104" for User-Name = "1006@192.168.1.104"
rlm_realm: Found realm "192.168.1.104"
rlm_realm: Adding Stripped-User-Name = "1006"
rlm_realm: Adding Realm = "192.168.1.104"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
expand: %{Stripped-User-Name} -> 1006
expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> 1006
rlm_sql (sql): sql_set_user escaped user --> '1006'
rlm_sql (sql): Reserving sql socket id: 1
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1006' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1006' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '1006' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '1006' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '1006' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = '1006' ORDER BY priority
expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'openser' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'openser' ORDER BY id
rlm_sql (sql): User found in group openser
expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'openser' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'openser' ORDER BY id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [1006@192.168.1.104/<via Auth-Type = Local>] (from client localhost port 5060)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> 1006@192.168.1.104
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 237 for 1 seconds
Hi Pete,
If it still does not work, can you post your radiusd.conf + sql.conf files somewhere?
Cheers, DanB
On Wed, May 28, 2008 at 5:12 PM, Pete Kay petedao@gmail.com wrote:
Hi Dan, If I change the attribute to user-password, I still can't authenticate. It is so strange since I am able to authenticate using my test client.
Waking up in 4.9 seconds. User-Name = "1006@192.168.1.104" Digest-Attributes = 0x0a0631303036 Digest-Attributes = 0x010f3139322e3136382e312e313034 Digest-Attributes = 0x022a34383364653562636166376535646335323862373335643661393364363634636237376533396636 Digest-Attributes = 0x04137369703a3139322e3136382e312e313034 Digest-Attributes = 0x030a5245474953544552 Digest-Response = "9b614ed006554a3a7ea094b14237dae9" Service-Type = IAPP-Register X-Ascend-PW-Lifetime = 825241654 NAS-Port = 5060 NAS-IP-Address = 127.0.0.1 +- entering group authorize ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080529 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/ 127.0.0.1/auth-detail-20080529 expand: %t -> Thu May 29 07:02:41 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_digest: Adding Auth-Type = DIGEST ++[digest] returns ok rlm_realm: Looking up realm "192.168.1.104" for User-Name = " 1006@192.168.1.104" rlm_realm: Found realm "192.168.1.104" rlm_realm: Adding Stripped-User-Name = "1006" rlm_realm: Adding Realm = "192.168.1.104" rlm_realm: Authentication realm is LOCAL. 
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
expand: %{Stripped-User-Name} -> 1006
expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> 1006
rlm_sql (sql): sql_set_user escaped user --> '1006'
rlm_sql (sql): Reserving sql socket id: 1
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1006' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1006' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '1006' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '1006' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '1006' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = '1006' ORDER BY priority
expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'openser' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'openser' ORDER BY id
rlm_sql (sql): User found in group openser
expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'openser' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'openser' ORDER BY id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Local
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [1006@192.168.1.104/<via Auth-Type = Local>] (from client localhost port 5060)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> 1006@192.168.1.104
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 227 for 1 seconds
Going to the next request
But even if I change to Digest-HA1, I still can't authenticate:
Waking up in 0.8 seconds.
User-Name = "1006@192.168.1.104"
Digest-Attributes = 0x0a0631303036
Digest-Attributes = 0x010f3139322e3136382e312e313034
Digest-Attributes = 0x022a34383364653635643437393064306234623163626463333130653930633338383766393734653963
Digest-Attributes = 0x04137369703a3139322e3136382e312e313034
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "1a8ef3e9646fc8fba9eb9b50b1e0187e"
Service-Type = IAPP-Register
X-Ascend-PW-Lifetime = 825241654
NAS-Port = 5060
NAS-IP-Address = 127.0.0.1
+- entering group authorize
++[preprocess] returns ok
expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080529
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080529
expand: %t -> Thu May 29 07:05:22 2008
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_digest: Adding Auth-Type = DIGEST
++[digest] returns ok
rlm_realm: Looking up realm "192.168.1.104" for User-Name = " 1006@192.168.1.104"
rlm_realm: Found realm "192.168.1.104"
rlm_realm: Adding Stripped-User-Name = "1006"
rlm_realm: Adding Realm = "192.168.1.104"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
expand: %{Stripped-User-Name} -> 1006
expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> 1006
rlm_sql (sql): sql_set_user escaped user --> '1006'
rlm_sql (sql): Reserving sql socket id: 1
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1006' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1006' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '1006' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '1006' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '1006' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = '1006' ORDER BY priority
expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'openser' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'openser' ORDER BY id
rlm_sql (sql): User found in group openser
expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'openser' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'openser' ORDER BY id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [1006@192.168.1.104/<via Auth-Type = Local>] (from client localhost port 5060)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> 1006@192.168.1.104
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 237 for 1 seconds
Hi Juha,
Are you suggesting to change attribute to Digest-HA1? How do you tell openser to send password in an encrypted format?
Thanks, Pete
On Wed, May 28, 2008 at 10:50 PM, Juha Heinanen jh@tutpro.com wrote:
Pete Kay writes:
It returns:
+----+----------+--------------------+-------+----+
| id | username | attribute          | value | op |
+----+----------+--------------------+-------+----+
|  3 | 1006     | Cleartext-Password | 1234  | := |
+----+----------+--------------------+-------+----+
i use encrypted passwords and attribute then is Digest-HA1.
-- juha
Pete Kay writes:
Are you suggesting to change attribute to Digest-HA1? How do you tell openser to send password in an encrypted format?
you don't need to tell openser anything about it. you just store into radcheck value field md5 of username:domain:password.
-- juha