file detail

by Alvaro Quiñones


Hi,
I run radiusd and the service comes up without errors; however, I try to see
the detail file and it does not appear.
/usr/local/var/log/radius/radacct/
Users are authenticating, but the detail file is not created. Why? Where is
the problem?
Thanks
Alvaro


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: file detail

by Alan DeKok

Alvaro Quiñones <aquino@...> wrote:
> I run radiusd and the service comes up without errors; however, I try to see
> the detail file and it does not appear.
> /usr/local/var/log/radius/radacct/
> Users are authenticating, but the detail file is not created. Why? Where is
> the problem?

  Is your NAS sending accounting packets?

  The server can only log to "detail" if it is sent data to log.

  Alan DeKok.

Question about Session start

by santy-3


Dear All,

I have implemented freeradius on a Redhat box, and I
have some questions about it. I have searched the web
but still can't find a clue, or I just missed it :(.
Also, my questions are:

1. How do we start the session? I have sent the
request to the server and got access_accepted. And as
far as I know, the session starts after we send the
accounting_request and get a response from the server.
The problem is how to do that using the command prompt. My
NAS is a Suse box.

I use this command to send the acct_request:
echo "User-Name= Anna"| radclient 10.1.0.76 acct -x testing123
Is that right? Or is there any place I can refer to
for using the radclient command?

2. Do I need to write an external script to run the
command? I want to use the session timeout,
but it still seems not to be working (because I don't know how
to start the session).

3. Where should I put the acc_type? Is it on the server
side or the NAS side?

I really hope someone can help me (please...)
Thanks a lot in advance.
Best Regards,
Santy


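An added example, not part of the original thread: the Accounting-Request with Acct-Status-Type = Start that a NAS sends to open a session (and that gives the server something to write to the detail file), built and checked in Python per RFC 2866. The User-Name and secret are taken from the radclient command above; the session ID, NAS address and function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4              # RFC 2866 packet code
USER_NAME, NAS_IP_ADDRESS = 1, 4    # attribute types
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_START, ACCT_STOP = 1, 2        # Acct-Status-Type values


def encode_attr(attr_type, value):
    """Encode one attribute as type (1 octet), length (1 octet), value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def build_accounting_request(ident, secret, user, session_id, status, nas_ip):
    """NAS side: build a signed Accounting-Request."""
    attrs = b"".join([
        encode_attr(USER_NAME, user.encode()),
        encode_attr(ACCT_STATUS_TYPE, struct.pack("!I", status)),
        encode_attr(ACCT_SESSION_ID, session_id.encode()),
        encode_attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator for accounting:
    # MD5(code + id + length + 16 zero octets + attributes + shared secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def check_accounting_request(packet, secret):
    """Server side: return (authenticator_ok, attributes keyed by type)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return hmac.compare_digest(expected, packet[4:20]), attrs


if __name__ == "__main__":
    # Constructed sample values: session ID and NAS address are placeholders.
    pkt = build_accounting_request(1, b"testing123", "Anna",
                                   "constructed-0001", ACCT_START, "192.0.2.10")
    ok, attrs = check_accounting_request(pkt, b"testing123")
    print("authenticator valid:", ok)
    print("Acct-Status-Type:", int.from_bytes(attrs[ACCT_STATUS_TYPE], "big"))
    print("Acct-Session-Id:", attrs[ACCT_SESSION_ID].decode())
    # A server holding a different secret cannot validate the same packet.
    print("with wrong secret:", check_accounting_request(pkt, b"other")[0])
```

A matching Stop record reuses the same Acct-Session-Id with `ACCT_STOP`, which is how the server pairs the two ends of a session.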

Freeradius authentication question

by Le Gal Philippe


Hi everybody,

I'm trying to authenticate users logging in to a machine using ssh. I have configured ssh & PAM on that server to authenticate against the radius server (Redhat Application Server 2.1).

Please find below the debug of the radius server as well as my conf files.

The Free radius server says:

Login incorrect: [test/\010\n\INCORRECT] (from client us067.eudra.org port 1500 cli 192.168.xx.xx)
  WARNING: Unprintable characters in the password. ?  Double-check the shared secret on the server and the NAS!

So I did. I checked the secrets on the server and they are *IDENTICAL*...

I used the NTRadPing utility with exactly the same parameters and it works absolutely fine!

Thank you for your help!

My /etc/raddb/server file (on the client machine):

[root@us067 root]# vi /etc/raddb/server
#  pam_radius_auth configuration file.  Copy to: /etc/raddb/server
#
#  For proper security, this file SHOULD have permissions 0600,
#  that is readable by root, and NO ONE else.  If anyone other than
#  root can read this file, then they can spoof responses from the server!
#
#  There are 3 fields per line in this file.  There may be multiple
#  lines.  Blank lines or lines beginning with '#' are treated as
#  comments, and are ignored.  The fields are:
#
#  server[:port] secret [timeout]
#
#  the port name or number is optional.  The default port name is
#  "radius", and is looked up from /etc/services The timeout field is
#  optional.  The default timeout is 3 seconds.
#
#  If multiple RADIUS server lines exist, they are tried in order.  The
#  first server to return success or failure causes the module to return
#  success or failure.  Only if a server fails to response is it skipped,
#  and the next server in turn is used.
#
#  The timeout field controls how many seconds the module waits before
#  deciding that the server has failed to respond.
#
# server[:port] shared_secret      timeout (s)
loginhost.eudra.org     philippe123456  1
#
# having localhost in your radius configuration is a Good Thing.
#
# See the INSTALL file for pam.conf hints.


clients.conf :

client us067.eudra.org {
        secret          = philippe123456
        shortname       = us067.eudra.org
}


[root@us072 raddb]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.51.67:2531, id=82, length=89
        User-Name = "test"
        User-Password = "\010\n\INCORRECT"
        NAS-IP-Address = 172.16.51.67
        NAS-Identifier = "sshd"
        NAS-Port = 1506
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "192.168.60.76"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 156
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: [test]: invalid password
  modcall[authenticate]: module "unix" returns reject for request 0
modcall: group authenticate returns reject for request 0
auth: Failed to validate the user.
Login incorrect: [test/\010\n\INCORRECT] (from client us067.eudra.org port 1506 cli 192.168.60.76)
  WARNING: Unprintable characters in the password. ?  Double-check the shared secret on the server and the NAS!
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 82 to 172.16.51.67:2531
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 82 with timestamp 43d0c994
Nothing to do.  Sleeping until we see a request.

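An added example, not part of the original post: how the User-Password attribute is hidden by the client and recovered by the server under RFC 2865 section 5.2, which is the step the "Unprintable characters" warning refers to. The client secret is the one shown in clients.conf above; the mismatching secret, the authenticator, the sample passwords and the function names are constructed for illustration.

```python
import hashlib

BLOCK = 16  # MD5 digest size; User-Password is processed in 16-octet blocks


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """Client/NAS side: hide a PAP password for the User-Password attribute."""
    if len(password) > 128 or len(authenticator) != BLOCK:
        raise ValueError("password over 128 octets or bad authenticator length")
    # Pad with NULs to a multiple of 16 octets (at least one block).
    padded = (password + bytes(-len(password) % BLOCK)) or bytes(BLOCK)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        # c(1) = p(1) XOR MD5(secret + RA); c(i) = p(i) XOR MD5(secret + c(i-1))
        block = _xor(padded[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def recover_password(hidden, secret, authenticator):
    """Server side: undo the hiding with the server's copy of the secret."""
    if not hidden or len(hidden) % BLOCK or len(authenticator) != BLOCK:
        raise ValueError("hidden password must be a multiple of 16 octets")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    # Trailing NULs are padding (a password ending in NUL is ambiguous).
    return clear.rstrip(b"\x00")


def is_printable(data):
    """True if every octet is printable ASCII."""
    return all(0x20 <= b < 0x7F for b in data)


if __name__ == "__main__":
    authenticator = bytes(range(16))        # constructed Request Authenticator
    client_secret = b"philippe123456"       # as in clients.conf on the page
    other_secret = b"philippe123457"        # constructed mismatch
    # Constructed sample modelled on the logged value: control bytes + text.
    submitted = b"\x08\nINCORRECT"

    wire = hide_password(submitted, client_secret, authenticator)
    same = recover_password(wire, client_secret, authenticator)
    diff = recover_password(wire, other_secret, authenticator)

    print("matching secret  :", same, "printable:", is_printable(same))
    print("mismatched secret:", diff, "printable:", is_printable(diff))
```

With the matching secret the server recovers the client's octets verbatim, control characters included; with a mismatched secret each block decodes to unrelated bytes. A readable word surviving in the decoded value therefore indicates what the client submitted, not a key mismatch.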

Re: Freeradius authentication question

by Kai Geek

Hello,
[root@us067 root]# vi /etc/raddb/server ??

the config file will this be ?
correct directory;

#vi /etc/raddb/clients.conf

oke.

Kai "Ozgur" Geek
Network Engineer
PGP ID: B1B63B6E

RE: Freeradius authentication question

by Le Gal Philippe


The PAM radius configuration file on the client machine should be located here: /etc/raddb/server (cf. pam radius INSTALL)

I can't see why the radius server cannot decrypt the password when I know my shared secret is absolutely identical on the client and on the radius server.

Anyone?

Philippe

-----Original Message-----
From:
freeradius-users-bounces+philippe.legal=emea.eu.int@...
[mailto:freeradius-users-bounces+philippe.legal=emea.eu.int@...
dius.org]On Behalf Of Kai Geek
Sent: 20 January 2006 12:00
To: FreeRadius users mailing list
Subject: Re: Freeradius authentication question


Hello,
[root@us067 root]# vi /etc/raddb/server ??

the config file will this be ?
correct directory;

#vi /etc/raddb/clients.conf

oke.

> --- Walking the entire request list ---
> Cleaning up request 0 ID 82 with timestamp 43d0c994
> Nothing to do.  Sleeping until we see a request.
>



+-+-+-+ BEGIN PGP SIGNATURE +-+-+-+
Version: GnuPG v1.4.2 (GNU/Linux)
   .-.      .-.    _              
   : :      : :   :_;            
 .-' : .--. : `-. .-. .--.  ,-.,-.
' .; :' '_.'' .; :: :' .; ; : ,. :
`.__.'`.__.'`.__.':_;`.__,_;:_;:_;

Kai "Ozgur" Geek
Network Engineer
PGP ID: B1B63B6E
+-+-+-+ END PGP SIGNATURE +-+-+-+



RE: Freeradius authentication question

by Kai Geek

hmm ok
a lot thank you..
regards :)

> ----- Original Message -----
> From: "Le Gal Philippe" <Philippe.LeGal@...>
> To: "FreeRadius users mailing list" <freeradius-users@...>
> Subject: RE: Freeradius authentication question
> Date: Fri, 20 Jan 2006 12:08:59 -0000
>
>
>
> The Pam radius configuration file on the client machine should be
> located here: /etc/raddb/server (cf pam radius INSTALL)
>
> I can't see why the radius server can not decrypt the password when
> I know my shared secret is absolutely identical on the client and
> on the radius server.
>
> Anyone ?
>
> Philippe
>
> -----Original Message-----
> From:
> freeradius-users-bounces+philippe.legal=emea.eu.int@...
> [mailto:freeradius-users-bounces+philippe.legal=emea.eu.int@...
> dius.org]On Behalf Of Kai Geek
> Sent: 20 January 2006 12:00
> To: FreeRadius users mailing list
> Subject: Re: Freeradius authentication question
>
>
> Hello,
> [root@us067 root]# vi /etc/raddb/server ??
>
> the config file will this be ?
> correct directory;
>
> #vi /etc/raddb/clients.conf
>
> oke.
>
> > ----- Original Message -----
> > From: "Le Gal Philippe" <Philippe.LeGal@...>
> > To: "FreeRadius users mailing list" <freeradius-users@...>
> > Subject: Freeradius authentication question Date: Fri, 20 Jan
> > 2006 11:34:51 -0000
> >
> >
> >
> > Hi everybody,
> >
> > I'm trying to authenticate users login in a machine using ssh. I
> > have configured ssh & PAM on that server to authenticate against
> > the radius server (Redhat Application Server 2.1).
> >
> > Please find below the debug of the radius server as well as my conf files.
> >
> > The Free radius server says :
> >
> > Login incorrect: [test/\010\n\INCORRECT] (from client
> > us067.eudra.org port 1500 cli 192.168.xx.xx)
> >    WARNING: Unprintable characters in the password. ?  
> > Double-check the shared secret on the server and the NAS!
> >
> > So did I . I checked the secrets on the server and they are *IDENTICAL*...
> >
> > I used the NTRadPing utility with exactly the same parameters and
> > it works absolutely fine !
> >
> > Thank you for your help !
> >
> > my /etc/raddb/server file : (on the client machine) :
> >
> > [root@us067 root]# vi /etc/raddb/server
> > #  pam_radius_auth configuration file.  Copy to: /etc/raddb/server
> > #
> > #  For proper security, this file SHOULD have permissions 0600,
> > #  that is readable by root, and NO ONE else.  If anyone other than
> > #  root can read this file, then they can spoof responses from the server!
> > #
> > #  There are 3 fields per line in this file.  There may be multiple
> > #  lines.  Blank lines or lines beginning with '#' are treated as
> > #  comments, and are ignored.  The fields are:
> > #
> > #  server[:port] secret [timeout]
> > #
> > #  the port name or number is optional.  The default port name is
> > #  "radius", and is looked up from /etc/services The timeout field is
> > #  optional.  The default timeout is 3 seconds.
> > #
> > #  If multiple RADIUS server lines exist, they are tried in order.  The
> > #  first server to return success or failure causes the module to return
> > #  success or failure.  Only if a server fails to response is it skipped,
> > #  and the next server in turn is used.
> > #
> > #  The timeout field controls how many seconds the module waits before
> > #  deciding that the server has failed to respond.
> > #
> > # server[:port] shared_secret      timeout (s)
> > loginhost.eudra.org     philippe123456  1
> > #
> > # having localhost in your radius configuration is a Good Thing.
> > #
> > # See the INSTALL file for pam.conf hints.
> >
> >
> > clients.conf :
> >
> > client us067.eudra.org {
> >          secret          = philippe123456
> >          shortname       = us067.eudra.org
> > }
> >
> >
> > [root@us072 raddb]# radiusd -X
> > Starting - reading configuration files ...
> > reread_config:  reading radiusd.conf
> > Config:   including file: /usr/local/etc/raddb/proxy.conf
> > Config:   including file: /usr/local/etc/raddb/clients.conf
> > Config:   including file: /usr/local/etc/raddb/snmp.conf
> > Config:   including file: /usr/local/etc/raddb/eap.conf
> > Config:   including file: /usr/local/etc/raddb/sql.conf
> >   main: prefix = "/usr/local"
> >   main: localstatedir = "/usr/local/var"
> >   main: logdir = "/usr/local/var/log/radius"
> >   main: libdir = "/usr/local/lib"
> >   main: radacctdir = "/usr/local/var/log/radius/radacct"
> >   main: hostname_lookups = no
> >   main: max_request_time = 30
> >   main: cleanup_delay = 5
> >   main: max_requests = 1024
> >   main: delete_blocked_requests = 0
> >   main: port = 0
> >   main: allow_core_dumps = no
> >   main: log_stripped_names = no
> >   main: log_file = "/usr/local/var/log/radius/radius.log"
> >   main: log_auth = yes
> >   main: log_auth_badpass = yes
> >   main: log_auth_goodpass = yes
> >   main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> >   main: user = "(null)"
> >   main: group = "(null)"
> >   main: usercollide = no
> >   main: lower_user = "no"
> >   main: lower_pass = "no"
> >   main: nospace_user = "no"
> >   main: nospace_pass = "no"
> >   main: checkrad = "/usr/local/sbin/checkrad"
> >   main: proxy_requests = yes
> >   proxy: retry_delay = 5
> >   proxy: retry_count = 3
> >   proxy: synchronous = no
> >   proxy: default_fallback = yes
> >   proxy: dead_time = 120
> >   proxy: post_proxy_authorize = yes
> >   proxy: wake_all_if_all_dead = no
> >   security: max_attributes = 200
> >   security: reject_delay = 1
> >   security: status_server = no
> >   main: debug_level = 0
> > read_config_files:  reading dictionary
> > read_config_files:  reading naslist
> > Using deprecated naslist file.  Support for this will go away soon.
> > read_config_files:  reading clients
> > read_config_files:  reading realms
> > radiusd:  entering modules setup
> > Module: Library search path is /usr/local/lib
> > Module: Loaded exec
> >   exec: wait = yes
> >   exec: program = "(null)"
> >   exec: input_pairs = "request"
> >   exec: output_pairs = "(null)"
> >   exec: packet_type = "(null)"
> > rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> > Module: Instantiated exec (exec)
> > Module: Loaded expr
> > Module: Instantiated expr (expr)
> > Module: Loaded PAP
> >   pap: encryption_scheme = "crypt"
> > Module: Instantiated pap (pap)
> > Module: Loaded CHAP
> > Module: Instantiated chap (chap)
> > Module: Loaded MS-CHAP
> >   mschap: use_mppe = yes
> >   mschap: require_encryption = no
> >   mschap: require_strong = no
> >   mschap: with_ntdomain_hack = no
> >   mschap: passwd = "(null)"
> >   mschap: authtype = "MS-CHAP"
> >   mschap: ntlm_auth = "(null)"
> > Module: Instantiated mschap (mschap)
> > Module: Loaded System
> >   unix: cache = no
> >   unix: passwd = "(null)"
> >   unix: shadow = "(null)"
> >   unix: group = "(null)"
> >   unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
> >   unix: usegroup = no
> >   unix: cache_reload = 600
> > Module: Instantiated unix (unix)
> > Module: Loaded eap
> >   eap: default_eap_type = "md5"
> >   eap: timer_expire = 60
> >   eap: ignore_unknown_eap_types = no
> >   eap: cisco_accounting_username_bug = no
> > rlm_eap: Loaded and initialized type md5
> > rlm_eap: Loaded and initialized type leap
> >   gtc: challenge = "Password: "
> >   gtc: auth_type = "PAP"
> > rlm_eap: Loaded and initialized type gtc
> >   mschapv2: with_ntdomain_hack = no
> > rlm_eap: Loaded and initialized type mschapv2
> > Module: Instantiated eap (eap)
> > Module: Loaded preprocess
> >   preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
> >   preprocess: hints = "/usr/local/etc/raddb/hints"
> >   preprocess: with_ascend_hack = no
> >   preprocess: ascend_channels_per_line = 23
> >   preprocess: with_ntdomain_hack = no
> >   preprocess: with_specialix_jetstream_hack = no
> >   preprocess: with_cisco_vsa_hack = no
> > Module: Instantiated preprocess (preprocess)
> > Module: Loaded realm
> >   realm: format = "suffix"
> >   realm: delimiter = "@"
> >   realm: ignore_default = no
> >   realm: ignore_null = no
> > Module: Instantiated realm (suffix)
> > Module: Loaded files
> >   files: usersfile = "/usr/local/etc/raddb/users"
> >   files: acctusersfile = "/usr/local/etc/raddb/acct_users"
> >   files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
> >   files: compat = "no"
> > Module: Instantiated files (files)
> > Module: Loaded Acct-Unique-Session-Id
> >   acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
> > Client-IP-Address, NAS-Port"
> > Module: Instantiated acct_unique (acct_unique)
> > Module: Loaded detail
> >   detail: detailfile =
> > "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> >   detail: detailperm = 384
> >   detail: dirperm = 493
> >   detail: locking = no
> > Module: Instantiated detail (detail)
> > Module: Loaded radutmp
> >   radutmp: filename = "/usr/local/var/log/radius/radutmp"
> >   radutmp: username = "%{User-Name}"
> >   radutmp: case_sensitive = yes
> >   radutmp: check_with_nas = yes
> >   radutmp: perm = 384
> >   radutmp: callerid = yes
> > Module: Instantiated radutmp (radutmp)
> > Listening on authentication *:1812
> > Listening on accounting *:1813
> > Ready to process requests.
> > rad_recv: Access-Request packet from host 172.16.51.67:2531, id=82, length=89
> >          User-Name = "test"
> >          User-Password = "\010\n\INCORRECT"
> >          NAS-IP-Address = 172.16.51.67
> >          NAS-Identifier = "sshd"
> >          NAS-Port = 1506
> >          NAS-Port-Type = Virtual
> >          Service-Type = Authenticate-Only
> >          Calling-Station-Id = "192.168.60.76"
> >    Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 0
> >    modcall[authorize]: module "preprocess" returns ok for request 0
> >    modcall[authorize]: module "chap" returns noop for request 0
> >    modcall[authorize]: module "mschap" returns noop for request 0
> >      rlm_realm: No '@' in User-Name = "test", looking up realm NULL
> >      rlm_realm: No such realm "NULL"
> >    modcall[authorize]: module "suffix" returns noop for request 0
> >    rlm_eap: No EAP-Message, not doing EAP
> >    modcall[authorize]: module "eap" returns noop for request 0
> >      users: Matched entry DEFAULT at line 156
> >    modcall[authorize]: module "files" returns ok for request 0
> > modcall: group authorize returns ok for request 0
> >    rad_check_password:  Found Auth-Type System
> > auth: type "System"
> >    Processing the authenticate section of radiusd.conf
> > modcall: entering group authenticate for request 0
> > rlm_unix: [test]: invalid password
> >    modcall[authenticate]: module "unix" returns reject for request 0
> > modcall: group authenticate returns reject for request 0
> > auth: Failed to validate the user.
> > Login incorrect: [test/\010\n\INCORRECT] (from client
> > us067.eudra.org port 1506 cli 192.168.60.76)
> >    WARNING: Unprintable characters in the password. ?  
> > Double-check the shared secret on the server and the NAS!
> > Delaying request 0 for 1 seconds
> > Finished request 0
> > Going to the next request
> > --- Walking the entire request list ---
> > Waking up in 1 seconds...
> > --- Walking the entire request list ---
> > Waking up in 1 seconds...
> > --- Walking the entire request list ---
> > Sending Access-Reject of id 82 to 172.16.51.67:2531
> > Waking up in 4 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 0 ID 82 with timestamp 43d0c994
> > Nothing to do.  Sleeping until we see a request.
> >


Re: Freeradius authentication question

by Alan DeKok

"Le Gal Philippe" <Philippe.LeGal@...> wrote:
> I'm trying to authenticate users login in a machine using ssh. I
> have configured ssh & PAM on that server to authenticate against the
> radius server (Redhat Application Server 2.1).
...
> The Free radius server says :
>
> Login incorrect: [test/\010\n\INCORRECT] (from client us067.eudra.org port 1500 cli 192.168.xx.xx)

  If that isn't the password you entered in SSH, then either SSH or
PAM is changing the password to that "INCORRECT" string.

  There's nothing you can do to FreeRADIUS to fix the problem.
Instead, find out why SSH or PAM is changing the password.

  Alan DeKok.
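
The reasoning in the reply above, as an added Python example (not code from the thread or from FreeRADIUS): RFC 2865 section 5.2 User-Password hiding, showing that a readable tail such as INCORRECT survives decoding only when client and server hold the same secret. The authenticator value, the exact unprintable bytes of the placeholder and all function names are assumptions made for the example.

```python
import hashlib

BLOCK = 16  # MD5 digest length and User-Password block size


def _xor_pad(block: bytes, secret: bytes, prev: bytes) -> bytes:
    """XOR one 16-octet block with MD5(secret + prev)."""
    pad = hashlib.md5(secret + prev).digest()
    return bytes(a ^ b for a, b in zip(block, pad))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client (NAS) side of RFC 2865 section 5.2."""
    if len(authenticator) != BLOCK or not 1 <= len(password) <= 128:
        raise ValueError("need a 16-octet authenticator and a 1..128 octet password")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        prev = _xor_pad(padded[i:i + BLOCK], secret, prev)  # c(i) feeds the next pad
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: decode with the server's own copy of the secret."""
    if (len(authenticator) != BLOCK or not hidden
            or len(hidden) % BLOCK or len(hidden) > 128):
        raise ValueError("malformed User-Password attribute")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        out += _xor_pad(block, secret, prev)
        prev = block
    return out.rstrip(b"\x00")


def diagnose(decoded: bytes, placeholder_tail: bytes = b"INCORRECT") -> str:
    """Classify a decoded password the way the thread reasons about the log line."""
    if all(32 <= b < 127 for b in decoded):
        return "printable"
    if decoded.endswith(placeholder_tail):
        return "client-sent-placeholder"   # secret matched; the client sent this string
    return "possible-secret-mismatch"      # every block decodes to garbage


# Constructed sample values (assumptions, not captured traffic).
SECRET = b"philippe123456"            # secret shown in the thread's config files
AUTHENTICATOR = bytes(range(16))      # constructed Request Authenticator
PLACEHOLDER = b"\b\n\r\x7fINCORRECT"  # assumed bytes behind the logged "\010\n\INCORRECT"

if __name__ == "__main__":
    on_wire = hide_password(PLACEHOLDER, SECRET, AUTHENTICATOR)
    print(diagnose(reveal_password(on_wire, SECRET, AUTHENTICATOR)))
    # A client whose secret is one character short: nothing readable survives.
    typo = reveal_password(
        hide_password(b"correct horse", b"philippe12345", AUTHENTICATOR),
        SECRET, AUTHENTICATOR)
    print(diagnose(typo), typo)
```

OpenSSH's PAM password path substitutes a fixed "\b\n\r\177INCORRECT" string when the login name is not a valid account on the sshd host, which is consistent with the log line in this thread.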


Re: Question about Session start

by Alan DeKok

San <san_sar@...> wrote:
> 1. How do we start the session? I have send the
> request to the server and got access_accepted.

  What program is sending the request?

> I use this command to send acct_request
> echo "User-Name= Anna"| radclient 10.1.0.76 acct -x
> testing123
> Is that right? or is there any place I can refer to
> use the radclient command?

  That's a good start.  Read the RFCs to see what attributes are
required in accounting packets.

> 2. Do I need to write external script to run the
> command?

  The same program that sends Access-Request should send
Accounting-Request.

  My suggestion is to buy the O'Reilly RADIUS book and read it.  It's
a good introduction to RADIUS, which you will need to solve your problems.

  Alan DeKok.
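
What the RFCs ask of an accounting packet, as an added Python example (not code from the thread, radclient or FreeRADIUS): it lists the attributes RFC 2866 requires in an Accounting-Request, builds a Start packet with the RFC 2866 Request Authenticator, and verifies it the way a server would. The NAS address, session id and function names are constructed for the example; the user name and secret are the ones quoted in the question.

```python
import hashlib
import hmac
import socket
import struct

# Attribute numbers from RFC 2865 / RFC 2866.
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "NAS-Identifier": 32,
        "Acct-Status-Type": 40, "Acct-Session-Id": 44}
ACCT_STATUS = {"Start": 1, "Stop": 2, "Interim-Update": 3}
ACCOUNTING_REQUEST = 4


def missing_required(attrs: dict) -> list:
    """Names of the attributes RFC 2866 requires that are absent from attrs."""
    missing = [n for n in ("Acct-Status-Type", "Acct-Session-Id") if n not in attrs]
    if "NAS-IP-Address" not in attrs and "NAS-Identifier" not in attrs:
        missing.append("NAS-IP-Address or NAS-Identifier")
    return missing


def _encode(name: str, value: str) -> bytes:
    """Encode one attribute as type, length, value."""
    if name == "NAS-IP-Address":
        data = socket.inet_aton(value)
    elif name == "Acct-Status-Type":
        data = struct.pack("!I", ACCT_STATUS[value])
    else:
        data = value.encode()
    if not 1 <= len(data) <= 253:
        raise ValueError("bad length for " + name)
    return bytes([ATTR[name], len(data) + 2]) + data


def build_accounting_request(ident: int, attrs: dict, secret: bytes) -> bytes:
    """Build an Accounting-Request; refuse to build one the RFC would not accept."""
    gaps = missing_required(attrs)
    if gaps:
        raise ValueError("missing: " + ", ".join(gaps))
    body = b"".join(_encode(n, v) for n, v in attrs.items())
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    # Request Authenticator = MD5(code + id + length + 16 zero octets + attrs + secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check of the Request Authenticator."""
    if len(packet) < 20:
        return False
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


# Constructed session-start attributes (NAS address and session id are samples).
START = {"User-Name": "Anna", "Acct-Status-Type": "Start",
         "Acct-Session-Id": "sess-0001", "NAS-IP-Address": "192.0.2.10"}

if __name__ == "__main__":
    print(missing_required({"User-Name": "Anna"}))  # the request from the question
    pkt = build_accounting_request(1, START, b"testing123")
    print(len(pkt), verify_accounting_request(pkt, b"testing123"))
```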
