FreeRADIUS 3, FreeBSD, eDirectory

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

FreeRADIUS 3, FreeBSD, eDirectory

Marco Pirovano
Hello list,

we are using FreeRADIUS to authenticate students wireless access.
It's FreeRADIUS Version 2.2.8 running on FreeBSD 9.2-STABLE.

Our LDAP server is eDirectory version 8.8


Now, we are upgrading to FreeRADIUS 3.0.15 (installed from ports) running on FreeBSD 11.1-RELEASE.
LDAP is always eDirectory 8.8.

The bind to LDAP server it's ok, but the user is not authenticate, the error is:

  Invalid user (eDirectory-ICT: Failed to retrieve eDirectory password: (80) Other (e.g., implementation specific) error):


This is the ldap module configuration:

#
# ICT per test
#
ldap eDirectory-ICT {
        server = 'ldaps.unibocconi.it'
        port = 636

        identity = 'cn=yyyyyyyyy,ou=Servers,o=INetServices'
        password = xxxxxxx

        base_dn = 'ou=Faculty-Staff,ou=Bocconi,o=INetServices'

        edir = yes
        edir_autz = no

        #
        #  User object identification.
        #
        user {
                base_dn = "${..base_dn}"
                filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
        }

        #
        #  User membership checking.
        #
        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=posixGroup)'
                membership_attribute = 'memberOf'
        }

        #
        #  User profiles.
        #
        profile {
                filter = '(objectclass=radiusprofile)'
        }

        #
        #  Bulk load clients from the directory
        #
        client {
                base_dn = "${..base_dn}"
                filter = '(objectClass=radiusClient)'
                template {
                }
                attribute {
                        ipaddr = 'radiusClientIdentifier'
                        secret = 'radiusClientSecret'
                }
        }

        read_clients = no

        accounting {
                reference = "%{tolower:type.%{Acct-Status-Type}}"

                type {
                        start {
                                update {
                                        description := "Online at %S"
                                }
                        }

                        interim-update {
                                update {
                                        description := "Last seen at %S"
                                }
                        }

                        stop {
                                update {
                                        description := "Offline at %S"
                                }
                        }
                }
        }

        #
        #  Post-Auth can modify LDAP objects too
        #
        post-auth {
                update {
                        description := "Authenticated at %S"
                }
        }

        #
        #  LDAP connection-specific options.
        #
        options {
                chase_referrals = yes
                rebind = yes
                res_timeout = 10
                srv_timelimit = 3
                net_timeout = 1
                idle = 60
                probes = 3
                interval = 3
                ldap_debug = 0x0028
        }

        #
        #  This subsection configures the tls related items
        #  that control how FreeRADIUS connects to an LDAP
        #  server.
        #
        tls {
                start_tls = no
                ca_file = ${certdir}/DigiCertAssuredIDRootCA-TERENA-CA3.crt
                ca_path = ${certdir}
                certificate_file = ${certdir}/ldaps.unibocconi.it.crt
                private_key_file = ${certdir}/ldaps.unibocconi.it.key
                random_file = /dev/urandom
                require_cert = 'demand'
        }

        #
        #  ldap_connections_number
        #
        pool {
                start = ${thread[pool].start_servers}
                min = ${thread[pool].min_spare_servers}
                max = ${thread[pool].max_servers}
                spare = ${thread[pool].max_spare_servers}
                uses = 0
                retry_delay = 30
                lifetime = 0
                idle_timeout = 60
        }
}

What's wrong ?

Thanks for your help.

Ciao
Marco
--
Marco Pirovano
Infrastrutture e Tecnologie
Information and Communication Technology
Universita' Bocconi
via Gobbi, 5 - 20136 Milano
Tel. +39 02 5836.3173  Fax. +39 02 5836.3160

Windows makes noise, Linux plays music,
but BSD Rocks!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: FreeRADIUS 3, FreeBSD, eDirectory

arr2036

> On Aug 1, 2017, at 11:29 AM, Marco Pirovano <[hidden email]> wrote:
>
> Hello list,
>
> we are using FreeRADIUS to authenticate students wireless access.
> It's FreeRADIUS Version 2.2.8 running on FreeBSD 9.2-STABLE.
>
> Our LDAP server is eDirectory version 8.8
>
>
> Now, we are upgrading to FreeRADIUS 3.0.15 (installed from ports) running on FreeBSD 11.1-RELEASE.
> LDAP is always eDirectory 8.8.
>
> The bind to LDAP server it's ok, but the user is not authenticate, the error is:
>
>  Invalid user (eDirectory-ICT: Failed to retrieve eDirectory password: (80) Other (e.g., implementation specific) error):
>
Have you enabled universal password?

https://www.netiq.com/documentation/edir_radius/pdfdoc/radiusadmin/radiusadmin.pdf

-Arran

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

signature.asc (859 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: FreeRADIUS 3, FreeBSD, eDirectory

Marco Pirovano
Hi Arran,

yes, the universal password is enabled and is working with FR2.

The problem is with FR3.

On FR2 in debug mode:

The client:

[root@cariddi:~] radtest -x pirovano xxxxxxxx 10.5.255.241 1 yyyyyyyy
Sending Access-Request of id 97 to 10.5.255.241 port 1812
        User-Name = "pirovano"
        User-Password = "xxxxxxxx"
        NAS-IP-Address = 10.5.255.241
        NAS-Port = 1
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 10.5.255.241 port 1812, id=97, length=20

The FR2:

 [eDirectory-UNI] ldap_get_conn: Checking Id: 0
  [eDirectory-UNI] ldap_get_conn: Got Id: 0
  [eDirectory-UNI] attempting LDAP reconnection
  [eDirectory-UNI] (re)connect to ldap.unibocconi.it:389, authentication 0
  [eDirectory-UNI] starting TLS
  [eDirectory-UNI] bind as cn=RADIUSAdmin,ou=Servers,o=INetServices/zzzzzzzzz to ldap.unibocconi.it:389
  [eDirectory-UNI] waiting for bind result ...
  [eDirectory-UNI] Bind was successful
  [eDirectory-UNI] performing search in ou=Faculty-Staff,ou=Bocconi,o=INetServices, with filter (cn=pirovano)
[eDirectory-UNI] Added the eDirectory password xxxxxxxx in check items as Cleartext-Password



On FR3 in debug mode:

the client:

[root@freeradius3:~] radtest pirovano xxxxxxxx 10.1.1.82 1 yyyyyyyy
Sent Access-Request Id 157 from 0.0.0.0:35640 to 10.1.1.82:1812 length 78
        User-Name = "pirovano"
        User-Password = "xxxxxxxx"
        NAS-IP-Address = 10.1.1.82
        NAS-Port = 1
        Message-Authenticator = 0x00
        Cleartext-Password = "xxxxxxxx"
Received Access-Reject Id 157 from 10.1.1.82:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject


The FR3:

(0) eDirectory-ICT: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(0) eDirectory-ICT:    --> (cn=pirovano)
(0) eDirectory-ICT: Performing search in "ou=Faculty-Staff,ou=Bocconi,o=INetServices" with filter "(cn=pirovano)", scope "sub"
(0) eDirectory-ICT: Waiting for search result...
ber_get_next failed.
ber_get_next failed.
(0) eDirectory-ICT: User object found at DN "cn=Pirovano,ou=ICT,ou=Faculty-Staff,ou=Bocconi,o=INetServices"

(0) eDirectory-ICT: ERROR: Failed to retrieve eDirectory password: (80) Other (e.g., implementation specific) error

rlm_ldap (eDirectory-ICT): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (eDirectory-ICT): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (eDirectory-ICT): Connecting to ldap://ldaps.unibocconi.it:636
rlm_ldap (eDirectory-ICT): Waiting for bind result...
rlm_ldap (eDirectory-ICT): Bind successful
(0)     [eDirectory-ICT] = fail
(0)   } # authorize = fail



Thanks.
Marco


----- Il 1-ago-17, alle 19:35, Arran Cudbard-Bell [hidden email] ha scritto:

>> On Aug 1, 2017, at 11:29 AM, Marco Pirovano <[hidden email]>
>> wrote:
>>
>> Hello list,
>>
>> we are using FreeRADIUS to authenticate students wireless access.
>> It's FreeRADIUS Version 2.2.8 running on FreeBSD 9.2-STABLE.
>>
>> Our LDAP server is eDirectory version 8.8
>>
>>
>> Now, we are upgrading to FreeRADIUS 3.0.15 (installed from ports) running on
>> FreeBSD 11.1-RELEASE.
>> LDAP is always eDirectory 8.8.
>>
>> The bind to LDAP server it's ok, but the user is not authenticate, the error is:
>>
>>  Invalid user (eDirectory-ICT: Failed to retrieve eDirectory password: (80) Other
>>  (e.g., implementation specific) error):
>>
>
> Have you enabled universal password?
>
> https://www.netiq.com/documentation/edir_radius/pdfdoc/radiusadmin/radiusadmin.pdf
>
> -Arran
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Marco Pirovano
Infrastrutture e Tecnologie
Information and Communication Technology
Universita' Bocconi
via Gobbi, 5 - 20136 Milano
Tel. +39 02 5836.3173  Fax. +39 02 5836.3160

Windows makes noise, Linux plays music,
but BSD Rocks!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: FreeRADIUS 3, FreeBSD, eDirectory

Peter Lambrechtsen-4
I suspect that you need to rebuild FR3 with the right LDAP library.
Something looks very odd there as I have compiled FR3 with eDir on RHEL 6&7
using universal password without an issue.

On 2/08/2017 19:47, "Marco Pirovano" <[hidden email]> wrote:

> Hi Arran,
>
> yes, the universal password is enabled and is working with FR2.
>
> The problem is with FR3.
>
> On FR2 in debug mode:
>
> The client:
>
> [root@cariddi:~] radtest -x pirovano xxxxxxxx 10.5.255.241 1 yyyyyyyy
> Sending Access-Request of id 97 to 10.5.255.241 port 1812
>         User-Name = "pirovano"
>         User-Password = "xxxxxxxx"
>         NAS-IP-Address = 10.5.255.241
>         NAS-Port = 1
>         Message-Authenticator = 0x00000000000000000000000000000000
> rad_recv: Access-Accept packet from host 10.5.255.241 port 1812, id=97,
> length=20
>
> The FR2:
>
>  [eDirectory-UNI] ldap_get_conn: Checking Id: 0
>   [eDirectory-UNI] ldap_get_conn: Got Id: 0
>   [eDirectory-UNI] attempting LDAP reconnection
>   [eDirectory-UNI] (re)connect to ldap.unibocconi.it:389, authentication 0
>   [eDirectory-UNI] starting TLS
>   [eDirectory-UNI] bind as cn=RADIUSAdmin,ou=Servers,o=INetServices/zzzzzzzzz
> to ldap.unibocconi.it:389
>   [eDirectory-UNI] waiting for bind result ...
>   [eDirectory-UNI] Bind was successful
>   [eDirectory-UNI] performing search in ou=Faculty-Staff,ou=Bocconi,o=INetServices,
> with filter (cn=pirovano)
> [eDirectory-UNI] Added the eDirectory password xxxxxxxx in check items as
> Cleartext-Password
>
>
>
> On FR3 in debug mode:
>
> the client:
>
> [root@freeradius3:~] radtest pirovano xxxxxxxx 10.1.1.82 1 yyyyyyyy
> Sent Access-Request Id 157 from 0.0.0.0:35640 to 10.1.1.82:1812 length 78
>         User-Name = "pirovano"
>         User-Password = "xxxxxxxx"
>         NAS-IP-Address = 10.1.1.82
>         NAS-Port = 1
>         Message-Authenticator = 0x00
>         Cleartext-Password = "xxxxxxxx"
> Received Access-Reject Id 157 from 10.1.1.82:1812 to 0.0.0.0:0 length 20
> (0) -: Expected Access-Accept got Access-Reject
>
>
> The FR3:
>
> (0) eDirectory-ICT: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
> (0) eDirectory-ICT:    --> (cn=pirovano)
> (0) eDirectory-ICT: Performing search in "ou=Faculty-Staff,ou=Bocconi,o=INetServices"
> with filter "(cn=pirovano)", scope "sub"
> (0) eDirectory-ICT: Waiting for search result...
> ber_get_next failed.
> ber_get_next failed.
> (0) eDirectory-ICT: User object found at DN "cn=Pirovano,ou=ICT,ou=
> Faculty-Staff,ou=Bocconi,o=INetServices"
>
> (0) eDirectory-ICT: ERROR: Failed to retrieve eDirectory password: (80)
> Other (e.g., implementation specific) error
>
> rlm_ldap (eDirectory-ICT): Released connection (0)
> Need 5 more connections to reach 10 spares
> rlm_ldap (eDirectory-ICT): Opening additional connection (5), 1 of 27
> pending slots used
> rlm_ldap (eDirectory-ICT): Connecting to ldap://ldaps.unibocconi.it:636
> rlm_ldap (eDirectory-ICT): Waiting for bind result...
> rlm_ldap (eDirectory-ICT): Bind successful
> (0)     [eDirectory-ICT] = fail
> (0)   } # authorize = fail
>
>
>
> Thanks.
> Marco
>
>
> ----- Il 1-ago-17, alle 19:35, Arran Cudbard-Bell
> [hidden email] ha scritto:
>
> >> On Aug 1, 2017, at 11:29 AM, Marco Pirovano <
> [hidden email]>
> >> wrote:
> >>
> >> Hello list,
> >>
> >> we are using FreeRADIUS to authenticate students wireless access.
> >> It's FreeRADIUS Version 2.2.8 running on FreeBSD 9.2-STABLE.
> >>
> >> Our LDAP server is eDirectory version 8.8
> >>
> >>
> >> Now, we are upgrading to FreeRADIUS 3.0.15 (installed from ports)
> running on
> >> FreeBSD 11.1-RELEASE.
> >> LDAP is always eDirectory 8.8.
> >>
> >> The bind to LDAP server it's ok, but the user is not authenticate, the
> error is:
> >>
> >>  Invalid user (eDirectory-ICT: Failed to retrieve eDirectory password:
> (80) Other
> >>  (e.g., implementation specific) error):
> >>
> >
> > Have you enabled universal password?
> >
> > https://www.netiq.com/documentation/edir_radius/pdfdoc/radiusadmin/
> radiusadmin.pdf
> >
> > -Arran
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>
> --
> Marco Pirovano
> Infrastrutture e Tecnologie
> Information and Communication Technology
> Universita' Bocconi
> via Gobbi, 5 - 20136 Milano
> Tel. +39 02 5836.3173  Fax. +39 02 5836.3160
>
> Windows makes noise, Linux plays music,
> but BSD Rocks!
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: FreeRADIUS 3, FreeBSD, eDirectory

Peter Lambrechtsen-4
Actually I suspect it's the SSL library compiled or not compuled into the
openldap library. Since you need for Universal password to work a TLS
session to eDir.
Can you do the same LDAP search using standard ldapsearch over SSL? As the
search is failing so that doesn't bode well.

On 2/08/2017 20:49, "Peter Lambrechtsen" <[hidden email]> wrote:

> I suspect that you need to rebuild FR3 with the right LDAP library.
> Something looks very odd there as I have compiled FR3 with eDir on RHEL 6&7
> using universal password without an issue.
>
> On 2/08/2017 19:47, "Marco Pirovano" <[hidden email]> wrote:
>
>> Hi Arran,
>>
>> yes, the universal password is enabled and is working with FR2.
>>
>> The problem is with FR3.
>>
>> On FR2 in debug mode:
>>
>> The client:
>>
>> [root@cariddi:~] radtest -x pirovano xxxxxxxx 10.5.255.241 1 yyyyyyyy
>> Sending Access-Request of id 97 to 10.5.255.241 port 1812
>>         User-Name = "pirovano"
>>         User-Password = "xxxxxxxx"
>>         NAS-IP-Address = 10.5.255.241
>>         NAS-Port = 1
>>         Message-Authenticator = 0x00000000000000000000000000000000
>> rad_recv: Access-Accept packet from host 10.5.255.241 port 1812, id=97,
>> length=20
>>
>> The FR2:
>>
>>  [eDirectory-UNI] ldap_get_conn: Checking Id: 0
>>   [eDirectory-UNI] ldap_get_conn: Got Id: 0
>>   [eDirectory-UNI] attempting LDAP reconnection
>>   [eDirectory-UNI] (re)connect to ldap.unibocconi.it:389, authentication
>> 0
>>   [eDirectory-UNI] starting TLS
>>   [eDirectory-UNI] bind as cn=RADIUSAdmin,ou=Servers,o=INetServices/zzzzzzzzz
>> to ldap.unibocconi.it:389
>>   [eDirectory-UNI] waiting for bind result ...
>>   [eDirectory-UNI] Bind was successful
>>   [eDirectory-UNI] performing search in ou=Faculty-Staff,ou=Bocconi,o=INetServices,
>> with filter (cn=pirovano)
>> [eDirectory-UNI] Added the eDirectory password xxxxxxxx in check items as
>> Cleartext-Password
>>
>>
>>
>> On FR3 in debug mode:
>>
>> the client:
>>
>> [root@freeradius3:~] radtest pirovano xxxxxxxx 10.1.1.82 1 yyyyyyyy
>> Sent Access-Request Id 157 from 0.0.0.0:35640 to 10.1.1.82:1812 length 78
>>         User-Name = "pirovano"
>>         User-Password = "xxxxxxxx"
>>         NAS-IP-Address = 10.1.1.82
>>         NAS-Port = 1
>>         Message-Authenticator = 0x00
>>         Cleartext-Password = "xxxxxxxx"
>> Received Access-Reject Id 157 from 10.1.1.82:1812 to 0.0.0.0:0 length 20
>> (0) -: Expected Access-Accept got Access-Reject
>>
>>
>> The FR3:
>>
>> (0) eDirectory-ICT: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
>> (0) eDirectory-ICT:    --> (cn=pirovano)
>> (0) eDirectory-ICT: Performing search in "ou=Faculty-Staff,ou=Bocconi,o=INetServices"
>> with filter "(cn=pirovano)", scope "sub"
>> (0) eDirectory-ICT: Waiting for search result...
>> ber_get_next failed.
>> ber_get_next failed.
>> (0) eDirectory-ICT: User object found at DN "cn=Pirovano,ou=ICT,ou=Faculty
>> -Staff,ou=Bocconi,o=INetServices"
>>
>> (0) eDirectory-ICT: ERROR: Failed to retrieve eDirectory password: (80)
>> Other (e.g., implementation specific) error
>>
>> rlm_ldap (eDirectory-ICT): Released connection (0)
>> Need 5 more connections to reach 10 spares
>> rlm_ldap (eDirectory-ICT): Opening additional connection (5), 1 of 27
>> pending slots used
>> rlm_ldap (eDirectory-ICT): Connecting to ldap://ldaps.unibocconi.it:636
>> rlm_ldap (eDirectory-ICT): Waiting for bind result...
>> rlm_ldap (eDirectory-ICT): Bind successful
>> (0)     [eDirectory-ICT] = fail
>> (0)   } # authorize = fail
>>
>>
>>
>> Thanks.
>> Marco
>>
>>
>> ----- Il 1-ago-17, alle 19:35, Arran Cudbard-Bell
>> [hidden email] ha scritto:
>>
>> >> On Aug 1, 2017, at 11:29 AM, Marco Pirovano <
>> [hidden email]>
>> >> wrote:
>> >>
>> >> Hello list,
>> >>
>> >> we are using FreeRADIUS to authenticate students wireless access.
>> >> It's FreeRADIUS Version 2.2.8 running on FreeBSD 9.2-STABLE.
>> >>
>> >> Our LDAP server is eDirectory version 8.8
>> >>
>> >>
>> >> Now, we are upgrading to FreeRADIUS 3.0.15 (installed from ports)
>> running on
>> >> FreeBSD 11.1-RELEASE.
>> >> LDAP is always eDirectory 8.8.
>> >>
>> >> The bind to LDAP server it's ok, but the user is not authenticate, the
>> error is:
>> >>
>> >>  Invalid user (eDirectory-ICT: Failed to retrieve eDirectory password:
>> (80) Other
>> >>  (e.g., implementation specific) error):
>> >>
>> >
>> > Have you enabled universal password?
>> >
>> > https://www.netiq.com/documentation/edir_radius/pdfdoc/
>> radiusadmin/radiusadmin.pdf
>> >
>> > -Arran
>> >
>> > -
>> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list
>> /users.html
>>
>> --
>> Marco Pirovano
>> Infrastrutture e Tecnologie
>> Information and Communication Technology
>> Universita' Bocconi
>> via Gobbi, 5 - 20136 Milano
>> Tel. +39 02 5836.3173  Fax. +39 02 5836.3160
>>
>> Windows makes noise, Linux plays music,
>> but BSD Rocks!
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list
>> /users.html
>
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: FreeRADIUS 3, FreeBSD, eDirectory

arr2036

> On 2 Aug 2017, at 04:55, Peter Lambrechtsen <[hidden email]> wrote:
>
> Actually I suspect it's the SSL library compiled or not compuled into the
> openldap library. Since you need for Universal password to work a TLS
> session to eDir.
> Can you do the same LDAP search using standard ldapsearch over SSL? As the
> search is failing so that doesn't bode well.

Agreed.  We’re actually reworking the packages now to use OpenLDAP-LTB  packages for the RHEL/Centos .spec files.

-Arran

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

signature.asc (817 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

CHAP - FREERADIUS 2 to FRERRADIUS 3

Aurélio de Souza Ribeiro Neto
In reply to this post by Marco Pirovano
Hello,

I did Upgrade from 2.2.9 to 3.0.15.

For marketing purposes if my client is not on my base and tries to
connect to my system, I permit the access in a specific pool.

When I upgraded to 3, this stoped to work.

Some help?

Look more details.....

In my default file:

         Auth-Type CHAP {
                chap  {
                        invalid = 1
                     }

                     if(invalid) {

                        update control {
                          Pool-Name := "mkt_pool"
                        }

                        update reply {
                          Mikrotik-Rate-Limit := "300K/2M 600K/2200K
450K/1500K 10/10"
                        }

                        ok
                    }

         }


My radiusd -X output:

Ready to process requests
(0) Received Access-Request Id 199 from 172.17.6.2:42459 to
187.120.197.145:1812 length 152
(0)   Service-Type = Framed-User
(0)   Framed-Protocol = PPP
(0)   NAS-Port = 15736495
(0)   NAS-Port-Type = Ethernet
(0)   User-Name = "soniaregina"
(0)   Calling-Station-Id = "84:C9:B2:A3:BB:67"
(0)   Called-Station-Id = "CE - POP ITPM5"
(0)   NAS-Port-Id = "ether5"
(0)   CHAP-Challenge = 0x3cfe95eca592d11448a098b33412cd0b
(0)   CHAP-Password = 0x01cc08e5f2ad79880124b1d826606947b2
(0)   NAS-Identifier = "CE-ITPM"
(0)   NAS-IP-Address = 172.17.6.2
(0) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     [preprocess] = ok
(0) chap:   &control:Auth-Type := CHAP
(0)     [chap] = ok
(0)     [mschap] = noop
(0) sql: EXPAND %{User-Name}
(0) sql:    --> soniaregina
(0) sql: SQL-User-Name set to 'soniaregina'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT DISTINCT (R.id), R.username, R.attribute,
R.value, R.op                                  FROM
mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist
M                                  WHERE R.username =  BINARY
'%{SQL-User-Name}'                                  AND M.usuario_login
=  BINARY '%{SQL-User-Name}'                                  AND
N.nasname = '%{Nas-IP-Address}'                                  AND
N.gw_id = (SELECT gateway_id FROM mpc_lw.maclist WHERE usuario_login =  
BINARY '%{SQL-User-Name}' AND plano_id NOT IN
(8,9,793)                                                       AND
gateway_id = ( SELECT gw_id FROM mpc_freeradius.nas WHERE nasname =
'%{Nas-IP-Address}' )                                  ORDER BY
ID)                                  UNION
ALL                                  SELECT DISTINCT (R.id), R.username,
R.attribute, R.value, R.op                                  FROM
mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist
M                                  WHERE R.username =  BINARY
'%{SQL-User-Name}'                                  AND M.usuario_login
=  BINARY '%{SQL-User-Name}'                                  AND
M.grupocliente = 'ALL-POPS'
(0) sql:    --> SELECT DISTINCT (R.id), R.username, R.attribute,
R.value, R.op                                  FROM
mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist
M                                  WHERE R.username =  BINARY
'soniaregina'                                  AND M.usuario_login =  
BINARY 'soniaregina'                                  AND N.nasname =  
'172.17.6.2'                                  AND N.gw_id = (SELECT
gateway_id FROM mpc_lw.maclist WHERE usuario_login =  BINARY
'soniaregina' AND plano_id NOT IN
(8,9,793)                                                       AND
gateway_id = ( SELECT gw_id FROM mpc_freeradius.nas WHERE nasname =
'172.17.6.2' )                                  ORDER BY
ID)                                  UNION
ALL                                  SELECT DISTINCT (R.id), R.username,
R.attribute, R.value, R.op                                  FROM
mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist
M                                  WHERE R.username =  BINARY
'soniaregina'                                  AND M.usuario_login =  
BINARY 'soniaregina'                                  AND M.grupocliente
= 'ALL-POPS'
(0) sql: Executing select query: SELECT DISTINCT (R.id), R.username,
R.attribute, R.value, R.op                                  FROM
mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist
M                                  WHERE R.username =  BINARY
'soniaregina'                                  AND M.usuario_login =  
BINARY 'soniaregina'                                  AND N.nasname =  
'172.17.6.2'                                  AND N.gw_id = (SELECT
gateway_id FROM mpc_lw.maclist WHERE usuario_login =  BINARY
'soniaregina' AND plano_id NOT IN
(8,9,793)                                                       AND
gateway_id = ( SELECT gw_id FROM mpc_freeradius.nas WHERE nasname =
'172.17.6.2' )                                  ORDER BY
ID)                                  UNION
ALL                                  SELECT DISTINCT (R.id), R.username,
R.attribute, R.value, R.op                                  FROM
mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist
M                                  WHERE R.username =  BINARY
'soniaregina'                                  AND M.usuario_login =  
BINARY 'soniaregina'                                  AND M.grupocliente
= 'ALL-POPS'
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(0) sql:    --> SELECT groupname FROM radusergroup WHERE username =
'soniaregina' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup
WHERE username = 'soniaregina' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
Need 9 more connections to reach min connections (15)
rlm_sql (sql): Opening additional connection (6), 1 of 58 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'mpc_freeradius' on
mysql.mpc.com.br via TCP/IP, server version 5.5.55-0ubuntu0.14.04.1-log,
protocol version 10
(0)     [sql] = notfound
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not
setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good"
password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = CHAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Auth-Type CHAP {
(0) chap: ERROR: &control:Cleartext-Password is required for authentication
(0)     [chap] = fail
(0)   } # Auth-Type CHAP = fail
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) sql: EXPAND .query
(0) sql:    --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND %{User-Name}
(0) sql:    --> soniaregina
(0) sql: SQL-User-Name set to 'soniaregina'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( '%{SQL-User-Name}',
'%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql:    --> INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'soniaregina',
'0x01cc08e5f2ad79880124b1d826606947b2', 'Access-Reject', '2017-08-02
09:11:51')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass,
reply, authdate) VALUES ( 'soniaregina',
'0x01cc08e5f2ad79880124b1d826606947b2', 'Access-Reject', '2017-08-02
09:11:51')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (2)
(0)     [sql] = ok
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> soniaregina
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
(0) linelog:    --> messages.Access-Reject
(0) linelog: No such entry ".messages.Access-Reject"
(0)     [linelog] = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Login incorrect (chap: &control:Cleartext-Password is required for
authentication): [soniaregina/<via Auth-Type = CHAP>] (from client
ce-popitpm-rb port 15736495 cli 84:C9:B2:A3:BB:67)
(0) Delaying response for 1.000000 seconds



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: CHAP - FREERADIUS 2 to FRERRADIUS 3

Aurélio de Souza Ribeiro Neto
Hello,

     Sorry to importunate!!
     I solved the problem.

     In 3.0.15 version the return is fail and not invalid!

     I changed in default file and all is ok!!

     Really sorry!

Aurelio


Em 02/08/2017 09:37, Aurélio de Souza Ribeiro Neto escreveu:

> Hello,
>
> I did Upgrade from 2.2.9 to 3.0.15.
>
> For marketing purposes if my client is not on my base and tries to
> connect to my system, I permit the access in a specific pool.
>
> When I upgraded to 3, this stoped to work.
>
> Some help?
>
> Look more details.....
>
> In my default file:
>
>         Auth-Type CHAP {
>                chap  {
>                        invalid = 1
>                     }
>
>                     if(invalid) {
>
>                        update control {
>                          Pool-Name := "mkt_pool"
>                        }
>
>                        update reply {
>                          Mikrotik-Rate-Limit := "300K/2M 600K/2200K
> 450K/1500K 10/10"
>                        }
>
>                        ok
>                    }
>
>         }
>
>
> My radiusd -X output:
>
> Ready to process requests
> (0) Received Access-Request Id 199 from 172.17.6.2:42459 to
> 187.120.197.145:1812 length 152
> (0)   Service-Type = Framed-User
> (0)   Framed-Protocol = PPP
> (0)   NAS-Port = 15736495
> (0)   NAS-Port-Type = Ethernet
> (0)   User-Name = "soniaregina"
> (0)   Calling-Station-Id = "84:C9:B2:A3:BB:67"
> (0)   Called-Station-Id = "CE - POP ITPM5"
> (0)   NAS-Port-Id = "ether5"
> (0)   CHAP-Challenge = 0x3cfe95eca592d11448a098b33412cd0b
> (0)   CHAP-Password = 0x01cc08e5f2ad79880124b1d826606947b2
> (0)   NAS-Identifier = "CE-ITPM"
> (0)   NAS-IP-Address = 172.17.6.2
> (0) # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> (0)   authorize {
> (0)     [preprocess] = ok
> (0) chap:   &control:Auth-Type := CHAP
> (0)     [chap] = ok
> (0)     [mschap] = noop
> (0) sql: EXPAND %{User-Name}
> (0) sql:    --> soniaregina
> (0) sql: SQL-User-Name set to 'soniaregina'
> rlm_sql (sql): Reserved connection (1)
> (0) sql: EXPAND SELECT DISTINCT (R.id), R.username, R.attribute,
> R.value, R.op                                  FROM
> mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist
> M                                  WHERE R.username =  BINARY
> '%{SQL-User-Name}'                                  AND
> M.usuario_login =  BINARY
> '%{SQL-User-Name}'                                  AND N.nasname =
> '%{Nas-IP-Address}'                                  AND N.gw_id =
> (SELECT gateway_id FROM mpc_lw.maclist WHERE usuario_login = BINARY
> '%{SQL-User-Name}' AND plano_id NOT IN (8,9,793) AND gateway_id = (
> SELECT gw_id FROM mpc_freeradius.nas WHERE nasname =
> '%{Nas-IP-Address}' ) ORDER BY ID)                                  
> UNION ALL                                  SELECT DISTINCT (R.id),
> R.username, R.attribute, R.value,
> R.op                                  FROM mpc_freeradius.radcheck R,
> mpc_freeradius.nas N, mpc_lw.maclist
> M                                  WHERE R.username =  BINARY
> '%{SQL-User-Name}'                                  AND
> M.usuario_login =  BINARY
> '%{SQL-User-Name}'                                  AND M.grupocliente
> = 'ALL-POPS'
> (0) sql:    --> SELECT DISTINCT (R.id), R.username, R.attribute,
> R.value, R.op                                  FROM
> mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist
> M                                  WHERE R.username =  BINARY
> 'soniaregina'                                  AND M.usuario_login =  
> BINARY 'soniaregina'                                  AND N.nasname =  
> '172.17.6.2'                                  AND N.gw_id = (SELECT
> gateway_id FROM mpc_lw.maclist WHERE usuario_login =  BINARY
> 'soniaregina' AND plano_id NOT IN (8,9,793) AND gateway_id = ( SELECT
> gw_id FROM mpc_freeradius.nas WHERE nasname = '172.17.6.2'
> )                                  ORDER BY
> ID)                                  UNION
> ALL                                  SELECT DISTINCT (R.id),
> R.username, R.attribute, R.value,
> R.op                                  FROM mpc_freeradius.radcheck R,
> mpc_freeradius.nas N, mpc_lw.maclist
> M                                  WHERE R.username =  BINARY
> 'soniaregina'                                  AND M.usuario_login =  
> BINARY 'soniaregina'                                  AND
> M.grupocliente = 'ALL-POPS'
> (0) sql: Executing select query: SELECT DISTINCT (R.id), R.username,
> R.attribute, R.value, R.op                                  FROM
> mpc_freeradius.radcheck R, mpc_freeradius.nas N, mpc_lw.maclist
> M                                  WHERE R.username =  BINARY
> 'soniaregina'                                  AND M.usuario_login =  
> BINARY 'soniaregina'                                  AND N.nasname =  
> '172.17.6.2'                                  AND N.gw_id = (SELECT
> gateway_id FROM mpc_lw.maclist WHERE usuario_login =  BINARY
> 'soniaregina' AND plano_id NOT IN (8,9,793) AND gateway_id = ( SELECT
> gw_id FROM mpc_freeradius.nas WHERE nasname = '172.17.6.2'
> )                                  ORDER BY
> ID)                                  UNION
> ALL                                  SELECT DISTINCT (R.id),
> R.username, R.attribute, R.value,
> R.op                                  FROM mpc_freeradius.radcheck R,
> mpc_freeradius.nas N, mpc_lw.maclist
> M                                  WHERE R.username =  BINARY
> 'soniaregina'                                  AND M.usuario_login =  
> BINARY 'soniaregina'                                  AND
> M.grupocliente = 'ALL-POPS'
> (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
> '%{SQL-User-Name}' ORDER BY priority
> (0) sql:    --> SELECT groupname FROM radusergroup WHERE username =
> 'soniaregina' ORDER BY priority
> (0) sql: Executing select query: SELECT groupname FROM radusergroup
> WHERE username = 'soniaregina' ORDER BY priority
> (0) sql: User not found in any groups
> rlm_sql (sql): Released connection (1)
> Need 9 more connections to reach min connections (15)
> rlm_sql (sql): Opening additional connection (6), 1 of 58 pending
> slots used
> rlm_sql_mysql: Starting connect to MySQL server
> rlm_sql_mysql: Connected to database 'mpc_freeradius' on
> mysql.mpc.com.br via TCP/IP, server version
> 5.5.55-0ubuntu0.14.04.1-log, protocol version 10
> (0)     [sql] = notfound
> (0)     [expiration] = noop
> (0)     [logintime] = noop
> (0) pap: WARNING: No "known good" password found for the user. Not
> setting Auth-Type
> (0) pap: WARNING: Authentication will fail unless a "known good"
> password is available
> (0)     [pap] = noop
> (0)   } # authorize = ok
> (0) Found Auth-Type = CHAP
> (0) # Executing group from file
> /usr/local/etc/raddb/sites-enabled/default
> (0)   Auth-Type CHAP {
> (0) chap: ERROR: &control:Cleartext-Password is required for
> authentication
> (0)     [chap] = fail
> (0)   } # Auth-Type CHAP = fail
> (0) Failed to authenticate the user
> (0) Using Post-Auth-Type Reject
> (0) # Executing group from file
> /usr/local/etc/raddb/sites-enabled/default
> (0)   Post-Auth-Type REJECT {
> (0) sql: EXPAND .query
> (0) sql:    --> .query
> (0) sql: Using query template 'query'
> rlm_sql (sql): Reserved connection (2)
> (0) sql: EXPAND %{User-Name}
> (0) sql:    --> soniaregina
> (0) sql: SQL-User-Name set to 'soniaregina'
> (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply,
> authdate) VALUES ( '%{SQL-User-Name}',
> '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
> (0) sql:    --> INSERT INTO radpostauth (username, pass, reply,
> authdate) VALUES ( 'soniaregina',
> '0x01cc08e5f2ad79880124b1d826606947b2', 'Access-Reject', '2017-08-02
> 09:11:51')
> (0) sql: Executing query: INSERT INTO radpostauth (username, pass,
> reply, authdate) VALUES ( 'soniaregina',
> '0x01cc08e5f2ad79880124b1d826606947b2', 'Access-Reject', '2017-08-02
> 09:11:51')
> (0) sql: SQL query returned: success
> (0) sql: 1 record(s) updated
> rlm_sql (sql): Released connection (2)
> (0)     [sql] = ok
> (0) attr_filter.access_reject: EXPAND %{User-Name}
> (0) attr_filter.access_reject:    --> soniaregina
> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (0)     [attr_filter.access_reject] = updated
> (0) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
> (0) linelog:    --> messages.Access-Reject
> (0) linelog: No such entry ".messages.Access-Reject"
> (0)     [linelog] = noop
> (0)   } # Post-Auth-Type REJECT = updated
> (0) Login incorrect (chap: &control:Cleartext-Password is required for
> authentication): [soniaregina/<via Auth-Type = CHAP>] (from client
> ce-popitpm-rb port 15736495 cli 84:C9:B2:A3:BB:67)
> (0) Delaying response for 1.000000 seconds
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Loading...