Solved

Integrate PPP and OpenVPN user authentication with Freeradius2 on CentOS

Posted on 2011-10-07
2,254 Views
Last Modified: 2012-05-12
Hello,

I installed freeradius2 with the MySQL module on CentOS, and everything works well. I mean I created a user in the MySQL database, tested it with "radtest" and received a request-accept message.

Now I want to connect to the server with PPTP, L2TP and OpenVPN connections, and when I try it I receive an error and the connection is not established.

Does anyone know how I should do it?
Question by:re-searcher
104 Comments
 
LVL 81

Accepted Solution

by:
arnold earned 2000 total points
ID: 36930717
Openswan server reference on incorporating RADIUS authentication:
http://lists.openswan.org/pipermail/users/2008-May/014657.html

They have a plug-in that you need to specify in /etc/pppd.conf
http://www.openl2tp.org/doc/quick_start
http://linux.die.net/man/8/pppd-radius


http://www.openswan.org/docs/local/README.XAUTH
Work on one protocol at a time rather than trying to get all three.
Which applications are you using to provide the different services: PPTP, L2TP, etc.?
 
LVL 3

Author Comment

by:re-searcher
ID: 36930742
What about PPTP and OpenVPN?
 
LVL 3

Author Comment

by:re-searcher
ID: 36930777
I want to provide different VPN services to my employees, not all of them.
I want to be able to set a user to use all of PPTP/L2TP/OpenVPN or just one of them.
 
LVL 81

Expert Comment

by:arnold
ID: 36930850
For OpenVPN you need to use a plug-in:
http://www.imped.net/oss/misc/openvpn-2.0-howto-edit.html#auth
http://openvpn.net/archive/openvpn-users/2006-07/msg00138.html

Each application you use to provide a service has its own configuration settings. Which application do you use for PPTP?

The links I provided in the question deal with making adjustments to /etc/ppp to reference an external application for authentication. The external script will be the one that generates the rad-access-request and awaits the response.
In the file /etc/ppp/options.pptpd it adds the plugin radius.so.
Then you need radiusclient installed, which is used by radius.so; its /etc/radiusclient/server file is where you configure the information about the server it will be querying.
http://poptop.sourceforge.net/dox/radius_mysql.html

The application you choose to provide the services has to support the option for external authentication.
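The rad-access-request exchange described above, as an added example that is not part of this thread nor code from radiusclient or freeradius: it builds an RFC 2865 PAP Access-Request the way the pppd radius plugin would (User-Password hiding included), then verifies the Response Authenticator of the reply, so a shared-secret mismatch shows up as a failed check rather than an unexplained reject. The host, port, user name, password and secret are constructed placeholders.

```python
"""Minimal RFC 2865 PAP exchange, client side as radiusclient would send it and
server side as freeradius would answer it. Constructed example for this thread."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18


def pad16(data: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a multiple of 16 octets, at least one block."""
    return data.ljust(max(16, (len(data) + 15) // 16 * 16), b"\x00")


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = Request Authenticator."""
    padded, out, prev = pad16(password), b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same operation; strips the NUL padding afterwards."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type(1) Length(1, includes the two header octets) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(payload: bytes) -> dict:
    """Walk the attribute TLVs that follow the 20-byte header; reject bad lengths."""
    attrs, pos = {}, 0
    while pos + 2 <= len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_access_request(ident, username, password, secret,
                         nas_ip="127.0.0.1", request_auth=None):
    """The packet the pppd radius plugin sends to the server for a PAP login."""
    request_auth = request_auth or os.urandom(16)
    attrs = (encode_attr(USER_NAME, username.encode())
             + encode_attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + encode_attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request, secret):
    """Client side: (code, authenticator_ok). A failed check means the shared secret
    differs between the two ends or the reply did not come from the server."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return code, False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code, response[4:20] == expected


def check_login(host, port, username, password, secret, timeout=3.0):
    """Send one Access-Request over UDP; 'accept', 'reject', 'bad-auth' or 'timeout'.
    'timeout' is what a radiusd -X that stays silent looks like from the client side."""
    request = build_access_request(os.urandom(1)[0], username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    code, ok = verify_response(response, request, secret)
    if not ok:
        return "bad-auth"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "code-%d" % code)


if __name__ == "__main__":
    # Placeholder target and credentials; point these at your own test server.
    print(check_login("127.0.0.1", 1812, "testuser", "testpass", b"testing123"))
```

Run it against the same host and port that radiusd -X reports it is listening on; a "timeout" with nothing in the debug console means the request never reached the server, which is a port or firewall problem rather than a credential one.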
 
LVL 3

Author Comment

by:re-searcher
ID: 36930881
Thanks for your answer,

Regarding PPTP:
ppp.i386                                 2.4.3-14.3.v5          installed       
pptpd.i386                               1.3.0-3.1.v5           installed  


 
LVL 81

Expert Comment

by:arnold
ID: 36931071
Check the manual pages for those on whether they support the use of external programs/scripts for authentication.
Those that can usually can be extended to do the tasks you want, which I have found many open-source resources are.

/etc/ppp/options.pptpd
http://ppp.samba.org/pppd.html
Within this file, the link I posted deals with including radius.so,
which ties into radiusclient, which you need to install and which relies on /etc/radiusclient/server.
i.e.
pptpd only binds to an IP where the request will be received.
It will use /usr/sbin/ppp to establish a channel of communication initially for authentication.
ppp, based on the ..., will initiate the exchange of the username/password data and then use the local configuration to validate the data provided.

When testing, make sure to run freeradius in debug mode, which will tell you what it received and what it responded with. This way you can narrow down the cause if the response is not what you expected.
i.e. the type of connection (NAS-Type) alters the response freeradius sends, etc.
 
LVL 3

Author Comment

by:re-searcher
ID: 36931343
Arnold,

I don't have a radiusclient directory in "/etc"; instead of a "radiusclient" directory I have "raddb".
In addition I don't have a "server" sub-directory in "raddb".

What should I do?
 
LVL 81

Expert Comment

by:arnold
ID: 36931504
 
LVL 3

Author Comment

by:re-searcher
ID: 36931583
I installed freeradius2 on ClearOS, which is based on CentOS.

[root@researcher ~]# yum search radius
Loading "kmod" plugin
Loading "protect-packages" plugin
base-kernels                                                                  |  951 B     00:00     
base-updates                                                                  |  951 B     00:00     
clearcentos-os                                                                |  951 B     00:00     
base-supplements                                                              |  951 B     00:00     
base-os                                                                       | 1.1 kB     00:00     
clearcentos-updates                                                           |  951 B     00:00     
base-console                                                                  |  951 B     00:00     
freeradius2-mysql.i386 : MySQL support for freeradius
freeradius2-postgresql.i386 : Postgresql support for freeradius
freeradius2.i386 : High-performance and highly configurable free RADIUS server
freeradius2-unixODBC.i386 : Unix ODBC support for freeradius
freeradius2-ldap.i386 : LDAP support for freeradius
freeradius.i386 : High-performance and highly configurable free RADIUS server.
freeradius-mysql.i386 : MySQL bindings for freeradius
freeradius2-python.i386 : Python support for freeradius
freeradius-unixODBC.i386 : unixODBC bindings for freeradius
freeradius2-utils.i386 : FreeRADIUS utilities
freeradius2-mysql.i386 : MySQL support for freeradius
freeradius2.i386 : High-performance and highly configurable free RADIUS server
freeradius2-krb5.i386 : Kerberos 5 support for freeradius
freeradius-postgresql.i386 : postgresql bindings for freeradius
freeradius2-utils.i386 : FreeRADIUS utilities
freeradius2-perl.i386 : Perl support for freeradius


 
LVL 3

Author Comment

by:re-searcher
ID: 36931597
[root@researcher ~]# uname -a
Linux researcher.lan 2.6.18-194.8.1.v5PAE #1 SMP Thu Jul 15 02:01:47 EDT 2010 i686 i686 i386 GNU/Linux


 
LVL 81

Expert Comment

by:arnold
ID: 36932166
http://pkgs.org/centos-5-rhel-5/rpmforge-i386/radiusclient-ng-0.5.6-5.el5.rf.i386.rpm.html
Download the above and get a listing of what is within:
rpm -q --filesbypkg -p radiusclient-ng-0.5.6-5.el5.rf.i386.rpm | more

This will list the contents of the package without installing it or altering your system.
Check what is being installed versus what you already have on the system.


radclient should be part of the freeradius utils.
 
LVL 3

Author Comment

by:re-searcher
ID: 36932827
# rpm -q --filesbypkg -p radiusclient-ng-0.5.6-5.el5.rf.i386.rpm | more
warning: radiusclient-ng-0.5.6-5.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
radiusclient-ng           /etc/radiusclient-ng
radiusclient-ng           /etc/radiusclient-ng/issue
radiusclient-ng           /etc/radiusclient-ng/port-id-map
radiusclient-ng           /etc/radiusclient-ng/radiusclient.conf
radiusclient-ng           /etc/radiusclient-ng/servers
radiusclient-ng           /usr/lib/libradiusclient-ng.so.2
radiusclient-ng           /usr/lib/libradiusclient-ng.so.2.0.0
radiusclient-ng           /usr/share/doc/radiusclient-ng-0.5.6
radiusclient-ng           /usr/share/doc/radiusclient-ng-0.5.6/BUGS
radiusclient-ng           /usr/share/doc/radiusclient-ng-0.5.6/CHANGES
radiusclient-ng           /usr/share/doc/radiusclient-ng-0.5.6/COPYRIGHT
radiusclient-ng           /usr/share/doc/radiusclient-ng-0.5.6/README
radiusclient-ng           /usr/share/doc/radiusclient-ng-0.5.6/instop.html
radiusclient-ng           /usr/share/radiusclient-ng
radiusclient-ng           /usr/share/radiusclient-ng/dictionary
radiusclient-ng           /usr/share/radiusclient-ng/dictionary.ascend
radiusclient-ng           /usr/share/radiusclient-ng/dictionary.compat
radiusclient-ng           /usr/share/radiusclient-ng/dictionary.merit
radiusclient-ng           /usr/share/radiusclient-ng/dictionary.sip



Sorry, but I'm not an expert in Linux. Should I install radiusclient-ng?
 
LVL 3

Author Comment

by:re-searcher
ID: 36933500
I installed radiusclient-ng with the following command:
# rpm -ivh radiusclient-ng-0.5.6-5.el5.rf.i386.rpm
warning: radiusclient-ng-0.5.6-5.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing...                ########################################### [100%]
   1:radiusclient-ng        ########################################### [100%]



Now should I follow the articles whose links you shared with me?
 
LVL 81

Expert Comment

by:arnold
ID: 36933776
Yes, /etc/radiusclient/server etc. See whether pptpd via ppp initiates the RADIUS request to freeradius, and then go a step at a time. If you can debug freeradius while you are making the test attempts, post the debug output to make it easier to describe what is going on.
 
LVL 3

Author Comment

by:re-searcher
ID: 36935044
OK, I see.

Here is my "radiusd -X" result:
# radiusd -X
FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on May 19 2010 at 13:10:59
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/radius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 40
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = "/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead = no
 }
 home_server localhost {
	ipaddr = 127.0.0.1
	port = 1812
	type = "auth"
	secret = "testing123"
	response_window = 20
	max_outstanding = 65536
	require_message_authenticator = no
	zombie_period = 40
	status_check = "status-server"
	ping_interval = 30
	check_interval = 30
	num_answers_to_alive = 3
	num_pings_to_alive = 3
	revive_interval = 120
	status_check_timeout = 4
	irt = 2
	mrt = 16
	mrc = 5
	mrd = 30
 }
 home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
 }
 realm example.com {
	auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = "wW50|>7@$%fhgdnDJOBSviovbfKOG@)2EROC("
	nastype = "other"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
	wait = no
	input_pairs = "request"
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
	reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
	reply-message = "You are calling outside your allowed timespan  "
	minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
	encryption_scheme = "auto"
	auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
	use_mppe = yes
	require_encryption = no
	require_strong = no
	with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
	radwtmp = "/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
	default_eap_type = "md5"
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
	challenge = "Password: "
	auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
	rsa_key_exchange = no
	dh_key_exchange = yes
	rsa_key_length = 512
	dh_key_length = 512
	verify_depth = 0
	pem_file_type = yes
	private_key_file = "/etc/raddb/certs/server.pem"
	certificate_file = "/etc/raddb/certs/server.pem"
	CA_file = "/etc/raddb/certs/ca.pem"
	private_key_password = "whatever"
	dh_file = "/etc/raddb/certs/dh"
	random_file = "/etc/raddb/certs/random"
	fragment_size = 1024
	include_length = yes
	check_crl = no
	cipher_list = "DEFAULT"
	make_cert_command = "/etc/raddb/certs/bootstrap"
    cache {
	enable = no
	lifetime = 24
	max_entries = 255
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
	default_eap_type = "md5"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	virtual_server = "inner-tunnel"
	include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
	default_eap_type = "mschapv2"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	proxy_tunneled_request_as_eap = yes
	virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
	with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
	format = "suffix"
	delimiter = "@"
	ignore_default = no
	ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
	usersfile = "/etc/raddb/users"
	acctusersfile = "/etc/raddb/acct_users"
	preproxy_usersfile = "/etc/raddb/preproxy_users"
	compat = "no"
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
	filename = "/var/log/radius/radutmp"
	username = "%{User-Name}"
	case_sensitive = yes
	check_with_nas = yes
	perm = 384
	callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
	attrsfile = "/etc/raddb/attrs.access_reject"
	key = "%{User-Name}"
  }
 } # modules
} # server
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
	huntgroups = "/etc/raddb/huntgroups"
	hints = "/etc/raddb/hints"
	with_ascend_hack = no
	ascend_channels_per_line = 23
	with_ntdomain_hack = no
	with_specialix_jetstream_hack = no
	with_cisco_vsa_hack = no
	with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_sql
 Module: Instantiating sql
  sql {
	driver = "rlm_sql_mysql"
	server = "localhost"
	port = ""
	login = "raduser"
	password = "link2@@2"
	radius_db = "rdb"
	read_groups = yes
	sqltrace = no
	sqltracefile = "/var/log/radius/sqltrace.sql"
	readclients = yes
	deletestalesessions = yes
	num_sql_socks = 5
	lifetime = 0
	max_queries = 0
	sql_user_name = "%{User-Name}"
	default_user_profile = ""
	nas_query = "SELECT id, nasname, shortname, type, secret FROM nas"
	authorize_check_query = "SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id"
	authorize_reply_query = "SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id"
	authorize_group_check_query = "SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id"
	authorize_group_reply_query = "SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id"
	accounting_onoff_query = "          UPDATE radacct           SET              acctstoptime       =  '%S',              acctsessiontime    =  unix_timestamp('%S') -                                    unix_timestamp(acctstarttime),              acctterminatecause =  '%{Acct-Terminate-Cause}',              acctstopdelay      =  %{%{Acct-Delay-Time}:-0}           WHERE acctstoptime IS NULL           AND nasipaddress      =  '%{NAS-IP-Address}'           AND acctstarttime     <= '%S'"
	accounting_update_query = "           UPDATE radacct           SET              framedipaddress = '%{Framed-IP-Address}',              acctsessiontime     = '%{Acct-Session-Time}',              acctinputoctets     = '%{%{Acct-Input-Gigawords}:-0}'  << 32 |                                    '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets    = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                    '%{%{Acct-Output-Octets}:-0}'           WHERE acctsessionid = '%{Acct-Session-Id}'           AND username        = '%{SQL-User-Name}'           AND nasipaddress    = '%{NAS-IP-Address}'"
	accounting_update_query_alt = "           INSERT INTO radacct             (acctsessionid,    acctuniqueid,      username,              realm,            nasipaddress,      nasportid,              nasporttype,      acctstarttime,     acctsessiontime,              acctauthentic,    connectinfo_start, acctinputoctets,              acctoutputoctets, calledstationid,   callingstationid,              servicetype,      framedprotocol,    framedipaddress,              acctstartdelay,   xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}',              DATE_SUB('%S',                       INTERVAL (%{%{Acct-Session-Time}:-0} +                                 %{%{Acct-Delay-Time}:-0}) SECOND),                       '%{Acct-Session-Time}',              '%{Acct-Authentic}', '',              '%{%{Acct-Input-Gigawords}:-0}' << 32 |              '%{%{Acct-Input-Octets}:-0}',              '%{%{Acct-Output-Gigawords}:-0}' << 32 |              '%{%{Acct-Output-Octets}:-0}',              '%{Called-Station-Id}', '%{Calling-Station-Id}',              '%{Service-Type}', '%{Framed-Protocol}',              '%{Framed-IP-Address}',              '0', '%{X-Ascend-Session-Svr-Key}')"
	accounting_start_query = "           INSERT INTO radacct             (acctsessionid,    acctuniqueid,     username,              realm,            nasipaddress,     nasportid,              nasporttype,      acctstarttime,    acctstoptime,              acctsessiontime,  acctauthentic,    connectinfo_start,              connectinfo_stop, acctinputoctets,  acctoutputoctets,              calledstationid,  callingstationid, acctterminatecause,              servicetype,      framedprotocol,   framedipaddress,              acctstartdelay,   acctstopdelay,    xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,              '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0', '0',              '%{Called-Station-Id}', '%{Calling-Station-Id}', '',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',              '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
	accounting_start_query_alt = "           UPDATE radacct SET              acctstarttime     = '%S',              acctstartdelay    = '%{%{Acct-Delay-Time}:-0}',              connectinfo_start = '%{Connect-Info}'           WHERE acctsessionid  = '%{Acct-Session-Id}'           AND username         = '%{SQL-User-Name}'           AND nasipaddress     = '%{NAS-IP-Address}'"
	accounting_stop_query = "           UPDATE radacct SET              acctstoptime       = '%S',              acctsessiontime    = '%{Acct-Session-Time}',              acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Output-Octets}:-0}',              acctterminatecause = '%{Acct-Terminate-Cause}',              acctstopdelay      = '%{%{Acct-Delay-Time}:-0}',              connectinfo_stop   = '%{Connect-Info}'           WHERE acctsessionid   = '%{Acct-Session-Id}'           AND username          = '%{SQL-User-Name}'           AND nasipaddress      = '%{NAS-IP-Address}'"
	accounting_stop_query_alt = "           INSERT INTO radacct             (acctsessionid, acctuniqueid, username,              realm, nasipaddress, nasportid,              nasporttype, acctstarttime, acctstoptime,              acctsessiontime, acctauthentic, connectinfo_start,              connectinfo_stop, acctinputoctets, acctoutputoctets,              calledstationid, callingstationid, acctterminatecause,              servicetype, framedprotocol, framedipaddress,              acctstartdelay, acctstopdelay)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}',              DATE_SUB('%S',                  INTERVAL (%{%{Acct-Session-Time}:-0} +                  %{%{Acct-Delay-Time}:-0}) SECOND),              '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '',              '%{Connect-Info}',              '%{%{Acct-Input-Gigawords}:-0}' << 32 |              '%{%{Acct-Input-Octets}:-0}',              '%{%{Acct-Output-Gigawords}:-0}' << 32 |              '%{%{Acct-Output-Octets}:-0}',              '%{Called-Station-Id}', '%{Calling-Station-Id}',              '%{Acct-Terminate-Cause}',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',              '0', '%{%{Acct-Delay-Time}:-0}')"
	group_membership_query = "SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority"
	connect_failure_retry_delay = 60
	simul_count_query = ""
	simul_verify_query = "SELECT radacctid, acctsessionid, username,                                nasipaddress, nasportid, framedipaddress,                                callingstationid, framedprotocol                                FROM radacct                                WHERE username = '%{SQL-User-Name}'                                AND acctstoptime IS NULL"
	postauth_query = "INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S')"
	safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to raduser@localhost:/rdb
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
	detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
	header = "%t"
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
	attrsfile = "/etc/raddb/attrs.accounting_response"
	key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 0
}
listen {
	type = "acct"
	ipaddr = *
	port = 0
}
listen {
	type = "control"
 listen {
	socket = "/var/run/radiusd/radiusd.sock"
 }
}
Listening on authentication interface eth0 address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.




When I try to connect from a remote computer with a VPN connection I receive "Authentication Failed", while I don't see any information in my debug console.

I have a firewall and IDS on the computer; which rules should I add to the firewall?
 
LVL 81

Assisted Solution

by:arnold
arnold earned 2000 total points
ID: 36936630
Make sure to also debug the pptpd server and ppp so that you can see what is going on at each stage.
The information you have shows that freeradius did not receive a request.
Configure freeradius to also listen on the 1645 auth and 1646 acct ports, just in the event the radiusclient defaults to the older RADIUS port set.
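An added consistency check for the mismatch described in this reply (not code from this thread, radiusclient-ng or freeradius): it reads the radiusclient-ng radiusclient.conf and servers file, the freeradius clients.conf, and the "Listening on ..." lines from radiusd -X, and reports any port the client will send to that the server is not listening on, plus a shared secret that differs between the two ends. It assumes that a bare host in authserver/acctserver means radiusclient-ng's built-in 1645/1646 defaults, the older port set this reply warns about; the sample configuration text in the test is constructed.

```python
"""Cross-check the radiusclient-ng side against the freeradius side from their
config text and the radiusd -X 'Listening on' lines. Constructed example."""
import re

# Assumption: a bare host in authserver/acctserver uses radiusclient-ng's
# built-in defaults, the older 1645/1646 port set mentioned in the thread.
DEFAULT_PORTS = {"authserver": 1645, "acctserver": 1646}
LISTEN_TYPE = {"authserver": "authentication", "acctserver": "accounting"}
LOCAL_NAMES = {"localhost", "127.0.0.1"}

LISTEN_RE = re.compile(r"^Listening on (authentication|accounting)\b.*?\bport (\d+)", re.M)
CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{([^}]*)\}", re.S)


def same_host(a, b):
    """Treat localhost and 127.0.0.1 as the same end point."""
    return a is not None and b is not None and (a == b or {a, b} <= LOCAL_NAMES)


def parse_radiusclient_conf(text):
    """'authserver host[:port]' / 'acctserver host[:port]' lines -> {key: [(host, port)]}."""
    servers = {"authserver": [], "acctserver": []}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0] in servers:
            for entry in re.split(r"[\s,]+", parts[1].strip()):
                host, _, port = entry.partition(":")
                servers[parts[0]].append((host, int(port) if port else DEFAULT_PORTS[parts[0]]))
    return servers


def parse_servers_file(text):
    """radiusclient-ng 'servers' file: one 'host secret' per line -> {host: secret}."""
    secrets = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            secrets[parts[0]] = parts[1]
    return secrets


def _field(body, name):
    """Value of 'name = value' (quoted or bare) inside one client { } block."""
    m = re.search(r'^\s*%s\s*=\s*"?([^"\n]*?)"?\s*$' % name, body, re.M)
    return m.group(1) if m else None


def parse_clients_conf(text):
    """freeradius clients.conf 'client NAME { ipaddr = ... secret = ... }' -> {NAME: {...}}."""
    return {name: {"ipaddr": _field(body, "ipaddr"), "secret": _field(body, "secret")}
            for name, body in CLIENT_RE.findall(text)}


def parse_listening(debug_text):
    """radiusd -X 'Listening on ... port N' lines -> {'authentication': {..}, 'accounting': {..}}."""
    ports = {"authentication": set(), "accounting": set()}
    for kind, port in LISTEN_RE.findall(debug_text):
        ports[kind].add(int(port))
    return ports


def check_path(radiusclient_conf, servers_file, clients_conf, radiusd_debug):
    """Return a list of findings; an empty list means the two ends agree."""
    findings = []
    rc = parse_radiusclient_conf(radiusclient_conf)
    secrets = parse_servers_file(servers_file)
    clients = parse_clients_conf(clients_conf)
    listening = parse_listening(radiusd_debug)
    for kind, targets in rc.items():
        for host, port in targets:
            open_ports = listening[LISTEN_TYPE[kind]]
            if port not in open_ports:
                findings.append("%s %s:%d: freeradius %s listens on %s, not %d"
                                % (kind, host, port, LISTEN_TYPE[kind],
                                   sorted(open_ports) or "no port", port))
    for host in sorted({h for targets in rc.values() for h, _ in targets}):
        client_secret = next((s for h, s in secrets.items() if same_host(h, host)), None)
        entry = next((c for n, c in clients.items()
                      if same_host(n, host) or same_host(c["ipaddr"], host)), None)
        if client_secret is None:
            findings.append("no secret for %s in the radiusclient servers file" % host)
        if entry is None:
            findings.append("no client {} block for %s in clients.conf; "
                            "freeradius ignores undeclared clients" % host)
        elif client_secret is not None and entry["secret"] != client_secret:
            findings.append("shared secret for %s differs between the servers file "
                            "and clients.conf" % host)
    return findings
```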
 
LVL 3

Author Comment

by:re-searcher
ID: 36936650
You mean I set freeradius auth and acct to listen on 1645 and 1646, and after the test return it to the previous state?
 
LVL 3

Author Comment

by:re-searcher
ID: 36936674
I changed it as you requested, in "/etc/raddb/radiusd.conf", but again I receive the authentication failed error, and debug shows nothing.
Again I think the firewall blocks this port; are you sure that I should not add any command to the firewall to allow incoming requests?
Listening on authentication interface eth0 address * port 1645
Listening on accounting address * port 1646
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1647
Ready to process requests.



Can I chat with you on Skype or by e-mail? Would you mind telling me one of these?
 
LVL 81

Expert Comment

by:arnold
ID: 36936728
You can configure freeradius to listen on both 1812 and 1645, and on both 1813 and 1646.
I'm not sure why you are defining a proxy address, but that is unimportant.

Were you able to establish a PPTP connection while using local users? This is how you can confirm that your PPTP configuration is correct. Walk before you try to run.
Once you know that your PPTP client side configuration is correct and works with your PPTP server while using locally defined users, then and only then you start adjusting the PPTP server configuration for remote authentication.

1) Configure the pptp server with local users.
2) Configure the pptp client to connect to the server.
3) Test the connection while the pptp server is in debug mode to reflect what is going on, so that you can adjust. Based on the info, repeat 1/2.

1723 is the PPTP port that has to be opened on the firewall to allow the client request through, but based on the error you get, it seems the packet makes it to the pptp server and is being rejected.


0
 
LVL 3

Author Comment

by:re-searcher
ID: 36936753
As I told you before:
I configured this server as a VPN server. I want to send a user name and password to somebody and allow them to connect to my server and surf the internet with my server's IPs.

You don't help me with details; I'm a newbie and with general help I can't do it properly.

Please, help me: what do I do now?
I told you my mission; if the proxy is not necessary for my mission, please tell me how to disable it.

When I run "radiusd -X" it goes into listening fine, so why does it not receive details from the client?
I added localhost with the secret key in "/etc/ppp/options.pptpd", so what is there that I haven't done?
This is the 3rd topic I have opened regarding my problem, but I don't get a good answer which resolves my problem.

Please, help me.
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36936842
Arnold,

I have a question. I just added "localhost xyzwpygbv" to "/etc/radiusclient-ng/servers",
and "/etc/ppp/chap-secrets & pap-secrets" just contain " * &ldap *",
and I changed the "/etc/raddb/clients.conf" acct and auth ports to the ports you mentioned in your previous post.

pptpd and the freeradius server are both on one server; does ppp need me to open the firewall to connect to freeradius?
0
 
LVL 81

Expert Comment

by:arnold
ID: 36937014
http://www.anindya.com/installing-configuring-pptp-vpn-rhel-centos/
This will guide you through the setup of pptpd on your system with local authentication.

If your goal is to allow other users to browse through your system, there are other options i.e. proxy server.
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Radius
With each question you pose a clearer picture of what you are trying to do is revealed.

Could you answer, "what is the result you want to achieve?"
i.e. point A other users [black box] Point B browse the net.
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36937028
- Arnold
my "/etc/rc.d/rc.firewall.local" contains the following contents:
# Custom firewall rules.
# This file is executed by the firewall on stop/start/restart.
iptables -t filter -I FORWARD -i pptp+ -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE



In the first article I should add the following content:
Next, configure iptables to do NAT.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Next, we need to allow TCP port 1723 and the GRE protocol through iptables.

iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT

The following iptables rules are necessary if you want to be able to route all your internet traffic through the VPN server.

iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT

Now start the PPTP server if you haven’t already.



Currently I can connect to the server without freeradius and browse the internet with the server IP.
Do you think I should add these new rules?

Would you mind helping me more by sending e-mail to me or telling me your e-mail?
My e-mail is: exsolodev [at] gmail ...
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36937034
Regarding your last question:
I need to create users with daloradius and authenticate them with freeradius.
I want users to connect to my server with PPTP/L2TP/OpenVPN connections,
but the most important thing is PPTP.

Currently I follow the article step by step, and when I run "radiusd -X" and try to connect with a PPTP connection to the server I receive an authentication failed error.

I want to know: should I allow the default radius port to receive requests from the external net?
Or do I just allow PPTP to accept incoming connections, and PPTP will contact the radius server locally?
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36937038
What's the relation between the last link which you sent and my question?
My problem is I can't connect to my server with a PPTP connection, and "radiusd -X" doesn't show any information in debug mode.
0
 
LVL 81

Expert Comment

by:arnold
ID: 36937052
To confirm the existing stage of your setup
1) freeradius/mysql/daloradius is setup
2) pptp server with local login is setup and users can connect.

create the /etc/ppp/options.pptpd


http://linux.die.net/man/8/pppd-radius

Can you upload your configuration files:
/etc/pptpd.conf
/etc/ppp/options.pptpd

in /etc/pptpd.conf do you start ppp?

http://poptop.sourceforge.net/dox/pptpd.conf.txt

within the /etc/ppp/options.pptpd
plugin radius.so
radius-config-file /etc/radiusclient/radiusclient.conf

It is best to address this in this forum.
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36937068
Before I changed the configuration, PPTP worked and I could connect to the server and browse the internet.

In ClearOS, PPTP works with users which we create with LDAP (internal user creation app).

/etc/pptpd.conf
################################################################################
#
# Sample PoPToP configuration file
#
# for PoPToP version 1.0.1
#
################################################################################

# TAG: speed
#
#	Specifies the speed for the PPP daemon to talk at.
#	Some PPP daemons will ignore this value.
#
speed 115200

# TAG: option
#
#	Specifies the location of the PPP options file.
#	By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/options.pptpd

# TAG: debug
#
#	Turns on (more) debugging to syslog.
#
#debug

# TAG: localip
# TAG: remoteip
#
#	Specifies the local and remote IP address ranges.
#
#	You can specify single IP addresses separated by commas or you can
#	specify ranges, or both. For example:
#
#		192.168.0.234,192.168.0.245-249,192.168.0.254
#
#	IMPORTANT RESTRICTIONS:
#
#	1. No spaces are permitted between commas or within addresses.
#
#	2. If you give more IP addresses than MAX_CONNECTIONS, it will
#	   start at the beginning of the list and go until it gets
#	   MAX_CONNECTIONS IPs. Others will be ignored.
#
#	3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#	   you must type 234-238 if you mean this.
#
#	4. If you give a single localIP, that's ok - all local IPs will
#	   be set to the given one. You MUST still give at least one remote
#	   IP for each simultaneous client.
#
localip 192.168.1.101-200
remoteip 192.168.2.101-200

# TAG: ipxnets
#
#	This gives the range of IPX networks to allocate to clients.  By
#	default IPX network number allocation is not handled internally.
#	By putting a low and high network number here a pool of IPX networks
#	can be defined.  If this is done then there must be one IPX network
#	per client.
#
#	The format is a pair of hex numbers without any 0x prefix separated
#	by a hyphen.
#
#ipxnets 00001000-00001FFF

# TAG: listen
#
#	Defines the IP address of the local interface on which pptpd
#	should listen for connections.  The default is to listen on all
#	local interfaces (even ones brought up by pptp connections, thus
#	permitting pptp tunnels inside the pptp tunnels).
#
#listen 192.168.0.1

# TAG: pidfile
#
#	This defines the file name in which pptpd should store its process
#	ID (or pid).  The default is /var/run/pptpd.pid.
#
#pidfile /var/run/pptpd.pid




/etc/options.pptpd
lock
ms-dns 66.96.80.194
ms-dns 66.96.80.43
ms-wins 66.96.80.194
ms-wins 66.96.80.43
devname pptp
name pptp-vpn
auth
proxyarp
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
lcp-echo-failure 10
lcp-echo-interval 30
nobsdcomp
#file /etc/ppp/options.ldap
plugin radius.so


0
 
LVL 3

Author Comment

by:re-searcher
ID: 36937073
As you said in your previous post, I added "radius-config-file /etc/radiusclient-ng/radiusclient.conf" at the end of the file,

because, with your help, I installed radiusclient-ng instead of radiusclient.
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36937080
radiusd -X doesn't show any detail when I try to connect to the server with a PPTP connection (after I added "radius-config-file /etc/radiusclient-ng/radiusclient.conf").

The password which I create with daloradius is a Crypt-Password, and I don't save it in clear-text mode.

Is that enough to accept PPTP requests, or should I add some other attributes?
0
 
LVL 81

Expert Comment

by:arnold
ID: 36937084
note your location of options.pptpd is not in the path where you have it defined in /etc/pptpd.conf
copy /etc/options.pptpd to /etc/ppp/options.pptpd

you also need to add in the options.pptpd
radius-config-file /etc/radiusclient-ng/radiusclient.conf

Enable the debug in /etc/pptpd.conf so you can see what is going on on the pptpd server as well as the radius server.
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36937106
Sorry for my mistake; options.pptpd is located at /etc/ppp/options.pptpd.
I pasted the /etc/ppp/options.pptpd content; I just mistyped the file path.

As you see, options.pptpd contains the radius-config-file value.

How should I enable debug in /etc/pptpd.conf?
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36937119
I searched and found a command for pptp debugging, and I am sending the results here:
# pppd pty 'pptp server --nolaunchpppd' call tunnel debug dump logfd 2 nodetach 
Plugin radius.so loaded.
RADIUS plugin initialized.
pppd: Can't open options file /etc/ppp/peers/tunnel: No such file or directory


0
 
LVL 3

Author Comment

by:re-searcher
ID: 36937167
- Arnold

I found a new problem: after I installed radiusclient-ng, freeradius does not respond to my requests.

I attach my last "radiusd -X" results:
# radiusd -X
FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on May 19 2010 at 13:10:59
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/radius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 40
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = "/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead = no
 }
 home_server localhost {
	ipaddr = 127.0.0.1
	port = 1812
	type = "auth"
	secret = "testing123"
	response_window = 20
	max_outstanding = 65536
	require_message_authenticator = no
	zombie_period = 40
	status_check = "status-server"
	ping_interval = 30
	check_interval = 30
	num_answers_to_alive = 3
	num_pings_to_alive = 3
	revive_interval = 120
	status_check_timeout = 4
	irt = 2
	mrt = 16
	mrc = 5
	mrd = 30
 }
 home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
 }
 realm example.com {
	auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = "k8Yyt4WpzcgNubfbZh7"
	nastype = "other"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
	wait = no
	input_pairs = "request"
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
	reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
	reply-message = "You are calling outside your allowed timespan  "
	minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
	encryption_scheme = "auto"
	auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
	use_mppe = yes
	require_encryption = no
	require_strong = no
	with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
	radwtmp = "/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
	default_eap_type = "md5"
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
	challenge = "Password: "
	auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
	rsa_key_exchange = no
	dh_key_exchange = yes
	rsa_key_length = 512
	dh_key_length = 512
	verify_depth = 0
	pem_file_type = yes
	private_key_file = "/etc/raddb/certs/server.pem"
	certificate_file = "/etc/raddb/certs/server.pem"
	CA_file = "/etc/raddb/certs/ca.pem"
	private_key_password = "whatever"
	dh_file = "/etc/raddb/certs/dh"
	random_file = "/etc/raddb/certs/random"
	fragment_size = 1024
	include_length = yes
	check_crl = no
	cipher_list = "DEFAULT"
	make_cert_command = "/etc/raddb/certs/bootstrap"
    cache {
	enable = no
	lifetime = 24
	max_entries = 255
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
	default_eap_type = "md5"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	virtual_server = "inner-tunnel"
	include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
	default_eap_type = "mschapv2"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	proxy_tunneled_request_as_eap = yes
	virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
	with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
	format = "suffix"
	delimiter = "@"
	ignore_default = no
	ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
	usersfile = "/etc/raddb/users"
	acctusersfile = "/etc/raddb/acct_users"
	preproxy_usersfile = "/etc/raddb/preproxy_users"
	compat = "no"
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
	filename = "/var/log/radius/radutmp"
	username = "%{User-Name}"
	case_sensitive = yes
	check_with_nas = yes
	perm = 384
	callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
	attrsfile = "/etc/raddb/attrs.access_reject"
	key = "%{User-Name}"
  }
 } # modules
} # server
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
	huntgroups = "/etc/raddb/huntgroups"
	hints = "/etc/raddb/hints"
	with_ascend_hack = no
	ascend_channels_per_line = 23
	with_ntdomain_hack = no
	with_specialix_jetstream_hack = no
	with_cisco_vsa_hack = no
	with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_sql
 Module: Instantiating sql
  sql {
	driver = "rlm_sql_mysql"
	server = "localhost"
	port = ""
	login = "raduser"
	password = "link2@@2"
	radius_db = "rdb"
	read_groups = yes
	sqltrace = no
	sqltracefile = "/var/log/radius/sqltrace.sql"
	readclients = yes
	deletestalesessions = yes
	num_sql_socks = 5
	lifetime = 0
	max_queries = 0
	sql_user_name = "%{User-Name}"
	default_user_profile = ""
	nas_query = "SELECT id, nasname, shortname, type, secret FROM nas"
	authorize_check_query = "SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id"
	authorize_reply_query = "SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id"
	authorize_group_check_query = "SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id"
	authorize_group_reply_query = "SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id"
	accounting_onoff_query = "          UPDATE radacct           SET              acctstoptime       =  '%S',              acctsessiontime    =  unix_timestamp('%S') -                                    unix_timestamp(acctstarttime),              acctterminatecause =  '%{Acct-Terminate-Cause}',              acctstopdelay      =  %{%{Acct-Delay-Time}:-0}           WHERE acctstoptime IS NULL           AND nasipaddress      =  '%{NAS-IP-Address}'           AND acctstarttime     <= '%S'"
	accounting_update_query = "           UPDATE radacct           SET              framedipaddress = '%{Framed-IP-Address}',              acctsessiontime     = '%{Acct-Session-Time}',              acctinputoctets     = '%{%{Acct-Input-Gigawords}:-0}'  << 32 |                                    '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets    = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                    '%{%{Acct-Output-Octets}:-0}'           WHERE acctsessionid = '%{Acct-Session-Id}'           AND username        = '%{SQL-User-Name}'           AND nasipaddress    = '%{NAS-IP-Address}'"
	accounting_update_query_alt = "           INSERT INTO radacct             (acctsessionid,    acctuniqueid,      username,              realm,            nasipaddress,      nasportid,              nasporttype,      acctstarttime,     acctsessiontime,              acctauthentic,    connectinfo_start, acctinputoctets,              acctoutputoctets, calledstationid,   callingstationid,              servicetype,      framedprotocol,    framedipaddress,              acctstartdelay,   xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}',              DATE_SUB('%S',                       INTERVAL (%{%{Acct-Session-Time}:-0} +                                 %{%{Acct-Delay-Time}:-0}) SECOND),                       '%{Acct-Session-Time}',              '%{Acct-Authentic}', '',              '%{%{Acct-Input-Gigawords}:-0}' << 32 |              '%{%{Acct-Input-Octets}:-0}',              '%{%{Acct-Output-Gigawords}:-0}' << 32 |              '%{%{Acct-Output-Octets}:-0}',              '%{Called-Station-Id}', '%{Calling-Station-Id}',              '%{Service-Type}', '%{Framed-Protocol}',              '%{Framed-IP-Address}',              '0', '%{X-Ascend-Session-Svr-Key}')"
	accounting_start_query = "           INSERT INTO radacct             (acctsessionid,    acctuniqueid,     username,              realm,            nasipaddress,     nasportid,              nasporttype,      acctstarttime,    acctstoptime,              acctsessiontime,  acctauthentic,    connectinfo_start,              connectinfo_stop, acctinputoctets,  acctoutputoctets,              calledstationid,  callingstationid, acctterminatecause,              servicetype,      framedprotocol,   framedipaddress,              acctstartdelay,   acctstopdelay,    xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,              '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0', '0',              '%{Called-Station-Id}', '%{Calling-Station-Id}', '',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',              '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
	accounting_start_query_alt = "           UPDATE radacct SET              acctstarttime     = '%S',              acctstartdelay    = '%{%{Acct-Delay-Time}:-0}',              connectinfo_start = '%{Connect-Info}'           WHERE acctsessionid  = '%{Acct-Session-Id}'           AND username         = '%{SQL-User-Name}'           AND nasipaddress     = '%{NAS-IP-Address}'"
	accounting_stop_query = "           UPDATE radacct SET              acctstoptime       = '%S',              acctsessiontime    = '%{Acct-Session-Time}',              acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Output-Octets}:-0}',              acctterminatecause = '%{Acct-Terminate-Cause}',              acctstopdelay      = '%{%{Acct-Delay-Time}:-0}',              connectinfo_stop   = '%{Connect-Info}'           WHERE acctsessionid   = '%{Acct-Session-Id}'           AND username          = '%{SQL-User-Name}'           AND nasipaddress      = '%{NAS-IP-Address}'"
	accounting_stop_query_alt = "           INSERT INTO radacct             (acctsessionid, acctuniqueid, username,              realm, nasipaddress, nasportid,              nasporttype, acctstarttime, acctstoptime,              acctsessiontime, acctauthentic, connectinfo_start,              connectinfo_stop, acctinputoctets, acctoutputoctets,              calledstationid, callingstationid, acctterminatecause,              servicetype, framedprotocol, framedipaddress,              acctstartdelay, acctstopdelay)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}',              DATE_SUB('%S',                  INTERVAL (%{%{Acct-Session-Time}:-0} +                  %{%{Acct-Delay-Time}:-0}) SECOND),              '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '',              '%{Connect-Info}',              '%{%{Acct-Input-Gigawords}:-0}' << 32 |              '%{%{Acct-Input-Octets}:-0}',              '%{%{Acct-Output-Gigawords}:-0}' << 32 |              '%{%{Acct-Output-Octets}:-0}',              '%{Called-Station-Id}', '%{Calling-Station-Id}',              '%{Acct-Terminate-Cause}',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',              '0', '%{%{Acct-Delay-Time}:-0}')"
	group_membership_query = "SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority"
	connect_failure_retry_delay = 60
	simul_count_query = ""
	simul_verify_query = "SELECT radacctid, acctsessionid, username,                                nasipaddress, nasportid, framedipaddress,                                callingstationid, framedprotocol                                FROM radacct                                WHERE username = '%{SQL-User-Name}'                                AND acctstoptime IS NULL"
	postauth_query = "INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S')"
	safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to raduser@localhost:/rdb
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
	detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
	header = "%t"
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
	attrsfile = "/etc/raddb/attrs.accounting_response"
	key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 0
}
listen {
	type = "acct"
	ipaddr = *
	port = 0
}
listen {
	type = "control"
 listen {
	socket = "/var/run/radiusd/radiusd.sock"
 }
}
Listening on authentication interface eth0 address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.


0
 
LVL 3

Author Comment

by:re-searcher
ID: 36937170
In the radius debug results I don't see the radiusclient-ng directories and files.

Do you know why?
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36937196
I changed the localhost secret key from testing123 to xyzxyz123, but in the debug result it's the previous secret key.
0
 
LVL 81

Expert Comment

by:arnold
ID: 36937251
Where are you making these changes?
within the radtest or within /etc/raddb/clients?
Can you post the radius debug of the received request?
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36937255
Both.

I set the new secret key in /etc/raddb/clients.conf, and for testing I use my new secret key.
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36937259
It has occurred since the time I installed radiusclient-ng.
So, I will remove radiusclient-ng and install radiusclient from
http://pkgs.repoforge.org/radiusclient/

file name: radiusclient-0.3.2-0.2.el5.rf.i386.rpm
0
 
LVL 81

Expert Comment

by:arnold
ID: 36937271
After making changes to any configuration files, you have to restart the radius service.

If you feel more comfortable with this one, do so.  

You still only configure freeradius to listen on one port while it might be that the request from ppp via radiusclient-ng or radiusclient will be coming in on the old default port which was 1645 and is often the default in several components.

radiusd -p 1645 -p 1812
or try within the configuration radius.conf
port="1812"
port=1645
or
while debugging
radiusd -X -p 1645 -p 1812
0
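To tell the three failure modes in this thread apart (no listener on the port, a shared secret that differs between the client and clients.conf, and a rejected credential), here is a minimal RADIUS Access-Request probe written for this answer; it is added example code, not radtest or anything from the thread, and the host, ports, secret and credentials in it are constructed placeholders.

```python
"""Minimal RADIUS Access-Request probe (RFC 2865, PAP).

Added example, not code from this thread. It does what radtest does but reports
three distinct outcomes: no reply (port/firewall/daemon), a reply whose Response
Authenticator does not verify (shared-secret mismatch), and Access-Reject
(credentials). Host, ports, secret and credentials are constructed placeholders.
"""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_NAS_PORT = 1, 2, 4, 5
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}
HEADER = struct.Struct("!BBH")  # code, identifier, length


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide User-Password as in RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each
    block with MD5(secret + previous cipher block), seeded by the authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password.ljust((len(password) + 15) // 16 * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decrypt_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_password (what the server does before checking PAP)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One TLV attribute: type, total length (including the 2 header bytes), value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret, authenticator, nas_ip="127.0.0.1"):
    """Code 1 packet with User-Name, hidden User-Password, NAS-IP-Address, NAS-Port."""
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, encrypt_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP, socket.inet_aton(nas_ip))
             + attribute(ATTR_NAS_PORT, struct.pack("!I", 0)))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(header, request_authenticator, attrs, secret):
    """RFC 2865 section 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def classify_reply(reply, ident, request_authenticator, secret):
    """A reply whose Response Authenticator does not verify was signed with a
    different secret: the request reached radiusd, but the client entry
    (clients.conf, or the SQL 'nas' table when readclients = yes) holds another secret."""
    if len(reply) < 20:
        return "malformed"
    code, reply_ident, length = HEADER.unpack(reply[:4])
    if reply_ident != ident or length < 20 or length > len(reply):
        return "malformed"
    reply = reply[:length]
    if reply[4:20] != response_authenticator(reply[:4], request_authenticator, reply[20:], secret):
        return "bad-authenticator (shared secret mismatch)"
    return CODE_NAMES.get(code, "code-%d" % code)


def probe(host, port, secret, username, password, timeout=3.0):
    """Send one Access-Request. No reply at all means nothing is listening on that
    port or the packet was filtered, which is a different fix from a wrong secret
    or wrong credentials."""
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(ident, username, password, secret, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout (no listener on %s:%d, or packet filtered)" % (host, port)
    return classify_reply(reply, ident, authenticator, secret)


if __name__ == "__main__":
    # Constructed placeholders: substitute the secret from your own clients.conf.
    for port in (1812, 1645):
        print(port, probe("127.0.0.1", port, b"PLACEHOLDER_SECRET", "testuser", "testpass"))
```

Run it on the radius host while radiusd -X is running: a timeout on one port and a reply on the other shows which port set the daemon is actually bound to, and a bad-authenticator result points at the secret rather than the port.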
 
LVL 81

Expert Comment

by:arnold
ID: 36937283
rpm -ql | grep -i freeradius
rpm --verify <freeradius package name>

radiusclient-ng is using the radiusclient-ng in the naming convention such that it is improbable that it will overwrite your prior existing items.
 
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36937302
# rpm -ivh radiusclient-0.3.2-0.2.el5.rf.i386.rpm
warning: radiusclient-0.3.2-0.2.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing...                ########################################### [100%]
	package radiusclient-0.3.2-0.2.el5.rf.i386 is already installed
# rpm -ql | grep -i freeradius2
rpmq: no arguments given for query
# rpm -ql | grep -i freeradius
rpmq: no arguments given for query
[# rpm --verify radiusclient-0.3.2-0.2.el5.rf.i386.rpm
package radiusclient-0.3.2-0.2.el5.rf.i386.rpm is not installed


0
 
LVL 3

Author Comment

by:re-searcher
ID: 36937306
If I did everything correctly, then why does it occur?
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36937325
It's not possible for me to run radiusd on port 1645 because it's in use.
Failed binding to accounting address * port 1645: Address already in use 
/etc/raddb/radiusd.conf[316]: Error binding to port for 0.0.0.0 port 1645
[root@uss01-nova ~]# service radiusd status
radiusd is stopped



I rebooted my server and received this error again.
0
 
LVL 81

Expert Comment

by:arnold
ID: 36937333
I do not know what occurred.
The issue is also since you are using mysql as the backend for freeradius, the settings might be stored within the mysql database and the /etc/raddb/ related configurations for clients/etc. are not considered.

Sorry for the typo:
rpm -qa | grep -i freeradius
rpm -qa | grep -i  radiusclient

rpm --verify <packagename as listed in the rpm -qa | grep results>

when you use the .rpm as in rpm --verify radiusclient-0.3.2-0.2.el5.rf.i386.rpm the package is likely radiusclient-0.3.2-0.2.el5.rf.i386
rpm --verify radiusclient-0.3.2-0.2.el5.rf.i386
0
 
LVL 81

Expert Comment

by:arnold
ID: 36937336
/usr/sbin/lsof -i:1645 to see what you have running and listening on this port.
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36937341
I see.
Here is the result of those commands:
# rpm -ivh radiusclient-0.3.2-0.2.el5.rf.i386.rpm
warning: radiusclient-0.3.2-0.2.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing...                ########################################### [100%]
	package radiusclient-0.3.2-0.2.el5.rf.i386 is already installed
# rpm -qa | grep -i freeradius
freeradius2-2.1.7-7.v5
freeradius2-utils-2.1.7-7.v5
freeradius2-mysql-2.1.7-7.v5
# rpm -qa | grep -i  radiusclient
radiusclient-0.3.2-0.2.el5.rf
# rpm --verify radiusclient-0.3.2-0.2.el5.rf.i386.rpm
package radiusclient-0.3.2-0.2.el5.rf.i386.rpm is not installed


0
 
LVL 3

Author Comment

by:re-searcher
ID: 36937345

# /usr/sbin/lsof -i:1645
# 


0
 
LVL 3

Author Comment

by:re-searcher
ID: 36937354
I added the NAS in daloradius, but again I receive the "server not responding" error, and radiusd -X doesn't show anything.

Listening on authentication interface eth0 address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Ready to process requests.



# radtest testuser testpass 127.0.0.1 0 k8Yyt4WpzcgNubfbZh7
Sending Access-Request of id 173 to 127.0.0.1 port 1812
	User-Name = "testuser"
	User-Password = "testpass"
	NAS-IP-Address = 206.2.1.150
	NAS-Port = 0
Sending Access-Request of id 173 to 127.0.0.1 port 1812
	User-Name = "testuser"
	User-Password = "testpass"
	NAS-IP-Address = 206.2.1.150
	NAS-Port = 0
Sending Access-Request of id 173 to 127.0.0.1 port 1812
	User-Name = "testuser"
	User-Password = "testpass"
	NAS-IP-Address = 206.2.1.150
	NAS-Port = 0
radclient: no response from server for ID 173 socket 3


0
 
LVL 81

Expert Comment

by:arnold
ID: 36937355
rpm --verify radiusclient-0.3.2-0.2.el5.rf.i386
rpm --verify freeradius2-2.1.7-7.v5

But if you run radiusd -X -p 1812 while in a second window you run /usr/sbin/lsof -i:1645, does it return the PID of the radiusd that you have running that includes 1812?
Can you post the lsof output?  Have not looked at it recently to see whether freeradius auto listens on the old 1645 port.
0
 
LVL 81

Expert Comment

by:arnold
ID: 36937362
What is the output from below?
radtest -d /etc/raddb testuser testpass 127.0.0.1

Is the secret you are using the correct secret for a client 127.0.0.1?

While working on this, did you make any changes to the freeradius/mysql/daloradius configurations?
0
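The two symptoms being chased here (radtest retrying three times and ending in "no response from server", and a secret that "seems" wrong) look alike on the client but come from different places, and it helps to see what the shared secret actually does on the wire. In RFC 2865 the secret is used twice: to obfuscate User-Password in the Access-Request, and to compute the Response Authenticator the server puts on its reply. A request from an IP that is not a configured client gets no reply at all (FreeRADIUS drops it, which is the "no response" case), whereas a wrong secret on an accepted client still produces a reply, only one the client cannot validate. The script below is an added illustration, not FreeRADIUS or radclient code: a toy server and client that implement just that much of the protocol. The user database, the client table and the secrets in it are constructed sample data, not values from this thread.

```python
"""Minimal RADIUS (RFC 2865) PAP exchange between a toy client and a toy server.

Added illustration, not FreeRADIUS code. USERS, SERVER_CLIENTS and the secrets
used in __main__ are constructed sample data (assumptions), not the thread's values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5

USERS = {"testuser": b"testpass"}                         # constructed sample user
SERVER_CLIENTS = {"127.0.0.1": b"correct-shared-secret"}  # constructed client table


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: zero-pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decrypt_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encrypt_password; with the wrong secret this yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(username: str, password: bytes, secret: bytes, ident: int = 1):
    """Client side. Returns the packet and the Request Authenticator needed to check the reply."""
    request_auth = os.urandom(16)  # fresh per request; also the IV for User-Password
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, encrypt_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes([127, 0, 0, 1])),
        (NAS_PORT, struct.pack("!I", 0)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body, request_auth


def server_handle(packet: bytes, src_ip: str, clients: dict, users: dict):
    """Server side. A source IP that is not a configured client is dropped silently (None)."""
    secret = clients.get(src_ip)
    if secret is None:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        return None
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    given = decrypt_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = user in users and hmac.compare_digest(given, users[user])
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # RFC 2865 section 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator with the client's copy of the secret."""
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def exchange(username: str, password: bytes, client_secret: bytes,
             src_ip: str = "127.0.0.1", clients=SERVER_CLIENTS, users=USERS) -> str:
    """Run one request/reply round trip in-process and describe what the client sees."""
    request, request_auth = build_access_request(username, password, client_secret)
    reply = server_handle(request, src_ip, clients, users)
    if reply is None:
        return "no response from server"
    if not verify_reply(reply, request_auth, client_secret):
        return "reply fails Response Authenticator check (shared secret mismatch)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}[reply[0]]


if __name__ == "__main__":
    good = SERVER_CLIENTS["127.0.0.1"]
    print(exchange("testuser", b"testpass", good))                   # Access-Accept
    print(exchange("testuser", b"wrong", good))                      # Access-Reject
    print(exchange("testuser", b"testpass", b"stale-secret"))        # authenticator check fails
    print(exchange("testuser", b"testpass", good, src_ip="10.0.0.9"))  # no response (unknown NAS)
```

The four calls in __main__ are the cases worth separating while debugging: a good secret with a good or bad password gets Accept or Reject, a stale secret still gets a reply that fails the authenticator check, and only an unknown source address gets nothing back. The radiusd -X output later in this thread also shows "WARNING: Ignoring duplicate client 127.0.0.1": with readclients = yes the SQL nas table is read after clients.conf, and the clients.conf entry is the one kept for 127.0.0.1, so that is the secret radtest has to match.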
 
LVL 3

Author Comment

by:re-searcher
ID: 36937366
I sent the lsof result in my previous post, but I will run radiusd in debug mode again and test lsof.

# rpm --verify radiusclient-0.3.2-0.2.el5.rf.i386
S.5....T  c /etc/radiusclient/servers
# rpm --verify freeradius2-2.1.7-7.v5
S.5....T  c /etc/raddb/clients.conf
S.5....T  c /etc/raddb/proxy.conf
S.5....T  c /etc/raddb/radiusd.conf
S.5....T  c /etc/raddb/sites-available/default
S.5....T  c /etc/raddb/sql.conf



# radiusd -X -p 1812
radiusd: The options -i and -p cannot be used individually.



# radiusd -X 
FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on May 19 2010 at 13:10:59
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/radius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 40
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = "/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = no
 log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
 client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = "k8Yyt4WpzcgNubfbZh7"
	nastype = "other"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
	wait = no
	input_pairs = "request"
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
	reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
	reply-message = "You are calling outside your allowed timespan  "
	minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
	encryption_scheme = "auto"
	auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
	use_mppe = yes
	require_encryption = no
	require_strong = no
	with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
	radwtmp = "/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
	default_eap_type = "md5"
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
	challenge = "Password: "
	auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
	rsa_key_exchange = no
	dh_key_exchange = yes
	rsa_key_length = 512
	dh_key_length = 512
	verify_depth = 0
	pem_file_type = yes
	private_key_file = "/etc/raddb/certs/server.pem"
	certificate_file = "/etc/raddb/certs/server.pem"
	CA_file = "/etc/raddb/certs/ca.pem"
	private_key_password = "whatever"
	dh_file = "/etc/raddb/certs/dh"
	random_file = "/etc/raddb/certs/random"
	fragment_size = 1024
	include_length = yes
	check_crl = no
	cipher_list = "DEFAULT"
	make_cert_command = "/etc/raddb/certs/bootstrap"
    cache {
	enable = no
	lifetime = 24
	max_entries = 255
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
	default_eap_type = "md5"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	virtual_server = "inner-tunnel"
	include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
	default_eap_type = "mschapv2"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	proxy_tunneled_request_as_eap = yes
	virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
	with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
	format = "suffix"
	delimiter = "@"
	ignore_default = no
	ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
	usersfile = "/etc/raddb/users"
	acctusersfile = "/etc/raddb/acct_users"
	preproxy_usersfile = "/etc/raddb/preproxy_users"
	compat = "no"
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
	filename = "/var/log/radius/radutmp"
	username = "%{User-Name}"
	case_sensitive = yes
	check_with_nas = yes
	perm = 384
	callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
	attrsfile = "/etc/raddb/attrs.access_reject"
	key = "%{User-Name}"
  }
 } # modules
} # server
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
	huntgroups = "/etc/raddb/huntgroups"
	hints = "/etc/raddb/hints"
	with_ascend_hack = no
	ascend_channels_per_line = 23
	with_ntdomain_hack = no
	with_specialix_jetstream_hack = no
	with_cisco_vsa_hack = no
	with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_sql
 Module: Instantiating sql
  sql {
	driver = "rlm_sql_mysql"
	server = "localhost"
	port = ""
	login = "raduser"
	password = "link2@@2"
	radius_db = "rdb"
	read_groups = yes
	sqltrace = no
	sqltracefile = "/var/log/radius/sqltrace.sql"
	readclients = yes
	deletestalesessions = yes
	num_sql_socks = 5
	lifetime = 0
	max_queries = 0
	sql_user_name = "%{User-Name}"
	default_user_profile = ""
	nas_query = "SELECT id, nasname, shortname, type, secret FROM nas"
	authorize_check_query = "SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id"
	authorize_reply_query = "SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id"
	authorize_group_check_query = "SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id"
	authorize_group_reply_query = "SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id"
	accounting_onoff_query = "          UPDATE radacct           SET              acctstoptime       =  '%S',              acctsessiontime    =  unix_timestamp('%S') -                                    unix_timestamp(acctstarttime),              acctterminatecause =  '%{Acct-Terminate-Cause}',              acctstopdelay      =  %{%{Acct-Delay-Time}:-0}           WHERE acctstoptime IS NULL           AND nasipaddress      =  '%{NAS-IP-Address}'           AND acctstarttime     <= '%S'"
	accounting_update_query = "           UPDATE radacct           SET              framedipaddress = '%{Framed-IP-Address}',              acctsessiontime     = '%{Acct-Session-Time}',              acctinputoctets     = '%{%{Acct-Input-Gigawords}:-0}'  << 32 |                                    '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets    = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                    '%{%{Acct-Output-Octets}:-0}'           WHERE acctsessionid = '%{Acct-Session-Id}'           AND username        = '%{SQL-User-Name}'           AND nasipaddress    = '%{NAS-IP-Address}'"
	accounting_update_query_alt = "           INSERT INTO radacct             (acctsessionid,    acctuniqueid,      username,              realm,            nasipaddress,      nasportid,              nasporttype,      acctstarttime,     acctsessiontime,              acctauthentic,    connectinfo_start, acctinputoctets,              acctoutputoctets, calledstationid,   callingstationid,              servicetype,      framedprotocol,    framedipaddress,              acctstartdelay,   xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}',              DATE_SUB('%S',                       INTERVAL (%{%{Acct-Session-Time}:-0} +                                 %{%{Acct-Delay-Time}:-0}) SECOND),                       '%{Acct-Session-Time}',              '%{Acct-Authentic}', '',              '%{%{Acct-Input-Gigawords}:-0}' << 32 |              '%{%{Acct-Input-Octets}:-0}',              '%{%{Acct-Output-Gigawords}:-0}' << 32 |              '%{%{Acct-Output-Octets}:-0}',              '%{Called-Station-Id}', '%{Calling-Station-Id}',              '%{Service-Type}', '%{Framed-Protocol}',              '%{Framed-IP-Address}',              '0', '%{X-Ascend-Session-Svr-Key}')"
	accounting_start_query = "           INSERT INTO radacct             (acctsessionid,    acctuniqueid,     username,              realm,            nasipaddress,     nasportid,              nasporttype,      acctstarttime,    acctstoptime,              acctsessiontime,  acctauthentic,    connectinfo_start,              connectinfo_stop, acctinputoctets,  acctoutputoctets,              calledstationid,  callingstationid, acctterminatecause,              servicetype,      framedprotocol,   framedipaddress,              acctstartdelay,   acctstopdelay,    xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,              '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0', '0',              '%{Called-Station-Id}', '%{Calling-Station-Id}', '',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',              '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
	accounting_start_query_alt = "           UPDATE radacct SET              acctstarttime     = '%S',              acctstartdelay    = '%{%{Acct-Delay-Time}:-0}',              connectinfo_start = '%{Connect-Info}'           WHERE acctsessionid  = '%{Acct-Session-Id}'           AND username         = '%{SQL-User-Name}'           AND nasipaddress     = '%{NAS-IP-Address}'"
	accounting_stop_query = "           UPDATE radacct SET              acctstoptime       = '%S',              acctsessiontime    = '%{Acct-Session-Time}',              acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Output-Octets}:-0}',              acctterminatecause = '%{Acct-Terminate-Cause}',              acctstopdelay      = '%{%{Acct-Delay-Time}:-0}',              connectinfo_stop   = '%{Connect-Info}'           WHERE acctsessionid   = '%{Acct-Session-Id}'           AND username          = '%{SQL-User-Name}'           AND nasipaddress      = '%{NAS-IP-Address}'"
	accounting_stop_query_alt = "           INSERT INTO radacct             (acctsessionid, acctuniqueid, username,              realm, nasipaddress, nasportid,              nasporttype, acctstarttime, acctstoptime,              acctsessiontime, acctauthentic, connectinfo_start,              connectinfo_stop, acctinputoctets, acctoutputoctets,              calledstationid, callingstationid, acctterminatecause,              servicetype, framedprotocol, framedipaddress,              acctstartdelay, acctstopdelay)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}',              DATE_SUB('%S',                  INTERVAL (%{%{Acct-Session-Time}:-0} +                  %{%{Acct-Delay-Time}:-0}) SECOND),              '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '',              '%{Connect-Info}',              '%{%{Acct-Input-Gigawords}:-0}' << 32 |              '%{%{Acct-Input-Octets}:-0}',              '%{%{Acct-Output-Gigawords}:-0}' << 32 |              '%{%{Acct-Output-Octets}:-0}',              '%{Called-Station-Id}', '%{Calling-Station-Id}',              '%{Acct-Terminate-Cause}',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',              '0', '%{%{Acct-Delay-Time}:-0}')"
	group_membership_query = "SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority"
	connect_failure_retry_delay = 60
	simul_count_query = ""
	simul_verify_query = "SELECT radacctid, acctsessionid, username,                                nasipaddress, nasportid, framedipaddress,                                callingstationid, framedprotocol                                FROM radacct                                WHERE username = '%{SQL-User-Name}'                                AND acctstoptime IS NULL"
	postauth_query = "INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S')"
	safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to raduser@localhost:/rdb
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Read entry nasname=localhost,shortname=localhost,secret=k8Yyt4WpzcgNubfbZh7
rlm_sql (sql): Adding client 127.0.0.1 (localhost, server=<none>) to clients list
WARNING: Ignoring duplicate client 127.0.0.1
rlm_sql (sql): Released sql socket id: 4
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
	detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
	header = "%t"
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
	attrsfile = "/etc/raddb/attrs.accounting_response"
	key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 0
}
listen {
	type = "acct"
	ipaddr = *
	port = 0
}
listen {
	type = "control"
 listen {
	socket = "/var/run/radiusd/radiusd.sock"
 }
}
Listening on authentication interface eth0 address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Ready to process requests.




lsof returns nothing:
# /usr/sbin/lsof -i:1645

# /usr/sbin/lsof -i:1812
COMMAND  PID    USER   FD   TYPE DEVICE SIZE NODE NAME
radiusd 7939 radiusd   11u  IPv4 143243       UDP *:radius 

# /usr/sbin/lsof -i:1813
COMMAND  PID    USER   FD   TYPE DEVICE SIZE NODE NAME
radiusd 7939 radiusd   12u  IPv4 143244       UDP *:radius-acct 

# radtest testuser testpass 127.0.0.1 0 k8Yyt4WpzcgNubfbZh7
Sending Access-Request of id 219 to 127.0.0.1 port 1812
	User-Name = "testuser"
	User-Password = "testpass"
	NAS-IP-Address = 206.1.2.150
	NAS-Port = 0
Sending Access-Request of id 219 to 127.0.0.1 port 1812
	User-Name = "testuser"
	User-Password = "testpass"
	NAS-IP-Address = 206.2.1.150
	NAS-Port = 0
Sending Access-Request of id 219 to 127.0.0.1 port 1812
	User-Name = "testuser"
	User-Password = "testpass"
	NAS-IP-Address = 206.2.1.150
	NAS-Port = 0
radclient: no response from server for ID 219 socket 3





0
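The rpm --verify lines in the post above are worth reading closely, because this is the one cheap package-integrity check available here. Each record starts with eight (on newer rpm, nine) flag positions: S size, M mode, 5 MD5/digest, D device, L symlink, U owner, G group, T mtime, P capabilities; a dot means unchanged. The "c" before the path marks a %config file. So "S.5....T  c /etc/raddb/clients.conf" says only that an edited config file differs in size, digest and mtime, which is exactly what you expect after changing the secret. The same flags on /usr/sbin/radiusd or a module under /usr/lib/freeradius, with no "c", would mean the installed binary no longer matches the package, which is the kind of thing to find before blaming configuration. The script below is an added example, not something from this thread; it parses that output and sorts expected config edits from records that deserve attention. The first two sample lines are the ones shown above for freeradius2; the remaining sample lines are constructed to exercise the other cases and do not describe the poster's system.

```python
"""Classify `rpm --verify` / `rpm -Va` output for a package such as freeradius2.

Added illustration, not from the thread. SAMPLE: the first two records are the
ones the thread shows; the rest are constructed and do not describe any real host.
"""
import sys

# rpm -V flag letters ('.' = unchanged, '?' = test could not be run).
FLAG_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "link",
              "U": "owner", "G": "group", "T": "mtime", "P": "caps"}
ALLOWED = set(FLAG_NAMES) | {".", "?"}
TYPE_CHARS = set("cdglr")  # config, documentation, ghost, license, readme

SAMPLE = """\
S.5....T  c /etc/raddb/clients.conf
S.5....T  c /etc/raddb/radiusd.conf
.M...UG.  c /etc/raddb/sql.conf
S.5....T    /usr/sbin/radiusd
.......T    /usr/lib/freeradius/rlm_sql.so
missing     /usr/lib/freeradius/rlm_eap.so
"""


def parse_line(line: str):
    """Return a record dict for one verify line, or None for anything else (banners, warnings)."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return None
    head = parts[0]
    is_missing = head == "missing"
    if not is_missing and not (len(head) in (8, 9) and set(head) <= ALLOWED):
        return None
    if len(parts) == 3 and len(parts[1]) == 1 and parts[1] in TYPE_CHARS:
        ftype, path = parts[1], parts[2]
    else:
        ftype, path = "", line.split(None, 1)[1].strip()
    flags = set() if is_missing else {c for c in head if c in FLAG_NAMES}
    return {"missing": is_missing, "flags": flags, "config": ftype == "c", "path": path}


def classify(rec: dict) -> str:
    """Verdict per record: what an admin should treat as routine versus investigate."""
    flags = rec["flags"]
    if rec["missing"]:
        return "ALERT: file missing from package"
    if flags & {"M", "U", "G", "L", "D", "P"}:
        # A loosened mode on clients.conf or sql.conf exposes shared secrets and DB passwords.
        return "ALERT: permission/ownership/link change"
    if flags & {"S", "5"}:
        return "expected: edited config" if rec["config"] else "ALERT: content of non-config file changed"
    if flags == {"T"}:
        return "info: mtime only"
    return "ok"


def verify_report(text: str):
    """Map each verify record in `text` to (path, verdict), in input order."""
    report = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            report.append((rec["path"], classify(rec)))
    return report


def alerts(text: str):
    """Paths whose verdict starts with ALERT: the ones to look at before touching config."""
    return [path for path, verdict in verify_report(text) if verdict.startswith("ALERT")]


if __name__ == "__main__":
    # Usage: rpm --verify freeradius2 | python rpm_verify_triage.py   (or run alone for SAMPLE)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for path, verdict in verify_report(text):
        print(f"{verdict:45s} {path}")
```

Run it as `rpm --verify freeradius2 freeradius2-mysql freeradius2-utils | python rpm_verify_triage.py` on the server (the file name is an assumption; use whatever you save it as). Anything it prints as ALERT is a reason to reinstall the package from the repository before spending more time on clients.conf.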
 
LVL 3

Author Comment

by:re-searcher
ID: 36937367
Yes, the secret key is exactly the same as the "/etc/raddb/radiusd.conf" secret key.

I just did what the articles you sent here say.

If it's better that I remove freeradius and the freeradius modules, let me know and I will do all of it again.
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36937371
Two posts back I sent the radiusd -X result. On line 96 you can see that the secret key is right.
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36937374
If you send me an e-mail at exsolodev [at] gmail, I will send you SSH details so you can check for yourself. (Be sure I will not ask questions that I don't post on Experts Exchange.)
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36939148
Dear Arnold,

I reinstalled freeradius2, freeradius2-mysql and freeradius2-utils + radiusclient-ng.

I configured /raddb/certs, radiusd.conf and sql.conf, and I receive the following error when debugging:

# radiusd -X
FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on May 19 2010 at 13:10:59
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/radius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = "/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = no
 log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
 client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = "testing123"
	nastype = "other"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
	wait = no
	input_pairs = "request"
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
	reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
	reply-message = "You are calling outside your allowed timespan  "
	minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
	encryption_scheme = "auto"
	auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
	use_mppe = yes
	require_encryption = no
	require_strong = no
	with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
	radwtmp = "/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
	default_eap_type = "md5"
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
	challenge = "Password: "
	auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
	rsa_key_exchange = no
	dh_key_exchange = yes
	rsa_key_length = 512
	dh_key_length = 512
	verify_depth = 0
	pem_file_type = yes
	private_key_file = "/etc/raddb/certs/server.pem"
	certificate_file = "/etc/raddb/certs/server.pem"
	CA_file = "/etc/raddb/certs/ca.pem"
	private_key_password = "whatever"
	dh_file = "/etc/raddb/certs/dh"
	random_file = "/etc/raddb/certs/random"
	fragment_size = 1024
	include_length = yes
	check_crl = no
	cipher_list = "DEFAULT"
	make_cert_command = "/etc/raddb/certs/bootstrap"
    cache {
	enable = no
	lifetime = 24
	max_entries = 255
    }
   }
rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
rlm_eap_tls: Error reading private key file /etc/raddb/certs/server.pem
rlm_eap: Failed to initialize type tls
/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module "eap".
/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section. 
# 

0
 
LVL 3

Author Comment

by:re-searcher
ID: 36939267
I fixed it myself.
I reconfigured the raddb contents.
0
 
LVL 81

Expert Comment

by:arnold
ID: 36939274
Did you create/recreate the certificate?
/etc/raddb/certs/server.pem
What is in there?
Did you also fill in a CA?
This is the source of the error:
rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
rlm_eap_tls: Error reading private key file /etc/raddb/certs/server.pem
rlm_eap: Failed to initialize type tls


Freeradius was working, I am not sure what changes you made that broke it.

What was the result of running
rpm --verify <freeradius>?

0
 
LVL 3

Author Comment

by:re-searcher
ID: 36939291
As I said in my previous post, I fixed the certificate error and edited the certificates step by step as in "/etc/raddb/certs/README".

The problem was in eap.conf, and radiusd -X works as well.

# yum list \*radius\*
Loading "kmod" plugin
Loading "protect-packages" plugin
Installed Packages
freeradius2.i386                         2.1.7-7.v5             installed       
freeradius2-mysql.i386                   2.1.7-7.v5             installed       
freeradius2-utils.i386                   2.1.7-7.v5             installed       
radiusclient-ng.i386                     0.5.6-5.el5.rf         installed   

0
 
LVL 3

Author Comment

by:re-searcher
ID: 36939344
Do you know what /etc/radiusclient-ng/port-id-map is,
and how I should fill it?
It contains the following data:
/dev/tty1	1
/dev/tty2	2
/dev/tty3	3
/dev/tty4	4
/dev/tty5	5
/dev/tty6	6
/dev/tty7	7
/dev/tty8	8
/dev/ttyS0	9
/dev/ttyS1	10
/dev/ttyS2	11
/dev/ttyS3	12
/dev/ttyS4	13
/dev/ttyS5	14
/dev/ttyS6	15
/dev/ttyS7	16


How can I check these contents?
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36939356
- Arnold
I don't have /etc/modules.conf; instead I have modprobe.conf, which contains the following:
alias eth0 r8169
alias scsi_hostadapter ata_piix
alias scsi_hostadapter1 usb-storage


And at http://poptop.sourceforge.net/dox/radius_mysql.html I read that I should put some values in /etc/modules.conf:
alias char-major-108 ppp_generic
alias tty-ldisc-3 ppp_async
alias tty-ldisc-14 ppp_synctty
alias ppp-compress-18 ppp_mppe
alias ppp-comress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate


Should I add them to /etc/modprobe.conf?
0
 
LVL 81

Expert Comment

by:arnold
ID: 36939364
Can you check whether you have /etc/ppp/options.pptpd with contents
plugin radius.so
radius-config-file /etc/radiusclient-ng/radiusclient.conf
/etc/radiusclient-ng/servers
define the 127.0.0.1 secret as described in the example

then enable debug in /etc/pptpd.conf
see what it is doing during start with pptpd.
Attempt a connection and see whether it is generating the radius packet and to where it is generating it.
Check the freeradius output and see whether it is getting the packet and what it is doing with it.
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36939375
Yes, I added radius.so and radius-config-file to /etc/ppp/options.pptpd
and added "localhost    testing123" to /etc/radiusclient-ng/servers.

I am asking my question again; please read my previous post.

I don't know how to enable debug in /etc/pptpd.conf. How should I do it?
0
 
LVL 81

Expert Comment

by:arnold
ID: 36939381
Open pptpd.conf; the second item says debug. Uncomment the entry at the end of the description:
instead of
#debug
make it
debug

alternatively, if you want to run it in the same way you were testing radiusd -X
pptpd -d -f -c /etc/pptpd.conf
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36939412
I did it and received the authentication failed error again, and ran pptpd in debug mode.

How should I view the ppp debug details/logs?
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36939419
I didn't edit /etc/ppp/chap-secrets and pap-secrets; are you sure I should leave them without any modifications?

I can run radiusd in debug mode, and with the radtest command it works as well.

So the problem is not on the radius side; it should be in ppp or some other configuration.
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36939473
I just want to know: have you installed and integrated freeradius and freeradius-mysql with poptop?
I know you're not responsible for my question, but I want to be sure that I am spending my time the right way.
0
 
LVL 81

Expert Comment

by:arnold
ID: 36939578
There is a link for the poptop example.  When you use the plugin radius.so, the ppp chap/pap are ignored.  Ref. the subsequent links I provided.

grep -i ptpp /var/log/messages | more

Can you run pptpd on a command line in the same way you ran radiusd:
In one window:
/usr/sbin/pptpd -d -f -c /etc/ppptd.conf
in the other window:
radiusd -X

now make pptp connection attempts.
What do you see in each?
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36939613
With "/usr/sbin/pptpd -d -f -c /etc/ppptd.conf" it does not go into debug mode like radiusd -X; right after pressing enter I see the command line again.
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36939633
In some articles I read that we should add "radattr.so" at the end of pptpd.options like radius.so.
Is it necessary or not?

Because I haven't seen any other information regarding radattr.so.
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36939637
Sorry for the mistake, I mean /etc/ppp/options.pptpd.
0
 
LVL 81

Expert Comment

by:arnold
ID: 36940418
I do not believe you need radattr.so.  It deals with alterations to the connection based on the additional parameters that an accept response will have.
It is further down the line and at this time, let's just deal with getting the PPTP connection attempts to generate a radius request from the PPTPd server via PPP to the local radius server.

Could you post the output of running pptpd -f -d -c /etc/pptpd.conf while in a separate window you run radiusd -X
What is registered on the pptpd server when you make a pptp connection attempt?
What is happening on the radiusd side?
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36940431
- Arnold

I think the problem is with the PPTPd server, because on ClearOS poptop is not like the standard version; it is installed with some changes (custom poptop).

I uninstalled it from my server and tried installing PPTPd + ppp from poptop.sourceforge, but it did not install, with the reason "conflict with clearos ppp".

However, I can uninstall ppp too, but I have contacted ClearOS and am waiting for their answer. Once they approve it I will do it

and send the results here.
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36945867
Ok Arnold,

I installed the standard version of ppp (ppp-2.4.4-14.1.rhel5.i386) and pptpd (pptpd-1.3.4-2.rhel5.i386).

I have a question: I want to accept connection requests from all types of devices, like Windows 98 to 7, Mac OS, Linux, etc.

Which values should I use in /etc/ppp/options.pptpd?
For example, can I use both require-mschap and require-mschap-v2?
Please help me, if you can send all the values.
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36946369
Again pptpd doesn't go into debug mode, and when I try to connect with my VPN connection radiusd -X doesn't show anything.

Please help me.
I'm in a critical situation.
0
 
LVL 81

Expert Comment

by:arnold
ID: 36946679
You keep jumping from one set to another which means that every time you have to start from scratch.

The settings you reference for mschap etc. are part of the /etc/pptpd.conf since these are the rules by which credentials will be exchanged between the PPTP clients and the PPTP server.
Now that you have made changes again, I need to see what your configurations are.

The means of authentication on the backend /etc/ppp/options.pptpd is irrelevant for the purpose of the PPTP connection between the client and server.
I.e. if you walk to a door and hit the door bell, as long as the door opens you do not care whether there is a person that opened the door or there was someone who called someone else and they authorized the opening of the door, etc.
What is the result of running pptpd -f -d ? What do you see?  Does it show that it loaded radius.so?

If you take out the reference to /etc/ppp/options.pptpd from the /etc/pptpd.conf file can those clients establish a pptp connection?
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36946860
I removed ClearOS and am currently trying to install Ubuntu, because I like Ubuntu (it seems like Debian).

I don't jump and don't like jumping from one set to another; when I do everything in your posts and pptpd doesn't work, I try to find other ways which you don't tell here...

Currently I am trying to install Ubuntu.
Your command pptpd -f -d doesn't work and doesn't show anything.

Would you mind explaining all of it in one post, and I will accept it as the solution?
0
 
LVL 81

Expert Comment

by:arnold
ID: 36948428
Changing everything on a failure where you are not providing the output of what I am asking for, I have no idea what is the issue on your end to suggest a fix.
I can not explain what I can not see as the cause for your issue.

But this exercise will help you acquire troubleshooting skills.

The links I previously posted are of guides that got this to work.
The only thing I could think of is that your radiusclient.conf file was not configured as suggested in the several links.
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36959467
I installed Ubuntu and configured freeradius + mysql + daloradius and poptop.

With daloradius I tested the user and it works as well.

But again it doesn't work.

When I enter "/usr/sbin/pptpd -d -f -c /etc/ppptd.conf" it doesn't show anything:
wwsmanager@uss01:/etc/radiusclient$ sudo /usr/sbin/pptpd -d -f -c /etc/ppptd.conf
wwsmanager@uss01:/etc/radiusclient$ 
wwsmanager@uss01:/etc/radiusclient$ /usr/sbin/pptpd -d -f -c /etc/ppptd.conf
wwsmanager@uss01:/etc/radiusclient$ 


I think we are missing some important configurations.
0
 
LVL 81

Expert Comment

by:arnold
ID: 36959607
can you post the contents of your /etc/pptpd.conf file?
sudo bash
lsof -i:1723
if it returns nothing, run
/usr/sbin/pptpd -d -f -c /etc/pptpd.conf

grep -i pptp /var/log/messages any entries there?
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36959620
root@uss01:~# lsof -i:1723
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
pptpd   4479 root    6u  IPv4  23879      0t0  TCP *:1723 (LISTEN)
root@uss01:~# /usr/sbin/pptpd -d -f -c /etc/pptpd.conf
root@uss01:~# grep -i pptp /var/log/messages
Oct 11 23:56:15 uss01 pppd[4787]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 02:06:40 uss01 pppd[8715]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 02:06:44 uss01 pppd[8718]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 04:19:18 uss01 pppd[12733]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 05:39:33 uss01 pppd[15177]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 05:39:38 uss01 pppd[15179]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 14:27:18 uss01 pppd[4865]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 14:32:21 uss01 pppd[5156]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 14:32:33 uss01 pppd[5164]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 14:32:45 uss01 pppd[5172]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 17:38:32 uss01 pppd[23795]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 17:38:38 uss01 pppd[23803]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 17:38:43 uss01 pppd[23810]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 17:38:54 uss01 pppd[23819]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 17:39:03 uss01 pppd[23880]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 17:39:16 uss01 pppd[23888]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 17:39:22 uss01 pppd[23896]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 17:39:34 uss01 pppd[23905]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 17:42:56 uss01 pppd[24193]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 18:11:46 uss01 pppd[26906]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 19:44:54 uss01 pppd[1680]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 19:54:27 uss01 pppd[3611]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 20:42:30 uss01 pppd[4510]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 20:42:30 uss01 pppd[4510]: pptpd-logwtmp: $Version$
root@uss01:~# 




root@uss01:/etc# cat /etc/pptpd.conf
###############################################################################
# $Id: pptpd.conf 4255 2004-10-03 18:44:00Z rene $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################

# TAG: ppp
#	Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd

# TAG: option
#	Specifies the location of the PPP options file.
#	By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/pptpd-options

# TAG: debug
#	Turns on (more) debugging to syslog
#
#debug

# TAG: stimeout
#	Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10

# TAG: noipparam
#       Suppress the passing of the client's IP address to PPP, which is
#       done by default otherwise.
#
#noipparam

# TAG: logwtmp
#	Use wtmp(5) to record client connections and disconnections.
#
logwtmp

# TAG: bcrelay <if>
#	Turns on broadcast relay to clients from interface <if>
#
#bcrelay eth1

# TAG: localip
# TAG: remoteip
#	Specifies the local and remote IP address ranges.
#
#       Any addresses work as long as the local machine takes care of the
#       routing.  But if you want to use MS-Windows networking, you should
#       use IP addresses out of the LAN address space and use the proxyarp
#       option in the pppd options file, or run bcrelay.
#
#	You can specify single IP addresses seperated by commas or you can
#	specify ranges, or both. For example:
#
#		192.168.0.234,192.168.0.245-249,192.168.0.254
#
#	IMPORTANT RESTRICTIONS:
#
#	1. No spaces are permitted between commas or within addresses.
#
#	2. If you give more IP addresses than MAX_CONNECTIONS, it will
#	   start at the beginning of the list and go until it gets 
#	   MAX_CONNECTIONS IPs. Others will be ignored.
#
#	3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#	   you must type 234-238 if you mean this.
#
#	4. If you give a single localIP, that's ok - all local IPs will
#	   be set to the given one. You MUST still give at least one remote
#	   IP for each simultaneous client.
#
# (Recommended)
#localip 192.168.0.1
#remoteip 192.168.0.234-238,192.168.0.245
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
localip 192.168.121.1
remoteip 192.168.121.2-254
root@uss01:/etc# 

0
 
LVL 3

Author Comment

by:re-searcher
ID: 36959656
Here you can see the log when I tried to connect to the server with a PPTP connection from my Mac OS X:
# tail -f /var/log/debug
Oct 12 21:02:15 uss01 pppd[11653]: using channel 2
Oct 12 21:02:15 uss01 pppd[11653]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MD5> <magic 0x2d318763> <pcomp> <accomp>]
Oct 12 21:02:16 uss01 pppd[11653]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x24ba188b> <pcomp> <accomp>]
Oct 12 21:02:16 uss01 pppd[11653]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x24ba188b> <pcomp> <accomp>]
Oct 12 21:02:18 uss01 pppd[11653]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MD5> <magic 0x2d318763> <pcomp> <accomp>]
Oct 12 21:02:19 uss01 pppd[11653]: rcvd [LCP ConfNak id=0x1 <auth chap MS-v2>]
Oct 12 21:02:19 uss01 pppd[11653]: sent [LCP ConfReq id=0x2 <asyncmap 0x0> <auth chap MS-v2> <magic 0x2d318763> <pcomp> <accomp>]
Oct 12 21:02:19 uss01 pppd[11653]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x24ba188b> <pcomp> <accomp>]
Oct 12 21:02:19 uss01 pppd[11653]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x24ba188b> <pcomp> <accomp>]
Oct 12 21:02:19 uss01 pppd[11653]: rcvd [LCP ConfAck id=0x2 <asyncmap 0x0> <auth chap MS-v2> <magic 0x2d318763> <pcomp> <accomp>]
Oct 12 21:02:19 uss01 pppd[11653]: sent [LCP EchoReq id=0x0 magic=0x2d318763]
Oct 12 21:02:19 uss01 pppd[11653]: sent [CHAP Challenge id=0xaf <3703c65d33323154f87e69f6ab9a0025>, name = "pptpd"]
Oct 12 21:02:19 uss01 pppd[11653]: rcvd [LCP EchoReq id=0x0 magic=0x24ba188b]
Oct 12 21:02:19 uss01 pppd[11653]: sent [LCP EchoRep id=0x0 magic=0x2d318763]
Oct 12 21:02:20 uss01 pppd[11653]: rcvd [LCP EchoRep id=0x0 magic=0x24ba188b]
Oct 12 21:02:20 uss01 pppd[11653]: rcvd [CHAP Response id=0xaf <2729c5926cfec882a88c6dbeb2e1f4b40000000000000000c387943b75a56e4c90f09db92f3aef2fba3106f25b21077000>, name = "testuser"]
Oct 12 21:02:20 uss01 pppd[11653]: sent [CHAP Failure id=0xaf ""]
Oct 12 21:02:20 uss01 pppd[11653]: sent [LCP TermReq id=0x3 "Authentication failed"]
Oct 12 21:02:20 uss01 pppd[11653]: rcvd [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
Oct 12 21:02:20 uss01 pppd[11653]: sent [LCP TermAck id=0x2]
Oct 12 21:02:20 uss01 pptpd[11652]: CTRL: Reaping child PPP[11653]
Oct 12 21:02:20 uss01 pppd[11653]: RADATTR plugin removed file /var/run/radattr.ppp0.
Oct 12 21:02:22 uss01 slapd[4788]: connection_read(25): no connection!

0
 
LVL 3

Author Comment

by:re-searcher
ID: 36959671
/etc/ppp/pptpd-options
root@uss01:/etc/ppp# cat /etc/ppp/pptpd-options
###############################################################################
# $Id: pptpd-options 4643 2006-11-06 18:42:43Z rene $
#
# Sample Poptop PPP options file /etc/ppp/pptpd-options
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection.  See "man pppd".
#
# You are expected to change this file to suit your system.  As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################


# Authentication

# Name of the local system for authentication purposes 
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptpd

# Optional: domain name to use for authentication
# domain mydomain.net

# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain


# Encryption
# Debian: on systems with a kernel built with the package
# kernel-patch-mppe >= 2.4.2 and using ppp >= 2.4.2, ...
# {{{
require-pap
require-chap
require-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}




# Network and Routing

# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients.  The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
# Attention! This information may not be taken into account by a Windows
# client. See KB311218 in Microsoft's knowledge base for more information.
ms-dns 66.96.80.194
ms-dns 66.96.80.43

# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients.  The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
ms-wins 66.96.80.194
ms-wins 66.96.80.43

# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system.  This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp

# Debian: do not replace the default route
nodefaultroute


# Logging

# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
debug

# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump


# Miscellaneous

# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock

# Disable BSD-Compress compression
nobsdcomp 

#plugins
plugin radius.so
plugin radattr.so
root@uss01:/etc/ppp# 

0
 
LVL 3

Author Comment

by:re-searcher
ID: 36960010
Dear Arnold,

After 3 months of trying to install it, I hope today it's done.
I will post the full details here; please read all of them carefully.
Thanks for your great help and the time you spent answering my question and solving my problems.

I attach all configuration files (freeradius and pptpd) to this post (I just renamed all files to .txt because of the attachment rules).

Log while I was trying to connect to the server with a PPTP connection on my Mac OS X; in the second terminal where I ran freeradius -X nothing happened.
#tail -f /var/log/message
Oct 12 23:23:24 uss01 pptpd[5878]: MGR: Launching /usr/sbin/pptpctrl to handle client
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: local address = 192.168.121.1
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: remote address = 192.168.121.2
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: pppd options file = /etc/ppp/pptpd-options
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: Received PPTP Control Message (type: 1)
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: Made a START CTRL CONN RPLY packet
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: I wrote 156 bytes to the client.
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: Sent packet to client
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: Received PPTP Control Message (type: 7)
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: Set parameters to 100000000 maxbps, 64 window size
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: Made a OUT CALL RPLY packet
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: pty_fd = 6
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: tty_fd = 7
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: I wrote 32 bytes to the client.
Oct 12 23:23:24 uss01 pptpd[5879]: CTRL (PPPD Launcher): program binary = /usr/sbin/pppd
Oct 12 23:23:24 uss01 pptpd[5879]: CTRL (PPPD Launcher): local address = 192.168.121.1
Oct 12 23:23:24 uss01 pptpd[5879]: CTRL (PPPD Launcher): remote address = 192.168.121.2
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: Sent packet to client
Oct 12 23:23:24 uss01 pppd[5879]: using channel 1
Oct 12 23:23:24 uss01 pppd[5879]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xada88021> <pcomp> <accomp>]
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: Received PPTP Control Message (type: 15)
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Oct 12 23:23:24 uss01 pptpd[5878]: GRE: accepting packet #1
Oct 12 23:23:24 uss01 pppd[5879]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x48834e69> <pcomp> <accomp>]
Oct 12 23:23:24 uss01 pppd[5879]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x48834e69> <pcomp> <accomp>]
Oct 12 23:23:25 uss01 pptpd[5878]: GRE: accepting packet #2
Oct 12 23:23:25 uss01 pppd[5879]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xada88021> <pcomp> <accomp>]
Oct 12 23:23:25 uss01 pppd[5879]: sent [LCP EchoReq id=0x0 magic=0xada88021]
Oct 12 23:23:25 uss01 pppd[5879]: sent [CHAP Challenge id=0x59 <6ceb872c83af9a069364a49fbeea830e>, name = "pptpd"]
Oct 12 23:23:25 uss01 pptpd[5878]: GRE: accepting packet #3
Oct 12 23:23:25 uss01 pppd[5879]: rcvd [LCP EchoReq id=0x0 magic=0x48834e69]
Oct 12 23:23:25 uss01 pppd[5879]: sent [LCP EchoRep id=0x0 magic=0xada88021]
Oct 12 23:23:25 uss01 pptpd[5878]: GRE: accepting packet #4
Oct 12 23:23:25 uss01 pptpd[5878]: GRE: accepting packet #5
Oct 12 23:23:25 uss01 pppd[5879]: rcvd [LCP EchoRep id=0x0 magic=0x48834e69]
Oct 12 23:23:25 uss01 pppd[5879]: rcvd [CHAP Response id=0x59 <0da741da5ada8e72f2b2b1afcade3e1000000000000000008ba5dea7e2eab57a69dae7a2e66f0a128d9e3a9026bb9e1d00>, name = "testuser"]
Oct 12 23:23:25 uss01 pppd[5879]: sent [CHAP Failure id=0x59 ""]
Oct 12 23:23:25 uss01 pppd[5879]: sent [LCP TermReq id=0x2 "Authentication failed"]
Oct 12 23:23:25 uss01 pptpd[5878]: GRE: accepting packet #6
Oct 12 23:23:25 uss01 pppd[5879]: rcvd [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
Oct 12 23:23:25 uss01 pppd[5879]: sent [LCP TermAck id=0x2]
Oct 12 23:23:25 uss01 pptpd[5878]: CTRL: Reaping child PPP[5879]
Oct 12 23:23:25 uss01 pppd[5879]: RADATTR plugin removed file /var/run/radattr.ppp0.
Oct 12 23:23:25 uss01 pptpd[5878]: CTRL: Exiting now
Oct 12 23:23:25 uss01 pptpd[2418]: MGR: Reaped child 5878


Some other information:
root@uss01:~# dpkg -s freeradius
Package: freeradius
Architecture: amd64
Version: 2.1.8+dfsg-1ubuntu1
Provides: radius-server
Depends: lsb-base (>= 3.1-23.2), libc6 (>= 2.4), libfreeradius2 (= 2.1.8+dfsg-1ubuntu1), libgdbm3 (>= 1.8.3), libltdl7 (>= 2.2.6b), libpam0g (>= 0.99.7.1), libperl5.10 (>= 5.10.0), libpython2.6 (>= 2.6), libssl0.9.8 (>= 0.9.8k-1), zlib1g (>= 1:1.1.4), freeradius-common, ssl-cert, adduser


root@uss01:~# dpkg -s radiusclient1
Architecture: amd64
Source: radiusclient
Version: 0.3.2-13
Depends: libradius1, perl5, libc6 (>= 2.4)

root@uss01:~# dpkg -s pptpd
Package: pptpd
Architecture: amd64
Version: 1.3.4-2.1ubuntu1.9.04.2
Depends: libc6 (>= 2.4), libwrap0 (>= 7.6-4~), ppp (>= 2.4.4), netbase, debconf | debconf-2.0, bcrelay

root@uss01:~# dpkg -s ppp
Package: ppp
Architecture: amd64
Version: 2.4.5~git20081126t100229-0ubuntu3
Replaces: ppp-pam, ppp-udeb
Depends: libc6 (>= 2.11), libpam0g (>= 0.99.7.1), libpcap0.8 (>= 0.9.8), libpam-modules, libpam-runtime (>= 0.76-13.1), netbase, procps



poptop Configurations
pptpd.conf.txt pptpd-options.txt options.txt pap-secrets.txt chap-secrets.txt

Freeradius Configurations
radiusd.conf.txt sql.conf.txt clients.conf.txt default.txt

Radiusclient Configurations
 radiusclient.conf.txt servers.txt dictionary.txt dictionary.microsoft.txt
0
 
LVL 81

Expert Comment

by:arnold
ID: 36962650
http://poptop.sourceforge.net/dox/radius_mysql.html

I do not see where your pptpd/ppp loads plugin radius.so

try the /etc/ppp/options-pptpd to be the exact copy of  the one in the link above.
Make sure to avoid the error in the link and point pptpd.conf to the correct location where you have /etc/ppp/pptpd-options
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36965059
At the end of /etc/ppp/pptpd-options you can see I used it:
# plugins
plugin radius.so
radius-config-file /etc/radiusclient/radiusclient.conf
plugin radattr.so


Link to my previous post's attachment (pptpd-options): http://filedb.experts-exchange.com/incoming/2011/10_w42/511631/pptpd-options.txt
0
 
LVL 81

Expert Comment

by:arnold
ID: 36965670
I saw it  in the configuration file, but the output from your log still shows that the authentication is using chap/pap and not using radius.
Oct 12 23:23:25 uss01 pppd[5879]: rcvd [CHAP Response id=0x59 <0da741da5ada8e72f2b2b1afcade3e1000000000000000008ba5dea7e2eab57a69dae7a2e66f0a128d9e3a9026bb9e1d00>, name = "testuser"]
Oct 12 23:23:25 uss01 pppd[5879]: sent [CHAP Failure id=0x59 ""]

0
 
LVL 3

Author Comment

by:re-searcher
ID: 36971765
What should I do?
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36971769
My /etc/ppp/chap-secrets & pap-secrets are empty; is that right, or should I type some configuration into these files?
0
 
LVL 81

Expert Comment

by:arnold
ID: 36971866
Since you are using plugin radius.so the chap/pap are ignored.  But for one reason or another your configuration does not seem to load/reflect that pppd uses radius.
Presumably if you comment out the plugin radius.so, your pptp CONNECTION gets established.

Can you remove the plugin radattr.so or have both plugins on the same line?
plugin radius.so radattr.so

Not sure whether the two plugin lines get pppd to only use the last one it read
Oct 12 23:23:25 uss01 pppd[5879]: RADATTR plugin removed file /var/run/radattr.ppp0.

I am looking for a similar line where pppd loads radius.so plugin.
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36971955
It doesn't work.

If it's possible for me to send you a message privately, I can send SSH login details and you can check it yourself instead of sending many posts....

0
 
LVL 81

Expert Comment

by:arnold
ID: 36973714
What is a valid username to test with for pptp?

You had disabled the client config such that freeradius would ignore all requests if they came.
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36973733
user: testuser
password: testpass
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36973751
Please check your e-mail; I sent some additional information regarding the daloradius web management panel for user management.
0
 
LVL 81

Expert Comment

by:arnold
ID: 36973867
The issue you have deals with radiusclient not being able to parse dictionary.microsoft line 22, which is what prevents it from even generating the radius packets.
grep ppp /var/log/syslog
At this point the issue is radiusclient and dictionary.microsoft.
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36973966
So, how is it possible to fix this problem?
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36974519
Do you have any solution for this problem?
0
 
LVL 81

Expert Comment

by:arnold
ID: 36974540
First have to determine whether the radiusclient you have installed is the issue since it is the one that is supposed to parse the dictionary files and perform the action.

You should try installing the radiusclient-ng and follow the example in the link and see if that helps.  Seen a patch for radiusclient dealing with altering which radius libraries it should use libradiusclient. or a different set.
At this point the issue seems to be related to the tie in between the plugin radius.so with the radiusclient.
The suggestion deals with creating a symbolic link from /etc/radiusclient-ng to /etc/radiusclient to minimize alterations to the various configurations.
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36974609
You mean I should do it myself? :)
OK, thanks
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36974642
How should I install radiusclient-ng on Ubuntu?
I can't find any article about it.
0
 
LVL 81

Expert Comment

by:arnold
ID: 36974696
Patience is a virtue.
http://packages.ubuntu.com/maverick/libradiusclient-ng2

Do not make changes to anything else.
Since this is your system, I did not nor want to make any changes, i.e. installing new software while removing old software.
0
 
LVL 3

Author Comment

by:re-searcher
ID: 36974744
I installed radiusclient-ng2,
but freeradius -X doesn't show anything.
0
 
LVL 81

Assisted Solution

by:arnold
arnold earned 2000 total points
ID: 36975818

1) There was an error in the radiusclient.conf dealing with a bindaddr which was reflected in the /var/log/syslog. Commented that line out.
2) The file port-id-map was also missing. Created an empty file: touch /etc/radiusclient/port-id-map

Connection attempted and established.

You're good to go.

Good luck with your other stuff.
0
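The thread's failure chain (pppd answering CHAP locally because the radius.so setup never got as far as radiusclient, then the bindaddr line and the missing port-id-map in the accepted solution) can be checked before a single connection attempt. Below is an added example, not code from the thread or from the pptpd/freeradius projects: a read-only consistency check over pptpd.conf, the pppd options file, radiusclient.conf and the files it names. The sample tree is constructed; pass "/" as ROOT to inspect a live host. It assumes pppd's default radiusclient.conf location is build-dependent, so only an explicit radius-config-file line is followed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pptpd/freeradius projects:
# a read-only consistency check of the chain pptpd.conf -> pppd options file ->
# plugin radius.so -> radiusclient.conf -> servers/dictionary/port-id-map.
# ROOT is prepended to every path so the check can run over constructed files;
# pass "/" to inspect a live host. Assumption: only an explicit radius-config-file
# is followed, since pppd's compiled-in default location varies by build.

# Print the first value of KEYWORD in FILE, ignoring comments.
cfg_value() {  # cfg_value FILE KEYWORD
    sed -e 's/#.*//' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# check_pptp_radius ROOT -> prints findings; returns the number of problems (0 = ok).
check_pptp_radius() {
    root="${1%/}"
    problems=0
    fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }
    pptpd_conf="$root/etc/pptpd.conf"
    [ -f "$pptpd_conf" ] || { fail "missing $pptpd_conf"; return 1; }

    # 1. 'option' must name an existing pppd options file (options.pptpd vs pptpd-options).
    opts=$(cfg_value "$pptpd_conf" option)
    [ -n "$opts" ] || opts=/etc/ppp/options   # pppd default when 'option' is absent
    if [ ! -f "$root$opts" ]; then
        fail "pptpd.conf option '$opts' does not exist"
        return "$problems"
    fi

    # 2. Without 'plugin radius.so' pppd answers CHAP from chap-secrets: 'CHAP Failure'.
    if ! grep -Eq '^[[:space:]]*plugin[[:space:]]+radius\.so' "$root$opts"; then
        fail "$opts does not load 'plugin radius.so'"
    fi

    # 3. Follow radius-config-file into radiusclient.conf.
    rc_conf=$(cfg_value "$root$opts" radius-config-file)
    if [ -z "$rc_conf" ]; then
        echo "NOTE: no radius-config-file line; pppd will use its compiled-in default"
        return "$problems"
    fi
    [ -f "$root$rc_conf" ] || { fail "radius-config-file '$rc_conf' missing"; return "$problems"; }

    # 4. Files radiusclient must open (port-id-map = mapfile), plus the bindaddr line.
    for key in servers dictionary mapfile; do
        path=$(cfg_value "$root$rc_conf" "$key")
        if [ -z "$path" ]; then
            fail "radiusclient.conf has no '$key' line"
        elif [ ! -f "$root$path" ]; then
            fail "radiusclient.conf $key '$path' does not exist"
        fi
    done
    if grep -Eq '^[[:space:]]*bindaddr' "$root$rc_conf"; then
        fail "bindaddr is set in radiusclient.conf; check syslog for a bind error"
    fi

    # 5. The authserver host needs a shared secret in the servers file.
    servers=$(cfg_value "$root$rc_conf" servers)
    auth=$(cfg_value "$root$rc_conf" authserver | cut -d: -f1)
    if [ -n "$auth" ] && [ -f "$root$servers" ]; then
        if ! sed -e 's/#.*//' "$root$servers" |
             awk -v h="$auth" '$1 == h && $2 != "" { ok = 1 } END { exit !ok }'; then
            fail "no shared secret for authserver '$auth' in $servers"
        fi
    fi
    return "$problems"
}

# Constructed sample tree (not the poster's real files) in one of three states:
# broken (bindaddr set, port-id-map missing), noplugin (radius.so not loaded), fixed.
make_sample_config() {  # make_sample_config DIR broken|noplugin|fixed
    d="$1"; mode="$2"
    mkdir -p "$d/etc/ppp" "$d/etc/radiusclient"
    printf 'option /etc/ppp/pptpd-options\nlocalip 192.168.121.1\n' > "$d/etc/pptpd.conf"
    printf 'name pptpd\nrequire-mschap-v2\nrequire-mppe-128\n' > "$d/etc/ppp/pptpd-options"
    if [ "$mode" != noplugin ]; then
        printf 'plugin radius.so\nradius-config-file /etc/radiusclient/radiusclient.conf\nplugin radattr.so\n' \
            >> "$d/etc/ppp/pptpd-options"
    fi
    {
        echo "authserver localhost:1812"
        echo "acctserver localhost:1813"
        echo "servers /etc/radiusclient/servers"
        echo "dictionary /etc/radiusclient/dictionary"
        echo "mapfile /etc/radiusclient/port-id-map"
        if [ "$mode" = broken ]; then echo "bindaddr 192.168.121.1"; fi
    } > "$d/etc/radiusclient/radiusclient.conf"
    printf 'localhost testing123\n' > "$d/etc/radiusclient/servers"
    : > "$d/etc/radiusclient/dictionary"
    rm -f "$d/etc/radiusclient/port-id-map"
    if [ "$mode" = fixed ]; then : > "$d/etc/radiusclient/port-id-map"; fi
}

# Stand-alone demo: run the check over each sample state.
demo_dir=$(mktemp -d)
for mode in broken noplugin fixed; do
    make_sample_config "$demo_dir" "$mode"
    echo "== $mode =="
    check_pptp_radius "$demo_dir" || echo "=> $? problem(s)"
done
rm -rf "$demo_dir"
```

A "PROBLEM" line for radius.so or for the mapfile reproduces exactly the two states the thread went through: pppd falling back to chap-secrets, and radiusclient unable to start because a file it expects is absent.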
 
LVL 3

Author Closing Comment

by:re-searcher
ID: 36976313
Thanks Arnold,

connection established,
I think it's enough for post more tickets with just 500 point.

With best wishes,
r
0
 
LVL 3

Author Comment

by:re-searcher
ID: 37016592
0
