re-searcher
asked on
Integrate PPP and OpenVPN user authentication with Freeradius2 on CentOS
Hello,
I installed freeradius2 with the mysql module on CentOS, and everything works well. I mean I created a user in the mysql database, tested it with "radtest" and received a request-accept message.
Now I want to connect to the server with PPTP, L2TP and OpenVPN connections, and when I try it I receive an error and the connection is not established.
Does anyone know how I should do it?
ASKER
I want to provide different VPN services to my employees, not all of them.
I want to be able to set a user to use all of pptp/l2tp/openvpn or just one of them.
For OpenVPN you need to use a plug-in:
http://www.imped.net/oss/misc/openvpn-2.0-howto-edit.html#auth
http://openvpn.net/archive/openvpn-users/2006-07/msg00138.html
Each application you use to provide a service has its own configuration setting. Which application do you use for PPTP?
The links I provided in the question deal with making adjustments to /etc/ppp to reference an external application for authentication. The external script will be the one that generates the rad-access-request and waits for the response.
In the file /etc/ppp/options.pptpd it adds the plugin radius.so.
Then you need radiusclient installed, which is used by radius.so, along with the /etc/radiusclient/server file where you configure the information about the server it will be querying.
http://poptop.sourceforge.net/dox/radius_mysql.html
The application you choose to provide the services has to support the option for external authentication.
ASKER
Thanks for your answer,
Regarding PPTP:
ppp.i386 2.4.3-14.3.v5 installed
pptpd.i386 1.3.0-3.1.v5 installed
Check the manual pages for those on whether they support the use of external programs/scripts for authentication.
Those that can usually can be extended to do the tasks you want, as I have found many open-source resources can be.
/etc/ppp/options.pptpd
http://ppp.samba.org/pppd.html
Within that file, the link I posted deals with including the radius.so,
which ties into radiusclient, which you need to install, and which relies on /etc/radiusclient/server.
i.e.
pptpd only binds to an IP where the request will be received.
It will use /usr/sbin/ppp to establish a channel of communication, initially for authentication.
ppp, based on the ..., will initiate the exchange of the username/password data and then use the local configuration to validate the data provided.
When testing, make sure to run freeradius in debug mode, which will tell you what it received and what it responded with. This way you can narrow down the cause if the response is not what you expected.
i.e. the type of connection (NAS-Type) alters the response freeradius sends, etc.
ASKER
Arnold,
I don't have a radiusclient directory in "/etc"; instead of a "radiusclient" directory I have "raddb".
In addition, I don't have a "server" sub-directory in "raddb".
What should I do?
yum search radius
yum install radiusclient
http://joysofprogramming.com/install-radiusclient-ng-fedora-rhel/
Which CentOS version are you using?
http://pkgs.org/centos-5-rhel-5/rpmforge-i386/radiusclient-ng-0.5.6-5.el5.rf.i386.rpm.html
http://wiki.freeradius.org/RADIUS-Clients
ASKER
I installed freeradius2 on ClearOS, which is based on CentOS.
[root@researcher ~]# yum search radius
Loading "kmod" plugin
Loading "protect-packages" plugin
base-kernels | 951 B 00:00
base-updates | 951 B 00:00
clearcentos-os | 951 B 00:00
base-supplements | 951 B 00:00
base-os | 1.1 kB 00:00
clearcentos-updates | 951 B 00:00
base-console | 951 B 00:00
freeradius2-mysql.i386 : MySQL support for freeradius
freeradius2-postgresql.i386 : Postgresql support for freeradius
freeradius2.i386 : High-performance and highly configurable free RADIUS server
freeradius2-unixODBC.i386 : Unix ODBC support for freeradius
freeradius2-ldap.i386 : LDAP support for freeradius
freeradius.i386 : High-performance and highly configurable free RADIUS server.
freeradius-mysql.i386 : MySQL bindings for freeradius
freeradius2-python.i386 : Python support for freeradius
freeradius-unixODBC.i386 : unixODBC bindings for freeradius
freeradius2-utils.i386 : FreeRADIUS utilities
freeradius2-mysql.i386 : MySQL support for freeradius
freeradius2.i386 : High-performance and highly configurable free RADIUS server
freeradius2-krb5.i386 : Kerberos 5 support for freeradius
freeradius-postgresql.i386 : postgresql bindings for freeradius
freeradius2-utils.i386 : FreeRADIUS utilities
freeradius2-perl.i386 : Perl support for freeradius
ASKER
[root@researcher ~]# uname -a
Linux researcher.lan 2.6.18-194.8.1.v5PAE #1 SMP Thu Jul 15 02:01:47 EDT 2010 i686 i686 i386 GNU/Linux
http://pkgs.org/centos-5-rhel-5/rpmforge-i386/radiusclient-ng-0.5.6-5.el5.rf.i386.rpm.html
Download the above and get a listing of what is within:
rpm -q --filesbypkg -p radiusclient-ng-0.5.6-5.el5.rf.i386.rpm | more
This will list the contents of the package without installing it/altering your system.
Check what is being installed versus what you already have on the system.
radclient should be part of the freeradius utils.
ASKER
# rpm -q --filesbypkg -p radiusclient-ng-0.5.6-5.el5.rf.i386.rpm | more
warning: radiusclient-ng-0.5.6-5.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
radiusclient-ng /etc/radiusclient-ng
radiusclient-ng /etc/radiusclient-ng/issue
radiusclient-ng /etc/radiusclient-ng/port-id-map
radiusclient-ng /etc/radiusclient-ng/radiusclient.conf
radiusclient-ng /etc/radiusclient-ng/servers
radiusclient-ng /usr/lib/libradiusclient-ng.so.2
radiusclient-ng /usr/lib/libradiusclient-ng.so.2.0.0
radiusclient-ng /usr/share/doc/radiusclient-ng-0.5.6
radiusclient-ng /usr/share/doc/radiusclient-ng-0.5.6/BUGS
radiusclient-ng /usr/share/doc/radiusclient-ng-0.5.6/CHANGES
radiusclient-ng /usr/share/doc/radiusclient-ng-0.5.6/COPYRIGHT
radiusclient-ng /usr/share/doc/radiusclient-ng-0.5.6/README
radiusclient-ng /usr/share/doc/radiusclient-ng-0.5.6/instop.html
radiusclient-ng /usr/share/radiusclient-ng
radiusclient-ng /usr/share/radiusclient-ng/dictionary
radiusclient-ng /usr/share/radiusclient-ng/dictionary.ascend
radiusclient-ng /usr/share/radiusclient-ng/dictionary.compat
radiusclient-ng /usr/share/radiusclient-ng/dictionary.merit
radiusclient-ng /usr/share/radiusclient-ng/dictionary.sip
Sorry, but I'm not an expert in Linux; should I install radiusclient-ng?
ASKER
I installed radiusclient-ng with the following command:
# rpm -ivh radiusclient-ng-0.5.6-5.el5.rf.i386.rpm
warning: radiusclient-ng-0.5.6-5.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing... ########################################### [100%]
1:radiusclient-ng ########################################### [100%]
Now should I follow the articles whose links you shared with me?
Yes, /etc/radiusclient/server etc. See whether pptpd via ppp initiates the radius request to freeradius, and then go a step at a time. If you can debug freeradius while you are making the test attempts, post the debug output to make it easier to describe what is going on and what is happening.
ASKER
Ok, I see.
Here is my "radiusd -X" result:
# radiusd -X
FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on May 19 2010 at 13:10:59
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 40
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "wW50|>7@$%fhgdnDJOBSviovbfKOG@)2EROC("
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_sql
Module: Instantiating sql
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = ""
login = "raduser"
password = "link2@@2"
radius_db = "rdb"
read_groups = yes
sqltrace = no
sqltracefile = "/var/log/radius/sqltrace.sql"
readclients = yes
deletestalesessions = yes
num_sql_socks = 5
lifetime = 0
max_queries = 0
sql_user_name = "%{User-Name}"
default_user_profile = ""
nas_query = "SELECT id, nasname, shortname, type, secret FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id"
accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'"
accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')"
accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
connect_failure_retry_delay = 60
simul_count_query = ""
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to raduser@localhost:/rdb
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
Listening on authentication interface eth0 address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
When I try to connect from a remote computer with a VPN connection I receive "Authentication Failed", while I don't see any information in my debug console.
I have a firewall and IDS on the computer; which rules should I add to the firewall?
ASKER
You mean I set freeradius auth and acct listening on 1645 and 1646 and after the test return it to the previous state?
ASKER
I changed it as you requested in "/etc/raddb/radiusd.conf", but again I receive the authentication failed error, and debug shows nothing.
Again I think the firewall blocks this port; are you sure I should not add any command to the firewall to allow incoming requests?
Listening on authentication interface eth0 address * port 1645
Listening on accounting address * port 1646
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1647
Ready to process requests.
Can I chat with you on Skype or by e-mail? Would you mind telling me one of these?
You can configure freeradius to listen on both 1812, 1645 and 1813, 1646.
Not sure why you are defining a proxy address, but that is unimportant.
Were you able to establish a PPTP connection while using local users? This is how you can confirm that your PPTP configuration is correct. Walk before you try to run.
Once you know that your PPTP client side configuration is correct and works with your PPTP server while using locally defined users, then and only then you start adjusting the PPTP server configuration for remote authentication.
1) configure pptp server with local users
2) configure pptp client to connect to server.
3) test the connection while pptp server is in debug mode to reflect what is going on so that you can adjust. Based on info repeat 1/2.
1723 is the PPTP port that has to be opened on the firewall to allow the client request through, but based on the error you get, it seems the packet makes it to the pptp server and is being rejected.
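An added example (my own, not from this thread or from the pppd, radiusclient-ng or FreeRADIUS projects): a Python script that cross-checks the chain the answers describe, from the plugin radius.so line in /etc/ppp/options.pptpd through radiusclient.conf and the servers file to the ports and client secret that radiusd -X prints. The config contents and the debug excerpt are constructed samples; radius-config-file is pppd's real option for pointing radius.so at a radiusclient configuration. It reports the mismatches that produce the symptom in this thread: the VPN client sees "Authentication Failed" while the RADIUS debug console shows no request at all.

```python
import re

# Constructed sample inputs (assumed contents, not copied from any real host); the
# file names follow the radiusclient-ng package listing shown earlier in the thread.
OPTIONS_PPTPD = """\
require-mschap-v2
plugin radius.so
radius-config-file /etc/radiusclient-ng/radiusclient.conf
"""
RADIUSCLIENT_CONF = """\
authserver   localhost:1645
acctserver   localhost:1646
servers      /etc/radiusclient-ng/servers
"""
SERVERS_FILE = """\
# server name   shared secret
localhost       nas-secret-A
"""
RADIUSD_X = """\
client localhost {
        ipaddr = 127.0.0.1
        secret = "nas-secret-B"
}
Listening on authentication interface eth0 address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
"""

def _fields(text):
    """Yield the whitespace-split fields of each non-empty, non-comment config line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()

def pppd_loads_radius(text):
    """True if options.pptpd has a 'plugin radius.so' line (the pppd RADIUS plugin)."""
    return any(p[0] == "plugin" and len(p) > 1 and p[1].endswith("radius.so") for p in _fields(text))

def parse_radiusclient_conf(text):
    """Map keyword -> value; authserver/acctserver become (host, port-or-None)."""
    conf = {}
    for parts in _fields(text):
        value = parts[1] if len(parts) > 1 else ""
        if parts[0] in ("authserver", "acctserver"):
            host, _, port = value.partition(":")
            conf[parts[0]] = (host, int(port) if port.isdigit() else None)
        else:
            conf[parts[0]] = value
    return conf

def parse_servers(text):
    """Map server name -> shared secret from the radiusclient-ng servers file."""
    return {p[0]: p[1] for p in _fields(text) if len(p) > 1}

def parse_radiusd_debug(text):
    """Pull listen ports, client secrets and the request count out of radiusd -X output."""
    info = {"auth_port": None, "acct_port": None, "clients": {}, "requests": 0}
    current = None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"Listening on (authentication|accounting) .*port (\d+)$", s)
        if m:
            info["auth_port" if m.group(1) == "authentication" else "acct_port"] = int(m.group(2))
        elif re.match(r"client \S+ \{$", s):
            current = {}
        elif current is not None:
            m = re.match(r'(ipaddr|secret) = "?([^"]*)"?$', s)
            if m:
                current[m.group(1)] = m.group(2)
            elif s == "}":  # end of the client block
                info["clients"][current.get("ipaddr")] = current.get("secret")
                current = None
        elif s.startswith("rad_recv:"):  # a packet actually reached the server
            info["requests"] += 1
    return info

def check_chain(options_text, rcconf_text, servers_text, debug_text):
    """Return human-readable mismatches; an empty list means the chain is consistent."""
    findings = []
    if not pppd_loads_radius(options_text):
        findings.append("options.pptpd does not load radius.so: pppd authenticates locally and never asks RADIUS")
    rc, servers, dbg = parse_radiusclient_conf(rcconf_text), parse_servers(servers_text), parse_radiusd_debug(debug_text)
    for key, port_key in (("authserver", "auth_port"), ("acctserver", "acct_port")):
        nas_port = rc.get(key, (None, None))[1]
        if None not in (nas_port, dbg[port_key]) and nas_port != dbg[port_key]:
            findings.append(f"{key} uses port {nas_port} but FreeRADIUS listens on {dbg[port_key]}")
    host = rc.get("authserver", (None, None))[0]
    if host:
        ip = "127.0.0.1" if host == "localhost" else host
        nas_secret, srv_secret = servers.get(host), dbg["clients"].get(ip)
        if nas_secret is None:
            findings.append(f"no shared secret for {host} in the servers file")
        elif srv_secret is None:
            findings.append(f"no client entry for {ip} in clients.conf: FreeRADIUS ignores unknown clients")
        elif nas_secret != srv_secret:
            findings.append(f"shared secret for {host} differs between the servers file and clients.conf")
    if dbg["requests"] == 0:
        findings.append("no rad_recv lines in the debug output: FreeRADIUS never received a request, "
                        "so fix the NAS side (plugin, port, firewall) before looking at SQL")
    return findings

# Run the check over the constructed samples above.
FINDINGS = check_chain(OPTIONS_PPTPD, RADIUSCLIENT_CONF, SERVERS_FILE, RADIUSD_X)
```

With the samples above it reports the two port mismatches (1645/1646 against 1812/1813), the differing shared secret, and the absence of any rad_recv line; the same check returns an empty list once the ports and secret agree and a request shows up in the debug output.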
ASKER
As I told you before,
I configured this server as a VPN server. I want to send a user name and password to somebody and allow them to connect to my server and surf the internet with my server's IPs.
You don't help me with details; I'm a newbie and with general help I can't do it.
Please, help me with what I should do.
I told you my mission; if a proxy is not necessary for my mission, please tell me how to disable it.
When I run "radiusd -X" it listens fine, so why doesn't it receive details from the client?
I added localhost with the secret keys in "/etc/ppp/options.pptpd", so what else do I need to do?
This is the 3rd topic I have opened regarding my problem, but I haven't got a good answer that resolves it.
Please, help me.
I config this server for VPN Server. I wanna send user name and password to somebody and allow them to connect to my server and surf internet with my server IPs.
you don't help me with details, i'm newbie and with general help i can't do it as well.
please, help me what i do know?
i told you my mission, if for my mission proxy not necessary please, tell me how to disable it.
when i run "radiusd -X" it's go to listen as well, so why it's not receive details from client?
I add localhost with secret keys on "/etc/ppp/options.pptpd" so what's there i don't do?
it's 3rd topic which i open regarding my problem but i don't get good answer which resolve my problem.
Please, help me.
ASKER
Arnold,
I have a question: I just added "localhost xyzwpygbv" to "/etc/radiusclient-ng/servers"
and "/etc/ppp/chap-secrets" & "pap-secrets" just contain " * &ldap *"
and I changed the "/etc/raddb/clients.conf" acct and auth ports to the ports which you said in your previous post.
pptp and freeradius are both on one server; does ppp need me to open the firewall to connect to freeradius?
http://www.anindya.com/installing-configuring-pptp-vpn-rhel-centos/
This will guide you through the setup of pptpd on your system with local authentication.
If your goal is to allow other users to browse through your system, there are other options i.e. proxy server.
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Radius
With each question you pose a clearer picture of what you are trying to do is revealed.
Could you answer, "what is the result you want to achieve?"
i.e. point A other users [black box] Point B browse the net.
ASKER
- Arnold
My "/etc/rc.d/rc.firewall.local" contains the following:
# Custom firewall rules.
# This file is executed by the firewall on stop/start/restart.
iptables -t filter -I FORWARD -i pptp+ -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
In the first article I should add the following content:
Next, configure iptables to do NAT.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Next, we need to allow TCP port 1723 and the GRE protocol through iptables.
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
The following iptables rules are necessary if you want to be able to route all your internet traffic through the VPN server.
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
Now start the PPTP server if you haven't already.
Currently I can connect to the server without freeradius and browse the internet with the server IP.
Do you think I should add these new rules?
Would you mind helping me more by e-mail, or telling me your e-mail?
My e-mail is: exsolodev [at] gmail ...
ASKER
regarding your last question.
I need to create users with daloradius and authenticate them with freeradius.
I want users to connect to my server with a PPTP/L2TP/OpenVPN connection.
But the most important thing is PPTP.
Currently I follow the article step by step, and when I run "radiusd -X" and try to connect to the server with a PPTP connection I receive an authentication failed error.
I want to know: should I allow the default port of radius, which receives requests, from the external net?
Or do I just allow PPTP to accept incoming connections, and PPTP will contact the radius server locally?
ASKER
What is the relation between the last link which you sent and my question?
My problem is that I can't connect to my server with a PPTP connection and "radiusd -X" doesn't show any information in debug mode.
To confirm the existing stage of your setup
1) freeradius/mysql/daloradius is setup
2) pptp server with local login is setup and users can connect.
create the /etc/ppp/options.pptpd
http://linux.die.net/man/8/pppd-radius
Can you upload your configuration files:
/etc/pptpd.conf
/etc/ppp/options.pptpd
in /etc/pptpd.conf do you start ppp?
http://poptop.sourceforge.net/dox/pptpd.conf.txt
within the /etc/ppp/options.pptpd
plugin radius.so
radius-config-file /etc/radiusclient/radiusclient.conf
It is best to address this in this forum.
ASKER
Before I changed the configuration, PPTP worked and I could connect to the server and browse the internet.
In ClearOS, PPTP works with users which we create with LDAP (internal user creation app).
/etc/pptpd.conf
################################################################################
#
# Sample PoPToP configuration file
#
# for PoPToP version 1.0.1
#
################################################################################
# TAG: speed
#
# Specifies the speed for the PPP daemon to talk at.
# Some PPP daemons will ignore this value.
#
speed 115200
# TAG: option
#
# Specifies the location of the PPP options file.
# By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/options.pptpd
# TAG: debug
#
# Turns on (more) debugging to syslog.
#
#debug
# TAG: localip
# TAG: remoteip
#
# Specifies the local and remote IP address ranges.
#
# You can specify single IP addresses seperated by commas or you can
# specify ranges, or both. For example:
#
# 192.168.0.234,192.168.0.245-249,192.168.0.254
#
# IMPORTANT RESTRICTIONS:
#
# 1. No spaces are permitted between commas or within addresses.
#
# 2. If you give more IP addresses than MAX_CONNECTIONS, it will
# start at the beginning of the list and go until it gets
# MAX_CONNECTIONS IPs. Others will be ignored.
#
# 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
# you must type 234-238 if you mean this.
#
# 4. If you give a single localIP, that's ok - all local IPs will
# be set to the given one. You MUST still give at least one remote
# IP for each simultaneous client.
#
localip 192.168.1.101-200
remoteip 192.168.2.101-200
# TAG: ipxnets
#
# This gives the range of IPX networks to allocate to clients. By
# default IPX network number allocation is not handled internally.
# By putting a low and high network number here a pool of IPX networks
# can be defined. If this is done then there must be one IPX network
# per client.
#
# The format is a pair of hex numbers without any 0x prefix separated
# by a hyphen.
#
#ipxnets 00001000-00001FFF
# TAG: listen
#
# Defines the IP address of the local interface on which pptpd
# should listen for connections. The default is to listen on all
# local interfaces (even ones brought up by pptp connections, thus
# permitting pptp tunnels inside the pptp tunnels).
#
#listen 192.168.0.1
# TAG: pidfile
#
# This defines the file name in which pptpd should store its process
# ID (or pid). The default is /var/run/pptpd.pid.
#
#pidfile /var/run/pptpd.pid
/etc/options.pptpd
lock
ms-dns 66.96.80.194
ms-dns 66.96.80.43
ms-wins 66.96.80.194
ms-wins 66.96.80.43
devname pptp
name pptp-vpn
auth
proxyarp
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
lcp-echo-failure 10
lcp-echo-interval 30
nobsdcomp
#file /etc/ppp/options.ldap
plugin radius.so
ASKER
As you said in your previous post, I added "radius-config-file /etc/radiusclient-ng/radiusclient.conf" at the end of the file,
because, with your help, I installed radiusclient-ng instead of radiusclient.
ASKER
"radiusd -X" doesn't show any detail when I try to connect to the server with a PPTP connection (after I added "radius-config-file /etc/radiusclient-ng/radiusclient.conf").
The password which I create with daloradius is a crypt-password and I don't save it in clear-text mode.
Is that enough to accept the pptp request, or should I add some other attributes?
Note: the location of your options.pptpd is not the path you have defined in /etc/pptpd.conf.
copy /etc/options.pptpd to /etc/ppp/options.pptpd
you also need to add in the options.pptpd
radius-config-file /etc/radiusclient-ng/radiusclient.conf
Enable the debug in /etc/pptpd.conf so you can see what is going on on the pptpd server as well as the radius server.
ASKER
Sorry for my mistake; options.pptpd is available at /etc/ppp/options.pptpd.
I pasted the /etc/ppp/options.pptpd content; I just mistyped the file path.
As you see, options.pptpd contains the radius-config-file value.
How should I enable debug in /etc/pptpd.conf?
ASKER
I searched and found a command for pptp debugging, and I send the results here:
# pppd pty 'pptp server --nolaunchpppd' call tunnel debug dump logfd 2 nodetach
Plugin radius.so loaded.
RADIUS plugin initialized.
pppd: Can't open options file /etc/ppp/peers/tunnel: No such file or directory
ASKER
- Arnold
I found a new problem: after I installed radiusclient-ng, freeradius does not respond to my requests.
I attach my last "radiusd -X" results:
# radiusd -X
FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on May 19 2010 at 13:10:59
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 40
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "k8Yyt4WpzcgNubfbZh7"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_sql
Module: Instantiating sql
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = ""
login = "raduser"
password = "link2@@2"
radius_db = "rdb"
read_groups = yes
sqltrace = no
sqltracefile = "/var/log/radius/sqltrace.sql"
readclients = yes
deletestalesessions = yes
num_sql_socks = 5
lifetime = 0
max_queries = 0
sql_user_name = "%{User-Name}"
default_user_profile = ""
nas_query = "SELECT id, nasname, shortname, type, secret FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id"
accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'"
accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')"
accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
connect_failure_retry_delay = 60
simul_count_query = ""
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to raduser@localhost:/rdb
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
Listening on authentication interface eth0 address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
ASKER
In the radius debug results I don't see the radiusclient-ng directories and files.
Do you know why?
ASKER
I changed the localhost secret key from testing123 to xyzxyz123, but in the debug result it is still the previous secret key.
Where are you making these changes?
within the radtest or within /etc/raddb/clients?
Can you post the radius debug of the received request?
ASKER
Both.
I set the new secret key in /etc/raddb/clients.conf, and for testing I use my new secret key.
ASKER
It started happening after I installed radiusclient-ng.
So, I will remove radiusclient-ng and install radiusclient from
http://pkgs.repoforge.org/radiusclient/
file name: radiusclient-0.3.2-0.2.el5.rf.i386.rpm
After making changes to any configuration files, you have to restart the radius service.
If you feel more comfortable with this one, do so.
You still only configure freeradius to listen on one port, while it might be that the request from ppp via radiusclient-ng or radiusclient will be coming in on the old default port, which was 1645 and is often the default in several components.
radiusd -p 1645 -p 1812
or try within the configuration radius.conf
port="1812"
port=1645
or
while debugging
radiusd -X -p 1645 -p 1812
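An added consistency check for the chain this thread is debugging (pptpd.conf -> options.pptpd -> radius.so -> radiusclient -> FreeRADIUS), written for this page and not taken from the thread or any project: it verifies the points raised above (the option file path in /etc/pptpd.conf, the "plugin radius.so" and "radius-config-file" lines, a matching shared secret between /etc/raddb/clients.conf and the radiusclient servers file, an explicit authserver port so the request is not sent to the old 1645 default, and whether pptpd debug is enabled). It runs against a constructed sample tree whose paths mirror the thread's files; the secret and every other value in the sample are invented.

```shell
#!/bin/sh
# Consistency check for the pptpd -> radius.so -> radiusclient -> FreeRADIUS
# chain this thread debugs. Added example, not from the thread or any project.
# Every check reads files under the root given as $1, so the constructed sample
# tree at the bottom exercises it offline; pass "/" as the root on a real host.

# Path pppd reads its options from: the `option` line in pptpd.conf.
pptpd_option_file() {
  awk '$1=="option"{print $2; exit}' "$1/etc/pptpd.conf"
}

# First value of KEYWORD in a "keyword value" file (pppd options, radiusclient.conf).
conf_value() {   # conf_value FILE KEYWORD
  awk -v k="$2" '$1==k{print $2; exit}' "$1"
}

# Shared secret FreeRADIUS expects from one client block in clients.conf.
clients_conf_secret() {   # clients_conf_secret FILE CLIENTNAME
  awk -v c="$2" '
    $1=="client" && $2==c {inblk=1}
    inblk && $1=="secret" {gsub(/"/, "", $3); print $3; exit}
    inblk && $1=="}"      {exit}' "$1"
}

# Shared secret radiusclient will send to HOST, from its `servers` file.
servers_file_secret() {   # servers_file_secret FILE HOST
  awk -v h="$2" '$1==h{print $2; exit}' "$1"
}

# Runs the checks, prints one line per check, returns the number of failures.
check_pptp_radius() {
  root="$1"; fails=0
  opt=$(pptpd_option_file "$root")
  if [ -n "$opt" ] && [ -f "$root$opt" ]; then
    echo "ok   pptpd.conf option file $opt exists"
  else
    echo "FAIL pptpd.conf option file '$opt' missing: pppd never loads radius.so"
    return 1
  fi
  if grep -Eq '^plugin[[:space:]]+radius\.so' "$root$opt"; then
    echo "ok   $opt loads plugin radius.so"
  else
    echo "FAIL no 'plugin radius.so' line in $opt"; fails=$((fails+1))
  fi
  rcconf=$(conf_value "$root$opt" radius-config-file)
  if [ -n "$rcconf" ] && [ -f "$root$rcconf" ]; then
    echo "ok   radius-config-file $rcconf exists"
  else
    echo "FAIL radius-config-file '$rcconf' not set or missing"; return $((fails+1))
  fi
  auth=$(conf_value "$root$rcconf" authserver)
  case "$auth" in
    *:*) echo "ok   authserver $auth names an explicit port" ;;
    *)   echo "WARN authserver '$auth' has no port: radiusclient falls back to the"
         echo "     radius entry in /etc/services, which may be the old 1645, not 1812" ;;
  esac
  srv=$(conf_value "$root$rcconf" servers)
  s_client=""; s_nas=""
  [ -f "$root/etc/raddb/clients.conf" ] && s_client=$(clients_conf_secret "$root/etc/raddb/clients.conf" localhost)
  [ -f "$root$srv" ] && s_nas=$(servers_file_secret "$root$srv" localhost)
  if [ -n "$s_client" ] && [ "$s_client" = "$s_nas" ]; then
    echo "ok   localhost shared secret matches between clients.conf and $srv"
  else
    echo "FAIL localhost shared secret differs between clients.conf and $srv"; fails=$((fails+1))
  fi
  if grep -Eq '^debug' "$root/etc/pptpd.conf"; then
    echo "ok   pptpd debug logging to syslog is enabled"
  else
    echo "WARN 'debug' is commented out in pptpd.conf; uncomment it to watch pptpd in syslog"
  fi
  return $fails
}

# Constructed sample tree mirroring the thread's files; every value is invented.
# With a second argument of "bad" the options file lands in /etc instead of
# /etc/ppp, reproducing the path mix-up caught in the thread.
make_sample_tree() {   # make_sample_tree ROOT [bad]
  mkdir -p "$1/etc/ppp" "$1/etc/raddb" "$1/etc/radiusclient-ng"
  printf 'option /etc/ppp/options.pptpd\n#debug\nlocalip 192.168.1.101-200\n' > "$1/etc/pptpd.conf"
  optfile="$1/etc/ppp/options.pptpd"
  [ "$2" = bad ] && optfile="$1/etc/options.pptpd"
  printf 'name pptp-vpn\nrequire-mschap-v2\nplugin radius.so\nradius-config-file /etc/radiusclient-ng/radiusclient.conf\n' > "$optfile"
  printf 'authserver localhost:1812\nacctserver localhost:1813\nservers /etc/radiusclient-ng/servers\n' > "$1/etc/radiusclient-ng/radiusclient.conf"
  printf 'localhost SAMPLE_SECRET\n' > "$1/etc/radiusclient-ng/servers"
  printf 'client localhost {\n\tipaddr = 127.0.0.1\n\tsecret = "SAMPLE_SECRET"\n}\n' > "$1/etc/raddb/clients.conf"
}

SAMPLE_ROOT=$(mktemp -d)
make_sample_tree "$SAMPLE_ROOT"
check_pptp_radius "$SAMPLE_ROOT" || echo "$? check(s) failed"
rm -rf "$SAMPLE_ROOT"
```

A FAIL on the secret line means the password attribute FreeRADIUS decodes with its copy of the secret will not match what pppd sent, so authentication fails even though the user exists in the database.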
rpm -ql | grep -i freeradius
rpm --verify <freeradius package name>
radiusclient-ng is using the radiusclient-ng in the naming convention such that it is improbable that it will overwrite your prior existing items.
ASKER
# rpm -ivh radiusclient-0.3.2-0.2.el5.rf.i386.rpm
warning: radiusclient-0.3.2-0.2.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing... ########################################### [100%]
package radiusclient-0.3.2-0.2.el5.rf.i386 is already installed
# rpm -ql | grep -i freeradius2
rpmq: no arguments given for query
# rpm -ql | grep -i freeradius
rpmq: no arguments given for query
# rpm --verify radiusclient-0.3.2-0.2.el5.rf.i386.rpm
package radiusclient-0.3.2-0.2.el5.rf.i386.rpm is not installed
ASKER
If I did everything correctly, why does it occur?
ASKER
It's not possible for me to run radiusd on port 1645 because it's in use.
I rebooted my server and receive this error again.
Failed binding to accounting address * port 1645: Address already in use
/etc/raddb/radiusd.conf[316]: Error binding to port for 0.0.0.0 port 1645
[root@uss01-nova ~]# service radiusd status
radiusd is stopped
I do not know what occurred.
The issue is also that, since you are using mysql as the backend for freeradius, the settings might be stored within the mysql database and the /etc/raddb/ related configurations for clients/etc. are not considered.
sorry for the typo
rpm -qa | grep -i freeradius
rpm -qa | grep -i radiusclient
rpm --verify <packagename as listed in the rpm -qa | grep results>
when you use the .rpm as in rpm --verify radiusclient-0.3.2-0.2.el5.rf.i386.rpm, the package is likely radiusclient-0.3.2-0.2.el5.rf.i386
rpm --verify radiusclient-0.3.2-0.2.el5.rf.i386
/usr/sbin/lsof -i:1645 to see what you have running and listening on this port.
ASKER
I see.
Here is the result of those commands:
# rpm -ivh radiusclient-0.3.2-0.2.el5.rf.i386.rpm
warning: radiusclient-0.3.2-0.2.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing... ########################################### [100%]
package radiusclient-0.3.2-0.2.el5.rf.i386 is already installed
# rpm -qa | grep -i freeradius
freeradius2-2.1.7-7.v5
freeradius2-utils-2.1.7-7.v5
freeradius2-mysql-2.1.7-7.v5
# rpm -qa | grep -i radiusclient
radiusclient-0.3.2-0.2.el5.rf
# rpm --verify radiusclient-0.3.2-0.2.el5.rf.i386.rpm
package radiusclient-0.3.2-0.2.el5.rf.i386.rpm is not installed
ASKER
# /usr/sbin/lsof -i:1645
#
ASKER
I added the NAS in daloradius, but again I receive the "server not responding" error, and radiusd -X doesn't show anything.
Listening on authentication interface eth0 address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Ready to process requests.
# radtest testuser testpass 127.0.0.1 0 k8Yyt4WpzcgNubfbZh7
Sending Access-Request of id 173 to 127.0.0.1 port 1812
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 206.2.1.150
NAS-Port = 0
Sending Access-Request of id 173 to 127.0.0.1 port 1812
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 206.2.1.150
NAS-Port = 0
Sending Access-Request of id 173 to 127.0.0.1 port 1812
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 206.2.1.150
NAS-Port = 0
radclient: no response from server for ID 173 socket 3
rpm --verify radiusclient-0.3.2-0.2.el5.rf.i386
rpm --verify freeradius2-2.1.7-7.v5
but if you run radiusd -X -p 1812 while in a second window you run /usr/sbin/lsof -i:1645, does it return the PID of the radiusd that you have running that includes 1812?
Can you post the lsof output? Have not looked at it recently to see whether freeradius auto listens on the old 1645 port.
What is the output from below?
radtest -d /etc/raddb testuser testpass 127.0.0.1
Is the secret you are using the correct secret for a client 127.0.0.1?
While working on this, did you make any changes to the freeradius/mysql/daloradius configurations?
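The reply above asks whether the secret radtest is given matches the secret FreeRADIUS holds for client 127.0.0.1. The following is an added worked example, not code from the thread or from the FreeRADIUS project, that builds the same Access-Request radtest (and radiusclient-ng behind pppd's radius.so) sends and shows what the shared secret does to it: User-Password is hidden with MD5 keyed by the secret (RFC 2865 section 5.2), so a server configured with a different secret recovers unrelated bytes and can never match the stored password, and the Response Authenticator on the reply is keyed by the secret as well. A request from a source address that has no client entry at all gets no reply, which is what radclient reports as "no response from server". Function names, the fixed authenticator used in the test and the use of the thread's secret values are this example's own choices.

```python
import hashlib
import os
import socket
import struct

# Added example, not code from the thread: builds the Access-Request that
# radtest/radclient (and radiusclient-ng behind pppd's radius.so) send, using
# RFC 2865 PAP password hiding, and shows why the shared secret must be the
# same on the NAS side and in the FreeRADIUS client entry. All function names
# are this example's own.

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT = 1, 2, 4, 5


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pap_hide(secret, authenticator, password):
    """RFC 2865 5.2: pad the password to 16-byte blocks and XOR each block with
    MD5(secret + previous block), the first block keyed by the Request
    Authenticator. Only the secret protects the password on the wire."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def pap_reveal(secret, authenticator, hidden):
    """The server-side inverse. With the wrong secret the result is random
    bytes, so rlm_pap/rlm_sql can never match the stored password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, username, password, nas_ip,
                         nas_port=0, identifier=0, authenticator=None):
    """Return (packet, request_authenticator) carrying the attributes radtest sends."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, pap_hide(secret, authenticator, password.encode()))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_packet(packet):
    """Return (code, identifier, authenticator, {attr_type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def server_password(secret, packet):
    """What radiusd sees as User-Password after un-hiding it with the secret
    configured for this client in clients.conf or the SQL nas table."""
    _, _, authenticator, attrs = parse_packet(packet)
    return pap_reveal(secret, authenticator, attrs[ATTR_USER_PASSWORD])


def build_response(secret, code, identifier, request_authenticator, attrs=b""):
    """Access-Accept/Reject with the RFC 2865 section 3 Response Authenticator."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def response_valid(secret, request_authenticator, response):
    """The check a client applies to a reply: a reply signed with a different
    secret fails it."""
    expected = hashlib.md5(response[:4] + request_authenticator
                           + response[20:] + secret).digest()
    return expected == response[4:20]


if __name__ == "__main__":
    secret = b"k8Yyt4WpzcgNubfbZh7"          # the clients.conf secret shown in the thread
    packet, req_auth = build_access_request(secret, "testuser", "testpass",
                                            "127.0.0.1", identifier=173)
    print(server_password(secret, packet))         # b'testpass'
    print(server_password(b"testing123", packet))  # unrelated bytes: secret mismatch
    reply = build_response(secret, ACCESS_ACCEPT, 173, req_auth)
    print(response_valid(secret, req_auth, reply))  # True
```

Feeding the packet to a real server is not needed to see the point: run it with the two secrets that appear in this thread (the clients.conf value and the default testing123) and compare what server_password returns for each.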
ASKER
I sent the lsof result in the previous post, but again I will run radiusd in debug mode and test lsof.
# rpm --verify radiusclient-0.3.2-0.2.el5.rf.i386
S.5....T c /etc/radiusclient/servers
# rpm --verify freeradius2-2.1.7-7.v5
S.5....T c /etc/raddb/clients.conf
S.5....T c /etc/raddb/proxy.conf
S.5....T c /etc/raddb/radiusd.conf
S.5....T c /etc/raddb/sites-available/default
S.5....T c /etc/raddb/sql.conf
# radiusd -X -p 1812
radiusd: The options -i and -p cannot be used individually.
# radiusd -X
FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on May 19 2010 at 13:10:59
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 40
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "k8Yyt4WpzcgNubfbZh7"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_sql
Module: Instantiating sql
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = ""
login = "raduser"
password = "link2@@2"
radius_db = "rdb"
read_groups = yes
sqltrace = no
sqltracefile = "/var/log/radius/sqltrace.sql"
readclients = yes
deletestalesessions = yes
num_sql_socks = 5
lifetime = 0
max_queries = 0
sql_user_name = "%{User-Name}"
default_user_profile = ""
nas_query = "SELECT id, nasname, shortname, type, secret FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id"
accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'"
accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')"
accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
connect_failure_retry_delay = 60
simul_count_query = ""
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to raduser@localhost:/rdb
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Read entry nasname=localhost,shortname=localhost,secret=k8Yyt4WpzcgNubfbZh7
rlm_sql (sql): Adding client 127.0.0.1 (localhost, server=<none>) to clients list
WARNING: Ignoring duplicate client 127.0.0.1
rlm_sql (sql): Released sql socket id: 4
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
Listening on authentication interface eth0 address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Ready to process requests.
lsof returns nothing
# /usr/sbin/lsof -i:1645
# /usr/sbin/lsof -i:1812
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
radiusd 7939 radiusd 11u IPv4 143243 UDP *:radius
# /usr/sbin/lsof -i:1813
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
radiusd 7939 radiusd 12u IPv4 143244 UDP *:radius-acct
# radtest testuser testpass 127.0.0.1 0 k8Yyt4WpzcgNubfbZh7
Sending Access-Request of id 219 to 127.0.0.1 port 1812
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 206.1.2.150
NAS-Port = 0
Sending Access-Request of id 219 to 127.0.0.1 port 1812
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 206.2.1.150
NAS-Port = 0
Sending Access-Request of id 219 to 127.0.0.1 port 1812
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 206.2.1.150
NAS-Port = 0
radclient: no response from server for ID 219 socket 3
ASKER
Yes, the secret key is exactly like the "/etc/raddb/radiusd.conf" secret key.
I just did it like the articles which you sent here.
If it's better that I remove freeradius and the freeradius modules, let me know and I will do all of them again.
ASKER
In the 2nd previous post I sent the radiusd -X result. On line 96 you can see that the secret key is right.
ASKER
If you send me an e-mail at exsolodev [at] gmail I will send SSH details so you can check yourself. (Be sure I will not ask a question which I don't send on Experts Exchange.)
ASKER
Dear Arnold,
I reinstalled freeradius2, freeradius2-mysql and freeradius2-utils + radiusclient-ng,
I configured /raddb/certs, radiusd.conf and sql.conf, and I receive the following error on debugging:
# radiusd -X
FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on May 19 2010 at 13:10:59
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
rlm_eap_tls: Error reading private key file /etc/raddb/certs/server.pem
rlm_eap: Failed to initialize type tls
/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module "eap".
/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
#
ASKER
I fixed it myself.
I reconfigured the raddb contents.
Did you create/recreate the certificate?
/etc/raddb/certs/server.pem
What is in there?
Did you also fill in a CA?
This is the source of the error:
rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
rlm_eap_tls: Error reading private key file /etc/raddb/certs/server.pem
rlm_eap: Failed to initialize type tls
Freeradius was working, I am not sure what changes you made that broke it.
What was the result of running
rpm --verify <freeradius>?
ASKER
As I said in the previous post, I fixed the certificate error and edited the certificates step-by-step like "/etc/raddb/certs/README".
The problem is from eap.conf, and radiusd -X works as well.
# yum list \*radius\*
Loading "kmod" plugin
Loading "protect-packages" plugin
Installed Packages
freeradius2.i386 2.1.7-7.v5 installed
freeradius2-mysql.i386 2.1.7-7.v5 installed
freeradius2-utils.i386 2.1.7-7.v5 installed
radiusclient-ng.i386 0.5.6-5.el5.rf installed
ASKER
Do you know what /etc/radiusclient-ng/port-id-map is?
And how should I fill it?
It contains the following data:
/dev/tty1 1
/dev/tty2 2
/dev/tty3 3
/dev/tty4 4
/dev/tty5 5
/dev/tty6 6
/dev/tty7 7
/dev/tty8 8
/dev/ttyS0 9
/dev/ttyS1 10
/dev/ttyS2 11
/dev/ttyS3 12
/dev/ttyS4 13
/dev/ttyS5 14
/dev/ttyS6 15
/dev/ttyS7 16
How can I check these contents?
ASKER
- Arnold
I don't have /etc/modules.conf; instead of it I have modprobe.conf, and it contains the following:
alias eth0 r8169
alias scsi_hostadapter ata_piix
alias scsi_hostadapter1 usb-storage
And in http://poptop.sourceforge.net/dox/radius_mysql.html I read that I should use some values in /etc/modules.conf:
alias char-major-108 ppp_generic
alias tty-ldisc-3 ppp_async
alias tty-ldisc-14 ppp_synctty
alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate
Should I add them to /etc/modprobe.conf?
Can you check whether you have /etc/ppp/options.pptpd with contents
plugin radius.so
radius-config-file /etc/radiusclient-ng/radiusclient.conf
/etc/radiusclient-ng/servers
define the 127.0.0.1 secret as described in the example
then enable debug in /etc/pptpd.conf
see what it is doing during start with pptpd.
Attempt a connection and see whether it is generating the radius packet and to where it is generating it.
Check the freeradius output and see whether it is getting the packet and what it is doing with it.
ASKER
Yes, I added radius.so and radius-config-file to /etc/ppp/options.pptpd
and added "localhost testing123" to /etc/radiusclient-ng/servers.
I just ask my question again; please read my previous post.
I don't know how I should enable debug in /etc/pptpd.conf. How should I do it?
Open pptpd.conf; the second item says Debug. Uncomment the entry at the end of the description:
instead of
#debug
make it.
debug
alternatively, if you want to run it in the same way you were testing radiusd -X
pptpd -d -f -c /etc/pptpd.conf
ASKER
I did it and received the authentication failed error again, and ran pptpd in debug mode.
How should I view the ppp debug details/logs?
ASKER
I didn't edit /etc/ppp/chap-secrets and pap-secrets; are you sure I should leave them without any modifications?
I can run radiusd in debug mode, and with the radtest command it works as well.
So, the problem is not from the radius side; it should be from ppp or some other configuration.
ASKER
I just want to know: did you install and integrate freeradius and freeradius-mysql with poptop?
I know you're not responsible for my question, but I want to be sure that I'm spending my time the right way.
There is a link for the poptop example. When you use the plugin radius.so, the ppp chap/pap are ignored. Ref. the subsequent links I provided.
grep -i pptp /var/log/messages | more
Can you run pptpd on a command line in the same way you ran radiusd:
In one window:
/usr/sbin/pptpd -d -f -c /etc/pptpd.conf
in the other window:
radiusd -X
now make pptp connection attempts.
What do you see in each?
ASKER
With "/usr/sbin/pptpd -d -f -c /etc/ppptd.conf" it does not go into debug mode like radiusd -X; right after pressing enter I see the command line again.
ASKER
In some articles I read that we should add "radattr.so" at the end of pptpd.options, like radius.so.
Is it necessary or not?
Because I didn't see any other information regarding radattr.so.
ASKER
Sorry for the mistake, I mean /etc/ppp/options.pptpd
I do not believe you need radattr.so. It deals with alterations to the connection based on the additional parameters that an accept response will have.
It is further down the line; at this time, let's just deal with getting the PPTP connection attempts to generate a radius request from the PPTPd server via PPP to the local radius server.
Could you post the output of running pptpd -f -d -c /etc/pptpd.conf while in a separate window you run radiusd -X?
What is registered on the pptpd server when you make a pptp connection attempt?
What is happening on the radiusd side?
ASKER
- Arnold
I think the problem is from the PPTPd server, because on ClearOS poptop is not like the standard version; it is installed with some changes (custom poptop).
I uninstalled it from my server and tried installing PPTPd + ppp from poptop.sourceforge, but it did not install because of a "conflict with clearos ppp".
However, I can uninstall ppp too, but I have contacted ClearOS and am waiting for their answer. Once they approve it I will do it
and send the results here.
ASKER
Ok Arnold,
I installed the standard version of ppp (ppp-2.4.4-14.1.rhel5.i386) and pptpd (pptpd-1.3.4-2.rhel5.i386).
I have a question: I want to accept connection requests from all types of devices, like Windows 98 to 7, Mac OS, Linux, etc.
Which values should I use in /etc/ppp/options.pptpd?
For example, can I use both require-mschap and require-mschap-v2?
Please help me if you can, and send all the values.
ASKER
Again pptpd doesn't go into debug mode, and when I try to connect with my VPN connection radiusd -X doesn't show anything.
Please help me.
I'm in a critical situation.
You keep jumping from one set to another which means that every time you have to start from scratch.
The settings you reference for mschap etc. are part of /etc/pptpd.conf since these are the rules by which credentials will be exchanged between the PPTP clients and the PPTP server.
Now that you have made changes again, I need to see what your configurations are.
The means of authentication on the backend /etc/ppp/options.pptpd is irrelevant for the purpose of the PPTP connection between the client and server.
I.e. if you walk to a door and hit the doorbell, as long as the door opens you do not care whether there is a person who opened the door or there was someone who called someone else and they authorized the opening of the door, etc.
What is the result of running pptpd -f -d? What do you see? Does it show that it loaded radius.so?
If you take out the reference to /etc/ppp/options.pptpd from the /etc/pptpd.conf file, can those clients establish a pptp connection?
ASKER
I removed ClearOS and am currently trying to install Ubuntu, because I like Ubuntu (it seems like Debian).
I don't jump, and I don't like jumping from one set to another; when I do everything in your posts and pptpd doesn't work, I try to find other ways which you don't tell here...
Currently I am trying to install Ubuntu.
Your command pptpd -f -d doesn't work and doesn't show anything.
Would you mind explaining all of it in one post so I can accept it as the solution?
Changing everything on a failure while not providing the output of what I am asking for, I have no idea what the issue is on your end to suggest a fix.
I cannot explain what I cannot see as the cause of your issue.
But this exercise will help you acquire troubleshooting skills.
The links I previously posted are guides that got this to work.
The only thing I can think of is that your radiusclient.conf file was not configured as suggested in the several links.
ASKER
I installed Ubuntu and configured freeradius + mysql + daloradius and poptop.
With daloradius I tested the user and it works as well.
But again it doesn't work.
When I enter "/usr/sbin/pptpd -d -f -c /etc/ppptd.conf" it doesn't show anything:
wwsmanager@uss01:/etc/radiusclient$ sudo /usr/sbin/pptpd -d -f -c /etc/ppptd.conf
wwsmanager@uss01:/etc/radiusclient$
wwsmanager@uss01:/etc/radiusclient$ /usr/sbin/pptpd -d -f -c /etc/ppptd.conf
wwsmanager@uss01:/etc/radiusclient$
I think we haven't done some important configuration.
can you post the contents of your /etc/pptpd.conf file?
sudo bash
lsof -i:1723
if it returns nothing, run
/usr/sbin/pptpd -d -f -c /etc/pptpd.conf
grep -i pptp /var/log/messages
any entries there?
ASKER
root@uss01:~# lsof -i:1723
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
pptpd 4479 root 6u IPv4 23879 0t0 TCP *:1723 (LISTEN)
root@uss01:~# /usr/sbin/pptpd -d -f -c /etc/pptpd.conf
root@uss01:~# grep -i pptp /var/log/messages
Oct 11 23:56:15 uss01 pppd[4787]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 02:06:40 uss01 pppd[8715]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 02:06:44 uss01 pppd[8718]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 04:19:18 uss01 pppd[12733]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 05:39:33 uss01 pppd[15177]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 05:39:38 uss01 pppd[15179]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 14:27:18 uss01 pppd[4865]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 14:32:21 uss01 pppd[5156]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 14:32:33 uss01 pppd[5164]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 14:32:45 uss01 pppd[5172]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 17:38:32 uss01 pppd[23795]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 17:38:38 uss01 pppd[23803]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 17:38:43 uss01 pppd[23810]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 17:38:54 uss01 pppd[23819]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 17:39:03 uss01 pppd[23880]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 17:39:16 uss01 pppd[23888]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 17:39:22 uss01 pppd[23896]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 17:39:34 uss01 pppd[23905]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 17:42:56 uss01 pppd[24193]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 18:11:46 uss01 pppd[26906]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 19:44:54 uss01 pppd[1680]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 19:54:27 uss01 pppd[3611]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 20:42:30 uss01 pppd[4510]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 20:42:30 uss01 pppd[4510]: pptpd-logwtmp: $Version$
root@uss01:~#
root@uss01:/etc# cat /etc/pptpd.conf
###############################################################################
# $Id: pptpd.conf 4255 2004-10-03 18:44:00Z rene $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################
# TAG: ppp
# Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd
# TAG: option
# Specifies the location of the PPP options file.
# By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/pptpd-options
# TAG: debug
# Turns on (more) debugging to syslog
#
#debug
# TAG: stimeout
# Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10
# TAG: noipparam
# Suppress the passing of the client's IP address to PPP, which is
# done by default otherwise.
#
#noipparam
# TAG: logwtmp
# Use wtmp(5) to record client connections and disconnections.
#
logwtmp
# TAG: bcrelay <if>
# Turns on broadcast relay to clients from interface <if>
#
#bcrelay eth1
# TAG: localip
# TAG: remoteip
# Specifies the local and remote IP address ranges.
#
# Any addresses work as long as the local machine takes care of the
# routing. But if you want to use MS-Windows networking, you should
# use IP addresses out of the LAN address space and use the proxyarp
# option in the pppd options file, or run bcrelay.
#
# You can specify single IP addresses seperated by commas or you can
# specify ranges, or both. For example:
#
# 192.168.0.234,192.168.0.245-249,192.168.0.254
#
# IMPORTANT RESTRICTIONS:
#
# 1. No spaces are permitted between commas or within addresses.
#
# 2. If you give more IP addresses than MAX_CONNECTIONS, it will
# start at the beginning of the list and go until it gets
# MAX_CONNECTIONS IPs. Others will be ignored.
#
# 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
# you must type 234-238 if you mean this.
#
# 4. If you give a single localIP, that's ok - all local IPs will
# be set to the given one. You MUST still give at least one remote
# IP for each simultaneous client.
#
# (Recommended)
#localip 192.168.0.1
#remoteip 192.168.0.234-238,192.168.0.245
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
localip 192.168.121.1
remoteip 192.168.121.2-254
root@uss01:/etc#
ASKER
Here you can see the log when I tried to connect to the server with a PPTP connection from my Mac OS X:
# tail -f /var/log/debug
Oct 12 21:02:15 uss01 pppd[11653]: using channel 2
Oct 12 21:02:15 uss01 pppd[11653]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MD5> <magic 0x2d318763> <pcomp> <accomp>]
Oct 12 21:02:16 uss01 pppd[11653]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x24ba188b> <pcomp> <accomp>]
Oct 12 21:02:16 uss01 pppd[11653]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x24ba188b> <pcomp> <accomp>]
Oct 12 21:02:18 uss01 pppd[11653]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MD5> <magic 0x2d318763> <pcomp> <accomp>]
Oct 12 21:02:19 uss01 pppd[11653]: rcvd [LCP ConfNak id=0x1 <auth chap MS-v2>]
Oct 12 21:02:19 uss01 pppd[11653]: sent [LCP ConfReq id=0x2 <asyncmap 0x0> <auth chap MS-v2> <magic 0x2d318763> <pcomp> <accomp>]
Oct 12 21:02:19 uss01 pppd[11653]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x24ba188b> <pcomp> <accomp>]
Oct 12 21:02:19 uss01 pppd[11653]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x24ba188b> <pcomp> <accomp>]
Oct 12 21:02:19 uss01 pppd[11653]: rcvd [LCP ConfAck id=0x2 <asyncmap 0x0> <auth chap MS-v2> <magic 0x2d318763> <pcomp> <accomp>]
Oct 12 21:02:19 uss01 pppd[11653]: sent [LCP EchoReq id=0x0 magic=0x2d318763]
Oct 12 21:02:19 uss01 pppd[11653]: sent [CHAP Challenge id=0xaf <3703c65d33323154f87e69f6ab9a0025>, name = "pptpd"]
Oct 12 21:02:19 uss01 pppd[11653]: rcvd [LCP EchoReq id=0x0 magic=0x24ba188b]
Oct 12 21:02:19 uss01 pppd[11653]: sent [LCP EchoRep id=0x0 magic=0x2d318763]
Oct 12 21:02:20 uss01 pppd[11653]: rcvd [LCP EchoRep id=0x0 magic=0x24ba188b]
Oct 12 21:02:20 uss01 pppd[11653]: rcvd [CHAP Response id=0xaf <2729c5926cfec882a88c6dbeb2e1f4b40000000000000000c387943b75a56e4c90f09db92f3aef2fba3106f25b21077000>, name = "testuser"]
Oct 12 21:02:20 uss01 pppd[11653]: sent [CHAP Failure id=0xaf ""]
Oct 12 21:02:20 uss01 pppd[11653]: sent [LCP TermReq id=0x3 "Authentication failed"]
Oct 12 21:02:20 uss01 pppd[11653]: rcvd [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
Oct 12 21:02:20 uss01 pppd[11653]: sent [LCP TermAck id=0x2]
Oct 12 21:02:20 uss01 pptpd[11652]: CTRL: Reaping child PPP[11653]
Oct 12 21:02:20 uss01 pppd[11653]: RADATTR plugin removed file /var/run/radattr.ppp0.
Oct 12 21:02:22 uss01 slapd[4788]: connection_read(25): no connection!
ASKER
/etc/ppp/pptpd-options
root@uss01:/etc/ppp# cat /etc/ppp/pptpd-options
###############################################################################
# $Id: pptpd-options 4643 2006-11-06 18:42:43Z rene $
#
# Sample Poptop PPP options file /etc/ppp/pptpd-options
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection. See "man pppd".
#
# You are expected to change this file to suit your system. As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################
# Authentication
# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptpd
# Optional: domain name to use for authentication
# domain mydomain.net
# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain
# Encryption
# Debian: on systems with a kernel built with the package
# kernel-patch-mppe >= 2.4.2 and using ppp >= 2.4.2, ...
# {{{
require-pap
require-chap
require-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}
# Network and Routing
# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients. The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
# Attention! This information may not be taken into account by a Windows
# client. See KB311218 in Microsoft's knowledge base for more information.
ms-dns 66.96.80.194
ms-dns 66.96.80.43
# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients. The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
ms-wins 66.96.80.194
ms-wins 66.96.80.43
# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system. This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp
# Debian: do not replace the default route
nodefaultroute
# Logging
# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
debug
# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump
# Miscellaneous
# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock
# Disable BSD-Compress compression
nobsdcomp
#plugins
plugin radius.so
plugin radattr.so
root@uss01:/etc/ppp#
ASKER
Dear Arnold,
After 3 months of trying to install it, I hope today it's done.
I will post full details here; please read all of them carefully.
Thanks for your great help and the time you spent answering my question and solving my problems.
I attach all configuration files (freeradius and pptpd) in this post (I just renamed all files to .txt because of attachment rules).
Log while I tried to connect to the server with a PPTP connection on my Mac OS X; in the second terminal where I ran freeradius -X nothing happened.
#tail -f /var/log/message
Oct 12 23:23:24 uss01 pptpd[5878]: MGR: Launching /usr/sbin/pptpctrl to handle client
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: local address = 192.168.121.1
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: remote address = 192.168.121.2
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: pppd options file = /etc/ppp/pptpd-options
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: Received PPTP Control Message (type: 1)
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: Made a START CTRL CONN RPLY packet
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: I wrote 156 bytes to the client.
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: Sent packet to client
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: Received PPTP Control Message (type: 7)
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: Set parameters to 100000000 maxbps, 64 window size
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: Made a OUT CALL RPLY packet
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: pty_fd = 6
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: tty_fd = 7
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: I wrote 32 bytes to the client.
Oct 12 23:23:24 uss01 pptpd[5879]: CTRL (PPPD Launcher): program binary = /usr/sbin/pppd
Oct 12 23:23:24 uss01 pptpd[5879]: CTRL (PPPD Launcher): local address = 192.168.121.1
Oct 12 23:23:24 uss01 pptpd[5879]: CTRL (PPPD Launcher): remote address = 192.168.121.2
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: Sent packet to client
Oct 12 23:23:24 uss01 pppd[5879]: using channel 1
Oct 12 23:23:24 uss01 pppd[5879]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xada88021> <pcomp> <accomp>]
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: Received PPTP Control Message (type: 15)
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Oct 12 23:23:24 uss01 pptpd[5878]: GRE: accepting packet #1
Oct 12 23:23:24 uss01 pppd[5879]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x48834e69> <pcomp> <accomp>]
Oct 12 23:23:24 uss01 pppd[5879]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x48834e69> <pcomp> <accomp>]
Oct 12 23:23:25 uss01 pptpd[5878]: GRE: accepting packet #2
Oct 12 23:23:25 uss01 pppd[5879]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xada88021> <pcomp> <accomp>]
Oct 12 23:23:25 uss01 pppd[5879]: sent [LCP EchoReq id=0x0 magic=0xada88021]
Oct 12 23:23:25 uss01 pppd[5879]: sent [CHAP Challenge id=0x59 <6ceb872c83af9a069364a49fbeea830e>, name = "pptpd"]
Oct 12 23:23:25 uss01 pptpd[5878]: GRE: accepting packet #3
Oct 12 23:23:25 uss01 pppd[5879]: rcvd [LCP EchoReq id=0x0 magic=0x48834e69]
Oct 12 23:23:25 uss01 pppd[5879]: sent [LCP EchoRep id=0x0 magic=0xada88021]
Oct 12 23:23:25 uss01 pptpd[5878]: GRE: accepting packet #4
Oct 12 23:23:25 uss01 pptpd[5878]: GRE: accepting packet #5
Oct 12 23:23:25 uss01 pppd[5879]: rcvd [LCP EchoRep id=0x0 magic=0x48834e69]
Oct 12 23:23:25 uss01 pppd[5879]: rcvd [CHAP Response id=0x59 <0da741da5ada8e72f2b2b1afcade3e1000000000000000008ba5dea7e2eab57a69dae7a2e66f0a128d9e3a9026bb9e1d00>, name = "testuser"]
Oct 12 23:23:25 uss01 pppd[5879]: sent [CHAP Failure id=0x59 ""]
Oct 12 23:23:25 uss01 pppd[5879]: sent [LCP TermReq id=0x2 "Authentication failed"]
Oct 12 23:23:25 uss01 pptpd[5878]: GRE: accepting packet #6
Oct 12 23:23:25 uss01 pppd[5879]: rcvd [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
Oct 12 23:23:25 uss01 pppd[5879]: sent [LCP TermAck id=0x2]
Oct 12 23:23:25 uss01 pptpd[5878]: CTRL: Reaping child PPP[5879]
Oct 12 23:23:25 uss01 pppd[5879]: RADATTR plugin removed file /var/run/radattr.ppp0.
Oct 12 23:23:25 uss01 pptpd[5878]: CTRL: Exiting now
Oct 12 23:23:25 uss01 pptpd[2418]: MGR: Reaped child 5878
Some other information:
root@uss01:~# dpkg -s freeradius
Package: freeradius
Architecture: amd64
Version: 2.1.8+dfsg-1ubuntu1
Provides: radius-server
Depends: lsb-base (>= 3.1-23.2), libc6 (>= 2.4), libfreeradius2 (= 2.1.8+dfsg-1ubuntu1), libgdbm3 (>= 1.8.3), libltdl7 (>= 2.2.6b), libpam0g (>= 0.99.7.1), libperl5.10 (>= 5.10.0), libpython2.6 (>= 2.6), libssl0.9.8 (>= 0.9.8k-1), zlib1g (>= 1:1.1.4), freeradius-common, ssl-cert, adduser
root@uss01:~# dpkg -s radiusclient1
Architecture: amd64
Source: radiusclient
Version: 0.3.2-13
Depends: libradius1, perl5, libc6 (>= 2.4)
root@uss01:~# dpkg -s pptpd
Package: pptpd
Architecture: amd64
Version: 1.3.4-2.1ubuntu1.9.04.2
Depends: libc6 (>= 2.4), libwrap0 (>= 7.6-4~), ppp (>= 2.4.4), netbase, debconf | debconf-2.0, bcrelay
root@uss01:~# dpkg -s ppp
Package: ppp
Architecture: amd64
Version: 2.4.5~git20081126t100229-0ubuntu3
Replaces: ppp-pam, ppp-udeb
Depends: libc6 (>= 2.11), libpam0g (>= 0.99.7.1), libpcap0.8 (>= 0.9.8), libpam-modules, libpam-runtime (>= 0.76-13.1), netbase, procps
poptop Configurations
pptpd.conf.txt pptpd-options.txt options.txt pap-secrets.txt chap-secrets.txt
Freeradius Configurations
radiusd.conf.txt sql.conf.txt clients.conf.txt default.txt
Radiusclient Configurations
radiusclient.conf.txt servers.txt dictionary.txt dictionary.microsoft.txt
http://poptop.sourceforge.net/dox/radius_mysql.html
I do not see where your pptpd/ppp loads plugin radius.so
try the /etc/ppp/options-pptpd to be the exact copy of the one in the link above.
Make sure to avoid the error in the link and point pptpd.conf to the correct location where you have /etc/ppp/pptpd-options
ASKER
At the end of /etc/ppp/pptpd-options you can see I used it:
link to my previous post attachment (pptpd-options): http://filedb.experts-exchange.com/incoming/2011/10_w42/511631/pptpd-options.txt
# plugins
plugin radius.so
radius-config-file /etc/radiusclient/radiusclient.conf
plugin radattr.so
I saw it in the configuration file, but the output from your log still shows that the authentication is using chap/pap and not using radius.
Oct 12 23:23:25 uss01 pppd[5879]: rcvd [CHAP Response id=0x59 <0da741da5ada8e72f2b2b1afcade3e1000000000000000008ba5dea7e2eab57a69dae7a2e66f0a128d9e3a9026bb9e1d00>, name = "testuser"]
Oct 12 23:23:25 uss01 pppd[5879]: sent [CHAP Failure id=0x59 ""]
ASKER
What should I do?
ASKER
My /etc/ppp/chap-secrets and pap-secrets are empty; is that right, or should I type some configuration in these files?
Since you are using plugin radius.so the chap/pap are ignored. But for one reason or another your configuration does not seem to load/reflect that pppd uses radius.
Presumably if you comment out the plugin radius.so, your pptp CONNECTION gets established.
Can you remove the plugin radattr.so or have both plugins on the same line?
plugin radius.so radattr.so
Not sure whether the two plugin lines get pppd to only use the last one it read.
Oct 12 23:23:25 uss01 pppd[5879]: RADATTR plugin removed file /var/run/radattr.ppp0.
I am looking for a similar line where pppd loads radius.so plugin.
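The check Arnold describes (look for the line where pppd reports loading radius.so, then see how the CHAP exchange ends) can be scripted over syslog excerpts like the ones pasted above. The Python below is an added example, not code from this thread or from pptpd/pppd; its log lines are constructed in the same shape as the ones above, and the verdict strings are my own wording.

```python
import re
from typing import Dict

# Constructed sample in the shape of the pppd/pptpd syslog lines in this
# thread (PIDs, magic numbers and hashes are made up). Session 5879 never
# loads radius.so and fails CHAP; session 6001 loads it and succeeds.
SAMPLE_LOG = """\
Oct 12 23:23:24 uss01 pptpd[5878]: CTRL: pppd options file = /etc/ppp/pptpd-options
Oct 12 23:23:24 uss01 pppd[5879]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Oct 12 23:23:25 uss01 pppd[5879]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xada88021> <pcomp> <accomp>]
Oct 12 23:23:25 uss01 pppd[5879]: sent [CHAP Challenge id=0x59 <6ceb872c83af9a06>, name = "pptpd"]
Oct 12 23:23:25 uss01 pppd[5879]: rcvd [CHAP Response id=0x59 <0da741da5ada8e72>, name = "testuser"]
Oct 12 23:23:25 uss01 pppd[5879]: sent [CHAP Failure id=0x59 ""]
Oct 12 23:23:25 uss01 pppd[5879]: sent [LCP TermReq id=0x2 "Authentication failed"]
Oct 12 23:23:25 uss01 pppd[5879]: RADATTR plugin removed file /var/run/radattr.ppp0.
Oct 13 01:10:02 uss01 pppd[6001]: Plugin radius.so loaded.
Oct 13 01:10:02 uss01 pppd[6001]: Plugin radattr.so loaded.
Oct 13 01:10:03 uss01 pppd[6001]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x11223344> <pcomp> <accomp>]
Oct 13 01:10:03 uss01 pppd[6001]: rcvd [CHAP Response id=0x12 <9f8e7d6c5b4a3928>, name = "testuser"]
Oct 13 01:10:03 uss01 pppd[6001]: sent [CHAP Success id=0x12 "S=0123456789ABCDEF"]
"""

# Only pppd lines carry authentication state; pptpd CTRL/GRE lines are skipped.
PPPD_RE = re.compile(r"pppd\[(\d+)\]: (.*)$")
# pppd logs "Plugin <path> loaded." for every plugin it managed to load.
PLUGIN_RE = re.compile(r"^Plugin (\S+) loaded\.$")
# The auth protocol the peer agreed to is in the ConfAck we receive.
AUTH_RE = re.compile(r"^rcvd \[LCP ConfAck .*<auth ([^>]+)>")
CHAP_RE = re.compile(
    r'^(sent|rcvd) \[CHAP (\w+) id=0x[0-9a-f]+(?: <[0-9a-f]*>, name = "([^"]*)")?'
)

NO_RADIUS = ("CHAP failed and pppd never logged 'Plugin radius.so loaded.': "
             "the peer was checked against chap-secrets/pap-secrets, not RADIUS")
RADIUS_REJECT = ("CHAP failed after radius.so loaded: check radiusclient.conf, "
                 "the secret in the servers file and what radiusd -X received")
OK = "peer authenticated"


def triage(log_text: str) -> Dict[str, dict]:
    """Group pppd lines per PID and decide where authentication happened."""
    sessions: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = PPPD_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        s = sessions.setdefault(
            pid, {"plugins": [], "auth": None, "user": None, "result": "unknown"})
        if (pm := PLUGIN_RE.match(msg)):
            s["plugins"].append(pm.group(1).rsplit("/", 1)[-1])  # keep basename
            continue
        if (am := AUTH_RE.match(msg)):
            s["auth"] = am.group(1)
            continue
        cm = CHAP_RE.match(msg)
        if not cm:
            continue
        direction, kind, name = cm.groups()
        if direction == "rcvd" and kind == "Response":
            s["user"] = name
        elif direction == "sent" and kind == "Failure":
            s["result"] = "failure"
        elif direction == "sent" and kind == "Success":
            s["result"] = "success"
    for s in sessions.values():
        if s["result"] == "success":
            s["verdict"] = OK
        elif s["result"] == "failure":
            s["verdict"] = RADIUS_REJECT if "radius.so" in s["plugins"] else NO_RADIUS
        else:
            s["verdict"] = "no CHAP outcome logged (session did not reach auth)"
    return sessions


if __name__ == "__main__":
    for pid, s in triage(SAMPLE_LOG).items():
        print(f"pppd[{pid}] user={s['user']} auth={s['auth']} "
              f"plugins={s['plugins']}\n  -> {s['verdict']}")
```

Run it over `grep pppd /var/log/syslog` output to get the same per-session summary for real sessions.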
ASKER
It doesn't work.
If it's possible for me to send you a message privately, I can send SSH login details and you can check it yourself instead of sending many posts....
What is a valid username to test with for pptp?
You had disabled the client config such that freeradius would ignore all requests if they came.
ASKER
user: testuser
password: testpass
ASKER
Please check your e-mail; I sent some additional information regarding the daloRADIUS web management panel for user management.
The issue you have is that radiusclient is not able to parse dictionary.microsoft line 22, which is what prevents it from even generating the RADIUS packets.
grep ppp /var/log/syslog
At this point the issue is radiusclient and dictionary.microsoft.
ASKER
So, how is it possible to fix this problem?
ASKER
do you have any solution for this problem?
First we have to determine whether the radiusclient you have installed is the issue, since it is the one that is supposed to parse the dictionary files and perform the action.
You should try installing radiusclient-ng and follow the example in the link and see if that helps. I have seen a patch for radiusclient dealing with altering which radius libraries it should use, libradiusclient or a different set.
At this point the issue seems to be related to the tie-in between the plugin radius.so and the radiusclient.
The suggestion deals with creating a symbolic link from /etc/radiusclient-ng to /etc/radiusclient to minimize alterations to the various configurations.
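The two points made above, that with radius.so loaded pppd defers PAP/CHAP to RADIUS (so empty chap-secrets/pap-secrets are fine) and that a dictionary parse failure in radiusclient stops any Access-Request from ever being sent, can be checked from the options file and the pppd syslog lines before touching the server. The script below is an added example and is not from the original thread or from pppd/radiusclient; the file paths, the sample options/log lines, and the substrings it matches on (`dictionary`, `radius`, the `CHAP Response`/`CHAP Failure` pair from the log excerpt in this thread) are assumptions modelled on the thread's own excerpts, not on documented log formats.

```shell
#!/bin/sh
# Added example (not from the original thread): static checks for the
# pppd -> radius.so -> radiusclient wiring discussed above. Paths and the
# log substrings are assumptions modelled on the thread's excerpts.

# options_loads_radius FILE: exit 0 if FILE (an /etc/ppp/options.pptpd
# style file) has an uncommented "plugin ... radius.so" line, else 1.
options_loads_radius() {
    sed 's/#.*//' "$1" |
        grep -Eq '^[[:space:]]*plugin[[:space:]]+[^[:space:]]*radius\.so([[:space:]]|$)'
}

# options_loads_radattr FILE: same check for radattr.so, which only makes
# sense alongside radius.so (it writes /var/run/radattr.<iface>).
options_loads_radattr() {
    sed 's/#.*//' "$1" |
        grep -Eq '^[[:space:]]*plugin[[:space:]]+[^[:space:]]*radattr\.so([[:space:]]|$)'
}

# secrets_nonempty FILE: exit 0 if FILE holds at least one non-comment,
# non-blank line, i.e. a local secret pppd could fall back on.
secrets_nonempty() {
    [ -f "$1" ] && sed 's/#.*//' "$1" | grep -q '[^[:space:]]'
}

# classify_pppd_log LOGFILE: print one word describing what the pppd
# lines in LOGFILE show.
#   dictionary-error   a pppd line mentions a dictionary (radiusclient parse failure)
#   radius-active      pppd logged some RADIUS activity
#   local-chap-only    CHAP/PAP exchange but no RADIUS activity at all
#   no-auth-activity   nothing relevant found
classify_pppd_log() {
    ppp=$(grep 'pppd\[' "$1" || true)
    if printf '%s\n' "$ppp" | grep -iq 'dictionary'; then
        echo dictionary-error
    elif printf '%s\n' "$ppp" | grep -iq 'radius'; then
        echo radius-active
    elif printf '%s\n' "$ppp" | grep -Eq 'CHAP (Response|Failure|Success)|PAP AuthReq'; then
        echo local-chap-only
    else
        echo no-auth-activity
    fi
}

# diagnose OPTIONS CHAPSECRETS LOG: print a one-line verdict.
diagnose() {
    verdict=$(classify_pppd_log "$3")
    if ! options_loads_radius "$1"; then
        if secrets_nonempty "$2"; then
            echo "radius.so not loaded; pppd is authenticating against $2"
        else
            echo "radius.so not loaded and $2 is empty; every peer will fail"
        fi
    elif options_loads_radattr "$1" && [ "$verdict" = local-chap-only ]; then
        echo "radius.so and radattr.so configured but the log shows no RADIUS activity; check that radius.so actually loads"
    else
        echo "radius.so loaded; log says: $verdict"
    fi
}

# make_samples DIR: write constructed sample inputs (not real files from
# the thread) into DIR so the checks can be exercised offline.
make_samples() {
    cat > "$1/options.pptpd" <<'EOF'
name pptpd
require-mschap-v2
plugin radius.so
plugin radattr.so
EOF
    printf 'name pptpd\nrequire-mschap-v2\n' > "$1/options.noradius"
    : > "$1/chap-secrets"
    cat > "$1/syslog" <<'EOF'
Oct 12 23:23:25 uss01 pppd[5879]: rcvd [CHAP Response id=0x59 <...>, name = "testuser"]
Oct 12 23:23:25 uss01 pppd[5879]: sent [CHAP Failure id=0x59 ""]
Oct 12 23:23:25 uss01 pppd[5879]: RADATTR plugin removed file /var/run/radattr.ppp0.
EOF
    # constructed line; the exact wording of a real radiusclient error may differ
    printf 'Oct 12 23:30:01 uss01 pppd[5901]: RADIUS: cannot read dictionary file /etc/radiusclient/dictionary.microsoft line 22\n' \
        > "$1/syslog-dict"
}

tmp=$(mktemp -d)
make_samples "$tmp"
diagnose "$tmp/options.pptpd" "$tmp/chap-secrets" "$tmp/syslog"
diagnose "$tmp/options.pptpd" "$tmp/chap-secrets" "$tmp/syslog-dict"
diagnose "$tmp/options.noradius" "$tmp/chap-secrets" "$tmp/syslog"
rm -rf "$tmp"
```

On a real box, point `diagnose` at /etc/ppp/options.pptpd, /etc/ppp/chap-secrets and the syslog file instead of the constructed samples; a `local-chap-only` verdict with radius.so configured is the situation in the log excerpt above, and `dictionary-error` is the radiusclient problem Arnold identified.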
ASKER
You mean I should do it myself? :)
OK, thanks
ASKER
How should I install radiusclient-ng on Ubuntu?
I can't find any article about it.
Patience is a virtue.
http://packages.ubuntu.com/maverick/libradiusclient-ng2
Do not make changes to anything else.
Since this is your system, I did not and do not want to make any changes, i.e. installing new software while removing old software.
ASKER
I installed radiusclient-ng2,
but freeradius -X doesn't show anything.
SOLUTION
ASKER
Thanks Arnold,
connection established,
I think it's enough to post more tickets with just 500 points.
With best wishes,
r
ASKER
- Arnold,
Would you mind helping me on this topic -> https://www.experts-exchange.com/questions/27408110/PPTP-Poptop-auto-disconnect-Problem-on-Linux.html?cid=239
ASKER