
Freeradius 2.1.3 realm problem

Posted: Sun Jan 25, 2009 2:50 am
by sojicmk
For a few days I have had a problem with authentication with freeradius 2.1.3

Here are the details:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.20.30.4 port 51512, id=75, length=192
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 178
        NAS-Port-Type = Ethernet
        User-Name = "apo@airo.net.mk"
        Calling-Station-Id = "00:21:29:65:5D:7C"
        Called-Station-Id = "aironet1"
        NAS-Port-Id = "Aironet-1"
        MS-CHAP-Domain = "airo.net.mk"
        CHAP-Challenge = 0x7f82ecacdf503c47e1015de1816780ec
        CHAP-Password = 0x01a7fae70a629086451740bb0df1e889c4
        NAS-Identifier = "MikroTik"
        NAS-IP-Address = 10.20.30.4
        Mikrotik-Realm = "airo.net.mk"
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] Looking up realm "airo.net.mk" for User-Name = "apo@airo.net.mk"
[suffix] No such realm "airo.net.mk"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "apo@airo.net.mk" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> apo@airo.net.mk
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.20.30.4 port 51512, id=75, length=192
Waiting to send Access-Reject to client bazna1 port 51512 - ID: 75
Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host 10.20.30.4 port 51512, id=75, length=192
Waiting to send Access-Reject to client bazna1 port 51512 - ID: 75
Sending delayed reject for request 0
Sending Access-Reject of id 75 to 10.20.30.4 port 51512
Waking up in 4.9 seconds.
Cleaning up request 0 ID 75 with timestamp +12
Ready to process requests.
rad_recv: Access-Request packet from host 10.20.30.4 port 59025, id=76, length=192
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 179
        NAS-Port-Type = Ethernet
        User-Name = "apo@airo.net.mk"
        Calling-Station-Id = "00:21:29:65:5D:7C"
        Called-Station-Id = "aironet1"
        NAS-Port-Id = "Aironet-1"
        MS-CHAP-Domain = "airo.net.mk"
        CHAP-Challenge = 0x349f005de93160fcdb4a7b5d36273d86
        CHAP-Password = 0x0126926f7e8c962ce91fb1022c01199d9e
        NAS-Identifier = "MikroTik"
        NAS-IP-Address = 10.20.30.4
        Mikrotik-Realm = "airo.net.mk"
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] Looking up realm "airo.net.mk" for User-Name = "apo@airo.net.mk"
[suffix] No such realm "airo.net.mk"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "apo@airo.net.mk" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> apo@airo.net.mk
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 1.0 seconds.
rad_recv: Access-Request packet from host 10.20.30.4 port 59025, id=76, length=192
Waiting to send Access-Reject to client bazna1 port 59025 - ID: 76
Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host 10.20.30.4 port 59025, id=76, length=192
Waiting to send Access-Reject to client bazna1 port 59025 - ID: 76
Sending delayed reject for request 1
Sending Access-Reject of id 76 to 10.20.30.4 port 59025
Waking up in 4.9 seconds.
Cleaning up request 1 ID 76 with timestamp +20
Ready to process requests.


In mysql I have user "apo@airo.net.mk", but what is the problem with realm?

Re: Freeradius 2.1.3 realm problem

Posted: Sun Jan 25, 2009 12:11 pm
by SurferTim
Greetings! What is your goal? The realm is for a proxy radius server. See here:
http://wiki.freeradius.org/Proxy

Are you looking to use the remote radius server to authenticate your hotspot/pppoe clients?
Do you use multiple radius servers?

Take a look at this thread and see if that may be what you are looking for.
http://forum.mikrotik.com/viewtopic.php?f=2&t=28404

If it is, then the username should be entered in each radius server database without the @domain.com. Just the username.

Re: Freeradius 2.1.3 realm problem

Posted: Sun Jan 25, 2009 3:31 pm
by apo
Failed to authenticate the user. That's the real problem in this case .. the client is trying to connect with the accurate username and password which is in mysql, but still for some weird reason he can't log in, why?
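
The debug output in the first post stops at "[chap] Cleartext-Password is required for authentication". The sketch below is an added example, not part of the thread and not FreeRADIUS code; it shows the CHAP check from RFC 1994 and RFC 2865 and why it cannot be completed without the cleartext password. All values and result names are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def check_chap(chap_password: bytes, challenge: bytes,
               cleartext: Optional[bytes]) -> str:
    """Check a RADIUS CHAP-Password attribute (1-octet ID + 16-octet response).

    Result names are this example's own, not FreeRADIUS return codes.
    """
    if len(chap_password) != 17:
        return "malformed"
    if cleartext is None:
        # Nothing to feed into MD5: the response cannot be recomputed.
        return "no-cleartext"
    chap_id, received = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, cleartext, challenge)
    return "match" if hmac.compare_digest(expected, received) else "mismatch"

# Constructed values (not taken from the log above).
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
PASSWORD = b"constructed-password"
ATTR = bytes([1]) + chap_response(1, PASSWORD, CHALLENGE)

def demo() -> dict:
    # A stored hash of the password is not a usable CHAP secret.
    stored_hash = hashlib.md5(PASSWORD).hexdigest().encode()
    return {
        "cleartext available": check_chap(ATTR, CHALLENGE, PASSWORD),
        "no password found": check_chap(ATTR, CHALLENGE, None),
        "only a hash stored": check_chap(ATTR, CHALLENGE, stored_hash),
        "truncated attribute": check_chap(ATTR[:10], CHALLENGE, PASSWORD),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

In the log, no module in the authorize section supplied a password for the user before the CHAP section ran, which corresponds to the "no password found" case here.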

Re: Freeradius 2.1.3 realm problem

Posted: Sun Jan 25, 2009 3:46 pm
by SurferTim
How does it do without the domain in the radius entry? Try entering a username "test" with a password, and see if you can login with the username "test" and that password.

I usually use the program radtest from a shell on the radius server first.
radtest user password 127.0.0.1 0 radiussecret
That should show you all that is being returned. Saves much time in debugging.

ADD: Ensure that you have changed the default user type in the radiusd users file. You should have a couple of lines like this:
DEFAULT Auth-Type=System
   Fall-Through=1
It should be:
DEFAULT Auth-Type=Local
   Fall-Through=1
Also, ensure all the default user/passwords are removed. If they figure out you use FreeRadius, they will try those user/passwords in the users file.
ESPECIALLY user "steve" with password "testing" !!
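
One way to check for leftover sample accounts like the one named in the post above, as an added example that is not part of the thread: it lists every active (uncommented) named entry in a users file that carries an inline password. The sample file content is constructed, and the list of password attributes checked is an assumption of this example.

```python
import re

# Constructed sample in the "users" file layout: an entry starts in
# column 0 with the user name and check items; reply items are indented.
SAMPLE_USERS = '''\
# sample entries shipped as comments are harmless
#steve  Cleartext-Password := "testing"
steve   Cleartext-Password := "testing"
        Service-Type = Framed-User

"John Doe"  Cleartext-Password := "hello"
        Reply-Message = "Hello, %{User-Name}"

DEFAULT Auth-Type = System
        Fall-Through = 1
'''

# Attributes treated as an inline password (assumption of this example).
PASSWORD_ATTRS = ("Cleartext-Password", "User-Password", "Crypt-Password")
ENTRY_RE = re.compile(r'^(?:"([^"]+)"|(\S+))\s*(.*)$')

def audit_users(text):
    """Return (line number, user name, attribute) for active named
    entries that set a password directly in the file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        if line[0] in " \t":
            continue                      # indented reply item
        match = ENTRY_RE.match(line)
        name = match.group(1) or match.group(2)
        checks = match.group(3)
        if name == "DEFAULT":
            continue                      # catch-all entry, not an account
        for attr in PASSWORD_ATTRS:
            if re.search(r'\b' + re.escape(attr) + r'\s*(:=|==|=)', checks):
                findings.append((lineno, name, attr))
    return findings

if __name__ == "__main__":
    for lineno, name, attr in audit_users(SAMPLE_USERS):
        print(f"line {lineno}: active entry {name!r} sets {attr}")
```

To audit a real server, pass the contents of its users file to `audit_users` instead of the sample.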