Hints file and Strip-User-Name

Paul Khavkine paul.khavkine at distributel.ca
Tue Jun 3 20:16:04 CEST 2008



files is there in authentication { } section.

authenticate {
        #
        #  PAP authentication, when a back-end database listed
        #  in the 'authorize' section supplies a password.  The
        #  password can be clear-text, or encrypted.
        Auth-Type PAP {
                pap
        }

        #
        #  Most people want CHAP authentication
        #  A back-end database listed in the 'authorize' section
        #  MUST supply a CLEAR TEXT password.  Encrypted passwords
        #  won't work.
        Auth-Type CHAP {
                chap
        }

        #
        #  MSCHAP authentication.
        Auth-Type MS-CHAP {
                mschap
        }

        #
        #  If you have a Cisco SIP server authenticating against
        #  FreeRADIUS, uncomment the following line, and the 'digest'
        #  line in the 'authorize' section.
#       digest

        #
        #  Pluggable Authentication Modules.
#       pam

        #
        #  See 'man getpwent' for information on how the 'unix'
        #  module checks the users password.  Note that packets
        #  containing CHAP-Password attributes CANNOT be authenticated
        #  against /etc/passwd!  See the FAQ for details.
        #
#       unix

        # Uncomment it if you want to use ldap for authentication
        #
        # Note that this means "check plain-text password against
        # the ldap database", which means that EAP won't work,
        # as it does not supply a plain-text password.
#       Auth-Type LDAP {
#               ldap
#       }

        #
        #  Allow EAP authentication.
        eap
        files
 }


Paul



-----Original Message-----
From: freeradius-users-bounces+paul.khavkine=distributel.ca at lists.freeradius.org
[mailto:freeradius-users-bounces+paul.khavkine=distributel.ca at lists.freeradius.org] On Behalf Of Ivan Kalik
Sent: June 3, 2008 2:07 PM
To: FreeRadius users mailing list
Subject: Re: Hints file and Strip-User-Name

>
>When run radiusd -W I can see it enter the preprocess module and match
>an entry, but the suffix is not being stripped and entry in users file
>not being matched:
>

Not being stripped? You think that's the problem.

> 
>
>Tue Jun  3 12:54:15 2008 : Debug: +- entering group authorize
>
>Tue Jun  3 12:54:15 2008 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 0
..
>Tue Jun  3 12:54:15 2008 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
>
..
>Tue Jun  3 12:54:15 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>

You haven't hacked away at the default configuration by any chance?
Users file entry is not matched because you prevented the server from
looking there. Even if you put "files" back in it still won't work as
you have broken every single authentication method. Well done! Now put
the configuration back the way it was and watch it work.

Ivan Kalik
Kalik Informatika ISP
