Freeradius error

Andrei M. Castillo Andrei.Castillo at alliedtelesis.com
Thu Apr 28 02:06:59 CEST 2011


Hi guys,

New to FreeRADIUS. I installed FreeRADIUS in a VirtualBox but can't get it to work. This is the error that I get.
rad_recv: Access-Request packet from host 127.0.0.1 port 52378, id=160, length=119
      User-Name = "test-01"
      User-Password = "test-01"
      NAS-IP-Address = 127.0.1.1
      NAS-Port = 1812
      Message-Authenticator = 0xb4f32db02020dde2dea54abf00aad93e
      State = 0x1924712819bb75814c2d329074168479
      EAP-Message = 0x029f00160410804938cd9f788564d605731c54d4ceaf
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test-01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 159 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
[eap] Handler failed in EAP/md5
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]   expand: %{User-Name} -> test-01
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 160 to 127.0.0.1 port 52378
      EAP-Message = 0x049f0004
      Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 4 ID 159 with timestamp +5907
Waking up in 0.9 seconds.
Cleaning up request 5 ID 160 with timestamp +5907
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 37217, id=174, length=91
      User-Name = "test-01"
      User-Password = "test-01"
      NAS-IP-Address = 127.0.1.1
      NAS-Port = 1812
      Message-Authenticator = 0x3731176813fa2d963f45aad0433d91ce
      EAP-Message = 0x02ad000c01746573742d3031
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test-01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 173 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 174 to 127.0.0.1 port 37217
      EAP-Message = 0x01ae00160410dd3b9e060bc20ab6c7618dabcbaba135
      Message-Authenticator = 0x00000000000000000000000000000000
      State = 0x254299cc25ec9d2a127daea22ca93a94
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 37217, id=175, length=119
      User-Name = "test-01"
      User-Password = "test-01"
      NAS-IP-Address = 127.0.1.1
      NAS-Port = 1812
      Message-Authenticator = 0x74c8493a76c0fd7a58208e5ea899acfe
      State = 0x254299cc25ec9d2a127daea22ca93a94
      EAP-Message = 0x02ae0016041005754627c66e7e1f2dd289bddf3faede
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test-01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 174 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
[eap] Handler failed in EAP/md5
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]   expand: %{User-Name} -> test-01
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 175 to 127.0.0.1 port 37217
      EAP-Message = 0x04ae0004
      Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 6 ID 174 with timestamp +6089
Waking up in 0.9 seconds.
Cleaning up request 7 ID 175 with timestamp +6089
Ready to process requests.



Kindly check my users conf.

#test-01    Cleartext-Password := "test-01"
#
#     Please read the documentation file ../doc/processing_users_file,
#     or 'man 5 users' (after installing the server) for more information.
#
#     This file contains authentication security and configuration
#     information for each user.  Accounting requests are NOT processed
#     through this file.  Instead, see 'acct_users', in this directory.
#
#     The first field is the user's name and can be up to
#     253 characters in length.  This is followed (on the same line) with
#     the list of authentication requirements for that user.  This can
#     include password, comm server name, comm server port number, protocol
#     type (perhaps set by the "hints" file), and huntgroup name (set by
#     the "huntgroups" file).
#
#     If you are not sure why a particular reply is being sent by the
#     server, then run the server in debugging mode (radiusd -X), and
#     you will see which entries in this file are matched.
#
#     When an authentication request is received from the comm server,
#     these values are tested. Only the first match is used unless the
#     "Fall-Through" variable is set to "Yes".
#
#     A special user named "DEFAULT" matches on all usernames.
#     You can have several DEFAULT entries. All entries are processed
#     in the order they appear in this file. The first entry that
#     matches the login-request will stop processing unless you use
#     the Fall-Through variable.
#
#     If you use the database support to turn this file into a .db or .dbm
#     file, the DEFAULT entries _have_ to be at the end of this file and
#     you can't have multiple entries for one username.
#
#     Indented (with the tab character) lines following the first
#     line indicate the configuration values to be passed back to
#     the comm server to allow the initiation of a user session.
#     This can include things like the PPP configuration values
#     or the host to log the user onto.
#
#     You can include another `users' file with `$INCLUDE users.other'
#

#
#     For a list of RADIUS attributes, and links to their definitions,
#     see:
#
#     http://www.freeradius.org/rfc/attributes.html
#

#
# Deny access for a specific user.  Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser   Auth-Type := Reject
#           Reply-Message = "Your account has been disabled."

#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT    Group == "disabled", Auth-Type := Reject
#           Reply-Message = "Your account has been disabled."
#

#
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
steve Cleartext-Password := "testing"
Auth-Type := pap
#     Service-Type = Framed-User,
#     Framed-Protocol = PPP,
#     Framed-IP-Address = 172.16.3.33,
#     Framed-IP-Netmask = 255.255.255.0,
#     Framed-Routing = Broadcast-Listen,
#     Framed-Filter-Id = "std.ppp",
#     Framed-MTU = 1500,
#     Framed-Compression = Van-Jacobsen-TCP-IP


#     Auth-Type := md5,
#     Service-Type = Administrative-user,
#     Framed-Protocol = PPP,
#     Framed-IP-Address = 172.16.3.33,
#     Framed-IP-Netmask = 255.255.255.0,
#     Framed-Routing = Broadcast-Listen,
#     Framed-Filter-Id = "std.ppp",
#     Framed-MTU = 1500,
#     Framed-Compression = Van-Jacobsen-TCP-IP

#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe" Cleartext-Password := "hello"
#           Reply-Message = "Hello, %{User-Name}"

#
# Dial user back and telnet to the default host for that port
#
#Deg  Cleartext-Password := "ge55ged"
#     Service-Type = Callback-Login-User,
#     Login-IP-Host = 0.0.0.0,
#     Callback-Number = "9,5551212",
#     Login-Service = Telnet,
#     Login-TCP-Port = Telnet

#
# Another complete entry. After the user "dialbk" has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host "timeshare1".
#
#dialbk     Cleartext-Password := "callme"
#     Service-Type = Callback-Login-User,
#     Login-IP-Host = timeshare1,
#     Login-Service = PortMaster,
#     Callback-Number = "9,1-800-555-1212"

#
# user "swilson" will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups file).
#
# Note that by setting "Fall-Through", other attributes will be added from
# the following DEFAULT entries
#
#swilson    Service-Type == Framed-User, Huntgroup-Name == "alphen"
#           Framed-IP-Address = 192.168.1.65,
#           Fall-Through = Yes

#
# If the user logs in as 'username.shell', then authenticate them
# using the default method, give them shell access, and stop processing
# the rest of the file.
#
#DEFAULT    Suffix == ".shell"
#           Service-Type = Login-User,
#           Login-Service = Telnet,
#           Login-IP-Host = your.shell.machine


#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#

#
# Set up different IP address pools for the terminal servers.
# Note that the "+" behind the IP address means that this is the "base"
# IP address. The Port-Id (S0, S1 etc) will be added to it.
#
#DEFAULT    Service-Type == Framed-User, Huntgroup-Name == "alphen"
#           Framed-IP-Address = 192.168.1.32+,
#           Fall-Through = Yes

#DEFAULT    Service-Type == Framed-User, Huntgroup-Name == "delft"
#           Framed-IP-Address = 192.168.2.32+,
#           Fall-Through = Yes

#
# Sample defaults for all framed connections.
#
#DEFAULT    Service-Type == Framed-User
#     Framed-IP-Address = 255.255.255.254,
#     Framed-MTU = 576,
#     Service-Type = Framed-User,
#     Fall-Through = Yes

#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
#     by the terminal server in which case there may not be a "P" suffix.
#     The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
DEFAULT     Framed-Protocol == PPP
      Framed-Protocol = PPP,
      Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT     Hint == "CSLIP"
      Framed-Protocol = SLIP,
      Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT     Hint == "SLIP"
      Framed-Protocol = SLIP

#
# Last default: rlogin to our main server.
#
#DEFAULT
#     Service-Type = Login-User,
#     Login-Service = Rlogin,
#     Login-IP-Host = shellbox.ispdomain.com

# #
# # Last default: shell on the local terminal server.
# #
# DEFAULT
#     Service-Type = Administrative-User

# On no match, the user is denied access.

Thank you.
Drei
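
Added example, not part of the original post: a decode of the EAP-Message values from the debug output above, showing the EAP-MD5 exchange (Identity, MD5-Challenge, Response, Failure) and why `rlm_eap_md5` asks for a Cleartext-Password: the server has to compute MD5(Identifier || password || challenge) itself to compare against the peer's value. The function names and the `server_check` model are illustrative assumptions, not FreeRADIUS code.

```python
import hashlib
import hmac
import struct

# EAP-Message values copied from the radiusd -X output in the post.
IDENTITY = "02ad000c01746573742d3031"
CHALLENGE = "01ae00160410dd3b9e060bc20ab6c7618dabcbaba135"
RESPONSE = "02ae0016041005754627c66e7e1f2dd289bddf3faede"
FAILURE = "04ae0004"

CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 4: "MD5-Challenge"}

def parse_eap(hexstr):
    """Decode one EAP packet: 4-byte header, then Type and type data."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("Length field does not match packet size")
    pkt = {"code": CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:  # only Request/Response carry a Type
        eap_type, data = raw[4], raw[5:]
        pkt["type"] = TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            pkt["identity"] = data.decode("utf-8", "replace")
        elif eap_type == 4:
            if not data or data[0] > len(data) - 1:
                raise ValueError("bad MD5 Value-Size")
            pkt["value"] = data[1:1 + data[0]]
    return pkt

def md5_value(ident, password, challenge):
    """Value the peer returns: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def server_check(cleartext, challenge_hex, response_hex):
    """Model the server side; cleartext=None means no Cleartext-Password."""
    chal, resp = parse_eap(challenge_hex), parse_eap(response_hex)
    if cleartext is None:
        return "fail: Cleartext-Password required"
    want = md5_value(resp["id"], cleartext, chal["value"])
    return "accept" if hmac.compare_digest(want, resp["value"]) else "reject"

if __name__ == "__main__":
    for name in ("IDENTITY", "CHALLENGE", "RESPONSE", "FAILURE"):
        print(name, parse_eap(globals()[name]))
    print(server_check(None, CHALLENGE, RESPONSE))
```

In the posted users file the `test-01` entry on the first line is commented out, which is consistent with the server reporting that no Cleartext-Password is available for that user.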