Radius Squid authentication REJECT

Matthias Nagel matthias.h.nagel at gmail.com
Thu Apr 11 11:50:49 CEST 2013


Hello,

perhaps it is an encoding problem between the browser and squid. You should check what kind of encoding squid expects the browser to use and what encoding the browser actually uses. But this is not a radius problem, hence I cannot help you on that problem.

Anyway, somewhere on the link "browser <-> squid <-> radius" the password gets screwed up. If the problem was between the browser and squid, the user name would likely be screwed up, too. Hence, I still believe the problem is between squid and radius. But if a wrong secret isn't the solution, I am out. Sorry.

Regards, Matthias

On Thursday, 11 April 2013, 16:35:33, Iftakhul Anwar wrote:
> I just use enter after my shared secret.
> 
> Any suggestions ?
> 
> 
> On Thu, Apr 11, 2013 at 4:17 PM, Matthias Nagel <matthias.h.nagel at gmail.com> wrote:
> 
> > Hello,
> >
> > On Thursday, 11 April 2013, 16:07:08, Iftakhul Anwar wrote:
> > > Hi Matthias,
> > >
> > > I don't use " " on my squid_rad_auth.conf
> >
> > I know, that is the reason why I asked you to check for non-printable
> > characters AFTER your shared secret.
> >
> > > No space on my secret.
> >
> > And what is between the last printable character of your secret and the
> > new line?
> >
> > Matthias
> >
> >
> > > This is my squid_rad_auth.conf
> > >
> > > server 192.168.2.3
> > > secret testing123
> > >
> > > On my radcheck, I am also using Cleartext-Password on my radcheck table
> > >
> > > Any another clue ?
> > >
> > > Thanks
> > >
> > >
> > >
> > > On Thu, Apr 11, 2013 at 3:59 PM, Matthias Nagel <matthias.h.nagel at gmail.com> wrote:
> > >
> > > > Hello,
> > > >
> > > > did you do what the warning says and double checked the shared secret?
> > > >
> > > > As far as I see the squid_rad_auth.conf does not use quotation marks ("")
> > > > to delimit the shared secret. Hence, perhaps you have trailing white spaces
> > > > or something like that at the end of the line. Delete the line "secret" in
> > > > squid_rad_auth.conf and type it again. I really mean to delete it in order
> > > > to get rid of unprintable characters you might not see.
> > > >
> > > > Matthias
> > > >
> > > > On Thursday, 11 April 2013, 15:47:33, Iftakhul Anwar wrote:
> > > > > Hi All,
> > > > >
> > > > >
> > > > > > I have successfully configured freeradius with mysql. I can radtest using
> > > > > > command :
> > > > >
> > > > > sudo radtest alice password 192.168.2.3 1812 testing123
> > > > > Sending Access-Request of id 187 to 192.168.2.3 port 1812
> > > > >     User-Name = "alice"
> > > > >     User-Password = "password"
> > > > >     NAS-IP-Address = 127.0.1.1
> > > > >     NAS-Port = 1812
> > > > >     Message-Authenticator = 0x00000000000000000000000000000000
> > > > >
> > > > > rad_recv: Access-Accept packet from host 192.168.2.3 port 1812,
> > > > > id=187, length=20
> > > > >
> > > > > > Now I try squid using radius authentication.
> > > > > >
> > > > > > I followed step by step from :
> > > > > >
> > > > > > http://safesrv.net/setup-squid-and-freeradius-on-centos-5/#comment-1043
> > > > > >
> > > > > > But I got an error message logged in cache.log
> > > > >
> > > > > Warning: Received invalid reply digest from server
> > > > > Warning: Received invalid reply digest from server
> > > > > Warning: Received invalid reply digest from server
> > > > > squid_rad_auth: No response from RADIUS server
> > > > >
> > > > > > On radius -X debug there is an error message like below :
> > > > >
> > > > > Sending duplicate reply to client localprivate port 42003 – ID: 2
> > > > > Sending Access-Reject of id 2 to 192.168.2.3 port 42003
> > > > > Waking up in 2.9 seconds.
> > > > > rad_recv: Access-Request packet from host 192.168.2.3 port 42003,
> > > > > id=2, length=63
> > > > > Sending duplicate reply to client localprivate port 42003 – ID: 2
> > > > > Sending Access-Reject of id 2 to 192.168.2.3 port 42003
> > > > > Waking up in 0.9 seconds.
> > > > > Found Auth-Type = PAP
> > > > > > # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> > > > > +- entering group PAP {…}
> > > > > [pap] login attempt with password “b9?I? +�(�Ч�Y�?”
> > > > > [pap] Using clear text password “password”
> > > > > [pap] Passwords don’t match
> > > > > ++[pap] returns reject
> > > > > Failed to authenticate the user.
> > > > > WARNING: Unprintable characters in the password. Double-check the
> > > > > shared secret on the server and the NAS!
> > > > > Using Post-Auth-Type REJECT
> > > > >
> > > > > > What is that error? How can I solve this?
> > > > >
> > > > > Thanks
> > > > >
> > > > >
> > > > ----------------------------------------------------------------------
> > > > Matthias Nagel
> > > > Willy-Andreas-Allee 1, Zimmer 506
> > > > 76131 Karlsruhe
> > > >
> > > > Telefon: +49-721-8695-1506
> > > > Mobil: +49-151-15998774
> > > > e-Mail: matthias.h.nagel at gmail.com
> > > > ICQ: 499797758
> > > > Skype: nagmat84
> > > >
> > > > -
> > > > List info/subscribe/unsubscribe? See
> > > > http://www.freeradius.org/list/users.html
----------------------------------------------------------------------
Matthias Nagel
Willy-Andreas-Allee 1, Zimmer 506
76131 Karlsruhe

Telefon: +49-721-8695-1506
Mobil: +49-151-15998774
e-Mail: matthias.h.nagel at gmail.com
ICQ: 499797758
Skype: nagmat84
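
The following is an added example, not part of the original thread and not squid_rad_auth or FreeRADIUS code. It reproduces both symptoms from the logs under the assumption that the NAS config line carries a stray carriage return that the helper keeps as part of the secret: the RFC 2865 User-Password hiding then decrypts to unprintable bytes on the server, and the NAS rejects the server's reply digest. The request authenticator and config line are constructed sample data.

```python
import hashlib

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Client (NAS) side: RFC 2865 section 5.2 User-Password hiding."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: undo the hiding with the server's copy of the secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, attrs, req_auth, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def suspicious_bytes(conf_line: bytes) -> list:
    """(offset, byte) for each secret byte that is not printable, non-space ASCII."""
    value = conf_line.split(b" ", 1)[1].rstrip(b"\n")
    return [(i, b) for i, b in enumerate(value) if not 0x21 <= b <= 0x7E]

# Constructed sample data, not taken from the thread's packets.
REQ_AUTH = bytes(range(16))
CONF_LINE = b"secret testing123\r\n"   # assumed stray CR before the newline
# Assumption: the helper takes everything up to the newline as the secret.
NAS_SECRET = CONF_LINE.split(b" ", 1)[1].rstrip(b"\n")
SERVER_SECRET = b"testing123"

if __name__ == "__main__":
    hidden = hide_password(b"password", NAS_SECRET, REQ_AUTH)
    print("server sees:", recover_password(hidden, SERVER_SECRET, REQ_AUTH))
    # Code 3 = Access-Reject, id 2 as in the debug output quoted below.
    sent = response_authenticator(3, 2, b"", REQ_AUTH, SERVER_SECRET)
    expected = response_authenticator(3, 2, b"", REQ_AUTH, NAS_SECRET)
    print("reply digest valid at NAS:", sent == expected)
    print("suspicious bytes:", suspicious_bytes(CONF_LINE))
```
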


