Using OpenWRT nas, identical shared secret, told "Shared secret is incorrect."

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Wed Nov 11 20:01:41 CET 2015


Hi,

> Is there any way to see the request the client is sending the server?

err, yes - you posted it - it's in the debug output!

>     User-Name = "Aviator"
>     NAS-IP-Address = 10.0.0.4
>     NAS-Port = 0
>     Message-Authenticator = 0xe601d87c9065c214eb5461f06cf2c55b
>     MS-CHAP-Challenge = 0xd2f6a4ad2ddb942b
>     MS-CHAP-Response =
> 0x00010000000000000000000000000000000000000000000000007da48d7397f9b0eebf6182b70846bd09671dd019baa4eea8


and the reject is caused by this:

> ++policy filter_username {
> +++? if (User-Name =~ / /)
> ? Evaluating (User-Name =~ / /) -> FALSE
> +++? if (User-Name =~ / /) -> FALSE
> +++? if (User-Name =~ /@.*@/ )
> ? Evaluating (User-Name =~ /@.*@/) -> FALSE
> +++? if (User-Name =~ /@.*@/ ) -> FALSE
> +++? if (User-Name =~ /\\.\\./ )
> ? Evaluating (User-Name =~ /\\.\\./) -> FALSE
> +++? if (User-Name =~ /\\.\\./ ) -> FALSE
> +++? if (User-Name !~ /@(.+)\\.(.+)$/)
> ? Evaluating (User-Name !~ /@(.+)\\.(.+)$/) -> TRUE
> +++? if (User-Name !~ /@(.+)\\.(.+)$/) -> TRUE
> +++if (User-Name !~ /@(.+)\\.(.+)$/) {
> ++++update reply {
> ++++} # update reply = noop
> ++++[reject] = reject



this policy is looking for an "@" to be present...which it isn't in the username "Aviator" - so if
you don't need such a policy, then edit the default virtual server to comment out the filter_username
policy or edit the policy.

alan
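
The four checks visible in the quoted debug output, replayed in Python as an added example (not part of the original message and not FreeRADIUS code), so that a list of usernames can be tested against the same rules before the policy is kept, edited or disabled. The function name, labels and sample usernames are made up for illustration, and the doubled backslashes in the debug output are read as string escaping for a literal dot.

```python
import re

# Checks in the order the debug output evaluates them.
# Each entry: (label, regex, reject_when_matches).
# Assumption: "\\.\\." in the debug output is the escaped form of \.\.
FILTER_USERNAME_CHECKS = [
    ("contains a space", re.compile(r" "), True),             # =~ / /
    ("contains more than one @", re.compile(r"@.*@"), True),  # =~ /@.*@/
    ("contains '..'", re.compile(r"\.\."), True),             # =~ /\.\./
    # This one uses !~ : reject when the pattern does NOT match.
    ("no @realm containing a dot", re.compile(r"@(.+)\.(.+)$"), False),
]


def filter_username(user_name):
    """Return the label of the first check that rejects, or None if all pass."""
    for label, pattern, reject_when_matches in FILTER_USERNAME_CHECKS:
        matched = pattern.search(user_name) is not None
        if matched == reject_when_matches:
            return label
    return None


def audit(user_names):
    """Map each username to its reject reason (None means it passes)."""
    return {name: filter_username(name) for name in user_names}


# Constructed sample usernames; only "Aviator" comes from the post.
SAMPLES = [
    "Aviator",
    "aviator@example.org",
    "aviator@localhost",
    "avi ator@example.org",
    "aviator@a@example.org",
    "avi..ator@example.org",
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLES).items():
        verdict = "pass" if reason is None else "reject: " + reason
        print(f"{name:28} {verdict}")
```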

