Where is PAP problem
Tevfik Ceydeliler
tevfik.ceydeliler at astron.yasar.com.tr
Mon Sep 7 10:11:18 CEST 2015
Hi,
I am trying to authenticate my user from PFsense, using PFsense itself as the NAS,
but I get auth-reject. I don't know why.
Here are the sites-available conf file and the debug log:
authorize {
    update reply {
        Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
    }
    preprocess
    chap
    mschap
    digest
    suffix
    eap {
        ok = return
    }
    files
    sql
    expiration
    logintime
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    digest
    unix
    eap
}
preacct {
    preprocess
    suffix
}
accounting {
    detail
    unix
    radutmp
    sqlippool
    exec
}
session {
    radutmp
}
post-auth {
    sqlippool
    reply_log
    exec
}
}
pre-proxy {
}
post-proxy {
    eap
}
--SQL User and Group attributes:
mysql> select * from radcheck where username like "tevfikceydeliler"
-> ;
+-----+------------------+--------------------+----+--------+
| id  | username         | attribute          | op | value  |
+-----+------------------+--------------------+----+--------+
| 595 | tevfikceydeliler | Cleartext-Password | := | Test01 |
+-----+------------------+--------------------+----+--------+
mysql> select * from radusergroup where username like "tevfikceydeliler"
-> ;
+------------------+---------------+----------+
| username         | groupname     | priority |
+------------------+---------------+----------+
| tevfikceydeliler | UGR_Test_Wifi |        0 |
+------------------+---------------+----------+
radgroupcheck is:
+----+------------------------------------+----------------+----+---------------------------+
| id | groupname                          | attribute      | op | value                     |
+----+------------------------------------+----------------+----+---------------------------+
| 48 | UGR_Test_Wifi                      | NAS-IP-Address | != | 10.1.1.71                 |
| 50 | UGR_Test_Wifi                      | Auth-Type      | := | Reject                    |
+----+------------------------------------+----------------+----+---------------------------+
--And debug log file is like that:
rad_recv: Access-Request packet from host 10.1.1.75 port 24348, id=217, length=138
NAS-IP-Address = 10.1.1.75
NAS-Identifier = "fwguest.yasar.com.tr"
User-Name = "tevfikceydeliler"
User-Password = "Test01"
Service-Type = Login-User
NAS-Port-Type = Ethernet
NAS-Port = 2000
Framed-IP-Address = 192.168.67.50
Called-Station-Id = "10.1.1.75"
Calling-Station-Id = "c8:f7:33:38:20:ac"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
sql_xlat
expand: %{User-Name} -> tevfikceydeliler
sql_set_user escaped user --> 'tevfikceydeliler'
expand: SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}' -> SELECT groupname FROM radhuntgroup WHERE nasipaddress='10.1.1.75'
rlm_sql (sql): Reserving sql socket id: 0
sql_xlat finished
rlm_sql (sql): Released sql socket id: 0
expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} -> PfSense
++[reply] returns notfound
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "tevfikceydeliler", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> tevfikceydeliler
[sql] sql_set_user escaped user --> 'tevfikceydeliler'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'tevfikceydeliler' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'tevfikceydeliler' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'tevfikceydeliler' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'UGR_Test_Wifi' ORDER BY id
[sql] User found in group UGR_Test_Wifi
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'UGR_Test_Wifi' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> tevfikceydeliler
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 217 to 10.1.1.75 port 24348