Trouble with FR3 users file format

Diggins Mike diggins at mcmaster.ca
Wed Jan 2 00:58:06 CET 2019


I played around with the users file after reading your reply. I added the 'Fall-Through Yes' parameter to the DEFAULT section and now it's working as expected. 

# Begin
$INCLUDE /home/radius-users/users.include
DEFAULT	Auth-Type = ntlm_auth
  	              Fall-Through = Yes
# end of user file

I don't believe the Fall-Through parameter is actually the fix itself because there is nothing to fall through to. I have just one DEFAULT user. Perhaps the default user needs a 'value' as well. I'm going to live with this "fix" unless I come across something else. I'm running the latest RHEL7 included FreeRadius package which is based on 3.x. I don't think that's the issue though.

-Mike

-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+diggins=mcmaster.ca at lists.freeradius.org> On Behalf Of Alan DeKok
Sent: Tuesday, January 1, 2019 4:25 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Trouble with FR3 users file format

On Jan 1, 2019, at 3:22 PM, Diggins Mike <diggins at mcmaster.ca> wrote:
> 
> I am building a new FR3 server running the latest version to replace my FR2 server. Both authenticate users using ntlm-auth only and Radtest confirms that is working for PAP and MSCHAP. However, my ported users file seems to be causing a change in behaviour. This is what the users file looks like (from FR2). 
> 
> userid2		Auth-Type = ntlm_auth
>                   	Reply-Message = "attr1, attr2"
> guest002           	Auth-Type = ntlm_auth
>                   	Reply-Message = "attr1, attr2"
> userid3            	Auth-Type = ntlm_auth
>                   	Reply-Message = "attr1, attr2"
> userid4            	Auth-Type = ntlm_auth
>                 	Reply-Message = "attr1, attr2"
> DEFAULT	Auth-Type = ntlm_auth

  That should be OK.  It's a little redundant, but whatever.

> Only some of my users are in this file and have reply attributes. All other users also use ntlm_auth but have no reply attributes and are not listed in the file. Again, this worked in FR2.
> 
> Using the same file in FR3, authentication works correctly whether the user is in the file or not which is correct. However, I do not get the Reply-Message attributes in the reply unless the user happens to be the very first one listed in the file (userid2 in this case). guest002 gets nothing returned nor do any of the others.

  What does the debug output show?  And which version of the server are you using?  3.0.17?

> If I remove the DEFAULT statement at the end of the file, any user in the users file authenticates correctly and gets the proper attributes returned in the Reply-Message. However, anyone not in the users file can no longer authenticate using PAP. Only MSCHAP works. I have users using both methods but no local passwords on the FR server.

  As *always*, read the debug output to see what the server is doing.

  In short, the default configuration works.  If you're just using the default config and the above "users" file, it should work.  If you've changed everything else, then who knows what's going on.

> It seems redundant to specify the ntlm_auth type for every user in my users file given that's the only available option for authentication. Is there a correct way to do this and restore the previous behaviour?

  You shouldn't need to do that.  The "users" file should work the same as in v2.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



More information about the Freeradius-Users mailing list