Guys,
I'm experiencing a strange problem. I use FreeRadius to control command-line access to my routers and switches, and I've configured FreeRadius to use a MySQL back-end. So far it works fine except for one condition: if I supply a blank password when authenticating, FreeRadius allows the request and authenticates me as long as my username is correct. Why is this happening? Is there any way to have FreeRadius keep on prompting if a blank password is supplied, or reject the request altogether?
Thanks for your help.
Radius debug is below:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.1 port 1645, id=215, length=104
	User-Name = "john.doe"
	Reply-Message = "Password: "
	User-Password = ""
	NAS-Port = 1
	NAS-Port-Id = "tty1"
	NAS-Port-Type = Virtual
	Calling-Station-Id = "192.168.1.1"
	NAS-IP-Address = 192.168.1.1
+- entering group authorize
++[preprocess] returns ok
rlm_sql (sql): - sql_xlat
	expand: %{User-Name} -> john.doe
rlm_sql (sql): sql_set_user escaped user --> 'john.doe'
	expand: SELECT groupname FROM radhuntgroup WHERE nasipaddress="%{NAS-IP-Address}" AND nasportid LIKE IF (SUBSTRING("%{NAS-Port-Id}", 1, 3) = 'tty', 'tty', "%{NAS-Port-Id}") AND usergroup IN (SELECT groupname FROM radusergroup where username LIKE "%{User-Name}") -> SELECT groupname FROM radhuntgroup WHERE nasipaddress="192.168.1.1" AND nasportid LIKE IF (SUBSTRING("tty1", 1, 3) = 'tty', 'tty', "tty1") AND usergroup IN (SELECT groupname FROM radusergroup where username LIKE "john.doe")
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): - sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
	expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress="%{NAS-IP-Address}" AND nasportid LIKE IF (SUBSTRING("%{NAS-Port-Id}", 1, 3) = 'tty', 'tty', "%{NAS-Port-Id}") AND usergroup IN (SELECT groupname FROM radusergroup where username LIKE "%{User-Name}") } -> admin
++[request] returns ok
++[chap] returns noop
++[mschap] returns noop
	rlm_realm: No '@' in User-Name = "john.doe", looking up realm NULL
	rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
	users: Matched entry DEFAULT at line 204
++[files] returns ok
	expand: %{User-Name} -> john.doe
rlm_sql (sql): sql_set_user escaped user --> 'john.doe'
rlm_sql (sql): Reserving sql socket id: 2
	expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'john.doe' ORDER BY id
rlm_sql (sql): User found in radcheck table
	expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'john.doe' ORDER BY id
	expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'john.doe' ORDER BY priority
	expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'engineeringadmin' ORDER BY id
rlm_sql (sql): User found in group engineeringadmin
	expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'engineeringadmin' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing SHA-Password from hex encoding
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
	rad_check_password: Found Auth-Type Accept
	rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [john.doe] (from client routerA port 1 cli 192.168.1.1)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 215 to 192.168.1.1 port 1645
	Service-Type := Administrative-User
	Cisco-AVPair := "shell:priv-lvl=15"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 215 with timestamp +9
Ready to process requests.
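An added example, not part of the post above and not FreeRADIUS's own code: a small Python script that reads `radiusd -X` output of the shape shown and flags exactly the pattern visible in this debug, an Access-Request whose User-Password is "" that is still answered with Access-Accept while rlm_pap logs "Found existing Auth-Type, not changing it" and returns noop. That sequence means Auth-Type was already Accept when pap ran, so the SHA-Password that pap normalised was never compared against anything; Auth-Type Accept is a blanket accept regardless of credentials. The debug does not say which module set it, so the script lists every authorize module that returned ok or updated before pap as the candidates (here preprocess, files via the DEFAULT entry at line 204, and sql via radcheck/radgroupcheck rows). The sample debug embedded in the script is constructed to mirror the shape of the output above, with one invented contrasting request, and the regular expressions assume the 2.x debug format shown here.

```python
"""Flag password-bypass accepts in FreeRADIUS 2.x ``radiusd -X`` output.

Added example, not FreeRADIUS code: finds Access-Requests with an empty
User-Password that still got Access-Accept because Auth-Type was already
set before rlm_pap ran, so the stored password hash was never checked.
"""
import re

# Constructed sample shaped like the post's debug; not a real capture.
# Request 215 mirrors the post; 217 is invented for contrast (pap ran,
# the empty password was checked against the hash, and was rejected).
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.168.1.1 port 1645, id=215, length=104
        User-Name = "john.doe"
        User-Password = ""
++[preprocess] returns ok
        users: Matched entry DEFAULT at line 204
++[files] returns ok
rlm_sql (sql): User found in radcheck table
++[sql] returns ok
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Accept
Sending Access-Accept of id 215 to 192.168.1.1 port 1645
rad_recv: Access-Request packet from host 192.168.1.1 port 1645, id=217, length=104
        User-Name = "jane.roe"
        User-Password = ""
++[files] returns noop
++[sql] returns ok
++[pap] returns updated
  rad_check_password:  Found Auth-Type PAP
Sending Access-Reject of id 217 to 192.168.1.1 port 1645
"""

RE_RECV = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
RE_ATTR = re.compile(r"^\s*([A-Za-z0-9-]+) = (.*)$")
RE_MOD = re.compile(r"^\+\+\[(\w+)\] returns (\w+)")
RE_AUTH_TYPE = re.compile(r"Found Auth-Type (\S+)")
RE_SEND = re.compile(r"^Sending (Access-\w+) of id (\d+)")


def parse_requests(debug_text):
    """Split debug output into one record per Access-Request."""
    requests, cur = [], None
    for line in debug_text.splitlines():
        m = RE_RECV.match(line)
        if m:
            cur = {"client": m.group(1), "id": int(m.group(2)), "attrs": {},
                   "ok_before_pap": [], "pap_rcode": None,
                   "pap_saw_auth_type": False, "auth_type": None, "reply": None}
            requests.append(cur)
            continue
        if cur is None:
            continue
        if (m := RE_MOD.match(line)):
            mod, rcode = m.groups()
            if mod == "pap":
                cur["pap_rcode"] = rcode
            elif cur["pap_rcode"] is None and rcode in ("ok", "updated"):
                # Any module that returned ok/updated before pap may have
                # set Auth-Type; the debug does not say which one did.
                cur["ok_before_pap"].append(mod)
        elif "rlm_pap: Found existing Auth-Type" in line:
            cur["pap_saw_auth_type"] = True
        elif (m := RE_AUTH_TYPE.search(line)):
            cur["auth_type"] = m.group(1)
        elif (m := RE_SEND.match(line)):
            cur["reply"] = m.group(1)
        elif (m := RE_ATTR.match(line)):
            cur["attrs"][m.group(1)] = m.group(2).strip('"')
    return requests


def find_password_bypasses(debug_text):
    """Requests accepted with User-Password == "" while pap was pre-empted."""
    findings = []
    for req in parse_requests(debug_text):
        if req["reply"] != "Access-Accept" or req["attrs"].get("User-Password") != "":
            continue
        findings.append({
            "id": req["id"], "user": req["attrs"].get("User-Name"),
            "auth_type": req["auth_type"],
            "pap_skipped": req["pap_saw_auth_type"] and req["pap_rcode"] == "noop",
            "auth_type_set_by_one_of": req["ok_before_pap"],
        })
    return findings


if __name__ == "__main__":
    for f in find_password_bypasses(SAMPLE_DEBUG):
        print(f"id={f['id']} user={f['user']} Auth-Type={f['auth_type']} "
              f"pap_skipped={f['pap_skipped']} check={f['auth_type_set_by_one_of']}")
```

Run it against a saved `radiusd -X` capture instead of the embedded sample (`find_password_bypasses(open(path).read())`) and each finding names the modules to inspect: for the debug in this post that means the DEFAULT entry at line 204 of the `users` file and the radcheck/radgroupcheck rows for john.doe and engineeringadmin, looking for an Auth-Type entry. Once nothing in authorize pre-sets Auth-Type, pap sets it itself, compares User-Password with the stored SHA-Password, and an empty password is rejected, as the constructed request 217 shows.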