<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">------------------------------</span><br style="font-family:arial,sans-serif;font-size:13px"><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">Message: 5</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">Date: Mon, 23 Sep 2013 12:33:10 -0400 (EDT)</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">From: paul trader <</span><a href="mailto:fliptop@igolinux.com" style="font-family:arial,sans-serif;font-size:13px">fliptop@igolinux.com</a><span style="font-family:arial,sans-serif;font-size:13px">></span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">To: </span><a href="mailto:freeradius-users@lists.freeradius.org" style="font-family:arial,sans-serif;font-size:13px">freeradius-users@lists.freeradius.org</a><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">Subject: pap always returns noop for windows dialup authentication</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">Message-ID:</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px"> <alpine.DEB.2.02.</span><span style="font-family:arial,sans-serif;font-size:13px">1309231213040.7006@</span><span style="font-family:arial,sans-serif;font-size:13px">soundgarden.localdomain.local></span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII</span><br style="font-family:arial,sans-serif;font-size:13px"><br style="font-family:arial,sans-serif;font-size:13px">
<br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">hi all - i've recently tried upgrading from v1 to v2. on a centos 6.4 box</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">w/ all latest updates, i installed freeradius v2, added one username and</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">password to /etc/raddb/users:</span><br style="font-family:arial,sans-serif;font-size:13px">
<br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">test Cleartext-Password := "testing"</span><br style="font-family:arial,sans-serif;font-size:13px">
<br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">and the radtest command-line authentication works. i then added one</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">client for our blade server to /etc/raddb/clients.conf:</span><br style="font-family:arial,sans-serif;font-size:13px"><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">client x.x.x.x {</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px"> secret = xxxxx</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px"> shortname = 3coms</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">}</span><br style="font-family:arial,sans-serif;font-size:13px">
<br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">substituting the correct ip and secret for the x's.</span><br style="font-family:arial,sans-serif;font-size:13px">
<br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">testing from my linux box w/ a modem, authentication works. output from</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">radiusd -X shows all is well, my linux box receives an ip address and dns</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">servers. relevant -X debug output shows:</span><br style="font-family:arial,sans-serif;font-size:13px">
<br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">++[pap] returns updated</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">Found Auth-Type = PAP</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px"># Executing group from file /etc/raddb/sites-enabled/</span><span style="font-family:arial,sans-serif;font-size:13px">default</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">+- entering group PAP {...}</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">[pap] login attempt with password "testing"</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">[pap] Using clear text password "testing"</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">[pap] User authenticated successfully</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">++[pap] returns ok</span><br style="font-family:arial,sans-serif;font-size:13px"><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">however, when trying to authenticate from a windows box, authentication</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">fails. every time. i've tried it from a windows xp machine and 2 windows</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">7 machines. the debug output always says:</span><br style="font-family:arial,sans-serif;font-size:13px">
<br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">[pap] WARNING! No "known good" password found for the user.</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">Authentication may fail because of this.</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">++[pap] returns noop</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">ERROR: No authenticate method (Auth-Type) found for the request: Rejecting</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">the user</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">Failed to authenticate the user.</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">Using Post-Auth-Type Reject</span><br style="font-family:arial,sans-serif;font-size:13px">
<br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">i've been over and over everything a dozen times, have tried changing the</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">windows dialup security settings to use pap only, and also have tried</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">adding the following line to the users file:</span><br style="font-family:arial,sans-serif;font-size:13px">
<br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">Auth-Type = PAP</span><br style="font-family:arial,sans-serif;font-size:13px"><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">even though everything i've read said not to do that. still doesn't work.</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">the only changes i've made to the default installation are to the users</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">and clients.conf files. i have spent hours searching the internet for a</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">similar problem/solution and come up empty. windows boxes will not</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">authenticate, pap always returns noop, and the user is rejected.</span><br style="font-family:arial,sans-serif;font-size:13px"><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">am i doing something glaringly wrong, or just going plain crazy?</span><br style="font-family:arial,sans-serif;font-size:13px"><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">regards, paul</span><br style="font-family:arial,sans-serif;font-size:13px"><br style="font-family:arial,sans-serif;font-size:13px"><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">------------------------------</span><br style="font-family:arial,sans-serif;font-size:13px"><div style><font face="arial, sans-serif">Hi Paul,</font></div><div style>
<font face="arial, sans-serif"><br></font></div><div style><font face="arial, sans-serif">You're not crazy for sure. The problem authenticating with Windows boxen is that they only support MSCHAPv2…</font></div><div style><font face="arial, sans-serif">kudos to Microsoft.</font></div>
<div style><font face="arial, sans-serif"><br></font></div><div style><font face="arial, sans-serif">Regards,</font></div><div style><font face="arial, sans-serif">Rui</font></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On 23 September 2013 18:17, <span dir="ltr"><<a href="mailto:freeradius-users-request@lists.freeradius.org" target="_blank">freeradius-users-request@lists.freeradius.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Today's Topics:<br>
<br>
1. Re: FreeRadius Error " Access Rejected" Only On Some CISCO<br>
Switch Ports (Alan DeKok)<br>
2. FreeRadius Error " Access Rejected" Only On Some CISCO Switch<br>
Ports (Daniel Baker)<br>
3. Re: FreeRadius Error " Access Rejected" Only On Some CISCO<br>
Switch Ports (Daniel Baker)<br>
4. EAP-TLS Authentication (arvind132 .)<br>
5. pap always returns noop for windows dialup authentication<br>
(paul trader)<br>
6. Re: pap always returns noop for windows dialup authentication<br>
(Phil Mayers)<br>
7. Re: pap always returns noop for windows dialup authentication<br>
(paul trader)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Mon, 23 Sep 2013 09:18:28 -0400<br>
From: Alan DeKok <<a href="mailto:aland@deployingradius.com">aland@deployingradius.com</a>><br>
To: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>
Subject: Re: FreeRadius Error " Access Rejected" Only On Some CISCO<br>
Switch Ports<br>
Message-ID: <<a href="mailto:52403FA4.5090808@deployingradius.com">52403FA4.5090808@deployingradius.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
Daniel Baker wrote:<br>
> [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)<br>
> [ldap] object not found<br>
> [ldap] search failed<br>
<br>
What part of that is unclear?<br>
<br>
> What can I try to fix the authentication issues so that all ports are being successfully authenticated ?<br>
<br>
Ensure that the people logging in have accounts in ldap.<br>
<br>
Alan DeKok.<br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Mon, 23 Sep 2013 20:39:44 +0700<br>
From: Daniel Baker <<a href="mailto:info@collisiondetection.biz">info@collisiondetection.biz</a>><br>
To: <a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a><br>
Subject: FreeRadius Error " Access Rejected" Only On Some CISCO Switch<br>
Ports<br>
Message-ID: <<a href="mailto:524044A0.8000800@collisiondetection.biz">524044A0.8000800@collisiondetection.biz</a>><br>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br>
<br>
<br>
<br>
Hi Guys, we are trying to get Free Radius to authenticate our users who<br>
connect through a Cisco Small Business POE switch.<br>
<br>
<br>
When testing authentication with a shutdown / no shutdown command on<br>
port fa/17 which has an IP phone connected to it we receive the<br>
following errors:<br>
<br>
FREE RADIUS :<br>
<br>
[ldap] expand: %{User-Name} -> root<br>
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=root)<br>
[ldap] expand: dc=citlao,dc=local -> dc=citlao,dc=local<br>
[ldap] ldap_get_conn: Checking Id: 0<br>
[ldap] ldap_get_conn: Got Id: 0<br>
[ldap] performing search in dc=citlao,dc=local, with filter (uid=root)<br>
[ldap] object not found<br>
[ldap] search failed<br>
[ldap] ldap_release_conn: Release Id: 0<br>
++[ldap] returns notfound<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
[pap] WARNING! No "known good" password found for the user.<br>
Authentication may fail because of this.<br>
++[pap] returns noop<br>
ERROR: No authenticate method (Auth-Type) found for the request:<br>
Rejecting the user<br>
Failed to authenticate the user.<br>
Login incorrect ( [ldap] User not found): [root/trash] (from client<br>
LTC-ROUTER port 2)<br>
Using Post-Auth-Type Reject<br>
# Executing group from file /etc/freeradius/sites-enabled/default<br>
+- entering group REJECT {...}<br>
[attr_filter.access_reject] expand: %{User-Name} -> root<br>
attr_filter: Matched entry DEFAULT at line 11<br>
++[attr_filter.access_reject] returns updated<br>
Delaying reject of request 12 for 1 seconds<br>
Going to the next request<br>
Waking up in 0.9 seconds.<br>
Sending delayed reject for request 12<br>
Sending Access-Reject of id 31 to 192.168.1.1 port 1645<br>
Waking up in 4.9 seconds.<br>
Cleaning up request 12 ID 31 with timestamp +10922<br>
Ready to process requests.<br>
<br>
CISCO POE SWITCH:<br>
<br>
<br>
SW-BN3-PoE(config-if)#shutdown<br>
SW-BN3-PoE(config-if)#23-Sep-2013 14:17:22 %LINK-W-Down: fa17<br>
<br>
SW-BN3-PoE(config-if)#<br>
SW-BN3-PoE(config-if)#no shutdown<br>
SW-BN3-PoE(config-if)#23-Sep-2013 14:17:42 %STP-W-PORTSTATUS: fa17: STP<br>
status Forwarding<br>
23-Sep-2013 14:17:42 %LINK-I-Up: fa17<br>
23-Sep-2013 14:17:43 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC<br>
58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or<br>
password in Radius server<br>
23-Sep-2013 14:18:07 %LINK-W-Down: fa17, aggregated (3)<br>
23-Sep-2013 14:18:09 %STP-W-PORTSTATUS: fa17: STP status Forwarding,<br>
aggregated (3)<br>
23-Sep-2013 14:18:09 %LINK-I-Up: fa17, aggregated (3)<br>
23-Sep-2013 14:18:18 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC<br>
58:bf:ea:11:13:93 was rejected on port fa17 due to wrong user name or<br>
password in Radius server, aggregated (1)<br>
<br>
<br>
<br>
<br>
However when we try the same test on a port that has a PC connected to<br>
it we do not receive such an error.<br>
<br>
The CISCO switch says that we have the wrong user name and the Free<br>
Radius log says access rejected. Why would this only be the case when<br>
a CISCO IP phone tries to authenticate?<br>
<br>
The Cisco switch port configurations are exactly the same and are as<br>
follows :<br>
<br>
dot1x max-req 1<br>
dot1x reauthentication<br>
dot1x timeout quiet-period 30<br>
dot1x mac-authentication mac-only<br>
dot1x port-control auto<br>
storm-control broadcast enable<br>
storm-control broadcast level 10<br>
storm-control include-multicast<br>
spanning-tree portfast<br>
macro description "no_ip_phone_desktop | ip_phone_desktop"<br>
switchport trunk allowed vlan add 100<br>
macro auto smartport type ip_phone_desktop<br>
<br>
What can I try to fix the authentication issues so that all ports are being successfully authenticated ?<br>
<br>
<br>
Thanks for your assistance,<br>
<br>
Dan<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Mon, 23 Sep 2013 21:01:49 +0700<br>
From: Daniel Baker <<a href="mailto:info@collisiondetection.biz">info@collisiondetection.biz</a>><br>
To: <a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a><br>
Subject: Re: FreeRadius Error " Access Rejected" Only On Some CISCO<br>
Switch Ports<br>
Message-ID: <<a href="mailto:524049CD.6030303@collisiondetection.biz">524049CD.6030303@collisiondetection.biz</a>><br>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br>
<br>
Thank you Alan I will pursue that line of inquiry further.<br>
<br>
<br>
On 9/23/2013 8:18 PM, Alan DeKok wrote:<br>
> Daniel Baker wrote:<br>
>> [ldap] performing search in dc=citlao,dc=local, with filter (uid=root)<br>
>> [ldap] object not found<br>
>> [ldap] search failed<br>
> What part of that is unclear?<br>
><br>
>> What can I try to fix the authentication issues so that all ports are being successfully authenticated ?<br>
> Ensure that the people logging in have accounts in ldap.<br>
><br>
> Alan DeKok.<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 4<br>
Date: Mon, 23 Sep 2013 20:15:14 +0530<br>
From: "arvind132 ." <<a href="mailto:arvindnb1@gmail.com">arvindnb1@gmail.com</a>><br>
To: <a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a><br>
Subject: EAP-TLS Authentication<br>
Message-ID:<br>
<CABNrktRU1J02n-yAmcpYj8rxq5Sg79NtUf=<a href="mailto:syrYXnj06ANk3UQ@mail.gmail.com">syrYXnj06ANk3UQ@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
Hi,<br>
I am facing some issues with 802.1x EAP-TLS Authentication.<br>
Please suggest any document which can help in better understanding on TLS<br>
Authentication.<br>
Thanks.<br>
<br>
------------------------------<br>
<br>
Message: 6<br>
Date: Mon, 23 Sep 2013 17:52:53 +0100<br>
From: Phil Mayers <<a href="mailto:p.mayers@imperial.ac.uk">p.mayers@imperial.ac.uk</a>><br>
To: <a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a><br>
Subject: Re: pap always returns noop for windows dialup authentication<br>
Message-ID: <<a href="mailto:524071E5.4090709@imperial.ac.uk">524071E5.4090709@imperial.ac.uk</a>><br>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br>
<br>
On 23/09/13 17:33, paul trader wrote:<br>
<br>
> am i doing something glaringly wrong, or just going plain crazy?<br>
<br>
It's difficult to say, because the debug you sent has all the useful<br>
bits trimmed out - like the original packet, and the full module<br>
processing chain.<br>
<br>
Send a full debug, and odds are someone will spot the issue.<br>
<br>
Most likely is that the Windows machine is sending a different format of<br>
username e.g. DOMAIN\user, so whatever database you're doing a lookup<br>
for the password or hash - SQL, LDAP, files - isn't matching. But that's<br>
a guess - post the full debug.<br>
<br>
<br>
------------------------------<br>
<br>
Message: 7<br>
Date: Mon, 23 Sep 2013 13:19:04 -0400 (EDT)<br>
From: paul trader <<a href="mailto:fliptop@igolinux.com">fliptop@igolinux.com</a>><br>
To: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>
Subject: Re: pap always returns noop for windows dialup authentication<br>
Message-ID:<br>
<alpine.DEB.2.02.1309231310440.7633@soundgarden.localdomain.local><br>
Content-Type: TEXT/PLAIN; charset=US-ASCII<br>
<br>
On Mon, 23 Sep 2013 at 17:52, Phil Mayers opined:<br>
<br>
PM:It's difficult to say, because the debug you sent has all the useful<br>
PM:bits trimmed out - like the original packet, and the full module<br>
PM:processing chain.<br>
<br>
hi phil - ok, here's the full debug for a successful request:<br>
<br>
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=37,<br>
length=133<br>
User-Name = "test"<br>
User-Password = "testing"<br>
User-Password = "testing"<br>
NAS-IP-Address = x.x.x.x<br>
NAS-Identifier = "x.x.x.x"<br>
NAS-Port = 2561<br>
Acct-Session-Id = "167773864"<br>
Service-Type = Login-User<br>
Calling-Station-Id = "xxxxxxxxxx"<br>
Called-Station-Id = "xxxxxxx"<br>
NAS-Port-Type = Async<br>
# Executing section authorize from file /etc/raddb/sites-enabled/default<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
++[digest] returns noop<br>
[suffix] No '@' in User-Name = "test", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>
++[suffix] returns noop<br>
[eap] No EAP-Message, not doing EAP<br>
++[eap] returns noop<br>
[files] users: Matched entry test at line 1<br>
++[files] returns ok<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
++[pap] returns updated<br>
Found Auth-Type = PAP<br>
# Executing group from file /etc/raddb/sites-enabled/default<br>
+- entering group PAP {...}<br>
[pap] login attempt with password "testing"<br>
[pap] Using clear text password "testing"<br>
[pap] User authenticated successfully<br>
++[pap] returns ok<br>
# Executing section post-auth from file /etc/raddb/sites-enabled/default<br>
+- entering group post-auth {...}<br>
++[exec] returns noop<br>
Sending Access-Accept of id 37 to x.x.x.x port 1812<br>
Finished request 2.<br>
Going to the next request<br>
Waking up in 4.9 seconds.<br>
Cleaning up request 2 ID 37 with timestamp +676<br>
<br>
<br>
and here's the full output of a failed request:<br>
<br>
Ready to process requests.<br>
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=35,<br>
length=121<br>
User-Name = "test"<br>
User-Password = "testing"<br>
NAS-IP-Address = x.x.x.x<br>
NAS-Identifier = "x.x.x.x"<br>
NAS-Port = 2561<br>
Acct-Session-Id = "167773862"<br>
Service-Type = Framed-User<br>
Framed-Protocol = PPP<br>
Calling-Station-Id = "xxxxxxxxxx"<br>
Called-Station-Id = "xxxxxxx"<br>
NAS-Port-Type = Async<br>
# Executing section authorize from file /etc/raddb/sites-enabled/default<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
++[digest] returns noop<br>
[suffix] No '@' in User-Name = "test", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>
++[suffix] returns noop<br>
[eap] No EAP-Message, not doing EAP<br>
++[eap] returns noop<br>
[files] users: Matched entry DEFAULT at line 172<br>
++[files] returns ok<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
[pap] WARNING! No "known good" password found for the user.<br>
Authentication may fail because of this.<br>
++[pap] returns noop<br>
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting<br>
the user<br>
Failed to authenticate the user.<br>
Using Post-Auth-Type Reject<br>
# Executing group from file /etc/raddb/sites-enabled/default<br>
+- entering group REJECT {...}<br>
[attr_filter.access_reject] expand: %{User-Name} -> test<br>
attr_filter: Matched entry DEFAULT at line 11<br>
++[attr_filter.access_reject] returns updated<br>
Delaying reject of request 0 for 1 seconds<br>
Going to the next request<br>
Waking up in 0.9 seconds.<br>
Sending delayed reject for request 0<br>
Sending Access-Reject of id 35 to 64.214.93.3 port 1812<br>
Waking up in 4.9 seconds.<br>
Cleaning up request 0 ID 35 with timestamp +361<br>
<br>
from what i can see, the successful request finds the user's entry in the<br>
user table, but the failed request doesn't (and uses DEFAULT instead).<br>
but the usernames passed in seem to be the same. i don't know, we've used<br>
freeradius for years and this is the 1st time i'm having a problem.<br>
weird.<br>
<br>
regards, paul<br>
<br>
<br>
------------------------------<br>
<br>
<br>
End of Freeradius-Users Digest, Vol 101, Issue 50<br>
*************************************************<br>
</blockquote></div><br></div>
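<div>The side-by-side comparison of the two <code>radiusd -X</code> traces in Message 7, done mechanically, as an added example that is not code from the thread or from FreeRADIUS. The function names <code>parse_trace</code> and <code>diff_requests</code> are hypothetical, the two traces are abridged and constructed from the output quoted above, and treating Acct-Session-Id as noise is an assumption.</div>

```python
import re

# Constructed sample input: abridged from the two radiusd -X traces quoted in
# the thread (wrapped lines joined, unrelated attributes and modules dropped).
OK_TRACE = """\
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=37, length=133
User-Name = "test"
User-Password = "testing"
Acct-Session-Id = "167773864"
Service-Type = Login-User
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[mschap] returns noop
[files] users: Matched entry test at line 1
++[files] returns ok
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
++[pap] returns ok
Sending Access-Accept of id 37 to x.x.x.x port 1812
"""
FAIL_TRACE = """\
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=35, length=121
User-Name = "test"
User-Password = "testing"
Acct-Session-Id = "167773862"
Service-Type = Framed-User
Framed-Protocol = PPP
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[mschap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[pap] WARNING! No "known good" password found for the user.
++[pap] returns noop
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 35 to x.x.x.x port 1812
"""

ATTR_RE = re.compile(r'^([A-Za-z][\w-]*) = (.+)$')
GROUP_RE = re.compile(r'^\+- entering group (\S+) \{')
RCODE_RE = re.compile(r'^\+\+\[([\w.]+)\] returns (\w+)$')
MATCH_RE = re.compile(r'^\[files\] users: Matched entry (\S+) at line (\d+)$')
REPLY_RE = re.compile(r'^Sending (Access-\w+) of id \d+')
VOLATILE = {"Acct-Session-Id"}  # assumption: changes per request, never a cause


def parse_trace(text):
    """Turn one request's -X debug output into a comparable dict."""
    req = {"attrs": {}, "rcodes": {}, "matched": [], "auth_type": None, "reply": None}
    in_packet, group = False, ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("rad_recv:"):
            in_packet = True            # request attributes follow this line
        elif line.startswith("#"):
            in_packet = False           # "# Executing ..." ends the packet dump
        elif in_packet and (m := ATTR_RE.match(line)):
            name, value = m.group(1), m.group(2).strip('"')
            # -X prints PAP passwords in cleartext; keep them out of the report.
            req["attrs"][name] = "[redacted]" if name == "User-Password" else value
        elif m := GROUP_RE.match(line):
            group = m.group(1)          # authorize, PAP, REJECT, post-auth, ...
        elif m := RCODE_RE.match(line):
            req["rcodes"][(group, m.group(1))] = m.group(2)
        elif m := MATCH_RE.match(line):
            req["matched"].append((m.group(1), int(m.group(2))))
        elif line.startswith("Found Auth-Type = "):
            req["auth_type"] = line.split(" = ", 1)[1]
        elif m := REPLY_RE.match(line):
            req["reply"] = m.group(1)
    return req


def diff_requests(good, bad):
    """List (kind, key, good_value, bad_value) for every field that differs."""
    out = []
    for kind, skip in (("attrs", VOLATILE), ("rcodes", set())):
        for key in sorted((set(good[kind]) | set(bad[kind])) - skip):
            g, b = good[kind].get(key), bad[kind].get(key)
            if g != b:
                out.append((kind, key, g, b))
    for field in ("matched", "auth_type", "reply"):
        if good[field] != bad[field]:
            out.append((field, field, good[field], bad[field]))
    return out


if __name__ == "__main__":
    for row in diff_requests(parse_trace(OK_TRACE), parse_trace(FAIL_TRACE)):
        print(row)
```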