<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-CA" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Hi there,<o:p></o:p></p>
<p class="MsoNormal">We are currently using FreeRadius to authenticate ADSL modems at customer locations to our ADSL service via PAP Auth. We have had this working for some time now. Recently, I have noticed a number of Auth Login Incorrect entries. It seems
that whenever a modem tries to authenticate using <a href="mailto:username@realm.com">
username@realm.com</a> / somepassword, we get a RADIUS auth request one second before with ‘realm.com’ / radius-secret.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Example seen here:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">rad_recv: Access-Request packet from host 192.168.9.6 port 1645, id=37, length=214<o:p></o:p></p>
<p class="MsoNormal"> User-Name = "<b>ourrealm.com</b>"<o:p></o:p></p>
<p class="MsoNormal"> User-Password = "<b>secret</b>"<o:p></o:p></p>
<p class="MsoNormal"> Calling-Station-Id = "GigabitEthernet 5/0/4.4210116:421-116#587310171#804 GE1 WNDSON1431W-WNDSON1434W##pppoe 00:24:c9:90:ca:72#"<o:p></o:p></p>
<p class="MsoNormal"> Connect-Info = "1000000000"<o:p></o:p></p>
<p class="MsoNormal"> NAS-Port-Type = Virtual<o:p></o:p></p>
<p class="MsoNormal"> NAS-Port = 693<o:p></o:p></p>
<p class="MsoNormal"> NAS-Port-Id = "Uniq-Sess-ID693"<o:p></o:p></p>
<p class="MsoNormal"> Service-Type = Dialout-Framed-User<o:p></o:p></p>
<p class="MsoNormal"> NAS-IP-Address = 192.168.9.6<o:p></o:p></p>
<p class="MsoNormal">+- entering group authorize {...}<o:p></o:p></p>
<p class="MsoNormal">++[preprocess] returns ok<o:p></o:p></p>
<p class="MsoNormal">[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.9.6/auth-detail-20140630<o:p></o:p></p>
<p class="MsoNormal">[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.9.6/auth-detail-20140630<o:p></o:p></p>
<p class="MsoNormal">[auth_log] expand: %t -> Mon Jun 30 19:44:09 2014<o:p></o:p></p>
<p class="MsoNormal">++[auth_log] returns ok<o:p></o:p></p>
<p class="MsoNormal">++[chap] returns noop<o:p></o:p></p>
<p class="MsoNormal">++[mschap] returns noop<o:p></o:p></p>
<p class="MsoNormal">[suffix] No '@' in User-Name = "ourrealm.com", looking up realm NULL<o:p></o:p></p>
<p class="MsoNormal">[suffix] No such realm "NULL"<o:p></o:p></p>
<p class="MsoNormal">++[suffix] returns noop<o:p></o:p></p>
<p class="MsoNormal">[eap] No EAP-Message, not doing EAP<o:p></o:p></p>
<p class="MsoNormal">++[eap] returns noop<o:p></o:p></p>
<p class="MsoNormal">++[unix] returns notfound<o:p></o:p></p>
<p class="MsoNormal">++[files] returns noop<o:p></o:p></p>
<p class="MsoNormal">++[expiration] returns noop<o:p></o:p></p>
<p class="MsoNormal">++[logintime] returns noop<o:p></o:p></p>
<p class="MsoNormal">[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<o:p></o:p></p>
<p class="MsoNormal">++[pap] returns noop<o:p></o:p></p>
<p class="MsoNormal">No authenticate method (Auth-Type) configuration found for the request: Rejecting the user<o:p></o:p></p>
<p class="MsoNormal">Failed to authenticate the user.<o:p></o:p></p>
<p class="MsoNormal">Login incorrect: [ourrealm.com/secret] (from client cisco-router port 693 cli GigabitEthernet 5/0/4.4210116:421-116#587310171#804 GE1 WNDSON1431W-WNDSON1434W##pppoe 00:24:c9:90:ca:72#)<o:p></o:p></p>
<p class="MsoNormal">Using Post-Auth-Type Reject<o:p></o:p></p>
<p class="MsoNormal">+- entering group REJECT {...}<o:p></o:p></p>
<p class="MsoNormal">[attr_filter.access_reject] expand: %{User-Name} -> ourrealm.com<o:p></o:p></p>
<p class="MsoNormal">attr_filter: Matched entry DEFAULT at line 11<o:p></o:p></p>
<p class="MsoNormal">++[attr_filter.access_reject] returns updated<o:p></o:p></p>
<p class="MsoNormal">Delaying reject of request 0 for 1 seconds<o:p></o:p></p>
<p class="MsoNormal">Going to the next request<o:p></o:p></p>
<p class="MsoNormal">Waking up in 0.9 seconds.<o:p></o:p></p>
<p class="MsoNormal">Sending delayed reject for request 0<o:p></o:p></p>
<p class="MsoNormal">Sending Access-Reject of id 37 to 192.168.9.6 port 1645<o:p></o:p></p>
<p class="MsoNormal">Waking up in 4.9 seconds.<o:p></o:p></p>
<p class="MsoNormal">rad_recv: Access-Request packet from host 192.168.9.6 port 1645, id=38, length=226<o:p></o:p></p>
<p class="MsoNormal"> Framed-Protocol = PPP<o:p></o:p></p>
<p class="MsoNormal"> User-Name = "validuser@ourrealm.com"<o:p></o:p></p>
<p class="MsoNormal"> User-Password = "validpassword"<o:p></o:p></p>
<p class="MsoNormal"> Calling-Station-Id = "GigabitEthernet 5/0/4.4210116:421-116#587310171#804 GE1 WNDSON1431W-WNDSON1434W##pppoe 00:24:c9:90:ca:72#"<o:p></o:p></p>
<p class="MsoNormal"> Connect-Info = "1000000000"<o:p></o:p></p>
<p class="MsoNormal"> NAS-Port-Type = Virtual<o:p></o:p></p>
<p class="MsoNormal"> NAS-Port = 693<o:p></o:p></p>
<p class="MsoNormal"> NAS-Port-Id = "Uniq-Sess-ID693"<o:p></o:p></p>
<p class="MsoNormal"> Service-Type = Framed-User<o:p></o:p></p>
<p class="MsoNormal"> NAS-IP-Address = 192.168.9.6<o:p></o:p></p>
<p class="MsoNormal">+- entering group authorize {...}<o:p></o:p></p>
<p class="MsoNormal">++[preprocess] returns ok<o:p></o:p></p>
<p class="MsoNormal">[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.9.6/auth-detail-20140630<o:p></o:p></p>
<p class="MsoNormal">[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.9.6/auth-detail-20140630<o:p></o:p></p>
<p class="MsoNormal">[auth_log] expand: %t -> Mon Jun 30 19:44:10 2014<o:p></o:p></p>
<p class="MsoNormal">++[auth_log] returns ok<o:p></o:p></p>
<p class="MsoNormal">++[chap] returns noop<o:p></o:p></p>
<p class="MsoNormal">++[mschap] returns noop<o:p></o:p></p>
<p class="MsoNormal">[suffix] Looking up realm "ourrealm.com" for User-Name = "validuser@ourrealm.com"<o:p></o:p></p>
<p class="MsoNormal">[suffix] No such realm "ourrealm.com"<o:p></o:p></p>
<p class="MsoNormal">++[suffix] returns noop<o:p></o:p></p>
<p class="MsoNormal">[eap] No EAP-Message, not doing EAP<o:p></o:p></p>
<p class="MsoNormal">++[eap] returns noop<o:p></o:p></p>
<p class="MsoNormal">++[unix] returns notfound<o:p></o:p></p>
<p class="MsoNormal">[files] users: Matched entry validuser@ourrealm.com at line 87<o:p></o:p></p>
<p class="MsoNormal">++[files] returns ok<o:p></o:p></p>
<p class="MsoNormal">++[expiration] returns noop<o:p></o:p></p>
<p class="MsoNormal">++[logintime] returns noop<o:p></o:p></p>
<p class="MsoNormal">++[pap] returns updated<o:p></o:p></p>
<p class="MsoNormal">Found Auth-Type = PAP<o:p></o:p></p>
<p class="MsoNormal">+- entering group PAP {...}<o:p></o:p></p>
<p class="MsoNormal">[pap] login attempt with password "validpassword"<o:p></o:p></p>
<p class="MsoNormal">[pap] Using clear text password "validpassword"<o:p></o:p></p>
<p class="MsoNormal">[pap] User authenticated successfully<o:p></o:p></p>
<p class="MsoNormal">++[pap] returns ok<o:p></o:p></p>
<p class="MsoNormal">Login OK: [validuser@ourrealm.com/validpassword] (from client cisco-router port 693 cli GigabitEthernet 5/0/4.4210116:421-116#587310171#804 GE1 WNDSON1431W-WNDSON1434W##pppoe 00:24:c9:90:ca:72#)<o:p></o:p></p>
<p class="MsoNormal">+- entering group post-auth {...}<o:p></o:p></p>
<p class="MsoNormal">[reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/192.168.9.6/reply-detail-20140630<o:p></o:p></p>
<p class="MsoNormal">[reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.9.6/reply-detail-20140630<o:p></o:p></p>
<p class="MsoNormal">[reply_log] expand: %t -> Mon Jun 30 19:44:10 2014<o:p></o:p></p>
<p class="MsoNormal">++[reply_log] returns ok<o:p></o:p></p>
<p class="MsoNormal">++[exec] returns noop<o:p></o:p></p>
<p class="MsoNormal">Sending Access-Accept of id 38 to 192.168.9.6 port 1645<o:p></o:p></p>
<p class="MsoNormal"> Framed-IP-Address = 10.40.100.82<o:p></o:p></p>
<p class="MsoNormal">Finished request 1.<o:p></o:p></p>
<p class="MsoNormal">Going to the next request<o:p></o:p></p>
<p class="MsoNormal">Waking up in 4.9 seconds.<o:p></o:p></p>
<p class="MsoNormal">Cleaning up request 0 ID 37 with timestamp +32<o:p></o:p></p>
<p class="MsoNormal">Cleaning up request 1 ID 38 with timestamp +33<o:p></o:p></p>
<p class="MsoNormal">Ready to process requests.<o:p></o:p></p>
</div>
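<p class="MsoNormal">Added example, not part of the original message: one way to confirm the pattern described above from radiusd debug output, by pairing each rejected realm-only User-Name with an accepted user@realm login from the same client, port and Calling-Station-Id. The function names, the 5-second window and the last sample request are assumptions made here; the parser matches the User-Password field without keeping it.</p>

```python
import re
from datetime import datetime

# Abridged from the debug log in the post (cli shortened); the last
# request is constructed to show a rejection that does not fit the pattern.
SAMPLE = """\
[auth_log] expand: %t -> Mon Jun 30 19:44:09 2014
Login incorrect: [ourrealm.com/secret] (from client cisco-router port 693 cli pppoe 00:24:c9:90:ca:72#)
[auth_log] expand: %t -> Mon Jun 30 19:44:10 2014
Login OK: [validuser@ourrealm.com/validpassword] (from client cisco-router port 693 cli pppoe 00:24:c9:90:ca:72#)
[auth_log] expand: %t -> Mon Jun 30 19:50:00 2014
Login incorrect: [otheruser@ourrealm.com/wrongpass] (from client cisco-router port 701 cli pppoe 00:11:22:33:44:55#)
"""

TIME_RE = re.compile(r"expand: %t -> (.+)$")
# The password field is matched but never captured, so it is not retained.
AUTH_RE = re.compile(r"^Login (incorrect|OK): \[([^/]*)/.*\] "
                     r"\(from client (\S+) port (\d+)(?: cli (.*))?\)$")

def parse_events(text):
    """One dict per Login line, stamped with the preceding %t expansion."""
    events, now = [], None
    for line in text.splitlines():
        m = TIME_RE.search(line)
        if m:
            now = datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Y")
            continue
        m = AUTH_RE.match(line.strip())
        if m and now is not None:
            outcome, user, client, port, cli = m.groups()
            events.append({"time": now, "ok": outcome == "OK", "user": user,
                           "session": (client, port, cli or "")})
    return events

def realm_only_rejects(events, window=5):
    """Pair a rejected bare-realm User-Name with a later accepted user@realm
    from the same client/port/cli no more than `window` seconds afterwards."""
    pairs = []
    for i, rej in enumerate(events):
        if rej["ok"] or "@" in rej["user"]:
            continue
        for acc in events[i + 1:]:
            gap = (acc["time"] - rej["time"]).total_seconds()
            if gap > window:
                break
            if (acc["ok"] and acc["session"] == rej["session"]
                    and acc["user"].endswith("@" + rej["user"])):
                pairs.append((rej["user"], acc["user"], gap))
                break
    return pairs
```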
</body>
</html>