it is the radiusd -X out of the radtast here are the fail and success Success Received Access-Accept Id 131 from 127.0.0.1:1812 to 0.0.0.0:0 via lo length 20 [root@radius current]# radtest bind-user testing123 127.0.0.1:1812 0 testing123 shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory Sent Access-Request Id 109 from 0.0.0.0:47510 to 127.0.0.1:1812 length 78 User-Name = "bind-user" User-Password = "testing123" (1) Received Access-Request Id 116 from 127.0.0.1:47073 to 127.0.0.1:1812 via lo length 78 (1) User-Name = "bind-user" (1) User-Password = "testing123" (1) NAS-IP-Address = 127.0.53.53 (1) NAS-Port = 0 (1) Message-Authenticator = 0x2d0e4248001ea3516c62b1cd7157e8ce (1) Running section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) authorize { rlm_ldap (ldap) - Closing connection (1): Hit idle_timeout, was idle for 73 seconds rlm_ldap (ldap) - Closing connection (2): Hit idle_timeout, was idle for 72 seconds rlm_ldap (ldap) - Closing connection (3): Hit idle_timeout, was idle for 72 seconds rlm_ldap (ldap) - Closing connection (4): Hit idle_timeout, was idle for 72 seconds rlm_ldap (ldap) - You probably need to lower "min" rlm_ldap (ldap) - Closing connection (0): Hit idle_timeout, was idle for 69 seconds rlm_ldap (ldap) - You probably need to lower "min" rlm_ldap (ldap) - Closing connection (5): Hit idle_timeout, was idle for 68 seconds rlm_ldap (ldap) - You probably need to lower "min" (1) ldap - 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap) - Opening additional connection (6), 1 of 32 pending slots used rlm_ldap (ldap) - Connecting to ldaps://ldap.jumpcloud.com:636 TLS: error: the certificate '/usr/local/etc/raddb/certs/current/radius.crt' could not be found in the database - error -5939:No more entries in the directory. TLS: certificate '/usr/local/etc/raddb/certs/current/radius.crt' successfully loaded from PEM file. TLS: no unlocked certificate for certificate 'E=noname@noname.com ,CN=radius,OU=fail,O=company,L=city,ST=CA,C=US'. TLS: certificate [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user.. rlm_ldap (ldap) - Waiting for bind result... rlm_ldap (ldap) - Bind successful (1) ldap - Reserved connection (6) (1) ldap - EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap - --> (uid=bind-user) (1) ldap - Performing search in "ou=Users,dc=jumpcloud,dc=com" with filter "(uid=bind-user)", scope "sub" (1) ldap - Waiting for search result... (1) ldap - User object found at DN "uid=bind-user,ou=Users,dc=jumpcloud,dc=com" (1) ldap - Processing user attributes (1) ldap - &control:Password-With-Header += {CRYPT}$6$cbea6d7932dfa76b$YgORZH6XtDXmFEDrcBnX3Ao6JDxACy.BRMTNZ8DkF0idg3cM2D3gPEHRfA05f8dQx14o/4Fi575xXJ.2yDkDA/ (1) ldap - Released connection (6) rlm_ldap (ldap) - Need 2 more connections to reach 10 spares rlm_ldap (ldap) - Opening additional connection (7), 1 of 31 pending slots used rlm_ldap (ldap) - Connecting to ldaps://ldap.jumpcloud.com:636 TLS: error: the certificate '/usr/local/etc/raddb/certs/current/radius.crt' could not be found in the database - error -5939:No more entries in the directory. TLS: certificate '/usr/local/etc/raddb/certs/current/radius.crt' successfully loaded from PEM file. TLS: no unlocked certificate for certificate 'E=noname@noname.com ,CN=radius,OU=fail,O=company,L=city,ST=CA,C=US'. TLS: certificate [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user.. rlm_ldap (ldap) - Waiting for bind result... rlm_ldap (ldap) - Bind successful (1) ldap (updated) (1) pap - Converted: Password-With-Header -> Crypt-Password (1) pap - Removing &control:Password-With-Header (1) pap (updated) (1) } # authorize (updated) (1) Using 'Auth-Type = PAP' for authenticate {...} (1) Running Auth-Type PAP from file /usr/local/etc/raddb/sites-enabled/default (1) Auth-Type PAP { (1) pap - Login attempt with password (1) pap - Comparing with "known-good" Crypt-password (1) pap - User authenticated successfully (1) pap (ok) (1) } # Auth-Type PAP (ok) (1) Running section post-auth from file /usr/local/etc/raddb/sites-enabled/default (1) post-auth { (1) update { (1) &reply: skipped: No values available (1) } # update (noop) (1) exec (noop) (1) remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) ... (1) } (1) else { (1) noop (noop) (1) } # else (noop) (1) } # remove_reply_message_if_eap (noop) (1) } # post-auth (noop) (1) Sent Access-Accept Id 116 from 127.0.0.1:1812 to 127.0.0.1:47073 via lo length 0 (1) Finished request Waking up in 4.9 seconds. (1) Cleaning up request packet ID 116 with timestamp +72 Ready to process requests Fail (0) Received Access-Request Id 65 from 127.0.0.1:39452 to 127.0.0.1:1812 via lo length 76 (0) User-Name = "user" (0) User-Password = "testing123" (0) NAS-IP-Address = 127.0.53.53 (0) NAS-Port = 0 (0) Message-Authenticator = 0x94179f0d815d4f3a96cf008f6d3bbcf9 (0) Running section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) ldap - Reserved connection (0) (0) ldap - EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap - --> (uid=user) (0) ldap - Performing search in "ou=Users,dc=myhost,dc=com" with filter "(uid=user)", scope "sub" (0) ldap - Waiting for search result... (0) ldap - User object found at DN "uid=user,ou=Users,dc=myhost,dc=com" (0) ldap - Processing user attributes (0) ldap - WARNING: No "known good" password added. Set 'identity' to the dn of an account that has permission to read the user's password attribute (0) ldap - Released connection (0) rlm_ldap (ldap) - Need 5 more connections to reach 10 spares rlm_ldap (ldap) - Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap) - Connecting to ldaps://ldap.myhost.com:636 TLS: error: the certificate '/usr/local/etc/raddb/certs/current/radius.crt' could not be found in the database - error -5939:No more entries in the directory. TLS: certificate '/usr/local/etc/raddb/certs/current/radius.crt' successfully loaded from PEM file. TLS: no unlocked certificate for certificate 'E=noname@noname.com ,CN=radius,OU=fail,O=company,L=city,ST=CA,C=US'. TLS: certificate [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user.. rlm_ldap (ldap) - Waiting for bind result... rlm_ldap (ldap) - Bind successful (0) ldap (ok) (0) pap - WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap - WARNING: Authentication will fail unless a "known good" password is available (0) pap (noop) (0) } # authorize (ok) (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) Running Post-Auth-Type Reject from file /usr/local/etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject - EXPAND %{User-Name} (0) attr_filter.access_reject - --> user (0) attr_filter.access_reject - Matched entry DEFAULT at line 11 (0) attr_filter.access_reject (updated) (0) eap (noop) (0) remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) ... (0) } (0) else { (0) noop (noop) (0) } # else (noop) (0) } # remove_reply_message_if_eap (noop) (0) } # Post-Auth-Type REJECT (updated) (0) Delaying response for 1.000000 seconds Waking up in 0.9 seconds. (0) - Sending delayed response (0) - Sent Access-Reject Id 65 from 127.0.0.1:1812 to 127.0.0.1:39452 via lo length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 65 with timestamp +4 Ready to process requests On Tue, Feb 2, 2016 at 12:34 PM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
You need to provide the rest of the debug output up to the point where
it sends an Access-Challenge.
or reject
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html