I'm having a strange problem I hope you can help me figure out. We're finally moving from an ancient Livingston RADIUS to FreeRADIUS. I compiled and installed version 2.0.5 on a freshly installed CentOS 5 box, read all the documentation I could find, installed our old users file and adapted it until it now (mostly) works correctly. System info: # radiusd -v radiusd: FreeRADIUS Version 2.0.5, for host i686-redhat-linux-gnu, built on Aug 5 2008 at 15:40:15 # uname -a Linux ****.*******.com 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT 2008 i686 i686 i386 GNU/Linux The problem I'm having is that we have a lot of legacy users still logging in with "Pusername" for PPP connections. I've tried to set it up in both the users file and the hints file (separately) and get the same result. No matter what I do, it tries to authenticate (System auth type) the username "Pusername" instead of "username". If I add a user named "Pusername" everything works correctly. It hits the right default entry and authenticates fine, so it's just not stripping off the "P" when authenticating. I have also tried suffixes (".ppp") to test if it was just the prefix that wasn't working. Same problem. We're not using any realms, proxying, LDAP, SQL, etc at this time. Just a very simple single RADIUS server reading from a users file and authenticating against the system password file. I first tried to set it up in the users file. I commented out everything in the hints file. Here's what the DEFAULT entry looks like in the users file: DEFAULT Auth-Type := System, Prefix == "P" User-Service-Type = Framed-User, Session-Timeout = 36000, Idle-Timeout = 600, Port-Limit = 1, Framed-Protocol = PPP, Framed-Address = 255.255.255.254, Framed-Netmask = 255.255.255.255, Framed-Routing = None, Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP I attempt to authenticate: # radtest Psweaver ******** localhost 0 testing123 Sending Access-Request of id 43 to 127.0.0.1 port 1645 User-Name = "Psweaver" User-Password = "********" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1 port 1645, id=43, length=20 Things are working otherwise; without the "P" it works fine: # radtest sweaver ******** localhost 0 testing123 Sending Access-Request of id 223 to 127.0.0.1 port 1645 User-Name = "sweaver" User-Password = "********" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1 port 1645, id=223, length=56 Session-Timeout = 36000 Idle-Timeout = 600 Port-Limit = 1 Service-Type = Login-User Login-IP-Host = ***.***.***.*** Login-Service = Rlogin With the "P", here's the output of radiusd -X rad_recv: Access-Request packet from host 127.0.0.1 port 35915, id=175, length=6 0 User-Name = "Psweaver" User-Password = "********" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 +- entering group authorize ++[preprocess] returns ok expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20080812 rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20080812 expand: %t -> Tue Aug 12 10:10:44 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "Psweaver", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound users: Matched entry DEFAULT at line 3526 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type System auth: type "System" +- entering group authenticate ++[unix] returns notfound auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> Psweaver attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 175 to 127.0.0.1 port 35915 Finished request 2. Going to the next request Waking up in 4.9 seconds. Cleaning up request 2 ID 175 with timestamp +1013 Ready to process requests. Note that it's matching line 3526, which is indeed the DEFAULT entry I listed above. If I move prefix information to the hints file, I end up with this in the hints file: DEFAULT Prefix == "P", Strip-User-Name = Yes Hint = "PPP" and this in the users file: DEFAULT Auth-Type := System, Hint == "PPP" User-Service-Type = Framed-User, Session-Timeout = 36000, Idle-Timeout = 600, Port-Limit = 1, Framed-Protocol = PPP, Framed-Address = 255.255.255.254, Framed-Netmask = 255.255.255.255, Framed-Routing = None, Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP Test fails: # radtest Psweaver ******** localhost 0 testing123 Sending Access-Request of id 161 to 127.0.0.1 port 1645 User-Name = "Psweaver" User-Password = "********" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1 port 1645, id=161, length=20 radiusd -X output: rad_recv: Access-Request packet from host 127.0.0.1 port 35924, id=161, length=60 User-Name = "Psweaver" User-Password = "********" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 +- entering group authorize hints: Matched DEFAULT at 65 ++[preprocess] returns ok expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20080812 rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20080812 expand: %t -> Tue Aug 12 10:44:04 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "Psweaver", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound users: Matched entry DEFAULT at line 3526 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type System auth: type "System" +- entering group authenticate ++[unix] returns notfound auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> Psweaver attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 161 to 127.0.0.1 port 35924 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 161 with timestamp +4 Ready to process requests. It hits line 65 in the hints file (my "P" entry), and line 3526 in the users file (my "PPP" entry.) When using the hints file, it even logs this to the detail file showing that it's been stripped: Tue Aug 12 10:44:04 2008 Packet-Type = Access-Request User-Name = "Psweaver" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Stripped-User-Name = "sweaver" Hint = "PPP" Either way, everything works if I add a Psweaver entry to the password file, and not if I don't. I'm out of ideas. Anyone have any I can borrow? :) TIA, SW -- Steven Weaver sweaver@inebraska.com IT Director (402) 434-8680 x101 Internet Nebraska http://www.inebraska.com/