On Thu, Nov 12, 2015 at 10:13 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Nov 11, 2015, at 8:02 PM, Tim Chen <gphoto6@gmail.com> wrote:
However, I did more tests: ... 2. if I change modules/passwd into passwd passwdf1 { filename = /home/radius/passwd1 format = "*Stripped-User-Name:NT-Password:" Then ALL authentication tests FAILED
What does the debug output show?
When I tried to set modules/passwd into passwd passwdf1 { format = "*Stripped-User-Name:NT-Password:" And test by the following command: radtest john@eduroam.example.edu PASS 140.X.X.X 1812 testing123 (PAP) I got the following error: rad_recv: Access-Request packet from host XXX port 60992, id=162, length=92 User-Name = "john@eduroam.example.edu" User-Password = "PASS" NAS-IP-Address = XXX NAS-Port = 1812 Message-Authenticator = 0x35f44df400fa512aef4a447642eeff85 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[passwdf1] = notfound ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "eduroam.example.edu" for User-Name = " john@eduroam.example.edu" [suffix] Found realm "eduroam.example.edu" [suffix] Adding Stripped-User-Name = "john" [suffix] Adding Realm = "eduroam.example.edu" [suffix] Proxying request from user john to realm eduroam.example.edu [suffix] Preparing to proxy authentication request to realm " eduroam.example.edu" ++[suffix] = updated [eap] No EAP-Message, not doing EAP ++[eap] = noop [files] file_common ++[files] = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated WARNING: Empty pre-proxy section. Using default return values. Sending Access-Request of id 187 to 127.0.0.1 port 1812 User-Name = "john" User-Password = "PASS" NAS-IP-Address = XXX NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x313632 Proxying request 0 to home server 127.0.0.1 port 1812 Sending Access-Request of id 187 to 127.0.0.1 port 1812 User-Name = "john" User-Password = "PASS" NAS-IP-Address = XXX NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x313632 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=187, length=78 User-Name = "john" User-Password = "PASS" NAS-IP-Address = XXX NAS-Port = 1812 Message-Authenticator = 0x3755dea88f500f9d9ec1b923f614b849 Proxy-State = 0x313632 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[passwdf1] = notfound ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "john", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "john" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] No EAP-Message, not doing EAP ++[eap] = noop [files] file_common ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = ok ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [john/PASS] (from client localhost port 1812) Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group REJECT { [eap] Request didn't contain an EAP-Message, not inserting EAP-Failure ++[eap] = noop [attr_filter.access_reject] expand: %{User-Name} -> john attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 187 to 127.0.0.1 port 1814 Proxy-State = 0x313632 Waking up in 4.9 seconds. rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=187, length=25 Proxy-State = 0x313632 # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/default +group post-proxy { [eap] No pre-existing handler found ++[eap] = noop +} # group post-proxy = noop Login incorrect (Home Server says so): [john@eduroam.example.edu/PASS] (from client network8 port 1812) Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group REJECT { [eap] Request didn't contain an EAP-Message, not inserting EAP-Failure ++[eap] = noop [attr_filter.access_reject] expand: %{User-Name} -> john@eduroam.example.edu attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Sending Access-Reject of id 162 to XXX port 60992 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 187 with timestamp +31 Cleaning up request 0 ID 162 with timestamp +31 Ready to process requests.