Hello! It seems that your client is using a quite unusual character in his password. That leads to encoding problems with your database backend. The solution is to either list that character in safe_characters for the database (I don't really recommend that, given that \240 is a bit too unusual) or store the password not literal in the database, but properly encoded. the rlm_sql module will then take the user's password, encode it, and check it against the same-encoded string in the database. Of course, the problem might also be that your shared secret for this client isn't correct, as the end of the failed attempt suggests. But given that all but one character in the password are nicely printable, my guess is that it's really just a weird character in the password. In any case, you can verify that using a more straightforward password and see it that works. Greetings, Stefan Winter Am Freitag, 30. Juni 2006 09:37 schrieb Kun Niu:
Dear all,
I've just installed freeradius 1.0.2 on my debian3.1 system. I've got two radius clients. One can be authorized normally and the other one failed to be authorized.
Here's my log. Would anyone be kind enough to analyze it for me? Thanks in advance and any help would be appreciated.
The failing one:
rad_recv: Access-Request packet from host 192.168.1.2:1026, id=199, length=239 User-Name = "abc" Service-Type = Login-User NAS-Port-Type = Ethernet NAS-IP-Address = 192.168.1.2 WISPr-Logoff-URL = "https://10.10.10.1/logout.user" WISPr-Location-Name = "GEMTEK_SYSTEMS,Terminal_Worldwide" WISPr-Location-ID = "isocc=us,cc=1,ac=408,network=GEMTEK_SYSTEMS" Framed-IP-Address = 10.10.10.10 Calling-Station-Id = "0060B325AB48" Called-Station-Id = "00904BBDFAD0" Acct-Session-Id = "44A4C9148546" User-Password = "Ye~\2409" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "abc", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 1 radius_xlat: 'abc' rlm_sql (sql): sql_set_user escaped user --> 'abc' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'abc' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 3 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupch eck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'abc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'abc' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupre ply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'abc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): No matching entry in the database for request from user [abc] rlm_sql (sql): Released sql socket id: 3 modcall[authorize]: module "sql" returns notfound for request 1 modcall: group authorize returns ok for request 1 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 modcall[authenticate]: module "unix" returns notfound for request 1 modcall: group authenticate returns notfound for request 1 auth: Failed to validate the user. WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS! Delaying request 1 for 1 seconds Finished request 1
The successful one:
rad_recv: Access-Request packet from host 192.168.1.1:32812, id=0, length=84 User-Name = "abc" CHAP-Password = 0x04f97271e7e12220a7f6397cc15a62f7e2 NAS-IP-Address = 192.168.1.1 Acct-Session-Id = "5b010000" NAS-Port = 3 CHAP-Challenge = 0x00ac45bdd7e79c6af29ee0b413c874a8 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 rlm_chap: Setting 'Auth-Type := CHAP' modcall[authorize]: module "chap" returns ok for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "abc", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 2 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 2 radius_xlat: 'abc' rlm_sql (sql): sql_set_user escaped user --> 'abc' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'abc' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 2 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupch eck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'abc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'abc' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupre ply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'abc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 2 modcall[authorize]: module "sql" returns ok for request 2 modcall: group authorize returns ok for request 2 rad_check_password: Found Auth-Type Local auth: type Local auth: user supplied CHAP-Password matches local User-Password Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 2 rlm_sql (sql): Processing sql_postauth radius_xlat: 'abc' rlm_sql (sql): sql_set_user escaped user --> 'abc' radius_xlat: 'INSERT into radpostauth (id, user, pass, reply, date) values ('', 'abc', 'Chap-Password', 'Access-Accept', NOW())' rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'abc', 'Chap-Password', 'Access-Accept', NOW()) rlm_sql (sql): Reserving sql socket id: 1 rlm_sql (sql): Released sql socket id: 1 modcall[post-auth]: module "sql" returns ok for request 2 modcall: group post-auth returns ok for request 2 Sending Access-Accept of id 0 to 192.168.1.1:32812 NAS-IP-Address := 255.255.255.255 Finished request 2
Sincerely, Kun - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473