On Thu, Feb 1, 2018, Nathan Ward wrote:
Usual expectation is that you show a radius debug with the packets being processed. The one you have pasted only shows the process starting up and config being parsed and such. You’ve sort of included some of that debug under (A) and (B) sections so you’ve definitely got it, but for some reason you haven’t posted it. If you could post the whole thing, people can likely help you more.
Apologies, entire "radiusd -X" output from radclient executions are below. I get what's going on with everything except the part that I marked: ## Mike: where could this Login incorrect be coming from?
From what I can tell, group authorize was never called, so who/what/where is nacking this username?
Any reason you’re using 2.2.10 for what I presume is a new build? You should use 3.0.16 if you can.
Unfortunately, this is the build that Synology is currently shipping: https://www.synology.com/en-us/dsm/packages/RadiusServer So it's the path of least resistance to get this older version working. If this isn't possible, I'll look at running a newer version in a docker instance, but that's a decent bit more work. Thanks Nathan. -Mike rad_recv: Access-Request packet from host 10.10.10.10 port 36379, id=65, length=48 User-Name = "mikesart" User-Password = "password" # Executing section authorize from file /usr/local/synoradius/rad_site_def_local +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "mikesart", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop rlm_unix: Find real name [mikesart] -> [mikesart] ++[unix] = updated ++[files] = noop [smbpasswd] Added LM-Password: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' to config_items [smbpasswd] Added NT-Password: '8846F7EAEE8FB117AD06BDD830B7586C' to config_items [smbpasswd] Added SMB-Account-CTRL-TEXT: '[U ]' to config_items ++[smbpasswd] = ok ++[expiration] = noop ++[logintime] = noop [pap] Normalizing LM-Password from base64 encoding [pap] Normalizing NT-Password from hex encoding ++[pap] = updated +} # group authorize = updated Found Auth-Type = PAP # Executing group from file /usr/local/synoradius/rad_site_def_local +group PAP { [pap] login attempt with password "password" [pap] Using CRYPT password "$6$tTVl/E3frQR2gIJl$RXuU9/AT0F2SLYRRbcJ.NeF5cOLBLL5u7uws7JIqMTMm.Ws7cIbiyPhit3.94TXEyOO4CSTXRrDiXeHELhZbN1" [pap] User authenticated successfully ++[pap] = ok +} # group PAP = ok Login OK: [mikesart/password] (from client radiusclient port 0) # Executing section post-auth from file /usr/local/synoradius/rad_site_def_local +group post-auth { ++[exec] = noop +} # group post-auth = noop Sending Access-Accept of id 65 to 10.10.10.10 port 36379 Finished request 1. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 65 with timestamp +24 Ready to process requests. rad_recv: Access-Request packet from host 10.10.10.10 port 51390, id=195, length=45 User-Name = "alice" User-Password = "passme" ## ## Mike: where could this Login incorrect be coming from? ## Login incorrect: Incorrect user name (input name [alice], full name [alice]) There was no response configured: rejecting request 2 Using Post-Auth-Type Reject # Executing group from file /usr/local/synoradius/rad_site_def_local +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> alice attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 195 to 10.10.10.10 port 51390 Waking up in 4.9 seconds. Cleaning up request 2 ID 195 with timestamp +55 Ready to process requests.