(and I am changing that testuser’s pw, fyi) —Douglas
On Jan 18, 2018, at 3:13 PM, Douglas C Ward <douglas@ugutech.com> wrote:
I appreciate the help. I am new to this, and sorry if by newbie requests are annoying. I’m just hoping to get to a basic functionality, and then will keep learning on my own. I have done my homework in trying to search the list archives and other sources, and am not trying to be a “solve it for me” kind of guy.
Here’s the full output of the debug log from the initial “Ready to process requests” through my radtest request. I this enough to see what’s going on?
###########################################
(0) Received Access-Request Id 35 from 127.0.0.1:62745 to 127.0.0.1:1812 length 95 (0) User-Name = "dward@iacollaborative.com <mailto:dward@iacollaborative.com>" (0) User-Password = "//55/Red/Turtle" (0) NAS-IP-Address = 172.16.172.19 (0) NAS-Port = 0 (0) Message-Authenticator = 0xc3b3015c813572dcd8f1de884017f5a8 (0) # Executing section authorize from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "iacollaborative.com <http://iacollaborative.com/>" for User-Name = "dward@iacollaborative.com <mailto:dward@iacollaborative.com>" (0) suffix: No such realm "iacollaborative.com <http://iacollaborative.com/>" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /usr/local/Cellar/freeradius-server/3.0.15/etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> dward@iacollaborative.com <mailto:dward@iacollaborative.com> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 35 from 127.0.0.1:1812 to 127.0.0.1:62745 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 35 with timestamp +13 Ready to process requests
###########################################
—Douglas
On Jan 18, 2018, at 2:57 PM, Alan Buxey <alan.buxey@gmail.com <mailto:alan.buxey@gmail.com>> wrote:
provide full debug not the bits that interest you (as noted, you are new to this and so without understanding all the minutae of details only providing minimal (and wrong bits) of output we end up playing a guessing game)
note that some of the stuff in the virtual servers is older - and in fact, pre-fixed with a warning. if you read the ldap module you will find further instruction eg
# Note: set_auth_type was removed in v3.x.x # Equivalent functionality can be achieved by adding the following # stanza to the authorize {} section of your virtual server. # # ldap # if ((ok || updated) && User-Password) { # update { # control:Auth-Type := ldap # } # }
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>