Here is the debug info: ... adding new socket proxy address * port 52796 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.253.82.100 port 65457, id=165, length=79 User-Name = "gnssra9" User-Password = "\325\353\nI>\t\362\373\0240\351\333\177\352\313l" NAS-Identifier = "8200-FL-R" Calling-Station-Id = "172.20.148.80" NAS-IP-Address = 10.253.82.100 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "gnssra9", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 2 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = ntlm_auth # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=gnssra9 [ntlm_auth] expand: --password=%{User-Password} -> --password=▒▒ I> ▒▒?0▒▒▒l Child PID 29411 (/usr/bin/ntlm_auth) is taking too much time: forcing failure and killing child. ++[ntlm_auth] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> gnssra9 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 165 to 10.253.82.100 port 65457 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.253.82.100 port 65457, id=165, length=79 Sending duplicate reply to client 10.253.82.100 port 65457 - ID: 165 Sending Access-Reject of id 165 to 10.253.82.100 port 65457 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.253.82.100 port 65457, id=165, length=79 Sending duplicate reply to client 10.253.82.100 port 65457 - ID: 165 Sending Access-Reject of id 165 to 10.253.82.100 port 65457 Waking up in 4.9 seconds. Cleaning up request 0 ID 165 with timestamp +51 Ready to process requests. Thanks. -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+sahmad=darden.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Thursday, July 09, 2015 11:48 AM To: FreeRadius users mailing list Subject: Re: radtest works but Device Fails Authentication On Jul 8, 2015, at 4:28 PM, Syed Rais Ahmad NON DRI <SAhmad@darden.com> wrote:
I have the FreeRadius setup to use ntlm_auth for authentication. When I use radtest utility to test the setup, it returns Access-Accept. However, when I use the same credentials on a Juniper firewall, it gets Access-Reject with NT_STATUS_WRONG_PASSWORD: Wrong Password.
Any idea what could be wrong? Apparently, the Juniper is changing the password when it's presenting it to freeRadius.
Run the server in debug mode as suggested in the FAQ, "man" page, web pages, and daily on this list. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html This e-mail message is for the sole use of the intended recipient and may contain information that is confidential, proprietary or privileged. Any unauthorized review, use, distribution, copying or disclosure is strictly prohibited. If you are not the intended recipient, or the employee or agent responsible for delivering it to the intended recipient, please notify sender of the delivery error by replying to this message and then delete it from your system. Receipt by anyone other than the intended recipient is not a waiver of confidentiality or privilege.