Hi list, I'm currently - trying to - set up a radius server. The backend used is MySQL. I'm using FreeRADIUS 2.1.11 on FreeBSD 8 During my tests, for the same user I used "test" password, then "blabla" password. Now, I use "blabla" and it's not working. instead "test" is still working ... I tested with a third string ("ahaha") , there's a third error output... I tried restarting radiusd and the jail it's running into, this does changes nothing. All this commands/outputs are from the same running server (I mean no reboot). How can this happen ? radtest commands : # radtest -t mschap bsemene test 10.1.8.4 0 testing123 Sending Access-Request of id 166 to 10.1.8.4 port 1812 User-Name = "bsemene" NAS-IP-Address = 10.1.8.4 NAS-Port = 0 MS-CHAP-Challenge = 0x244e451f6d9cec8a MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000048485d333f46de4d66241b5be289340fd16f37838c63c542 rad_recv: Access-Accept packet from host 10.1.8.4 port 1812, id=166, length=90 Framed-MTU = 1400 MS-CHAP-MPPE-Keys = 0x01fc5a6be7bc69292066656e05c22f3a995ad9ecfed913d60000000000000000 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 /usr/local/etc/raddb# radtest -t mschap bsemene blabla 10.1.8.4 0 testing123 Sending Access-Request of id 87 to 10.1.8.4 port 1812 User-Name = "bsemene" NAS-IP-Address = 10.1.8.4 NAS-Port = 0 MS-CHAP-Challenge = 0xfabeb87636c4a8d1 MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091fbe9a51db58f3684cd91ebde311aedfcbe19271848ee45 rad_recv: Access-Reject packet from host 10.1.8.4 port 1812, id=87, length=38 MS-CHAP-Error = "\000E=691 R=1" /usr/local/etc/raddb# radtest -t mschap bsemene ahaha 10.1.8.4 0 testing123 Sending Access-Request of id 222 to 10.1.8.4 port 1812 User-Name = "bsemene" NAS-IP-Address = 10.1.8.4 NAS-Port = 0 MS-CHAP-Challenge = 0xc0d0a9ded19cb497 MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000058d55aa0e11a251eee1a70f03438ff09fd872fc81b27c614 rad_recv: Access-Reject packet from host 10.1.8.4 port 1812, id=222, length=38 MS-CHAP-Error = "\000E=691 R=1" debug mode outputs : password "test" : [sql] expand: %{Stripped-User-Name} -> [sql] ... expanding second conditional [sql] expand: %{User-Name} -> bsemene [sql] expand: %{%{User-Name}:-DEFAULT} -> bsemene [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> bsemene [sql] sql_set_user escaped user --> 'bsemene' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bsemene' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'bsemene' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'bsemene' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dynamic' ORDER BY id [sql] User found in group dynamic [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dynamic' ORDER BY id rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv1 with NT-Password [mschap] adding MS-CHAPv1 MPPE keys ++[mschap] returns ok password blabla: [sql] expand: %{Stripped-User-Name} -> [sql] ... expanding second conditional [sql] expand: %{User-Name} -> bsemene [sql] expand: %{%{User-Name}:-DEFAULT} -> bsemene [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> bsemene [sql] sql_set_user escaped user --> 'bsemene' rlm_sql (sql): Reserving sql socket id: 0 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bsemene' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'bsemene' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'bsemene' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dynamic' ORDER BY id [sql] User found in group dynamic [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dynamic' ORDER BY id rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv1 with NT-Password [mschap] MS-CHAP-Response is incorrect. ++[mschap] returns reject Failed to authenticate the user. password ahaha : [sql] expand: %{Stripped-User-Name} -> [sql] ... expanding second conditional [sql] expand: %{User-Name} -> ahaha [sql] expand: %{%{User-Name}:-DEFAULT} -> ahaha [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> ahaha [sql] sql_set_user escaped user --> 'ahaha' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'ahaha' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'ahaha' ORDER BY priority rlm_sql (sql): Released sql socket id: 2 [sql] User ahaha not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv1 with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] MS-CHAP-Response is incorrect. ++[mschap] returns reject Failed to authenticate the user. SQL=>radcheck table : mysql> SELECT * FROM radcheck\G *************************** 1. row *************************** id: 2525 username: bsemene attribute: dynamic op: := value: blabla 1 row in set (0.00 sec) Users file : # cat users | grep -v "^[[:space:]]*#" | grep -v "^$" DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIP default server : # cat sites-available/default | grep -v "^[[:space:]]*#" | grep -v "^$" authorize { preprocess chap mschap digest suffix eap { ok = return } files sql expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } digest unix eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp sql exec attr_filter.accounting_response } session { radutmp } post-auth { exec Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { eap } inner-tunnel server : # cat sites-available/inner-tunnel | grep -v "^[[:space:]]*#" | grep -v "^$" server inner-tunnel { listen { ipaddr = 127.0.0.1 port = 18120 type = auth } authorize { chap mschap suffix update control { Proxy-To-Realm := LOCAL } eap { ok = return } files sql expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix eap } session { radutmp } post-auth { Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { eap } } # inner-tunnel server block -- If you think experts are expensive, wait to see what amateurs will cost you -- Bastien Semene Administrateur Réseau& Système Cyanide Studio - FRANCE