Sorry about that. As you suggested, when I replace BOTH op and attribute with ':=' and 'Cleartext-Password', the authentication proceeds properly. As to the duplicate requests, I did this test with only one host configured to use this freeradius server and there were two requests and two responses, like this and in this order with nothing in between: -Jan 31 08:08:13 debug iprulesmgr Sending RADIUS Access Request (id='14') -rad_recv: Access-Request packet from host xxx.xxx.xxx.58 port 1024, id=14, length=196 -Sending Access-Accept of id 14 to xxx.xxx.xxx.58 port 1024 -Jan 31 08:08:14 debug iprulesmgr Received RADIUS Access Accept (id='14') -Jan 31 08:08:14 debug iprulesmgr Sending RADIUS Access Request (id='240') -rad_recv: Access-Request packet from host xxx.xxx.xxx.58 port 1024, id=240, length=196 -Sending Access-Accept of id 240 to xxx.xxx.xxx.58 port 1024 -Jan 31 08:08:14 debug iprulesmgr Received RADIUS Access Accept (id='240') There were no intermediate requests sent from the client to any other hosts, so I can only say that there is something in the client (Colubris CN3200) which is not obeying the traffic laws by sending consecutive requests so far apart in number... Ivan, thank you. Also, kudos to all developers for making the debug output so much more precise! - Andrew Long EWS Solutions 2008/1/31 Ivan Kalik <tnt@kalik.net>:
OK, you replaced the operator. Why didn't you replace User-Password with Cleartext-Password as debug so clearly suggests (and so did someone else on the list; I was under impression that you have done that)?
As for 2 requests - they seem to be 120 requests apart. NAS usually sends a new request about 2 seconds after sending the first one (if it gets no response). If you have 120 requests in 2 seconds it's likely that your database is having hard time coping. Where are all those requests coming from?
Ivan Kalik Kalik Informatika ISP
Dana 31/1/2008, "Andrew Long" <fursink@gmail.com> piše:
With attribute `User-Password' and op = `==' we get this:
rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'mainaroma_cn3200' ORDER BY id WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. rlm_sql (sql): User found in radcheck table
mysql> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'mainaroma_cn3200' ORDER BY id; +-----+------------------+---------------+-------------+----+ | id | username | attribute | value | op | +-----+------------------+---------------+-------------+----+ | 409 | mainaroma_cn3200 | User-Password | nicepassword | == | +-----+------------------+---------------+-------------+----+ 1 row in set (0.01 sec)
========
Now, with `op' = `:=' rather than `==' as Ivan suggests : we see the same error...
rad_check_password: Found Auth-Type CHAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "mainaroma_cn3200" with CHAP password rlm_chap: Using clear text password "aromaescape" for user mainaroma_cn3200 authentication. rlm_chap: chap user mainaroma_cn3200 authenticated succesfully ++[chap] returns ok
The only difference is that when I use `:=' there are two access-requests from the host and two access-accepts: access-request id 40 --> access-accept id 40 and then immediately access-request id 160 --> access-accept id 160.
None of this is in users file; we pass the info from sql.
Andrew EWS Solutions
======================================================= On Jan 30, 2008 5:21 PM, Kevin Bonner <keb@pa.net> wrote:
On Wednesday 30 January 2008 15:31:51 Andrew Long wrote:
If I change the attribute to `Cleartext-Password', authentication fails and I see:
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password rlm_chap: Cleartext-Password is required for authentication ++[chap] returns invalid auth: Failed to validate the user. Login incorrect (rlm_chap: Clear text password not available): [elmaroma_cn3000/<CHAP-Password>] (from client cn3000_aroma port 0 cli 00-02-6F-xx-xx-92)
Thanks muchly, Andrew Long EWS
2008/1/30 Ivan Kalik <tnt@kalik.net>:
Can you post users entry in the database. it's quite likely that you left == as the operator instead of using :=.
Ivan Kalik Kalik Informatika ISP
Dana 30/1/2008, "Andrew Long" <fursink@gmail.com> piše:
When I have (radcheck) attribute `User-Password', authentication succeeds but we see the following:
rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password rlm_chap: Using clear text password "aromaescape" for user elmaroma_cn3000 authentication. rlm_chap: chap user elmaroma_cn3000 authenticated succesfully ++[chap] returns ok
If I change the attribute to `Cleartext-Password', authentication fails and I see:
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password rlm_chap: Cleartext-Password is required for authentication ++[chap] returns invalid auth: Failed to validate the user. Login incorrect (rlm_chap: Clear text password not available): [elmaroma_cn3000/<CHAP-Password>] (from client cn3000_aroma port 0 cli 00-02-6F-xx-xx-92)
The "users" file ---------------------- DEFAULT Fall-Through = 1 DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP --------------------- authorize { preprocess chap mschap suffix unix files sql expiration logintime noresetcounter dailycounter monthlycounter daypasscounter pap} authenticate { pap chap mschap}
Thanks muchly,
Andrew Long EWS - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html