When I have (radcheck) attribute `User-Password', authentication succeeds but we see the following: rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password rlm_chap: Using clear text password "aromaescape" for user elmaroma_cn3000 authentication. rlm_chap: chap user elmaroma_cn3000 authenticated succesfully ++[chap] returns ok If I change the attribute to `Cleartext-Password', authentication fails and I see: rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password rlm_chap: Cleartext-Password is required for authentication ++[chap] returns invalid auth: Failed to validate the user. Login incorrect (rlm_chap: Clear text password not available): [elmaroma_cn3000/<CHAP-Password>] (from client cn3000_aroma port 0 cli 00-02-6F-xx-xx-92) The "users" file ---------------------- DEFAULT Fall-Through = 1 DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP --------------------- authorize { preprocess chap mschap suffix unix files sql expiration logintime noresetcounter dailycounter monthlycounter daypasscounter pap} authenticate { pap chap mschap} Thanks muchly, Andrew Long EWS
On Wednesday 30 January 2008 15:31:51 Andrew Long wrote:
If I change the attribute to `Cleartext-Password', authentication fails and I see:
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password rlm_chap: Cleartext-Password is required for authentication ++[chap] returns invalid auth: Failed to validate the user. Login incorrect (rlm_chap: Clear text password not available): [elmaroma_cn3000/<CHAP-Password>] (from client cn3000_aroma port 0 cli 00-02-6F-xx-xx-92)
Thanks muchly, Andrew Long EWS
Can you run the radcheck query manually and post the output? Is the operator correct? Does it do the same thing when you move the SQL entry to the users file and make the same attribute name changes? Kevin Bonner
Can you post users entry in the database. it's quite likely that you left == as the operator instead of using :=. Ivan Kalik Kalik Informatika ISP Dana 30/1/2008, "Andrew Long" <fursink@gmail.com> piše:
When I have (radcheck) attribute `User-Password', authentication succeeds but we see the following:
rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password rlm_chap: Using clear text password "aromaescape" for user elmaroma_cn3000 authentication. rlm_chap: chap user elmaroma_cn3000 authenticated succesfully ++[chap] returns ok
If I change the attribute to `Cleartext-Password', authentication fails and I see:
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password rlm_chap: Cleartext-Password is required for authentication ++[chap] returns invalid auth: Failed to validate the user. Login incorrect (rlm_chap: Clear text password not available): [elmaroma_cn3000/<CHAP-Password>] (from client cn3000_aroma port 0 cli 00-02-6F-xx-xx-92)
The "users" file ---------------------- DEFAULT Fall-Through = 1 DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP --------------------- authorize { preprocess chap mschap suffix unix files sql expiration logintime noresetcounter dailycounter monthlycounter daypasscounter pap} authenticate { pap chap mschap}
Thanks muchly,
Andrew Long EWS - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
With attribute `User-Password' and op = `==' we get this: rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'mainaroma_cn3200' ORDER BY id WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. rlm_sql (sql): User found in radcheck table mysql> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'mainaroma_cn3200' ORDER BY id; +-----+------------------+---------------+-------------+----+ | id | username | attribute | value | op | +-----+------------------+---------------+-------------+----+ | 409 | mainaroma_cn3200 | User-Password | nicepassword | == | +-----+------------------+---------------+-------------+----+ 1 row in set (0.01 sec) ======== Now, with `op' = `:=' rather than `==' as Ivan suggests : we see the same error... rad_check_password: Found Auth-Type CHAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "mainaroma_cn3200" with CHAP password rlm_chap: Using clear text password "aromaescape" for user mainaroma_cn3200 authentication. rlm_chap: chap user mainaroma_cn3200 authenticated succesfully ++[chap] returns ok The only difference is that when I use `:=' there are two access-requests from the host and two access-accepts: access-request id 40 --> access-accept id 40 and then immediately access-request id 160 --> access-accept id 160. None of this is in users file; we pass the info from sql. Andrew EWS Solutions ======================================================= On Jan 30, 2008 5:21 PM, Kevin Bonner <keb@pa.net> wrote:
On Wednesday 30 January 2008 15:31:51 Andrew Long wrote:
If I change the attribute to `Cleartext-Password', authentication fails and I see:
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password rlm_chap: Cleartext-Password is required for authentication ++[chap] returns invalid auth: Failed to validate the user. Login incorrect (rlm_chap: Clear text password not available): [elmaroma_cn3000/<CHAP-Password>] (from client cn3000_aroma port 0 cli 00-02-6F-xx-xx-92)
Thanks muchly, Andrew Long EWS
2008/1/30 Ivan Kalik <tnt@kalik.net>:
Can you post users entry in the database. it's quite likely that you left == as the operator instead of using :=.
Ivan Kalik Kalik Informatika ISP
Dana 30/1/2008, "Andrew Long" <fursink@gmail.com> piše:
When I have (radcheck) attribute `User-Password', authentication succeeds but we see the following:
rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password rlm_chap: Using clear text password "aromaescape" for user elmaroma_cn3000 authentication. rlm_chap: chap user elmaroma_cn3000 authenticated succesfully ++[chap] returns ok
If I change the attribute to `Cleartext-Password', authentication fails and I see:
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password rlm_chap: Cleartext-Password is required for authentication ++[chap] returns invalid auth: Failed to validate the user. Login incorrect (rlm_chap: Clear text password not available): [elmaroma_cn3000/<CHAP-Password>] (from client cn3000_aroma port 0 cli 00-02-6F-xx-xx-92)
The "users" file ---------------------- DEFAULT Fall-Through = 1 DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP --------------------- authorize { preprocess chap mschap suffix unix files sql expiration logintime noresetcounter dailycounter monthlycounter daypasscounter pap} authenticate { pap chap mschap}
Thanks muchly,
Andrew Long EWS - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OK, you replaced the operator. Why didn't you replace User-Password with Cleartext-Password as debug so clearly suggests (and so did someone else on the list; I was under impression that you have done that)? As for 2 requests - they seem to be 120 requests apart. NAS usually sends a new request about 2 seconds after sending the first one (if it gets no response). If you have 120 requests in 2 seconds it's likely that your database is having hard time coping. Where are all those requests coming from? Ivan Kalik Kalik Informatika ISP Dana 31/1/2008, "Andrew Long" <fursink@gmail.com> piše:
With attribute `User-Password' and op = `==' we get this:
rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'mainaroma_cn3200' ORDER BY id WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. rlm_sql (sql): User found in radcheck table
mysql> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'mainaroma_cn3200' ORDER BY id; +-----+------------------+---------------+-------------+----+ | id | username | attribute | value | op | +-----+------------------+---------------+-------------+----+ | 409 | mainaroma_cn3200 | User-Password | nicepassword | == | +-----+------------------+---------------+-------------+----+ 1 row in set (0.01 sec)
========
Now, with `op' = `:=' rather than `==' as Ivan suggests : we see the same error...
rad_check_password: Found Auth-Type CHAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "mainaroma_cn3200" with CHAP password rlm_chap: Using clear text password "aromaescape" for user mainaroma_cn3200 authentication. rlm_chap: chap user mainaroma_cn3200 authenticated succesfully ++[chap] returns ok
The only difference is that when I use `:=' there are two access-requests from the host and two access-accepts: access-request id 40 --> access-accept id 40 and then immediately access-request id 160 --> access-accept id 160.
None of this is in users file; we pass the info from sql.
Andrew EWS Solutions
======================================================= On Jan 30, 2008 5:21 PM, Kevin Bonner <keb@pa.net> wrote:
On Wednesday 30 January 2008 15:31:51 Andrew Long wrote:
If I change the attribute to `Cleartext-Password', authentication fails and I see:
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password rlm_chap: Cleartext-Password is required for authentication ++[chap] returns invalid auth: Failed to validate the user. Login incorrect (rlm_chap: Clear text password not available): [elmaroma_cn3000/<CHAP-Password>] (from client cn3000_aroma port 0 cli 00-02-6F-xx-xx-92)
Thanks muchly, Andrew Long EWS
2008/1/30 Ivan Kalik <tnt@kalik.net>:
Can you post users entry in the database. it's quite likely that you left == as the operator instead of using :=.
Ivan Kalik Kalik Informatika ISP
Dana 30/1/2008, "Andrew Long" <fursink@gmail.com> piše:
When I have (radcheck) attribute `User-Password', authentication succeeds but we see the following:
rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password rlm_chap: Using clear text password "aromaescape" for user elmaroma_cn3000 authentication. rlm_chap: chap user elmaroma_cn3000 authenticated succesfully ++[chap] returns ok
If I change the attribute to `Cleartext-Password', authentication fails and I see:
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password rlm_chap: Cleartext-Password is required for authentication ++[chap] returns invalid auth: Failed to validate the user. Login incorrect (rlm_chap: Clear text password not available): [elmaroma_cn3000/<CHAP-Password>] (from client cn3000_aroma port 0 cli 00-02-6F-xx-xx-92)
The "users" file ---------------------- DEFAULT Fall-Through = 1 DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP --------------------- authorize { preprocess chap mschap suffix unix files sql expiration logintime noresetcounter dailycounter monthlycounter daypasscounter pap} authenticate { pap chap mschap}
Thanks muchly,
Andrew Long EWS - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sorry about that. As you suggested, when I replace BOTH op and attribute with ':=' and 'Cleartext-Password', the authentication proceeds properly. As to the duplicate requests, I did this test with only one host configured to use this freeradius server and there were two requests and two responses, like this and in this order with nothing in between: -Jan 31 08:08:13 debug iprulesmgr Sending RADIUS Access Request (id='14') -rad_recv: Access-Request packet from host xxx.xxx.xxx.58 port 1024, id=14, length=196 -Sending Access-Accept of id 14 to xxx.xxx.xxx.58 port 1024 -Jan 31 08:08:14 debug iprulesmgr Received RADIUS Access Accept (id='14') -Jan 31 08:08:14 debug iprulesmgr Sending RADIUS Access Request (id='240') -rad_recv: Access-Request packet from host xxx.xxx.xxx.58 port 1024, id=240, length=196 -Sending Access-Accept of id 240 to xxx.xxx.xxx.58 port 1024 -Jan 31 08:08:14 debug iprulesmgr Received RADIUS Access Accept (id='240') There were no intermediate requests sent from the client to any other hosts, so I can only say that there is something in the client (Colubris CN3200) which is not obeying the traffic laws by sending consecutive requests so far apart in number... Ivan, thank you. Also, kudos to all developers for making the debug output so much more precise! - Andrew Long EWS Solutions 2008/1/31 Ivan Kalik <tnt@kalik.net>:
OK, you replaced the operator. Why didn't you replace User-Password with Cleartext-Password as debug so clearly suggests (and so did someone else on the list; I was under impression that you have done that)?
As for 2 requests - they seem to be 120 requests apart. NAS usually sends a new request about 2 seconds after sending the first one (if it gets no response). If you have 120 requests in 2 seconds it's likely that your database is having hard time coping. Where are all those requests coming from?
Ivan Kalik Kalik Informatika ISP
Dana 31/1/2008, "Andrew Long" <fursink@gmail.com> piše:
With attribute `User-Password' and op = `==' we get this:
rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'mainaroma_cn3200' ORDER BY id WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. rlm_sql (sql): User found in radcheck table
mysql> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'mainaroma_cn3200' ORDER BY id; +-----+------------------+---------------+-------------+----+ | id | username | attribute | value | op | +-----+------------------+---------------+-------------+----+ | 409 | mainaroma_cn3200 | User-Password | nicepassword | == | +-----+------------------+---------------+-------------+----+ 1 row in set (0.01 sec)
========
Now, with `op' = `:=' rather than `==' as Ivan suggests : we see the same error...
rad_check_password: Found Auth-Type CHAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "mainaroma_cn3200" with CHAP password rlm_chap: Using clear text password "aromaescape" for user mainaroma_cn3200 authentication. rlm_chap: chap user mainaroma_cn3200 authenticated succesfully ++[chap] returns ok
The only difference is that when I use `:=' there are two access-requests from the host and two access-accepts: access-request id 40 --> access-accept id 40 and then immediately access-request id 160 --> access-accept id 160.
None of this is in users file; we pass the info from sql.
Andrew EWS Solutions
======================================================= On Jan 30, 2008 5:21 PM, Kevin Bonner <keb@pa.net> wrote:
On Wednesday 30 January 2008 15:31:51 Andrew Long wrote:
If I change the attribute to `Cleartext-Password', authentication fails and I see:
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password rlm_chap: Cleartext-Password is required for authentication ++[chap] returns invalid auth: Failed to validate the user. Login incorrect (rlm_chap: Clear text password not available): [elmaroma_cn3000/<CHAP-Password>] (from client cn3000_aroma port 0 cli 00-02-6F-xx-xx-92)
Thanks muchly, Andrew Long EWS
2008/1/30 Ivan Kalik <tnt@kalik.net>:
Can you post users entry in the database. it's quite likely that you left == as the operator instead of using :=.
Ivan Kalik Kalik Informatika ISP
Dana 30/1/2008, "Andrew Long" <fursink@gmail.com> piše:
When I have (radcheck) attribute `User-Password', authentication succeeds but we see the following:
rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password rlm_chap: Using clear text password "aromaescape" for user elmaroma_cn3000 authentication. rlm_chap: chap user elmaroma_cn3000 authenticated succesfully ++[chap] returns ok
If I change the attribute to `Cleartext-Password', authentication fails and I see:
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password rlm_chap: Cleartext-Password is required for authentication ++[chap] returns invalid auth: Failed to validate the user. Login incorrect (rlm_chap: Clear text password not available): [elmaroma_cn3000/<CHAP-Password>] (from client cn3000_aroma port 0 cli 00-02-6F-xx-xx-92)
The "users" file ---------------------- DEFAULT Fall-Through = 1 DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP --------------------- authorize { preprocess chap mschap suffix unix files sql expiration logintime noresetcounter dailycounter monthlycounter daypasscounter pap} authenticate { pap chap mschap}
Thanks muchly,
Andrew Long EWS - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-Jan 31 08:08:14 debug iprulesmgr Received RADIUS Access Accept (id='14') -Jan 31 08:08:14 debug iprulesmgr Sending RADIUS Access Request (id='240')
Even stranger is that it did recieve accept packet but still sent out another request. Debug ppp on that NAS and see what's going on. Ivan Kalik Kalik Informatika ISP
Any idea why making the same change ( to attribute 'Cleartext-Password and op ':=') on 1.1.7 would lead to failed authentications? Same sql setup, chap. as is, using attitribute 'password' or 'User-Password' (both work) and op '=='. Andrew On Jan 31, 2008 8:07 AM, Ivan Kalik <tnt@kalik.net> wrote:
-Jan 31 08:08:14 debug iprulesmgr Received RADIUS Access Accept (id='14') -Jan 31 08:08:14 debug iprulesmgr Sending RADIUS Access Request (id='240')
Even stranger is that it did recieve accept packet but still sent out another request. Debug ppp on that NAS and see what's going on.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
A brief second test indicates I probably goofed my update query; I just tried again on 1.1.7 and it worked. Good thing I'm not in charge of financial records. - Andrew On Feb 1, 2008 2:22 AM, Ivan Kalik <tnt@kalik.net> wrote:
Any idea why making the same change ( to attribute 'Cleartext-Password and op ':=') on 1.1.7 would lead to failed authentications?
Send the debug for that one.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Andrew Long -
Ivan Kalik -
Kevin Bonner