getting access-reject not sure why
So I decided to blow away my FreeRADIUS v3 setup to authenticate from my cisco devices. I am doing this for documentation purposes. I am currently running CentOS 7.3. Here is what I have in my users file: test1 Cleartext-Password := "hello" Service-Type = Administrative-User, Auth-Type := Accept, Reply-Message := "Hello, %{User-Name}", Cisco-AVPair = "shell:roles=network-admin", Cisco-AVPair = "shell:priv-lvl=15" Here is my clients config: clients network-equipment { ipaddr = 10.150.1.0/24 secret = Infotech5! nas_type = cisco shortname = network-equipment } clients linux-servers { ipaddr = 10.150.10.0/24 secret = Infotech5! proto = * nas_type = other shortname = linux-servers } Everything else is default. Here is the debug output log: Ready to process requests Waking up in 0.3 seconds. (1) Received Access-Request packet from host 10.150.1.213 port 1645, id=11, length=98 (1) User-Name = 'test1' (1) Reply-Message = 'Password: ' (1) User-Password = '\305ɥ\273\306\335\026\257l{\033)z\017\343o' (1) NAS-Port = 1 (1) NAS-Port-Type = Virtual (1) Calling-Station-Id = '10.150.1.250' (1) NAS-IP-Address = 10.150.1.213 (1) NAS-Identifier = 'ASMCAP1' (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) # Executing group from file /etc/raddb/sites-enabled/default (1) pap : Login attempt with password (1) ERROR: pap : Cleartext password does not match "known good" password (1) pap : Passwords don't match (1) # Executing group from file /etc/raddb/sites-enabled/default Waking up in 0.6 seconds. (1) Sending Access-Reject packet to host 10.150.1.213 port 1645, id=11, length=0 (1) Reply-Message = 'Hello, test1' Waking up in 3.9 seconds. Ready to process requests Waking up in 0.3 seconds. (2) Received Access-Request packet from host 10.150.1.213 port 1645, id=11, length=98 (2) User-Name = 'test1' (2) Reply-Message = 'Password: ' (2) User-Password = '\305ɥ\273\306\335\026\257l{\033)z\017\343o' (2) NAS-Port = 1 (2) NAS-Port-Type = Virtual (2) Calling-Station-Id = '10.150.1.250' (2) NAS-IP-Address = 10.150.1.213 (2) NAS-Identifier = 'ASMCAP1' (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) # Executing group from file /etc/raddb/sites-enabled/default (2) pap : Login attempt with password (2) ERROR: pap : Cleartext password does not match "known good" password (2) pap : Passwords don't match (2) # Executing group from file /etc/raddb/sites-enabled/default Waking up in 0.6 seconds. (2) Sending Access-Reject packet to host 10.150.1.213 port 1645, id=11, length=0 (2) Reply-Message = 'Hello, test1' Waking up in 3.9 seconds. I don't understand why i'm getting a denied packet.
On 30 June 2017 19:37:44 BST, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
(1) User-Password = '\305ɥ\273\306\335\026\257l{\033)z\017\343o'
I don't understand why i'm getting a denied packet.
I guess your shared secret is wrong. -- Matthew
Do I need to have quotes around the password? On Friday, June 30, 2017 1:43 PM, Matthew Newton <matthew@newtoncomputing.co.uk> wrote: On 30 June 2017 19:37:44 BST, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
(1) User-Password = '\305ɥ\273\306\335\026\257l{\033)z\017\343o'
I don't understand why i'm getting a denied packet.
I guess your shared secret is wrong. -- Matthew
On 30 June 2017 19:52:39 BST, Andrew Meyer <andrewm659@yahoo.com> wrote:
Do I need to have quotes around the password?
No
(1) User-Password = '\305ɥ\273\306\335\026\257l{\033)z\017\343o'
I doubt that is the password you logged in with, which points to incorrect shared secret somewhere. -- Matthew
So I just changed my shared seceret and tested again. Same thing. I got the reply of "Hello $USER". On Friday, June 30, 2017 2:05 PM, Matthew Newton <matthew@newtoncomputing.co.uk> wrote: On 30 June 2017 19:52:39 BST, Andrew Meyer <andrewm659@yahoo.com> wrote:
Do I need to have quotes around the password?
No
(1) User-Password = '\305ɥ\273\306\335\026\257l{\033)z\017\343o'
I doubt that is the password you logged in with, which points to incorrect shared secret somewhere. -- Matthew
On Jun 30, 2017, at 3:06 PM, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
So I just changed my shared seceret and tested again. Same thing. I got the reply of "Hello $USER".
Configure your shared secret in the RADIUS dissector in wireshark. If the secret is correct you'll see the decoded password in the packet trace. -Arran
I'm using NTRadPing to test. [me@asm-rancid01 ~]$ sudo tcpdump -vv -c 25 -i ens160 port radius or port radius-acct or port radius-dynauthtcpdump: listening on ens160, link-type EN10MB (Ethernet), capture size 65535 bytes14:27:05.939265 IP (tos 0x0, ttl 127, id 32326, offset 0, flags [none], proto UDP (17), length 73) 10.150.1.250.54985 > asm-rancid01.borg.local.radius: [udp sum ok] RADIUS, length: 45 Access Request (1), id: 0x0f, Authenticator: 20202020202031343938383530383034 Username Attribute (1), length: 7, Value: test1 0x0000: 7465 7374 31 Password Attribute (2), length: 18, Value: 0x0000: 95cd ee67 81b4 a45e bfd5 2e3f b1fb b50014:27:06.940510 IP (tos 0x0, ttl 64, id 64923, offset 0, flags [none], proto UDP (17), length 62) asm-rancid01.borg.local.radius > 10.150.1.250.54985: [bad udp cksum 0x2189 -> 0x817c!] RADIUS, length: 34 Access Reject (3), id: 0x0f, Authenticator: 5ab10ea4604f377f82ee855f1f2a2300 Reply Attribute (18), length: 14, Value: Hello, test1 0x0000: 4865 6c6c 6f2c 2074 6573 7431 On Friday, June 30, 2017 2:18 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On Jun 30, 2017, at 3:06 PM, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
So I just changed my shared seceret and tested again. Same thing. I got the reply of "Hello $USER".
Configure your shared secret in the RADIUS dissector in wireshark. If the secret is correct you'll see the decoded password in the packet trace. -Arran
Ok I fixed one aspect of the issue. I found out that I didn't have VMWare tools running, and turned off TCP OFfloading. But still getting an Accept-Reject for the user. For my other test user "bob" it works fine. On Friday, June 30, 2017 2:29 PM, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote: I'm using NTRadPing to test. [me@asm-rancid01 ~]$ sudo tcpdump -vv -c 25 -i ens160 port radius or port radius-acct or port radius-dynauthtcpdump: listening on ens160, link-type EN10MB (Ethernet), capture size 65535 bytes14:27:05.939265 IP (tos 0x0, ttl 127, id 32326, offset 0, flags [none], proto UDP (17), length 73) 10.150.1.250.54985 > asm-rancid01.borg.local.radius: [udp sum ok] RADIUS, length: 45 Access Request (1), id: 0x0f, Authenticator: 20202020202031343938383530383034 Username Attribute (1), length: 7, Value: test1 0x0000: 7465 7374 31 Password Attribute (2), length: 18, Value: 0x0000: 95cd ee67 81b4 a45e bfd5 2e3f b1fb b50014:27:06.940510 IP (tos 0x0, ttl 64, id 64923, offset 0, flags [none], proto UDP (17), length 62) asm-rancid01.borg.local.radius > 10.150.1.250.54985: [bad udp cksum 0x2189 -> 0x817c!] RADIUS, length: 34 Access Reject (3), id: 0x0f, Authenticator: 5ab10ea4604f377f82ee855f1f2a2300 Reply Attribute (18), length: 14, Value: Hello, test1 0x0000: 4865 6c6c 6f2c 2074 6573 7431 On Friday, June 30, 2017 2:18 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On Jun 30, 2017, at 3:06 PM, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
So I just changed my shared seceret and tested again. Same thing. I got the reply of "Hello $USER".
Configure your shared secret in the RADIUS dissector in wireshark. If the secret is correct you'll see the decoded password in the packet trace. -Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
This is weird. I got it to work, however I had to manually specify my hosts connecting to the FreeRADIUS server. If I do a 10.150.1.0/24 It won't work. But if I specify the IP with the ipaddr = 10.150.1.250 it works fine. Has anyone seen this problem? My config looks correct. This is all a test so passwords will be changed. client network-equipment { ipaddr = 10.150.1.0/24 secret = NetworkControl1 nas_type = cisco shortname = network-equipment } client windows-pc { ipaddr = 10.150.1.250 secret = CellPhone nas_type = other shortname = windows } On Friday, June 30, 2017 3:42 PM, Andrew Meyer <andrewm659@yahoo.com> wrote: Ok I fixed one aspect of the issue. I found out that I didn't have VMWare tools running, and turned off TCP OFfloading. But still getting an Accept-Reject for the user. For my other test user "bob" it works fine. On Friday, June 30, 2017 2:29 PM, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote: I'm using NTRadPing to test. [me@asm-rancid01 ~]$ sudo tcpdump -vv -c 25 -i ens160 port radius or port radius-acct or port radius-dynauthtcpdump: listening on ens160, link-type EN10MB (Ethernet), capture size 65535 bytes14:27:05.939265 IP (tos 0x0, ttl 127, id 32326, offset 0, flags [none], proto UDP (17), length 73) 10.150.1.250.54985 > asm-rancid01.borg.local.radius: [udp sum ok] RADIUS, length: 45 Access Request (1), id: 0x0f, Authenticator: 20202020202031343938383530383034 Username Attribute (1), length: 7, Value: test1 0x0000: 7465 7374 31 Password Attribute (2), length: 18, Value: 0x0000: 95cd ee67 81b4 a45e bfd5 2e3f b1fb b50014:27:06.940510 IP (tos 0x0, ttl 64, id 64923, offset 0, flags [none], proto UDP (17), length 62) asm-rancid01.borg.local.radius > 10.150.1.250.54985: [bad udp cksum 0x2189 -> 0x817c!] RADIUS, length: 34 Access Reject (3), id: 0x0f, Authenticator: 5ab10ea4604f377f82ee855f1f2a2300 Reply Attribute (18), length: 14, Value: Hello, test1 0x0000: 4865 6c6c 6f2c 2074 6573 7431 On Friday, June 30, 2017 2:18 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On Jun 30, 2017, at 3:06 PM, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
So I just changed my shared seceret and tested again. Same thing. I got the reply of "Hello $USER".
Configure your shared secret in the RADIUS dissector in wireshark. If the secret is correct you'll see the decoded password in the packet trace. -Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
client network-equipment { ipv4addr = 10.150.1.0/24 secret = NetworkControl1 nas_type = cisco shortname = network-equipment } ? On 30 June 2017 at 22:17, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
This is weird. I got it to work, however I had to manually specify my hosts connecting to the FreeRADIUS server. If I do a 10.150.1.0/24 It won't work. But if I specify the IP with the ipaddr = 10.150.1.250 it works fine. Has anyone seen this problem? My config looks correct. This is all a test so passwords will be changed.
client network-equipment { ipaddr = 10.150.1.0/24 secret = NetworkControl1 nas_type = cisco shortname = network-equipment }
client windows-pc { ipaddr = 10.150.1.250 secret = CellPhone nas_type = other shortname = windows }
On Friday, June 30, 2017 3:42 PM, Andrew Meyer <andrewm659@yahoo.com> wrote:
Ok I fixed one aspect of the issue. I found out that I didn't have VMWare tools running, and turned off TCP OFfloading. But still getting an Accept-Reject for the user. For my other test user "bob" it works fine.
On Friday, June 30, 2017 2:29 PM, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm using NTRadPing to test. [me@asm-rancid01 ~]$ sudo tcpdump -vv -c 25 -i ens160 port radius or port radius-acct or port radius-dynauthtcpdump: listening on ens160, link-type EN10MB (Ethernet), capture size 65535 bytes14:27:05.939265 IP (tos 0x0, ttl 127, id 32326, offset 0, flags [none], proto UDP (17), length 73) 10.150.1.250.54985 > asm-rancid01.borg.local.radius: [udp sum ok] RADIUS, length: 45 Access Request (1), id: 0x0f, Authenticator: 20202020202031343938383530383034 Username Attribute (1), length: 7, Value: test1 0x0000: 7465 7374 31 Password Attribute (2), length: 18, Value: 0x0000: 95cd ee67 81b4 a45e bfd5 2e3f b1fb b50014:27:06.940510 IP (tos 0x0, ttl 64, id 64923, offset 0, flags [none], proto UDP (17), length 62) asm-rancid01.borg.local.radius > 10.150.1.250.54985: [bad udp cksum 0x2189 -> 0x817c!] RADIUS, length: 34 Access Reject (3), id: 0x0f, Authenticator: 5ab10ea4604f377f82ee855f1f2a2300 Reply Attribute (18), length: 14, Value: Hello, test1 0x0000: 4865 6c6c 6f2c 2074 6573 7431
On Friday, June 30, 2017 2:18 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On Jun 30, 2017, at 3:06 PM, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
So I just changed my shared seceret and tested again. Same thing. I got the reply of "Hello $USER".
Configure your shared secret in the RADIUS dissector in wireshark. If the secret is correct you'll see the decoded password in the packet trace.
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I fixed that. I took out the ipv4addr and put the ipaddr back. On Friday, June 30, 2017 4:30 PM, Alan Buxey <alan.buxey@gmail.com> wrote: client network-equipment { ipv4addr = 10.150.1.0/24 secret = NetworkControl1 nas_type = cisco shortname = network-equipment } ? On 30 June 2017 at 22:17, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
This is weird. I got it to work, however I had to manually specify my hosts connecting to the FreeRADIUS server. If I do a 10.150.1.0/24 It won't work. But if I specify the IP with the ipaddr = 10.150.1.250 it works fine. Has anyone seen this problem? My config looks correct. This is all a test so passwords will be changed.
client network-equipment { ipaddr = 10.150.1.0/24 secret = NetworkControl1 nas_type = cisco shortname = network-equipment }
client windows-pc { ipaddr = 10.150.1.250 secret = CellPhone nas_type = other shortname = windows }
On Friday, June 30, 2017 3:42 PM, Andrew Meyer <andrewm659@yahoo.com> wrote:
Ok I fixed one aspect of the issue. I found out that I didn't have VMWare tools running, and turned off TCP OFfloading. But still getting an Accept-Reject for the user. For my other test user "bob" it works fine.
On Friday, June 30, 2017 2:29 PM, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm using NTRadPing to test. [me@asm-rancid01 ~]$ sudo tcpdump -vv -c 25 -i ens160 port radius or port radius-acct or port radius-dynauthtcpdump: listening on ens160, link-type EN10MB (Ethernet), capture size 65535 bytes14:27:05.939265 IP (tos 0x0, ttl 127, id 32326, offset 0, flags [none], proto UDP (17), length 73) 10.150.1.250.54985 > asm-rancid01.borg.local.radius: [udp sum ok] RADIUS, length: 45 Access Request (1), id: 0x0f, Authenticator: 20202020202031343938383530383034 Username Attribute (1), length: 7, Value: test1 0x0000: 7465 7374 31 Password Attribute (2), length: 18, Value: 0x0000: 95cd ee67 81b4 a45e bfd5 2e3f b1fb b50014:27:06.940510 IP (tos 0x0, ttl 64, id 64923, offset 0, flags [none], proto UDP (17), length 62) asm-rancid01.borg.local.radius > 10.150.1.250.54985: [bad udp cksum 0x2189 -> 0x817c!] RADIUS, length: 34 Access Reject (3), id: 0x0f, Authenticator: 5ab10ea4604f377f82ee855f1f2a2300 Reply Attribute (18), length: 14, Value: Hello, test1 0x0000: 4865 6c6c 6f2c 2074 6573 7431
On Friday, June 30, 2017 2:18 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On Jun 30, 2017, at 3:06 PM, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
So I just changed my shared seceret and tested again. Same thing. I got the reply of "Hello $USER".
Configure your shared secret in the RADIUS dissector in wireshark. If the secret is correct you'll see the decoded password in the packet trace.
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I think I fixed it. Thank you for all the help. On Friday, June 30, 2017 4:33 PM, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote: I fixed that. I took out the ipv4addr and put the ipaddr back. On Friday, June 30, 2017 4:30 PM, Alan Buxey <alan.buxey@gmail.com> wrote: client network-equipment { ipv4addr = 10.150.1.0/24 secret = NetworkControl1 nas_type = cisco shortname = network-equipment } ? On 30 June 2017 at 22:17, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
This is weird. I got it to work, however I had to manually specify my hosts connecting to the FreeRADIUS server. If I do a 10.150.1.0/24 It won't work. But if I specify the IP with the ipaddr = 10.150.1.250 it works fine. Has anyone seen this problem? My config looks correct. This is all a test so passwords will be changed.
client network-equipment { ipaddr = 10.150.1.0/24 secret = NetworkControl1 nas_type = cisco shortname = network-equipment }
client windows-pc { ipaddr = 10.150.1.250 secret = CellPhone nas_type = other shortname = windows }
On Friday, June 30, 2017 3:42 PM, Andrew Meyer <andrewm659@yahoo.com> wrote:
Ok I fixed one aspect of the issue. I found out that I didn't have VMWare tools running, and turned off TCP OFfloading. But still getting an Accept-Reject for the user. For my other test user "bob" it works fine.
On Friday, June 30, 2017 2:29 PM, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm using NTRadPing to test. [me@asm-rancid01 ~]$ sudo tcpdump -vv -c 25 -i ens160 port radius or port radius-acct or port radius-dynauthtcpdump: listening on ens160, link-type EN10MB (Ethernet), capture size 65535 bytes14:27:05.939265 IP (tos 0x0, ttl 127, id 32326, offset 0, flags [none], proto UDP (17), length 73) 10.150.1.250.54985 > asm-rancid01.borg.local.radius: [udp sum ok] RADIUS, length: 45 Access Request (1), id: 0x0f, Authenticator: 20202020202031343938383530383034 Username Attribute (1), length: 7, Value: test1 0x0000: 7465 7374 31 Password Attribute (2), length: 18, Value: 0x0000: 95cd ee67 81b4 a45e bfd5 2e3f b1fb b50014:27:06.940510 IP (tos 0x0, ttl 64, id 64923, offset 0, flags [none], proto UDP (17), length 62) asm-rancid01.borg.local.radius > 10.150.1.250.54985: [bad udp cksum 0x2189 -> 0x817c!] RADIUS, length: 34 Access Reject (3), id: 0x0f, Authenticator: 5ab10ea4604f377f82ee855f1f2a2300 Reply Attribute (18), length: 14, Value: Hello, test1 0x0000: 4865 6c6c 6f2c 2074 6573 7431
On Friday, June 30, 2017 2:18 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On Jun 30, 2017, at 3:06 PM, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
So I just changed my shared seceret and tested again. Same thing. I got the reply of "Hello $USER".
Configure your shared secret in the RADIUS dissector in wireshark. If the secret is correct you'll see the decoded password in the packet trace.
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jun 30, 2017, at 3:28 PM, Andrew Meyer <andrewm659@yahoo.com> wrote:
I'm using NTRadPing to test.
[me@asm-rancid01 ~]$ sudo tcpdump -vv -c 25 -i ens160 port radius or port radius-acct or port radius-dynauth
tcpdump's RADIUS printing/parsing functions don't attempt to decrypt the password. -Arran
participants (4)
-
Alan Buxey -
Andrew Meyer -
Arran Cudbard-Bell -
Matthew Newton