Problem: switch authentication against Freeradius server
Dear, I've implemented Linux SSH authentication using PAM against a Freeradius server, it was OK !!! But know I'm trying to authenticate some Allied switch users against the same Freeradius server...in the Allied switch I've defined the radius server IP, port and secret, and when I try to telnet this switch from other computer I fail and get this Freeradius log: rad_recv: Access-Request packet from host 10.4.133.254 port 49154, id=0, length=76 User-Name = "bapro2" User-Password = "&kq\356\275`_R\005\034\262m\263-\r\275" Cisco-AVPair = "shell:priv-lvl=1" NAS-IP-Address = 10.4.133.254 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bapro2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> bapro2 [sql] sql_set_user escaped user --> 'bapro2' rlm_sql (sql): Reserving sql socket id: 0 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bapro2' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'bapro2' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'bapro2' ORDER BY priority rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "&kqî½`_R??²m³- ½" [pap] Using clear text password "1234" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> bapro2 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 3 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 3 Sending Access-Reject of id 0 to 10.4.133.254 port 49154 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.4.133.254 port 49154, id=0, length=76 Sending duplicate reply to client SWITCH port 49154 - ID: 0 Sending Access-Reject of id 0 to 10.4.133.254 port 49154 Waking up in 3.0 seconds. rad_recv: Access-Request packet from host 10.4.133.254 port 49154, id=0, length=76 Sending duplicate reply to client SWITCH port 49154 - ID: 0 Sending Access-Reject of id 0 to 10.4.133.254 port 49154 Cleaning up request 3 ID 0 with timestamp +368 Ready to process requests. I see this line is completed with a wrong or cipher password, I don't know why: [pap] login attempt with password "&kqî½`_R??²m³- ½" Please can you guide me in this problem ??? Really thanks, Roberto
On 05/23/2013 03:34 PM, Roberto Carna wrote:
Dear, I've implemented Linux SSH authentication using PAM against a Freeradius server, it was OK !!!
But know I'm trying to authenticate some Allied switch users against the same Freeradius server...in the Allied switch I've defined the radius server IP, port and secret, and when I try to telnet this switch from other computer I fail and get this Freeradius log:
(..)
[pap] login attempt with password "&kqî½`_R??²m³- ½" [pap] Using clear text password "1234" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
(..)
Please can you guide me in this problem ???
Have you double-checked the shared secret on the server and the NAS? -Øystein
Hi, what exactly means "double-checked" the secret ??? I've defined the same secret in client.conf from Freeradius and in the config from Allied switch Thanks again... 2013/5/23 Øystein Gyland <oystegy@usit.uio.no>
On 05/23/2013 03:34 PM, Roberto Carna wrote:
Dear, I've implemented Linux SSH authentication using PAM against a Freeradius server, it was OK !!!
But know I'm trying to authenticate some Allied switch users against the same Freeradius server...in the Allied switch I've defined the radius server IP, port and secret, and when I try to telnet this switch from other computer I fail and get this Freeradius log:
(..)
[pap] login attempt with password "&kqî½`_R??²m³- ½"
[pap] Using clear text password "1234" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
(..)
Please can you guide me in this problem ???
Have you double-checked the shared secret on the server and the NAS?
-Øystein
Roberto Carna wrote:
But know I'm trying to authenticate some Allied switch users against the same Freeradius server...in the Allied switch I've defined the radius server IP, port and secret, and when I try to telnet this switch from other computer I fail and get this Freeradius log:
It helps to read the debug output.
rad_recv: Access-Request packet from host 10.4.133.254 port 49154, id=0, length=76 User-Name = "bapro2" User-Password = "&kq\356\275`_R\005\034\262m\263-\r\275" ... WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Does that mean anything to you?
I see this line is completed with a wrong or cipher password, I don't know why:
[pap] login attempt with password "&kqî½`_R??²m³- ½"
Please can you guide me in this problem ???
I did. I made FreeRADIUS print out a big WARNING message which you're ignoring. Read it. Follow the instructions. And don't argue that the secret is correct. It's not. Fix it. Alan DeKok.
Dear Alan, my shared secret is "testing123" in bothe switch and freeradius.....it's the default shared secret as you can see....so I get lost :( 2013/5/23 Alan DeKok <aland@deployingradius.com>
Roberto Carna wrote:
But know I'm trying to authenticate some Allied switch users against the same Freeradius server...in the Allied switch I've defined the radius server IP, port and secret, and when I try to telnet this switch from other computer I fail and get this Freeradius log:
It helps to read the debug output.
rad_recv: Access-Request packet from host 10.4.133.254 port 49154, id=0, length=76 User-Name = "bapro2" User-Password = "&kq\356\275`_R\005\034\262m\263-\r\275" ... WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Does that mean anything to you?
I see this line is completed with a wrong or cipher password, I don't know why:
[pap] login attempt with password "&kqî½`_R??²m³- ½"
Please can you guide me in this problem ???
I did. I made FreeRADIUS print out a big WARNING message which you're ignoring.
Read it. Follow the instructions.
And don't argue that the secret is correct. It's not. Fix it.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Roberto Carna wrote:
Dear Alan, my shared secret is "testing123" in bothe switch and freeradius.....it's the default shared secret as you can see....so I get lost :(
No, it's not the same shared secret. I don't know what's going on. But the message "Unprintable characters in the password" means that the shared secret is wrong. NOTHING ELSE will cause the problem. Go back and read the REST of the debug output. Verify that the "client" section printed out by the server has the CORRECT shared secret. i.e. you can sit there and say "but it's right!" all day. That will NOT fix the problem. FreeRADIUS will NOT magically start working. The shared secret is wrong. Go fix it. Alan DeKok.
OK, just a last question....I have Freeradius with MySQL, where is the NAS in order to check the pre-shared secret ??? Thanks again. 2013/5/23 Alan DeKok <aland@deployingradius.com>
Roberto Carna wrote:
Dear Alan, my shared secret is "testing123" in bothe switch and freeradius.....it's the default shared secret as you can see....so I get lost :(
No, it's not the same shared secret. I don't know what's going on. But the message "Unprintable characters in the password" means that the shared secret is wrong.
NOTHING ELSE will cause the problem.
Go back and read the REST of the debug output. Verify that the "client" section printed out by the server has the CORRECT shared secret.
i.e. you can sit there and say "but it's right!" all day. That will NOT fix the problem. FreeRADIUS will NOT magically start working.
The shared secret is wrong. Go fix it.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Roberto Carna wrote:
OK, just a last question....I have Freeradius with MySQL, where is the NAS in order to check the pre-shared secret ???
If you have already edited the shared secret, you should know where it is. Go read the documentation. If you're too lazy to read it, I'm too lazy to cut & paste it here. Alan DeKok.
OK, but using "radtest" utility with user, password and shared secret from other machine, I get the correct response from Freeradius, accepting the authentication. So, the problem maybe is in my Allied switch, maybe the OS is wrong in certain aspects like cipher libraries. Thanks to all. 2013/5/23 Alan DeKok <aland@deployingradius.com>
Roberto Carna wrote:
OK, just a last question....I have Freeradius with MySQL, where is the NAS in order to check the pre-shared secret ???
If you have already edited the shared secret, you should know where it is.
Go read the documentation.
If you're too lazy to read it, I'm too lazy to cut & paste it here.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Roberto Carna -
Øystein Gyland