Hello group, I try to migrate a freeradius-Server from 1.1.7 to 2.0.3 using the new 2.0 syntax. Authentication uses the plain textfile /etc/raddb/users. Although my test-user matches an entry, I get an error-message "auth: No authenticate method (Auth-Type)..." I have no idea how to change this Auth-Type. The exact error you can see in an excerpt of radiusd -X: #radiusd -X FreeRADIUS Version 2.0.3, for host i686-pc-linux-gnu, built on Apr 3 2008 at 13:33:47 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... [...] files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" compat = "cistron" } [/usr/local/etc/raddb/users]:1 Cistron compatibility checks for entry odsl ... Changing 'Password =' to 'Password ==' Changing 'Huntgroup-Name =' to 'Huntgroup-Name ==' Changing 'Simultaneous-Use =' to 'Simultaneous-Use +=' [...] Ready to process requests. [...] Going to the next request Ready to process requests. User-Password = "XYZ8AB" User-Name = "odsl" Acct-Session-Id = "erx GigabitEthernet 6/0.44:44:0004269184" Service-Type = Framed-User Framed-Protocol = PPP ERX-Pppoe-Description = "pppoe 00:a0:c5:53:c9:40" Calling-Station-Id = "#erx705#E60#44" NAS-Port-Type = Ethernet NAS-Port = 1610612780 NAS-Port-Id = "GigabitEthernet 6/0.44:44" NAS-IP-Address = XX.XX.XX.XX NAS-Identifier = "erx705" +- entering group authorize ++[preprocess] returns ok WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. users: Matched entry odsl at line 1 ++[files] returns ok auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [odsl/XYZ8AB] (from client testerx port 1610612780 cli #erx705#E60#44) Delaying reject of request 0 for 1 seconds Going to the next request I have nothing special in my authorize and authenticate sections, because there was no need for it in 1.1.7 (no pap-settings for example). In short these entries: /etc/raddb/radiusd.conf: [...] files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = cistron } [...] $INCLUDE sites-enabled/ /etc/raddb/sites-available/default: authorize { preprocess } authenticate { } [...] Do I need rlm_pap now in 2.0.3 for using "files"-authentication? Any ideas, how I can make users/files authentication work again? Greetings, oz
oz wrote:
I have no idea how to change this Auth-Type.
You don't. You fix the configuration files to use the new recommended practice, which started being recommended in version 1.1.4.
[/usr/local/etc/raddb/users]:1 Cistron compatibility checks for entry odsl ... Changing 'Password =' to 'Password ==' Changing 'Huntgroup-Name =' to 'Huntgroup-Name ==' Changing 'Simultaneous-Use =' to 'Simultaneous-Use +='
Fix those entries. Also, change ALL "Password = ..." or "Password == .." to "Cleartext-Password := ..." See the FAQ for an example.
++[preprocess] returns ok WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information.
Could you please try reading the debug output, and following it's recommendations?
Do I need rlm_pap now in 2.0.3 for using "files"-authentication? Any ideas, how I can make users/files authentication work again?
READ the debug output? Honestly. We don't just say "run in debugging mode" because we want the logs to be posted to the list. YOU need to read the output. It's not hard. Things like "WARNING" and "read the man page" should indicate to most people that maybe reading the "man" page would be a good idea. Alan DeKok.
First, thanks for supporting anyway! Alan DeKok wrote:
oz wrote:
I have no idea how to change this Auth-Type.
You don't. You fix the configuration files to use the new recommended practice, which started being recommended in version 1.1.4.
If you mean the cistron-compatibilty, I know it is not the recommended syntax. But we need this compatibility, because we can't change our users-processing at the moment. I'm sorry that I wasn't aware that "Password" has to be replaced with "Cleartext-Password" in 2.x. I read the docu before, but didn't find it mentioned explicitly.
[/usr/local/etc/raddb/users]:1 Cistron compatibility checks for entry odsl ... Changing 'Password =' to 'Password ==' Changing 'Huntgroup-Name =' to 'Huntgroup-Name ==' Changing 'Simultaneous-Use =' to 'Simultaneous-Use +='
Fix those entries
All I needed to do was replacing odsl Password = "XYZ8AB" with odsl Cleartext-Password = "XYZ8AB" in my users-file, and it instantly worked!
Also, change ALL "Password = ..." or "Password == .." to "Cleartext-Password := ..." See the FAQ for an example.
That was the key and works under "compat = cistron" also.
++[preprocess] returns ok WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information.
Could you please try reading the debug output, and following it's recommendations?
Yes, that can't be stressed enough! But I did, I just had the misunderstanding, that Cleartext-Password means the *value* of User-Password - and not is an attribute name by itself. And in "man rlm_pap" Cleartext-Password is not mentioned.
Do I need rlm_pap now in 2.0.3 for using "files"-authentication? Any ideas, how I can make users/files authentication work again?
READ the debug output?
Yes, and I had tried using the pap-module, but with no success. It was the wrong direction, as I know now.
Honestly. We don't just say "run in debugging mode" because we want the logs to be posted to the list. YOU need to read the output. It's not hard. Things like "WARNING" and "read the man page" should indicate to most people that maybe reading the "man" page would be a good idea.
True as always. But sometimes debug-logs can be wrong interpreted and need additional information. Now, that I know that "Cleartext-Password" is mandatory in 2.x, I have another problem. I can't take the same users-file I use with my other 1.1.7-Servers without conversion. Freeradius-2.x is in my situation not downward-compatible, right?. Is it a dumb idea, to convert Password --> Cleartext-Password in a later release, when "compat = cistron" ist used? Or to accept both terms, "Password" and "Cleartext-Password"? Greetings, oz
oz wrote:
I'm sorry that I wasn't aware that "Password" has to be replaced with "Cleartext-Password" in 2.x. I read the docu before, but didn't find it mentioned explicitly.
You're using 1.1.7. It was mentioned in the documentation when 1.1.4 was released.
Yes, that can't be stressed enough! But I did, I just had the misunderstanding, that Cleartext-Password means the *value* of User-Password - and not is an attribute name by itself. And in "man rlm_pap" Cleartext-Password is not mentioned.
Ok.
Now, that I know that "Cleartext-Password" is mandatory in 2.x, I have another problem. I can't take the same users-file I use with my other 1.1.7-Servers without conversion. Freeradius-2.x is in my situation not downward-compatible, right?. Is it a dumb idea, to convert Password --> Cleartext-Password in a later release, when "compat = cistron" ist used? Or to accept both terms, "Password" and "Cleartext-Password"?
Don't use Password or User-Password anywhere in the configs. Use Cleartext-Password. Alan DeKok.
/etc/raddb/sites-available/default: authorize { preprocess }
authenticate { } [...]
Do I need rlm_pap now in 2.0.3 for using "files"-authentication? Any ideas, how I can make users/files authentication work again?
By going back to default "default" configuration. Put back the things you deleted and "Hey, presto" it will work. Don't delete thigs if you don't have a good idea what are they used for. Ivan Kalik Kalik Informatika ISP
participants (3)
-
Alan DeKok -
Ivan Kalik -
oz