freeradius | shared secret is incorrect | unprintable characters in the password
- First, I known this question had been asked many times, and I had read many posts about it, and reenter the shared secret many times, but still could not resolve my problem, I had been blocked on this nearly a week, so I need your help, thanks in advance - radius server : freeradius-server-2.2.0 - radius client : freeradius-client-1.1.6 - OS : Ubuntu 10.10 - *Following is one full log of the radius server :* - - Info: FreeRADIUS Version 2.2.0, for host i686-pc-linux-gnu, built on May 31 2013 at 22:41:36 - Info: Copyright (C) 1999-2012 The FreeRADIUS server project and contributors. - Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A - Info: PARTICULAR PURPOSE. - Info: You may redistribute copies of FreeRADIUS under the terms of the - Info: GNU General Public License v2. - Info: Starting - reading configuration files ... - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/radiusd.conf - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/proxy.conf - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/clients.conf - Debug: including files in directory /usr/local/freeradius-server-2.2.0/etc/raddb/modules/ - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/soh - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/rediswho - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/ippool - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/expr - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/opendirectory - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/radrelay - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/chap - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/detail.log - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/mac2vlan - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/cache - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/dynamic_clients - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/mschap - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/always - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/wimax - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/sqlcounter_expire_on_login - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/detail - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/exec - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/ldap - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/redis - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/attr_rewrite - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/logintime - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/linelog - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/echo - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/acct_unique - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/checkval - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/pam - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/cui - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/replicate - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/inner-eap - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/radutmp - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/realm - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/smsotp - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/detail.example.com - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/files - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/sql_log - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/krb5 - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/dhcp_sqlippool - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/sql/mysql/ippool-dhcp.conf - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/digest - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/sradutmp - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/passwd - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/attr_filter - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/etc_group - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/policy - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/perl - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/counter - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/smbpasswd - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/otp - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/ntlm_auth - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/pap - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/preprocess - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/mac2ip - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/expiration - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/unix - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/eap.conf - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/policy.conf - Debug: including files in directory /usr/local/freeradius-server-2.2.0/etc/raddb/sites-enabled/ - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/sites-enabled/default - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/sites-enabled/inner-tunnel - Debug: including configuration file /usr/local/freeradius-server-2.2.0/etc/raddb/sites-enabled/control-socket - Debug: main { - Debug: allow_core_dumps = no - Debug: } - Debug: including dictionary file /usr/local/freeradius-server-2.2.0/etc/raddb/dictionary - Debug: main { - Debug: name = "radiusd" - Debug: prefix = "/usr/local/freeradius-server-2.2.0" - Debug: localstatedir = "/usr/local/freeradius-server-2.2.0/var" - Debug: sbindir = "/usr/local/freeradius-server-2.2.0/sbin" - Debug: logdir = "/usr/local/freeradius-server-2.2.0/var/log/radius" - Debug: run_dir = "/usr/local/freeradius-server-2.2.0/var/run/radiusd" - Debug: libdir = "/usr/local/freeradius-server-2.2.0/lib" - Debug: radacctdir = "/usr/local/freeradius-server-2.2.0/var/log/radius/radacct" - Debug: hostname_lookups = no - Debug: max_request_time = 30 - Debug: cleanup_delay = 5 - Debug: max_requests = 1024 - Debug: pidfile = "/usr/local/freeradius-server-2.2.0/var/run/radiusd/radiusd.pid" - Debug: checkrad = "/usr/local/freeradius-server-2.2.0/sbin/checkrad" - Debug: debug_level = 0 - Debug: proxy_requests = yes - Debug: log { - Debug: stripped_names = no - Debug: auth = no - Debug: auth_badpass = no - Debug: auth_goodpass = no - Debug: } - Debug: security { - Debug: max_attributes = 200 - Debug: reject_delay = 1 - Debug: status_server = yes - Debug: } - Debug: } - Debug: radiusd: #### Loading Realms and Home Servers #### - Debug: proxy server { - Debug: retry_delay = 5 - Debug: retry_count = 3 - Debug: default_fallback = no - Debug: dead_time = 120 - Debug: wake_all_if_all_dead = no - Debug: } - Debug: home_server localhost { - Debug: ipaddr = 127.0.0.1 - Debug: port = 1812 - Debug: type = "auth" - Debug: secret = "testing123" - Debug: response_window = 20 - Debug: max_outstanding = 65536 - Debug: require_message_authenticator = yes - Debug: zombie_period = 40 - Debug: status_check = "status-server" - Debug: ping_interval = 30 - Debug: check_interval = 30 - Debug: num_answers_to_alive = 3 - Debug: num_pings_to_alive = 3 - Debug: revive_interval = 120 - Debug: status_check_timeout = 4 - Debug: coa { - Debug: irt = 2 - Debug: mrt = 16 - Debug: mrc = 5 - Debug: mrd = 30 - Debug: } - Debug: } - Debug: home_server_pool my_auth_failover { - Debug: type = fail-over - Debug: home_server = localhost - Debug: } - Debug: realm example.com { - Debug: auth_pool = my_auth_failover - Debug: } - Debug: realm LOCAL { - Debug: } - Debug: radiusd: #### Loading Clients #### - Debug: client localhost { - Debug: ipaddr = 127.0.0.1 - Debug: require_message_authenticator = no - Debug: secret = "testing123" - Debug: nastype = "other" - Debug: } - Debug: radiusd: #### Instantiating modules #### - Debug: instantiate { - Debug: (Loaded rlm_exec, checking if it's valid) - Debug: Module: Linked to module rlm_exec - Debug: Module: Instantiating module "exec" from file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/exec - Debug: exec { - Debug: wait = no - Debug: input_pairs = "request" - Debug: shell_escape = yes - Debug: } - Debug: (Loaded rlm_expr, checking if it's valid) - Debug: Module: Linked to module rlm_expr - Debug: Module: Instantiating module "expr" from file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/expr - Debug: (Loaded rlm_expiration, checking if it's valid) - Debug: Module: Linked to module rlm_expiration - Debug: Module: Instantiating module "expiration" from file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/expiration - Debug: expiration { - Debug: reply-message = "Password Has Expired " - Debug: } - Debug: (Loaded rlm_logintime, checking if it's valid) - Debug: Module: Linked to module rlm_logintime - Debug: Module: Instantiating module "logintime" from file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/logintime - Debug: logintime { - Debug: reply-message = "You are calling outside your allowed timespan " - Debug: minimum-timeout = 60 - Debug: } - Debug: } - Debug: radiusd: #### Loading Virtual Servers #### - Debug: server { # from file /usr/local/freeradius-server-2.2.0/etc/raddb/radiusd.conf - Debug: modules { - Debug: Module: Creating Auth-Type = digest - Debug: Module: Creating Post-Auth-Type = REJECT - Debug: Module: Checking authenticate {...} for more modules to load - Debug: (Loaded rlm_pap, checking if it's valid) - Debug: Module: Linked to module rlm_pap - Debug: Module: Instantiating module "pap" from file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/pap - Debug: pap { - Debug: encryption_scheme = "auto" - Debug: auto_header = no - Debug: } - Debug: (Loaded rlm_chap, checking if it's valid) - Debug: Module: Linked to module rlm_chap - Debug: Module: Instantiating module "chap" from file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/chap - Debug: (Loaded rlm_mschap, checking if it's valid) - Debug: Module: Linked to module rlm_mschap - Debug: Module: Instantiating module "mschap" from file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/mschap - Debug: mschap { - Debug: use_mppe = yes - Debug: require_encryption = no - Debug: require_strong = no - Debug: with_ntdomain_hack = no - Debug: allow_retry = yes - Debug: } - Debug: (Loaded rlm_digest, checking if it's valid) - Debug: Module: Linked to module rlm_digest - Debug: Module: Instantiating module "digest" from file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/digest - Debug: (Loaded rlm_unix, checking if it's valid) - Debug: Module: Linked to module rlm_unix - Debug: Module: Instantiating module "unix" from file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/unix - Debug: unix { - Debug: radwtmp = "/usr/local/freeradius-server-2.2.0/var/log/radius/radwtmp" - Debug: } - Debug: (Loaded rlm_eap, checking if it's valid) - Debug: Module: Linked to module rlm_eap - Debug: Module: Instantiating module "eap" from file /usr/local/freeradius-server-2.2.0/etc/raddb/eap.conf - Debug: eap { - Debug: default_eap_type = "md5" - Debug: timer_expire = 60 - Debug: ignore_unknown_eap_types = no - Debug: cisco_accounting_username_bug = no - Debug: max_sessions = 4096 - Debug: } - Debug: Module: Linked to sub-module rlm_eap_md5 - Debug: Module: Instantiating eap-md5 - Debug: Module: Linked to sub-module rlm_eap_leap - Debug: Module: Instantiating eap-leap - Debug: Module: Linked to sub-module rlm_eap_gtc - Debug: Module: Instantiating eap-gtc - Debug: gtc { - Debug: challenge = "Password: " - Debug: auth_type = "PAP" - Debug: } - Debug: Ignoring EAP-Type/tls because we do not have OpenSSL support. - Debug: Ignoring EAP-Type/ttls because we do not have OpenSSL support. - Debug: Ignoring EAP-Type/peap because we do not have OpenSSL support. - Debug: Module: Linked to sub-module rlm_eap_mschapv2 - Debug: Module: Instantiating eap-mschapv2 - Debug: mschapv2 { - Debug: with_ntdomain_hack = no - Debug: send_error = no - Debug: } - Debug: Module: Checking authorize {...} for more modules to load - Debug: (Loaded rlm_preprocess, checking if it's valid) - Debug: Module: Linked to module rlm_preprocess - Debug: Module: Instantiating module "preprocess" from file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/preprocess - Debug: preprocess { - Debug: huntgroups = "/usr/local/freeradius-server-2.2.0/etc/raddb/huntgroups" - Debug: hints = "/usr/local/freeradius-server-2.2.0/etc/raddb/hints" - Debug: with_ascend_hack = no - Debug: ascend_channels_per_line = 23 - Debug: with_ntdomain_hack = no - Debug: with_specialix_jetstream_hack = no - Debug: with_cisco_vsa_hack = no - Debug: with_alvarion_vsa_hack = no - Debug: } - Debug: reading pairlist file /usr/local/freeradius-server-2.2.0/etc/raddb/huntgroups - Debug: reading pairlist file /usr/local/freeradius-server-2.2.0/etc/raddb/hints - Debug: (Loaded rlm_realm, checking if it's valid) - Debug: Module: Linked to module rlm_realm - Debug: Module: Instantiating module "suffix" from file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/realm - Debug: realm suffix { - Debug: format = "suffix" - Debug: delimiter = "@" - Debug: ignore_default = no - Debug: ignore_null = no - Debug: } - Debug: (Loaded rlm_files, checking if it's valid) - Debug: Module: Linked to module rlm_files - Debug: Module: Instantiating module "files" from file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/files - Debug: files { - Debug: usersfile = "/usr/local/freeradius-server-2.2.0/etc/raddb/users" - Debug: acctusersfile = "/usr/local/freeradius-server-2.2.0/etc/raddb/acct_users" - Debug: preproxy_usersfile = "/usr/local/freeradius-server-2.2.0/etc/raddb/preproxy_users" - Debug: compat = "no" - Debug: } - Debug: reading pairlist file /usr/local/freeradius-server-2.2.0/etc/raddb/users - Debug: reading pairlist file /usr/local/freeradius-server-2.2.0/etc/raddb/acct_users - Debug: reading pairlist file /usr/local/freeradius-server-2.2.0/etc/raddb/preproxy_users - Debug: Module: Checking preacct {...} for more modules to load - Debug: (Loaded rlm_acct_unique, checking if it's valid) - Debug: Module: Linked to module rlm_acct_unique - Debug: Module: Instantiating module "acct_unique" from file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/acct_unique - Debug: acct_unique { - Debug: key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" - Debug: } - Debug: Module: Checking accounting {...} for more modules to load - Debug: (Loaded rlm_detail, checking if it's valid) - Debug: Module: Linked to module rlm_detail - Debug: Module: Instantiating module "detail" from file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/detail - Debug: detail { - Debug: detailfile = "/usr/local/freeradius-server-2.2.0/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Ad - Debug: header = "%t" - Debug: detailperm = 384 - Debug: dirperm = 493 - Debug: locking = no - Debug: log_packet_header = no - Debug: } - Debug: (Loaded rlm_attr_filter, checking if it's valid) - Debug: Module: Linked to module rlm_attr_filter - Debug: Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/freeradius-server-2.2.0/etc/raddb/mod - Debug: attr_filter attr_filter.accounting_response { - Debug: attrsfile = "/usr/local/freeradius-server-2.2.0/etc/raddb/attrs.accounting_response" - Debug: key = "%{User-Name}" - Debug: relaxed = no - Debug: } - Debug: reading pairlist file /usr/local/freeradius-server-2.2.0/etc/raddb/attrs.accounting_response - Debug: Module: Checking session {...} for more modules to load - Debug: (Loaded rlm_radutmp, checking if it's valid) - Debug: Module: Linked to module rlm_radutmp - Debug: Module: Instantiating module "radutmp" from file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/radutmp - Debug: radutmp { - Debug: filename = "/usr/local/freeradius-server-2.2.0/var/log/radius/radutmp" - Debug: username = "%{User-Name}" - Debug: case_sensitive = yes - Debug: check_with_nas = yes - Debug: perm = 384 - Debug: callerid = yes - Debug: } - Debug: Module: Checking post-proxy {...} for more modules to load - Debug: Module: Checking post-auth {...} for more modules to load - Debug: Module: Instantiating module "attr_filter.access_reject" from file /usr/local/freeradius-server-2.2.0/etc/raddb/modules/a - Debug: attr_filter attr_filter.access_reject { - Debug: attrsfile = "/usr/local/freeradius-server-2.2.0/etc/raddb/attrs.access_reject" - Debug: key = "%{User-Name}" - Debug: relaxed = no - Debug: } - Debug: reading pairlist file /usr/local/freeradius-server-2.2.0/etc/raddb/attrs.access_reject - Debug: } # modules - Debug: } # server - Debug: server inner-tunnel { # from file /usr/local/freeradius-server-2.2.0/etc/raddb/sites-enabled/inner-tunnel - Debug: modules { - Debug: Module: Checking authenticate {...} for more modules to load - Debug: Module: Checking authorize {...} for more modules to load - Debug: Module: Checking session {...} for more modules to load - Debug: Module: Checking post-proxy {...} for more modules to load - Debug: Module: Checking post-auth {...} for more modules to load - Debug: } # modules - Debug: } # server - Debug: radiusd: #### Opening IP addresses and Ports #### - Debug: listen { - Debug: type = "auth" - Debug: ipaddr = * - Debug: port = 0 - Debug: } - Debug: listen { - Debug: type = "acct" - Debug: ipaddr = * - Debug: port = 0 - Debug: } - Debug: listen { - Debug: type = "control" - Debug: listen { - Debug: socket = "/usr/local/freeradius-server-2.2.0/var/run/radiusd/radiusd.sock" - Debug: } - Debug: } - Debug: listen { - Debug: type = "auth" - Debug: ipaddr = 127.0.0.1 - Debug: port = 18120 - Debug: } - Debug: ... adding new socket proxy address * port 53579 - Debug: Listening on authentication address * port 1812 - Debug: Listening on accounting address * port 1813 - Debug: Listening on command file /usr/local/freeradius-server-2.2.0/var/run/radiusd/radiusd.sock - Debug: Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel - Debug: Listening on proxy address * port 1814 - Info: Ready to process requests. - Info: # Executing section authorize from file /usr/local/freeradius-server-2.2.0/etc/raddb/sites-enabled/default - Info: +- entering group authorize {...} - Info: ++[preprocess] returns ok - Info: ++[chap] returns noop - Info: ++[mschap] returns noop - Info: ++[digest] returns noop - Info: [suffix] No '@' in User-Name = "steve", looking up realm NULL - Info: [suffix] No such realm "NULL" - Info: ++[suffix] returns noop - Info: [eap] No EAP-Message, not doing EAP - Info: ++[eap] returns noop - Info: [files] users: Matched entry steve at line 76 - Info: ++[files] returns ok - Info: ++[expiration] returns noop - Info: ++[logintime] returns noop - Info: ++[pap] returns updated - Info: Found Auth-Type = PAP - Info: # Executing group from file /usr/local/freeradius-server-2.2.0/etc/raddb/sites-enabled/default - Info: +- entering group PAP {...} - Info: [pap] login attempt with password "*f言U?(?Wk?b ?*" - Info: [pap] Using clear text password "testing" - Info: [pap] Passwords don't match - Info: ++[pap] returns reject - Info: Failed to authenticate the user. - Debug: WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! - Info: Using Post-Auth-Type REJECT - Info: # Executing group from file /usr/local/freeradius-server-2.2.0/etc/raddb/sites-enabled/default - Info: +- entering group REJECT {...} - Info: [attr_filter.access_reject] expand: %{User-Name} -> steve - Debug: attr_filter: Matched entry DEFAULT at line 11 - Info: ++[attr_filter.access_reject] returns updated - Info: Delaying reject of request 0 for 1 seconds - Debug: Going to the next request - Debug: Waking up in 0.9 seconds. - Info: Sending delayed reject for request 0 - Debug: Waking up in 4.9 seconds. - Info: Cleaning up request 0 ID 183 with timestamp +24 - Info: Ready to process requests. - *I found that every time the password which are transformed from the client is different though I input at the client with the same password every time(the part I marked as red)* * * - *The server's one configure file : users, is as following, I only uncommented the user "steve" and changed its IP :* - - # - # Please read the documentation file ../doc/processing_users_file, - # or 'man 5 users' (after installing the server) for more information. - # - # This file contains authentication security and configuration - # information for each user. Accounting requests are NOT processed - # through this file. Instead, see 'acct_users', in this directory. - # - # The first field is the user's name and can be up to - # 253 characters in length. This is followed (on the same line) with - # the list of authentication requirements for that user. This can - # include password, comm server name, comm server port number, protocol - # type (perhaps set by the "hints" file), and huntgroup name (set by - # the "huntgroups" file). - # - # If you are not sure why a particular reply is being sent by the - # server, then run the server in debugging mode (radiusd -X), and - # you will see which entries in this file are matched. - # - # When an authentication request is received from the comm server, - # these values are tested. Only the first match is used unless the - # "Fall-Through" variable is set to "Yes". - # - # A special user named "DEFAULT" matches on all usernames. - # You can have several DEFAULT entries. All entries are processed - # in the order they appear in this file. The first entry that - # matches the login-request will stop processing unless you use - # the Fall-Through variable. - # - # If you use the database support to turn this file into a .db or .dbm - # file, the DEFAULT entries _have_ to be at the end of this file and - # you can't have multiple entries for one username. - # - # Indented (with the tab character) lines following the first - # line indicate the configuration values to be passed back to - # the comm server to allow the initiation of a user session. - # This can include things like the PPP configuration values - # or the host to log the user onto. - # - # You can include another `users' file with `$INCLUDE users.other' - # - - # - # For a list of RADIUS attributes, and links to their definitions, - # see: - # - # http://www.freeradius.org/rfc/attributes.html - # - - # - # Deny access for a specific user. Note that this entry MUST - # be before any other 'Auth-Type' attribute which results in the user - # being authenticated. - # - # Note that there is NO 'Fall-Through' attribute, so the user will not - # be given any additional resources. - # - #lameuser Auth-Type := Reject - # Reply-Message = "Your account has been disabled." - - # - # Deny access for a group of users. - # - # Note that there is NO 'Fall-Through' attribute, so the user will not - # be given any additional resources. - # - #DEFAULT Group == "disabled", Auth-Type := Reject - # Reply-Message = "Your account has been disabled." - # - - # - # This is a complete entry for "steve". Note that there is no Fall-Through - # entry so that no DEFAULT entry will be used, and the user will NOT - # get any attributes in addition to the ones listed here. - # - steve Cleartext-Password := "testing" - Service-Type = Framed-User, - Framed-Protocol = PPP, - Framed-IP-Address = 127.0.0.1, - Framed-IP-Netmask = 255.255.255.0, - Framed-Routing = Broadcast-Listen, - Framed-Filter-Id = "std.ppp", - Framed-MTU = 1500, - Framed-Compression = Van-Jacobsen-TCP-IP - - # - # This is an entry for a user with a space in their name. - # Note the double quotes surrounding the name. - # - #"John Doe" Cleartext-Password := "hello" - # Reply-Message = "Hello, %{User-Name}" - - # - # Dial user back and telnet to the default host for that port - # - #Deg Cleartext-Password := "ge55ged" - # Service-Type = Callback-Login-User, - # Login-IP-Host = 0.0.0.0, - # Callback-Number = "9,5551212", - # Login-Service = Telnet, - # Login-TCP-Port = Telnet - - # - # Another complete entry. After the user "dialbk" has logged in, the - # connection will be broken and the user will be dialed back after which - # he will get a connection to the host "timeshare1". - # - #dialbk Cleartext-Password := "callme" - # Service-Type = Callback-Login-User, - # Login-IP-Host = timeshare1, - # Login-Service = PortMaster, - # Callback-Number = "9,1-800-555-1212" - - # - # user "swilson" will only get a static IP number if he logs in with - # a framed protocol on a terminal server in Alphen (see the huntgroups file). - # - # Note that by setting "Fall-Through", other attributes will be added from - # the following DEFAULT entries - # - #swilson Service-Type == Framed-User, Huntgroup-Name == "alphen" - # Framed-IP-Address = 192.168.1.65, - # Fall-Through = Yes - - # - # If the user logs in as 'username.shell', then authenticate them - # using the default method, give them shell access, and stop processing - # the rest of the file. - # - #DEFAULT Suffix == ".shell" - # Service-Type = Login-User, - # Login-Service = Telnet, - # Login-IP-Host = your.shell.machine - - - # - # The rest of this file contains the several DEFAULT entries. - # DEFAULT entries match with all login names. - # Note that DEFAULT entries can also Fall-Through (see first entry). - # A name-value pair from a DEFAULT entry will _NEVER_ override - # an already existing name-value pair. - # - - # - # Set up different IP address pools for the terminal servers. - # Note that the "+" behind the IP address means that this is the "base" - # IP address. The Port-Id (S0, S1 etc) will be added to it. - # - #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen" - # Framed-IP-Address = 192.168.1.32+, - # Fall-Through = Yes - - #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft" - # Framed-IP-Address = 192.168.2.32+, - # Fall-Through = Yes - - # - # Sample defaults for all framed connections. - # - #DEFAULT Service-Type == Framed-User - # Framed-IP-Address = 255.255.255.254, - # Framed-MTU = 576, - # Service-Type = Framed-User, - # Fall-Through = Yes - - # - # Default for PPP: dynamic IP address, PPP mode, VJ-compression. - # NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected - # by the terminal server in which case there may not be a "P" suffix. - # The terminal server sends "Framed-Protocol = PPP" for auto PPP. - # - DEFAULT Framed-Protocol == PPP - Framed-Protocol = PPP, - Framed-Compression = Van-Jacobson-TCP-IP - - # - # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression. - # - DEFAULT Hint == "CSLIP" - Framed-Protocol = SLIP, - Framed-Compression = Van-Jacobson-TCP-IP - - # - # Default for SLIP: dynamic IP address, SLIP mode. - # - DEFAULT Hint == "SLIP" - Framed-Protocol = SLIP - - # - # Last default: rlogin to our main server. - # - #DEFAULT - # Service-Type = Login-User, - # Login-Service = Rlogin, - # Login-IP-Host = shellbox.ispdomain.com - - # # - # # Last default: shell on the local terminal server. - # # - # DEFAULT - # Service-Type = Administrative-User - - # On no match, the user is denied access. - *The server's another configure file : clients.conf, and I changed nothing . yes, I used the default secret as the shared secret:* - - - *The client's one configure file : servers. BTW, I also tried the ways that only keep one localhost in the left side and changed it to 127.0.0.1 , the error is still and same, and I also tried reenter the shared secret many times* - - ## Server Name or Client/Server pair Key - ## ---------------- --------------- - # - #portmaster.elemental.net hardlyasecret - #portmaster2.elemental.net donttellanyone - # - ## uncomment the following line for simple testing of radlogin - ## with freeradius-server - # - localhost/localhost testing123 - *The client's another configure file : radiusclient.conf, I changed nothing*
Hi, check the shared secret you have defined in clients.conf on the server. check the shared secret you are using on the client check the server debug logs etc to see WHAT IP the client is coming through - if you are using a localhost address or name....if using the name it might be using another IP socket connection which may be matching one of the other default values present in clients.conf alan
On 06/02/2013 10:00 AM, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
check the shared secret you have defined in clients.conf on the server.
check the shared secret you are using on the client
check the server debug logs etc to see WHAT IP the client is coming through - if you are using a localhost address or name....if using the name it might be using another IP socket connection which may be matching one of the other default values present in clients.conf
Also, pay careful attention to the file pathnames in the debug output and make sure you're editing the same file. A common problem is editing files in /etc/raddb but the server is reading files some other location. For example your debug log shows this: /usr/local/freeradius-server-2.2.0/etc/raddb/clients.conf Is that the file you're editing?
Shi Xiaoyan wrote:
* First, I known this question had been asked many times, and I had read many posts about it, and reenter the shared secret many times, but still could not resolve my problem, I had been blocked on this nearly a week, so I need your help, thanks in advance
Please post plain text. There's no reason to add bullet points before every line. Please DO NOT post the "users" file. The documentation doesn't ask for it, and we don't need it. Please post "radiusd -X". Adding more "-x" is not needed. Alan DeKok.
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
John Dennis -
Shi Xiaoyan