Intermittent access-reject even though password is correct
Hi, I am getting intermittent access-reject response from free-radius even though password was correct. User have to try again and this time user is allowed. Following are the debug logs for one such transaction - rad_recv: Access-Request packet from host 122.176.209.171 port 23328, id=41, length=321 ChilliSpot-Version = "1.3.0" User-Name = "aqua" CHAP-Challenge = 0x86b6482ac2204b1801b4705ca5d43722 CHAP-Password = 0x00662b9af994945519294eb931419a5e21 Service-Type = Login-User Acct-Session-Id = "5380389300000002" Framed-IP-Address = 192.168.182.3 NAS-Port-Type = Wireless-802.11 NAS-Port = 2 NAS-Port-Id = "00000002" Calling-Station-Id = "60-FA-CD-D1-45-CE" Called-Station-Id = "C8-D3-A3-6C-F2-53" NAS-IP-Address = 192.168.182.1 NAS-Identifier = "moka_ug" WISPr-Location-ID = "isocc=,cc=,ac=,network=xxxxxxx" WISPr-Location-Name = "xxxx" WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff" Message-Authenticator = 0xe8d077bea1e4565958097834c2143975 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "aqua", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> aqua [sql] sql_set_user escaped user --> 'aqua' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'aqua' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'aqua' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'aqua' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'gartino_ug' ORDER BY id [sql] User found in group gartino_ug [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'gartino_ug' ORDER BY id rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = CHAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group CHAP {...} [chap] login attempt by "aqua" with CHAP password [chap] Using clear text password "mango" for user aqua authentication. [chap] Password check failed ++[chap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> aqua attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 3601 for 1 seconds Going to the next request Waking up in 0.9 seconds. Can someone please help me understand what's going wrong? I am using coovachilli as a capative portal solution which automatically send these packets to radius server for AAA.
Sachin Yadav wrote:
I am getting intermittent access-reject response from free-radius even though password was correct. User have to try again and this time user is allowed. Following are the debug logs for one such transaction -
If FreeRADIUS says that the password is wrong... it's likely wrong.
# Executing group from file /etc/raddb/sites-enabled/default +- entering group CHAP {...} [chap] login attempt by "aqua" with CHAP password [chap] Using clear text password "mango" for user aqua authentication. [chap] Password check failed
That's pretty definitive.
Can someone please help me understand what's going wrong? I am using coovachilli as a capative portal solution which automatically send these packets to radius server for AAA.
I would expect coovachilli to get it right, but maybe not. If you're running v3, you can do "radiusd -Xx" to see exactly what is seen for CHAP, and what is calculated. That can help debug the issue. Alan DeKok.
participants (2)
-
Alan DeKok -
Sachin Yadav