From the logs I interpret, the error is incorrect password for the user. Is this correct interpretation?
I believe we have added in the NAS correctly to the clients file. Also the username and password, we are testing, authenticates both locally and from another NAS, without issue. Here is an excerpt of our radius -X FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar 31 2010 at 00:25:31 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... client 192.168.1.239 { require_message_authenticator = no secret = "FreeRADIUS" shortname = "New_NAS" } rad_recv: Access-Request packet from host 192.168.1.239 port 1645, id=30, length=140 Framed-Protocol = PPP User-Name = "username@domain.com" User-Password = "password" NAS-Port-Type = Virtual NAS-Port = 0 NAS-Port-Id = "0/0/1/2890" Cisco-AVPair = "client-mac-address=a820.6654.6a6f" Service-Type = Framed-User NAS-IP-Address = 192.168.1.239 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "domain.com" for User-Name = "username@domain.com" [suffix] Found realm "domain.com" [suffix] Adding Stripped-User-Name = "username" [suffix] Adding Realm = "domain.com" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++? if (control:Auth-Type == Reject) (Attribute control:Auth-Type was not found) ++- entering else else {...} [sql] expand: %{Stripped-User-Name} -> username [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> username [sql] sql_set_user escaped user --> 'username' rlm_sql (sql): Reserving sql socket id: 23 [sql] expand: SELECT '1' as id, userId as username, 'Cleartext-Password' as attribute, checkNASIPPassword( '%{NAS-IP-Address}','%{SQL-User-Name}') as value, ':=' as op FROM radiusUsers WHERE userId = '%{SQL-User-Name}' ORDER BY id -> SELECT '1' as id, userId as username, 'Cleartext-Password' as attribute, checkNASIPPassword( '192.168.1.239','username') as value, ':=' as op FROM radiusUsers WHERE userId = 'username' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT '1' as id, userId as username, 'Framed-IP-Address' as attribute, assignIPAddress('%{NAS-IP-Address}','%{SQL-User-Name}') as value, '==' as op FROM radiusUsers WHERE userId = '%{SQL-User-Name}' ORDER BY id -> SELECT '1' as id, userId as username, 'Framed-IP-Address' as attribute, assignIPAddress('192.168.1.239','username') as value, '==' as op FROM radiusUsers WHERE userId = 'username' ORDER BY id [sql] expand: SELECT userID as groupname FROM radiusUsers WHERE userId = '**-Not-Using-Groups-**' -> SELECT userID as groupname FROM radiusUsers WHERE userId = '**-Not-Using-Groups-**' rlm_sql (sql): Released sql socket id: 23 +++[sql] returns ok ++- else else returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "password" [pap] Using clear text password "**-User-Not-Allowed-To-Use-This-NAS-**" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Login incorrect (rlm_pap: CLEAR TEXT password check failed): [ username@domain.com/password] (from client SHL-BRAS-01_239 port 0) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> username@domain.com attr_filter: Matched entry DEFAULT attrt line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 30 to 192.168.1.239 port 1645 Finished request 70.
mr. s wrote:
From the logs I interpret, the error is incorrect password for the user. Is this correct interpretation?
No.
[pap] Using clear text password "**-User-Not-Allowed-To-Use-This-NAS-**"
This is not in the default configuration. You're supposed to understand the configuration you created. Alan DeKok.
Understood, however I am not the one who set this up or created the non-default configuration. Any other guidance is greatly appreciated. Thanks- On Tue, Aug 20, 2013 at 8:30 PM, Alan DeKok <aland@deployingradius.com>wrote:
mr. s wrote:
From the logs I interpret, the error is incorrect password for the user. Is this correct interpretation?
No.
[pap] Using clear text password "**-User-Not-Allowed-To-Use-This-NAS-**"
This is not in the default configuration.
You're supposed to understand the configuration you created.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mr. s wrote:
Understood, however I am not the one who set this up or created the non-default configuration. Any other guidance is greatly appreciated.
Ask the people who created this configuration. We didn't create it, and we don't have access to your system to debug it. The data is in SQL. Look at it. The password "**-User-Not-Allowed-To-Use-This-NAS-**" should explain itself. Does it suggest anything to you? Perhaps you should look at your SQL queries and your SQL database to see what's going on. Alan DeKok.
And thats the rub, thanks very very much. It is a stored query in our sql. Easy once you know where its at. On Tue, Aug 20, 2013 at 9:54 PM, Alan DeKok <aland@deployingradius.com>wrote:
mr. s wrote:
Understood, however I am not the one who set this up or created the non-default configuration. Any other guidance is greatly appreciated.
Ask the people who created this configuration. We didn't create it, and we don't have access to your system to debug it.
The data is in SQL. Look at it.
The password "**-User-Not-Allowed-To-Use-This-NAS-**" should explain itself. Does it suggest anything to you? Perhaps you should look at your SQL queries and your SQL database to see what's going on.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
mr. s