Hi, I have recently installed freeradius and am having some trouble authenticating a test adsl user. The users file is default plus the following additions:- DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP, Tunnel-Type == L2TP, Tunnel-Medium-Type == IP, Service-Type = Framed-User, Tunnel-Password = blahblah, Tunnel-Server-Endpoint = 192.168.0.1, Tunnel-Client-Auth-ID = Tunnel-21CN, Fall-Through = Yes testuser@randomdomain.net.uk Cleartext-Password :="test123", NAS-IP-Address == 1.1.1.1 Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 10.1.1.1, Framed-IP-Netmask = 255.255.255.255, Cisco-AVPair = "ip:dns-servers=8.8.8.8" Ready to process requests. rad_recv: Access-Request packet from host 62.249.192.164 port 31625, id=13, length=145 Framed-Protocol = PPP User-Name = "testuser@randomdomain.net.uk" CHAP-Password = 0x027bcf494903b89f4cda018f7c8af60ce1 Connect-Info = "14292000/1000" NAS-Port-Type = ISDN NAS-Port = 21337 NAS-Port-Id = "Uniq-Sess-ID1337" Service-Type = Framed-User NAS-IP-Address = 62.249.255.146 Calling-Station-Id = "WBC BBEU00014378" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "randomdomain.net.uk" for User-Name = "testuser@randomdomain.net.uk" [suffix] No such realm "randomdomain.net.uk" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = CHAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group CHAP {...} [chap] login attempt by "testuser@randomdomain.net.uk" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> testuser@randomdomain.net.uk attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 13 to 62.249.192.164 port 31625 Waking up in 4.9 seconds. Cleaning up request 0 ID 13 with timestamp +4 Ready to process requests. The main thing that strikes me is the below:- [chap] login attempt by "testuser@randomdomain.net.uk" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid There is a Cleartext-Password set so unsure why this error is occurring. Any help most appreciated.
Nick wrote:
testuser@randomdomain.net.uk Cleartext-Password :="test123", NAS-IP-Address == 1.1.1.1 ... rad_recv: Access-Request packet from host 62.249.192.164 port 31625, id=13, length=145 ... NAS-IP-Address = 62.249.255.146
Do you see an issue there?
[files] users: Matched entry DEFAULT at line 172
And what's on line 172? Not the entry you added.
There is a Cleartext-Password set so unsure why this error is occurring. Any help most appreciated.
Because you added MORE checks (NAS-IP-Address) that caused it to fail. Delete those checks, and it will work. Alan DeKok.
Ahh I was told the the nas ip address doesn't matter. They will be getting a poke in the eye later. Nick On 16 Aug 2012, at 16:42, Alan DeKok <aland@deployingradius.com> wrote:
Nick wrote:
testuser@randomdomain.net.uk Cleartext-Password :="test123", NAS-IP-Address == 1.1.1.1 ... rad_recv: Access-Request packet from host 62.249.192.164 port 31625, id=13, length=145 ... NAS-IP-Address = 62.249.255.146
Do you see an issue there?
[files] users: Matched entry DEFAULT at line 172
And what's on line 172?
Not the entry you added.
There is a Cleartext-Password set so unsure why this error is occurring. Any help most appreciated.
Because you added MORE checks (NAS-IP-Address) that caused it to fail.
Delete those checks, and it will work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Alan, Spot on as usual. Removed the NAS-IP-Address entry and auth was successful. Entry 172 was the start of the below:- DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP, Tunnel-Type == L2TP, Tunnel-Medium-Type == IP, Service-Type = Framed-User, Tunnel-Password = blahblah, Tunnel-Server-Endpoint = 192.168.0.1, Tunnel-Client-Auth-ID = Tunnel-21CN, Fall-Through = Yes Thanks again. Nick -----Original Message----- From: freeradius-users-bounces+nick=njryce.net@lists.freeradius.org [mailto:freeradius-users-bounces+nick=njryce.net@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 16 August 2012 16:42 To: FreeRadius users mailing list Subject: Re: another CHAP issue Nick wrote:
testuser@randomdomain.net.uk Cleartext-Password :="test123", NAS-IP-Address == 1.1.1.1 ... rad_recv: Access-Request packet from host 62.249.192.164 port 31625, id=13, length=145 ... NAS-IP-Address = 62.249.255.146
Do you see an issue there?
[files] users: Matched entry DEFAULT at line 172
And what's on line 172? Not the entry you added.
There is a Cleartext-Password set so unsure why this error is occurring. Any help most appreciated.
Because you added MORE checks (NAS-IP-Address) that caused it to fail. Delete those checks, and it will work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Nick -
Nick Ryce