user defined in mysql table radcheck fails wtih "No "known good password", and radpostauth updated successfully but still empty
Using freeradius 3 (even though most online help is for version 2) since this is the version that I first got "radtest" to work in. Running it in ubuntu 14.04.4 LTS. I entered a user "bob" into the "freeradius/users" file and radtest bob hello1 localhost 1812 testing1 works fine. I then entered "bobsql" into the database (after adding "sql" to all the places in freeradius/sites-available/default and adding the new mysql user login & database info to freeradius/mods-available/sql) | id | username | attribute | value | op | +----+----------+-----------+----------+----+ | 4 | bobsql | Password | hello1 | := | but the command radtest bobsql hello1 localhost 1812 testing1 gives the "freeradius -X" output: (23) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type I removed and re-entered "bobsql" to make sure I didn't accidentally add non-visible characters to the username or password. The strange part is that it says it successfully logged the error to the "radpostauth" table: (23) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'bobsql', 'hello1', 'Access-Reject', '2016-04-19 12:43:09') (23) sql: SQL query returned: success (23) sql: 1 record(s) updated But when I looked at this table it was still empty. I even logged in as "radius" and tested this command to make sure it wasn't being blocked by insufficient user permissions. Dustin p.s.: Here is the area of "freeradius -X" output around the problem area: (23) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bobsql' ORDER BY id (23) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bobsql' ORDER BY id rlm_sql (sql): Released connection (16) rlm_sql (sql): Need 1 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (17), 1 of 30 pending slots used (23) [sql] = notfound (23) [expiration] = noop (23) [logintime] = noop (23) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (23) pap: WARNING: Authentication will fail unless a "known good" password is available (23) [pap] = noop (23) } # authorize = ok (23) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (23) Failed to authenticate the user (23) Using Post-Auth-Type Reject (23) # Executing group from file /etc/freeradius/sites-enabled/default (23) Post-Auth-Type REJECT { (23) sql: EXPAND .query (23) sql: --> .query (23) sql: Using query template 'query' rlm_sql (sql): Reserved connection (15) (23) sql: EXPAND %{User-Name} (23) sql: --> bobsql (23) sql: SQL-User-Name set to 'bobsql' (23) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (23) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'bobsql', 'hello1', 'Access-Reject', '2016-04-19 12:43:09') (23) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'bobsql', 'hello1', 'Access-Reject', '2016-04-19 12:43:09') (23) sql: SQL query returned: success (23) sql: 1 record(s) updated rlm_sql (sql): Released connection (15) (23) [sql] = ok Here's the entire output of "freeradius -X": (22) Cleaning up request packet ID 198 with timestamp +2275 Ready to process requests (23) Received Access-Request Id 40 from 127.0.0.1:41089 to 127.0.0.1:1812 length 76 (23) User-Name = "bobsql" (23) User-Password = "hello1" (23) NAS-IP-Address = 192.168.0.166 (23) NAS-Port = 1812 (23) Message-Authenticator = 0xa745b8c6f1030fe8a5914f73096859ae (23) # Executing section authorize from file /etc/freeradius/sites-enabled/default (23) authorize { (23) policy filter_username { (23) if (&User-Name) { (23) if (&User-Name) -> TRUE (23) if (&User-Name) { (23) if (&User-Name =~ / /) { (23) if (&User-Name =~ / /) -> FALSE (23) if (&User-Name =~ /@[^@]*@/ ) { (23) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (23) if (&User-Name =~ /\.\./ ) { (23) if (&User-Name =~ /\.\./ ) -> FALSE (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (23) if (&User-Name =~ /\.$/) { (23) if (&User-Name =~ /\.$/) -> FALSE (23) if (&User-Name =~ /@\./) { (23) if (&User-Name =~ /@\./) -> FALSE (23) } # if (&User-Name) = notfound (23) } # policy filter_username = notfound (23) [preprocess] = ok (23) [chap] = noop (23) [mschap] = noop (23) [digest] = noop (23) suffix: Checking for suffix after "@" (23) suffix: No '@' in User-Name = "bobsql", looking up realm NULL (23) suffix: No such realm "NULL" (23) [suffix] = noop (23) eap: No EAP-Message, not doing EAP (23) [eap] = noop (23) [files] = noop (23) sql: EXPAND %{User-Name} (23) sql: --> bobsql (23) sql: SQL-User-Name set to 'bobsql' rlm_sql (sql): Reserved connection (16) (23) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (23) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bobsql' ORDER BY id (23) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bobsql' ORDER BY id rlm_sql (sql): Released connection (16) rlm_sql (sql): Need 1 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (17), 1 of 30 pending slots used (23) [sql] = notfound (23) [expiration] = noop (23) [logintime] = noop (23) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (23) pap: WARNING: Authentication will fail unless a "known good" password is available (23) [pap] = noop (23) } # authorize = ok (23) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (23) Failed to authenticate the user (23) Using Post-Auth-Type Reject (23) # Executing group from file /etc/freeradius/sites-enabled/default (23) Post-Auth-Type REJECT { (23) sql: EXPAND .query (23) sql: --> .query (23) sql: Using query template 'query' rlm_sql (sql): Reserved connection (15) (23) sql: EXPAND %{User-Name} (23) sql: --> bobsql (23) sql: SQL-User-Name set to 'bobsql' (23) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (23) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'bobsql', 'hello1', 'Access-Reject', '2016-04-19 12:43:09') (23) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'bobsql', 'hello1', 'Access-Reject', '2016-04-19 12:43:09') (23) sql: SQL query returned: success (23) sql: 1 record(s) updated rlm_sql (sql): Released connection (15) (23) [sql] = ok (23) attr_filter.access_reject: EXPAND %{User-Name} (23) attr_filter.access_reject: --> bobsql (23) attr_filter.access_reject: Matched entry DEFAULT at line 11 (23) [attr_filter.access_reject] = updated (23) [eap] = noop (23) policy remove_reply_message_if_eap { (23) if (&reply:EAP-Message && &reply:Reply-Message) { (23) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (23) else { (23) [noop] = noop (23) } # else = noop (23) } # policy remove_reply_message_if_eap = noop (23) } # Post-Auth-Type REJECT = updated (23) Delaying response for 1.000000 seconds Waking up in 0.6 seconds. Waking up in 0.3 seconds. (23) Sending delayed response (23) Sent Access-Reject Id 40 from 127.0.0.1:1812 to 127.0.0.1:41089 length 20 Waking up in 3.9 seconds. (23) Cleaning up request packet ID 40 with timestamp +2281
On 19-04-16 22:16, Dustin S via Freeradius-Users wrote:
I entered a user "bob" into the "freeradius/users" file and radtest bob hello1 localhost 1812 testing1 works fine.
I then entered "bobsql" into the database (after adding "sql" to all the places in freeradius/sites-available/default and adding the new mysql user login & database info to freeradius/mods-available/sql)
| id | username | attribute | value | op | +----+----------+-----------+----------+----+ | 4 | bobsql | Password | hello1 | := |
Well, the line from the users file reads like this: bob Cleartext-Password := "hello" Finding the difference here is left as an excercise to the reader ;) -- Herwin Weststrate
already changed the user file entry to "hello1", and the radtest works fine with bob/hello1. It just stops working when I change to using sql. From: Herwin Weststrate <herwin@quarantainenet.nl> To: Dustin S <dsoodak@yahoo.com>; FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Wednesday, April 20, 2016 12:28 AM Subject: Re: user defined in mysql table radcheck fails wtih "No "known good password", and radpostauth updated successfully but still empty On 19-04-16 22:16, Dustin S via Freeradius-Users wrote:
I entered a user "bob" into the "freeradius/users" file and radtest bob hello1 localhost 1812 testing1 works fine.
I then entered "bobsql" into the database (after adding "sql" to all the places in freeradius/sites-available/default and adding the new mysql user login & database info to freeradius/mods-available/sql)
| id | username | attribute | value | op | +----+----------+-----------+----------+----+ | 4 | bobsql | Password | hello1 | := |
Well, the line from the users file reads like this: bob Cleartext-Password := "hello" Finding the difference here is left as an excercise to the reader ;) -- Herwin Weststrate
On Apr 22, 2016, at 3:30 PM, Dustin S via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
already changed the user file entry to "hello1", and the radtest works fine with bob/hello1. It just stops working when I change to using sql.
Your SQL entry is wrong.
| id | username | attribute | value | op | +----+----------+-----------+----------+----+ | 4 | bobsql | Password | hello1 | := |
Why "Password"? The documentation and examples for the last 10+ years have said to use "Cleartext-Password". Reading the SQL documentation in the Wiki would get you the same information. Alan DeKok.
On Apr 22, 2016, at 3:30 PM, Dustin S via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
already changed the user file entry to "hello1", and the radtest works fine with bob/hello1. It just stops working when I change to using sql.
> Your SQL entry is wrong.
| id | username | attribute | value | op | +----+----------+-----------+----------+----+ | 4 | bobsql | Password | hello1 | := |
Why "Password"? The documentation and examples for the last 10+ years have said to use "Cleartext-Password".
Thanks! About half the websites I visited used "Password". It has been really confusing as a first time user since many files have slightly different names and locations than in my version (Ex: "/etc/raddb/sql.conf" settings are found in "/etc/freeradius/mods-available/sql") .
Reading the SQL documentation in the Wiki would get you the same information.
Alan DeKok. When I installed daloradius, it made everything work (it also seems to have already changed the entry to "Cleartext-Password"), but when I tried it again today, it went back to the way it was (not working, and with the same symptoms). Dustin Soodak p.s. How do you respond to posts so that your reply shows up in the on-line archive?
On Apr 22, 2016, at 5:33 PM, Dustin S via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
About half the websites I visited used "Password".
They've been wrong for 10 years. All of the FreeRADIUS documentation for the past 10 years has said to use Cleartext-Password. PLEASE read the FreeRADIUS documentation before searching random web sites on google. 90% of those web sites are wrong.
It has been really confusing as a first time user since many files have slightly different names and locations than in my version (Ex: "/etc/raddb/sql.conf" settings are found in "/etc/freeradius/mods-available/sql") .
You're using version 2. The updated docs are for version 3. I suggest using a recent version of the server.
When I installed daloradius, it made everything work (it also seems to have already changed the entry to "Cleartext-Password"), but when I tried it again today, it went back to the way it was (not working, and with the same symptoms).
I have no idea how daloradius works.
p.s. How do you respond to posts so that your reply shows up in the on-line archive?
I hit "reply". Using a standard mail client. Alan DeKok.
participants (3)
-
Alan DeKok -
Dustin S -
Herwin Weststrate