Framed-Protocol PPP question
We have successfully installed and tested FreeRadius. However authentication fails when we try with a live customer. Here is the lines in the debug file where it fails: <snip> # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok : ++[pap] returns noop Found Auth-Type = CHAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group CHAP {...} [chap] login attempt by "3108396020@netwood.net" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Login incorrect (rlm_chap: Clear text password not available): [3108396020@netwood.net/<CHAP-Password>] (from client LosAngeles port 67371072) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} </snip> This is the entry we have for the customer in the users file: <snip> 3108396020@netwood.net Cleartext-Password := "testing123" </snip> Any advice is greatly appreciated. Cheers, Jonas Fornander System Administrator <http://www.netwood.net/> Netwood Communications, LLC Providing All Your Internet Needs Tel: 310-442-1530 Fax: 310-496-0712 ************************************* Like us - Facebook <http://on.fb.me/hOVxtl> http://on.fb.me/hOVxtl, Follow us -Twitter <http://bit.ly/fqxj64> http://bit.ly/fqxj64 Link in - LinkedIn <http://linkd.in/Hdc3Ce> http://linkd.in/Hdc3Ce Read our Yelp reviews <http://bit.ly/kjbxEV> http://bit.ly/kjbxEV ************************************************************** P THINK GREEN BEFORE YOU PRINT. Supporting Paperless Office Concepts
Jonas Fornander wrote:
We have successfully installed and tested FreeRadius.
However authentication fails when we try with a live customer. .. [chap] Cleartext-Password is required for authentication
That should be pretty clear.
This is the entry we have for the customer in the users file:
3108396020@netwood.net Cleartext-Password := "testing123"
Any advice is greatly appreciated.
Well... it wasn't found in the "users" file. It's impossible to know what really happened, because you helpfully deleted all of the useful information from the debug log. Alan DeKok.
Jonas Fornander wrote:
We have successfully installed and tested FreeRadius.
However authentication fails when we try with a live customer. .. [chap] Cleartext-Password is required for authentication
That should be pretty clear.
This is the entry we have for the customer in the users file:
3108396020@netwood.net Cleartext-Password := "testing123"
Any advice is greatly appreciated.
Well... it wasn't found in the "users" file. It's impossible to know what really happened, because you helpfully deleted all of the useful information from the debug log. Alan DeKok. [jonas] Below is the whole log for that connection attempt. Ready to process requests. rad_recv: Access-Request packet from host 64.105.132.249 port 1814, id=116, length=294 User-Name = "3108396020@netwood.net" CHAP-Password = 0x01c0dd7a2fa7e1d41a9fbafbfc04a227e3 CHAP-Challenge = 0x34c09a5e9141f29c9d7cae2f2066f379 Service-Type = Framed-User Framed-Protocol = PPP NAS-Identifier = "lsanca54-seb3" NAS-Port = 67371072 NAS-Real-Port = 1140850918 NAS-Port-Type = Virtual NAS-Port-Id = "4/4 vpi-vci 0 230 pppoe 345" Medium-Type = DSL Mac-Addr = "58-6d-8f-3e-7e-40" Connect-Info = "covad" Platform-Type = SmartEdge-800 OS-Version = "6.1.5.6" Acct-Session-Id = "0303003F28004E4F-502C6F45" Framed-IP-Address = 68.167.6.182 NAS-IP-Address = 66.166.60.137 Message-Authenticator = 0xa4c9ddcd035e84cf48dd06f771b57593 Proxy-State = 0x313932 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok : ++[pap] returns noop Found Auth-Type = CHAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group CHAP {...} [chap] login attempt by "3108396020@netwood.net" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Login incorrect (rlm_chap: Clear text password not available): [3108396020@netwood.net/<CHAP-Password>] (from client LosAngeles port 67371072) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 3108396020@netwood.net attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 253 to 64.105.132.249 port 1814 Proxy-State = 0x313838 Waking up in 4.9 seconds. Cleaning up request 0 ID 253 with timestamp +9726 Ready to process requests. //jonas
Jonas Fornander wrote:
[jonas] Below is the whole log for that connection attempt.
You either edited the debug log, or you edited the default configuration, and broke it. Don't do that.
# Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok : ++[pap] returns noop Found Auth-Type = CHAP
There should be a LOT more modules being run in the "authorize" section. One of them reads the "users" file. If you don't know what the authorize section does, don't edit it. You will break the server. Alan DeKok.
Jonas Fornander wrote:
[jonas] Below is the whole log for that connection attempt.
You either edited the debug log, or you edited the default configuration, and broke it. Don't do that. [jonas] I have not edited any configuration. I apologize if the debug log was edited. There should be a LOT more modules being run in the "authorize" section. One of them reads the "users" file. If you don't know what the authorize section does, don't edit it. You will break the server. [jonas] Here is the first connection request in the debug log. I have not done any edits to any configurations. I have just added clients to the clients.conf - I got the list from the vendor - and a user to the users file. That's it. Ready to process requests. rad_recv: Access-Request packet from host 64.105.132.249 port 1814, id=253, length=294 User-Name = "3108396020@netwood.net" CHAP-Password = 0x01365cef3e4c1cd1ea35f46d6535a9b23a CHAP-Challenge = 0xca4519d4ab276a48e4973b5b00dc43d6 Service-Type = Framed-User Framed-Protocol = PPP NAS-Identifier = "lsanca54-seb3" NAS-Port = 67371072 NAS-Real-Port = 1140850918 NAS-Port-Type = Virtual NAS-Port-Id = "4/4 vpi-vci 0 230 pppoe 343" Medium-Type = DSL Mac-Addr = "58-6d-8f-3e-7e-40" Connect-Info = "covad" Platform-Type = SmartEdge-800 OS-Version = "6.1.5.6" Acct-Session-Id = "0303003F28004E4F-502C6F25" Framed-IP-Address = 68.167.6.182 NAS-IP-Address = 66.166.60.137 Message-Authenticator = 0x1bf354e361c1dbfcefffeffac95d98e2 Proxy-State = 0x313838 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "netwood.net" for User-Name = "3108396020@netwood.net" [suffix] No such realm "netwood.net" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = CHAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group CHAP {...} [chap] login attempt by "3108396020@netwood.net" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Login incorrect (rlm_chap: Clear text password not available): [3108396020@netwood.net/<CHAP-Password>] (from client LosAngeles port 67371072) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 3108396020@netwood.net attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 253 to 64.105.132.249 port 1814 Proxy-State = 0x313838 Waking up in 4.9 seconds. Cleaning up request 0 ID 253 with timestamp +9726 Ready to process requests. //jonas
Jonas Fornander wrote:
[jonas] I have not edited any configuration. I apologize if the debug log was edited.
The whole POINT of posting the debug log is to see what the server is doing. Editing it means you're deleting data we need to help you.
[jonas] Here is the first connection request in the debug log. I have not done any edits to any configurations. I have just added clients to the clients.conf - I got the list from the vendor - and a user to the users file. That's it.
Well, you did something wrong:
Ready to process requests. rad_recv: Access-Request packet from host 64.105.132.249 port 1814, id=253, length=294 User-Name = "3108396020@netwood.net" ... [files] users: Matched entry DEFAULT at line 172
So... what's at line 172? Not the 3108396020@netwood.net entry. That's for sure. So... what, exactly, did you put into the "users" file? And where? Alan DeKok.
Ready to process requests. rad_recv: Access-Request packet from host 64.105.132.249 port 1814, id=253, length=294 User-Name = "3108396020@netwood.net" ... [files] users: Matched entry DEFAULT at line 172
So... what's at line 172? Not the 3108396020@netwood.net entry. That's for sure. So... what, exactly, did you put into the "users" file? And where? Alan DeKok. [jonas] On line 172 in the users file is this: DEFAULT Framed-Protocol == PPP The only thing I changed in the users file was when I added the user at the end. The end of the file contains this: # # On no match, the user is denied access. testuser Cleartext-Password := "thingamabob" 3108396020@netwood.net Cleartext-Password := "testing123" BTW, I really appreciate your help, Alan. //jonas
So if I understand this correctly, the users file is processed and when it reaches line 172, there is a match and since no Fall-Through is set, it stops processing the rest of the file so it actually never reaches the username entry? Is my choices to either comment out the DEFAULT entries or add the usernames to the top of the file? //jonas Jonas Fornander wrote:
The only thing I changed in the users file was when I added the user at the end.
$ man users The file is processed top to bottom. See the FAQ for an example of how to configure a user.
BTW, I really appreciate your help, Alan.
It's what I do. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jonas Fornander wrote:
So if I understand this correctly, the users file is processed and when it reaches line 172, there is a match and since no Fall-Through is set, it stops processing the rest of the file so it actually never reaches the username entry?
That's what the documentation says it does.
Is my choices to either comment out the DEFAULT entries or add the usernames to the top of the file?
That's the idea. Alan DeKok.
Now it works great (with the user added to the TOP of the file). I did not follow the instructions even though I thought I did so. Here it is from the configuration HOW-TO: <snip> Edit /etc/raddb/users and create an example user account as the first entry. i.e. at the top of the file, such as: </snip> Thanks for the help. Cheers, Jonas Fornander System Administrator Netwood Communications, LLC Providing All Your Internet Needs Tel: 310-442-1530 Fax: 310-496-0712 ************************************* Like us - Facebook http://on.fb.me/hOVxtl, Follow us -Twitter http://bit.ly/fqxj64 Link in - LinkedIn http://linkd.in/Hdc3Ce Read our Yelp reviews http://bit.ly/kjbxEV ************************************************************** THINK GREEN BEFORE YOU PRINT. Supporting Paperless Office Concepts -----Original Message----- From: freeradius-users-bounces+support=netwood.net@lists.freeradius.org [mailto:freeradius-users-bounces+support=netwood.net@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, August 17, 2012 11:45 AM To: FreeRadius users mailing list Subject: Re: Framed-Protocol PPP question Jonas Fornander wrote:
So if I understand this correctly, the users file is processed and when it reaches line 172, there is a match and since no Fall-Through is set, it stops processing the rest of the file so it actually never reaches the username entry?
That's what the documentation says it does.
Is my choices to either comment out the DEFAULT entries or add the usernames to the top of the file?
That's the idea. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Jonas Fornander