Issues with squid_radius_auth
Hi. I'm using squid proxy server with freeradius authentication with postgresql backend running on Debian Squeeze and I get the following error from freeradius. ./squid_radius_auth -f /etc/squid3/squid_radius_auth.conf andrei tester Warning: Received invalid reply digest from server Warning: Received invalid reply digest from serverERR I'll post the files configuration and output from freeradius debug: cat /etc/squid3/squid_radius_auth.conf # squid_rad_auth configuration file # MvS: 28-10-1998 server 192.168.107.2 secret testing -------------------------------------------------------------------------------------------------------------------------------- freeradius -X stripped output: freeradius -X including configuration file /etc/freeradius/sites-enabled/default main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.107.2 port 48244, id=1, length=64 User-Name = "andrei" User-Password = "WIdk\214\356\376G/\215X\367n\246h\224" NAS-Port = 111 NAS-Port-Type = Async NAS-IP-Address = 192.168.107.2 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.107.2/auth-detail-20100129 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.107.2/auth-detail-20100129 [auth_log] expand: %t -> Fri Jan 29 18:34:05 2010 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "andrei", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[unix] returns notfound ++[files] returns noop [sql] expand: %{User-Name} -> andrei [sql] sql_set_user escaped user --> 'andrei' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'andrei' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 5 [sql] User found in radcheck table [sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'andrei' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 0 , fields = 5 [sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='andrei' ORDER BY priority rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 0 , fields = 1 rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "WIdk?��G/?X�n�h?" [pap] Using clear text password "tester" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> andrei attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 1 to 192.168.107.2 port 48244 rad_recv: Access-Request packet from host 192.168.107.2 port 48244, id=1, length=64 Sending duplicate reply to client localhost port 48244 - ID: 1 Sending Access-Reject of id 1 to 192.168.107.2 port 48244 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.107.2 port 48244, id=1, length=64 Sending duplicate reply to client localhost port 48244 - ID: 1 Sending Access-Reject of id 1 to 192.168.107.2 port 48244 Waking up in 3.9 seconds. rad_recv: Access-Request packet from host 192.168.107.2 port 48244, id=1, length=64 Sending duplicate reply to client localhost port 48244 - ID: 1 Sending Access-Reject of id 1 to 192.168.107.2 port 48244 Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 192.168.107.2 port 48244, id=1, length=64 Sending duplicate reply to client localhost port 48244 - ID: 1 Sending Access-Reject of id 1 to 192.168.107.2 port 48244 Waking up in 1.9 seconds. rad_recv: Access-Request packet from host 192.168.107.2 port 48244, id=1, length=64 Sending duplicate reply to client localhost port 48244 - ID: 1 Sending Access-Reject of id 1 to 192.168.107.2 port 48244 Waking up in 0.9 seconds. Cleaning up request 0 ID 1 with timestamp +3 Ready to process requests. ---------------------------------------------------------------------------------------------------------------------------------- cat /etc/freeradius/clients.conf client localhost { ipaddr = 192.168.107.2 netmask = 32 secret = testing require_message_authenticator = no shortname = localhost nastype = other -------------------------------------------------------------------------------------------------------------------------- Somehow the client is not sending the cleartext password from database and this causes the error. The shared secret is correct as I use the same configuration for a PPPOE server and everything works as it should. Any hints ?
Ovi C wrote: ...
Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
So...
Somehow the client is not sending the cleartext password from database and this causes the error. The shared secret is correct as I use the same configuration for a PPPOE server and everything works as it should. Any hints ?
If the shared secret is the same, then the Squid RADIUS plugin has 64-bit or CPU endian issues. Alan DeKok.
Hi, I'm having the same issue, could anyone solve it? -- View this message in context: http://freeradius.1045715.n5.nabble.com/Issues-with-squid-radius-auth-tp2788... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (3)
-
Alan DeKok -
danegirl -
Ovi C