FreeRADIUS server is not recognizing updates from my users file
for example, lines from my users file: testing Cleartext-Password := "52345" guestuser Cleartext-Password := "16109" Debug file 1 (Notice how it is authenticating with password 12345, an old password) -- *Aaron Dalla-Longa* Systems Administrator Shortgrass Library System tf: 1.866.529.0550 | p: 403.529.0550
for example, lines from my users file:
testing Cleartext-Password := "52345" guestuser Cleartext-Password := "16109"
Debug file 1 (Notice how it is authenticating with password 12345, an old password)
Have you restarted FreeRadius after having changed the passwords? It won't re-read the files otherwise. -- Alejandro Perez-Mendez Technical Specialist (AAA), Trust & Identity M (+34) 619 333 219 Skype alejandro_perez_mendez jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
sorry, accidently sent that last email incomplete, anyway: As far as troubleshooting, I have tried to start and stop the freeradius server, as well as completely restart the server that this is located on (ubuntu x64 18.04 LTS) *Debug file 1 (Notice how it is authenticating with password 12345, an old password) * Ready to process requests (0) Received Access-Request Id 43 from 192.168.0.251:43064 to 192.168.0.34:1812 length 205 (0) NAS-IP-Address = 192.168.0.251 (0) NAS-Port = 0 (0) NAS-Port-Type = Wireless-802.11 (0) User-Name = "testing" (0) Service-Type = Login-User (0) Calling-Station-Id = "0.0.0.0" (0) Called-Station-Id = "000B86DC7500" (0) MS-CHAP-Challenge = 0x72afbc5215acc3801eeaeb6a8028bf0a (0) MS-CHAP2-Response = 0x0000c1a72376f832a9551a72d73845155c310000000000000000ce5037dbf4859d34dc9124eec53caef6cf8d72ccae7ccdc5 (0) Aruba-Location-Id = "N/A" (0) Aruba-AP-Group = "N/A" (0) NAS-Identifier = "aruba" (0) Message-Authenticator = 0x8301ff3e6feee4afcf1d1b89a6b11802 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "testing", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry testing at line 223 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: Auth-Type already set. Not setting to PAP (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = mschap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) mschap: Found Cleartext-Password, hashing to create NT-Password (0) mschap: Found Cleartext-Password, hashing to create LM-Password (0) mschap: Creating challenge hash with username: testing (0) mschap: Client is using MS-CHAPv2 (0) mschap: Adding MS-CHAPv2 MPPE keys (0) [mschap] = ok (0) } # authenticate = ok (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = noop (0) Sent Access-Accept Id 43 from 192.168.0.34:1812 to 192.168.0.251:43064 length 0 (0) MS-CHAP2-Success = 0x00533d37463746344639363836363138424141333835374136383231454639463933423039363637443633 (0) MS-MPPE-Recv-Key = 0x470e62a64268cbb27fedeca0ec416bdf (0) MS-MPPE-Send-Key = 0x773dbf8aba00cc631699463aa9db6f3e (0) MS-MPPE-Encryption-Policy = Encryption-Allowed (0) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 43 with timestamp +4 Ready to process requests *Debug 2, using password 52345, gets rejected: * Ready to process requests (1) Received Access-Request Id 44 from 192.168.0.251:43064 to 192.168.0.34:1812 length 205 (1) NAS-IP-Address = 192.168.0.251 (1) NAS-Port = 0 (1) NAS-Port-Type = Wireless-802.11 (1) User-Name = "testing" (1) Service-Type = Login-User (1) Calling-Station-Id = "0.0.0.0" (1) Called-Station-Id = "000B86DC7500" (1) MS-CHAP-Challenge = 0x06dc76b4c9a101e7ff9799d66ce4689e (1) MS-CHAP2-Response = 0x0000f8dbc20f2d288d874d88c4479566ac0d00000000000000002ac451293f31a0639a3409c825f328e2d1655e4fc5d3951d (1) Aruba-Location-Id = "N/A" (1) Aruba-AP-Group = "N/A" (1) NAS-Identifier = "aruba" (1) Message-Authenticator = 0x5c0fd3d522a5d7f3ed3977c68c402630 (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (1) [mschap] = ok (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "testing", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: No EAP-Message, not doing EAP (1) [eap] = noop (1) files: users: Matched entry testing at line 223 (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = ok (1) Found Auth-Type = mschap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) mschap: Found Cleartext-Password, hashing to create NT-Password (1) mschap: Found Cleartext-Password, hashing to create LM-Password (1) mschap: Creating challenge hash with username: testing (1) mschap: Client is using MS-CHAPv2 (1) mschap: ERROR: MS-CHAP2-Response is incorrect (1) [mschap] = reject (1) } # authenticate = reject (1) Failed to authenticate the user (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject: EXPAND %{User-Name} (1) attr_filter.access_reject: --> testing (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) [eap] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 44 from 192.168.0.34:1812 to 192.168.0.251:43064 length 103 (1) MS-CHAP-Error = "\000E=691 R=1 C=91a925843c440ae78ba26a7744bd4a25 V=3 M=Authentication rejected" Waking up in 3.9 seconds. (1) Cleaning up request packet ID 44 with timestamp +168 Ready to process requests On Fri, Apr 12, 2019 at 11:51 AM Aaron Dalla-Longa <aaron@shortgrass.ca> wrote:
for example, lines from my users file:
testing Cleartext-Password := "52345" guestuser Cleartext-Password := "16109"
Debug file 1 (Notice how it is authenticating with password 12345, an old password)
-- *Aaron Dalla-Longa* Systems Administrator Shortgrass Library System tf: 1.866.529.0550 | p: 403.529.0550
-- *Aaron Dalla-Longa* Systems Administrator Shortgrass Library System tf: 1.866.529.0550 | p: 403.529.0550
Yes Alex, sorry, accidently hit send too early. I have tried to restart the service but it seems it will not grab the new file, and keeps reading an 'old version' of it for some reason. Is there a different command I can use in order to try to force it to grab the updated file? On Fri, Apr 12, 2019 at 11:55 AM Aaron Dalla-Longa <aaron@shortgrass.ca> wrote:
sorry, accidently sent that last email incomplete, anyway:
As far as troubleshooting, I have tried to start and stop the freeradius server, as well as completely restart the server that this is located on (ubuntu x64 18.04 LTS)
*Debug file 1 (Notice how it is authenticating with password 12345, an old password) *
Ready to process requests (0) Received Access-Request Id 43 from 192.168.0.251:43064 to 192.168.0.34:1812 length 205 (0) NAS-IP-Address = 192.168.0.251 (0) NAS-Port = 0 (0) NAS-Port-Type = Wireless-802.11 (0) User-Name = "testing" (0) Service-Type = Login-User (0) Calling-Station-Id = "0.0.0.0" (0) Called-Station-Id = "000B86DC7500" (0) MS-CHAP-Challenge = 0x72afbc5215acc3801eeaeb6a8028bf0a (0) MS-CHAP2-Response = 0x0000c1a72376f832a9551a72d73845155c310000000000000000ce5037dbf4859d34dc9124eec53caef6cf8d72ccae7ccdc5 (0) Aruba-Location-Id = "N/A" (0) Aruba-AP-Group = "N/A" (0) NAS-Identifier = "aruba" (0) Message-Authenticator = 0x8301ff3e6feee4afcf1d1b89a6b11802 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "testing", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry testing at line 223 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: Auth-Type already set. Not setting to PAP (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = mschap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) mschap: Found Cleartext-Password, hashing to create NT-Password (0) mschap: Found Cleartext-Password, hashing to create LM-Password (0) mschap: Creating challenge hash with username: testing (0) mschap: Client is using MS-CHAPv2 (0) mschap: Adding MS-CHAPv2 MPPE keys (0) [mschap] = ok (0) } # authenticate = ok (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = noop (0) Sent Access-Accept Id 43 from 192.168.0.34:1812 to 192.168.0.251:43064 length 0 (0) MS-CHAP2-Success = 0x00533d37463746344639363836363138424141333835374136383231454639463933423039363637443633 (0) MS-MPPE-Recv-Key = 0x470e62a64268cbb27fedeca0ec416bdf (0) MS-MPPE-Send-Key = 0x773dbf8aba00cc631699463aa9db6f3e (0) MS-MPPE-Encryption-Policy = Encryption-Allowed (0) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 43 with timestamp +4 Ready to process requests
*Debug 2, using password 52345, gets rejected: *
Ready to process requests (1) Received Access-Request Id 44 from 192.168.0.251:43064 to 192.168.0.34:1812 length 205 (1) NAS-IP-Address = 192.168.0.251 (1) NAS-Port = 0 (1) NAS-Port-Type = Wireless-802.11 (1) User-Name = "testing" (1) Service-Type = Login-User (1) Calling-Station-Id = "0.0.0.0" (1) Called-Station-Id = "000B86DC7500" (1) MS-CHAP-Challenge = 0x06dc76b4c9a101e7ff9799d66ce4689e (1) MS-CHAP2-Response = 0x0000f8dbc20f2d288d874d88c4479566ac0d00000000000000002ac451293f31a0639a3409c825f328e2d1655e4fc5d3951d (1) Aruba-Location-Id = "N/A" (1) Aruba-AP-Group = "N/A" (1) NAS-Identifier = "aruba" (1) Message-Authenticator = 0x5c0fd3d522a5d7f3ed3977c68c402630 (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (1) [mschap] = ok (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "testing", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: No EAP-Message, not doing EAP (1) [eap] = noop (1) files: users: Matched entry testing at line 223 (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = ok (1) Found Auth-Type = mschap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) mschap: Found Cleartext-Password, hashing to create NT-Password (1) mschap: Found Cleartext-Password, hashing to create LM-Password (1) mschap: Creating challenge hash with username: testing (1) mschap: Client is using MS-CHAPv2 (1) mschap: ERROR: MS-CHAP2-Response is incorrect (1) [mschap] = reject (1) } # authenticate = reject (1) Failed to authenticate the user (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject: EXPAND %{User-Name} (1) attr_filter.access_reject: --> testing (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) [eap] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 44 from 192.168.0.34:1812 to 192.168.0.251:43064 length 103 (1) MS-CHAP-Error = "\000E=691 R=1 C=91a925843c440ae78ba26a7744bd4a25 V=3 M=Authentication rejected" Waking up in 3.9 seconds. (1) Cleaning up request packet ID 44 with timestamp +168 Ready to process requests
On Fri, Apr 12, 2019 at 11:51 AM Aaron Dalla-Longa <aaron@shortgrass.ca> wrote:
for example, lines from my users file:
testing Cleartext-Password := "52345" guestuser Cleartext-Password := "16109"
Debug file 1 (Notice how it is authenticating with password 12345, an old password)
-- *Aaron Dalla-Longa* Systems Administrator Shortgrass Library System tf: 1.866.529.0550 | p: 403.529.0550
-- *Aaron Dalla-Longa* Systems Administrator Shortgrass Library System tf: 1.866.529.0550 | p: 403.529.0550
-- *Aaron Dalla-Longa* Systems Administrator Shortgrass Library System tf: 1.866.529.0550 | p: 403.529.0550
El 12/4/19 a las 19:57, Aaron Dalla-Longa escribió:
Yes Alex, sorry, accidently hit send too early. I have tried to restart the service but it seems it will not grab the new file, and keeps reading an 'old version' of it for some reason. Is there a different command I can use in order to try to force it to grab the updated file? The users file is supposed to be a symbolic link. Make sure your editor did not change this. This is how it should be.
users -> mods-config/files/authorize -- Alejandro Perez-Mendez Technical Specialist (AAA), Trust & Identity M (+34) 619 333 219 Skype alejandro_perez_mendez jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
Yes that was the issue. Thank you :) On Fri, Apr 12, 2019 at 12:02 PM Alex Perez <Alex.Perez-Mendez@jisc.ac.uk> wrote:
El 12/4/19 a las 19:57, Aaron Dalla-Longa escribió:
Yes Alex, sorry, accidently hit send too early. I have tried to restart the service but it seems it will not grab the new file, and keeps reading an 'old version' of it for some reason. Is there a different command I can use in order to try to force it to grab the updated file? The users file is supposed to be a symbolic link. Make sure your editor did not change this. This is how it should be.
users -> mods-config/files/authorize
-- Alejandro Perez-Mendez Technical Specialist (AAA), Trust & Identity M (+34) 619 333 219 Skype alejandro_perez_mendez jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *Aaron Dalla-Longa* Systems Administrator Shortgrass Library System tf: 1.866.529.0550 | p: 403.529.0550
participants (2)
-
Aaron Dalla-Longa -
Alex Perez