files Authentication problem
Hello, I have a problem of authentication with the files method. I am using freeradius: FreeRADIUS Version 2.1.10 I try to configure freeradius to have authentication with non-sensitive password and user. I am using ntradping to test my radius server. In both case, ++[files] returns ok , so it seems to be ok. But the client receive on ok, and one bad. See the output of freeradius -X NON-WORKING : the last C is in capital letter. ============= rad_recv: Access-Request packet from host 100.100.16.3 port 44994, id=1, length=57 User-Name = "00c51180d29c" User-Password = "00c51180d29C" Vendor-Specific = 0x383030 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [files] expand: %{User-Password} -> 00c51180d29C [files] expand: %{tolower:%{User-Password}} -> 00c51180d29c [files] users: Matched entry 00c51180d29c at line 2 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = Local WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. User-Password in the request does NOT match "known good" password. Failed to authenticate the user. Login incorrect: [00c51180d29c/00c51180d29C] (from client pc1461 port 0) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 00c51180d29c attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds WORKING ========= rad_recv: Access-Request packet from host 100.100.16.3 port 45055, id=3, length=57 User-Name = "00c51180d29c" User-Password = "00c51180d29c" Vendor-Specific = 0x383030 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [files] expand: %{User-Password} -> 00c51180d29c [files] expand: %{tolower:%{User-Password}} -> 00c51180d29c [files] users: Matched entry 00c51180d29c at line 2 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = Local WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. User-Password in the request is correct. Login OK: [00c51180d29c/00c51180d29c] (from client pcXX port 0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 3 to 100.100.16.3 port 45055 Alcatel-Lucent-Auth-Group = 4 Finished request 3. Config of the files modules ==================== files { # The default key attribute to use for matches. The content # of this attribute is used to match the "name" of the # entry. #key = "%{Stripped-User-Name:-%{User-Name}}" usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users key = "%{tolower:%{User-Password}}" case_sensitive = no # If you want to use the old Cistron 'users' file # with FreeRADIUS, you should change the next line # to 'compat = cistron'. You can the copy your 'users' # file from Cistron. compat = no } Users file (all in lower letters) ======== "00c51180d29c" Auth-Type := Local, Cleartext-Password := "00c51180d29c" Alcatel-Lucent-Auth-Group = 4 Thanks for the help. Alexandre
On Wed, Nov 21, 2012 at 09:01:22AM +0100, alexdhelmet@free.fr wrote:
"00c51180d29c" Auth-Type := Local, Cleartext-Password := "00c51180d29c" Alcatel-Lucent-Auth-Group = 4
As the debug log says, Remove "Auth-Type := Local" from the above. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hello Matthew , Thanks for your answer. But, at the moment, we must keep this Auth-Type, to be compatible wirth an old version of freeradius, we couldn't update at the moment. Alexandre
On Wed, Nov 21, 2012 at 09:01:22AM +0100, alexdhelmet@free.fr wrote:
"00c51180d29c" Auth-Type := Local, Cleartext-Password := "00c51180d29c" Alcatel-Lucent-Auth-Group = 4 As the debug log says, Remove "Auth-Type := Local" from the above.
Matthew
Hi On Mon, Nov 26, 2012 at 08:17:21AM +0100, alexdhelmet@free.fr wrote:
Thanks for your answer.
I've just re-read what you're doing - you're looking up the lowercase password in the users file instead of the username (e.g. you're ignoring the username), but then your password check is between User-Password and Cleartext-Password, as usual. Try something like this in your sites-enabled/default, after preprocess: update request { User-Password := "%{tolower:%{User-Password}}" }
But, at the moment, we must keep this Auth-Type, to be compatible wirth an old version of freeradius, we couldn't update at the moment.
No, you still don't need it. The PAP module will do it for you - read the debug output. Matthew (waiting for 3.x so that Auth-Type := Local will actually break things at last).
On Wed, Nov 21, 2012 at 09:01:22AM +0100, alexdhelmet@free.fr wrote:
"00c51180d29c" Auth-Type := Local, Cleartext-Password := "00c51180d29c" Alcatel-Lucent-Auth-Group = 4 As the debug log says, Remove "Auth-Type := Local" from the above.
Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (2)
-
alexdhelmet@free.fr -
Matthew Newton