Issue with authorisation on Dlink switch
Got stuck with a strange behaviour : Listening on auth address 10.10.9.5 port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 36922 Listening on proxy address :: port 52073 Ready to process requests (0) Received Access-Request Id 188 from 10.10.9.10:1044 to 10.10.9.5:1812 length 86 (0) User-Name = "admin" (0) User-Password = "c\375'\364D\212\021\257.?\327\017\336\177W\212" (0) NAS-IP-Address = 10.10.9.10 (0) NAS-Identifier = "Test" (0) NAS-Port-Type = Virtual (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (!&User-Name) { (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) { (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "admin", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry DEFAULT at line 181 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [admin/c?'? D???.?????W?] (from client switch port 0) (0) WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> admin (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 188 from 10.10.9.5:1812 to 10.10.9.10:1044 length 20 Waking up in 3.9 seconds. Waking up in 8.9 seconds. (0) Cleaning up request packet ID 188 with timestamp +48 Ready to process requests (1) Received Access-Request Id 205 from 10.10.9.10:1045 to 10.10.9.5:1812 length 86 (1) User-Name = "admin" (1) User-Password = "\365yo\274\206Oz\203\024/\350\256p\317\312\353" (1) NAS-IP-Address = 10.10.9.10 (1) NAS-Identifier = "test" (1) NAS-Port-Type = Virtual (1) Service-Type = Framed-User (1) Framed-Protocol = PPP (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (!&User-Name) { (1) if (!&User-Name) -> FALSE (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@.*@/ ) { (1) if (&User-Name =~ /@.*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "admin", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: No EAP-Message, not doing EAP (1) [eap] = noop (1) files: users: Matched entry DEFAULT at line 181 (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (1) pap: WARNING: Authentication will fail unless a "known good" password is available (1) [pap] = noop (1) } # authorize = ok (1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (1) Failed to authenticate the user (1) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [admin/?yo?? Oz??/??p???] (from client switch port 0) (1) WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject: EXPAND %{User-Name} (1) attr_filter.access_reject: --> admin (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) [eap] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 205 from 10.10.9.5:1812 to 10.10.9.10:1045 length 20 Waking up in 3.9 seconds. Waking up in 8.9 seconds. (1) Cleaning up request packet ID 205 with timestamp +114 Ready to process requests. Just a few lines make me confused: (1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (1) pap: WARNING: Authentication will fail unless a "known good" password is available Here is some lines from config users: user Cleartext-Password := "1234" Dlink-User-Level = 3 1) WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! the secret is 100% correct on both sides..... is is really simple 123..... Got very confused.. I have tried to play around the whole day but could not sort the issue out :(
On Feb 2, 2016, at 1:33 PM, Viacheslav Gubin <gubin.vya4eslav@gmail.com> wrote:
Just a few lines make me confused:
(1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (1) pap: WARNING: Authentication will fail unless a "known good" password is available
Here is some lines from config users:
user Cleartext-Password := "1234" Dlink-User-Level = 3
Please read the debug output. It says: (0) files: users: Matched entry DEFAULT at line 181 (0) [files] = ok So... what's on line 181?
1) WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
the secret is 100% correct on both sides..... is is really simple 123.....
(a) the shared secret is wrong (b) the NAS is broken Pick one. Alan DeKok.
On Tue, Feb 02, 2016 at 06:33:04PM +0000, Viacheslav Gubin wrote:
(0) Received Access-Request Id 188 from 10.10.9.10:1044 to 10.10.9.5:1812 length 86 (0) User-Name = "admin" (0) User-Password = "c\375'\364D\212\021\257.?\327\017\336\177W\212"
Standard 'shared password is wrong'.
Here is some lines from config users:
user Cleartext-Password := "1234" Dlink-User-Level = 3
The username above is "admin", not "user". Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (3)
-
Alan DeKok -
Matthew Newton -
Viacheslav Gubin