radtest OK ssh NOK
HI Guys Doing an integration on te freeradiuos 3.0.11 into a OpenSuse Linux. I got a successful on radtest. testbedocg:/usr/local/etc/raddb/sites-enabled # radtest dop "dop" 172.16.173.31 1812 Lebara321 Sent Access-Request Id 212 from 0.0.0.0:56392 to 172.16.173.31:1812 length 73 User-Name = "dop" User-Password = "dop" NAS-IP-Address = 192.168.23.31 NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "dop" Received Access-Accept Id 212 from 172.16.173.31:1812 to 0.0.0.0:0 length 26 Session-Timeout = 86101 testbedocg:/usr/local/etc/raddb/sites-enabled # client 172.16 { ipaddr = 172.16.0.0/16 secret = Lebara321 nas_type = other } But not successful on ssh. It clearly says that the passwords do not match but checking in SQL I have this line: +----+----------+--------------------+----+------------------------------------+ | id | username | attribute | op | value | +----+----------+--------------------+----+------------------------------------+ | 42 | dop | Max-All-Session | := | 1464051644 | | 41 | dop | Cleartext-Password | := | dop | (4) Received Access-Request Id 3 from 172.16.173.31:52494 to 172.16.173.31:1812 length 84 (4) User-Name = "dop" (4) User-Password = "\010\n\r\177INCORRECT" (4) NAS-IP-Address = 192.168.23.31 (4) NAS-Identifier = "sshd" (4) NAS-Port = 92450 (4) NAS-Port-Type = Virtual (4) Service-Type = Authenticate-Only (4) Calling-Station-Id = "127.0.0.1" (4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "dop", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: No EAP-Message, not doing EAP (4) [eap] = noop (4) [files] = noop (4) sql: EXPAND %{User-Name} (4) sql: --> dop (4) sql: SQL-User-Name set to 'dop' rlm_sql (sql): Reserved connection (8) (4) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (4) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dop' ORDER BY id (4) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dop' ORDER BY id (4) sql: User found in radcheck table (4) sql: Conditional check items matched, merging assignment check items (4) sql: Cleartext-Password := "dop" (4) sql: Max-All-Session := 1464051644 (4) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (4) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dop' ORDER BY id (4) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dop' ORDER BY id (4) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (4) sql: --> SELECT groupname FROM radusergroup WHERE username = 'dop' ORDER BY priority (4) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'dop' ORDER BY priority (4) sql: User not found in any groups rlm_sql (sql): Released connection (8) rlm_sql (sql): Need 1 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (10), 1 of 30 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.0.67, protocol version 10 (4) [sql] = ok sqlcounter_expand: 'select UNIX_TIMESTAMP(sysdate()) - value from raduser_connection_time where username='%{User-Name}';' (4) expired_Xh: EXPAND %{User-Name} (4) expired_Xh: --> dop (4) expired_Xh: SQL-User-Name set to 'dop' rlm_sql (sql): Reserved connection (9) (4) expired_Xh: Executing select query: select UNIX_TIMESTAMP(sysdate()) - value from raduser_connection_time where username='dop'; rlm_sql (sql): Released connection (9) (4) expired_Xh: EXPAND %{sql:select UNIX_TIMESTAMP(sysdate()) - value from raduser_connection_time where username='%{User-Name}';} (4) expired_Xh: --> 1463966096 (4) expired_Xh: Allowing user, &control:Max-All-Session value (1464051644) is greater than counter value (1463966096) (4) expired_Xh: Setting &reply:Session-Timeout value to 85548 (4) [expired_Xh] = ok (4) [expiration] = noop (4) [logintime] = noop (4) [pap] = updated (4) } # authorize = updated (4) Found Auth-Type = PAP (4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (4) Auth-Type PAP { (4) pap: Login attempt with password (4) pap: Comparing with "known good" Cleartext-Password (4) pap: ERROR: Cleartext password "dop" does not match "known good" password (4) pap: Passwords don't match (4) [pap] = reject (4) } # Auth-Type PAP = reject (4) Failed to authenticate the user (4) WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! (4) Using Post-Auth-Type Reject (4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (4) Post-Auth-Type REJECT { (4) sql: EXPAND .query (4) sql: --> .query (4) sql: Using query template 'query' rlm_sql (sql): Reserved connection (8) (4) sql: EXPAND %{User-Name} (4) sql: --> dop (4) sql: SQL-User-Name set to 'dop' (4) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (4) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dop', '=3D08=5Cn=3D0D=3D7FINCORRECT', 'Access-Reject', '2016-05-24 02:14:56') (4) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dop', '=3D08=5Cn=3D0D=3D7FINCORRECT', 'Access-Reject', '2016-05-24 02:14:56') (4) sql: SQL query returned: success (4) sql: 1 record(s) updated rlm_sql (sql): Released connection (8) (4) [sql] = ok (4) attr_filter.access_reject: EXPAND %{User-Name} (4) attr_filter.access_reject: --> dop (4) attr_filter.access_reject: Matched entry DEFAULT at line 11 (4) [attr_filter.access_reject] = updated (4) [eap] = noop (4) policy remove_reply_message_if_eap { (4) if (&reply:EAP-Message && &reply:Reply-Message) { (4) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (4) else { (4) [noop] = noop (4) } # else = noop (4) } # policy remove_reply_message_if_eap = noop (4) } # Post-Auth-Type REJECT = updated (4) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (5) Received Access-Request Id 39 from 127.0.0.1:52494 to 127.0.0.1:1812 length 84 (5) User-Name = "dop" (5) User-Password = "\010\n\r\177INCORRECT" (5) NAS-IP-Address = 192.168.23.31 (5) NAS-Identifier = "sshd" (5) NAS-Port = 92450 (5) NAS-Port-Type = Virtual (5) Service-Type = Authenticate-Only (5) Calling-Station-Id = "127.0.0.1" (5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "dop", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: No EAP-Message, not doing EAP (5) [eap] = noop (5) [files] = noop (5) sql: EXPAND %{User-Name} (5) sql: --> dop (5) sql: SQL-User-Name set to 'dop' rlm_sql (sql): Reserved connection (10) (5) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (5) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dop' ORDER BY id (5) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dop' ORDER BY id (5) sql: User found in radcheck table (5) sql: Conditional check items matched, merging assignment check items (5) sql: Cleartext-Password := "dop" (5) sql: Max-All-Session := 1464051644 (5) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (5) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dop' ORDER BY id (5) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dop' ORDER BY id (5) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (5) sql: --> SELECT groupname FROM radusergroup WHERE username = 'dop' ORDER BY priority (5) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'dop' ORDER BY priority (5) sql: User not found in any groups rlm_sql (sql): Released connection (10) (5) [sql] = ok sqlcounter_expand: 'select UNIX_TIMESTAMP(sysdate()) - value from raduser_connection_time where username='%{User-Name}';' (5) expired_Xh: EXPAND %{User-Name} (5) expired_Xh: --> dop (5) expired_Xh: SQL-User-Name set to 'dop' rlm_sql (sql): Reserved connection (9) (5) expired_Xh: Executing select query: select UNIX_TIMESTAMP(sysdate()) - value from raduser_connection_time where username='dop'; rlm_sql (sql): Released connection (9) (5) expired_Xh: EXPAND %{sql:select UNIX_TIMESTAMP(sysdate()) - value from raduser_connection_time where username='%{User-Name}';} (5) expired_Xh: --> 1463966097 (5) expired_Xh: Allowing user, &control:Max-All-Session value (1464051644) is greater than counter value (1463966097) (5) expired_Xh: Setting &reply:Session-Timeout value to 85547 (5) [expired_Xh] = ok (5) [expiration] = noop (5) [logintime] = noop (5) [pap] = updated (5) } # authorize = updated (5) Found Auth-Type = PAP (5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (5) Auth-Type PAP { (5) pap: Login attempt with password (5) pap: Comparing with "known good" Cleartext-Password (5) pap: ERROR: Cleartext password "dop" does not match "known good" password (5) pap: Passwords don't match (5) [pap] = reject (5) } # Auth-Type PAP = reject (5) Failed to authenticate the user (5) WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! (5) Using Post-Auth-Type Reject (5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (5) Post-Auth-Type REJECT { (5) sql: EXPAND .query (5) sql: --> .query (5) sql: Using query template 'query' rlm_sql (sql): Reserved connection (8) (5) sql: EXPAND %{User-Name} (5) sql: --> dop (5) sql: SQL-User-Name set to 'dop' (5) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (5) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dop', '=3D08=5Cn=3D0D=3D7FINCORRECT', 'Access-Reject', '2016-05-24 02:14:57') (5) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dop', '=3D08=5Cn=3D0D=3D7FINCORRECT', 'Access-Reject', '2016-05-24 02:14:57') (5) sql: SQL query returned: success (5) sql: 1 record(s) updated rlm_sql (sql): Released connection (8) (5) [sql] = ok (5) attr_filter.access_reject: EXPAND %{User-Name} (5) attr_filter.access_reject: --> dop (5) attr_filter.access_reject: Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) [eap] = noop (5) policy remove_reply_message_if_eap { (5) if (&reply:EAP-Message && &reply:Reply-Message) { (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (5) else { (5) [noop] = noop (5) } # else = noop (5) } # policy remove_reply_message_if_eap = noop (5) } # Post-Auth-Type REJECT = updated (5) Delaying response for 1.000000 seconds (4) Sending delayed response (4) Sent Access-Reject Id 3 from 172.16.173.31:1812 to 172.16.173.31:52494 length 20 Waking up in 0.3 seconds. Waking up in 0.6 seconds. (5) Sending delayed response (5) Sent Access-Reject Id 39 from 127.0.0.1:1812 to 127.0.0.1:52494 length 20 Waking up in 3.0 seconds. (4) Cleaning up request packet ID 3 with timestamp +169 Waking up in 0.9 seconds. (5) Cleaning up request packet ID 39 with timestamp +170 Ready to process requests This email is confidential and may be subject to privilege. If you are not the intended recipient, please do not copy or disclose its content but contact the sender immediately upon receipt.
HI Herwin
(4) WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
This pretty much sounds like the most plausible cause to me.
Thanks for the feedback. Normally the password is input into the DB through a python script. It is straight forward what the problem is but cannot get why the password is invalid while through radtest it works fine. Adding manually the "dop" (without the ") into the DB doesn't even work. Anyway adding to clients also 192.168 doesn't help. BR Joaquin This email is confidential and may be subject to privilege. If you are not the intended recipient, please do not copy or disclose its content but contact the sender immediately upon receipt.
On Tue, May 24, 2016 at 01:19:09AM +0000, Joaquin Alzola wrote:
But not successful on ssh. It clearly says that the passwords do not match but checking in SQL I have this line: +----+----------+--------------------+----+------------------------------------+ | id | username | attribute | op | value | +----+----------+--------------------+----+------------------------------------+ | 42 | dop | Max-All-Session | := | 1464051644 | | 41 | dop | Cleartext-Password | := | dop |
(4) Received Access-Request Id 3 from 172.16.173.31:52494 to 172.16.173.31:1812 length 84 (4) User-Name = "dop" (4) User-Password = "\010\n\r\177INCORRECT"
ssh isn't sending "dop" as the password; it's sending "\010\n\r\177INCORRECT". FreeRADIUS is working fine. I suggest you dig into what's happening on the client side. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Tue, May 24, 2016 at 01:19:09AM +0000, Joaquin Alzola wrote:
(4) Received Access-Request Id 3 from 172.16.173.31:52494 to 172.16.173.31:1812 length 84 (4) User-Name = "dop" (4) User-Password = "\010\n\r\177INCORRECT"
ssh isn't sending "dop" as the password; it's sending "\010\n\r\177INCORRECT".
FreeRADIUS is working fine. I suggest you dig into what's happening on the client side.
Totally right Matthew. You gave me the lead to the issue and now it is solved. Problem: User was not created on the /etc/passwd. After executing: /usr/sbin/useradd -m dop Freeradius is working as it should work. Thanks for the lead. This email is confidential and may be subject to privilege. If you are not the intended recipient, please do not copy or disclose its content but contact the sender immediately upon receipt.
participants (3)
-
Herwin Weststrate -
Joaquin Alzola -
Matthew Newton