Hi - we recently upgraded to version 2.1.8 (freeradius) and my authentication does not work any more. This used to work (configured in Radius): basic-a User-Password == "csetestp" User-Name =~ "^([aA-zZ]+)-([aA-zZ]+)$", Framed-Pool := "21", Class := 2, Session-Timeout := 600, Fall-Through = No This is not pap/chap authentication - our NAS is sending auth-req for a DHCP user. I also tried to change to cleartext-password. Also I tried this: basic-a Auth-Type := Local, User-Password == "csetestp" but no luck This is what I'm getting on Radius: rad_recv: Access-Request packet from host 114.0.1.11 port 50633, id=62, length=78 User-Name = "basic-a" User-Password = "csetestp" NAS-IP-Address = 2.2.2.2 NAS-Port-Type = Ethernet NAS-Port-Id = "1/1/5:4" NAS-Identifier = "right-b4" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "basic-a", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] expand: %{User-Name} -> basic-a [files] expand: %{User-Name} -> basic-a [files] expand: %{User-Name} -> basic-a [files] expand: %{User-Name} -> basic-a WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. [files] users: Matched entry basic-a at line 106 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = Local WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. No "known good" password was configured for the user. As a result, we cannot authenticate the user. Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> basic-a attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 62 to 114.0.1.11 port 50633 Waking up in 4.9 seconds. Cleaning up request 1 ID 62 with timestamp +37 Ready to process requests.
I also noticed that it is failing for PPP users as well: prko Auth-Type := Local, User-Password == "xxxx" Framed-Pool := "22", Framed-IP-Netmask := 255.255.0.0, Fall-Through = No With this: rad_recv: Access-Request packet from host 114.0.1.11 port 50633, id=63, length=146 User-Name = "prko" NAS-IP-Address = 2.2.2.2 Service-Type = Framed-User Framed-Protocol = PPP CHAP-Password = 0x019d64425b84c05b4dbef1cfc5d2665937 CHAP-Challenge = 0xe546ec9fc842c4fe4dbaaf0c23cb4724b5f8ab7bc3522ea4d1cc9a455d2437446a2463b26628b13363e0bf862d072b627fd6dd43a98be87b NAS-Port-Type = 33 NAS-Port-Id = "1/1/5:2" NAS-Identifier = "right-b4" +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "prko", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] expand: %{User-Name} -> prko [files] expand: %{User-Name} -> prko [files] expand: %{User-Name} -> prko [files] expand: %{User-Name} -> prko WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. [files] users: Matched entry prko at line 244 [files] expand: %{NAS-Port-Id}-%{User-Name} -> 1/1/5:2-prko ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = Local WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. No "known good" password was configured for the user. As a result, we cannot authenticate the user. Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> prko attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 63 to 114.0.1.11 port 50633 Waking up in 4.9 seconds. Cleaning up request 2 ID 63 with timestamp +1009 Ready to process requests. On Wed, Sep 22, 2010 at 2:59 PM, Marlon Duksa <mduksa@gmail.com> wrote:
Hi - we recently upgraded to version 2.1.8 (freeradius) and my authentication does not work any more.
This used to work (configured in Radius):
basic-a User-Password == "csetestp" User-Name =~ "^([aA-zZ]+)-([aA-zZ]+)$", Framed-Pool := "21", Class := 2, Session-Timeout := 600, Fall-Through = No
This is not pap/chap authentication - our NAS is sending auth-req for a DHCP user.
I also tried to change to cleartext-password. Also I tried this: basic-a Auth-Type := Local, User-Password == "csetestp" but no luck
This is what I'm getting on Radius:
rad_recv: Access-Request packet from host 114.0.1.11 port 50633, id=62, length=78 User-Name = "basic-a" User-Password = "csetestp" NAS-IP-Address = 2.2.2.2 NAS-Port-Type = Ethernet NAS-Port-Id = "1/1/5:4" NAS-Identifier = "right-b4" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "basic-a", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] expand: %{User-Name} -> basic-a [files] expand: %{User-Name} -> basic-a [files] expand: %{User-Name} -> basic-a [files] expand: %{User-Name} -> basic-a WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. [files] users: Matched entry basic-a at line 106 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = Local WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. No "known good" password was configured for the user. As a result, we cannot authenticate the user. Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> basic-a attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 62 to 114.0.1.11 port 50633 Waking up in 4.9 seconds. Cleaning up request 1 ID 62 with timestamp +37 Ready to process requests.
I resolved this. Thanks. On Wed, Sep 22, 2010 at 2:59 PM, Marlon Duksa <mduksa@gmail.com> wrote:
Hi - we recently upgraded to version 2.1.8 (freeradius) and my authentication does not work any more.
This used to work (configured in Radius):
basic-a User-Password == "csetestp" User-Name =~ "^([aA-zZ]+)-([aA-zZ]+)$", Framed-Pool := "21", Class := 2, Session-Timeout := 600, Fall-Through = No
This is not pap/chap authentication - our NAS is sending auth-req for a DHCP user.
I also tried to change to cleartext-password. Also I tried this: basic-a Auth-Type := Local, User-Password == "csetestp" but no luck
This is what I'm getting on Radius:
rad_recv: Access-Request packet from host 114.0.1.11 port 50633, id=62, length=78 User-Name = "basic-a" User-Password = "csetestp" NAS-IP-Address = 2.2.2.2 NAS-Port-Type = Ethernet NAS-Port-Id = "1/1/5:4" NAS-Identifier = "right-b4" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "basic-a", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] expand: %{User-Name} -> basic-a [files] expand: %{User-Name} -> basic-a [files] expand: %{User-Name} -> basic-a [files] expand: %{User-Name} -> basic-a WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. [files] users: Matched entry basic-a at line 106 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = Local WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. No "known good" password was configured for the user. As a result, we cannot authenticate the user. Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> basic-a attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 62 to 114.0.1.11 port 50633 Waking up in 4.9 seconds. Cleaning up request 1 ID 62 with timestamp +37 Ready to process requests.
participants (1)
-
Marlon Duksa