users authentication problem
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, ...we recently upgraded vom freeradius 0.9 to freeradius 2.1.4. Unfortunately local users cannot be authenticated anymore. This morning I used the default configuration files from 2.1.4 and started from scratch. My first objective was to get any valid response from the freeradiusd - but unluckily, without success. In the users file, I enabled the following line: lameuser Auth-Type := Reject Reply-Message = "Your account has been disabled." one entry in clients.conf for localhost testing: client localhost { ipaddr = 127.0.0.1 secret = testing123 require_message_authenticator = no nastype = other virtual_server = default } sites-enabled/default: authorize { chap suffix eap { ok = return } files expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix eap files } I think that must be the main configuration items for my very basic test. Then I run freeradiusd -X -xx and test the user via radclient: echo "User-Name=lameuser, Password=bla, NAS-IP-Address=127.0.0.1" | radclient - -r 1 -x -s 127.0.0.1 auth 'testing123' results in: Sending Access-Request of id 20 to 127.0.0.1 port 1812 User-Name = "lameuser" Password = "bla" NAS-IP-Address = 127.0.0.1 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=20, length=20 Total approved auths: 0 Total denied auths: 1 Total lost auths: 0 The radiusd logs the following: Tue May 12 11:31:58 2009 : Debug: Listening on authentication address * port 1812 Tue May 12 11:31:58 2009 : Debug: Listening on accounting address * port 1813 Tue May 12 11:31:58 2009 : Debug: Listening on command file /var/run/freeradius/run/radiusd/radiusd.sock Tue May 12 11:31:58 2009 : Debug: Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 33013, id=5, length=54 User-Name = "lameuser" User-Password = "bla" NAS-IP-Address = 127.0.0.1 Tue May 12 11:32:04 2009 : Info: server default { Tue May 12 11:32:04 2009 : Info: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Tue May 12 11:32:04 2009 : Info: Failed to authenticate the user. Tue May 12 11:32:04 2009 : Info: } # server default - -> the user gets rejected, but not because of the Auth-Type := Reject setting in the users file. This is the same behaviour we observer when configuring "real" user accounts having a password associated, like the following: testuser Auth-Type := Local, Cleartext-Password == "blabla" server log says: Tue May 12 11:35:50 2009 : Info: server default { Tue May 12 11:35:50 2009 : Info: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Tue May 12 11:35:50 2009 : Info: Failed to authenticate the user. Tue May 12 11:35:50 2009 : Info: } # server default Thanks for any hints troubleshooting this! Regards, Andy -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkoJQ+MACgkQRrny/uOBVy7sggCfRfAjnhIkHwQbElEUwwZWPM4L DIEAniJziPLwpdyQKAWpa/vJvGAftmq1 =4Tih -----END PGP SIGNATURE-----
Andreas Bourges wrote:
-> the user gets rejected, but not because of the Auth-Type := Reject setting in the users file. This is the same behaviour we observer when configuring "real" user accounts having a password associated, like the following:
testuser Auth-Type := Local, Cleartext-Password == "blabla"
See the FAQ for the *CORRECT* configuration: testuser Cleartext-Password := "blabla" Do NOT set Auth-Type. Alan DeKok.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, On Tuesday 12 May 2009 11:57:14 Alan DeKok wrote:
Andreas Bourges wrote:
-> the user gets rejected, but not because of the Auth-Type := Reject setting in the users file. This is the same behaviour we observer when configuring "real" user accounts having a password associated, like the following:
testuser Auth-Type := Local, Cleartext-Password == "blabla"
See the FAQ for the *CORRECT* configuration:
Jep, sorry - should have had a look there, first. But even the simplest example from the FAQ doesn't work: bob Cleartext-Password := "bob" Reply-Message = "Hello, bob" rad_recv: Access-Request packet from host 127.0.0.1 port 33026, id=225, length=55 User-Name = "bob" User-Password = "bob" NAS-IP-Address = 10.0.0.206 NAS-Port = 0 Tue May 12 13:25:55 2009 : Info: server default { Tue May 12 13:25:55 2009 : Info: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Tue May 12 13:25:55 2009 : Info: Failed to authenticate the user. Tue May 12 13:25:55 2009 : Info: } # server default
testuser Cleartext-Password := "blabla"
Thanks for the tip, but it didn't help, same msg from radiusd as before.
Do NOT set Auth-Type.
I must be doing something very basic wrong, I guess. Could it be a build problem (compiled freeradius from source on my own). Where can I look further? thanks for any hint, Andy -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkoJXb4ACgkQRrny/uOBVy4iAwCdHRdd3Kk8bZe+Fb1QfKCar1V2 A7oAoMKKJFqTYyr47Mx/nTbAH+K41ihs =PYiY -----END PGP SIGNATURE-----
sites-enabled/default:
authorize { chap suffix eap { ok = return } files expiration logintime pap } ... Tue May 12 11:35:50 2009 : Info: server default { Tue May 12 11:35:50 2009 : Info: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
I can't see any of the authorize modules being used. Why don't you first use the default configuration. Just add the user entry at the top of the users file. Ivan
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, ...I would have bet that I had done exactly these steps this morning. But nevertheless I tried it another time and - succeeded. Thanks for pushing my nose on this again and again - it finally helped :) I will try to find the differences between the two versions... thanks and regards, Andy On Tuesday 12 May 2009 13:37:07 Ivan Kalik wrote:
sites-enabled/default:
authorize { chap suffix eap { ok = return } files expiration logintime pap }
...
Tue May 12 11:35:50 2009 : Info: server default { Tue May 12 11:35:50 2009 : Info: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
I can't see any of the authorize modules being used. Why don't you first use the default configuration. Just add the user entry at the top of the users file.
Ivan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkoJZQMACgkQRrny/uOBVy57hACgjlsNGxq8naeWGD7W6tY3JvSq 5dkAoJhatzqx9IJR0LjvVg9amIK6WCIr =ek/G -----END PGP SIGNATURE-----
participants (3)
-
Alan DeKok -
Andreas Bourges -
Ivan Kalik