RE:huntgroups are failing auth - missing Chap Password
OK, I must be missing something here, likely due to my limited experience with FreeRADIUS. After re-reading the instructions in the users file the only thing I can see that is relevant when using huntgroups is an entry for a user that has no User-Password attribute assigned which I assume means that the default Auth-Type System will kick in and look the password up in an other file someplace. What I don't know is the location of this file and how to go about adding the password for my users. Is the use of a huntgroups file the best way for me to accomplish what I am trying to do? I want to limit user Bob so that he can only login from one specific access point. Thanks for the previous advice and in advance for any more. BTW: Sorry if this posting has broken the original thread.
Read instructions in users file about which password attribute should you be using. User-Password is wrong for 1.1.7.
Ivan Kalik Kalik Informatika ISP
Dana 14/9/2007, "Terry Pelley" <Terry.Pelley at ocdsb.ca> pie:
FreeRADIUS Version 1.1.7
I am using the FreeRADIUS.net Windows version of the software. at least for the time being.
I am trying to set up a very basic single user account for a very specific purpose and have created the account as follows.
hunttest User-Password == "hunttest", Huntgroup-Name == "hunttest"
My huntgroups file has a huntgroup called hunttest with a single NAS IP Address listed as follows.
public NAS-IP-Address == 10.252.9.2
when the user huntest attempts to authenticate it fails. My RADIUS Log shows the following entry.
Wed May 7 15:07:25 2008 : Auth: Login incorrect (rlm_chap: Clear text password not available): [hunttest/<CHAP-Password>] (from client NAS04 port 5 cli 00-1E-8C-0E-8E-70) Wed May 7 15:07:25 2008 : Auth: Login incorrect (rlm_chap: Clear text password not available): [hunttest/<CHAP-Password>] (from client NAS04 port 5 cli 00-1E-8C-0E-8E-70)
Can some one tell me what is wrong. I am simply trying to create a config that will allow the user hunttest to authenticate only if the request comes from the client NAS04. Perhaps a huntgroup is not the best way to do this.
I must be missing something here, likely due to my limited experience with FreeRADIUS.
No, all you have to do is to be able to read. With care and understanding.
After re-reading the instructions in the users file the only thing I can see that is relevant when using huntgroups is an entry for a user that has no User-Password attribute assigned which I assume means that the default Auth-Type System will kick in and look the password up in an other file someplace. What I don't know is the location of this file and how to go about adding the password for my users.
Forget hungroups. That part is fine. Password attribute is the problem. So you have re-read instructions in users file. Did you find User-Password used in any of the examples? Or perhaps some other password attribute? The one that debug suggests is missing?
Is the use of a huntgroups file the best way for me to accomplish what I am trying to do? I want to limit user Bob so that he can only login from one specific access point.
For a single device NAS-IP-Address should be better (avoiding use of huntgroups). For a groups of devices hungroups work well as long as the (hunt)groups don't overlap. Ivan Kalik Kalik Informatika ISP
FreeRadius users mailing list <freeradius-users@lists.freeradius.org> writes:
I must be missing something here, likely due to my limited experience with FreeRADIUS.
No, all you have to do is to be able to read. With care and understanding.
OK, I'll Re-read again.
After re-reading the instructions in the users file the only thing I can see that is relevant when using huntgroups is an entry for a user that has no User-Password attribute assigned which I assume means that the default Auth-Type System will kick in and look the password up in an other file someplace. What I don't know is the location of this file and how to go about adding the password for my users.
Forget hungroups. That part is fine. Password attribute is the problem. So you have re-read instructions in users file. Did you find User-Password used in any of the examples? Or perhaps some other password attribute? The one that debug suggests is missing?
As I said before, the only example of using a huntgroup I can see in the users file does not list a password attribute at all. so assuming that I should set the attribute to either CHAP-Password =="password" or Cleartext-Password == "password" I tried both and of course neither works. testuser Huntgroup-Name =="testgroup", CHAP-Password == "password" yields the same error as having used Cleartext-Password, User-Password or no password at all.
Is the use of a huntgroups file the best way for me to accomplish what I am trying to do? I want to limit user Bob so that he can only login from one specific access point.
For a single device NAS-IP-Address should be better (avoiding use of huntgroups). For a groups of devices hungroups work well as long as the (hunt)groups don't overlap.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Terry Pelley wrote:
As I said before, the only example of using a huntgroup I can see in the users file does not list a password attribute at all.
Because the "huntgroups" file isn't about setting the password. i.e. it doesn't *do* that. It's not *supposed* to do that.
Is the use of a huntgroups file the best way for me to accomplish what I am trying to do? I want to limit user Bob so that he can only login from one specific access point.
"users" file: bob Client-IP-Address != 1.2.3.4, Auth-Type := Reject That's it. No huntgroups are necessary. Alan DeKok.
How difficult can it be to follow clearly written instructions?
As I said before, the only example of using a huntgroup I can see in the users file does not list a password attribute at all. so assuming that I should set the attribute to either CHAP-Password =="password" or Cleartext-Password == "password" I tried both and of course neither works.
No. It doesn't. Why? Let's have a look at the password entry from users file: Cleartext-Password := "testing" Can you see *any* difference between that and what you were using? Fix it and it will work.
testuser Huntgroup-Name =="testgroup", CHAP-Password == "password" yields the same error as having used Cleartext-Password, User-Password or no password at all.
"like no password at all" - exactly. Your password entry is wrong. Use entries that documentation suggests. Stop hanging hopelessly to the way "it used to be" - I think that you have established by now that the "old way" doesn't work. Ivan Kalik Kalik Informatika ISP
Thanks to all who offered assistance. I figured it out. FreeRadius users mailing list <freeradius-users@lists.freeradius.org> writes:
FreeRadius users mailing list <[ mailto:freeradius-users@lists.freeradius.org ]freeradius-users@lists.freeradius.org> writes:
I must be missing something here, likely due to my limited experience with FreeRADIUS.
No, all you have to do is to be able to read. With care and understanding.
OK, I'll Re-read again.
After re-reading the instructions in the users file the only thing I can see that is relevant when using huntgroups is an entry for a user that has no User-Password attribute assigned which I assume means that the default Auth-Type System will kick in and look the password up in an other file someplace. What I don't know is the location of this file and how to go about adding the password for my users.
Forget hungroups. That part is fine. Password attribute is the problem. So you have re-read instructions in users file. Did you find User-Password used in any of the examples? Or perhaps some other password attribute? The one that debug suggests is missing?
As I said before, the only example of using a huntgroup I can see in the users file does not list a password attribute at all. so assuming that I should set the attribute to either CHAP-Password =="password" or Cleartext-Password == "password" I tried both and of course neither works.
testuser Huntgroup-Name =="testgroup", CHAP-Password == "password" yields the same error as having used Cleartext-Password, User-Password or no password at all.
Is the use of a huntgroups file the best way for me to accomplish what I am trying to do? I want to limit user Bob so that he can only login from one specific access point.
For a single device NAS-IP-Address should be better (avoiding use of huntgroups). For a groups of devices hungroups work well as long as the (hunt)groups don't overlap.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See [ http://www.freeradius.org/list/users.html ]http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Ivan Kalik -
Terry Pelley