Fwd: failure log from radius debug
please diagnose why radius feels that my server has declined the user/password? both these user attempts used their correct password, yet the log says it was invalid. Thanks! -------- Original Message -------- Subject: failure log from radius debug Date: Tue, 29 Nov 2011 10:50:29 -0800 From: Charlie Root To: jim@paz.bz Tue Nov 29 10:42:30 2011 : Info: Ready to process requests. rad_recv: Access-Request packet from host 209.53.238.13 port 513, id=118, length=95 User-Name = "carlmerk" User-Password = "mushXX" NAS-Port = 15 NAS-Port-Type = Async NAS-Identifier = "ras" Called-Station-Id = "unknown" Calling-Station-Id = "unknown" Service-Type = Framed-User Framed-Protocol = PPP Tue Nov 29 10:44:13 2011 : Info: # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default Tue Nov 29 10:44:13 2011 : Info: +- entering group authorize {...} Tue Nov 29 10:44:13 2011 : Info: ++[preprocess] returns ok Tue Nov 29 10:44:13 2011 : Info: ++[chap] returns noop Tue Nov 29 10:44:13 2011 : Info: ++[mschap] returns noop Tue Nov 29 10:44:13 2011 : Info: ++[digest] returns noop Tue Nov 29 10:44:13 2011 : Info: [suffix] No '@' in User-Name = "carlmerk", looking up realm NULL Tue Nov 29 10:44:13 2011 : Info: [suffix] No such realm "NULL" Tue Nov 29 10:44:13 2011 : Info: ++[suffix] returns noop Tue Nov 29 10:44:13 2011 : Info: [eap] No EAP-Message, not doing EAP Tue Nov 29 10:44:13 2011 : Info: ++[eap] returns noop Tue Nov 29 10:44:13 2011 : Info: [files] users: Matched entry DEFAULT at line 50 Tue Nov 29 10:44:13 2011 : Info: ++[files] returns ok Tue Nov 29 10:44:13 2011 : Info: ++[expiration] returns noop Tue Nov 29 10:44:13 2011 : Info: ++[logintime] returns noop Tue Nov 29 10:44:13 2011 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. Tue Nov 29 10:44:13 2011 : Info: ++[pap] returns noop Tue Nov 29 10:44:13 2011 : Info: Found Auth-Type = System Tue Nov 29 10:44:13 2011 : Info: # Executing group from file /usr/local/etc/raddb/sites-enabled/default Tue Nov 29 10:44:13 2011 : Info: +- entering group authenticate {...} Tue Nov 29 10:44:13 2011 : Auth: [unix] invalid password "carlmerk" Tue Nov 29 10:44:13 2011 : Info: ++[unix] returns reject Tue Nov 29 10:44:13 2011 : Info: Failed to authenticate the user. Tue Nov 29 10:44:13 2011 : Auth: Login incorrect: [carlmerk/mushXX] (from client localhost port 15 cli unknown) Tue Nov 29 10:44:13 2011 : Info: Using Post-Auth-Type Reject Tue Nov 29 10:44:13 2011 : Info: # Executing group from file /usr/local/etc/raddb/sites-enabled/default Tue Nov 29 10:44:13 2011 : Info: +- entering group REJECT {...} Tue Nov 29 10:44:13 2011 : Info: [attr_filter.access_reject] expand: %{User-Name} -> carlmerk Tue Nov 29 10:44:13 2011 : Debug: attr_filter: Matched entry DEFAULT at line 11 Tue Nov 29 10:44:13 2011 : Info: ++[attr_filter.access_reject] returns updated Tue Nov 29 10:44:13 2011 : Info: Delaying reject of request 0 for 1 seconds Tue Nov 29 10:44:13 2011 : Debug: Going to the next request Tue Nov 29 10:44:13 2011 : Debug: Waking up in 0.9 seconds. Tue Nov 29 10:44:14 2011 : Info: Sending delayed reject for request 0 Sending Access-Reject of id 118 to 209.53.238.13 port 513 Tue Nov 29 10:44:14 2011 : Debug: Waking up in 4.9 seconds. Tue Nov 29 10:44:19 2011 : Info: Cleaning up request 0 ID 118 with timestamp +103 Tue Nov 29 10:44:19 2011 : Info: Ready to process requests. rad_recv: Access-Request packet from host 209.53.238.13 port 513, id=119, length=95 User-Name = "carollyn" User-Password = "carolXX" NAS-Port = 2 NAS-Port-Type = Async NAS-Identifier = "ras" Called-Station-Id = "unknown" Calling-Station-Id = "unknown" Service-Type = Framed-User Framed-Protocol = PPP Tue Nov 29 10:44:20 2011 : Info: # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default Tue Nov 29 10:44:20 2011 : Info: +- entering group authorize {...} Tue Nov 29 10:44:20 2011 : Info: ++[preprocess] returns ok Tue Nov 29 10:44:20 2011 : Info: ++[chap] returns noop Tue Nov 29 10:44:20 2011 : Info: ++[mschap] returns noop Tue Nov 29 10:44:20 2011 : Info: ++[digest] returns noop Tue Nov 29 10:44:20 2011 : Info: [suffix] No '@' in User-Name = "carollyn", looking up realm NULL Tue Nov 29 10:44:20 2011 : Info: [suffix] No such realm "NULL" Tue Nov 29 10:44:20 2011 : Info: ++[suffix] returns noop Tue Nov 29 10:44:20 2011 : Info: [eap] No EAP-Message, not doing EAP Tue Nov 29 10:44:20 2011 : Info: ++[eap] returns noop Tue Nov 29 10:44:20 2011 : Info: [files] users: Matched entry DEFAULT at line 50 Tue Nov 29 10:44:20 2011 : Info: ++[files] returns ok Tue Nov 29 10:44:20 2011 : Info: ++[expiration] returns noop Tue Nov 29 10:44:20 2011 : Info: ++[logintime] returns noop Tue Nov 29 10:44:20 2011 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. Tue Nov 29 10:44:20 2011 : Info: ++[pap] returns noop Tue Nov 29 10:44:20 2011 : Info: Found Auth-Type = System Tue Nov 29 10:44:20 2011 : Info: # Executing group from file /usr/local/etc/raddb/sites-enabled/default Tue Nov 29 10:44:20 2011 : Info: +- entering group authenticate {...} Tue Nov 29 10:44:20 2011 : Auth: [unix] invalid password "carollyn" Tue Nov 29 10:44:20 2011 : Info: ++[unix] returns reject Tue Nov 29 10:44:20 2011 : Info: Failed to authenticate the user. Tue Nov 29 10:44:20 2011 : Auth: Login incorrect: [carollyn/carolXX] (from client localhost port 2 cli unknown) Tue Nov 29 10:44:20 2011 : Info: Using Post-Auth-Type Reject Tue Nov 29 10:44:20 2011 : Info: # Executing group from file /usr/local/etc/raddb/sites-enabled/default Tue Nov 29 10:44:20 2011 : Info: +- entering group REJECT {...} Tue Nov 29 10:44:20 2011 : Info: [attr_filter.access_reject] expand: %{User-Name} -> carollyn Tue Nov 29 10:44:20 2011 : Debug: attr_filter: Matched entry DEFAULT at line 11 Tue Nov 29 10:44:20 2011 : Info: ++[attr_filter.access_reject] returns updated Tue Nov 29 10:44:20 2011 : Info: Delaying reject of request 1 for 1 seconds Tue Nov 29 10:44:20 2011 : Debug: Going to the next request Tue Nov 29 10:44:20 2011 : Debug: Waking up in 0.9 seconds. Tue Nov 29 10:44:21 2011 : Info: Sending delayed reject for request 1 Sending Access-Reject of id 119 to 209.53.238.13 port 513 Tue Nov 29 10:44:21 2011 : Debug: Waking up in 4.9 seconds. Tue Nov 29 10:44:26 2011 : Info: Cleaning up request 1 ID 119 with timestamp +110 Tue Nov 29 10:44:26 2011 : Info: Ready to process requests. ^\Quit auth# ^Dexit Script done on Tue Nov 29 10:44:31 2011
Jim Pazarena wrote:
please diagnose why radius feels that my server has declined the user/password?
Because the password is wrong.
both these user attempts used their correct password, yet the log says it was invalid.
<shrug> FreeRADIUS uses the system libraries to do the password checks. If the system says that the password is wrong, FreeRADIUS can't do much about it. Alan DeKok.
Hi,
please diagnose why radius feels that my server has declined the user/password? both these user attempts used their correct password, yet the log says it was invalid.
Tue Nov 29 10:44:13 2011 : Info: [files] users: Matched entry DEFAULT at line 50 Tue Nov 29 10:44:13 2011 : Info: ++[files] returns ok
whats at line 50 of the 'users' file?
Tue Nov 29 10:44:13 2011 : Info: +- entering group authenticate {...} Tue Nov 29 10:44:13 2011 : Auth: [unix] invalid password "carlmerk" Tue Nov 29 10:44:13 2011 : Info: ++[unix] returns reject
the passwd/unix module believes that the password isnt correct. is it correct/valid/current - or is the account invalid/expired/locked/no home etc ? is this a PAP, CHAP or MSCHAPv2 system? alan
On 2011-11-29 11:44 AM, Alan Buxey wrote:
Hi,
Tue Nov 29 10:44:13 2011 : Info: [files] users: Matched entry DEFAULT at line 50 Tue Nov 29 10:44:13 2011 : Info: ++[files] returns ok
whats at line 50 of the 'users' file?
50-> DEFAULT Auth-Type = System
Tue Nov 29 10:44:13 2011 : Info: +- entering group authenticate {...} Tue Nov 29 10:44:13 2011 : Auth: [unix] invalid password "carlmerk" Tue Nov 29 10:44:13 2011 : Info: ++[unix] returns reject
the same user ID/pwd can login via ftp or ssh, so I suspect that the password as submitted is correct.
the passwd/unix module believes that the password isnt correct. is it correct/valid/current - or is the account invalid/expired/locked/no home etc ?
is this a PAP, CHAP or MSCHAPv2 system?
PAP. This is most baffling. When I ran cistron, it just "worked"; but I switched to 64-bit FreeBSD, and cistron doesn't like a 64-bit OS. I tried the login with 3 user IDs including my own, and all fail. Any suggestions would be most appreciated. Is it possible that freeradius2 needs compiling with special flags for a 64-bit OS? -- Jim Pazarena work:250 559-7777 Box 550 - 405 2nd Avenue fax: 866 279-3608 Queen Charlotte BC V0T 1S0 mailto:jim@paz.bz
Jim Pazarena wrote:
This is most baffling. When I ran cistron, it just "worked"; but I switched to 64-bit FreeBSD, and cistron doesn't like a 64-bit OS.
Cistron is old...
I tried the login with 3 user IDs including my own, and all fail. Any suggestions would be most appreciated. Is it possible that freeradius2 needs compiling with special flags for a 64-bit OS?
No. FreeRADIUS is 64-bit clean. My guess is that the passwords on 64-bit FreeBSD are *not* encrypted with the "crypt" function. There is some other API necessary to do password checks. I don't run FreeBSD, so I don't know what that is. Alan DeKok.
Hi,
No. FreeRADIUS is 64-bit clean.
My guess is that the passwords on 64-bit FreeBSD are *not* encrypted with the "crypt" function. There is some other API necessary to do password checks.
BSD is a little different ;-) http://www.bsdcertification.org/downloads/user_management.pdf /etc/master.passwd - only root can read/view this...which may be an issue if the daemon runs with another userid ...its about time I spun up a BSD box...my personal favourite was DragonflyBSD to see how things fly ;-) alan
Alan DeKok wrote, On 2011-11-30 9:47 AM:
Jim Pazarena wrote:
This is most baffling. When I ran cistron, it just "worked"; but I switched
No. FreeRADIUS is 64-bit clean.
My guess is that the passwords on 64-bit FreeBSD are *not* encrypted with the "crypt" function. There is some other API necessary to do password checks.
I don't run FreeBSD, so I don't know what that is.
Ahh. the FreeBSD docs indicate that the default for password encryption is MD5. Now I need to learn how to "use" MD5 within freeradius. Suggestions would be most appreciated. -- Jim Pazarena work:250 559-7777 Box 550 - 405 2nd Avenue fax: 866 279-3608 Queen Charlotte BC V0T 1S0 mailto:jim@paz.bz
On Thu, Dec 1, 2011 at 3:58 AM, Jim Pazarena <jim@paz.bz> wrote:
Ahh. the FreeBSD docs indicate that the default for password encryption is MD5.
Now I need to learn how to "use" MD5 within freeradius. Suggestions would be most appreciated.
FR should support MD5 just fine. Take a look at raddb/modules/passwd and see if you can adjust it. You need to run radiusd as root, of course. -- Fajar
Hello friends, I tell them: When I try to authenticate using mschap I encounter this error''NT_STATUS_WRONG_PASSWORD: Wrong Password'', yet when I do the test using authentic pap without problems. I'm trying to authenticate my freeradius server with active directory server. Greetings and waiting for your help. William Fin a la injusticia, LIBERTAD AHORA A NUESTROS CINCO COMPATRIOTAS QUE SE ENCUENTRAN INJUSTAMENTE EN PRISIONES DE LOS EEUU! http://www.antiterroristas.cu http://justiciaparaloscinco.wordpress.com
Hi,
Hello friends, I tell them: When I try to authenticate using mschap I encounter this error''NT_STATUS_WRONG_PASSWORD: Wrong Password'', yet when I do the test using authentic pap without problems. I'm trying to authenticate my freeradius server with active directory server. Greetings and waiting for your help. William
what happens when you run the ntlm_auth command direct on command line? what version of SAMBA are you running? alan
El 30/11/2011 16:57, Alan Buxey escribió:
Hi,
Hello friends, I tell them: When I try to authenticate using mschap I encounter this error''NT_STATUS_WRONG_PASSWORD: Wrong Password'', yet when I do the test using authentic pap without problems. I'm trying to authenticate my freeradius server with active directory server. Greetings and waiting for your help. William what happens when you run the ntlm_auth command direct on command line?
what version of SAMBA are you running?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Fin a la injusticia, LIBERTAD AHORA A NUESTROS CINCO COMPATRIOTAS QUE SE ENCUENTRAN INJUSTAMENTE EN PRISIONES DE LOS EEUU! http://www.antiterroristas.cu http://justiciaparaloscinco.wordpress.com Hi Alan, when I run the ntlm_auth command gives me an effective response. *ntlm_auth --request-nt-key --domain=MyDomain --username=USER--password=PASS* _/NT_STATUS_OK: Success (0x0)/_
_*freeradius -X (DEBUG MODE)*_ rad_recv: Access-Request packet from host 127.0.0.1 port 55866, id=115, length=60 User-Name = "gwilliam" User-Password = "1qazxsw23edc@" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20111130 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20111130 [auth_log] expand: %t -> Wed Nov 30 17:05:41 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++? if (!control:Auth-Type && User-Password) ? Evaluating !(control:Auth-Type ) -> TRUE ? Evaluating (User-Password) -> TRUE ++? if (!control:Auth-Type && User-Password) -> TRUE ++- entering if (!control:Auth-Type && User-Password) {...} +++[control] returns noop ++- if (!control:Auth-Type && User-Password) returns noop [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=gwilliam [ntlm_auth] expand: --password=%{User-Password} -> --password=1qazxsw23edc@ Exec-Program output: NT_STATUS_OK: Success (0x0) Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Exec-Program: returned: 0 ++[ntlm_auth] returns ok [suffix] No '@' in User-Name = "gwilliam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = ntlm_auth # Executing group from file /etc/freeradius/sites-enabled/default +- entering group ntlm_auth {...} *[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=gwilliam [ntlm_auth] expand: --password=%{User-Password} -> --password=1qazxsw23edc@ Exec-Program output: NT_STATUS_OK: Success (0x0) Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)* Exec-Program: returned: 0 ++[ntlm_auth] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 115 to 127.0.0.1 port 55866 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 115 with timestamp +34 Ready to process requests. _*when I do the test using mschap radtest-t is when the key is erroneous*_ /radtest -t mschap gwilliam 1qazxsw23edc@ localhost 0 testing123/ rad_recv: Access-Request packet from host 127.0.0.1 port 37155, id=130, length=116 User-Name = "gwilliam" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 MS-CHAP-Challenge = 0xd85c0848bec6df72 MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000d6f2f97947a122925fa9019e04b04834cc4857db4a4d359f # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20111130 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20111130 [auth_log] expand: %t -> Wed Nov 30 17:07:09 2011 ++[auth_log] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++? if (!control:Auth-Type && User-Password) ? Evaluating !(control:Auth-Type ) -> FALSE ? Skipping (User-Password) ++? if (!control:Auth-Type && User-Password) -> FALSE *[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=gwilliam [ntlm_auth] expand: --password=%{User-Password} -> --password= Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Exec-Program: returned: 1 ++[ntlm_auth] returns reject* Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> gwilliam attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 130 to 127.0.0.1 port 37155 Waking up in 4.9 seconds. Cleaning up request 1 ID 130 with timestamp +122 Ready to process requests. My samba version is 3.5.8, my OS is ubuntu server version 11.04. Thanks for you help. Fin a la injusticia, LIBERTAD AHORA A NUESTROS CINCO COMPATRIOTAS QUE SE ENCUENTRAN INJUSTAMENTE EN PRISIONES DE LOS EEUU! http://www.antiterroristas.cu http://justiciaparaloscinco.wordpress.com
Guillermo W. Llanes Suárez wrote:
_*when I do the test using mschap radtest-t is when the key is erroneous*_ /radtest -t mschap gwilliam 1qazxsw23edc@ localhost 0 testing123/
Because you edited the configuration and broke it. Don't do that. Alan DeKok.
El 01/12/2011 3:49, Alan DeKok escribió:
Because you edited the configuration and broke it.
Don't do that. thanks alan, the main problem when I try to authenticate a client EAP (PEAP) against the radius server when it attempts to authenticate using ntlm_auth is wrong, however, is effectively using PAP authentication. I think it is due to password encryption. I reviewed many manuals found in freeradius wiki, Trand any suggestions. Aware of your help William.
Fin a la injusticia, LIBERTAD AHORA A NUESTROS CINCO COMPATRIOTAS QUE SE ENCUENTRAN INJUSTAMENTE EN PRISIONES DE LOS EEUU! http://www.antiterroristas.cu http://justiciaparaloscinco.wordpress.com
2011/12/1 "Guillermo W. Llanes Suárez" <gwilliam@uci.cu>:
El 01/12/2011 3:49, Alan DeKok escribió:
Because you edited the configuration and broke it.
Don't do that.
thanks alan, the main problem when I try to authenticate a client EAP (PEAP) against the radius server when it attempts to authenticate using ntlm_auth is wrong, however, is effectively using PAP authentication. I think it is due to password encryption.
No it's not. Alan is pretty straight-forward when he said "you edited the configuration and broke it". Which, looking from the debug log you sent, is just that.
I reviewed many manuals found in freeradius wiki
If you have looked at http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO, you'd seen this line: " Updated tutorial for freeradius 2.x is at: http://deployingradius.com/documents/configuration/active_directory.html " ... and if you have looked at that page, there's a section "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP". You haven't done what it said. Hint: there's no "--password=%{User-Password}" in that section. Your debug log has it. -- Fajar
Jim Pazarena wrote:
Ahh. the FreeBSD docs indicate that the default for password encryption is MD5.
That doesn't matter.
Now I need to learn how to "use" MD5 within freeradius.
You shouldn't have to. FreeRADIUS has worked on FreeBSD for *years*. It calls a FreeBSD function to get the MD5-hashed password. It calls a FreeBSD function to turn the User-Password into an MD5-hashed password. It then compares the two. If that doesn't work, then something is wrong on the FreeBSD system. Maybe it needs another magic API to work, and FreeRADIUS doesn't use that. Alan DeKok.
On 1 Dec 2011, at 09:52, Alan DeKok wrote:
Jim Pazarena wrote:
Ahh. the FreeBSD docs indicate that the default for password encryption is MD5.
If the password encryption is MD5 then you'll have to use PAP or an EAP method with a PAP inner. Nothing else will work. -Arran Arran Cudbard-Bell a.cudbardb@freeradius.org Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
participants (6)
-
"Guillermo W. Llanes Suárez" -
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
Fajar A. Nugraha -
Jim Pazarena