still not working (newbie for radius)
Hi all: I apologize for the emails for such simple issue...:) it is still not working. I have done all of your guys advised and tried to read through the documents, but...:( here is my "client.conf" file: client 192.168.255.138 { secret = testing123 nastype = juniper } for my "users" file: bob Auth-Type := Local User-Password = "bob", Juniper-Local-User-Name = "labrat" I started radius with "radiusd -X" and also started tcpdump process. here is what i got from freerediaus debugging: rad_recv: Access-Request packet from host 192.168.255.138 port 54462, id=202, length=57 User-Name = "bob" User-Password = "bob" NAS-Identifier = "lab-r8" NAS-IP-Address = 150.150.0.1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry bob at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = Local WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. No "known good" password was configured for the user. As a result, we cannot authenticate the user. Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> bob attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 202 to 192.168.255.138 port 54462 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.255.138 port 54462, id=202, length=57 Sending duplicate reply to client r8 port 54462 - ID: 202 Sending Access-Reject of id 202 to 192.168.255.138 port 54462 Waking up in 2.9 seconds. Cleaning up request 0 ID 202 with timestamp +11 rad_recv: Access-Request packet from host 192.168.255.138 port 54462, id=202, length=57 User-Name = "bob" User-Password = "bob" NAS-Identifier = "lab-r8" NAS-IP-Address = 150.150.0.1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry bob at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = Local WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. No "known good" password was configured for the user. As a result, we cannot authenticate the user. Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> bob attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 202 to 192.168.255.138 port 54462 Waking up in 4.9 seconds. Cleaning up request 1 ID 202 with timestamp +18 Ready to process requests. for tcpdump: 17:07:11.998936 IP 192.168.255.138.54462 > 192.168.255.128.radius: RADIUS, Access Request (1), id: 0xca length: 57 17:07:14.999487 IP 192.168.255.138.54462 > 192.168.255.128.radius: RADIUS, Access Request (1), id: 0xca length: 57 Interestingly, I only saw 'Access Request" came in, but I didn't see Access Reject messages. any help would be greatly appreciated. gahn
I think it tells you in your debug what the problem is Gahn: Found Auth-Type = Local WARNING: Please update your configuration, and remove 'Auth-Type = Local' --- On Sun, 19/9/10, gahn <ipfreak@yahoo.com> wrote: From: gahn <ipfreak@yahoo.com> Subject: still not working (newbie for radius) To: freeradius-users@lists.freeradius.org Date: Sunday, 19 September, 2010, 22:35 Hi all: I apologize for the emails for such simple issue...:) it is still not working. I have done all of your guys advised and tried to read through the documents, but...:( here is my "client.conf" file: client 192.168.255.138 { secret = testing123 nastype = juniper } for my "users" file: bob Auth-Type := Local User-Password = "bob", Juniper-Local-User-Name = "labrat" I started radius with "radiusd -X" and also started tcpdump process. here is what i got from freerediaus debugging: rad_recv: Access-Request packet from host 192.168.255.138 port 54462, id=202, length=57 User-Name = "bob" User-Password = "bob" NAS-Identifier = "lab-r8" NAS-IP-Address = 150.150.0.1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry bob at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = Local WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. No "known good" password was configured for the user. As a result, we cannot authenticate the user. Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> bob attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 202 to 192.168.255.138 port 54462 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.255.138 port 54462, id=202, length=57 Sending duplicate reply to client r8 port 54462 - ID: 202 Sending Access-Reject of id 202 to 192.168.255.138 port 54462 Waking up in 2.9 seconds. Cleaning up request 0 ID 202 with timestamp +11 rad_recv: Access-Request packet from host 192.168.255.138 port 54462, id=202, length=57 User-Name = "bob" User-Password = "bob" NAS-Identifier = "lab-r8" NAS-IP-Address = 150.150.0.1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry bob at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = Local WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. No "known good" password was configured for the user. As a result, we cannot authenticate the user. Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> bob attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 202 to 192.168.255.138 port 54462 Waking up in 4.9 seconds. Cleaning up request 1 ID 202 with timestamp +18 Ready to process requests. for tcpdump: 17:07:11.998936 IP 192.168.255.138.54462 > 192.168.255.128.radius: RADIUS, Access Request (1), id: 0xca length: 57 17:07:14.999487 IP 192.168.255.138.54462 > 192.168.255.128.radius: RADIUS, Access Request (1), id: 0xca length: 57 Interestingly, I only saw 'Access Request" came in, but I didn't see Access Reject messages. any help would be greatly appreciated. gahn - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
thanks for the reply: well, i had tried other configuration for "users": bob Cleartext-Password = "bob" Juniper-Local-User-Name = "labrat" labrat is local login user id so that all of radius users will be mapped to that user. unfortunately, it is also failed though with no warning messages: rad_recv: Access-Request packet from host 192.168.255.138 port 55206, id=152, length=57 User-Name = "bob" User-Password = "bob" NAS-Identifier = "lab-r8" NAS-IP-Address = 150.150.0.1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> bob attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 152 to 192.168.255.138 port 55206 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.255.138 port 55206, id=152, length=57 Sending duplicate reply to client r8 port 55206 - ID: 152 Sending Access-Reject of id 152 to 192.168.255.138 port 55206 Waking up in 2.9 seconds. Cleaning up request 0 ID 152 with timestamp +9 Ready to process requests. rad_recv: Access-Request packet from host 192.168.255.138 port 55206, id=152, length=57 User-Name = "bob" User-Password = "bob" NAS-Identifier = "lab-r8" NAS-IP-Address = 150.150.0.1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> bob attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 152 to 192.168.255.138 port 55206 Waking up in 4.9 seconds. Cleaning up request 1 ID 152 with timestamp +15 Ready to process requests. --- On Sun, 9/19/10, Daniel Woodruffe <danny.woodruffe@yahoo.co.uk> wrote: From: Daniel Woodruffe <danny.woodruffe@yahoo.co.uk> Subject: Re: still not working (newbie for radius) To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Date: Sunday, September 19, 2010, 3:57 PM I think it tells you in your debug what the problem is Gahn: Found Auth-Type = Local WARNING: Please update your configuration, and remove 'Auth-Type = Local' --- On Sun, 19/9/10, gahn <ipfreak@yahoo.com> wrote: From: gahn <ipfreak@yahoo.com> Subject: still not working (newbie for radius) To: freeradius-users@lists.freeradius.org Date: Sunday, 19 September, 2010, 22:35 Hi all: I apologize for the emails for such simple issue...:) it is still not working. I have done all of your guys advised and tried to read through the documents, but...:( here is my "client.conf" file: client 192.168.255.138 { secret = testing123 nastype = juniper } for my "users" file: bob Auth-Type := Local User-Password = "bob", Juniper-Local-User-Name = "labrat" I started radius with "radiusd -X" and also started tcpdump process. here is what i got from freerediaus debugging: rad_recv: Access-Request packet from host 192.168.255.138 port 54462, id=202, length=57 User-Name = "bob" User-Password = "bob" NAS-Identifier = "lab-r8" NAS-IP-Address = 150.150.0.1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry bob at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = Local WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. No "known good" password was configured for the user. As a result, we cannot authenticate the user. Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> bob attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 202 to 192.168.255.138 port 54462 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.255.138 port 54462, id=202, length=57 Sending duplicate reply to client r8 port 54462 - ID: 202 Sending Access-Reject of id 202 to 192.168.255.138 port 54462 Waking up in 2.9 seconds. Cleaning up request 0 ID 202 with timestamp +11 rad_recv: Access-Request packet from host 192.168.255.138 port 54462, id=202, length=57 User-Name = "bob" User-Password = "bob" NAS-Identifier = "lab-r8" NAS-IP-Address = 150.150.0.1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry bob at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = Local WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. No "known good" password was configured for the user. As a result, we cannot authenticate the user. Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> bob attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 202 to 192.168.255.138 port 54462 Waking up in 4.9 seconds. Cleaning up request 1 ID 202 with timestamp +18 Ready to process requests. for tcpdump: 17:07:11.998936 IP 192.168.255.138.54462 > 192.168.255.128.radius: RADIUS, Access Request (1), id: 0xca length: 57 17:07:14.999487 IP 192.168.255.138.54462 > 192.168.255.128.radius: RADIUS, Access Request (1), id: 0xca length: 57 Interestingly, I only saw 'Access Request" came in, but I didn't see Access Reject messages. any help would be greatly appreciated. gahn - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -----Inline Attachment Follows----- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
well, i had tried other configuration for "users": bob Cleartext-Password = "bob" Juniper-Local-User-Name = "labrat" labrat is local login user id so that all of radius users will be mapped to that user. unfortunately, it is also failed though with no warning messages: <tim> You are missing a : - try the following: bob Cleartext-Password := "bob" Juniper-Local-User-Name = "labrat"
thanks tim: yes, it is better but yet working correctly: gahn@giraffe:~:$ ssh bob@192.168.255.138 bob@192.168.255.138's password: Permission denied, please try again. bob@192.168.255.138's password: Permission denied, please try again. bob@192.168.255.138's password: Permission denied (publickey,password,keyboard-interactive). but trying local username "labrat" is working fine: gahn@giraffe:~:$ ssh labrat@192.168.255.138 labrat@192.168.255.138's password: --- JUNOS 8.5R4.3 built 2008-08-12 23:16:55 UTC labrat@lab-r8> what is interesting here is that now i can see "Access-Accept" in the debugging messages of "radiusd -X": rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57 User-Name = "bob" User-Password = "bob" NAS-Identifier = "lab-r8" NAS-IP-Address = 150.150.0.1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry bob at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "bob" [pap] Using clear text password "bob" [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 3 to 192.168.255.138 port 65003 Juniper-Local-User-Name = "labrat" Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57 Sending duplicate reply to client r8 port 65003 - ID: 3 Sending Access-Accept of id 3 to 192.168.255.138 port 65003 Waking up in 1.9 seconds. Cleaning up request 4 ID 3 with timestamp +91 Ready to process requests. rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57 User-Name = "bob" User-Password = "bob" NAS-Identifier = "lab-r8" NAS-IP-Address = 150.150.0.1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry bob at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "bob" [pap] Using clear text password "bob" [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 3 to 192.168.255.138 port 65003 Juniper-Local-User-Name = "labrat" Finished request 5. Going to the next request Waking up in 4.9 seconds. Cleaning up request 5 ID 3 with timestamp +97 Ready to process requests. --- On Sun, 9/19/10, Tim Sylvester <tim.sylvester@networkradius.com> wrote:
From: Tim Sylvester <tim.sylvester@networkradius.com> Subject: RE: still not working (newbie for radius) To: "'FreeRadius users mailing list'" <freeradius-users@lists.freeradius.org> Date: Sunday, September 19, 2010, 5:52 PM
well, i had tried other configuration for "users":
bob Cleartext-Password = "bob" Juniper-Local-User-Name = "labrat"
labrat is local login user id so that all of radius users will be mapped to that user. unfortunately, it is also failed though with no warning messages:
<tim> You are missing a : - try the following:
bob Cleartext-Password := "bob" Juniper-Local-User-Name = "labrat"
-----Inline Attachment Follows-----
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
By the looks of it you have two problems. The User-Password name 'bob' isn't matched by the response Juniper-Local-User-Name 'labrat'. Perhaps ssh cares. Your broken client sends the identical packet for the new authentication attempt when it must send a brand new packet (different id, socket or port). That's why the server drops subsequent login attempts from ssh - they're duplicate requests which the server has already answered. In your second attempt you're User-Name is 'labrat' and the Juniper-Local-User-Name 'labrat' is being returned in the response probably convincing SSH you are who you claim to be. On 2010-09-19 9:35 PM, gahn wrote:
thanks tim:
yes, it is better but yet working correctly:
gahn@giraffe:~:$ ssh bob@192.168.255.138 bob@192.168.255.138's password: Permission denied, please try again. bob@192.168.255.138's password: Permission denied, please try again. bob@192.168.255.138's password: Permission denied (publickey,password,keyboard-interactive).
but trying local username "labrat" is working fine:
gahn@giraffe:~:$ ssh labrat@192.168.255.138 labrat@192.168.255.138's password: --- JUNOS 8.5R4.3 built 2008-08-12 23:16:55 UTC labrat@lab-r8>
what is interesting here is that now i can see "Access-Accept" in the debugging messages of "radiusd -X":
rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57 User-Name = "bob" User-Password = "bob" NAS-Identifier = "lab-r8" NAS-IP-Address = 150.150.0.1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry bob at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "bob" [pap] Using clear text password "bob" [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 3 to 192.168.255.138 port 65003 Juniper-Local-User-Name = "labrat" Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57 Sending duplicate reply to client r8 port 65003 - ID: 3 Sending Access-Accept of id 3 to 192.168.255.138 port 65003 Waking up in 1.9 seconds. Cleaning up request 4 ID 3 with timestamp +91 Ready to process requests. rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57 User-Name = "bob" User-Password = "bob" NAS-Identifier = "lab-r8" NAS-IP-Address = 150.150.0.1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry bob at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "bob" [pap] Using clear text password "bob" [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 3 to 192.168.255.138 port 65003 Juniper-Local-User-Name = "labrat" Finished request 5. Going to the next request Waking up in 4.9 seconds. Cleaning up request 5 ID 3 with timestamp +97 Ready to process requests.
--- On Sun, 9/19/10, Tim Sylvester<tim.sylvester@networkradius.com> wrote:
From: Tim Sylvester<tim.sylvester@networkradius.com> Subject: RE: still not working (newbie for radius) To: "'FreeRadius users mailing list'"<freeradius-users@lists.freeradius.org> Date: Sunday, September 19, 2010, 5:52 PM
well, i had tried other configuration for "users":
bob Cleartext-Password = "bob" Juniper-Local-User-Name = "labrat"
labrat is local login user id so that all of radius users will be mapped to that user. unfortunately, it is also failed though with no warning messages:
<tim> You are missing a : - try the following:
bob Cleartext-Password := "bob" Juniper-Local-User-Name = "labrat"
thanks. well, i don't have user "labrat" configured in file "users" on the radius server. the "labrat" is in local user password database on the juniper box. for the raqdius support on juniper routers, it must map a remote user (in the database of radius server) to a specific local user. in my case, i map the radius username "bob" to the juniper local username "labrat". if i understand correctly what you were saying, this attribute of "Juniper-Local-User-Name" is not working? also you are right, for some reasons, every login attempt will have two more duplicated messages besides the first one. why is that? I am really new on this. thanks for the help... --- On Sun, 9/19/10, Michael Lecuyer <mjl@iterpacis.org> wrote:
From: Michael Lecuyer <mjl@iterpacis.org> Subject: Re: still not working (newbie for radius) To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Date: Sunday, September 19, 2010, 7:26 PM By the looks of it you have two problems. The User-Password name 'bob' isn't matched by the response Juniper-Local-User-Name 'labrat'. Perhaps ssh cares.
Your broken client sends the identical packet for the new authentication attempt when it must send a brand new packet (different id, socket or port). That's why the server drops subsequent login attempts from ssh - they're duplicate requests which the server has already answered.
In your second attempt you're User-Name is 'labrat' and the
Juniper-Local-User-Name 'labrat' is being returned in the response probably convincing SSH you are who you claim to be.
On 2010-09-19 9:35 PM, gahn wrote:
thanks tim:
yes, it is better but yet working correctly:
gahn@giraffe:~:$ ssh bob@192.168.255.138 bob@192.168.255.138's password: Permission denied, please try again. bob@192.168.255.138's password: Permission denied, please try again. bob@192.168.255.138's password: Permission denied (publickey,password,keyboard-interactive).
but trying local username "labrat" is working fine:
gahn@giraffe:~:$ ssh labrat@192.168.255.138 labrat@192.168.255.138's password: --- JUNOS 8.5R4.3 built 2008-08-12 23:16:55 UTC labrat@lab-r8>
what is interesting here is that now i can see "Access-Accept" in the debugging messages of "radiusd -X":
rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57 User-Name = "bob" User-Password = "bob" NAS-Identifier = "lab-r8" NAS-IP-Address = 150.150.0.1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry bob at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "bob" [pap] Using clear text password "bob" [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 3 to 192.168.255.138 port 65003
Juniper-Local-User-Name = "labrat"
Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57 Sending duplicate reply to client r8 port 65003 - ID: 3 Sending Access-Accept of id 3 to 192.168.255.138 port 65003 Waking up in 1.9 seconds. Cleaning up request 4 ID 3 with timestamp +91 Ready to process requests. rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57 User-Name = "bob" User-Password = "bob" NAS-Identifier = "lab-r8" NAS-IP-Address = 150.150.0.1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry bob at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "bob" [pap] Using clear text password "bob" [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 3 to 192.168.255.138 port 65003
Juniper-Local-User-Name = "labrat"
Finished request 5. Going to the next request Waking up in 4.9 seconds. Cleaning up request 5 ID 3 with timestamp +97 Ready to process requests.
--- On Sun, 9/19/10, Tim Sylvester<tim.sylvester@networkradius.com> wrote:
From: Tim Sylvester<tim.sylvester@networkradius.com> Subject: RE: still not working (newbie for radius) To: "'FreeRadius users mailing list'"<freeradius-users@lists.freeradius.org> Date: Sunday, September 19, 2010, 5:52 PM
well, i had tried other configuration for "users":
bob Cleartext-Password = "bob"
Juniper-Local-User-Name = "labrat"
labrat is local login user id so that all of
radius users
will be mapped to that user. unfortunately, it is also failed though with no warning messages:
<tim> You are missing a : - try the following:
bob Cleartext-Password := "bob"
Juniper-Local-User-Name =
"labrat"
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I'm merely speculating that your SSH client is rejecting the response where the User-Name & Juniper-Local-User-Name for 'bob' but accepts the name 'labrat' and response name 'labrat'.
well, i don't have user "labrat" configured in file "users" on the radius server.
KISS: Set up the server to test the Juniper-Local-User-Name responses. You might consider testing just that side of things 'til you figure out the pattern. This part is not a RADIUS problem. BTW the Access-Request packet should use either the NAS-Identifier OR the NAS-IP-Address but not both. Something is likely to mysteriously break later. Choose one.
also you are right, for some reasons, every login attempt will have two more duplicated messages besides the first one. why is that?
The RADIUS server is working properly. Your client is not. Your RADIUS client sends an identical packet for each different attempt to log in. This is just plain wrong and the server is replying with a copy of the original response. Either the client is broken or SSH is misusing the client. On 2010-09-19 11:19 PM, gahn wrote:
thanks.
well, i don't have user "labrat" configured in file "users" on the radius server. the "labrat" is in local user password database on the juniper box. for the raqdius support on juniper routers, it must map a remote user (in the database of radius server) to a specific local user. in my case, i map the radius username "bob" to the juniper local username "labrat".
if i understand correctly what you were saying, this attribute of "Juniper-Local-User-Name" is not working?
also you are right, for some reasons, every login attempt will have two more duplicated messages besides the first one. why is that?
I am really new on this. thanks for the help...
--- On Sun, 9/19/10, Michael Lecuyer<mjl@iterpacis.org> wrote:
From: Michael Lecuyer<mjl@iterpacis.org> Subject: Re: still not working (newbie for radius) To: "FreeRadius users mailing list"<freeradius-users@lists.freeradius.org> Date: Sunday, September 19, 2010, 7:26 PM By the looks of it you have two problems. The User-Password name 'bob' isn't matched by the response Juniper-Local-User-Name 'labrat'. Perhaps ssh cares.
Your broken client sends the identical packet for the new authentication attempt when it must send a brand new packet (different id, socket or port). That's why the server drops subsequent login attempts from ssh - they're duplicate requests which the server has already answered.
In your second attempt you're User-Name is 'labrat' and the
Juniper-Local-User-Name 'labrat' is being returned in the response probably convincing SSH you are who you claim to be.
On 2010-09-19 9:35 PM, gahn wrote:
thanks tim:
yes, it is better but yet working correctly:
gahn@giraffe:~:$ ssh bob@192.168.255.138 bob@192.168.255.138's password: Permission denied, please try again. bob@192.168.255.138's password: Permission denied, please try again. bob@192.168.255.138's password: Permission denied (publickey,password,keyboard-interactive).
but trying local username "labrat" is working fine:
gahn@giraffe:~:$ ssh labrat@192.168.255.138 labrat@192.168.255.138's password: --- JUNOS 8.5R4.3 built 2008-08-12 23:16:55 UTC labrat@lab-r8>
what is interesting here is that now i can see "Access-Accept" in the debugging messages of "radiusd -X":
rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57 User-Name = "bob" User-Password = "bob" NAS-Identifier = "lab-r8" NAS-IP-Address = 150.150.0.1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry bob at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "bob" [pap] Using clear text password "bob" [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 3 to 192.168.255.138 port 65003
Juniper-Local-User-Name = "labrat"
Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57 Sending duplicate reply to client r8 port 65003 - ID: 3 Sending Access-Accept of id 3 to 192.168.255.138 port 65003 Waking up in 1.9 seconds. Cleaning up request 4 ID 3 with timestamp +91 Ready to process requests. rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57 User-Name = "bob" User-Password = "bob" NAS-Identifier = "lab-r8" NAS-IP-Address = 150.150.0.1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry bob at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "bob" [pap] Using clear text password "bob" [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 3 to 192.168.255.138 port 65003
Juniper-Local-User-Name = "labrat"
Finished request 5. Going to the next request Waking up in 4.9 seconds. Cleaning up request 5 ID 3 with timestamp +97 Ready to process requests.
--- On Sun, 9/19/10, Tim Sylvester<tim.sylvester@networkradius.com> wrote:
From: Tim Sylvester<tim.sylvester@networkradius.com> Subject: RE: still not working (newbie for radius) To: "'FreeRadius users mailing list'"<freeradius-users@lists.freeradius.org> Date: Sunday, September 19, 2010, 5:52 PM
well, i had tried other configuration for "users":
bob Cleartext-Password = "bob"
Juniper-Local-User-Name = "labrat"
labrat is local login user id so that all of
radius users
will be mapped to that user. unfortunately, it is also failed though with no warning messages:
<tim> You are missing a : - try the following:
bob Cleartext-Password := "bob"
Juniper-Local-User-Name =
"labrat"
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks. the clients, in my case, are those juniper devices. the configuration is fairly straightforward: radius-server { 192.168.255.128 secret testing123 } class operator-local { permissions view-configuration; } user remote { uid 3000; class operator-local; } for "users", i have only this: bob Cleartext-Password := "bob" by default, the user "bob" in radius server will be mapped to juniper user local user "remote". yes the server is working but not configurations of the server. i checked with the file "dirctory" and I have the required line for juniper-specific in it: $INCLUDE /usr/local/share/freeradius/dictionary.juniper also i bought the book of "radius" and read some of it. as those docs online, the book doesn't seem to be very accurate. guess it has been ther since 2002 and it hasn't changed over the years. obviously the book/online docs don't get updated that much... i removed this line "nastype = juniper" in clients.conf and now no more duplicate messages any more. as to the "NAS-Identifier" and "NAS-IP-Address", i don't know why they show up together --- On Sun, 9/19/10, Michael Lecuyer <mjl@iterpacis.org> wrote:
From: Michael Lecuyer <mjl@iterpacis.org> Subject: Re: still not working (newbie for radius) To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Date: Sunday, September 19, 2010, 9:53 PM I'm merely speculating that your SSH client is rejecting the response where the User-Name & Juniper-Local-User-Name for 'bob' but accepts the name 'labrat' and response name 'labrat'.
well, i don't have user "labrat" configured in file "users" on the radius server.
KISS: Set up the server to test the Juniper-Local-User-Name responses. You might consider testing just that side of things 'til you figure out the pattern. This part is not a RADIUS problem.
BTW the Access-Request packet should use either the NAS-Identifier OR the NAS-IP-Address but not both. Something is likely to mysteriously break later. Choose one.
also you are right, for some reasons, every login attempt will have two more duplicated messages besides the first one. why is that?
The RADIUS server is working properly. Your client is not.
Your RADIUS client sends an identical packet for each different attempt to log in. This is just plain wrong and the server is replying with a copy of the original response.
Either the client is broken or SSH is misusing the client.
On 2010-09-19 11:19 PM, gahn wrote:
thanks.
well, i don't have user "labrat" configured in file "users" on the radius server. the "labrat" is in local user password database on the juniper box. for the raqdius support on juniper routers, it must map a remote user (in the database of radius server) to a specific local user. in my case, i map the radius username "bob" to the juniper local username "labrat".
if i understand correctly what you were saying, this attribute of "Juniper-Local-User-Name" is not working?
also you are right, for some reasons, every login attempt will have two more duplicated messages besides the first one. why is that?
I am really new on this. thanks for the help...
--- On Sun, 9/19/10, Michael Lecuyer<mjl@iterpacis.org> wrote:
From: Michael Lecuyer<mjl@iterpacis.org> Subject: Re: still not working (newbie for radius) To: "FreeRadius users mailing list"<freeradius-users@lists.freeradius.org> Date: Sunday, September 19, 2010, 7:26 PM By the looks of it you have two problems. The User-Password name 'bob' isn't matched by the response Juniper-Local-User-Name 'labrat'. Perhaps ssh cares.
Your broken client sends the identical packet for the new authentication attempt when it must send a brand new packet (different id, socket or port). That's why the server drops subsequent login attempts from ssh - they're duplicate requests which the server has already answered.
In your second attempt you're User-Name is 'labrat' and the
Juniper-Local-User-Name 'labrat' is being returned in the response probably convincing SSH you are who you claim to be.
On 2010-09-19 9:35 PM, gahn wrote:
thanks tim:
yes, it is better but yet working correctly:
gahn@giraffe:~:$ ssh bob@192.168.255.138 bob@192.168.255.138's password: Permission denied, please try again. bob@192.168.255.138's password: Permission denied, please try again. bob@192.168.255.138's password: Permission denied (publickey,password,keyboard-interactive).
but trying local username "labrat" is working fine:
gahn@giraffe:~:$ ssh labrat@192.168.255.138 labrat@192.168.255.138's password: --- JUNOS 8.5R4.3 built 2008-08-12 23:16:55 UTC labrat@lab-r8>
what is interesting here is that now i can see "Access-Accept" in the debugging messages of "radiusd -X":
rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57 User-Name = "bob" User-Password = "bob" NAS-Identifier = "lab-r8" NAS-IP-Address = 150.150.0.1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry bob at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "bob" [pap] Using clear text password "bob" [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 3 to 192.168.255.138 port 65003
Juniper-Local-User-Name = "labrat"
Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57 Sending duplicate reply to client r8 port 65003 - ID: 3 Sending Access-Accept of id 3 to 192.168.255.138 port 65003 Waking up in 1.9 seconds. Cleaning up request 4 ID 3 with timestamp +91 Ready to process requests. rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57 User-Name = "bob" User-Password = "bob" NAS-Identifier = "lab-r8" NAS-IP-Address = 150.150.0.1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry bob at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "bob" [pap] Using clear text password "bob" [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 3 to 192.168.255.138 port 65003
Juniper-Local-User-Name = "labrat"
Finished request 5. Going to the next request Waking up in 4.9 seconds. Cleaning up request 5 ID 3 with timestamp +97 Ready to process requests.
--- On Sun, 9/19/10, Tim Sylvester<tim.sylvester@networkradius.com> wrote:
From: Tim Sylvester<tim.sylvester@networkradius.com> Subject: RE: still not working (newbie for radius) To: "'FreeRadius users mailing list'"<freeradius-users@lists.freeradius.org> Date: Sunday, September 19, 2010, 5:52 PM
well, i had tried other configuration for "users":
bob Cleartext-Password = "bob"
Juniper-Local-User-Name = "labrat"
labrat is local login user id so that all
of radius users
will be mapped to that user. unfortunately, it is also failed though with no warning messages:
<tim> You are missing a : - try the following:
bob Cleartext-Password := "bob"
Juniper-Local-User-Name =
"labrat"
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
thanks tim:
yes, it is better but yet working correctly:
gahn@giraffe:~:$ ssh bob@192.168.255.138 bob@192.168.255.138's password: Permission denied, please try again. bob@192.168.255.138's password: Permission denied, please try again. bob@192.168.255.138's password: Permission denied (publickey,password,keyboard-interactive).
but trying local username "labrat" is working fine:
...
Sending Access-Accept of id 3 to 192.168.255.138 port 65003 Juniper-Local-User-Name = "labrat" Finished request 5.
The RADIUS server is happy and sent back an Access Accept packet to your Juniper device. Check the logs/debug output for the Juniper device to see why it's not authenticating the user after it has received an Access Accept from the RADIUS server. Tim
participants (4)
-
Daniel Woodruffe -
gahn -
Michael Lecuyer -
Tim Sylvester