Auth: (24) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject):
I'm migrating a functioning freeradius install version 2.2.8 on ubuntu 16.04 LTS to version 3.0.16 on ubuntu 18.04 LTS I setup daloradius this time. I've setup my clients I've setup my users I deliver DSL and do auth and assign static IP addresses I need radius to return the Framed-IP-Address attribute if required This is all in mysql and I need accounting to be stored in mysql also. So far I'm getting this: Auth: (24) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [test@xxx.xxxx.xx/!yyyyyyyy!] (from client 999.888.777.666 port 268439551 cli xxxxxxadsfad-47:621) Any suggestions? Thank you. G
On Aug 24, 2019, at 5:30 AM, Gilbert Rebeiro <gilbertrebeiro@gmail.com> wrote:
So far I'm getting this:
Auth: (24) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [test@xxx.xxxx.xx/!yyyyyyyy!] (from client 999.888.777.666 port 268439551 cli xxxxxxadsfad-47:621)
Any suggestions?
Debug output? Alan DeKok.
Hi Alan, Just so I don’t post anything stupid. What in the output needs to be masked? IP addresses secrets etc? Thanks, Gilbert. -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+gilbertrebeiro=gmail.com@lists.freeradius.org> On Behalf Of Alan DeKok Sent: Saturday, August 24, 2019 9:20 AM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Auth: (24) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): On Aug 24, 2019, at 5:30 AM, Gilbert Rebeiro <gilbertrebeiro@gmail.com> wrote:
So far I'm getting this:
Auth: (24) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [test@xxx.xxxx.xx/!yyyyyyyy!] (from client 999.888.777.666 port 268439551 cli xxxxxxadsfad-47:621)
Any suggestions?
Debug output? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Aug 24, 2019, at 10:43 AM, <gilbertrebeiro@gmail.com> <gilbertrebeiro@gmail.com> wrote:
Hi Alan, Just so I don’t post anything stupid. What in the output needs to be masked? IP addresses secrets etc?
No one cares about IP addresses. There's no secret information there. As for secrets, read the debug output: $ radiusd -X | grep secret secret = <<< secret >>> secret = <<< secret >>> secret = <<< secret >>> private_key_password = <<< secret >>> secret = <<< secret >>> Masking is done automatically. Alan DeKok.
On 24 August 2019 15:43:24 BST, gilbertrebeiro@gmail.com wrote:
Just so I don’t post anything stupid. What in the output needs to be masked? IP addresses secrets etc?
FreeRADIUS hides configured secrets in the output already. The more you chop out, the more irritating it is for people trying to help you as they have to keep asking for more information or are left guessing. Level of irritation is inversely proportional to the amount of help you're likely to get... -- Matthew
Ready to process requests (0) Received Access-Request Id 49 from 127.0.0.1:52226 to 127.0.0.1:1812 length 102 (0) User-Name = "test@dsl.dido.ca" (0) User-Password = "testing123testing" (0) NAS-IP-Address = 23.144.128.31 (0) NAS-Port = 0 (0) Message-Authenticator = 0xde13937558571e30f92b0e3e1c2b35d6 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/de fault (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALS E (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "dsl.dido.ca" for User-Name = "test@dsl.dido.ca" (0) suffix: No such realm "dsl.dido.ca" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) sql: EXPAND %{User-Name} (0) sql: --> test@dsl.dido.ca (0) sql: SQL-User-Name set to 'test@dsl.dido.ca' rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 257 second s rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 257 second s rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 257 second s rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 257 second s rlm_sql (sql): You probably need to lower "min" rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 257 second s rlm_sql (sql): You probably need to lower "min" rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 257 second s rlm_sql (sql): You probably need to lower "min" rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (6), 1 of 32 pending slots used rlm_sql (sql): Reserved connection (6) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE us ername = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE us ername = 'test@dsl.dido.ca' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test@dsl.dido.ca' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User- Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'test@dsl.di do.ca' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE userna me = 'test@dsl.dido.ca' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (6) Need 2 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (7), 1 of 31 pending slots used (0) [sql] = notfound (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth -Type (0) pap: WARNING: Authentication will fail unless a "known good" password is ava ilable (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Post-Auth-Type REJECT { (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (6) (0) sql: EXPAND %{User-Name} (0) sql: --> test@dsl.dido.ca (0) sql: SQL-User-Name set to 'test@dsl.dido.ca' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet- Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test@dsl.dido.ca', 'testing123testing', 'Access-Reject', '2019-08-24 14:41:2 1') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authda te) VALUES ( 'test@dsl.dido.ca', 'testing123testing', 'Access-Reject', '2019-08- 24 14:41:21') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (6) (0) [sql] = ok (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> test@dsl.dido.ca (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [test@dsl.dido.ca/testing123testing] (from client localhost port 0) (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 49 from 127.0.0.1:1812 to 127.0.0.1:52226 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 49 with timestamp +257 Ready to process requests -----Original Message----- From: Matthew Newton <mcn@freeradius.org> Sent: Saturday, August 24, 2019 10:51 AM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>; gilbertrebeiro@gmail.com; 'FreeRadius users mailing list' <freeradius-users@lists.freeradius.org> Subject: RE: Auth: (24) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): On 24 August 2019 15:43:24 BST, gilbertrebeiro@gmail.com wrote:
Just so I don’t post anything stupid. What in the output needs to be masked? IP addresses secrets etc?
FreeRADIUS hides configured secrets in the output already. The more you chop out, the more irritating it is for people trying to help you as they have to keep asking for more information or are left guessing. Level of irritation is inversely proportional to the amount of help you're likely to get... -- Matthew
On Aug 24, 2019, at 12:37 PM, gilbertrebeiro@gmail.com wrote:
Ready to process requests (0) Received Access-Request Id 49 from 127.0.0.1:52226 to 127.0.0.1:1812 length 102
Something has mangled the output. Not terribly, but it's not good.
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE us ername = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE us ername = 'test@dsl.dido.ca' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test@dsl.dido.ca' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User- Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'test@dsl.di do.ca' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE userna me = 'test@dsl.dido.ca' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (6) Need 2 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (7), 1 of 31 pending slots used (0) [sql] = notfound
The user wasn't found in the SQL database. Presumably that's where the password is stored. Which explains the following message:
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth -Type (0) pap: WARNING: Authentication will fail unless a "known good" password is ava ilable
That's pretty clear. The server has no idea how to authenticate the user. Fix the SQL database so that it returns the users information. The debug output shows you the SQL queries for a reason: So that you can run them manually from a SQL client program. i.e. so you can test them without running the entire RADIUS server. Alan DeKok.
I'm starting to understand - thank you. I am trying to figure out how to setup a profile and which device attributes I should have - where would I find this information in freeradius 2 so I can duplicate it in my 3 setup? Sorry if there are docs that I should read please direct me to them? -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+gilbertrebeiro=gmail.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Saturday, August 24, 2019 3:11 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Auth: (24) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject):
On Aug 24, 2019, at 12:37 PM, gilbertrebeiro@gmail.com wrote:
Ready to process requests (0) Received Access-Request Id 49 from 127.0.0.1:52226 to 127.0.0.1:1812 length 102
Something has mangled the output. Not terribly, but it's not good.
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE us ername = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE us ername = 'test@dsl.dido.ca' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test@dsl.dido.ca' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User- Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'test@dsl.di do.ca' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE userna me = 'test@dsl.dido.ca' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (6) Need 2 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (7), 1 of 31 pending slots used (0) [sql] = notfound
The user wasn't found in the SQL database. Presumably that's where the password is stored. Which explains the following message:
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth -Type (0) pap: WARNING: Authentication will fail unless a "known good" password is ava ilable
That's pretty clear. The server has no idea how to authenticate the user. Fix the SQL database so that it returns the users information. The debug output shows you the SQL queries for a reason: So that you can run them manually from a SQL client program. i.e. so you can test them without running the entire RADIUS server. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Aug 24, 2019, at 6:28 PM, Gilbert Rebeiro <gilbertrebeiro@gmail.com> wrote:
I'm starting to understand - thank you. I am trying to figure out how to setup a profile and which device attributes I should have - where would I find this information in freeradius 2 so I can duplicate it in my 3 setup?
In either the configuration files or in SQL. But the SQL schema is compatible between v2 and v3. So that doesn't need to change.
Sorry if there are docs that I should read please direct me to them?
raddb/README.rst contains complete instructions for upgrading from v2 to v3. Alan DeKok.
When I query the database I get MariaDB [radius]> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test@dsl.dido.ca' ORDER BY id; +----+------------------+--------------------+-------------------+----+ | id | username | attribute | value | op | +----+------------------+--------------------+-------------------+----+ | 13 | test@dsl.dido.ca | Cleartext-Password | testing123testing | := | +----+------------------+--------------------+-------------------+----+ 1 row in set (0.000 sec) Not sure why it can't find the user... Sorry I should have said I already had done this. I thought it was missing something else. G. -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+gilbertrebeiro=gmail.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Saturday, August 24, 2019 3:11 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Auth: (24) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject):
On Aug 24, 2019, at 12:37 PM, gilbertrebeiro@gmail.com wrote:
Ready to process requests (0) Received Access-Request Id 49 from 127.0.0.1:52226 to 127.0.0.1:1812 length 102
Something has mangled the output. Not terribly, but it's not good.
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE us ername = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE us ername = 'test@dsl.dido.ca' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test@dsl.dido.ca' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User- Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'test@dsl.di do.ca' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE userna me = 'test@dsl.dido.ca' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (6) Need 2 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (7), 1 of 31 pending slots used (0) [sql] = notfound
The user wasn't found in the SQL database. Presumably that's where the password is stored. Which explains the following message:
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth -Type (0) pap: WARNING: Authentication will fail unless a "known good" password is ava ilable
That's pretty clear. The server has no idea how to authenticate the user. Fix the SQL database so that it returns the users information. The debug output shows you the SQL queries for a reason: So that you can run them manually from a SQL client program. i.e. so you can test them without running the entire RADIUS server. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Aug 25, 2019, at 6:45 AM, Gilbert Rebeiro <gilbertrebeiro@gmail.com> wrote:
When I query the database I get MariaDB [radius]> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test@dsl.dido.ca' ORDER BY id; +----+------------------+--------------------+-------------------+----+ | id | username | attribute | value | op | +----+------------------+--------------------+-------------------+----+ | 13 | test@dsl.dido.ca | Cleartext-Password | testing123testing | := | +----+------------------+--------------------+-------------------+----+ 1 row in set (0.000 sec)
Not sure why it can't find the user...
There's not much that can go wrong here, unfortunately. Maybe the SQL query is wrong, or the "radius" user doesn't have permission to query those tables. Alan DeKok.
participants (4)
-
Alan DeKok -
Gilbert Rebeiro -
gilbertrebeiro@gmail.com -
Matthew Newton