CHAP-Password does NOT match local User-Password
Hi everyone ! I'm a newbie in freeradius. I've tryied several freeradius versions, but i get always the same error: auth: user supplied CHAP-Password does NOT match local User-Password Currently i'm using freeradius 1.0.5 and i want to bind it with the pppoe-server(accounts are mysql based). This is the ppp auth part of the radiusd -X: Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:32772, id=50, length=90 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "qweqwe" CHAP-Password = 0x1a490e809284566aa959336e511314fe82 Calling-Station-Id = "00:04:61:5C:14:11" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080705' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080705 modcall[authorize]: module "auth_log" returns ok for request 0 radius_xlat: ':' rlm_attr_rewrite: No match found for attribute User-Name with value 'qweqwe' modcall[authorize]: module "dwukropki" returns ok for request 0 rlm_chap: Setting 'Auth-Type := CHAP' modcall[authorize]: module "chap" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "qweqwe", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 radius_xlat: 'qweqwe' rlm_sql (sql): sql_set_user escaped user --> 'qweqwe' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'qweqwe' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'qweqwe' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'qweqwe' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'qweqwe' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT r.id,r.UserName,r.Attribute,inet_ntoa(n.ipaddr) as value,r.op ??FROM radreply as r, nodes as n WHERE r.Username = 'qweqwe' AND n.name=r.UserName ORDER BY r.id' rlm_sql_mysql: query: SELECT r.id,r.UserName,r.Attribute,inet_ntoa(n.ipaddr) as value,r.op ??FROM radreply as r, nodes as n WHERE r.Username = 'qweqwe' AND n.name=r.UserName ORDER BY r.id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'qweqwe' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'qweqwe' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type Local auth: type Local auth: user supplied CHAP-Password does NOT match local User-Password auth: Failed to validate the user. Login incorrect: [qweqwe] (from client localhost port 0 cli 00:04:61:5C:14:11) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 50 to 127.0.0.1:32772 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 50 with timestamp 486f753f Nothing to do. Sleeping until we see a request. Thanks for the support and sorry for my lame eng. -- ------------------------ Maciej Drobniuch
Maciej Drobniuch wrote:
I've tryied several freeradius versions, but i get always the same error: auth: user supplied CHAP-Password does NOT match local User-Password Currently i'm using freeradius 1.0.5
Upgrade to 2.0.5.
and i want to bind it with the ... rlm_chap: Setting 'Auth-Type := CHAP' ... rad_check_password: Found Auth-Type Local
You are forcing Auth-Type. Don't do that.
auth: type Local auth: user supplied CHAP-Password does NOT match local User-Password
And the passwords don't match. Alan DeKok.
On Tue, 08 Jul 2008 18:49:48 +0200, Alan DeKok <aland@deployingradius.com> wrote:
Upgrade to 2.0.5.
I had tht version and the same error appeared
You are forcing Auth-Type. Don't do that.
So, what I must force to don't mess up things?
And the passwords don't match.
The passwords match. Do they have to be in plaint text (in db) or some kind of a hash ? How can I see what password (in plain, when auth in pap) comes in to freeradius from pppd. THANKS FOR YOUR SUPPORT! sorry for my lame eng. -- ------------------------ Maciej Drobniuch
Maciej Drobniuch wrote:
You are forcing Auth-Type. Don't do that.
So, what I must force to don't mess up things?
Don't force anything. Use the default configuration.
And the passwords don't match.
The passwords match. Do they have to be in plaint text (in db) or some kind of a hash ?
No. See the FAQ for an example of how to configure a "known good" password for a user.
How can I see what password (in plain, when auth in pap) comes in to freeradius from pppd.
Then post the debug output from *that*, and not from a CHAP request. Alan DeKok.
Does anyone have a FreeRADIUS server handing out dynamic VLANs based on group membership in AD to a HP 2800 series switch that's configured for 802.1X? How do I configure FreeRADIUS to "read" the AD group membership attribute, and how do I then pass the matching VLAN-ID back to the switch? Daniel
How do I configure FreeRADIUS to "read" the AD group membership attribute,
See group membeship section in ldap module configuration.
and how do I then pass the matching VLAN-ID back to the switch?
Your switch documentation should tell you that. You normally use Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id attributes. Ivan Kalik Kalik Informatika ISP
Follow-up question (sorry I'm new this): I'm currently authenticating users with FreeRadius against an AD database (PEAP-MS-CHAPv2). Would I still have to use the ldap module to get a user's AD group membership? Thanks, Daniel -----Original Message----- From: freeradius-users-bounces+dbaumann=hancockcollege.edu@lists.freeradius.or g [mailto:freeradius-users-bounces+dbaumann=hancockcollege.edu@lists.freer adius.org] On Behalf Of Ivan Kalik Sent: Tuesday, July 08, 2008 03:34 PM To: FreeRadius users mailing list Subject: Re: Dynamic VLANs based on AD group membership
How do I configure FreeRADIUS to "read" the AD group membership attribute,
See group membeship section in ldap module configuration.
and how do I then pass the matching VLAN-ID back to the switch?
Your switch documentation should tell you that. You normally use Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id attributes. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Daniel Baumann wrote:
Follow-up question (sorry I'm new this): I'm currently authenticating users with FreeRadius against an AD database (PEAP-MS-CHAPv2). Would I still have to use the ldap module to get a user's AD group membership?
Yes. There is no other way to get the AD group membership. See the AD documentation. If it says there's another way to get AD group membership, you can use that. Otherwise, use the method which IS documented: ldap queries. Alan DeKok.
participants (4)
-
Alan DeKok -
Daniel Baumann -
Ivan Kalik -
Maciej Drobniuch