Ok, Al, can you explain or help with this. just to appease you, I unpacked free radius, out of the box, changed a single line in "server" as such: 127.0.0.1 testing123 3 ran radtest using a testuser local account: radtest testuser 1234 127.0.0.1 10 testing123 it failed, radtest shows: Sending Access-Request of id 90 to 127.0.0.1 port 1812 User-Name = "testuser" User-Password = "1234" NAS-IP-Address = 255.255.255.255 NAS-Port = 10 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=90, length=20 Radiusd -X shows: /usr/sbin/radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:32773, id=90, length=60 User-Name = "testuser" User-Password = "1234" NAS-IP-Address = 255.255.255.255 NAS-Port = 10 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 155 modcall[authorize]: module "files" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_unix: [testuser]: invalid password modcall[authenticate]: module "unix" returns reject for request 0 modcall: leaving group authenticate (returns reject) for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 90 to 127.0.0.1 port 32773 Waking up in 4 seconds... the password is valid, as a local SSH using the same information works. And one other oddity, when using users with "hardended" passwords like say "test@" radtest and radiusd -X will show the password as "test2", whether quotes are used or not. is this normal? and why does the radtest fail? no other configurations or files where changed. everything is default. _________________________________________________________________ Are you ready for Windows Live Messenger Beta 8.5 ? Get the latest for free today! http://entertainment.sympatico.msn.ca/WindowsLiveMessenger
Dan Gahlinger wrote:
Ok, Al, can you explain or help with this.
just to appease you, I unpacked free radius, out of the box, changed a single line in "server" as such: 127.0.0.1 testing123 3
I think that's a config file for the PAM module. FreeRADIUS doesn't use it.
ran radtest using a testuser local account:
In /etc/passwd...
Radiusd -X shows: ... users: Matched entry DEFAULT at line 155
Which is the entry setting Auth-Type = System. i.e. "check against /etc/passwd".
rlm_unix: [testuser]: invalid password
Which is pretty definitive. FreeRADIUS just calls the standard Unix API's to get the users password from /etc/passwd or /etc/shadow, and then calls the standard Unix API's to check that against what the user entered. It looks like the second call is causing issues. It's returning something, but that something doesn't match what's in /etc/passwd. If it helps, FreeRADIUS is simply at the mercy of the system API's here. Are you running as root in debugging mode?
the password is valid, as a local SSH using the same information works.
Ouch.
And one other oddity, when using users with "hardended" passwords like say "test@" radtest and radiusd -X will show the password as "test2", whether quotes are used or not.
That's... odd. There may be shell escaping issues, but when I test users like that using single quotes ( 'test@' ) in radtest && the "users" file, it works for me.
is this normal? and why does the radtest fail?
It's not normal. radtest fails because the API's FreeRADIUS calls don't seem to work. Alan DeKok.
I hate hotmail. ok, you're saying /etc/raddb/server is a pam config file ? anyhow, I'm happy to report the single quote method fixes part of the problem. that of the "@%%" working better now. still doesn't log in. even using radiusd -Xsfxxx or so doesn't give any more information. -X gives the debugging I showed. is there something else I can do to test/check why the API is failing? Dan.
Date: Wed, 28 Nov 2007 18:53:20 +0100 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: radtest seems to fail out of the box
Dan Gahlinger wrote:
Ok, Al, can you explain or help with this.
just to appease you, I unpacked free radius, out of the box, changed a single line in "server" as such: 127.0.0.1 testing123 3
I think that's a config file for the PAM module. FreeRADIUS doesn't use it.
ran radtest using a testuser local account:
In /etc/passwd...
Radiusd -X shows: ... users: Matched entry DEFAULT at line 155
Which is the entry setting Auth-Type = System. i.e. "check against /etc/passwd".
rlm_unix: [testuser]: invalid password
Which is pretty definitive. FreeRADIUS just calls the standard Unix API's to get the users password from /etc/passwd or /etc/shadow, and then calls the standard Unix API's to check that against what the user entered.
It looks like the second call is causing issues. It's returning something, but that something doesn't match what's in /etc/passwd.
If it helps, FreeRADIUS is simply at the mercy of the system API's here. Are you running as root in debugging mode?
the password is valid, as a local SSH using the same information works.
Ouch.
And one other oddity, when using users with "hardended" passwords like say "test@" radtest and radiusd -X will show the password as "test2", whether quotes are used or not.
That's... odd. There may be shell escaping issues, but when I test users like that using single quotes ( 'test@' ) in radtest && the "users" file, it works for me.
is this normal? and why does the radtest fail?
It's not normal. radtest fails because the API's FreeRADIUS calls don't seem to work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ R U Ready for Windows Live Messenger Beta 8.5? Try it today! http://entertainment.sympatico.msn.ca/WindowsLiveMessenger
Dan Gahlinger wrote:
I hate hotmail. ok, you're saying /etc/raddb/server is a pam config file ?
It's used by the pam_radius_auth module. An example and documentation ships with the module. It is NOT used by FreeRADIUS.
even using radiusd -Xsfxxx or so doesn't give any more information. -X gives the debugging I showed.
is there something else I can do to test/check why the API is failing?
Write a C program to test it.... Or, email me off-line, and I'll send you an SSH key. I can log into the machine and see if I can figure out WTF is going on. Alan DeKok.
participants (2)
-
Alan DeKok -
Dan Gahlinger