Re: Radius Squid authentication REJECT
Hi Adam, I'm sorry my previous attachment too large, This attachment log of radiusd -X output when i try to login using user = alice with passwrod=password Thanks On Thu, Apr 11, 2013 at 8:02 PM, Iftakhul Anwar <anwar@meruvian.org> wrote:
Hi Adam,
This attachment log of radiusd -X output when i try to login using user = alice with passwrod=password
On Thu, Apr 11, 2013 at 4:55 PM, Adam Bishop <Adam.Bishop@ja.net> wrote:
On 11 Apr 2013, at 10:35, Iftakhul Anwar <anwar@meruvian.org> wrote:
I just use enter after my shared secret.
Any suggestions ?
There are three possibilities
* The shared secret is wrong in the squid radius file * The shared secret is wrong in the freeradius clients file * Squid is broken (I think this unlikely)
As you've not posted a full debug log, all we can do is guess.
My guess is that radtest is using the secret defined in clients.conf:client 127.0.0.1/8 and squid is using the secret defined in clients.conf:client 192.168.2.3
Post a full log, and we can probably do more than guess.
Adam Bishop
gpg: 0x6609D460
Janet, the UK's research and education network.
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *M.Iftakhul Anwar* Meruvian Integrator High Performance Computing / Cloud Computing (HPC/CC)
Office Phone : 021-93586577 Mobile Phone : 085215331477 Blog : http://blog.mervpolis.com/roller/anwar FB : http://www.facebook.com/troya.adromeda Website : www.meruvian.org
-- *M.Iftakhul Anwar* Meruvian Integrator High Performance Computing / Cloud Computing (HPC/CC) Office Phone : 021-93586577 Mobile Phone : 085215331477 Blog : http://blog.mervpolis.com/roller/anwar FB : http://www.facebook.com/troya.adromeda Website : www.meruvian.org
Iftakhul Anwar wrote:
This attachment log of radiusd -X output when i try to login using user = alice with passwrod=password
You need to read it, and the responses to your messages. You've been told what's wrong, and how to fix it. Stop thinking you understand it, and read the responses. Stop thinking that you've got it configured correctly, and go fix it. It's not hard. The only reason it doesn't work is because you're not following instructions. Alan DeKok.
Hi, look: WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! there. incorrect shared secret...as already said several times in this thread...OR the squid code is broken. if this is working fine, then because its PAP you will see the password in User-Password clear as day. you dont, its all corrupted, because incorrect shared secret. put eg radtest onto the squid box and check that you can fire off a dumb RADIUS query to your FR box from the squid box alan
I'm sorry i really newbie. Actually my shared password is default using testing123.This is my configuration on my squid_rad_auth.conf squid_rad_auth.conf ----------------------------- server 192.168.2.3 secret testing123 and this is my configuration on squid.conf # TAG: auth_param #auth_param basic program /etc/squid3/squid_radius_auth -f /etc/squid3/squid_rad_auth.conf auth_param basic program /etc/squid3/squid_radius_auth -f /usr/local/squid/etc/squid_radius_auth.conf auth_param basic children 5 auth_param basic realm web-proxy auth_param basic credentialsttl 5 minutes auth_param basic casesensitive off acl radius-auth proxy_auth REQUIRED # TAG: http_access http_access allow radius-auth http_access allow localhost any something wrong ? i suspicious in log: [pap] login attempt with password “b9?I? +�(�Ч�Y�?” [pap] Using clear text password “password” [pap] Passwords don’t match Is it because of different authentification method between squid and radius ? On Thu, Apr 11, 2013 at 10:35 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
look:
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
there. incorrect shared secret...as already said several times in this thread...OR the squid code is broken.
if this is working fine, then because its PAP you will see the password in User-Password clear as day. you dont, its all corrupted, because incorrect shared secret.
put eg radtest onto the squid box and check that you can fire off a dumb RADIUS query to your FR box from the squid box
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *M.Iftakhul Anwar* Meruvian Integrator High Performance Computing / Cloud Computing (HPC/CC) Office Phone : 021-93586577 Mobile Phone : 085215331477 Blog : http://blog.mervpolis.com/roller/anwar FB : http://www.facebook.com/troya.adromeda Website : www.meruvian.org
Hi,
Actually my shared password is default using testing123.This is my configuration on my squid_rad_auth.conf
as previously discussed, you are not sending full output of radiusd -X and so we are having to guess. we cannot guess your problems away at least send us your clients.conf from FreeRADIUS alan
Hi, previously i've attached my log as attachment :) Please let see my radiusd -X output when i try login on squid prompt ... rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /usr/local/etc/raddb/modules/detail detail { detailfile = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/usr/local/etc/raddb/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /usr/local/etc/raddb/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /usr/local/etc/raddb/modules/radutmp radutmp { filename = "/usr/local/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/usr/local/etc/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /usr/local/etc/raddb/attrs.access_reject } # modules } # server server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server server coa { # from file /usr/local/etc/raddb/sites-enabled/coa modules { Module: Checking recv-coa {...} for more modules to load Module: Linked to module rlm_always Module: Instantiating module "ok" from file /usr/local/etc/raddb/modules/always always ok { rcode = "ok" simulcount = 0 mpp = no } Module: Checking send-coa {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "coa" server = "coa" ipaddr = * port = 3799 } listen { type = "control" listen { socket = "/usr/local/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 54492 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on coa address * port 3799 as server coa Listening on command file /usr/local/var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 User-Name = "alice" User-Password = "\335\307-\245#ˎ!7\036f\023\217\3630\257" NAS-Port = 111 NAS-Port-Type = Async NAS-IP-Address = 192.168.2.3 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "alice", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> alice [sql] sql_set_user escaped user --> 'alice' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'alice' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'alice' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'alice' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "\DD\C7-\A5#\CB?!7?f??\F30\AF" [pap] Using clear text password "password" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type REJECT # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> alice attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 3.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 1.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 0.9 seconds. Cleaning up request 0 ID 4 with timestamp +98 Ready to process requests. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 User-Name = "alice" User-Password = "\335\307-\245#ˎ!7\036f\023\217\3630\257" NAS-Port = 111 NAS-Port-Type = Async NAS-IP-Address = 192.168.2.3 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "alice", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> alice [sql] sql_set_user escaped user --> 'alice' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'alice' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'alice' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'alice' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "\DD\C7-\A5#\CB?!7?f??\F30\AF" [pap] Using clear text password "password" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type REJECT # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> alice attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 3.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 1.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 0.9 seconds. Cleaning up request 1 ID 4 with timestamp +104 Ready to process requests. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 User-Name = "alice" User-Password = "\335\307-\245#ˎ!7\036f\023\217\3630\257" NAS-Port = 111 NAS-Port-Type = Async NAS-IP-Address = 192.168.2.3 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "alice", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> alice [sql] sql_set_user escaped user --> 'alice' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'alice' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'alice' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'alice' ORDER BY priority rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "\DD\C7-\A5#\CB?!7?f??\F30\AF" [pap] Using clear text password "password" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type REJECT # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> alice attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 3.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 1.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 0.9 seconds. Cleaning up request 2 ID 4 with timestamp +110 Ready to process requests. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 User-Name = "alice" User-Password = "\335\307-\245#ˎ!7\036f\023\217\3630\257" NAS-Port = 111 NAS-Port-Type = Async NAS-IP-Address = 192.168.2.3 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "alice", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> alice [sql] sql_set_user escaped user --> 'alice' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'alice' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'alice' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'alice' ORDER BY priority rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "\DD\C7-\A5#\CB?!7?f??\F30\AF" [pap] Using clear text password "password" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type REJECT # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> alice attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 3 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 3 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 3.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 1.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 0.9 seconds. Cleaning up request 3 ID 4 with timestamp +116 Ready to process requests. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 User-Name = "alice" User-Password = "\335\307-\245#ˎ!7\036f\023\217\3630\257" NAS-Port = 111 NAS-Port-Type = Async NAS-IP-Address = 192.168.2.3 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "alice", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> alice [sql] sql_set_user escaped user --> 'alice' rlm_sql (sql): Reserving sql socket id: 0 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'alice' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'alice' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'alice' ORDER BY priority rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "\DD\C7-\A5#\CB?!7?f??\F30\AF" [pap] Using clear text password "password" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type REJECT # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> alice attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 4 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 3.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 1.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 0.9 seconds. Cleaning up request 4 ID 4 with timestamp +122 Ready to process requests. On Thu, Apr 11, 2013 at 11:02 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
Actually my shared password is default using testing123.This is my configuration on my squid_rad_auth.conf
as previously discussed, you are not sending full output of radiusd -X and so we are having to guess. we cannot guess your problems away at least send us your clients.conf from FreeRADIUS
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *M.Iftakhul Anwar* Meruvian Integrator High Performance Computing / Cloud Computing (HPC/CC) Office Phone : 021-93586577 Mobile Phone : 085215331477 Blog : http://blog.mervpolis.com/roller/anwar FB : http://www.facebook.com/troya.adromeda Website : www.meruvian.org
Hi,
Hi, previously i've attached my log as attachment :)
no, you havent :-( all you have attached is the stuff that you felt you wanted to send. without sending the FULL output of radiusd -X FROM THE START we cannot see where you have gone wrong. HOW can we help if you dont give us the information we request? alan
Hi, I'm sorry, This is response log from radiusd -X when i try long using usr:alice password: password Cleaning up request 3 ID 4 with timestamp +116 Ready to process requests. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 User-Name = "alice" User-Password = "\335\307-\245#ˎ!7\036f\023\217\3630\257" NAS-Port = 111 NAS-Port-Type = Async NAS-IP-Address = 192.168.2.3 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "alice", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> alice [sql] sql_set_user escaped user --> 'alice' rlm_sql (sql): Reserving sql socket id: 0 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'alice' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'alice' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'alice' ORDER BY priority rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "\DD\C7-\A5#\CB?!7?f??\F30\AF" [pap] Using clear text password "password" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type REJECT # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> alice attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 4 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 3.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 1.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4, length=63 Sending duplicate reply to client localprivate port 55467 - ID: 4 Sending Access-Reject of id 4 to 192.168.2.3 port 55467 Waking up in 0.9 seconds. Cleaning up request 4 ID 4 with timestamp +122 Ready to process requests. On Thu, Apr 11, 2013 at 11:22 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
Hi, previously i've attached my log as attachment :)
no, you havent :-(
all you have attached is the stuff that you felt you wanted to send. without sending the FULL output of radiusd -X FROM THE START we cannot see where you have gone wrong.
HOW can we help if you dont give us the information we request?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *M.Iftakhul Anwar* Meruvian Integrator High Performance Computing / Cloud Computing (HPC/CC) Office Phone : 021-93586577 Mobile Phone : 085215331477 Blog : http://blog.mervpolis.com/roller/anwar FB : http://www.facebook.com/troya.adromeda Website : www.meruvian.org
Hi,
Hi, I'm sorry, This is response log from radiusd -X when i try long using usr:alice
one more time. please do not send us what you feel like sending us. please just simply send us the output of "radiusd -X" FROM THE VERY START right up to where is says 'Ready to process requests" do not send us the authentication attempt or anything else. everything else is pointless to send. alan
Iftakhul Anwar wrote:
This is response log from radiusd -X when i try long using usr:alice password: password
No, it's not. You need to follow instructions. If you ask questions and ignore the answers, that's rude. Either follow instructions, or stop posting the same questions. If you don't follow instructions, you will be unsubscribed and banned from the list. Following instructions shouldn't be hard. Do it, or else. Alan DeKok.
Hi All Thanks i've successfull configure squid using radius authentification. Actually i need install squid from source with parameter bellow when compile that source ( http://wiki.squid-cache.org/ConfigExamples/Authenticate/Radius) *--enable-basic-auth-helpers="squid_radius_auth"* Previously i used squid3 from apt-get . Thanks :) * * * * * * On Fri, Apr 12, 2013 at 12:36 AM, Alan DeKok <aland@deployingradius.com>wrote:
Iftakhul Anwar wrote:
This is response log from radiusd -X when i try long using usr:alice password: password
No, it's not.
You need to follow instructions. If you ask questions and ignore the answers, that's rude.
Either follow instructions, or stop posting the same questions.
If you don't follow instructions, you will be unsubscribed and banned from the list.
Following instructions shouldn't be hard. Do it, or else.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *M.Iftakhul Anwar* Meruvian Integrator High Performance Computing / Cloud Computing (HPC/CC) Office Phone : 021-93586577 Mobile Phone : 085215331477 Blog : http://blog.mervpolis.com/roller/anwar FB : http://www.facebook.com/troya.adromeda Website : www.meruvian.org
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Iftakhul Anwar