Hi, I try to setup a basic radius service. Use Version 3.0.3 Most files are untouched. Edit mods-config/files/authorize and added some user: testuser Cleartext-Password := "mypassword", Login-Time ="Any", Expiration >"Oct 01 2020", Simultanous-Use = 1 Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 192.168.111.222, Framed-Routing = None, Filter-ID = USER Edit client.conf and added: client 192.168.1.5 { secret = clientpwd } radiusd starts w/o problem and the default test: # radtest testing password 127.0.0.1 0 testing123 is successfull. When try to test (from localhost): # radtest testuser mypassword 127.0.0.1 0 testing123 I think this is likely the same test as with the default user 'testing'. radius throw: ... WARNING: pap : No "known good" password found tor the user. Not setting Auth-Type. WARNING: pap : Authentication will faill unless a "known good" password is available. [pap] = noop } # authorize = ok ERROR: No Auth-Tape found: rejecting the user via Post-Auth-Type = Reject ... So my question is: What is an 'known good' password? Where should this be configured? TiA Bernd
your user entry is wrong. thus not matching the request. alan On 5 July 2018 at 10:58, Bernd Nachtigall <bnacht@web.de> wrote:
Hi,
I try to setup a basic radius service. Use Version 3.0.3 Most files are untouched. Edit mods-config/files/authorize and added some user:
testuser Cleartext-Password := "mypassword", Login-Time ="Any", Expiration >"Oct 01 2020", Simultanous-Use = 1 Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 192.168.111.222, Framed-Routing = None, Filter-ID = USER
Edit client.conf and added: client 192.168.1.5 { secret = clientpwd }
radiusd starts w/o problem and the default test: # radtest testing password 127.0.0.1 0 testing123 is successfull.
When try to test (from localhost):
# radtest testuser mypassword 127.0.0.1 0 testing123
I think this is likely the same test as with the default user 'testing'.
radius throw: ... WARNING: pap : No "known good" password found tor the user. Not setting Auth-Type. WARNING: pap : Authentication will faill unless a "known good" password is available. [pap] = noop } # authorize = ok ERROR: No Auth-Tape found: rejecting the user via Post-Auth-Type = Reject ...
So my question is: What is an 'known good' password? Where should this be configured?
TiA
Bernd - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Am 05.07.2018 um 12:03 schrieb Alan Buxey:
> your user entry is wrong. thus not matching the request.
>
> alan
Yes, I assume that ...
But
>> testuser Cleartext-Password := "mypassword",
>> radtest testuser mypassword 127.0.0.1 0 testing123
testuser = testuser
mypassword = mypassword
So, it seems that the error is not the username nor the password.
Which of the other paramters could be the reason for the 'No "known
good" password found' message?
Bernd
>
> On 5 July 2018 at 10:58, Bernd Nachtigall <bnacht@web.de> wrote:
>
>> Hi,
>>
>> I try to setup a basic radius service. Use Version 3.0.3
>> Most files are untouched. Edit mods-config/files/authorize and added
>> some user:
>>
>> testuser Cleartext-Password := "mypassword", Login-Time ="Any",
>> Expiration >"Oct 01 2020", Simultanous-Use = 1
>> Service-Type = Framed-User,
>> Framed-Protocol = PPP,
>> Framed-IP-Address = 192.168.111.222,
>> Framed-Routing = None,
>> Filter-ID = USER
>>
>> Edit client.conf and added:
>> client 192.168.1.5 {
>> secret = clientpwd
>> }
>>
>> radiusd starts w/o problem and the default test:
>> # radtest testing password 127.0.0.1 0 testing123
>> is successfull.
>>
>> When try to test (from localhost):
>>
>> # radtest testuser mypassword 127.0.0.1 0 testing123
>>
>> I think this is likely the same test as with the default user 'testing'.
>>
>> radius throw:
>> ...
>> WARNING: pap : No "known good" password found tor the user. Not setting
>> Auth-Type.
>> WARNING: pap : Authentication will faill unless a "known good" password
>> is available.
>> [pap] = noop
>> } # authorize = ok
>> ERROR: No Auth-Tape found: rejecting the user via Post-Auth-Type = Reject
>> ...
>>
>> So my question is: What is an 'known good' password? Where should this
>> be configured?
>>
>>
>> TiA
>>
>> Bernd
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
Am 05.07.2018 um 12:03 schrieb Alan Buxey:
> your user entry is wrong. thus not matching the request.
>
> alan
For those who dont want to be ask the oracle:
This Syntax of an user entry (old radius 2) was the cause of the error:
testuser Cleartext-Password := "mypassword", Login-Time ="Any",
Expiration >"Oct 01 2020", Simultanous-Use = 1
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 192.168.111.222,
Framed-Routing = None,
Filter-ID = USER
In radius3 you has to use:
testuser Cleartext-Password := "mypassword"
Login-Time ="Any",
Expiration >"Oct 01 2020",
Simultanous-Use = 1,
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 192.168.111.222,
Framed-Routing = None,
Filter-ID = USER
The first line has a new line after the double quote and no comma.
Bernd
>
> On 5 July 2018 at 10:58, Bernd Nachtigall <bnacht@web.de> wrote:
>
>> Hi,
>>
>> I try to setup a basic radius service. Use Version 3.0.3
>> Most files are untouched. Edit mods-config/files/authorize and added
>> some user:
>>
>> testuser Cleartext-Password := "mypassword", Login-Time ="Any",
>> Expiration >"Oct 01 2020", Simultanous-Use = 1
>> Service-Type = Framed-User,
>> Framed-Protocol = PPP,
>> Framed-IP-Address = 192.168.111.222,
>> Framed-Routing = None,
>> Filter-ID = USER
>>
>> Edit client.conf and added:
>> client 192.168.1.5 {
>> secret = clientpwd
>> }
>>
>> radiusd starts w/o problem and the default test:
>> # radtest testing password 127.0.0.1 0 testing123
>> is successfull.
>>
>> When try to test (from localhost):
>>
>> # radtest testuser mypassword 127.0.0.1 0 testing123
>>
>> I think this is likely the same test as with the default user 'testing'.
>>
>> radius throw:
>> ...
>> WARNING: pap : No "known good" password found tor the user. Not setting
>> Auth-Type.
>> WARNING: pap : Authentication will faill unless a "known good" password
>> is available.
>> [pap] = noop
>> } # authorize = ok
>> ERROR: No Auth-Tape found: rejecting the user via Post-Auth-Type = Reject
>> ...
>>
>> So my question is: What is an 'known good' password? Where should this
>> be configured?
>>
>>
>> TiA
>>
>> Bernd
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
On Jul 5, 2018, at 7:58 AM, Bernd Nachtigall <bnacht@web.de> wrote:
This Syntax of an user entry (old radius 2) was the cause of the error:
testuser Cleartext-Password := "mypassword", Login-Time ="Any", Expiration >"Oct 01 2020", Simultanous-Use = 1 Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 192.168.111.222, Framed-Routing = None, Filter-ID = USER
In radius3 you has to use:
testuser Cleartext-Password := "mypassword" Login-Time ="Any", Expiration >"Oct 01 2020", Simultanous-Use = 1,
That doesn't look right. And the server will complain about attributes in the reply list, when the should be in the check list. It should be: testuser Cleartext-Password := "my password, Login-Time := "Any", Expiration >"Oct 01 2020", Simultanous-Use := 1 all on one line. Notice ":=" instead of "=". See "man users" for more information. Alan DeKok.
Am 05.07.2018 um 14:47 schrieb Alan DeKok:
On Jul 5, 2018, at 7:58 AM, Bernd Nachtigall <bnacht@web.de> wrote:
This Syntax of an user entry (old radius 2) was the cause of the error:
testuser Cleartext-Password := "mypassword", Login-Time ="Any", Expiration >"Oct 01 2020", Simultanous-Use = 1 Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 192.168.111.222, Framed-Routing = None, Filter-ID = USER
In radius3 you has to use:
testuser Cleartext-Password := "mypassword" Login-Time ="Any", Expiration >"Oct 01 2020", Simultanous-Use = 1,
That doesn't look right. And the server will complain about attributes in the reply list, when the should be in the check list.
It should be:
testuser Cleartext-Password := "my password, Login-Time := "Any", Expiration >"Oct 01 2020", Simultanous-Use := 1
all on one line. Notice ":=" instead of "=".
See "man users" for more information.
Alan DeKok.
Ah, now I recognize. Thx. 1st line User, Next lines part of the answer Tank you very much! Bernd
On Thu, 2018-07-05 at 11:58 +0200, Bernd Nachtigall wrote:
I try to setup a basic radius service. Use Version 3.0.3
That's rather old now, and has security vulnerabilities.
Most files are untouched. Edit mods-config/files/authorize and added some user:
radiusd starts w/o problem and the default test: # radtest testing password 127.0.0.1 0 testing123 is successfull.
There is no default test user "testing", so where did you add that?
When try to test (from localhost):
# radtest testuser mypassword 127.0.0.1 0 testing123
I think this is likely the same test as with the default user 'testing'.
Did you add "testuser" in the same place you added "testing"?
radius throw: ... WARNING: pap : No "known good" password found tor the user. Not setting Auth-Type. WARNING: pap : Authentication will faill unless a "known good" password is available. [pap] = noop } # authorize = ok ERROR: No Auth-Tape found: rejecting the user via Post-Auth-Type = Reject ...
That doesn't show anything useful. http://wiki.freeradius.org/list-help -- Matthew
participants (4)
-
Alan Buxey -
Alan DeKok -
Bernd Nachtigall -
Matthew Newton