ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
Hello, I was working with free radius 3.0.12 and received the below errors in debug output. lm_sql (sql): Released connection (0) (0) [sql] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject I was reading this : Qoute < When a RADIUS packet contains a clear-text password in the form of a User-Password attribute, the/rlm_pap/module may be used for authentication. The module requires a "known good" password, which it uses to validate the password given in the RADIUS packet. That "known good" password must be supplied by another module (e.g./rlm_files/,/rlm_ldap/, etc.), and is usually taken from a database. Unqoute > But I'm having a bit of trouble understanding. In my DB the Attribute is Cleartext-Password , which corresponds to a plain text password. So then why is this error generated. And how to mitigate it. What am I missing. The authorize section of my /etc/raddb/sites-enabled/default is read as: authorize { preprocess digest suffix sql expiration logintime pap } and authenticate as : authenticate { } Auth-Type PAP { pap } digest } Please let me know if any further information is required. Any help is greatly appreciated. -- *Mustafa Mujahid | Systems* /Operations Engineer/
On Jan 18, 2017, at 11:35 AM, Mustafa Mujahid/SYS <mustafa.mujahid@nayatel.com> wrote:
Hello,
I was working with free radius 3.0.12 and received the below errors in debug output.
You need to read the debug output. ALL OF IT. Reading only part of it means you're ignoring messages which will help you solve the problem.
I was reading this :
Qoute <
When a RADIUS packet contains a clear-text password in the form of a User-Password attribute, the/rlm_pap/module may be used for authentication. The module requires a "known good" password, which it uses to validate the password given in the RADIUS packet. That "known good" password must be supplied by another module (e.g./rlm_files/,/rlm_ldap/, etc.), and is usually taken from a database.
Unqoute >
But I'm having a bit of trouble understanding. In my DB the Attribute is Cleartext-Password , which corresponds to a plain text password. So then why is this error generated. And how to mitigate it. What am I missing.
Since you haven't said what you did, I can only guess. If you follow the documentation, it WILL WORK. See the Wiki: http://wiki.freeradius.org/modules/Rlm_sql
The authorize section of my /etc/raddb/sites-enabled/default is read as:
If you don't understand how the server works, you should NOT edit the default virtual server. Make ONE change at a time. Then, test the change, before making another one. Alan DeKok.
Hello, Turns out there is no problem with my configuration. The change at DB end is causing the problem. Changing from Password to Cleartext-Password causes PAP to give error of "No Auth-Type" and "No "known good" password found for the user" . When I tested the same with an already working radius 2.x it returned the error mentioned above. Then reverting the DB attribute pack to "Password" solved the issue and the user was able to authenticate. How can I mitigate this issue. I read this http://freeradius.org/radiusd/man/rlm_pap.html#lbAD It says Qoute < It is important to understand the difference between the User-Password and Cleartext-Password attributes. The Cleartext-Password attribute is the "known good" password for the user. Simply supplying the Cleartext-Password to the server will result in most authentication methods working. Unqoute > So , I'm having trouble understanding what else is missing, Does it have something to do with headers? I have attached a screen shot of my radcheck Table from the test oracle DB.Any help on the matter would be greatly appreciated. *Mustafa Mujahid | Systems* On 01/18/2017 09:39 PM, Alan DeKok wrote:
On Jan 18, 2017, at 11:35 AM, Mustafa Mujahid/SYS <mustafa.mujahid@nayatel.com> wrote:
Hello,
I was working with free radius 3.0.12 and received the below errors in debug output. You need to read the debug output. ALL OF IT.
Reading only part of it means you're ignoring messages which will help you solve the problem.
I was reading this :
Qoute <
When a RADIUS packet contains a clear-text password in the form of a User-Password attribute, the/rlm_pap/module may be used for authentication. The module requires a "known good" password, which it uses to validate the password given in the RADIUS packet. That "known good" password must be supplied by another module (e.g./rlm_files/,/rlm_ldap/, etc.), and is usually taken from a database.
Unqoute >
But I'm having a bit of trouble understanding. In my DB the Attribute is Cleartext-Password , which corresponds to a plain text password. So then why is this error generated. And how to mitigate it. What am I missing. Since you haven't said what you did, I can only guess.
If you follow the documentation, it WILL WORK. See the Wiki:
http://wiki.freeradius.org/modules/Rlm_sql
The authorize section of my /etc/raddb/sites-enabled/default is read as: If you don't understand how the server works, you should NOT edit the default virtual server. Make ONE change at a time. Then, test the change, before making another one.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Mustafa Mujahid/SYS