Radius Squid authentication REJECT
Hi All, I have successfully configure freeradius with mysql. i can radtest using command : sudo radtest alice password 192.168.2.3 1812 testing123 Sending Access-Request of id 187 to 192.168.2.3 port 1812 User-Name = "alice" User-Password = "password" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 192.168.2.3 port 1812, id=187, length=20 Now i try squid using radius authentication. i followed step by step from : http://safesrv.net/setup-squid-and-freeradius-on-centos-5/#comment-1043 But i got error message log on cache.log Warning: Received invalid reply digest from server Warning: Received invalid reply digest from server Warning: Received invalid reply digest from server squid_rad_auth: No response from RADIUS server On radius -X debug there is error message like bellow : Sending duplicate reply to client localprivate port 42003 – ID: 2 Sending Access-Reject of id 2 to 192.168.2.3 port 42003 Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 42003, id=2, length=63 Sending duplicate reply to client localprivate port 42003 – ID: 2 Sending Access-Reject of id 2 to 192.168.2.3 port 42003 Waking up in 0.9 seconds. Found Auth-Type = PAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group PAP {…} [pap] login attempt with password “b9?I? +�(�Ч�Y�?” [pap] Using clear text password “password” [pap] Passwords don’t match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type REJECT What is that error ? How i can solve this Thanks -- *M.Iftakhul Anwar* Meruvian Integrator High Performance Computing / Cloud Computing (HPC/CC) Office Phone : 021-93586577 Mobile Phone : 085215331477 Blog : http://blog.mervpolis.com/roller/anwar FB : http://www.facebook.com/troya.adromeda Website : www.meruvian.org
Hello, did you do what the warning says and double checked the shared secret? As far as I see the squid_rad_auth.conf does not use quotation marks ("") to delimit the shared secret. Hence, perhaps you have trailing white spaces or something like that at the end of the line. Delete the line "secret" in squid_rad_auth.conf and type it again. I really mean to delete it in order to get rid of unprintable characters you might not see. Matthias Am Donnerstag 11 April 2013, 15:47:33 schrieb Iftakhul Anwar:
Hi All,
I have successfully configure freeradius with mysql. i can radtest using command :
sudo radtest alice password 192.168.2.3 1812 testing123 Sending Access-Request of id 187 to 192.168.2.3 port 1812 User-Name = "alice" User-Password = "password" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 192.168.2.3 port 1812, id=187, length=20
Now i try squid using radius authentication.
i followed step by step from :
http://safesrv.net/setup-squid-and-freeradius-on-centos-5/#comment-1043
But i got error message log on cache.log
Warning: Received invalid reply digest from server Warning: Received invalid reply digest from server Warning: Received invalid reply digest from server squid_rad_auth: No response from RADIUS server
On radius -X debug there is error message like bellow :
Sending duplicate reply to client localprivate port 42003 – ID: 2 Sending Access-Reject of id 2 to 192.168.2.3 port 42003 Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 42003, id=2, length=63 Sending duplicate reply to client localprivate port 42003 – ID: 2 Sending Access-Reject of id 2 to 192.168.2.3 port 42003 Waking up in 0.9 seconds. Found Auth-Type = PAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group PAP {…} [pap] login attempt with password “b9?I? +�(�Ч�Y�?” [pap] Using clear text password “password” [pap] Passwords don’t match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type REJECT
What is that error ? How i can solve this
Thanks
---------------------------------------------------------------------- Matthias Nagel Willy-Andreas-Allee 1, Zimmer 506 76131 Karlsruhe Telefon: +49-721-8695-1506 Mobil: +49-151-15998774 e-Mail: matthias.h.nagel@gmail.com ICQ: 499797758 Skype: nagmat84
Hi Matthias, I don't use " " on my squid_rad_auth.conf.No space on my scret. This is my squid_rad_auth.conf server 192.168.2.3 secret testing123 On my radcheck, i also using Cleartext-Password on my racheck table Any another clue ? Thanks On Thu, Apr 11, 2013 at 3:59 PM, Matthias Nagel <matthias.h.nagel@gmail.com>wrote:
Hello,
did you do what the warning says and double checked the shared secret?
As far as I see the squid_rad_auth.conf does not use quotation marks ("") to delimit the shared secret. Hence, perhaps you have trailing white spaces or something like that at the end of the line. Delete the line "secret" in squid_rad_auth.conf and type it again. I really mean to delete it in order to get rid of unprintable characters you might not see.
Matthias
Am Donnerstag 11 April 2013, 15:47:33 schrieb Iftakhul Anwar:
Hi All,
I have successfully configure freeradius with mysql. i can radtest using command :
sudo radtest alice password 192.168.2.3 1812 testing123 Sending Access-Request of id 187 to 192.168.2.3 port 1812 User-Name = "alice" User-Password = "password" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 192.168.2.3 port 1812, id=187, length=20
Now i try squid using radius authentication.
i followed step by step from :
http://safesrv.net/setup-squid-and-freeradius-on-centos-5/#comment-1043
But i got error message log on cache.log
Warning: Received invalid reply digest from server Warning: Received invalid reply digest from server Warning: Received invalid reply digest from server squid_rad_auth: No response from RADIUS server
On radius -X debug there is error message like bellow :
Sending duplicate reply to client localprivate port 42003 – ID: 2 Sending Access-Reject of id 2 to 192.168.2.3 port 42003 Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 42003, id=2, length=63 Sending duplicate reply to client localprivate port 42003 – ID: 2 Sending Access-Reject of id 2 to 192.168.2.3 port 42003 Waking up in 0.9 seconds. Found Auth-Type = PAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group PAP {…} [pap] login attempt with password “b9?I? +�(�Ч�Y�?” [pap] Using clear text password “password” [pap] Passwords don’t match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type REJECT
What is that error ? How i can solve this
Thanks
---------------------------------------------------------------------- Matthias Nagel Willy-Andreas-Allee 1, Zimmer 506 76131 Karlsruhe
Telefon: +49-721-8695-1506 Mobil: +49-151-15998774 e-Mail: matthias.h.nagel@gmail.com ICQ: 499797758 Skype: nagmat84
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *M.Iftakhul Anwar* Meruvian Integrator High Performance Computing / Cloud Computing (HPC/CC) Office Phone : 021-93586577 Mobile Phone : 085215331477 Blog : http://blog.mervpolis.com/roller/anwar FB : http://www.facebook.com/troya.adromeda Website : www.meruvian.org
Hello, Am Donnerstag 11 April 2013, 16:07:08 schrieb Iftakhul Anwar:
Hi Matthias,
I don't use " " on my squid_rad_auth.conf
I know, that is the reason why I asked you to check for non-printable characters AFTER your shared secret.
No space on my scret.
And what is between the last printable character of your secret and the new line? Matthias
This is my squid_rad_auth.conf
server 192.168.2.3 secret testing123
On my radcheck, i also using Cleartext-Password on my racheck table
Any another clue ?
Thanks
On Thu, Apr 11, 2013 at 3:59 PM, Matthias Nagel <matthias.h.nagel@gmail.com>wrote:
Hello,
did you do what the warning says and double checked the shared secret?
As far as I see the squid_rad_auth.conf does not use quotation marks ("") to delimit the shared secret. Hence, perhaps you have trailing white spaces or something like that at the end of the line. Delete the line "secret" in squid_rad_auth.conf and type it again. I really mean to delete it in order to get rid of unprintable characters you might not see.
Matthias
Am Donnerstag 11 April 2013, 15:47:33 schrieb Iftakhul Anwar:
Hi All,
I have successfully configure freeradius with mysql. i can radtest using command :
sudo radtest alice password 192.168.2.3 1812 testing123 Sending Access-Request of id 187 to 192.168.2.3 port 1812 User-Name = "alice" User-Password = "password" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 192.168.2.3 port 1812, id=187, length=20
Now i try squid using radius authentication.
i followed step by step from :
http://safesrv.net/setup-squid-and-freeradius-on-centos-5/#comment-1043
But i got error message log on cache.log
Warning: Received invalid reply digest from server Warning: Received invalid reply digest from server Warning: Received invalid reply digest from server squid_rad_auth: No response from RADIUS server
On radius -X debug there is error message like bellow :
Sending duplicate reply to client localprivate port 42003 – ID: 2 Sending Access-Reject of id 2 to 192.168.2.3 port 42003 Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 42003, id=2, length=63 Sending duplicate reply to client localprivate port 42003 – ID: 2 Sending Access-Reject of id 2 to 192.168.2.3 port 42003 Waking up in 0.9 seconds. Found Auth-Type = PAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group PAP {…} [pap] login attempt with password “b9?I? +�(�Ч�Y�?” [pap] Using clear text password “password” [pap] Passwords don’t match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type REJECT
What is that error ? How i can solve this
Thanks
---------------------------------------------------------------------- Matthias Nagel Willy-Andreas-Allee 1, Zimmer 506 76131 Karlsruhe
Telefon: +49-721-8695-1506 Mobil: +49-151-15998774 e-Mail: matthias.h.nagel@gmail.com ICQ: 499797758 Skype: nagmat84
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
---------------------------------------------------------------------- Matthias Nagel Willy-Andreas-Allee 1, Zimmer 506 76131 Karlsruhe Telefon: +49-721-8695-1506 Mobil: +49-151-15998774 e-Mail: matthias.h.nagel@gmail.com ICQ: 499797758 Skype: nagmat84
I just use enter after my shared secret. Any suggestions ? On Thu, Apr 11, 2013 at 4:17 PM, Matthias Nagel <matthias.h.nagel@gmail.com>wrote:
Hello,
Am Donnerstag 11 April 2013, 16:07:08 schrieb Iftakhul Anwar:
Hi Matthias,
I don't use " " on my squid_rad_auth.conf
I know, that is the reason why I asked you to check for non-printable characters AFTER your shared secret.
No space on my scret.
And what is between the last printable character of your secret and the new line?
Matthias
This is my squid_rad_auth.conf
server 192.168.2.3 secret testing123
On my radcheck, i also using Cleartext-Password on my racheck table
Any another clue ?
Thanks
On Thu, Apr 11, 2013 at 3:59 PM, Matthias Nagel <matthias.h.nagel@gmail.com>wrote:
Hello,
did you do what the warning says and double checked the shared secret?
As far as I see the squid_rad_auth.conf does not use quotation marks ("") to delimit the shared secret. Hence, perhaps you have trailing white spaces or something like that at the end of the line. Delete the line "secret" in squid_rad_auth.conf and type it again. I really mean to delete it in order to get rid of unprintable characters you might not see.
Matthias
Am Donnerstag 11 April 2013, 15:47:33 schrieb Iftakhul Anwar:
Hi All,
I have successfully configure freeradius with mysql. i can radtest using command :
sudo radtest alice password 192.168.2.3 1812 testing123 Sending Access-Request of id 187 to 192.168.2.3 port 1812 User-Name = "alice" User-Password = "password" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 192.168.2.3 port 1812, id=187, length=20
Now i try squid using radius authentication.
i followed step by step from :
http://safesrv.net/setup-squid-and-freeradius-on-centos-5/#comment-1043
But i got error message log on cache.log
Warning: Received invalid reply digest from server Warning: Received invalid reply digest from server Warning: Received invalid reply digest from server squid_rad_auth: No response from RADIUS server
On radius -X debug there is error message like bellow :
Sending duplicate reply to client localprivate port 42003 – ID: 2 Sending Access-Reject of id 2 to 192.168.2.3 port 42003 Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 42003, id=2, length=63 Sending duplicate reply to client localprivate port 42003 – ID: 2 Sending Access-Reject of id 2 to 192.168.2.3 port 42003 Waking up in 0.9 seconds. Found Auth-Type = PAP # Executing group from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group PAP {…} [pap] login attempt with password “b9?I? +�(�Ч�Y�?” [pap] Using clear text password “password” [pap] Passwords don’t match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type REJECT
What is that error ? How i can solve this
Thanks
---------------------------------------------------------------------- Matthias Nagel Willy-Andreas-Allee 1, Zimmer 506 76131 Karlsruhe
Telefon: +49-721-8695-1506 Mobil: +49-151-15998774 e-Mail: matthias.h.nagel@gmail.com ICQ: 499797758 Skype: nagmat84
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
---------------------------------------------------------------------- Matthias Nagel Willy-Andreas-Allee 1, Zimmer 506 76131 Karlsruhe
Telefon: +49-721-8695-1506 Mobil: +49-151-15998774 e-Mail: matthias.h.nagel@gmail.com ICQ: 499797758 Skype: nagmat84
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *M.Iftakhul Anwar* Meruvian Integrator High Performance Computing / Cloud Computing (HPC/CC) Office Phone : 021-93586577 Mobile Phone : 085215331477 Blog : http://blog.mervpolis.com/roller/anwar FB : http://www.facebook.com/troya.adromeda Website : www.meruvian.org
Hello, perhaps it is an encoding problem between the browser and squid. You should check what kind of encoding squid expects the browser to use and what encoding the browser actually uses. But this is not a radius problem, hence I cannot help you on that problem. Anyway, somewhere on the link "browser <-> squid <-> radius" the password gets screwed up. If the problem was between the browser and squid, the user name likely would screwed up, too. Hence, I still believe the problem is between squid and radius. But if a wrong secret isn't the solution, I am out. Sorry. Regards, Matthias Am Donnerstag 11 April 2013, 16:35:33 schrieb Iftakhul Anwar:
I just use enter after my shared secret.
Any suggestions ?
On Thu, Apr 11, 2013 at 4:17 PM, Matthias Nagel <matthias.h.nagel@gmail.com>wrote:
Hello,
Am Donnerstag 11 April 2013, 16:07:08 schrieb Iftakhul Anwar:
Hi Matthias,
I don't use " " on my squid_rad_auth.conf
I know, that is the reason why I asked you to check for non-printable characters AFTER your shared secret.
No space on my scret.
And what is between the last printable character of your secret and the new line?
Matthias
This is my squid_rad_auth.conf
server 192.168.2.3 secret testing123
On my radcheck, i also using Cleartext-Password on my racheck table
Any another clue ?
Thanks
On Thu, Apr 11, 2013 at 3:59 PM, Matthias Nagel <matthias.h.nagel@gmail.com>wrote:
Hello,
did you do what the warning says and double checked the shared secret?
As far as I see the squid_rad_auth.conf does not use quotation marks ("") to delimit the shared secret. Hence, perhaps you have trailing white spaces or something like that at the end of the line. Delete the line "secret" in squid_rad_auth.conf and type it again. I really mean to delete it in order to get rid of unprintable characters you might not see.
Matthias
Am Donnerstag 11 April 2013, 15:47:33 schrieb Iftakhul Anwar:
Hi All,
I have successfully configure freeradius with mysql. i can radtest using command :
sudo radtest alice password 192.168.2.3 1812 testing123 Sending Access-Request of id 187 to 192.168.2.3 port 1812 User-Name = "alice" User-Password = "password" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 192.168.2.3 port 1812, id=187, length=20
Now i try squid using radius authentication.
i followed step by step from :
http://safesrv.net/setup-squid-and-freeradius-on-centos-5/#comment-1043
But i got error message log on cache.log
Warning: Received invalid reply digest from server Warning: Received invalid reply digest from server Warning: Received invalid reply digest from server squid_rad_auth: No response from RADIUS server
On radius -X debug there is error message like bellow :
Sending duplicate reply to client localprivate port 42003 – ID: 2 Sending Access-Reject of id 2 to 192.168.2.3 port 42003 Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 192.168.2.3 port 42003, id=2, length=63 Sending duplicate reply to client localprivate port 42003 – ID: 2 Sending Access-Reject of id 2 to 192.168.2.3 port 42003 Waking up in 0.9 seconds. Found Auth-Type = PAP # Executing group from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group PAP {…} [pap] login attempt with password “b9?I? +�(�Ч�Y�?” [pap] Using clear text password “password” [pap] Passwords don’t match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type REJECT
What is that error ? How i can solve this
Thanks
---------------------------------------------------------------------- Matthias Nagel Willy-Andreas-Allee 1, Zimmer 506 76131 Karlsruhe
Telefon: +49-721-8695-1506 Mobil: +49-151-15998774 e-Mail: matthias.h.nagel@gmail.com ICQ: 499797758 Skype: nagmat84
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
---------------------------------------------------------------------- Matthias Nagel Willy-Andreas-Allee 1, Zimmer 506 76131 Karlsruhe
Telefon: +49-721-8695-1506 Mobil: +49-151-15998774 e-Mail: matthias.h.nagel@gmail.com ICQ: 499797758 Skype: nagmat84
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
---------------------------------------------------------------------- Matthias Nagel Willy-Andreas-Allee 1, Zimmer 506 76131 Karlsruhe Telefon: +49-721-8695-1506 Mobil: +49-151-15998774 e-Mail: matthias.h.nagel@gmail.com ICQ: 499797758 Skype: nagmat84
On 11 Apr 2013, at 10:35, Iftakhul Anwar <anwar@meruvian.org> wrote:
I just use enter after my shared secret.
Any suggestions ?
There are three possibilities * The shared secret is wrong in the squid radius file * The shared secret is wrong in the freeradius clients file * Squid is broken (I think this unlikely) As you've not posted a full debug log, all we can do is guess. My guess is that radtest is using the secret defined in clients.conf:client 127.0.0.1/8 and squid is using the secret defined in clients.conf:client 192.168.2.3 Post a full log, and we can probably do more than guess. Adam Bishop gpg: 0x6609D460 Janet, the UK's research and education network. Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
participants (3)
-
Adam Bishop -
Iftakhul Anwar -
Matthias Nagel