I am sure the solution to my problem is simple however I can't figure it out. This is my user blarson Auth-Type := Local, Cleartext-Password == "testing" Service-Type = Framed-User, Session-Timeout = 18000, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.255, Framed-Routing = None, Framed-MTU = 1006, Idle-Timeout = 1200, Ascend-Idle-Limit = 1200, Framed-Compression = Van-Jacobsen-TCP-IP, Port-Limit = 1, Slipstream-Auth = "true", Ascend-Maximum-Channels = "1" This is my realm realm compu.net { type = radius authhost = LOCAL accthost = LOCAL } This is the debug Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 40159, id=207, length=69 User-Name = "blarson@compu.net" User-Password = "testing" NAS-IP-Address = 216.248.35.2 NAS-Port = 0 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: Looking up realm "compu.net" for User-Name = "blarson@compu.net" rlm_realm: Found realm "compu.net" rlm_realm: Adding Stripped-User-Name = "blarson" rlm_realm: Adding Realm = "compu.net" rlm_realm: Authentication realm is LOCAL. ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated users: Matched entry DEFAULT at line 17394 users: Matched entry DEFAULT at line 17457 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type REJECT rad_check_password: Auth-Type = Reject, rejecting user auth: Failed to validate the user. Login incorrect: [blarson@compu.net/testing] (from client localhost port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> blarson@compu.net attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 207 to 127.0.0.1 port 40159 Reply-Message = "Invalid or unauthorized account" Waking up in 4.9 seconds. Cleaning up request 0 ID 207 with timestamp +3 Ready to process requests. As you can see it's not stripping the realm before checking in the users file. So the user is not matched in the users file. What have I done wrong? Questions, suggestions, and fixes welcome
It worked fine with that on my old server, and I tried it both ways on both auth-type and password no change. On 7/8/2010 6:01 AM, Alan Buxey wrote:
Hi,
This is my user
blarson Auth-Type := Local, Cleartext-Password == "testing" ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Cleartext-Password := "testing"
:= is a comparison
== is a setting
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Bill Larson Network Administrator, Compu-Net Enterprises http://www.compu.net/
Bill Larson wrote:
It worked fine with that on my old server,
It was wrong.
and I tried it both ways on both auth-type and password no change.
See the FAQ for an example: blarson Cleartext-Password := "testing" That works. Anything else is wrong. You'll also need to list "pap" *last* in the "authorize" section. Alan DeKok.
Ok thanks Alan. Moving PAP and changing the users file format worked. I had been beating my brains out for about three days. On 7/8/2010 9:38 AM, Alan DeKok wrote:
Bill Larson wrote:
It worked fine with that on my old server, It was wrong.
and I tried it both ways on both auth-type and password no change. See the FAQ for an example:
blarson Cleartext-Password := "testing"
That works. Anything else is wrong.
You'll also need to list "pap" *last* in the "authorize" section.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Bill Larson Network Administrator, Compu-Net Enterprises http://www.compu.net/
Hi, All i've reboot my NAS. And since my user is getting invalid username and password allthougth I can that they are authenticated in the radius log. For exemple I get this in the log : **************************************************************************** *************** Cleaning up request 3589 ID 245 with timestamp +391 rad_recv: Access-Request packet from host 172.29.44.250 port 50000, id=252, length=323 User-Password = "vipnet2010" User-Name = "mamadou.toure@vipnet.ci" Acct-Session-Id = "erx ip:172.29.44.250:172.31.8.253:1f89:1c77:5dd:821b:252b32:0025640364" Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "GigabitEthernet 1/1.2303:2303#587203682#\"VLAN DATA DS2PL204\"##pppoe 00:07:72:19:18:b3#" NAS-Port-Type = Virtual NAS-Port = 942170 NAS-Port-Id = "ip:172.29.44.250:172.31.8.253:1f89:1c77:5dd:821b:252b32" NAS-IP-Address = 172.29.44.250 NAS-Identifier = "ADSL.EXR310" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop rlm_realm: Looking up realm "vipnet.ci" for User-Name = "mamadou.toure@vipnet.ci" rlm_realm: No such realm "vipnet.ci" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop expand: %{User-Name} -> mamadou.toure@vipnet.ci rlm_sql (sql): sql_set_user escaped user --> 'mamadou.toure@vipnet.ci' rlm_sql (sql): Reserving sql socket id: 0 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'mamadou.toure@vipnet.ci' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'mamadou.toure@vipnet.ci' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'mamadou.toure@vipnet.ci' ORDER BY priority rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated rad_check_password: Found Auth-Type !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! auth: type "PAP" +- entering group PAP rlm_pap: login attempt with password "vipnet2010" rlm_pap: Using clear text password "vipnet2010" rlm_pap: User authenticated successfully ++[pap] returns ok Login OK: [mamadou.toure@vipnet.ci/vipnet2010] (from client nas port 942170 cli GigabitEthernet 1/1.2303:2303#587203682#"VLAN DATA DS2PL204"##pppoe 00:07:72:19:18:b3#) +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 252 to 172.29.44.250 port 50000 Framed-Protocol = PPP Service-Type = Framed-User Finished request 3649. Going to the next request ******************************************************************** But the user still getting invalid username and password. Can someone help. Regards.
participants (4)
-
Alan Buxey -
Alan DeKok -
Bill Larson -
Toure Mamadou