ISSUE: Authentication will fail unless a "known good" password is available
Hi Team, I am facing issue with radtest. I am getting error like: Authentication will fail unless a "known good" password is available Below debug details: Received Access-Request Id 241 from 127.0.0.1:38747 to 127.0.0.1:1812 length 74 (3) User-Name = "test" (3) User-Password = "test123" (3) NAS-IP-Address = 127.0.1.1 (3) NAS-Port = 1812 (3) Message-Authenticator = 0x73b04566a900069b236e748aee43500c (3) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "test", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: No EAP-Message, not doing EAP (3) [eap] = noop (3) [files] = noop (3) sql: EXPAND %{User-Name} (3) sql: --> test (3) sql: SQL-User-Name set to 'test' rlm_sql (sql): Closing connection (8): Hit idle_timeout, was idle for 141 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (9): Hit idle_timeout, was idle for 141 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (7): Hit idle_timeout, was idle for 141 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (10), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.22-0ubuntu0.16.04.1, protocol version 10 rlm_sql (sql): Reserved connection (10) (3) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (3) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id (3) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id (3) sql: User found in radcheck table (3) sql: Conditional check items matched, merging assignment check items (3) sql: User-Password := "test123" (3) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (3) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id (3) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id (3) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (3) sql: --> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority (3) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority (3) sql: User not found in any groups rlm_sql (sql): Released connection (10) Need 2 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (11), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.22-0ubuntu0.16.04.1, protocol version 10 (3) [sql] = ok (3) [expiration] = noop (3) [logintime] = noop (3) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (3) pap: WARNING: !!! Ignoring control:User-Password. Update your !!! (3) pap: WARNING: !!! configuration so that the "known good" clear text !!! (3) pap: WARNING: !!! password is in Cleartext-Password and NOT in !!! (3) pap: WARNING: !!! User-Password. !!! (3) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (3) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (3) pap: WARNING: Authentication will fail unless a "known good" password is available (3) [pap] = noop (3) } # authorize = ok (3) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (3) Failed to authenticate the user (3) Using Post-Auth-Type Reject (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) Post-Auth-Type REJECT { (3) sql: EXPAND .query (3) sql: --> .query (3) sql: Using query template 'query' rlm_sql (sql): Reserved connection (10) (3) sql: EXPAND %{User-Name} (3) sql: --> test (3) sql: SQL-User-Name set to 'test' (3) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (3) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test', 'test123', 'Access-Reject', '2018-04-26 20:51:05') (3) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test', 'test123', 'Access-Reject', '2018-04-26 20:51:05') (3) sql: SQL query returned: success (3) sql: 1 record(s) updated rlm_sql (sql): Released connection (10) (3) [sql] = ok (3) attr_filter.access_reject: EXPAND %{User-Name} (3) attr_filter.access_reject: --> test (3) attr_filter.access_reject: Matched entry DEFAULT at line 11 (3) [attr_filter.access_reject] = updated (3) [eap] = noop (3) policy remove_reply_message_if_eap { (3) if (&reply:EAP-Message && &reply:Reply-Message) { (3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (3) else { (3) [noop] = noop (3) } # else = noop (3) } # policy remove_reply_message_if_eap = noop (3) } # Post-Auth-Type REJECT = updated (3) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [test/test123] (from client localhost port 1812) (3) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (3) Sending delayed response (3) Sent Access-Reject Id 241 from 127.0.0.1:1812 to 127.0.0.1:38747 length 20 Waking up in 3.9 seconds. (3) Cleaning up request packet ID 241 with timestamp +264 Ready to process requests Please help me on that.
Hi, It tells you what to do, just a few lines above, with a big box of ! marks around it and it says “WARNING” on every line. Your database is returning a User-Password. Change the attribute name to Cleartext-Password.
On 26/04/2018, at 5:28 PM, Somanath Mishra <somanath.mishra@planetsbrain.com> wrote:
(3) sql: Conditional check items matched, merging assignment check items (3) sql: User-Password := “test123"
(3) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (3) pap: WARNING: !!! Ignoring control:User-Password. Update your !!! (3) pap: WARNING: !!! configuration so that the "known good" clear text !!! (3) pap: WARNING: !!! password is in Cleartext-Password and NOT in !!! (3) pap: WARNING: !!! User-Password. !!! (3) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (3) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (3) pap: WARNING: Authentication will fail unless a "known good" password is available
participants (2)
-
Nathan Ward -
Somanath Mishra