Freeradius-Users Digest, Vol 14, Issue 119

Kun Niu haoniukun at gmail.com
Fri Jun 30 10:48:52 CEST 2006


Dear Stefan,

Thanks for your reply.
Maybe I should check the shared secret of the client and the server.
Since the passwords for both clients are "123". Relatively simple in testing. :)
Hope that the client is a standard implementation.
Thanks again for your reply.

Sincerely,
Kun

> Message: 3
> Date: Fri, 30 Jun 2006 09:49:00 +0200
> From: Stefan Winter <stefan.winter at restena.lu>
> Subject: Re: Problem about "Chap-Password" and "User-Password"
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Message-ID: <200606300949.03525.stefan.winter at restena.lu>
> Content-Type: text/plain; charset="iso-8859-15"
>
> Hello!
>
> It seems that your client is using a quite unusual character in his password.
> That leads to encoding problems with your database backend. The solution is
> to either list that character in safe_characters for the database (I don't
> really recommend that, given that \240 is a bit too unusual) or store the
> password not literal in the database, but properly encoded. The rlm_sql
> module will then take the user's password, encode it, and check it against
> the same-encoded string in the database.
>
> Of course, the problem might also be that your shared secret for this client
> isn't correct, as the end of the failed attempt suggests. But given that all
> but one character in the password are nicely printable, my guess is that it's
> really just a weird character in the password. In any case, you can verify
> that using a more straightforward password and see if that works.
>
> Greetings,
>
> Stefan Winter
>
> Am Freitag, 30. Juni 2006 09:37 schrieb Kun Niu:
> > Dear all,
> >
> > I've just installed freeradius 1.0.2 on my debian3.1 system.
> > I've got two radius clients.
> > One can be authorized normally and the other one failed to be authorized.
> >
> > Here's my log.
> > Would anyone be kind enough to analyze it for me?
> > Thanks in advance and any help would be appreciated.
> >
> > The failing one:
> >
> > rad_recv: Access-Request packet from host 192.168.1.2:1026, id=199,
> > length=239 User-Name = "abc"
> >       Service-Type = Login-User
> >       NAS-Port-Type = Ethernet
> >       NAS-IP-Address = 192.168.1.2
> >       WISPr-Logoff-URL = "https://10.10.10.1/logout.user"
> >       WISPr-Location-Name = "GEMTEK_SYSTEMS,Terminal_Worldwide"
> >       WISPr-Location-ID = "isocc=us,cc=1,ac=408,network=GEMTEK_SYSTEMS"
> >       Framed-IP-Address = 10.10.10.10
> >       Calling-Station-Id = "0060B325AB48"
> >       Called-Station-Id = "00904BBDFAD0"
> >       Acct-Session-Id = "44A4C9148546"
> >       User-Password = "Ye~\2409"
> >   Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 1
> >   modcall[authorize]: module "preprocess" returns ok for request 1
> >   modcall[authorize]: module "chap" returns noop for request 1
> >   modcall[authorize]: module "mschap" returns noop for request 1
> >     rlm_realm: No '@' in User-Name = "abc", looking up realm NULL
> >     rlm_realm: No such realm "NULL"
> >   modcall[authorize]: module "suffix" returns noop for request 1
> >   rlm_eap: No EAP-Message, not doing EAP
> >   modcall[authorize]: module "eap" returns noop for request 1
> >     users: Matched entry DEFAULT at line 152
> >   modcall[authorize]: module "files" returns ok for request 1
> > radius_xlat:  'abc'
> > rlm_sql (sql): sql_set_user escaped user --> 'abc'
> > radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck
> > WHERE Username = 'abc' ORDER BY id'
> > rlm_sql (sql): Reserving sql socket id: 3
> > radius_xlat:  'SELECT
> > radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupch
> >eck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
> > usergroup.Username = 'abc' AND usergroup.GroupName =
> > radgroupcheck.GroupName ORDER BY
> > radgroupcheck.id'
> > radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply
> > WHERE Username = 'abc' ORDER BY id'
> > radius_xlat:  'SELECT
> > radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupre
> >ply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
> > usergroup.Username = 'abc' AND usergroup.GroupName =
> > radgroupreply.GroupName ORDER BY
> > radgroupreply.id'
> > rlm_sql (sql): No matching entry in the database for request from user
> > [abc] rlm_sql (sql): Released sql socket id: 3
> >   modcall[authorize]: module "sql" returns notfound for request 1
> > modcall: group authorize returns ok for request 1
> >   rad_check_password:  Found Auth-Type System
> > auth: type "System"
> >   Processing the authenticate section of radiusd.conf
> > modcall: entering group authenticate for request 1
> >   modcall[authenticate]: module "unix" returns notfound for request 1
> > modcall: group authenticate returns notfound for request 1
> > auth: Failed to validate the user.
> >   WARNING: Unprintable characters in the password. ?  Double-check the
> > shared secret on the server and the NAS!
> > Delaying request 1 for 1 seconds
> > Finished request 1
> >
> > The successful one:
> >
> > rad_recv: Access-Request packet from host 192.168.1.1:32812, id=0,
> > length=84 User-Name = "abc"
> >       CHAP-Password = 0x04f97271e7e12220a7f6397cc15a62f7e2
> >       NAS-IP-Address = 192.168.1.1
> >       Acct-Session-Id = "5b010000"
> >       NAS-Port = 3
> >       CHAP-Challenge = 0x00ac45bdd7e79c6af29ee0b413c874a8
> >   Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 2
> >   modcall[authorize]: module "preprocess" returns ok for request 2
> >   rlm_chap: Setting 'Auth-Type := CHAP'
> >   modcall[authorize]: module "chap" returns ok for request 2
> >   modcall[authorize]: module "mschap" returns noop for request 2
> >     rlm_realm: No '@' in User-Name = "abc", looking up realm NULL
> >     rlm_realm: No such realm "NULL"
> >   modcall[authorize]: module "suffix" returns noop for request 2
> >   rlm_eap: No EAP-Message, not doing EAP
> >   modcall[authorize]: module "eap" returns noop for request 2
> >     users: Matched entry DEFAULT at line 152
> >   modcall[authorize]: module "files" returns ok for request 2
> > radius_xlat:  'abc'
> > rlm_sql (sql): sql_set_user escaped user --> 'abc'
> > radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck
> > WHERE Username = 'abc' ORDER BY id'
> > rlm_sql (sql): Reserving sql socket id: 2
> > radius_xlat:  'SELECT
> > radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupch
> >eck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
> > usergroup.Username = 'abc' AND usergroup.GroupName =
> > radgroupcheck.GroupName ORDER BY
> > radgroupcheck.id'
> > radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply
> > WHERE Username = 'abc' ORDER BY id'
> > radius_xlat:  'SELECT
> > radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupre
> >ply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
> > usergroup.Username = 'abc' AND usergroup.GroupName =
> > radgroupreply.GroupName ORDER BY
> > radgroupreply.id'
> > rlm_sql (sql): Released sql socket id: 2
> >   modcall[authorize]: module "sql" returns ok for request 2
> > modcall: group authorize returns ok for request 2
> >   rad_check_password:  Found Auth-Type Local
> > auth: type Local
> > auth: user supplied CHAP-Password matches local User-Password
> >   Processing the post-auth section of radiusd.conf
> > modcall: entering group post-auth for request 2
> > rlm_sql (sql): Processing sql_postauth
> > radius_xlat:  'abc'
> > rlm_sql (sql): sql_set_user escaped user --> 'abc'
> > radius_xlat:  'INSERT into radpostauth (id, user, pass, reply, date)
> > values ('', 'abc', 'Chap-Password', 'Access-Accept', NOW())'
> > rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id,
> > user, pass, reply, date) values ('', 'abc', 'Chap-Password',
> > 'Access-Accept', NOW())
> > rlm_sql (sql): Reserving sql socket id: 1
> > rlm_sql (sql): Released sql socket id: 1
> >   modcall[post-auth]: module "sql" returns ok for request 2
> > modcall: group post-auth returns ok for request 2
> > Sending Access-Accept of id 0 to 192.168.1.1:32812
> >       NAS-IP-Address := 255.255.255.255
> > Finished request 2
> >
> > Sincerely,
> > Kun
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
> --
> Stefan WINTER
>
> Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche
> Ingenieur Forschung & Entwicklung
>
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> E-Mail: stefan.winter at restena.lu Tel.:   +352 424409-1
> http://www.restena.lu   Fax: +352 422473



