"Shared secret is incorrect" - but it is identical!

ken k.brown at bbk.ac.uk
Wed Jul 4 18:57:58 CEST 2007 

Josh Howlett wrote:

> What happens if, using radtest, you specify the username *without* the
> realm from the remote machine?

It fails just the same way

It fails whether user is in /etc/passwd or /etc/raddb/users

It fails whether "Auth := local" is in there or not

It fails whether I check for User-password or Cleartext-password


=====================
rad_recv: Access-Request packet from host nnn.nnn.nnn.nnn:32773, 
id=209, length=58
         User-Name = "username"
         User-Password = "\356za\360V\202oljug\263\025M!)"
         NAS-IP-Address = 255.255.255.255
         NAS-Port = 212
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 35
   modcall[authorize]: module "preprocess" returns ok for request 35
radius_xlat: 
'/var/log/radius/radacct/nnn.nnn.nnn.nnn/auth-detail-20070704'
rlm_detail: 
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to 
/var/log/radius/radacct/nnn.nnn.nnn.nnn/auth-detail-20070704
   modcall[authorize]: module "auth_log" returns ok for request 35
   modcall[authorize]: module "chap" returns noop for request 35
   modcall[authorize]: module "mschap" returns noop for request 35
     rlm_realm: No '@' in User-Name = "username", looking up 
realm NULL
     rlm_realm: Found realm "NULL"
     rlm_realm: Adding Stripped-User-Name = "username"
     rlm_realm: Proxying request from user username to realm NULL
     rlm_realm: Adding Realm = "NULL"
     rlm_realm: Authentication realm is LOCAL.
   modcall[authorize]: module "suffix" returns noop for request 35
   rlm_eap: No EAP-Message, not doing EAP
   modcall[authorize]: module "eap" returns noop for request 35
     users: Matched entry DEFAULT at line 20
   modcall[authorize]: module "files" returns ok for request 35
rlm_pap: WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
   modcall[authorize]: module "pap" returns noop for request 35
modcall: leaving group authorize (returns ok) for request 35
   rad_check_password:  Found Auth-Type System
auth: type "System"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 35
   modcall[authenticate]: module "unix" returns notfound for 
request 35
modcall: leaving group authenticate (returns notfound) for 
request 35
auth: Failed to validate the user.
   WARNING: Unprintable characters in the password. ? 
Double-check the shared secret on the server and the NAS!
=====================

If I try another user with no "Auth := local"  in the user 
definition, just the  username and "User-password",  it is much 
the same until:

=====================
   modcall[authorize]: module "suffix" returns noop for request 37
   rlm_eap: No EAP-Message, not doing EAP
   modcall[authorize]: module "eap" returns noop for request 37
     users: Matched entry username at line 6
   modcall[authorize]: module "files" returns ok for request 37
   modcall[authorize]: module "pap" returns updated for request 37
modcall: leaving group authorize (returns updated) for request 37
   rad_check_password:  Found Auth-Type pap
auth: type "PAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 37
rlm_pap: login attempt with password pÌ?¶ákýÌ2p?c?¡MS
rlm_pap: Using clear text password "NoAuthpwd1".
rlm_pap: Passwords don't match
   modcall[authenticate]: module "pap" returns reject for request 37
modcall: leaving group PAP (returns reject) for request 37
auth: Failed to validate the user.
   WARNING: Unprintable characters in the password. ? 
Double-check the shared secret on the server and the NAS!
=====================

More information about the Freeradius-Users mailing list