Prefix/Suffix not working (FR 2.0.5, CentOS 5, System Auth)

Steve Weaver sweaver at inetnebr.com
Tue Aug 12 18:18:45 CEST 2008


I'm having a strange problem I hope you can help me figure out.  We're
finally moving from an ancient Livingston RADIUS to FreeRADIUS.

I compiled and installed version 2.0.5 on a freshly installed CentOS 5
box, read all the documentation I could find, installed our old users
file and adapted it until it now (mostly) works correctly.

System info:

# radiusd -v
radiusd: FreeRADIUS Version 2.0.5, for host i686-redhat-linux-gnu,
built on Aug 5 2008 at 15:40:15

# uname -a
Linux ****.*******.com 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT
2008 i686 i686 i386 GNU/Linux

The problem I'm having is that we have a lot of legacy users still
logging in with "Pusername" for PPP connections.  I've tried to set it
up in both the users file and the hints file (separately) and get the
same result.  No matter what I do, it tries to authenticate (System
auth type) the username "Pusername" instead of "username".

If I add a user named "Pusername" everything works correctly.  It hits
the right default entry and authenticates fine, so it's just not
stripping off the "P" when authenticating.  I have also tried suffixes
(".ppp") to test if it was just the prefix that wasn't working.  Same
problem.

We're not using any realms, proxying, LDAP, SQL, etc. at this time.
Just a very simple single RADIUS server reading from a users file and
authenticating against the system password file.

I first tried to set it up in the users file.  I commented out
everything in the hints file.  Here's what the DEFAULT entry looks like
in the users file:

DEFAULT Auth-Type := System, Prefix == "P"
        User-Service-Type = Framed-User,
        Session-Timeout = 36000,
        Idle-Timeout = 600,
        Port-Limit = 1,
        Framed-Protocol = PPP,
        Framed-Address = 255.255.255.254,
        Framed-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP

I attempt to authenticate:

# radtest Psweaver ******** localhost 0 testing123
Sending Access-Request of id 43 to 127.0.0.1 port 1645
        User-Name = "Psweaver"
        User-Password = "********"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1645, id=43,
length=20

Things are working otherwise; without the "P" it works fine:

# radtest sweaver ******** localhost 0 testing123
Sending Access-Request of id 223 to 127.0.0.1 port 1645
        User-Name = "sweaver"
        User-Password = "********"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1645, id=223,
length=56
        Session-Timeout = 36000
        Idle-Timeout = 600
        Port-Limit = 1
        Service-Type = Login-User
        Login-IP-Host = ***.***.***.***
        Login-Service = Rlogin

With the "P", here's the output of radiusd -X

rad_recv: Access-Request packet from host 127.0.0.1 port 35915, id=175,
length=60
        User-Name = "Psweaver"
        User-Password = "********"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
        expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
        expand: %t -> Tue Aug 12 10:10:44 2008
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "Psweaver", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
    users: Matched entry DEFAULT at line 3526
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type System
auth: type "System"
+- entering group authenticate
++[unix] returns notfound
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> Psweaver
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 175 to 127.0.0.1 port 35915
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 175 with timestamp +1013
Ready to process requests.

Note that it's matching line 3526, which is indeed the DEFAULT entry I
listed above.

If I move prefix information to the hints file, I end up with this
in the hints file:

DEFAULT Prefix == "P", Strip-User-Name = Yes
        Hint = "PPP"

and this in the users file:

DEFAULT Auth-Type := System, Hint == "PPP"
        User-Service-Type = Framed-User,
        Session-Timeout = 36000,
        Idle-Timeout = 600,
        Port-Limit = 1,
        Framed-Protocol = PPP,
        Framed-Address = 255.255.255.254,
        Framed-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP

Test fails:

# radtest Psweaver ******** localhost 0 testing123
Sending Access-Request of id 161 to 127.0.0.1 port 1645
        User-Name = "Psweaver"
        User-Password = "********"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1645, id=161,
length=20

radiusd -X output:

rad_recv: Access-Request packet from host 127.0.0.1 port 35924, id=161,
length=60
        User-Name = "Psweaver"
        User-Password = "********"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
+- entering group authorize
  hints: Matched DEFAULT at 65
++[preprocess] returns ok
        expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
        expand: %t -> Tue Aug 12 10:44:04 2008
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "Psweaver", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
    users: Matched entry DEFAULT at line 3526
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type System
auth: type "System"
+- entering group authenticate
++[unix] returns notfound
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> Psweaver
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 161 to 127.0.0.1 port 35924
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 161 with timestamp +4
Ready to process requests.

It hits line 65 in the hints file (my "P" entry), and line 3526 in the
users file (my "PPP" entry.)  When using the hints file, it even logs
this to the detail file showing that it's been stripped:

Tue Aug 12 10:44:04 2008
        Packet-Type = Access-Request
        User-Name = "Psweaver"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Stripped-User-Name = "sweaver"
        Hint = "PPP"

Either way, everything works if I add a Psweaver entry to the password
file, and not if I don't.

I'm out of ideas.  Anyone have any I can borrow? :)

TIA,
SW
-- 
Steven Weaver                                    sweaver at inebraska.com
IT Director                                        (402) 434-8680 x101
Internet Nebraska                            http://www.inebraska.com/
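The detail-file entry in the post shows the two attributes side by side: User-Name is still "Psweaver" while Stripped-User-Name is "sweaver". The following script is an added example (my own code, not FreeRADIUS source) that models how a Prefix/Suffix check item on the first line of a users or hints entry produces that pair, and then shows what a lookup keyed on each attribute sees. The passwd table, entry lines and request attributes are constructed; the check-item semantics (case-sensitive prefix/suffix match, Strip-User-Name defaulting to yes, `:=` items such as Auth-Type collected as control items) are assumptions of this model, and it makes no claim about which attribute any particular FreeRADIUS module consults.

```python
"""Model of FreeRADIUS-style Prefix/Suffix check items (added example, not FreeRADIUS code)."""
import re

# Matches one check item: attribute, operator, value ("quoted" or bare, stopping at a comma).
CHECK_ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|:=|=)\s*("[^"]*"|[^,\s]+)')

# Constructed stand-in for the system password file: only the stripped name exists.
PASSWD = {"sweaver": "x"}


def parse_check_items(line):
    """Parse the first line of a users/hints entry into (entry name, [(attr, op, value)])."""
    name, _, rest = line.partition(" ")
    items = [(a, op, v.strip('"')) for a, op, v in CHECK_ITEM_RE.findall(rest)]
    return name, items


def apply_presuf(req, attr, value, strip=True):
    """Compare a Prefix/Suffix check item against User-Name.

    On a match, add Stripped-User-Name with the affix removed (unless stripping is
    disabled).  User-Name itself is never modified.  Comparison is case-sensitive.
    """
    name = req.get("User-Name", "")
    if attr == "Prefix":
        if not name.startswith(value):
            return False
        stripped = name[len(value):]
    elif attr == "Suffix":
        if not name.endswith(value):
            return False
        stripped = name[:len(name) - len(value)]
    else:
        raise ValueError("not an affix attribute: %s" % attr)
    if strip:
        req["Stripped-User-Name"] = stripped
    return True


def match_entry(request, first_line):
    """Evaluate one entry's check items against a request.

    Returns (control_items, updated_request) on a match, or None if any check fails.
    The request is copied so a failed entry leaves the original untouched.
    """
    _, items = parse_check_items(first_line)
    req = dict(request)
    control = {}
    # Strip-User-Name defaults to yes; an explicit "No" turns stripping off.
    strip = not any(a == "Strip-User-Name" and v.lower() == "no" for a, _, v in items)
    for attr, op, value in items:
        if attr == "Strip-User-Name":
            continue
        if attr in ("Prefix", "Suffix"):
            if not apply_presuf(req, attr, value, strip):
                return None
        elif op == "==":
            if req.get(attr) != value:
                return None
        else:
            # ':=' / '=' on the check line set a control item (e.g. Auth-Type := System).
            control[attr] = value
    return control, req


def system_lookup(req, key):
    """Constructed passwd lookup keyed on the chosen request attribute."""
    return req.get(key) in PASSWD


def trace(user_name, entry_line):
    """Run one request through an entry and report what each kind of lookup would see."""
    result = match_entry({"User-Name": user_name}, entry_line)
    if result is None:
        return {"matched": False}
    control, req = result
    return {
        "matched": True,
        "auth_type": control.get("Auth-Type"),
        "user_name": req["User-Name"],
        "stripped": req.get("Stripped-User-Name"),
        "lookup_by_user_name": system_lookup(req, "User-Name"),
        "lookup_by_stripped": system_lookup(req, "Stripped-User-Name"),
    }


if __name__ == "__main__":
    for user, entry in [
        ("Psweaver", 'DEFAULT Auth-Type := System, Prefix == "P"'),
        ("sweaver.ppp", 'DEFAULT Auth-Type := System, Suffix == ".ppp"'),
        ("Psweaver", 'DEFAULT Prefix == "P", Strip-User-Name = No'),
        ("sweaver", 'DEFAULT Auth-Type := System, Prefix == "P"'),
    ]:
        print(user, "->", trace(user, entry))
```

The first trace reproduces the situation in the post: the entry matches, Stripped-User-Name becomes "sweaver", but a lookup keyed on the raw User-Name still asks for "Psweaver" and finds nothing, which is the same outcome the poster saw until a "Psweaver" account was added. When debugging, compare the attribute names in the detail file against whatever the authenticating module reports, rather than assuming a stripped name is automatically the one being checked.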
