FreeRadius not sending access-deny

Ryan Kramer rkramer at gmail.com
Fri Aug 29 17:21:36 CEST 2008


That setting was at the default of 1; I tried setting it to zero, no effect.

Here is the debug output with first a successful user followed by the same
user with a bad pwd.


--------------------------------------------------------------------------------------------------------------------------

rad_recv: Access-Request packet from host 10.15.251.232:1387, id=6,
length=62
        User-Name = "test"
        User-Password = "test"
        Message-Authenticator = 0x0adeae0c4cb8659e2aaede3adb6009a3
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/var/log/radius-switch/radacct-switch/
10.15.251.232/auth-detail-20080829'
rlm_detail:
/var/log/radius-switch/radacct-switch/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius-switch/radacct-switch/
10.15.251.232/auth-detail-20080829
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    rlm_realm: No '\' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 0
    users: Matched entry DEFAULT at line 1
    users: Matched entry test at line 33
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=***,dc=**,dc=**'
radius_xlat:  '(uid=test)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.2.16.156:389, authentication 0
rlm_ldap: bind as cn=ITDRADIUSC,ou=USERS,ou=ITD,dc=nd,dc=gov/X27wireless45
to 10.2.16.156:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=***,dc=nd,**=***, with filter (uid=test)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat:  '(uid=test)'
radius_xlat:  'ou=***,dc=**,dc=***'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=***,**=nd,**=***, with filter (uid=test)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "********" returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [test] (from client NetworkEquipment port 0)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
radius_xlat:  '/var/log/radius-switch/radacct-switch/
10.15.251.232/reply-detail-20080829'
rlm_detail:
/var/log/radius-switch/radacct-switch/%{Client-IP-Address}/reply-detail-%Y%m%d
expands to /var/log/radius-switch/radacct-switch/
10.15.251.232/reply-detail-20080829
  modcall[post-auth]: module "reply_log" returns ok for request 0
modcall: leaving group post-auth (returns ok) for request 0
Sending Access-Accept of id 6 to 10.15.251.232 port 1387
        NS-Admin-Privilege = Root-Admin
        APC-Service-Type = 1
        Service-Type = Administrative-User
        Cisco-AVPair = "shell:priv-lvl=15"
        Filter-Id = "unlim"
        Extreme-Shell-Command = "Enable"
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...



--------------------------------------------------------------------------------------------------------------------------





rad_recv: Access-Request packet from host 10.15.251.232:1337, id=5,
length=62
        User-Name = "test"
        User-Password = "test2"
        Message-Authenticator = 0x9bb6290c9d5e7dcffeeafe87e2c65b40
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/var/log/radius-switch/radacct-switch/
10.15.251.232/auth-detail-20080829'
rlm_detail:
/var/log/radius-switch/radacct-switch/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius-switch/radacct-switch/
10.15.251.232/auth-detail-20080829
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    rlm_realm: No '\' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 0
    users: Matched entry DEFAULT at line 1
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=ITD,dc=nd,dc=gov'
radius_xlat:  '(uid=test)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.2.16.156:389, authentication 0
rlm_ldap: bind as cn=ITDRADIUSC,ou=USERS,ou=ITD,dc=nd,dc=gov/X27wireless45
to 10.2.16.156:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=ITD,dc=nd,dc=gov, with filter (uid=test)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat:  '(uid=test)'
radius_xlat:  'ou=ITD,dc=nd,dc=gov'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=ITD,dc=nd,dc=gov, with filter (uid=test)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "STATE" returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "test" with password "test"
radius_xlat:  '(uid=test)'
radius_xlat:  'ou=ITD,dc=nd,dc=gov'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=ITD,dc=nd,dc=gov, with filter (uid=test)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authenticate]: module "STATE" returns notfound for request 0
modcall: leaving group LDAP (returns notfound) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [test] (from client
NetworkEquipment port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 5 to 10.15.251.232 port 1337
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 5 with timestamp 48b80e1f
Nothing to do.  Sleeping until we see a request.


>  Set "reject_delay = 0"
>
>  Alan DeKok.
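An added example, not part of the original post and not FreeRADIUS project code: a small Python parser for debug output in the format shown above that pairs each Access-Request with the reply logged for it and records the reject delay, so a reply that was never sent can be told apart from one that was only delayed. The sample log is constructed, and the parser assumes debug mode handles one request at a time.

```python
import re

RECV = re.compile(r"rad_recv: Access-Request packet from host ([\d.]+):(\d+), id=(\d+)")
SEND = re.compile(r"Sending (Access-\w+) of id (\d+) to ([\d.]+) port (\d+)")
DELAY = re.compile(r"Delaying request \d+ for (\d+) seconds")
FAIL = re.compile(r"Login incorrect \((.*?)\): \[")

# Constructed sample in the same format as the debug output above.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.0.2.10:1387, id=6,
Login OK: [alice] (from client NetworkEquipment port 0)
Sending Access-Accept of id 6 to 192.0.2.10 port 1387
rad_recv: Access-Request packet from host 192.0.2.10:1337, id=5,
Login incorrect (rlm_ldap: User not found): [alice] (from client
NetworkEquipment port 0)
Delaying request 1 for 1 seconds
Waking up in 1 seconds...
Sending Access-Reject of id 5 to 192.0.2.10 port 1337
rad_recv: Access-Request packet from host 192.0.2.10:1400, id=7,
Login incorrect (rlm_ldap: User not found): [alice] (from client
NetworkEquipment port 0)
Delaying request 2 for 1 seconds
"""

def summarize(debug_text):
    """Pair each Access-Request with the reply radiusd logged for it."""
    # Assumption: one request at a time, so "Login incorrect" and
    # "Delaying" lines belong to the most recent rad_recv.
    by_key, records, current = {}, [], None
    for line in debug_text.splitlines():
        if m := RECV.search(line):
            key = (m[1], int(m[2]), int(m[3]))  # client IP, source port, RADIUS id
            current = {"key": key, "reply": None, "delay": 0, "reason": None}
            by_key[key] = current
            records.append(current)
        elif m := SEND.search(line):
            # Replies are matched by address, port and id, not by position.
            rec = by_key.get((m[3], int(m[4]), int(m[2])))
            if rec:
                rec["reply"] = m[1]
        elif current and (m := FAIL.search(line)):
            current["reason"] = m[1]
        elif current and (m := DELAY.search(line)):
            current["delay"] = int(m[1])
    return records

def unanswered(records):
    """Requests for which no Access-Accept or Access-Reject was logged."""
    return [r["key"] for r in records if r["reply"] is None]
```
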