Not authenticating after adding attributes
Karl Auer
kauer at biplane.com.au
Sun Oct 5 18:37:23 CEST 2008
After spending two days getting a suitable virtual machine operational
(!) I have finally managed to get back to what I was actually trying to
do, namely come to grips with FreeRADIUS!
At the moment, a simple user entry in my database works; when I add
attributes, the entry stops working.
I have a feeling I am missing something embarrassingly obvious...
Details below; any ideas appreciated.
Regards, K.
Here is the first attempt, starting from an empty database (no data in
any tables):
mysql> insert into radcheck (username, attribute, op, value) value
("test1", "Cleartext-Password", ":=", "blather") ;
Query OK, 1 row affected (0.00 sec)
mysql> quit
Bye
kauer at ubuntu:/usr/local/etc/raddb$ radtest test1 blather 127.0.0.1 1812
testing123
Sending Access-Request of id 79 to 127.0.0.1 port 1812
User-Name = "test1"
User-Password = "blather"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=79,
length=20
******* that worked. Then I added a few reply attributes so that the
user looked like this:
mysql> select * from radcheck ;
+----+----------+--------------------------+----+----------------------+
| id | username | attribute                | op | value                |
+----+----------+--------------------------+----+----------------------+
|  1 | test1    | Cleartext-Password       | := | blather              |
|  2 | test1    | Tunnel-Client-Endpoint:0 | =  | 2406:a000::6:4       |
|  3 | test1    | Tunnel-Server-Endpoint:0 | =  | 2406:a000::6:5       |
|  4 | test1    | Framed-IPv6-Prefix       | =  | 2406:a000:0:100::/64 |
+----+----------+--------------------------+----+----------------------+
4 rows in set (0.01 sec)
mysql> quit
Bye
kauer at ubuntu:/usr/local/etc/raddb$ radtest test1 blather 127.0.0.1 1812
testing123
Sending Access-Request of id 220 to 127.0.0.1 port 1812
User-Name = "test1"
User-Password = "blather"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=220,
length=20
****************** That did not work. Here is the debug output from the
first (successful) attempt:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 59653, id=79,
length=57
User-Name = "test1"
User-Password = "blather"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{User-Name} -> test1
[sql] sql_set_user escaped user --> 'test1'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'test1' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'test1' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username =
'test1' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "blather"
[pap] Using clear text password "blather"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> test1
[sql] sql_set_user escaped user --> 'test1'
[sql] expand: %{User-Password} -> blather
[sql] expand: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'test1', 'blather',
'Access-Accept', '2008-10-06 02:43:41')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'test1', 'blather',
'Access-Accept', '2008-10-06 02:43:41')
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 79 to 127.0.0.1 port 59653
Finished request 3.
************** Here is the debug output from the later (unsuccessful)
attempt:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 58059, id=220,
length=57
User-Name = "test1"
User-Password = "blather"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{User-Name} -> test1
[sql] sql_set_user escaped user --> 'test1'
rlm_sql (sql): Reserving sql socket id: 0
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'test1' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username =
'test1' ORDER BY priority
rlm_sql (sql): Released sql socket id: 0
[sql] User test1 not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> test1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 11 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 11
Sending Access-Reject of id 220 to 127.0.0.1 port 58059
Waking up in 4.9 seconds.
Cleaning up request 11 ID 220 with timestamp +6643
Ready to process requests.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)
GPG fingerprint: DD23 0DF3 2260 3060 7FEC 5CA8 1AF6 D9E3 CFEE 6B28
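
Added example (not part of the original post, and not FreeRADIUS code): a small Python helper that extracts the per-module return codes from two `radiusd -X` traces and reports where they first disagree. The function names are hypothetical, and the two sample traces are shortened excerpts of the debug output quoted in the message above.

```python
import re
from itertools import zip_longest

# Module result lines in `radiusd -X` output, e.g. "++[sql] returns ok".
RESULT = re.compile(r"^\s*\++\[(?P<module>[^\]]+)\] returns (?P<rcode>\w+)")
# Section entry lines, e.g. "+- entering group authorize {...}".
SECTION = re.compile(r"^\s*\+- entering group (?P<section>\S+)")

def module_results(trace):
    """Return [(section, module, rcode), ...] in the order the server logged them."""
    section, results = None, []
    for line in trace.splitlines():
        entered = SECTION.match(line)
        if entered:
            section = entered.group("section")
            continue
        result = RESULT.match(line)
        if result:
            results.append((section, result.group("module"), result.group("rcode")))
    return results

def first_divergence(good, bad):
    """First (good, bad) pair of results that differ, or None if the traces agree."""
    pairs = zip_longest(module_results(good), module_results(bad))
    return next(((g, b) for g, b in pairs if g != b), None)

def changed_modules(good, bad):
    """Map (section, module) -> (good rcode, bad rcode) where both ran but disagreed."""
    g = {(s, m): r for s, m, r in module_results(good)}
    b = {(s, m): r for s, m, r in module_results(bad)}
    return {k: (g[k], b[k]) for k in g if k in b and g[k] != b[k]}

# Excerpt of the successful trace (only radcheck holds Cleartext-Password).
GOOD = """+- entering group authorize {...}
++[preprocess] returns ok
++[files] returns noop
[sql] User found in radcheck table
++[sql] returns ok
++[pap] returns updated
+- entering group PAP {...}
++[pap] returns ok
"""
# Excerpt of the failing trace (after the extra rows were added to radcheck).
BAD = """+- entering group authorize {...}
++[preprocess] returns ok
++[files] returns noop
[sql] User test1 not found
++[sql] returns notfound
++[pap] returns noop
+- entering group REJECT {...}
++[attr_filter.access_reject] returns updated
"""
```

On these excerpts the first difference is the `sql` module in `authorize` (`ok` versus `notfound`); the `pap` change from `updated` to `noop` follows from it.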