Error: "user supplied User-Password does NOT match local User-Password" even though they do.

Rens Houben shadur at systemec.nl
Fri Aug 28 11:58:40 CEST 2009


Hello,

I've been using FreeRADIUS for quite some time now, but after a recent
update (to 2.0.4, debian lenny variant) all users in a certain group
have stopped authenticating properly, with the above error -- even
though as far as I can tell the password transmitted (and logged) is
identical to the one in the database.

I've attached a sample of the logfile, with names and passwords slightly
edited but otherwise accurate:


I've tried everything I could think of, including deleting the user and
entering the data anew by hand, but the error persists.

Any suggestions to dig further and help me find what I may have missed
would be welcome.

Regards,

-- 
Rens Houben <shadur at systemec.nl>
-------------- next part --------------
++[suffix] returns noop 
  rlm_eap: No EAP-Message, not doing EAP 
++[eap] returns noop 
++[unix] returns updated 
++[files] returns noop 
	expand: %{User-Name} -> shadur 
rlm_sql (sql): sql_set_user escaped user --> 'shadur' 
rlm_sql (sql): Reserving sql socket id: 4 
	expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'shadur' ORDER BY id

+-----+----------+--------------------+-------+------+
| id  | UserName | Attribute          | Value | op   |
+-----+----------+--------------------+-------+------+
| 346 | shadur   | Cleartext-Password | foo   | :=   | 
+-----+----------+--------------------+-------+------+


rlm_sql (sql): User found in radcheck table 
	expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'shadur' ORDER BY id 
+----+----------+---------------+--------+------+
| id | UserName | Attribute     | Value  | op   |
+----+----------+---------------+--------+------+
| 56 | shadur   | Giganews-mbpm | 512000 | :=   | 
+----+----------+---------------+--------+------+


	expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE UserName='shadur' 
+-----------+
| GroupName |
+-----------+
| news      | 
+-----------+

	expand: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id -> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'shadur' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id 
+----+-----------+----------------+-------+------+
| id | GroupName | Attribute      | Value | op   |
+----+-----------+----------------+-------+------+
|  8 | news      | Huntgroup-Name | news  | ==   | 
|  9 | news      | Auth-Type      | Local | :=   | 
+----+-----------+----------------+-------+------+


rlm_sql (sql): User found in group news 
	expand: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id -> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'shadur' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id 
+----+-----------+---------------+-------+------+
| id | GroupName | Attribute     | Value | op   |
+----+-----------+---------------+-------+------+
| 25 | news      | Auth-Type     | Local | :=   | 
| 27 | news      | Giganews-mbpm | 512   | :=   | 
+----+-----------+---------------+-------+------+


rlm_sql (sql): Released sql socket id: 4 
++[sql] returns ok 
rlm_pap: Found existing Auth-Type, not changing it. 
++[pap] returns noop 
  rad_check_password:  Found Auth-Type Local 
auth: type Local 
auth: user supplied User-Password does NOT match local User-Password 
auth: Failed to validate the user. 
Login incorrect: [shadur/foo] (from client giganews port 1) 


