Blank Password Problem

Satyam Mathura satz.sm at gmail.com
Thu Jan 21 22:47:12 CET 2010


Guys,
I'm experiencing a strange problem. I use FreeRadius to control cmd line
access to my routers and switches and I've configured FreeRadius to use a
MySQL back-end and thus far it works fine except for one condition. If I
supply a blank password when authenticating, FreeRadius allows the request
and authenticates me once my username is correct. Why is this happening? Is
there any way to have FreeRadius keep on prompting if a blank password is
supplied or reject the request altogether?
Thanks for your help.
Radius debug is below:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.1 port 1645, id=215,
length=104
        User-Name = "john.doe"
        Reply-Message = "Password: "
        User-Password = ""
        NAS-Port = 1
        NAS-Port-Id = "tty1"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "192.168.1.1"
        NAS-IP-Address = 192.168.1.1
+- entering group authorize
++[preprocess] returns ok
rlm_sql (sql): - sql_xlat
        expand: %{User-Name} -> john.doe
rlm_sql (sql): sql_set_user escaped user --> 'john.doe'
        expand: SELECT groupname FROM radhuntgroup WHERE
nasipaddress="%{NAS-IP-Address}" AND nasportid LIKE IF
(SUBSTRING("%{NAS-Port-Id}", 1, 3) = 'tty', 'tty', "%{NAS-Port-Id}") AND
usergroup IN (SELECT groupname FROM radusergroup where username LIKE
"%{User-Name}")  -> SELECT groupname FROM radhuntgroup WHERE
nasipaddress="192.168.1.1" AND nasportid LIKE IF (SUBSTRING("tty1", 1, 3) =
'tty', 'tty', "tty1") AND usergroup IN (SELECT groupname FROM radusergroup
where username LIKE "john.doe")
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): - sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
        expand: %{sql:SELECT groupname FROM radhuntgroup WHERE
nasipaddress="%{NAS-IP-Address}" AND nasportid LIKE IF
(SUBSTRING("%{NAS-Port-Id}", 1, 3) = 'tty', 'tty', "%{NAS-Port-Id}") AND
usergroup IN (SELECT groupname FROM radusergroup where username LIKE
"%{User-Name}") } -> admin
++[request] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "john.doe", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
    users: Matched entry DEFAULT at line 204
++[files] returns ok
        expand: %{User-Name} -> john.doe
rlm_sql (sql): sql_set_user escaped user --> 'john.doe'
rlm_sql (sql): Reserving sql socket id: 2
        expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id
-> SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = 'john.doe'           ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id
-> SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = 'john.doe'           ORDER BY id
        expand: SELECT groupname           FROM radusergroup           WHERE
username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username =
'john.doe'           ORDER BY priority
        expand: SELECT id, groupname, attribute,           Value,
op           FROM radgroupcheck           WHERE groupname =
'%{Sql-Group}'           ORDER BY id -> SELECT id, groupname,
attribute,           Value, op           FROM radgroupcheck           WHERE
groupname = 'engineeringadmin'           ORDER BY id
rlm_sql (sql): User found in group engineeringadmin
        expand: SELECT id, groupname, attribute,           value,
op           FROM radgroupreply           WHERE groupname =
'%{Sql-Group}'           ORDER BY id -> SELECT id, groupname,
attribute,           value, op           FROM radgroupreply           WHERE
groupname = 'engineeringadmin'           ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing SHA-Password from hex encoding
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [john.doe] (from client routerA port 1 cli 192.168.1.1)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 215 to 192.168.1.1 port 1645
        Service-Type := Administrative-User
        Cisco-AVPair := "shell:priv-lvl=15"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 215 with timestamp +9
Ready to process requests.
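
In the debug output above, the request is accepted because Auth-Type is already set to Accept when the pap module runs, so the empty User-Password is never compared against a stored value. The following Python script is an added example, not part of the original post and not FreeRADIUS code: it scans `radiusd -X` debug output for accepts of that kind. The function names, the second sample request and the assumption that debug output is single-threaded (one request at a time) are assumptions of the example.

```python
import re

# Constructed input: request 215 is trimmed from the post's debug output;
# request 216 (user, password, Auth-Type line) is invented here for contrast.
SAMPLE = '''\
rad_recv: Access-Request packet from host 192.168.1.1 port 1645, id=215,
        User-Name = "john.doe"
        User-Password = ""
  rad_check_password:  Found Auth-Type Accept
Sending Access-Accept of id 215 to 192.168.1.1 port 1645
rad_recv: Access-Request packet from host 192.168.1.1 port 1645, id=216,
        User-Name = "jane.roe"
        User-Password = "constructed-secret"
  rad_check_password:  Found Auth-Type PAP
Sending Access-Accept of id 216 to 192.168.1.1 port 1645
'''

REQ = re.compile(r'^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)')
ATTR = re.compile(r'^\s+([\w-]+) = "(.*)"\s*$')      # request attributes use " = "
AUTH = re.compile(r'rad_check_password:\s+Found Auth-Type\s*=?\s*(\S+)')
REPLY = re.compile(r'^Sending (Access-\w+) of id (\d+)')

def parse_requests(text):
    requests, cur = [], None
    for line in text.splitlines():
        if m := REQ.match(line):
            cur = {"id": int(m.group(2)), "attrs": {}, "auth_type": None, "reply": None}
            requests.append(cur)
        elif cur is None:
            continue                      # banner lines before the first request
        elif m := ATTR.match(line):
            cur["attrs"].setdefault(m.group(1), m.group(2))
        elif m := AUTH.search(line):
            cur["auth_type"] = m.group(1)
        elif (m := REPLY.match(line)) and int(m.group(2)) == cur["id"]:
            cur["reply"] = m.group(1)
    return requests

def audit(text):
    """Return (id, user, reasons) for accepted requests that skipped a password check."""
    findings = []
    for r in parse_requests(text):
        reasons = []
        if r["attrs"].get("User-Password") == "":
            reasons.append("empty User-Password")
        if r["auth_type"] == "Accept":
            reasons.append("Auth-Type Accept, password not compared")
        if reasons and r["reply"] == "Access-Accept":
            findings.append((r["id"], r["attrs"].get("User-Name"), reasons))
    return findings
```

Calling `audit(SAMPLE)` flags request 215 only; a finding with the Auth-Type Accept reason points at a check item or `users` file entry that sets Auth-Type rather than at the password store.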


More information about the Freeradius-Users mailing list