Issues with squid_radius_auth
Ovi C
csoft2k5 at yahoo.com
Fri Jan 29 20:12:43 CET 2010
Hi. I'm using squid proxy server with freeradius authentication with postgresql backend running on Debian Squeeze and I get the following error from freeradius.
./squid_radius_auth -f /etc/squid3/squid_radius_auth.conf
andrei tester
Warning: Received invalid reply digest from server
Warning: Received invalid reply digest from serverERR
I'll post the configuration files and the output from freeradius debug:
cat /etc/squid3/squid_radius_auth.conf
# squid_rad_auth configuration file
# MvS: 28-10-1998
server 192.168.107.2
secret testing
--------------------------------------------------------------------------------------------------------------------------------
freeradius -X stripped output:
freeradius -X
including configuration file /etc/freeradius/sites-enabled/default
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.107.2 port 48244, id=1, length=64
User-Name = "andrei"
User-Password = "WIdk\214\356\376G/\215X\367n\246h\224"
NAS-Port = 111
NAS-Port-Type = Async
NAS-IP-Address = 192.168.107.2
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.107.2/auth-detail-20100129
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.107.2/auth-detail-20100129
[auth_log] expand: %t -> Fri Jan 29 18:34:05 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "andrei", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{User-Name} -> andrei
[sql] sql_set_user escaped user --> 'andrei'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'andrei' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[sql] User found in radcheck table
[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'andrei' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='andrei' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "WIdk?��G/?X�n�h?"
[pap] Using clear text password "tester"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> andrei
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 1 to 192.168.107.2 port 48244
rad_recv: Access-Request packet from host 192.168.107.2 port 48244, id=1, length=64
Sending duplicate reply to client localhost port 48244 - ID: 1
Sending Access-Reject of id 1 to 192.168.107.2 port 48244
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.107.2 port 48244, id=1, length=64
Sending duplicate reply to client localhost port 48244 - ID: 1
Sending Access-Reject of id 1 to 192.168.107.2 port 48244
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 192.168.107.2 port 48244, id=1, length=64
Sending duplicate reply to client localhost port 48244 - ID: 1
Sending Access-Reject of id 1 to 192.168.107.2 port 48244
Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 192.168.107.2 port 48244, id=1, length=64
Sending duplicate reply to client localhost port 48244 - ID: 1
Sending Access-Reject of id 1 to 192.168.107.2 port 48244
Waking up in 1.9 seconds.
rad_recv: Access-Request packet from host 192.168.107.2 port 48244, id=1, length=64
Sending duplicate reply to client localhost port 48244 - ID: 1
Sending Access-Reject of id 1 to 192.168.107.2 port 48244
Waking up in 0.9 seconds.
Cleaning up request 0 ID 1 with timestamp +3
Ready to process requests.
----------------------------------------------------------------------------------------------------------------------------------
cat /etc/freeradius/clients.conf
client localhost {
ipaddr = 192.168.107.2
netmask = 32
secret = testing
require_message_authenticator = no
shortname = localhost
nastype = other
}
--------------------------------------------------------------------------------------------------------------------------
Somehow the client is not sending the cleartext password from the database and this causes the error.
The shared secret is correct, as I use the same configuration for a PPPOE server and everything works as it should. Any hints?
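
The two diagnostics in this post, the helper's "Received invalid reply digest" and FreeRADIUS's "Unprintable characters in the password", both come from RFC 2865 computations keyed on the shared secret. As an added example (not code from the post, squid_radius_auth or FreeRADIUS), the sketch below implements both computations and shows what each side observes when the two copies of the secret differ; OTHER_SECRET, REQ_AUTH and demo() are constructed for illustration.

```python
import hashlib
import hmac
import struct

def _md5_xor(block: bytes, secret: bytes, prev: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Client side, RFC 2865 5.2: null-pad to 16-byte blocks, XOR-chain with MD5."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _md5_xor(padded[i:i + 16], secret, prev)
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: the same chain, keyed with the server's copy of the secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _md5_xor(hidden[i:i + 16], secret, prev)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_reply(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + digest + attrs

def reply_digest_ok(packet: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the digest with the client's copy of the secret."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        return False
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample values; "testing" and "tester" are the strings shown in the post.
REQ_AUTH = bytes(range(16))                         # constructed Request Authenticator
NAS_SECRET, OTHER_SECRET = b"testing", b"Testing"   # OTHER_SECRET is hypothetical

def demo() -> tuple:
    hidden = hide_password(b"tester", NAS_SECRET, REQ_AUTH)
    reject = build_reply(3, 1, b"", REQ_AUTH, OTHER_SECRET)  # 3 = Access-Reject, id 1
    return (recover_password(hidden, OTHER_SECRET, REQ_AUTH),   # garbled bytes
            reply_digest_ok(reject, REQ_AUTH, NAS_SECRET))      # False

if __name__ == "__main__":
    print(demo())
```

With matching secrets, recover_password() returns b"tester" and reply_digest_ok() returns True, so seeing both warnings for the same request means the two ends keyed these MD5 computations with different byte strings.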