still not working (newbie for radius)

Michael Lecuyer mjl at iterpacis.org
Mon Sep 20 04:26:55 CEST 2010


By the looks of it you have two problems. The User-Password name 'bob' 
isn't matched by the response Juniper-Local-User-Name 'labrat'. Perhaps 
ssh cares.

Your broken client sends the identical packet for the new authentication 
attempt when it must send a brand new packet (different id, socket or 
port). That's why the server drops subsequent login attempts from ssh - 
they're duplicate requests which the server has already answered.

In your second attempt your User-Name is 'labrat' and the 
Juniper-Local-User-Name 'labrat' is being returned in the response 
probably convincing SSH you are who you claim to be.

On 2010-09-19 9:35 PM, gahn wrote:
> thanks tim:
>
> yes, it is better but yet working correctly:
>
> gahn at giraffe:~:$ ssh bob at 192.168.255.138
> bob at 192.168.255.138's password:
> Permission denied, please try again.
> bob at 192.168.255.138's password:
> Permission denied, please try again.
> bob at 192.168.255.138's password:
> Permission denied (publickey,password,keyboard-interactive).
>
> but trying local username "labrat" is working fine:
>
> gahn at giraffe:~:$ ssh labrat at 192.168.255.138
> labrat at 192.168.255.138's password:
> --- JUNOS 8.5R4.3 built 2008-08-12 23:16:55 UTC
> labrat at lab-r8>
>
> what is interesting here is that now i can see "Access-Accept" in the debugging messages of "radiusd -X":
>
> rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57
>          User-Name = "bob"
>          User-Password = "bob"
>          NAS-Identifier = "lab-r8"
>          NAS-IP-Address = 150.150.0.1
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "bob", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry bob at line 1
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns updated
> Found Auth-Type = PAP
> +- entering group PAP {...}
> [pap] login attempt with password "bob"
> [pap] Using clear text password "bob"
> [pap] User authenticated successfully
> ++[pap] returns ok
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 3 to 192.168.255.138 port 65003
>          Juniper-Local-User-Name = "labrat"
> Finished request 4.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57
> Sending duplicate reply to client r8 port 65003 - ID: 3
> Sending Access-Accept of id 3 to 192.168.255.138 port 65003
> Waking up in 1.9 seconds.
> Cleaning up request 4 ID 3 with timestamp +91
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57
>          User-Name = "bob"
>          User-Password = "bob"
>          NAS-Identifier = "lab-r8"
>          NAS-IP-Address = 150.150.0.1
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "bob", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry bob at line 1
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns updated
> Found Auth-Type = PAP
> +- entering group PAP {...}
> [pap] login attempt with password "bob"
> [pap] Using clear text password "bob"
> [pap] User authenticated successfully
> ++[pap] returns ok
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 3 to 192.168.255.138 port 65003
>          Juniper-Local-User-Name = "labrat"
> Finished request 5.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 5 ID 3 with timestamp +97
> Ready to process requests.
>
>
>
> --- On Sun, 9/19/10, Tim Sylvester<tim.sylvester at networkradius.com>  wrote:
>
>> From: Tim Sylvester<tim.sylvester at networkradius.com>
>> Subject: RE: still not working (newbie for radius)
>> To: "'FreeRadius users mailing list'"<freeradius-users at lists.freeradius.org>
>> Date: Sunday, September 19, 2010, 5:52 PM
>>
>> well, i had tried other configuration for "users":
>>
>> bob     Cleartext-Password = "bob"
>>           Juniper-Local-User-Name = "labrat"
>>
>> labrat is local login user id so that all of radius users
>> will be mapped to
>> that user. unfortunately, it is also failed though with no
>> warning messages:
>>
>>
>> <tim>  You are missing a : - try the following:
>>
>> bob     Cleartext-Password := "bob"
>>          Juniper-Local-User-Name = "labrat"
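Michael's point about the retransmitted packet, as an added illustration that is not part of this thread and not FreeRADIUS code: a small Python model of how a RADIUS server recognises a duplicate Access-Request (RFC 2865: same client IP, same source UDP port and same Identifier within a short time) and answers it from its reply cache instead of authenticating again, while a request carrying a fresh Identifier is processed normally. The client address, port and Identifier values mirror the log quoted above; the packets themselves are constructed here, and the `DedupCache` class, the `authenticate` callback and the five-second cleanup delay are assumptions of this model.

```python
import os
import struct

# RADIUS packet codes and the one attribute type used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME = 1


def build_access_request(identifier, authenticator, user_name):
    """Build a minimal Access-Request: 20-byte header plus one User-Name attribute.
    The 16-byte Request Authenticator is chosen by the client per packet."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attr = struct.pack("!BB", USER_NAME, 2 + len(user_name)) + user_name
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attr))
    return header + authenticator + attr


def parse_header(packet):
    """Return (code, identifier, length, authenticator) after sanity-checking Length."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    return code, identifier, length, packet[4:20]


class DedupCache:
    """Assumed model of a server-side reply cache (not FreeRADIUS's own code).
    Entries are keyed on (client IP, source port, Identifier), which is exactly
    why a client that re-sends the same bytes gets the same answer back."""

    def __init__(self, cleanup_delay=5.0):
        self.cleanup_delay = cleanup_delay   # seconds a finished request is remembered
        self.entries = {}                    # key -> (authenticator, reply_code, answered_at)

    def handle(self, src_ip, src_port, packet, now, authenticate):
        code, identifier, _, authenticator = parse_header(packet)
        if code != ACCESS_REQUEST:
            raise ValueError("only Access-Request is modelled here")
        key = (src_ip, src_port, identifier)
        entry = self.entries.get(key)
        if entry is not None:
            old_auth, reply, answered_at = entry
            if now - answered_at <= self.cleanup_delay and old_auth == authenticator:
                # Same id, same Authenticator, still in the window: a retransmission.
                return "duplicate", reply
            # Either the entry expired ("Cleaning up request") or the Authenticator
            # differs, so this is treated as a new request and the old entry dropped.
            del self.entries[key]
        reply = ACCESS_ACCEPT if authenticate(packet) else ACCESS_REJECT
        self.entries[key] = (authenticator, reply, now)
        return "processed", reply


def demo():
    """Replay the pattern from the log: a request, a byte-identical resend,
    a request with a new Identifier, then the old packet after cleanup."""
    cache = DedupCache(cleanup_delay=5.0)
    client = ("192.168.255.138", 65003)          # NAS address/port from the log
    always_ok = lambda packet: True              # stand-in for the real password check
    first = build_access_request(3, os.urandom(16), b"bob")
    fresh = build_access_request(4, os.urandom(16), b"bob")
    events = [
        cache.handle(*client, first, 100.0, always_ok),   # new request, authenticated
        cache.handle(*client, first, 101.0, always_ok),   # identical resend: cached reply
        cache.handle(*client, fresh, 102.0, always_ok),   # new id: authenticated again
        cache.handle(*client, first, 106.0, always_ok),   # after cleanup: treated as new
    ]
    return [status for status, _ in events]


if __name__ == "__main__":
    print(demo())   # ['processed', 'duplicate', 'processed', 'processed']
```

The second call is the interesting one: the server never re-runs authentication, it simply repeats the earlier Access-Accept, which is the "Sending duplicate reply" line in the log. A client that wants a genuinely new authentication attempt has to change the Identifier (or the source port), and a server that wanted to audit failed logins would see only one attempt for a burst of retransmissions.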
