still not working (newbie for radius)

gahn ipfreak at yahoo.com
Mon Sep 20 05:19:44 CEST 2010 

thanks. 

well, i don't have user "labrat" configured in file "users" on the radius server. the "labrat" is in local user password database on the juniper box. for the raqdius support on juniper routers, it must map a remote user (in the database of radius server) to a specific local user. in my case, i map the radius username "bob" to the juniper local username "labrat".

if i understand correctly what you were saying, this attribute of "Juniper-Local-User-Name" is not working?

also you are right, for some reasons, every login attempt will have two more duplicated messages besides the first one. why is that?

I am really new on this. thanks for the help...


--- On Sun, 9/19/10, Michael Lecuyer <mjl at iterpacis.org> wrote:

> From: Michael Lecuyer <mjl at iterpacis.org>
> Subject: Re: still not working (newbie for radius)
> To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> Date: Sunday, September 19, 2010, 7:26 PM
> By the looks of it you have two
> problems. The User-Password name 'bob' 
> isn't matched by the response Juniper-Local-User-Name
> 'labrat'. Perhaps 
> ssh cares.
> 
> Your broken client sends the identical packet for the new
> authentication 
> attempt when it must send a brand new packet (different id,
> socket or 
> port). That's why the server drops subsequent login
> attempts from ssh - 
> they're duplicate requests which the server has already
> answered.
> 
> In your second attempt you're User-Name is 'labrat' and the
> 
> Juniper-Local-User-Name 'labrat' is being returned in the
> response 
> probably convincing SSH you are who you claim to be.
> 
> On 2010-09-19 9:35 PM, gahn wrote:
> > thanks tim:
> >
> > yes, it is better but yet working correctly:
> >
> > gahn at giraffe:~:$ ssh bob at 192.168.255.138
> > bob at 192.168.255.138's password:
> > Permission denied, please try again.
> > bob at 192.168.255.138's password:
> > Permission denied, please try again.
> > bob at 192.168.255.138's password:
> > Permission denied
> (publickey,password,keyboard-interactive).
> >
> > but trying local username "labrat" is working fine:
> >
> > gahn at giraffe:~:$ ssh labrat at 192.168.255.138
> > labrat at 192.168.255.138's password:
> > --- JUNOS 8.5R4.3 built 2008-08-12 23:16:55 UTC
> > labrat at lab-r8>
> >
> > what is interesting here is that now i can see
> "Access-Accept" in the debugging messages of "radiusd -X":
> >
> > rad_recv: Access-Request packet from host
> 192.168.255.138 port 65003, id=3, length=57
> >          User-Name = "bob"
> >          User-Password =
> "bob"
> >          NAS-Identifier =
> "lab-r8"
> >          NAS-IP-Address =
> 150.150.0.1
> > +- entering group authorize {...}
> > ++[preprocess] returns ok
> > ++[chap] returns noop
> > ++[mschap] returns noop
> > [suffix] No '@' in User-Name = "bob", looking up realm
> NULL
> > [suffix] No such realm "NULL"
> > ++[suffix] returns noop
> > [eap] No EAP-Message, not doing EAP
> > ++[eap] returns noop
> > ++[unix] returns notfound
> > [files] users: Matched entry bob at line 1
> > ++[files] returns ok
> > ++[expiration] returns noop
> > ++[logintime] returns noop
> > ++[pap] returns updated
> > Found Auth-Type = PAP
> > +- entering group PAP {...}
> > [pap] login attempt with password "bob"
> > [pap] Using clear text password "bob"
> > [pap] User authenticated successfully
> > ++[pap] returns ok
> > +- entering group post-auth {...}
> > ++[exec] returns noop
> > Sending Access-Accept of id 3 to 192.168.255.138 port
> 65003
> >         
> Juniper-Local-User-Name = "labrat"
> > Finished request 4.
> > Going to the next request
> > Waking up in 4.9 seconds.
> > rad_recv: Access-Request packet from host
> 192.168.255.138 port 65003, id=3, length=57
> > Sending duplicate reply to client r8 port 65003 - ID:
> 3
> > Sending Access-Accept of id 3 to 192.168.255.138 port
> 65003
> > Waking up in 1.9 seconds.
> > Cleaning up request 4 ID 3 with timestamp +91
> > Ready to process requests.
> > rad_recv: Access-Request packet from host
> 192.168.255.138 port 65003, id=3, length=57
> >          User-Name = "bob"
> >          User-Password =
> "bob"
> >          NAS-Identifier =
> "lab-r8"
> >          NAS-IP-Address =
> 150.150.0.1
> > +- entering group authorize {...}
> > ++[preprocess] returns ok
> > ++[chap] returns noop
> > ++[mschap] returns noop
> > [suffix] No '@' in User-Name = "bob", looking up realm
> NULL
> > [suffix] No such realm "NULL"
> > ++[suffix] returns noop
> > [eap] No EAP-Message, not doing EAP
> > ++[eap] returns noop
> > ++[unix] returns notfound
> > [files] users: Matched entry bob at line 1
> > ++[files] returns ok
> > ++[expiration] returns noop
> > ++[logintime] returns noop
> > ++[pap] returns updated
> > Found Auth-Type = PAP
> > +- entering group PAP {...}
> > [pap] login attempt with password "bob"
> > [pap] Using clear text password "bob"
> > [pap] User authenticated successfully
> > ++[pap] returns ok
> > +- entering group post-auth {...}
> > ++[exec] returns noop
> > Sending Access-Accept of id 3 to 192.168.255.138 port
> 65003
> >         
> Juniper-Local-User-Name = "labrat"
> > Finished request 5.
> > Going to the next request
> > Waking up in 4.9 seconds.
> > Cleaning up request 5 ID 3 with timestamp +97
> > Ready to process requests.
> >
> >
> >
> > --- On Sun, 9/19/10, Tim Sylvester<tim.sylvester at networkradius.com> wrote:
> >
> >> From: Tim Sylvester<tim.sylvester at networkradius.com>
> >> Subject: RE: still not working (newbie for
> radius)
> >> To: "'FreeRadius users mailing list'"<freeradius-users at lists.freeradius.org>
> >> Date: Sunday, September 19, 2010, 5:52 PM
> >>
> >> well, i had tried other configuration for
> "users":
> >>
> >> bob     Cleartext-Password =
> "bob"
> >>       
>    Juniper-Local-User-Name = "labrat"
> >>
> >> labrat is local login user id so that all of
> radius users
> >> will be mapped to
> >> that user. unfortunately, it is also failed though
> with no
> >> warning messages:
> >>
> >>
> >> <tim>  You are missing a : - try the
> following:
> >>
> >> bob     Cleartext-Password :=
> "bob"
> >>         
> Juniper-Local-User-Name =
> >> "labrat"
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

More information about the Freeradius-Users mailing list