authentication failing

Marlon Duksa mduksa at gmail.com
Thu Sep 23 00:04:14 CEST 2010


I also noticed that it is failing for PPP users as well:

prko        Auth-Type := Local, User-Password == "xxxx"
            Framed-Pool := "22",
            Framed-IP-Netmask := 255.255.0.0,
            Fall-Through = No



With this:

rad_recv: Access-Request packet from host 114.0.1.11 port 50633, id=63, length=146
        User-Name = "prko"
        NAS-IP-Address = 2.2.2.2
        Service-Type = Framed-User
        Framed-Protocol = PPP
        CHAP-Password = 0x019d64425b84c05b4dbef1cfc5d2665937
        CHAP-Challenge = 0xe546ec9fc842c4fe4dbaaf0c23cb4724b5f8ab7bc3522ea4d1cc9a455d2437446a2463b26628b13363e0bf862d072b627fd6dd43a98be87b
        NAS-Port-Type = 33
        NAS-Port-Id = "1/1/5:2"
        NAS-Identifier = "right-b4"
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "prko", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files]         expand: %{User-Name} -> prko
[files]         expand: %{User-Name} -> prko
[files]         expand: %{User-Name} -> prko
[files]         expand: %{User-Name} -> prko
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry prko at line 244
[files]         expand: %{NAS-Port-Id}-%{User-Name} -> 1/1/5:2-prko
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = Local
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No "known good" password was configured for the user.
As a result, we cannot authenticate the user.
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> prko
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 63 to 114.0.1.11 port 50633
Waking up in 4.9 seconds.
Cleaning up request 2 ID 63 with timestamp +1009
Ready to process requests.



On Wed, Sep 22, 2010 at 2:59 PM, Marlon Duksa <mduksa at gmail.com> wrote:

> Hi - we recently upgraded to version 2.1.8 (freeradius) and my
> authentication does not work any more.
>
> This used to work (configured in Radius):
>
> basic-a   User-Password == "csetestp"
>             User-Name =~ "^([aA-zZ]+)-([aA-zZ]+)$",
>             Framed-Pool := "21",
>             Class := 2,
>             Session-Timeout := 600,
>             Fall-Through = No
>
>
> This is not pap/chap authentication -  our NAS is sending auth-req for a
> DHCP user.
>
> I also tried to change to cleartext-password.
> Also I tried this:
> basic-a     Auth-Type := Local, User-Password == "csetestp"  but no luck
>
>
> This is what I'm getting on Radius:
>
> rad_recv: Access-Request packet from host 114.0.1.11 port 50633, id=62, length=78
>         User-Name = "basic-a"
>         User-Password = "csetestp"
>         NAS-IP-Address = 2.2.2.2
>         NAS-Port-Type = Ethernet
>         NAS-Port-Id = "1/1/5:4"
>         NAS-Identifier = "right-b4"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "basic-a", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files]         expand: %{User-Name} -> basic-a
> [files]         expand: %{User-Name} -> basic-a
> [files]         expand: %{User-Name} -> basic-a
> [files]         expand: %{User-Name} -> basic-a
> WARNING: Found User-Password == "...".
> WARNING: Are you sure you don't mean Cleartext-Password?
> WARNING: See "man rlm_pap" for more information.
> [files] users: Matched entry basic-a at line 106
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = Local
> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> WARNING: Use the PAP or CHAP modules instead.
> No "known good" password was configured for the user.
> As a result, we cannot authenticate the user.
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> basic-a
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 1 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 1
> Sending Access-Reject of id 62 to 114.0.1.11 port 50633
> Waking up in 4.9 seconds.
> Cleaning up request 1 ID 62 with timestamp +37
> Ready to process requests.
>
>
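
The PPP request above carries CHAP-Password and CHAP-Challenge, and the server rejects it with 'No "known good" password was configured for the user'. As an added illustration (not part of the original post and not FreeRADIUS code), this Python sketch shows the CHAP check from RFC 1994 / RFC 2865, which can only be computed when a cleartext password is available to the server. The function names, the sample password and the sample challenge are constructed for the example.

```python
import hashlib
import hmac

# CHAP-Password exactly as it appears in the debug output above.
PAGE_CHAP_PASSWORD = "0x019d64425b84c05b4dbef1cfc5d2665937"

def _unhex(value):
    """Decode an attribute printed as 0x... into raw octets."""
    return bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)

def split_chap_password(attr_hex):
    """Return (chap_id, response): 1 identifier octet + 16-octet MD5 digest."""
    raw = _unhex(attr_hex)
    if len(raw) != 17:
        raise ValueError("CHAP-Password must be 17 octets, got %d" % len(raw))
    return raw[0], raw[1:]

def chap_response(chap_id, cleartext, challenge):
    """MD5(identifier || cleartext password || challenge), per RFC 1994."""
    return hashlib.md5(bytes([chap_id]) + cleartext + challenge).digest()

def verify_chap(chap_password_hex, challenge_hex, known_good):
    """Server-side check. known_good is the stored cleartext, or None."""
    if known_good is None:
        # Nothing to hash with the challenge, so the response cannot be checked.
        return False
    chap_id, response = split_chap_password(chap_password_hex)
    expected = chap_response(chap_id, known_good.encode(), _unhex(challenge_hex))
    return hmac.compare_digest(expected, response)

def constructed_request(password, chap_id=7):
    """Build a constructed (CHAP-Password, CHAP-Challenge) pair for the demo."""
    challenge = bytes(range(16))  # constructed challenge, not from the page
    response = chap_response(chap_id, password.encode(), challenge)
    return "0x" + bytes([chap_id]).hex() + response.hex(), "0x" + challenge.hex()

if __name__ == "__main__":
    chap_id, digest = split_chap_password(PAGE_CHAP_PASSWORD)
    print("page request: CHAP id", chap_id, "digest octets", len(digest))
    attr, chal = constructed_request("example-secret")
    print("cleartext stored :", verify_chap(attr, chal, "example-secret"))
    print("wrong cleartext  :", verify_chap(attr, chal, "not-the-secret"))
    print("nothing stored   :", verify_chap(attr, chal, None))
```
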