PAP problem?

Matt Langthorpe matt.langthorpe at
Thu Mar 3 12:52:00 CET 2011

Hi list, 

I'm pretty sure this issue is straight forward but I've searched the list and cant come up with an answer.

I'm usuing freeradius 2.19 on cent OS 5.5   

Im trying to auth users from a NAC box (Bradford campus manager) against an AD domain using freeradius.  

All works fine when I point an AP at freeradius,  but things fail when using our NAC  to forward requests to FreeRadius.   I suspect the problem is that the NAC is trying to use PAP, but im not sure how to really resolve the problem. 

Here are my logs:

Ready to process requests.
rad_recv: Access-Request packet from host port 32960, id=174, length=78
        User-Name = "SAMBA_TEST"
        User-Password = "password"
        NAS-Identifier = ""
        NAS-IP-Address =
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/
[auth_log]      expand: %t -> Thu Mar  3 11:45:17 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "SAMBA_TEST", looking up realm NULL [suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for SAMBA_TEST [ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details [ldap]  expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=SAMBA_TEST)) [ldap]  expand: cn=Users,dc=PMB,dc=OX,dc=AC,dc=UK -> cn=Users,dc=PMB,dc=OX,dc=AC,dc=UK
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to, authentication 0
rlm_ldap: bind as cn=samba,cn=Users,dc=PMB,dc=OX,dc=AC,dc=UK/password to
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in cn=Users,dc=PMB,dc=OX,dc=AC,dc=UK, with filter (&(sAMAccountName=SAMBA_TEST)) [ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user SAMBA_TEST authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> SAMBA_TEST
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 174 to port 32960 Waking up in 4.9 seconds.
Cleaning up request 0 ID 174 with timestamp +


More information about the Freeradius-Users mailing list