Problem with crypt passwords matching
Robert Haskins
robert.haskins at gmail.com
Wed Aug 15 22:40:57 CEST 2012
I am running Freeradius 2.1.12 on a Centos box. I am able to
authenticate from the server command line, and from a Cisco ASR1k BRAS
via the command line. However, when I attempt to authenticate
customers from the DSL network, I get a reject, even though the
crypt'd passwords match! Here is a sample from a trace:
rad_recv: Access-Request packet from host 204.111.5.9 port 1645,
id=235, length=89
Framed-Protocol = PPP
User-Name = "k143rott"
User-Password = "k*****"
NAS-Port-Type = Virtual
NAS-Port = 0
NAS-Port-Id = "0/0/0/304"
Service-Type = Framed-User
NAS-IP-Address = 204.111.5.9
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "k143rott", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "k143rott"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
[files] users: Matched entry DEFAULT at line 169
[files] users: Matched entry DEFAULT at line 172
[files] users: Matched entry DEFAULT at line 186
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "krt444"
[pap] Using CRYPT password "*3u.3LS/VKTOVc"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CRYPT password check failed):
[k143rott/k*****] (from client va-edbg-bras-1 port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> k143rott
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 30 for 1 seconds
Going to the next request
Sending delayed reject for request 21
Sending Access-Reject of id 227 to 204.111.5.9 port 1645
The crypt'd password ("*3u.3LS/VKTOVc") is exactly what is in the
/etc/shadow file. So I am confident the shared secret is correct.
What am I doing wrong?
--
Haskins Family Farm
Middletown, VA
web: http://www.haskinsfamilyfarm.com
FB: http://www.facebook.com/pages/Middletown-VA/Haskins-Family-Farm/114984971161
More information about the Freeradius-Users
mailing list