Problem with crypt passwords matching

Robert Haskins robert.haskins at gmail.com
Wed Aug 15 22:40:57 CEST 2012 

I am running Freeradius 2.1.12 on a Centos box. I am able to
authenticate from the server command line, and from a Cisco ASR1k BRAS
via the command line. However, when I attempt to authenticate
customers from the DSL network, I get a reject, even though the
crypt'd passwords match! Here is a sample from a trace:

rad_recv: Access-Request packet from host 204.111.5.9 port 1645,
id=235, length=89
        Framed-Protocol = PPP
        User-Name = "k143rott"
        User-Password = "k*****"
        NAS-Port-Type = Virtual
        NAS-Port = 0
        NAS-Port-Id = "0/0/0/304"
        Service-Type = Framed-User
        NAS-IP-Address = 204.111.5.9
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "k143rott", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "k143rott"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
[files] users: Matched entry DEFAULT at line 169
[files] users: Matched entry DEFAULT at line 172
[files] users: Matched entry DEFAULT at line 186
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "krt444"
[pap] Using CRYPT password "*3u.3LS/VKTOVc"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CRYPT password check failed):
[k143rott/k*****] (from client va-edbg-bras-1 port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> k143rott
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 30 for 1 seconds
Going to the next request
Sending delayed reject for request 21
Sending Access-Reject of id 227 to 204.111.5.9 port 1645

The crypt'd password ("*3u.3LS/VKTOVc") is exactly what is in the
/etc/shadow file. So I am confident the shared secret is correct.

What am I doing wrong?

-- 
Haskins Family Farm
Middletown, VA
web: http://www.haskinsfamilyfarm.com
FB: http://www.facebook.com/pages/Middletown-VA/Haskins-Family-Farm/114984971161

More information about the Freeradius-Users mailing list