Authentication with Juniper SA

Mik J mikydevel at yahoo.fr
Sun Sep 16 02:00:46 CEST 2012


Hello,

I don't know why I can't get my authentication working with Juniper Secure Access.

I have a user
+----+----------+--------------------+------------+----+
| id | username | attribute          | value      | op |
+----+----------+--------------------+------------+----+
|  9 | t2       | Cleartext-Password | passsecret | == |
+----+----------+--------------------+------------+----+


Command line authentication works
# radtest t2 passsecret 127.0.0.1 1812 testing1234 PPP 192.168.1.1


I entered the Juniper device in clients.conf
client mag.mydomain.com {
        ipaddr = 192.168.1.2
        secret = mykey
        shortname = mag
        require_message_authenticator = no
        nastype = other         # localhost isn't usually a NAS...
}

I entered that same key in the Juniper secure access configuration


The complete debug output is below. Does anyone see something that could explain why it doesn't work?
It says: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
However, the password is good!!!



rad_recv: Access-Request packet from host 192.168.1.2 port 65218, id=236, length=132
        NAS-Identifier = "mag"
        User-Name = "t2"
        User-Password = "passsecret"
        Tunnel-Client-Endpoint:0 = "192.168.1.3"
        NAS-IP-Address = 192.168.1.2
        NAS-Port = 0
        Acct-Session-Id = "t2(Group XXXX)\"Sun Sep 16 01:43:02 2012\"VVZatHVK"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "t2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 202
++[files] returns ok
[sql]   expand: %{User-Name} -> t2
[sql] sql_set_user escaped user --> 't2'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 't2'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 't2'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 't2'           ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup           WHERE username = 't2'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User t2 not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
        expand: Host %n -> Host 192.168.1.2
Login incorrect: [t2/passsecret] (from client mag port 0) Host 192.168.1.2
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> t2
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 236 to 192.168.1.2 port 65218
Waking up in 4.9 seconds.
Cleaning up request 5 ID 236 with timestamp +1809
Ready to process requests.