NEW NAS Password Doesn't Authenticate
mr. s
sigasecure at gmail.com
Tue Aug 20 20:03:03 CEST 2013
From the logs I interpret, the error is incorrect password for the user. Is
this the correct interpretation?
I believe we have added in the NAS correctly to the clients file.
Also the username and password we are testing authenticate both locally
and from another NAS, without issue.
Here is an excerpt of our radius -X:
FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar 31
2010 at 00:25:31
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
client 192.168.1.239 {
require_message_authenticator = no
secret = "FreeRADIUS"
shortname = "New_NAS"
}
rad_recv: Access-Request packet from host 192.168.1.239 port 1645, id=30,
length=140
Framed-Protocol = PPP
User-Name = "username at domain.com"
User-Password = "password"
NAS-Port-Type = Virtual
NAS-Port = 0
NAS-Port-Id = "0/0/1/2890"
Cisco-AVPair = "client-mac-address=a820.6654.6a6f"
Service-Type = Framed-User
NAS-IP-Address = 192.168.1.239
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "domain.com" for User-Name = "username at domain.com"
[suffix] Found realm "domain.com"
[suffix] Adding Stripped-User-Name = "username"
[suffix] Adding Realm = "domain.com"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++? if (control:Auth-Type == Reject)
(Attribute control:Auth-Type was not found)
++- entering else else {...}
[sql] expand: %{Stripped-User-Name} -> username
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> username
[sql] sql_set_user escaped user --> 'username'
rlm_sql (sql): Reserving sql socket id: 23
[sql] expand: SELECT '1' as id, userId as username, 'Cleartext-Password' as
attribute, checkNASIPPassword(
'%{NAS-IP-Address}','%{SQL-User-Name}') as value, ':=' as op FROM
radiusUsers WHERE userId = '%{SQL-User-Name}' ORDER BY
id -> SELECT '1' as id, userId as username, 'Cleartext-Password' as
attribute, checkNASIPPassword( '192.168.1.239','username') as
value, ':=' as op FROM radiusUsers WHERE userId =
'username' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT '1' as id, userId as username, 'Framed-IP-Address' as
attribute,
assignIPAddress('%{NAS-IP-Address}','%{SQL-User-Name}') as value, '==' as
op FROM radiusUsers WHERE userId = '%{SQL-User-Name}'
ORDER BY id -> SELECT '1' as id, userId as username,
'Framed-IP-Address' as attribute,
assignIPAddress('192.168.1.239','username') as value, '==' as op
FROM radiusUsers WHERE userId = 'username' ORDER BY id
[sql] expand: SELECT userID as groupname FROM radiusUsers
WHERE userId = '**-Not-Using-Groups-**' -> SELECT userID as groupname
FROM radiusUsers WHERE userId = '**-Not-Using-Groups-**'
rlm_sql (sql): Released sql socket id: 23
+++[sql] returns ok
++- else else returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "password"
[pap] Using clear text password "**-User-Not-Allowed-To-Use-This-NAS-**"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [
username at domain.com/password] (from client SHL-BRAS-01_239 port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> username at domain.com
attr_filter: Matched entry DEFAULT attrt line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 30 to 192.168.1.239 port 1645
Finished request 70.
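
An added example (not part of the original post and not FreeRADIUS code): a small Python parser for debug output like the excerpt above that pairs each `[pap]` mismatch with the reference value the server compared against, and separates an ordinary mismatch from the case in this log where the value returned for Cleartext-Password has the `**-text-**` placeholder shape. The function name, the placeholder pattern and the finding labels are assumptions; the sample lines are copied from the excerpt.

```python
import re

# Constructed sample: lines copied from the debug excerpt in the post above.
SAMPLE = """\
[sql] User found in radcheck table
++[pap] returns updated
Found Auth-Type = PAP
[pap] login attempt with password "password"
[pap] Using clear text password "**-User-Not-Allowed-To-Use-This-NAS-**"
[pap] Passwords don't match
++[pap] returns reject
Sending Access-Reject of id 30 to 192.168.1.239 port 1645
"""

SUPPLIED = re.compile(r'^\[pap\] login attempt with password "(.*)"$')
REFERENCE = re.compile(r'^\[pap\] Using clear text password "(.*)"$')
# Assumption: placeholder values follow the **-text-** shape seen in this log.
PLACEHOLDER = re.compile(r'^\*\*-.+-\*\*$')


def classify_pap_rejects(debug_text):
    """Return one finding per PAP mismatch found in the debug output."""
    findings = []
    supplied = reference = None
    for raw in debug_text.splitlines():
        line = raw.strip()
        if m := SUPPLIED.match(line):
            supplied = m.group(1)
        elif m := REFERENCE.match(line):
            reference = m.group(1)
        elif line == "[pap] Passwords don't match" and reference is not None:
            if PLACEHOLDER.match(reference):
                reason = "reference-is-placeholder"
            else:
                reason = "password-mismatch"
            # The supplied password is deliberately not copied into the finding.
            findings.append({
                "reason": reason,
                "reference": reference,
                "supplied_seen": supplied is not None,
            })
            supplied = reference = None
    return findings


if __name__ == "__main__":
    for finding in classify_pap_rejects(SAMPLE):
        print(finding)
```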