NEW NAS Password Doesn't Authenticate

mr. s sigasecure at gmail.com
Tue Aug 20 20:03:03 CEST 2013


>From the logs I interpret, the error is incorrect password for the user. Is
this correct interpretation?

I believe we have added in the NAS correctly to the clients file.

Also the username and password, we are testing, authenticates both locally
and from another NAS, without issue.

Here is an excerpt  of our radius -X


FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar 31
2010 at 00:25:31

Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.

There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE.

You may redistribute copies of FreeRADIUS under the terms of the

GNU General Public License v2.

Starting - reading configuration files ...



 client 192.168.1.239 {

require_message_authenticator = no

secret = "FreeRADIUS"

shortname = "New_NAS"

 }





rad_recv: Access-Request packet from host 192.168.1.239 port 1645, id=30,
length=140

Framed-Protocol = PPP

User-Name = "username at domain.com"

User-Password = "password"

NAS-Port-Type = Virtual

NAS-Port = 0

NAS-Port-Id = "0/0/1/2890"

Cisco-AVPair = "client-mac-address=a820.6654.6a6f"

Service-Type = Framed-User

NAS-IP-Address = 192.168.1.239

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

[suffix] Looking up realm "domain.com" for User-Name = "username at domain.com"

[suffix] Found realm "domain.com"

[suffix] Adding Stripped-User-Name = "username"

[suffix] Adding Realm = "domain.com"

[suffix] Authentication realm is LOCAL.

++[suffix] returns ok

[eap] No EAP-Message, not doing EAP

++[eap] returns noop

++[files] returns noop

++? if (control:Auth-Type == Reject)

    (Attribute control:Auth-Type was not found)

++- entering else else {...}

[sql] expand: %{Stripped-User-Name} -> username

[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> username

[sql] sql_set_user escaped user --> 'username'

rlm_sql (sql): Reserving sql socket id: 23

[sql] expand: SELECT '1' as id, userId as username, 'Cleartext-Password' as
attribute,           checkNASIPPassword(
'%{NAS-IP-Address}','%{SQL-User-Name}') as value, ':=' as op           FROM
radiusUsers           WHERE userId = '%{SQL-User-Name}'           ORDER BY
id -> SELECT '1' as id, userId as username, 'Cleartext-Password' as
attribute,           checkNASIPPassword( '192.168.1.239','username') as
value, ':=' as op           FROM radiusUsers           WHERE userId =
'username'           ORDER BY id

[sql] User found in radcheck table

[sql] expand: SELECT '1' as id, userId as username, 'Framed-IP-Address' as
attribute,
assignIPAddress('%{NAS-IP-Address}','%{SQL-User-Name}') as value, '==' as
op           FROM radiusUsers           WHERE userId = '%{SQL-User-Name}'
        ORDER BY id -> SELECT '1' as id, userId as username,
'Framed-IP-Address' as attribute,
assignIPAddress('192.168.1.239','username') as value, '==' as op
FROM radiusUsers           WHERE userId = 'username'           ORDER BY id

[sql] expand: SELECT userID as groupname           FROM radiusUsers
  WHERE userId = '**-Not-Using-Groups-**'  -> SELECT userID as groupname
        FROM radiusUsers           WHERE userId = '**-Not-Using-Groups-**'

rlm_sql (sql): Released sql socket id: 23

+++[sql] returns ok

++- else else returns ok

++[expiration] returns noop

++[logintime] returns noop

++[pap] returns updated

Found Auth-Type = PAP

+- entering group PAP {...}

[pap] login attempt with password "password"

[pap] Using clear text password "**-User-Not-Allowed-To-Use-This-NAS-**"

[pap] Passwords don't match

++[pap] returns reject

Failed to authenticate the user.

Login incorrect (rlm_pap: CLEAR TEXT password check failed): [
username at domain.com/password] (from client SHL-BRAS-01_239 port 0)

Using Post-Auth-Type Reject

+- entering group REJECT {...}

[attr_filter.access_reject] expand: %{User-Name} -> username at domain.com

 attr_filter: Matched entry DEFAULT attrt line 11

++[attr_filter.access_reject] returns updated

Sending Access-Reject of id 30 to 192.168.1.239 port 1645

Finished request 70.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130820/feaae5d8/attachment.html>


More information about the Freeradius-Users mailing list