ERROR at testing freeradius

Tania Romero tania.romero.aramayo at gmail.com
Thu Nov 20 18:38:47 CET 2014


This is the first time I install and test Freeradius.
This is the version of freeradius:

-- freeradius -v

freeradius: FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on
Feb 24 2014 at 15:16:51
Copyright (C) 1999-2010 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.


This user is one of the default users, and I just uncommented that user
line in /etc/freeradius/users:

*******************************************************************************
#
#    Please read the documentation file ../doc/processing_users_file,
#    or 'man 5 users' (after installing the server) for more information.
#
#    This file contains authentication security and configuration
#    information for each user.  Accounting requests are NOT processed
#    through this file.  Instead, see 'acct_users', in this directory.
#
#    The first field is the user's name and can be up to
#    253 characters in length.  This is followed (on the same line) with
#    the list of authentication requirements for that user.  This can
#    include password, comm server name, comm server port number, protocol
#    type (perhaps set by the "hints" file), and huntgroup name (set by
#    the "huntgroups" file).
#
#    If you are not sure why a particular reply is being sent by the
#    server, then run the server in debugging mode (radiusd -X), and
#    you will see which entries in this file are matched.
#
#    When an authentication request is received from the comm server,
#    these values are tested. Only the first match is used unless the
#    "Fall-Through" variable is set to "Yes".
#
#    A special user named "DEFAULT" matches on all usernames.
#    You can have several DEFAULT entries. All entries are processed
#    in the order they appear in this file. The first entry that
#    matches the login-request will stop processing unless you use
#    the Fall-Through variable.
#
#    If you use the database support to turn this file into a .db or .dbm
#    file, the DEFAULT entries _have_ to be at the end of this file and
#    you can't have multiple entries for one username.
#
#    Indented (with the tab character) lines following the first
#    line indicate the configuration values to be passed back to
#    the comm server to allow the initiation of a user session.
#    This can include things like the PPP configuration values
#    or the host to log the user onto.
#
#    You can include another `users' file with `$INCLUDE users.other'
#

#
#    For a list of RADIUS attributes, and links to their definitions,
#    see:
#
#    http://www.freeradius.org/rfc/attributes.html
#

#
# Deny access for a specific user.  Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser    Auth-Type := Reject
#        Reply-Message = "Your account has been disabled."

#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT    Group == "disabled", Auth-Type := Reject
#        Reply-Message = "Your account has been disabled."
#

#
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
steve    Cleartext-Password := "testing"
#    Service-Type = Framed-User,
#    Framed-Protocol = PPP,
#    Framed-IP-Address = 172.16.3.33,
#    Framed-IP-Netmask = 255.255.255.0,
#    Framed-Routing = Broadcast-Listen,
#    Framed-Filter-Id = "std.ppp",
#    Framed-MTU = 1500,
#    Framed-Compression = Van-Jacobsen-TCP-IP

#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe"    Cleartext-Password := "hello"
#        Reply-Message = "Hello, %{User-Name}"

#
# Dial user back and telnet to the default host for that port
#
#Deg    Cleartext-Password := "ge55ged"
#    Service-Type = Callback-Login-User,
#    Login-IP-Host = 0.0.0.0,
#    Callback-Number = "9,5551212",
#    Login-Service = Telnet,
#    Login-TCP-Port = Telnet

#
# Another complete entry. After the user "dialbk" has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host "timeshare1".
#
#dialbk    Cleartext-Password := "callme"
#    Service-Type = Callback-Login-User,
#    Login-IP-Host = timeshare1,
#    Login-Service = PortMaster,
#    Callback-Number = "9,1-800-555-1212"

#
# user "swilson" will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups
file).
#
# Note that by setting "Fall-Through", other attributes will be added from
# the following DEFAULT entries
#
#swilson    Service-Type == Framed-User, Huntgroup-Name == "alphen"
#        Framed-IP-Address = 192.168.1.65,
#        Fall-Through = Yes

#
# If the user logs in as 'username.shell', then authenticate them
# using the default method, give them shell access, and stop processing
# the rest of the file.
#
#DEFAULT    Suffix == ".shell"
#        Service-Type = Login-User,
#        Login-Service = Telnet,
#        Login-IP-Host = your.shell.machine


#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#

#
# Set up different IP address pools for the terminal servers.
# Note that the "+" behind the IP address means that this is the "base"
# IP address. The Port-Id (S0, S1 etc) will be added to it.
#
#DEFAULT    Service-Type == Framed-User, Huntgroup-Name == "alphen"
#        Framed-IP-Address = 192.168.1.32+,
#        Fall-Through = Yes

#DEFAULT    Service-Type == Framed-User, Huntgroup-Name == "delft"
#        Framed-IP-Address = 192.168.2.32+,
#        Fall-Through = Yes

#
# Sample defaults for all framed connections.
#
#DEFAULT    Service-Type == Framed-User
#    Framed-IP-Address = 255.255.255.254,
#    Framed-MTU = 576,
#    Service-Type = Framed-User,
#    Fall-Through = Yes

#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
#    by the terminal server in which case there may not be a "P" suffix.
#    The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
DEFAULT    Framed-Protocol == PPP
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT    Hint == "CSLIP"
    Framed-Protocol = SLIP,
    Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT    Hint == "SLIP"
    Framed-Protocol = SLIP

#
# Last default: rlogin to our main server.
#
#DEFAULT
#    Service-Type = Login-User,
#    Login-Service = Rlogin,
#    Login-IP-Host = shellbox.ispdomain.com

# #
# # Last default: shell on the local terminal server.
# #
# DEFAULT
#     Service-Type = Administrative-User

# On no match, the user is denied access.

*******************************************************************************


I have a terminal where I see the debugging messages, and another where I
entered the following commands:


-- radtest steve testing 127.0.0.1 0 testing123

This is the outcome:

Sending Access-Request Id 79 from 0.0.0.0:37440 to 127.0.0.1:1812
    User-Name = 'steve'
    User-Password = 'testing'
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
    Message-Authenticator = 0x00
Received Access-Reject Id 79 from 127.0.0.1:1812 to 127.0.0.1:37440 length
20
(0) -: Expected Access-Accept got Access-Reject



In the debug console, this is the result:

*******************************************************************************
rad_recv: Access-Request packet from host 127.0.0.1 port 37440, id=79,
length=75
    User-Name = "steve"
    User-Password = "testing"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
    Message-Authenticator = 0x57890edab06058e2770c96eea02e0d0a
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "steve", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> steve
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 22 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 22
Sending Access-Reject of id 79 to 127.0.0.1 port 37440
Waking up in 4.9 seconds.
Cleaning up request 22 ID 79 with timestamp +9927
Ready to process requests.
*******************************************************************************


I'm not sure if that's the file where I have to enable the "steve" user,
because for what I've read this line:
++[files] returns noop
Indicates that Freeradius hasn't found my user configuration.
Is it possible that I've been configuring the wrong file?
Any other ideas of why Freeradius keeps rejecting my request?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20141120/c4dc902b/attachment-0001.html>


More information about the Freeradius-Users mailing list