radtest works but Device Fails Authentication
Syed Rais Ahmad NON DRI
SAhmad at darden.com
Thu Jul 9 22:40:25 CEST 2015
Here is the debug info:
... adding new socket proxy address * port 52796
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.253.82.100 port 65457, id=165, length=79
User-Name = "gnssra9"
User-Password = "\325\353\nI>\t\362\373\0240\351\333\177\352\313l"
NAS-Identifier = "8200-FL-R"
Calling-Station-Id = "172.20.148.80"
NAS-IP-Address = 10.253.82.100
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "gnssra9", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=gnssra9
[ntlm_auth] expand: --password=%{User-Password} -> --password=▒▒ I> ▒▒?0▒▒▒l
Child PID 29411 (/usr/bin/ntlm_auth) is taking too much time: forcing failure and killing child.
++[ntlm_auth] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> gnssra9
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 165 to 10.253.82.100 port 65457
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.253.82.100 port 65457, id=165, length=79
Sending duplicate reply to client 10.253.82.100 port 65457 - ID: 165
Sending Access-Reject of id 165 to 10.253.82.100 port 65457
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.253.82.100 port 65457, id=165, length=79
Sending duplicate reply to client 10.253.82.100 port 65457 - ID: 165
Sending Access-Reject of id 165 to 10.253.82.100 port 65457
Waking up in 4.9 seconds.
Cleaning up request 0 ID 165 with timestamp +51
Ready to process requests.
Thanks.
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+sahmad=darden.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Thursday, July 09, 2015 11:48 AM
To: FreeRadius users mailing list
Subject: Re: radtest works but Device Fails Authentication
On Jul 8, 2015, at 4:28 PM, Syed Rais Ahmad NON DRI <SAhmad at darden.com> wrote:
> I have the FreeRadius setup to use ntlm_auth for authentication. When I use radtest utility to test the setup, it returns Access-Accept. However, when I use the same credentials on a Juniper firewall, it gets Access-Reject with NT_STATUS_WRONG_PASSWORD: Wrong Password.
>
> Any idea what could be wrong? Apparently, the Juniper is changing the password when it's presenting it to freeRadius.
Run the server in debug mode as suggested in the FAQ, "man" page, web pages, and daily on this list.
Alan DeKok.