Help with Radius errors

Philip Bellino pbellino at
Fri May 15 15:10:59 CEST 2015

I changed the == to = for all entries in the users file and added the Begin-VENDOR and END-VENDOR in our dictionary.mrv file (thanks Herwin) and now it all performs perfectly.

Thanks for all your help.

-----Original Message-----
From: Philip Bellino
Sent: Friday, May 15, 2015 9:03 AM
To: 'FreeRadius users mailing list'
Subject: RE: Help with Radius errors

I sent it as an attachment.
I will include it here inline:

#  dictionary.mrv
# Version:$Id: dictionary.mrv,v 1.0 2002/11/12 15:44:38 nminka Exp $

VENDOR          MRV     33
ATTRIBUTE       MRV-Remote-Access-List       1 string MRV
ATTRIBUTE       MRV-Port-Access-List         2 string MRV
ATTRIBUTE       MRV-Outlet-Access-List       3 string MRV
ATTRIBUTE       MRV-Outlet-Group-Access-List 4 string MRV
ATTRIBUTE       MRV-Login-Mode               5 string MRV
ATTRIBUTE       MRV-Menu-Name                6 string MRV
ATTRIBUTE       MRV-Web-Menu-Name            7 string MRV
ATTRIBUTE     MRV-Security-Level           8 string MRV
ATTRIBUTE     MRV-User-Prompt              9 string MRV
ATTRIBUTE     MRV-Command-Logging         10 string MRV
ATTRIBUTE     MRV-Audit-Logging           11 string MRV
ATTRIBUTE     MRV-Web-Login-Mode          12 string MRV
ATTRIBUTE     MRV-Connect-Escape-Char     13 string MRV
ATTRIBUTE       MRV-Port-ReadOnly-List      14 string MRV
ATTRIBUTE      MRV-Acct-Command-Log       100 string MRV
ATTRIBUTE    MRV-Acct-Audit-Log         101 string MRV

-----Original Message-----
From: Philip Bellino
Sent: Friday, May 15, 2015 8:50 AM
To: 'FreeRadius users mailing list'
Subject: RE: Help with Radius errors

I attached an edited  dictionary.mrv by mistake. I attached our original one for you here.
My apologies.

-----Original Message-----
From: Philip Bellino
Sent: Friday, May 15, 2015 6:08 AM
To: FreeRadius users mailing list
Subject: RE: Help with Radius errors

Your points are well taken. Thank you.
We commented out using including our dictionary.mrv file (attached) in dictionary and references to our attributes in the users file and now Radius authentication succeeds.

Here is an entry in the users file that used our attributes successfully in freeradius 2.1.1

# MRV Vender Specific Testing
zeusCleartext-Password := "dog"
Service-Type == NAS-Prompt-User,
Idle-Timeout == 60,
MRV-Login-Mode == "cli",
MRV-Security-Level == "outlet shell",
MRV-Command-Logging == "syslog",
MRV-Audit-Logging == "syslog",
MRV-User-Prompt == "zeus",
MRV-Menu-Name == "/config/M_demo_menu",
MRV-Web-Menu-Name == "/config/M_demo_menu",
MRV-Port-Access-List == "2 4",
MRV-Remote-Access-List == "telnet",
MRV-Outlet-Access-List == "3:1 4:1",
MRV-Outlet-Group-Access-List == "2"

If you can point me in the right direction with regards to what I need to change to use our dictionary attributes, I would appreciate it.
Thanks again,

-----Original Message-----
From: Freeradius-Users [ at] On Behalf Of Alan DeKok
Sent: Thursday, May 14, 2015 4:02 PM
To: FreeRadius users mailing list
Subject: Re: Help with Radius errors

On May 14, 2015, at 3:40 PM, Philip Bellino <pbellino at> wrote:
> Due to a hard disk crash we had to replace our radius server PC. Our
> newer PC is running Fedora Core 21. We then downloaded the FreeRadius
> 3.0.8 tar.gz file, built and installed it.  We now cannot get past the following errors (in bold below).
> We have tried reconfiguring the shared secret as suggested, on the
> server (editing the clients.conf file and retyping the secret) and the client side but still get these errors.

  I think you've broken something.

> In the 2.1.1 version, the only files we changed were "radiusd.conf", "clients.conf" and "users" and added our own dictionary file.
> So for 3.0.8, we followed suit.

  What did you put into the dictionary file?
> Ready to process requests
> (0) Received Access-Request Id 24 from to length 68
> (0)   MRV-Remote-Access-List = 'gina'
> (0)   MRV-Outlet-Group-Access-List = ' ???'
> (0)   MRV-Login-Mode = '
> (0)   NAS-Port-Type = Virtual
> (0)   MRV-Port-Access-List = '^????D???a????S?'
> (0)   MRV-Menu-Name = '

  What are those attributes?  They are NOT standard RADIUS attributes.  There is no User-Name in the packet, which is typically required.  There is no User-Password in the packet, which is also typically required.

> (0) WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!

  That message is printed ONLY if there's a User-Password in the attribute.

  So.. .you've done something, and broken the server.  The short answer is "don't do that".

  Go back to the default configuration.  i.e. back out ALL of your local changes.  Check that you can get users authenticated, by adding a Cleartext-Password for that user.  Check that it works with radtest.  Then, make another change.

  You've fallen into the trap of "make 100 changes, and then something doesn't work".  You'll never get it debugged doing that.

  Make ONE change.  Test it.  Make ANOTHER change.  Test it.  This is all documented in "man radiusd".

  And post your dictionary here.  Odds are it poaches on the standard space, and breaks all of RADIUS.

  Alan DeKok.

List info/subscribe/unsubscribe? See

MRV Communications is a global supplier of packet and optical solutions that power the world’s largest networks. Our products combine innovative hardware with intelligent software to make networks smarter, faster and more efficient.

The contents of this message, together with any attachments, are intended only for the use of the person(s) to whom they are addressed and may contain confidential and/or privileged information. If you are not the intended recipient, immediately advise the sender, delete this message and any attachments and note that any distribution, or copying of this message, or any attachment, is prohibited.

More information about the Freeradius-Users mailing list