Issue with authorisation on Dlink switch

Viacheslav Gubin gubin.vya4eslav at gmail.com
Tue Feb 2 19:33:04 CET 2016


Got stuck with a strange behaviour:

Listening on auth address 10.10.9.5 port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 36922
Listening on proxy address :: port 52073
Ready to process requests
(0) Received Access-Request Id 188 from 10.10.9.10:1044 to 10.10.9.5:1812 length 86
(0)   User-Name = "admin"
(0)   User-Password = "c\375'\364D\212\021\257.?\327\017\336\177W\212"
(0)   NAS-IP-Address = 10.10.9.10
(0)   NAS-Identifier = "Test"
(0)   NAS-Port-Type = Virtual
(0)   Service-Type = Framed-User
(0)   Framed-Protocol = PPP
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (!&User-Name) {
(0)       if (!&User-Name)  -> FALSE
(0)       if (&User-Name =~ / /) {
(0)       if (&User-Name =~ / /)  -> FALSE
(0)       if (&User-Name =~ /@.*@/ ) {
(0)       if (&User-Name =~ /@.*@/ )  -> FALSE
(0)       if (&User-Name =~ /\.\./ ) {
(0)       if (&User-Name =~ /\.\./ )  -> FALSE
(0)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)       if (&User-Name =~ /\.$/)  {
(0)       if (&User-Name =~ /\.$/)   -> FALSE
(0)       if (&User-Name =~ /@\./)  {
(0)       if (&User-Name =~ /@\./)   -> FALSE
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "admin", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [admin/c?'?D???.?????W?] (from client switch port 0)
(0) WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> admin
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 188 from 10.10.9.5:1812 to 10.10.9.10:1044 length 20
Waking up in 3.9 seconds.
Waking up in 8.9 seconds.
(0) Cleaning up request packet ID 188 with timestamp +48
Ready to process requests
(1) Received Access-Request Id 205 from 10.10.9.10:1045 to 10.10.9.5:1812 length 86
(1)   User-Name = "admin"
(1)   User-Password = "\365yo\274\206Oz\203\024/\350\256p\317\312\353"
(1)   NAS-IP-Address = 10.10.9.10
(1)   NAS-Identifier = "test"
(1)   NAS-Port-Type = Virtual
(1)   Service-Type = Framed-User
(1)   Framed-Protocol = PPP
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (!&User-Name) {
(1)       if (!&User-Name)  -> FALSE
(1)       if (&User-Name =~ / /) {
(1)       if (&User-Name =~ / /)  -> FALSE
(1)       if (&User-Name =~ /@.*@/ ) {
(1)       if (&User-Name =~ /@.*@/ )  -> FALSE
(1)       if (&User-Name =~ /\.\./ ) {
(1)       if (&User-Name =~ /\.\./ )  -> FALSE
(1)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)       if (&User-Name =~ /\.$/)  {
(1)       if (&User-Name =~ /\.$/)   -> FALSE
(1)       if (&User-Name =~ /@\./)  {
(1)       if (&User-Name =~ /@\./)   -> FALSE
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "admin", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1)     [eap] = noop
(1) files: users: Matched entry DEFAULT at line 181
(1)     [files] = ok
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password is available
(1)     [pap] = noop
(1)   } # authorize = ok
(1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(1) Failed to authenticate the user
(1) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [admin/?yo??Oz??/??p???] (from client switch port 0)
(1) WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)   Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject:    --> admin
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1)     [eap] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 205 from 10.10.9.5:1812 to 10.10.9.10:1045 length 20
Waking up in 3.9 seconds.
Waking up in 8.9 seconds.
(1) Cleaning up request packet ID 205 with timestamp +114
Ready to process requests.

Just a few lines make me confused: 

(1) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password is available

Here are some lines from config users:

user Cleartext-Password := "1234"
        Dlink-User-Level = 3


1) WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!

The secret is 100% correct on both sides..... it is really simple 123.....

Got very confused..

I have tried to play around the whole day 
but could not sort the issue out :(


