ERROR: pap : Cleartext password does not match "known good" password

orion doty orion.doty at gmail.com
Wed May 11 13:18:18 CEST 2016


Wow, late night, glad some of our brains are still functioning, thanks!

On Wed, May 11, 2016 at 4:53 AM, aquilinux <aquilinux at gmail.com> wrote:

> > User-Password = '20c9d081bcc3'
> [...]
> > | 55 | 20C9D081BCC3 | Cleartext-Password | := | 20C9D081BCC3      |
>
> they do not match...
>
> On Wed, May 11, 2016 at 12:42 PM, orion doty <orion.doty at gmail.com> wrote:
>
> > I don't understand what is happening to the password as I can see it
> > correctly in the access request.   I also would have expected to see the
> > password on this line just before the error:
> >
> >
> > (0)  Auth-Type PAP {
> >
> > (0)  pap : Login attempt with password [SHOULDN'T THE PASSWORD BE HERE???
> > IT IS NOT]
> >
> >
> >
> > Here is the full output (minus the IP addresses):
> >
> > Received Access-Request Id 8 from X:18852 to X:1812 length 107
> >
> > User-Name = '20c9d081bcc3'
> >
> > User-Password = '20c9d081bcc3'
> >
> > NAS-Identifier = '58-B6-33-1A-7D-20'
> >
> > NAS-IP-Address = X
> >
> > Service-Type = Login-User
> >
> > NAS-Port-Type = Wireless-802.11
> >
> > Message-Authenticator = 0xafa4b69194ca031fd61fa4c300b0198c
> >
> > (0) Received Access-Request packet from host X port 18852, id=8,
> length=107
> >
> > (0) User-Name = '20c9d081bcc3'
> >
> > (0) User-Password = '20c9d081bcc3'
> >
> > (0) NAS-Identifier = '58-B6-33-1A-7D-20'
> >
> > (0) NAS-IP-Address = X
> >
> > (0) Service-Type = Login-User
> >
> > (0) NAS-Port-Type = Wireless-802.11
> >
> > (0) Message-Authenticator = 0xafa4b69194ca031fd61fa4c300b0198c
> >
> > (0) # Executing section authorize from file
> > /etc/raddb/sites-enabled/default
> >
> > (0)   authorize {
> >
> > (0)   filter_username filter_username {
> >
> > (0)     if (!&User-Name)
> >
> > (0)     if (!&User-Name)  -> FALSE
> >
> > (0)     if (&User-Name =~ / /)
> >
> > (0)     if (&User-Name =~ / /)  -> FALSE
> >
> > (0)     if (&User-Name =~ /@.*@/ )
> >
> > (0)     if (&User-Name =~ /@.*@/ )  -> FALSE
> >
> > (0)     if (&User-Name =~ /\\.\\./ )
> >
> > (0)     if (&User-Name =~ /\\.\\./ )  -> FALSE
> >
> > (0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> >
> > (0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
> > FALSE
> >
> > (0)     if (&User-Name =~ /\\.$/)
> >
> > (0)     if (&User-Name =~ /\\.$/)   -> FALSE
> >
> > (0)     if (&User-Name =~ /@\\./)
> >
> > (0)     if (&User-Name =~ /@\\./)   -> FALSE
> >
> > (0)   } # filter_username filter_username = notfound
> >
> > (0)   [preprocess] = ok
> >
> > (0)  sql : EXPAND %{User-Name}
> >
> > (0)  sql :    --> 20c9d081bcc3
> >
> > (0)  sql : SQL-User-Name set to '20c9d081bcc3'
> >
> > rlm_sql (sql): Reserved connection (4)
> >
> > (0)  sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck
> > WHERE username = '%{SQL-User-Name}' ORDER BY id
> >
> > (0)  sql :    --> SELECT id, username, attribute, value, op FROM radcheck
> > WHERE username = '20c9d081bcc3' ORDER BY id
> >
> > rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value,
> op
> > FROM radcheck WHERE username = '20c9d081bcc3' ORDER BY id'
> >
> > (0)  sql : User found in radcheck table
> >
> > (0)  sql : Check items matched
> >
> > (0)  sql : EXPAND SELECT id, username, attribute, value, op FROM radreply
> > WHERE username = '%{SQL-User-Name}' ORDER BY id
> >
> > (0)  sql :    --> SELECT id, username, attribute, value, op FROM radreply
> > WHERE username = '20c9d081bcc3' ORDER BY id
> >
> > rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value,
> op
> > FROM radreply WHERE username = '20c9d081bcc3' ORDER BY id'
> >
> > (0)  sql : User found in radreply table
> >
> > (0)  sql : EXPAND SELECT groupname FROM radusergroup WHERE username =
> > '%{SQL-User-Name}' ORDER BY priority
> >
> > (0)  sql :    --> SELECT groupname FROM radusergroup WHERE username =
> > '20c9d081bcc3' ORDER BY priority
> >
> > rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE
> > username = '20c9d081bcc3' ORDER BY priority'
> >
> > (0)  sql : User not found in any groups
> >
> > rlm_sql (sql): Released connection (4)
> >
> > (0)   [sql] = ok
> >
> > (0)    if (notfound)
> >
> > (0)    if (notfound)  -> FALSE
> >
> > (0)  expiration : Account will expire at 'May 12 2016 13:00:00 UTC'
> >
> > (0)   [expiration] = ok
> >
> > (0)    if (userlock)
> >
> > (0)    if (userlock)  -> FALSE
> >
> > (0)   [logintime] = noop
> >
> > (0)   [pap] = updated
> >
> > (0)  } #  authorize = updated
> >
> > (0) Found Auth-Type = PAP
> >
> > (0) # Executing group from file /etc/raddb/sites-enabled/default
> >
> > (0)  Auth-Type PAP {
> >
> > (0)  pap : Login attempt with password
> >
> > *(0)  ERROR: pap : Cleartext password does not match "known good"
> password*
> >
> > (0)  pap : Passwords don't match
> >
> > (0)   [pap] = reject
> >
> > (0)  } # Auth-Type PAP = reject
> >
> > (0) Failed to authenticate the user
> >
> > (0) Using Post-Auth-Type Reject
> >
> > (0) # Executing group from file /etc/raddb/sites-enabled/default
> >
> > (0)  Post-Auth-Type REJECT {
> >
> > (0)  attr_filter.access_reject : EXPAND %{User-Name}
> >
> > (0)  attr_filter.access_reject :    --> 20c9d081bcc3
> >
> > (0)  attr_filter.access_reject : Matched entry DEFAULT at line 11
> >
> > (0)   [attr_filter.access_reject] = updated
> >
> > (0)  } # Post-Auth-Type REJECT = updated
> >
> > (0) Delaying response for 1 seconds
> >
> > Waking up in 0.3 seconds.
> >
> > Waking up in 0.6 seconds.
> >
> > (0) Sending delayed response
> >
> > Waking up in 3.9 seconds.
> >
> > (0) Cleaning up request packet ID 8 with timestamp +6
> >
> >
> > of note:  records in the mysql radcheck table related to the user
> >
> >
> > | 54 | 20C9D081BCC3 | Expiration         | := | 12 May 2016 13:00 |
> >
> > | 55 | 20C9D081BCC3 | Cleartext-Password | := | 20C9D081BCC3      |
> >
> > | 56 | 20C9D081BCC3 | Site-Id            | := | LAB               |
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
>
>
>
> --
> "Madness, like small fish, runs in hosts, in vast numbers of instances."
>
> No one combs my hair as well as the wind.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
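
Added example, not part of the original messages and not FreeRADIUS code: it replays the lookup and the PAP comparison from the debug output above to show why "User found in radcheck table" and "Passwords don't match" can both hold for the same row. The in-memory SQLite table with a NOCASE username column is an assumption standing in for a MySQL radcheck table with a case-insensitive collation, which is consistent with the lowercase User-Name matching the uppercase row; build_radcheck and diagnose are hypothetical helper names.

```python
import hmac
import sqlite3

# Rows copied from the radcheck listing quoted in the thread.
RADCHECK_ROWS = [
    (54, "20C9D081BCC3", "Expiration", ":=", "12 May 2016 13:00"),
    (55, "20C9D081BCC3", "Cleartext-Password", ":=", "20C9D081BCC3"),
    (56, "20C9D081BCC3", "Site-Id", ":=", "LAB"),
]


def build_radcheck():
    """In-memory stand-in for the MySQL radcheck table (assumption: the
    username column uses a case-insensitive collation)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radcheck (id INTEGER, username TEXT COLLATE NOCASE,"
        " attribute TEXT, op TEXT, value TEXT)"
    )
    db.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?, ?)", RADCHECK_ROWS)
    return db


def diagnose(db, user_name, user_password):
    """Return 'notfound', 'match', 'case-mismatch' or 'mismatch'."""
    row = db.execute(
        "SELECT value FROM radcheck WHERE username = ?"
        " AND attribute = 'Cleartext-Password' ORDER BY id",
        (user_name,),
    ).fetchone()
    if row is None:
        return "notfound"
    known_good = row[0].encode()
    supplied = user_password.encode()
    # The PAP check compares the two passwords byte for byte, so case matters
    # here even though it did not matter for the username lookup.
    if hmac.compare_digest(supplied, known_good):
        return "match"
    if hmac.compare_digest(supplied.lower(), known_good.lower()):
        return "case-mismatch"
    return "mismatch"


if __name__ == "__main__":
    # User-Name and User-Password from the Access-Request in the debug output.
    print(diagnose(build_radcheck(), "20c9d081bcc3", "20c9d081bcc3"))
```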

