radtest OK ssh NOK

Joaquin Alzola Joaquin.Alzola at lebara.com
Tue May 24 03:19:09 CEST 2016


HI Guys

Doing an integration on te freeradiuos 3.0.11 into a OpenSuse Linux.
I got a successful on radtest.
testbedocg:/usr/local/etc/raddb/sites-enabled # radtest dop "dop" 172.16.173.31 1812 Lebara321
Sent Access-Request Id 212 from 0.0.0.0:56392 to 172.16.173.31:1812 length 73
        User-Name = "dop"
        User-Password = "dop"
        NAS-IP-Address = 192.168.23.31
        NAS-Port = 1812
        Message-Authenticator = 0x00
        Cleartext-Password = "dop"
Received Access-Accept Id 212 from 172.16.173.31:1812 to 0.0.0.0:0 length 26
        Session-Timeout = 86101
testbedocg:/usr/local/etc/raddb/sites-enabled #
client 172.16 {
    ipaddr = 172.16.0.0/16
    secret = Lebara321
    nas_type = other
}

But not successful on ssh. It clearly says that the passwords do not match but checking in SQL I have this line:
+----+----------+--------------------+----+------------------------------------+
| id | username | attribute          | op | value                              |
+----+----------+--------------------+----+------------------------------------+
| 42 | dop      | Max-All-Session    | := | 1464051644                         |
| 41 | dop      | Cleartext-Password | := | dop                                |

(4) Received Access-Request Id 3 from 172.16.173.31:52494 to 172.16.173.31:1812 length 84
(4)   User-Name = "dop"
(4)   User-Password = "\010\n\r\177INCORRECT"
(4)   NAS-IP-Address = 192.168.23.31
(4)   NAS-Identifier = "sshd"
(4)   NAS-Port = 92450
(4)   NAS-Port-Type = Virtual
(4)   Service-Type = Authenticate-Only
(4)   Calling-Station-Id = "127.0.0.1"
(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "dop", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: No EAP-Message, not doing EAP
(4)     [eap] = noop
(4)     [files] = noop
(4) sql: EXPAND %{User-Name}
(4) sql:    --> dop
(4) sql: SQL-User-Name set to 'dop'
rlm_sql (sql): Reserved connection (8)
(4) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(4) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dop' ORDER BY id
(4) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dop' ORDER BY id
(4) sql: User found in radcheck table
(4) sql: Conditional check items matched, merging assignment check items
(4) sql:   Cleartext-Password := "dop"
(4) sql:   Max-All-Session := 1464051644
(4) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(4) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dop' ORDER BY id
(4) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dop' ORDER BY id
(4) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(4) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'dop' ORDER BY priority
(4) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'dop' ORDER BY priority
(4) sql: User not found in any groups
rlm_sql (sql): Released connection (8)
rlm_sql (sql): Need 1 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (10), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.0.67, protocol version 10
(4)     [sql] = ok
sqlcounter_expand: 'select UNIX_TIMESTAMP(sysdate()) - value    from raduser_connection_time where username='%{User-Name}';'
(4) expired_Xh: EXPAND %{User-Name}
(4) expired_Xh:    --> dop
(4) expired_Xh: SQL-User-Name set to 'dop'
rlm_sql (sql): Reserved connection (9)
(4) expired_Xh: Executing select query: select UNIX_TIMESTAMP(sysdate()) - value        from raduser_connection_time where username='dop';
rlm_sql (sql): Released connection (9)
(4) expired_Xh: EXPAND %{sql:select UNIX_TIMESTAMP(sysdate()) - value   from raduser_connection_time where username='%{User-Name}';}
(4) expired_Xh:    --> 1463966096
(4) expired_Xh: Allowing user, &control:Max-All-Session value (1464051644) is greater than counter value (1463966096)
(4) expired_Xh: Setting &reply:Session-Timeout value to 85548
(4)     [expired_Xh] = ok
(4)     [expiration] = noop
(4)     [logintime] = noop
(4)     [pap] = updated
(4)   } # authorize = updated
(4) Found Auth-Type = PAP
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4)   Auth-Type PAP {
(4) pap: Login attempt with password
(4) pap: Comparing with "known good" Cleartext-Password
(4) pap: ERROR: Cleartext password "dop" does not match "known good" password
(4) pap: Passwords don't match
(4)     [pap] = reject
(4)   } # Auth-Type PAP = reject
(4) Failed to authenticate the user
(4) WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
(4) Using Post-Auth-Type Reject
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4)   Post-Auth-Type REJECT {
(4) sql: EXPAND .query
(4) sql:    --> .query
(4) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (8)
(4) sql: EXPAND %{User-Name}
(4) sql:    --> dop
(4) sql: SQL-User-Name set to 'dop'
(4) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(4) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dop', '=3D08=5Cn=3D0D=3D7FINCORRECT', 'Access-Reject', '2016-05-24 02:14:56')
(4) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dop', '=3D08=5Cn=3D0D=3D7FINCORRECT', 'Access-Reject', '2016-05-24 02:14:56')
(4) sql: SQL query returned: success
(4) sql: 1 record(s) updated
rlm_sql (sql): Released connection (8)
(4)     [sql] = ok
(4) attr_filter.access_reject: EXPAND %{User-Name}
(4) attr_filter.access_reject:    --> dop
(4) attr_filter.access_reject: Matched entry DEFAULT at line 11
(4)     [attr_filter.access_reject] = updated
(4)     [eap] = noop
(4)     policy remove_reply_message_if_eap {
(4)       if (&reply:EAP-Message && &reply:Reply-Message) {
(4)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(4)       else {
(4)         [noop] = noop
(4)       } # else = noop
(4)     } # policy remove_reply_message_if_eap = noop
(4)   } # Post-Auth-Type REJECT = updated
(4) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(5) Received Access-Request Id 39 from 127.0.0.1:52494 to 127.0.0.1:1812 length 84
(5)   User-Name = "dop"
(5)   User-Password = "\010\n\r\177INCORRECT"
(5)   NAS-IP-Address = 192.168.23.31
(5)   NAS-Identifier = "sshd"
(5)   NAS-Port = 92450
(5)   NAS-Port-Type = Virtual
(5)   Service-Type = Authenticate-Only
(5)   Calling-Station-Id = "127.0.0.1"
(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "dop", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: No EAP-Message, not doing EAP
(5)     [eap] = noop
(5)     [files] = noop
(5) sql: EXPAND %{User-Name}
(5) sql:    --> dop
(5) sql: SQL-User-Name set to 'dop'
rlm_sql (sql): Reserved connection (10)
(5) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(5) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dop' ORDER BY id
(5) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dop' ORDER BY id
(5) sql: User found in radcheck table
(5) sql: Conditional check items matched, merging assignment check items
(5) sql:   Cleartext-Password := "dop"
(5) sql:   Max-All-Session := 1464051644
(5) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(5) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dop' ORDER BY id
(5) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dop' ORDER BY id
(5) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(5) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'dop' ORDER BY priority
(5) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'dop' ORDER BY priority
(5) sql: User not found in any groups
rlm_sql (sql): Released connection (10)
(5)     [sql] = ok
sqlcounter_expand: 'select UNIX_TIMESTAMP(sysdate()) - value    from raduser_connection_time where username='%{User-Name}';'
(5) expired_Xh: EXPAND %{User-Name}
(5) expired_Xh:    --> dop
(5) expired_Xh: SQL-User-Name set to 'dop'
rlm_sql (sql): Reserved connection (9)
(5) expired_Xh: Executing select query: select UNIX_TIMESTAMP(sysdate()) - value        from raduser_connection_time where username='dop';
rlm_sql (sql): Released connection (9)
(5) expired_Xh: EXPAND %{sql:select UNIX_TIMESTAMP(sysdate()) - value   from raduser_connection_time where username='%{User-Name}';}
(5) expired_Xh:    --> 1463966097
(5) expired_Xh: Allowing user, &control:Max-All-Session value (1464051644) is greater than counter value (1463966097)
(5) expired_Xh: Setting &reply:Session-Timeout value to 85547
(5)     [expired_Xh] = ok
(5)     [expiration] = noop
(5)     [logintime] = noop
(5)     [pap] = updated
(5)   } # authorize = updated
(5) Found Auth-Type = PAP
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(5)   Auth-Type PAP {
(5) pap: Login attempt with password
(5) pap: Comparing with "known good" Cleartext-Password
(5) pap: ERROR: Cleartext password "dop" does not match "known good" password
(5) pap: Passwords don't match
(5)     [pap] = reject
(5)   } # Auth-Type PAP = reject
(5) Failed to authenticate the user
(5) WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(5)   Post-Auth-Type REJECT {
(5) sql: EXPAND .query
(5) sql:    --> .query
(5) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (8)
(5) sql: EXPAND %{User-Name}
(5) sql:    --> dop
(5) sql: SQL-User-Name set to 'dop'
(5) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(5) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dop', '=3D08=5Cn=3D0D=3D7FINCORRECT', 'Access-Reject', '2016-05-24 02:14:57')
(5) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dop', '=3D08=5Cn=3D0D=3D7FINCORRECT', 'Access-Reject', '2016-05-24 02:14:57')
(5) sql: SQL query returned: success
(5) sql: 1 record(s) updated
rlm_sql (sql): Released connection (8)
(5)     [sql] = ok
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject:    --> dop
(5) attr_filter.access_reject: Matched entry DEFAULT at line 11
(5)     [attr_filter.access_reject] = updated
(5)     [eap] = noop
(5)     policy remove_reply_message_if_eap {
(5)       if (&reply:EAP-Message && &reply:Reply-Message) {
(5)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(5)       else {
(5)         [noop] = noop
(5)       } # else = noop
(5)     } # policy remove_reply_message_if_eap = noop
(5)   } # Post-Auth-Type REJECT = updated
(5) Delaying response for 1.000000 seconds
(4) Sending delayed response
(4) Sent Access-Reject Id 3 from 172.16.173.31:1812 to 172.16.173.31:52494 length 20
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(5) Sending delayed response
(5) Sent Access-Reject Id 39 from 127.0.0.1:1812 to 127.0.0.1:52494 length 20
Waking up in 3.0 seconds.
(4) Cleaning up request packet ID 3 with timestamp +169
Waking up in 0.9 seconds.
(5) Cleaning up request packet ID 39 with timestamp +170
Ready to process requests



This email is confidential and may be subject to privilege. If you are not the intended recipient, please do not copy or disclose its content but contact the sender immediately upon receipt.


More information about the Freeradius-Users mailing list