local user file authentication does not work

Seiichirou Hiraoka seiichirou.hiraoka at gmail.com
Tue Jan 24 05:16:14 CET 2017


Hello.

In an environment with CentOS 7.3 and FreeRADIUS 3.0.4, the local users file
(/etc/raddb/mods-config/files/authorize) cannot authenticate.

It is set to authenticate with mschap using inner-tunnel,
and I confirmed that authentication succeeds with the
following command.
(username@eduroam.test.edu is a user on the AD server)

# radtest -t mschap username@eduroam.test.edu test 127.0.0.1:1812 0 testing123
Received Access-Accept Id 32 from 127.0.0.1:1812 to 127.0.0.1:42901 length 84

Next, to monitor the service, I added the following entry to the local users file.

radtest@eduroam.test.edu Cleartext-Password := "test"

Running radtest in this state will fail.

# radtest radtest@eduroam.test.edu test 127.0.0.1:1812 0 testing123
Received Access-Reject Id 79 from 127.0.0.1:1812 to 127.0.0.1:55380 length 20

Looking at the log (/var/log/radius/radius.log),
files seems to be noop and is not recognized.

(0) [suffix] = ok
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop      <- This is wrong????
(0) [expiration] = noop
(0) [logintime] = noop
(0) WARNING: pap: No "known good" password found for the user. Not
setting Auth-Type
(0) WARNING: pap: Authentication will fail unless a "known good"
password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Login incorrect (No Auth-Type found: rejecting the user via
Post-Auth-Type = Reject): [radtest@eduroam.test.edu/test] (from client
localhost port 0)

Please tell me how to do RADIUS authentication with the local users file
for service monitoring.

The differences in the configuration files are as follows.

- /etc/raddb/sites-available/inner-tunnel
# diff -ruN inner-tunnel.ORG inner-tunnel
--- inner-tunnel.ORG 2015-03-06 08: 41: 49.000000000 + 0900
+++ inner-tunnel 2016 - 11 - 04 13: 45: 27.316287839 +0900
@@ -100, 9 + 100, 9 @ @
        # If you want the inner tunnel request to be proxied, delete
        # The next few lines.
        #
- update control {
- Proxy - To - Realm: = LOCAL
-}
+ # Update control {
+ # Proxy-To-Realm: = LOCAL
+ #}

        #
        # This module takes care of EAP-MSCHAPv2 authentication.
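Review bot: commenting out the `update control` block that sets Proxy-To-Realm to LOCAL removes the only visible guard that keeps inner-tunnel requests on this server, and the context comment just above it says that deleting these lines is what allows the inner request to be proxied. With the proxy.conf shown in the same message, any inner identity that does not match the eduroam.test.edu realm would then follow the DEFAULT realm to the `server` pool. If the aim is only to authenticate eduroam.test.edu users locally, keep the block; if proxying inner requests is intended, replace the commented-out lines with a short comment saying why, so the next reader does not restore them by accident.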
@@ -210,6 + 210, @ @ @
        # Pluggable Authentication Modules.
 # Pam

+ Ntlm_auth
+
        # Uncomment it if you want to use ldap for authentication
        #
        # Note that this means "check plain-text password against
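Review bot: the added `Ntlm_auth` line sits bare next to the commented-out `pam` entry with no comment on which requests are meant to reach it, and nothing in the visible diff sets an Auth-Type that would select it. Add a one-line comment above it stating its purpose (for example, which password checks are delegated to AD), and confirm the name matches the module instance exactly, since it appears here with a capital N. The hunk header above is also malformed (`+ 210, @ @ @` has no line count), so the patch cannot be applied as posted.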


- /etc/raddb/proxy.conf
realm "~^eduroam\.test\.edu$" {
        authhost = LOCAL
        accthost = LOCAL
}

home_server server1 {
        ....
}

home_server server2 {
        ....
}

home_server_pool server {
        type = fail-over
        home_server = server1
        home_server = server2
}

realm DEFAULT {
        pool = server
        nostrip
}

Best regards!
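
A small triage script for the debug output quoted above, as an added example that is not part of the original post: it groups lines by request number, records each module's return code, and lists the conditions that ended in Access-Reject. The sample log is constructed from the excerpt in the post, and the function names are this example's own.

```python
import re

# Constructed sample: debug lines taken from the log excerpt in the post above.
SAMPLE_LOG = """\
(0) [suffix] = ok
(0) [eap] = noop
(0) [files] = noop
(0) [expiration] = noop
(0) WARNING: pap: No "known good" password found for the user. Not setting Auth-Type
(0) [pap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
"""

MODULE_RC = re.compile(r"^\((\d+)\)\s+\[(\w+)\]\s*=\s*(\w+)")
FLAGS = {  # request-level conditions worth surfacing
    "no_password": re.compile(r'^\((\d+)\)\s+WARNING: pap: No "known good" password'),
    "no_auth_type": re.compile(r"^\((\d+)\)\s+ERROR: No Auth-Type found"),
}

def triage(log_text):
    """Group debug lines by request number: module return codes plus flags."""
    requests = {}
    def entry(number):
        return requests.setdefault(int(number), {"modules": {}, "flags": set()})
    for line in log_text.splitlines():
        m = MODULE_RC.match(line)
        if m:
            entry(m.group(1))["modules"][m.group(2)] = m.group(3)
            continue
        for name, pattern in FLAGS.items():
            m = pattern.match(line)
            if m:
                entry(m.group(1))["flags"].add(name)
    return requests

def findings(req):
    """Explain, in order, why a request ended in Access-Reject."""
    checks = [
        (req["modules"].get("files") == "noop", "files matched no entry"),
        ("no_password" in req["flags"], "pap had no reference password"),
        ("no_auth_type" in req["flags"], "no Auth-Type set, request rejected"),
    ]
    return [text for hit, text in checks if hit]

if __name__ == "__main__":
    for number, req in triage(SAMPLE_LOG).items():
        print(number, req["modules"], findings(req))
```

Run against the full radius.log, it shows for each request whether the users file lookup missed before pap ran, which is the sequence visible in the excerpt.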

