Authorize section not getting called

Michael Sartain mikesart at fastmail.com
Fri Feb 2 06:27:04 CET 2018


On Thu, Feb 1, 2018, Nathan Ward wrote:
> Usual expectation is that you show a radius debug with the packets being 
> processed.
> The one you have pasted only shows the process starting up and config 
> being parsed and such. You’ve sort of included some of that debug under 
> (A) and (B) sections so you’ve definitely got it, but for some reason 
> you haven’t posted it. If you could post the whole thing, people can 
> likely help you more.

Apologies, the entire "radiusd -X" output from the radclient executions is below.

I get what's going on with everything except the part that I marked:

  ## Mike: where could this Login incorrect be coming from?

From what I can tell, group authorize was never called, so who/what/where is
nacking this username?

> Any reason you’re using 2.2.10 for what I presume is a new build? You 
> should use 3.0.16 if you can.

Unfortunately, this is the build that Synology is currently shipping:

https://www.synology.com/en-us/dsm/packages/RadiusServer

So it's the path of least resistance to get this older version working. If this
isn't possible, I'll look at running a newer version in a docker instance, but
that's a decent bit more work.

Thanks Nathan.
 -Mike

rad_recv: Access-Request packet from host 10.10.10.10 port 36379, id=65, length=48
        User-Name = "mikesart"
        User-Password = "password"
# Executing section authorize from file /usr/local/synoradius/rad_site_def_local
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "mikesart", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
rlm_unix: Find real name [mikesart] -> [mikesart]
++[unix] = updated
++[files] = noop
[smbpasswd] Added LM-Password: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' to config_items 
[smbpasswd] Added NT-Password: '8846F7EAEE8FB117AD06BDD830B7586C' to config_items 
[smbpasswd] Added SMB-Account-CTRL-TEXT: '[U          ]' to config_items 
++[smbpasswd] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing LM-Password from base64 encoding
[pap] Normalizing NT-Password from hex encoding
++[pap] = updated
+} # group authorize = updated
Found Auth-Type = PAP
# Executing group from file /usr/local/synoradius/rad_site_def_local
+group PAP {
[pap] login attempt with password "password"
[pap] Using CRYPT password "$6$tTVl/E3frQR2gIJl$RXuU9/AT0F2SLYRRbcJ.NeF5cOLBLL5u7uws7JIqMTMm.Ws7cIbiyPhit3.94TXEyOO4CSTXRrDiXeHELhZbN1"
[pap] User authenticated successfully
++[pap] = ok
+} # group PAP = ok
Login OK: [mikesart/password] (from client radiusclient port 0)
# Executing section post-auth from file /usr/local/synoradius/rad_site_def_local
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 65 to 10.10.10.10 port 36379
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 65 with timestamp +24
Ready to process requests.


rad_recv: Access-Request packet from host 10.10.10.10 port 51390, id=195, length=45
        User-Name = "alice"
        User-Password = "passme"
##
## Mike: where could this Login incorrect be coming from?
##
Login incorrect: Incorrect user name (input name [alice], full name [alice])
There was no response configured: rejecting request 2
Using Post-Auth-Type Reject
# Executing group from file /usr/local/synoradius/rad_site_def_local
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> alice
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 195 to 10.10.10.10 port 51390
Waking up in 4.9 seconds.
Cleaning up request 2 ID 195 with timestamp +55
Ready to process requests.
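
A way to check the observation in this post (request 2 is rejected with no authorize group in its trace) across a longer `radiusd -X` capture. This is an added example, not part of the original message or of FreeRADIUS; it relies only on the line formats visible in the debug output above, and `summarize` and its field names are hypothetical.

```python
import re

# Constructed sample: the two requests from the debug output above, condensed.
SAMPLE = """\
rad_recv: Access-Request packet from host 10.10.10.10 port 36379, id=65, length=48
        User-Name = "mikesart"
# Executing section authorize from file /usr/local/synoradius/rad_site_def_local
+group authorize {
+} # group authorize = updated
+group PAP {
+} # group PAP = ok
Login OK: [mikesart/password] (from client radiusclient port 0)
Sending Access-Accept of id 65 to 10.10.10.10 port 36379
rad_recv: Access-Request packet from host 10.10.10.10 port 51390, id=195, length=45
        User-Name = "alice"
Login incorrect: Incorrect user name (input name [alice], full name [alice])
+group REJECT {
+} # group REJECT = updated
Sending delayed reject for request 2
Sending Access-Reject of id 195 to 10.10.10.10 port 51390
"""

RECV = re.compile(r"^rad_recv: \S+ packet from host \S+ port \d+, id=(\d+)")
USER = re.compile(r'^\s+User-Name = "([^"]*)"')
GROUP = re.compile(r"^\+group (\S+) \{")
SENT = re.compile(r"^Sending (Access-\w+) of id (\d+)")

def summarize(debug_text):
    """One dict per received packet: id, user, groups run, login verdict, reply."""
    reqs, pending, cur = [], {}, None
    for line in debug_text.splitlines():
        if m := RECV.match(line):
            cur = {"id": int(m.group(1)), "user": None, "groups": [],
                   "login": None, "reply": None}
            reqs.append(cur)
            pending[cur["id"]] = cur
        elif cur is None:
            continue  # startup and config-parsing lines before the first packet
        elif m := USER.match(line):
            cur["user"] = m.group(1)
        elif m := GROUP.match(line):
            cur["groups"].append(m.group(1))  # assumes the line belongs to the latest packet
        elif line.startswith(("Login OK:", "Login incorrect:")):
            cur["login"] = line.split(":")[0]
        elif m := SENT.match(line):  # rejects are delayed, so pair replies by packet id
            pending.pop(int(m.group(2)), cur)["reply"] = m.group(1)
    for r in reqs:
        r["no_authorize_reject"] = r["reply"] == "Access-Reject" and "authorize" not in r["groups"]
    return reqs
```

Running `summarize` over a saved debug capture and filtering on `no_authorize_reject` lists every request that was rejected without an authorize group appearing in its trace.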


