FreeRADIUS server is not recognizing updates from my users file
Aaron Dalla-Longa
aaron at shortgrass.ca
Fri Apr 12 19:55:38 CEST 2019
sorry, accidently sent that last email incomplete, anyway:
As far as troubleshooting, I have tried to start and stop the freeradius
server, as well as completely restart the server that this is located on
(ubuntu x64 18.04 LTS)
*Debug file 1 (Notice how it is authenticating with password 12345, an old
password) *
Ready to process requests
(0) Received Access-Request Id 43 from 192.168.0.251:43064 to
192.168.0.34:1812 length 205
(0) NAS-IP-Address = 192.168.0.251
(0) NAS-Port = 0
(0) NAS-Port-Type = Wireless-802.11
(0) User-Name = "testing"
(0) Service-Type = Login-User
(0) Calling-Station-Id = "0.0.0.0"
(0) Called-Station-Id = "000B86DC7500"
(0) MS-CHAP-Challenge = 0x72afbc5215acc3801eeaeb6a8028bf0a
(0) MS-CHAP2-Response =
0x0000c1a72376f832a9551a72d73845155c310000000000000000ce5037dbf4859d34dc9124eec53caef6cf8d72ccae7ccdc5
(0) Aruba-Location-Id = "N/A"
(0) Aruba-AP-Group = "N/A"
(0) NAS-Identifier = "aruba"
(0) Message-Authenticator = 0x8301ff3e6feee4afcf1d1b89a6b11802
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "testing", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry testing at line 223
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: Auth-Type already set. Not setting to PAP
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) mschap: Found Cleartext-Password, hashing to create NT-Password
(0) mschap: Found Cleartext-Password, hashing to create LM-Password
(0) mschap: Creating challenge hash with username: testing
(0) mschap: Client is using MS-CHAPv2
(0) mschap: Adding MS-CHAPv2 MPPE keys
(0) [mschap] = ok
(0) } # authenticate = ok
(0) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = noop
(0) Sent Access-Accept Id 43 from 192.168.0.34:1812 to 192.168.0.251:43064
length 0
(0) MS-CHAP2-Success =
0x00533d37463746344639363836363138424141333835374136383231454639463933423039363637443633
(0) MS-MPPE-Recv-Key = 0x470e62a64268cbb27fedeca0ec416bdf
(0) MS-MPPE-Send-Key = 0x773dbf8aba00cc631699463aa9db6f3e
(0) MS-MPPE-Encryption-Policy = Encryption-Allowed
(0) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 43 with timestamp +4
Ready to process requests
*Debug 2, using password 52345, gets rejected: *
Ready to process requests
(1) Received Access-Request Id 44 from 192.168.0.251:43064 to
192.168.0.34:1812 length 205
(1) NAS-IP-Address = 192.168.0.251
(1) NAS-Port = 0
(1) NAS-Port-Type = Wireless-802.11
(1) User-Name = "testing"
(1) Service-Type = Login-User
(1) Calling-Station-Id = "0.0.0.0"
(1) Called-Station-Id = "000B86DC7500"
(1) MS-CHAP-Challenge = 0x06dc76b4c9a101e7ff9799d66ce4689e
(1) MS-CHAP2-Response =
0x0000f8dbc20f2d288d874d88c4479566ac0d00000000000000002ac451293f31a0639a3409c825f328e2d1655e4fc5d3951d
(1) Aruba-Location-Id = "N/A"
(1) Aruba-AP-Group = "N/A"
(1) NAS-Identifier = "aruba"
(1) Message-Authenticator = 0x5c0fd3d522a5d7f3ed3977c68c402630
(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(1) [mschap] = ok
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "testing", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1) [eap] = noop
(1) files: users: Matched entry testing at line 223
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = ok
(1) Found Auth-Type = mschap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) authenticate {
(1) mschap: Found Cleartext-Password, hashing to create NT-Password
(1) mschap: Found Cleartext-Password, hashing to create LM-Password
(1) mschap: Creating challenge hash with username: testing
(1) mschap: Client is using MS-CHAPv2
(1) mschap: ERROR: MS-CHAP2-Response is incorrect
(1) [mschap] = reject
(1) } # authenticate = reject
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> testing
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 44 from 192.168.0.34:1812 to 192.168.0.251:43064
length 103
(1) MS-CHAP-Error = "\000E=691 R=1 C=91a925843c440ae78ba26a7744bd4a25 V=3
M=Authentication rejected"
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 44 with timestamp +168
Ready to process requests
On Fri, Apr 12, 2019 at 11:51 AM Aaron Dalla-Longa <aaron at shortgrass.ca>
wrote:
> for example, lines from my users file:
>
> testing Cleartext-Password := "52345"
> guestuser Cleartext-Password := "16109"
>
> Debug file 1 (Notice how it is authenticating with password 12345, an old
> password)
>
>
>
> --
> *Aaron Dalla-Longa*
> Systems Administrator
> Shortgrass Library System
> tf: 1.866.529.0550 | p: 403.529.0550
>
--
*Aaron Dalla-Longa*
Systems Administrator
Shortgrass Library System
tf: 1.866.529.0550 | p: 403.529.0550
More information about the Freeradius-Users
mailing list