FreeRADIUS server is not recognizing updates from my users file

Aaron Dalla-Longa aaron at shortgrass.ca
Fri Apr 12 19:57:11 CEST 2019


Yes Alex, sorry, accidently hit send too early. I have tried to restart the
service but it seems it will not grab the new file, and keeps reading an
'old version' of it for some reason. Is there a different command I can use
in order to try to force it to grab the updated file?

On Fri, Apr 12, 2019 at 11:55 AM Aaron Dalla-Longa <aaron at shortgrass.ca>
wrote:

> sorry, accidently sent that last email incomplete, anyway:
>
> As far as troubleshooting, I have tried to start and stop the freeradius
> server, as well as completely restart the server that this is located on
> (ubuntu x64 18.04 LTS)
>
>
> *Debug file 1 (Notice how it is authenticating with password 12345, an old
> password)  *
>
> Ready to process requests
> (0) Received Access-Request Id 43 from 192.168.0.251:43064 to
> 192.168.0.34:1812 length 205
> (0)   NAS-IP-Address = 192.168.0.251
> (0)   NAS-Port = 0
> (0)   NAS-Port-Type = Wireless-802.11
> (0)   User-Name = "testing"
> (0)   Service-Type = Login-User
> (0)   Calling-Station-Id = "0.0.0.0"
> (0)   Called-Station-Id = "000B86DC7500"
> (0)   MS-CHAP-Challenge = 0x72afbc5215acc3801eeaeb6a8028bf0a
> (0)   MS-CHAP2-Response =
> 0x0000c1a72376f832a9551a72d73845155c310000000000000000ce5037dbf4859d34dc9124eec53caef6cf8d72ccae7ccdc5
> (0)   Aruba-Location-Id = "N/A"
> (0)   Aruba-AP-Group = "N/A"
> (0)   NAS-Identifier = "aruba"
> (0)   Message-Authenticator = 0x8301ff3e6feee4afcf1d1b89a6b11802
> (0) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (0)   authorize {
> (0)     policy filter_username {
> (0)       if (&User-Name) {
> (0)       if (&User-Name)  -> TRUE
> (0)       if (&User-Name)  {
> (0)         if (&User-Name =~ / /) {
> (0)         if (&User-Name =~ / /)  -> FALSE
> (0)         if (&User-Name =~ /@[^@]*@/ ) {
> (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (0)         if (&User-Name =~ /\.\./ ) {
> (0)         if (&User-Name =~ /\.\./ )  -> FALSE
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>  -> FALSE
> (0)         if (&User-Name =~ /\.$/)  {
> (0)         if (&User-Name =~ /\.$/)   -> FALSE
> (0)         if (&User-Name =~ /@\./)  {
> (0)         if (&User-Name =~ /@\./)   -> FALSE
> (0)       } # if (&User-Name)  = notfound
> (0)     } # policy filter_username = notfound
> (0)     [preprocess] = ok
> (0)     [chap] = noop
> (0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> (0)     [mschap] = ok
> (0)     [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "testing", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0)     [suffix] = noop
> (0) eap: No EAP-Message, not doing EAP
> (0)     [eap] = noop
> (0) files: users: Matched entry testing at line 223
> (0)     [files] = ok
> (0)     [expiration] = noop
> (0)     [logintime] = noop
> (0) pap: WARNING: Auth-Type already set.  Not setting to PAP
> (0)     [pap] = noop
> (0)   } # authorize = ok
> (0) Found Auth-Type = mschap
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0)   authenticate {
> (0) mschap: Found Cleartext-Password, hashing to create NT-Password
> (0) mschap: Found Cleartext-Password, hashing to create LM-Password
> (0) mschap: Creating challenge hash with username: testing
> (0) mschap: Client is using MS-CHAPv2
> (0) mschap: Adding MS-CHAPv2 MPPE keys
> (0)     [mschap] = ok
> (0)   } # authenticate = ok
> (0) # Executing section post-auth from file
> /etc/freeradius/3.0/sites-enabled/default
> (0)   post-auth {
> (0)     update {
> (0)       No attributes updated
> (0)     } # update = noop
> (0)     [exec] = noop
> (0)     policy remove_reply_message_if_eap {
> (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (0)       else {
> (0)         [noop] = noop
> (0)       } # else = noop
> (0)     } # policy remove_reply_message_if_eap = noop
> (0)   } # post-auth = noop
> (0) Sent Access-Accept Id 43 from 192.168.0.34:1812 to 192.168.0.251:43064
> length 0
> (0)   MS-CHAP2-Success =
> 0x00533d37463746344639363836363138424141333835374136383231454639463933423039363637443633
> (0)   MS-MPPE-Recv-Key = 0x470e62a64268cbb27fedeca0ec416bdf
> (0)   MS-MPPE-Send-Key = 0x773dbf8aba00cc631699463aa9db6f3e
> (0)   MS-MPPE-Encryption-Policy = Encryption-Allowed
> (0)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
> (0) Finished request
> Waking up in 4.9 seconds.
> (0) Cleaning up request packet ID 43 with timestamp +4
> Ready to process requests
>
> *Debug 2, using password 52345, gets rejected: *
>
> Ready to process requests
> (1) Received Access-Request Id 44 from 192.168.0.251:43064 to
> 192.168.0.34:1812 length 205
> (1)   NAS-IP-Address = 192.168.0.251
> (1)   NAS-Port = 0
> (1)   NAS-Port-Type = Wireless-802.11
> (1)   User-Name = "testing"
> (1)   Service-Type = Login-User
> (1)   Calling-Station-Id = "0.0.0.0"
> (1)   Called-Station-Id = "000B86DC7500"
> (1)   MS-CHAP-Challenge = 0x06dc76b4c9a101e7ff9799d66ce4689e
> (1)   MS-CHAP2-Response =
> 0x0000f8dbc20f2d288d874d88c4479566ac0d00000000000000002ac451293f31a0639a3409c825f328e2d1655e4fc5d3951d
> (1)   Aruba-Location-Id = "N/A"
> (1)   Aruba-AP-Group = "N/A"
> (1)   NAS-Identifier = "aruba"
> (1)   Message-Authenticator = 0x5c0fd3d522a5d7f3ed3977c68c402630
> (1) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (1)   authorize {
> (1)     policy filter_username {
> (1)       if (&User-Name) {
> (1)       if (&User-Name)  -> TRUE
> (1)       if (&User-Name)  {
> (1)         if (&User-Name =~ / /) {
> (1)         if (&User-Name =~ / /)  -> FALSE
> (1)         if (&User-Name =~ /@[^@]*@/ ) {
> (1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (1)         if (&User-Name =~ /\.\./ ) {
> (1)         if (&User-Name =~ /\.\./ )  -> FALSE
> (1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>  -> FALSE
> (1)         if (&User-Name =~ /\.$/)  {
> (1)         if (&User-Name =~ /\.$/)   -> FALSE
> (1)         if (&User-Name =~ /@\./)  {
> (1)         if (&User-Name =~ /@\./)   -> FALSE
> (1)       } # if (&User-Name)  = notfound
> (1)     } # policy filter_username = notfound
> (1)     [preprocess] = ok
> (1)     [chap] = noop
> (1) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> (1)     [mschap] = ok
> (1)     [digest] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: No '@' in User-Name = "testing", looking up realm NULL
> (1) suffix: No such realm "NULL"
> (1)     [suffix] = noop
> (1) eap: No EAP-Message, not doing EAP
> (1)     [eap] = noop
> (1) files: users: Matched entry testing at line 223
> (1)     [files] = ok
> (1)     [expiration] = noop
> (1)     [logintime] = noop
> (1) pap: WARNING: Auth-Type already set.  Not setting to PAP
> (1)     [pap] = noop
> (1)   } # authorize = ok
> (1) Found Auth-Type = mschap
> (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (1)   authenticate {
> (1) mschap: Found Cleartext-Password, hashing to create NT-Password
> (1) mschap: Found Cleartext-Password, hashing to create LM-Password
> (1) mschap: Creating challenge hash with username: testing
> (1) mschap: Client is using MS-CHAPv2
> (1) mschap: ERROR: MS-CHAP2-Response is incorrect
> (1)     [mschap] = reject
> (1)   } # authenticate = reject
> (1) Failed to authenticate the user
> (1) Using Post-Auth-Type Reject
> (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (1)   Post-Auth-Type REJECT {
> (1) attr_filter.access_reject: EXPAND %{User-Name}
> (1) attr_filter.access_reject:    --> testing
> (1) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (1)     [attr_filter.access_reject] = updated
> (1)     [eap] = noop
> (1)     policy remove_reply_message_if_eap {
> (1)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (1)       else {
> (1)         [noop] = noop
> (1)       } # else = noop
> (1)     } # policy remove_reply_message_if_eap = noop
> (1)   } # Post-Auth-Type REJECT = updated
> (1) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (1) Sending delayed response
> (1) Sent Access-Reject Id 44 from 192.168.0.34:1812 to 192.168.0.251:43064
> length 103
> (1)   MS-CHAP-Error = "\000E=691 R=1 C=91a925843c440ae78ba26a7744bd4a25
> V=3 M=Authentication rejected"
> Waking up in 3.9 seconds.
> (1) Cleaning up request packet ID 44 with timestamp +168
> Ready to process requests
>
>
> On Fri, Apr 12, 2019 at 11:51 AM Aaron Dalla-Longa <aaron at shortgrass.ca>
> wrote:
>
>> for example, lines from my users file:
>>
>> testing Cleartext-Password := "52345"
>> guestuser Cleartext-Password := "16109"
>>
>> Debug file 1 (Notice how it is authenticating with password 12345, an old
>> password)
>>
>>
>>
>> --
>> *Aaron Dalla-Longa*
>> Systems Administrator
>> Shortgrass Library System
>> tf: 1.866.529.0550 | p: 403.529.0550
>>
>
>
> --
> *Aaron Dalla-Longa*
> Systems Administrator
> Shortgrass Library System
> tf: 1.866.529.0550 | p: 403.529.0550
>


-- 
*Aaron Dalla-Longa*
Systems Administrator
Shortgrass Library System
tf: 1.866.529.0550 | p: 403.529.0550


More information about the Freeradius-Users mailing list