Auth: Login incorrect: [maxx09/<no User-Password attribute>]

Alan DeKok aland at deployingradius.com
Sun Mar 22 13:58:00 CET 2020


On Mar 21, 2020, at 9:23 PM, Sam T <givemesam at gmail.com> wrote:
> 
> I have been working hard at making our already wonderful freeradius
> implementation also work with some VPN radius functions. A lot of this is a
> bit over my head, but I am grasping it as I go. So far, this server config
> works great for user/pass on PPTP, L2TP, OpenVPN, Soft-ether AAA but I am
> getting stuck with IKEv2.
> 
> Ideally we can get IKEv2 working on all devices, but it does require a lot
> of certificate work. I have been able to deal with the cert stuff from
> client, to router, and get the router to send the radius request, it comes
> back timeout. I tried it with also loading the cert chain in eap.conf but
> it didn't make a difference. I saw the <no User-Password attribute> in the
> radius.log either way.

  And what does the debug log say?

> I think the issue is with something with the password being sent from the
> router, maybe it is hashed, maybe it is not sent, but this is what I see in
> the radius.log:
> 
> Sun Mar 22 00:10:28 2020 : Auth: Login incorrect: [user123/<no
> User-Password attribute>] (from client wificpa port 0 cli 444.555.666.777)
> 
> Any idea where I should dig, or what I should do to see why we see
> user123/<no User-Password attribute>?

  The debug output?

  Read http://wiki.freeradius.org/list-help

> Is this the app not sending it, the router not sending it, or it arriving
> in some other attribute that radius is not listening for? (hashed,
> something specific for EAP?)

  If it's EAP, then there may not be a User-Password.  Again... see the debug log for more information.


> I found that specifying the cert chain didn't make a difference when adding
> them in eap.conf, but here are some of those configs, and I will also
> include a -X:

  Read http://wiki.freeradius.org/list-help

  We do NOT need to see configuration files.  We DO need to see "radiusd -X" where it RECEIVES PACKETS.  We do NOT need to see a debug output ending in:

> Failed binding to authentication address * port 1812: Address already in use
> /etc/freeradius/radiusd.conf[20]: Error binding to port for 0.0.0.0 port
> 1812

  That does not help at all.

> Android StrongSwan verifies all the cert stuff is ok, but errors and logs:
> N(Auth_FAILED)
> 
> From router log:

  You cannot debug a server issue by looking at the client logs.

  All of this is *extensively* documented.  Follow the documentation.  Post the information that the documentation says we need.  Do NOT post random other things that the documentation says we do NOT need.

  Alan DeKok.




More information about the Freeradius-Users mailing list