Auth: Login incorrect: [maxx09/<no User-Password attribute>]

Sam T givemesam at gmail.com
Sun Mar 22 18:07:35 CET 2020


Thank you for the advice.

What you are trying to do: Get RADIUS to work with MikroTik IKEv2
authorization / client has self-signed CA cert, server has signed server +
CA cert

   - why you are trying to do it: to add IKEv2 RADIUS auth while also
   supporting Wi-Fi authorization (which is working great)
   - what you expect the server to do: to accept user/pass from MikroTik,
   and provide authorization reply w/ radreply attributes
   - what the server does instead (i.e. debug output): see output

(My previous submission ran freeradius -X on top of a running server; this
time I followed the instructions. Here is one clean process of the IKEv2
request.)

rad_recv: Access-Request packet from host 45.63.66.220 port 40641, id=66,
length=143
User-Name = "maxx09"
Called-Station-Id = "444.555.666.777"
Calling-Station-Id = "222.333.444.555"
NAS-Port-Id = "\000\000\000\r"
NAS-Port-Type = Virtual
Service-Type = Framed-User
Event-Timestamp = "Mar 22 2020 16:54:39 UTC"
Framed-MTU = 1400
EAP-Message = 0x0200000b016d6178783039
Message-Authenticator = 0xa0d6653f0433fd6aaba395e394bb7def
NAS-Identifier = "router01"
NAS-IP-Address = 45.63.66.220
# Executing section authorize from file
/etc/freeradius/sites-enabled/server01.rad
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "maxx09", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[sql] expand: %{User-Name} -> maxx09
[sql] sql_set_user escaped user --> 'maxx09'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, UserName, Attribute, Value, op           FROM
radcheck           WHERE Username = REPLACE('%{SQL-User-Name}',':','-') AND
ExpDate >= now()          ORDER BY id -> SELECT id, UserName, Attribute,
Value, op           FROM radcheck           WHERE Username =
REPLACE('maxx09',':','-') AND ExpDate >= now()          ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, UserName,
REPLACE(Attribute,'Max-Octets','ChilliSpot-Max-Total-Octets') AS Attribute,
Value, REPLACE(op,':=','=') AS op           FROM radreply           WHERE
Username = REPLACE('%{SQL-User-Name}',':','-')           ORDER BY id ->
SELECT id, UserName,
REPLACE(Attribute,'Max-Octets','ChilliSpot-Max-Total-Octets') AS Attribute,
Value, REPLACE(op,':=','=') AS op           FROM radreply           WHERE
Username = REPLACE('maxx09',':','-')           ORDER BY id
[sql] expand: SELECT GroupName FROM usergroup WHERE
UserName=REPLACE('%{SQL-User-Name}',':','-') -> SELECT GroupName FROM
usergroup WHERE UserName=REPLACE('maxx09',':','-')
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[monthlycounter] returns noop
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No User-Password or CHAP-Password attribute in the request.
Cannot perform authentication.
Failed to authenticate the user.
Login incorrect: [maxx09/<no User-Password attribute>] (from client wificpa
port 0 cli 222.333.444.555)
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 45.63.66.220 port 40641, id=66,
length=143
Waiting to send Access-Reject to client wificpa port 40641 - ID: 66
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 45.63.66.220 port 40641, id=66,
length=143
Waiting to send Access-Reject to client wificpa port 40641 - ID: 66
Waking up in 0.3 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 66 to 45.63.66.220 port 40641
WISPr-Bandwidth-Max-Up = 200000000
WISPr-Bandwidth-Max-Down = 200000000
Acct-Interim-Interval = 300
Session-Timeout = 90000
Idle-Timeout = 90000
Mikrotik-Rate-Limit = ""
WISPr-Session-Terminate-Time = "2021-03-31T08:00:00+00:00"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 66 with timestamp +16
Ready to process requests.



I ran one with non-EAP, and it still gave this warning block, but it
authorized. I think the issue is the password is not being sent? Or it's
hashed somehow? (Is that what EAP-Message is?)
This one is not IKEv2.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
Login OK: [auth00/000000] (from client wificpa port 0)

On Sun, Mar 22, 2020 at 6:00 AM Alan DeKok <aland at deployingradius.com>
wrote:

> On Mar 21, 2020, at 9:23 PM, Sam T <givemesam at gmail.com> wrote:
> >
> > I have been working hard at making our already wonderful FreeRADIUS
> > implementation also work with some VPN RADIUS functions. A lot of this
> > is a bit over my head, but I am grasping it as I go. So far, this server
> > config works great for user/pass on PPTP, L2TP, OpenVPN, SoftEther AAA
> > but I am getting stuck with IKEv2.
> >
> > Ideally we can get IKEv2 working on all devices, but it does require a
> > lot of certificate work. I have been able to deal with the cert stuff
> > from client to router, and get the router to send the RADIUS request; it
> > comes back timeout. I tried it with also loading the cert chain in
> > eap.conf but it didn't make a difference. I saw the <no User-Password
> > attribute> in the radius.log either way.
>
>   And what does the debug log say?
>
> > I think the issue is with something with the password being sent from
> > the router, maybe it is hashed, maybe it is not sent, but this is what I
> > see in the radius.log:
> >
> > Sun Mar 22 00:10:28 2020 : Auth: Login incorrect: [user123/<no
> > User-Password attribute>] (from client wificpa port 0 cli
> > 444.555.666.777)
> >
> > Any idea where I should dig, or what I should do to see why we see
> > user123/<no User-Password attribute>?
>
>   The debug output?
>
>   Read http://wiki.freeradius.org/list-help
>
> > Is this the app not sending it, the router not sending it, or it arriving
> > in some other attribute that RADIUS is not listening for? (hashed,
> > something specific for EAP?)
>
>   If it's EAP, then there may not be a User-Password.  Again... see the
> debug log for more information.
>
>
> > I found that specifying the cert chain didn't make a difference when
> > adding them in eap.conf, but here are some of those configs, and I will
> > also include a -X:
>
>   Read http://wiki.freeradius.org/list-help
>
>   We do NOT need to see configuration files.  We DO need to see "radiusd
> -X" where it RECEIVES PACKETS.  We do NOT need to see a debug output ending
> in:
>
> > Failed binding to authentication address * port 1812: Address already in
> > use
> > /etc/freeradius/radiusd.conf[20]: Error binding to port for 0.0.0.0 port
> > 1812
>
>   That does not help at all.
>
> > Android StrongSwan verifies all the cert stuff is ok, but errors and
> > logs:
> > N(Auth_FAILED)
> >
> > From router log:
>
>   You cannot debug a server issue by looking at the client logs.
>
>   All of this is *extensively* documented.  Follow the documentation.
> Post the information that the documentation says we need.  Do NOT post
> random other things that the documentation says we do NOT need.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
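Sam asks above whether the password is hidden inside EAP-Message, and Alan's reply notes that an EAP request may carry no User-Password at all. The following is an added example, not code from the original thread or from the FreeRADIUS project: it decodes the EAP-Message attribute printed in the debug output according to the RFC 3748 header layout. The value 0x0200000b016d6178783039 is copied from the debug output; the helper names, the simplified credential classification and the attribute-name list are this example's own. It also handles the case where a larger EAP packet arrives split over several EAP-Message attributes, which RFC 3579 says must be concatenated before decoding.

```python
"""Decode the EAP-Message attribute shown in the FreeRADIUS debug output.

Added example for this thread; not code from the original post or from
FreeRADIUS. SAMPLE_EAP_MESSAGE is copied from the debug output above; the
helper names and the credential classification are this example's own.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Copied from the debug output above (EAP-Message = 0x0200000b016d6178783039).
SAMPLE_EAP_MESSAGE = "0x0200000b016d6178783039"

# RFC 3748 section 4: Code field values.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# RFC 3748 section 5 plus the IANA method registry: common Type values.
EAP_TYPES = {
    1: "Identity",
    2: "Notification",
    3: "Legacy Nak",
    4: "MD5-Challenge",
    13: "EAP-TLS",
    21: "EAP-TTLS",
    25: "PEAP",
    26: "EAP-MSCHAPv2",
}


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]  # None for Success/Failure, which have no Type byte
    type_data: bytes

    @property
    def code_name(self) -> str:
        return EAP_CODES.get(self.code, f"unknown({self.code})")

    @property
    def type_name(self) -> Optional[str]:
        if self.eap_type is None:
            return None
        return EAP_TYPES.get(self.eap_type, f"unknown({self.eap_type})")

    @property
    def identity(self) -> Optional[str]:
        """Identity string carried by an EAP Response/Identity, else None."""
        if self.code == 2 and self.eap_type == 1:
            return self.type_data.decode("utf-8", errors="replace")
        return None


def parse_eap_message(*hex_attrs: str) -> EapPacket:
    """Parse one EAP packet from the hex of its EAP-Message attribute(s).

    A RADIUS attribute value holds at most 253 bytes, so a larger EAP packet
    (a TLS handshake, say) is split over several EAP-Message attributes that
    are concatenated in order before decoding (RFC 3579, section 3.1).
    """
    raw = b"".join(
        bytes.fromhex(h[2:] if h.lower().startswith("0x") else h) for h in hex_attrs
    )
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, identifier = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length field says {length}, got {len(raw)} bytes")
    if code in (3, 4):  # Success/Failure carry only the 4-byte header
        return EapPacket(code, identifier, length, None, b"")
    if length < 5:
        raise ValueError("EAP Request/Response needs a Type byte")
    return EapPacket(code, identifier, length, raw[4], raw[5:])


def authentication_path(attribute_names: Iterable[str]) -> str:
    """Classify which credential an Access-Request carries (simplified).

    Returns "eap", "pap", "chap" or "none". EAP is checked first because an
    EAP request normally has no User-Password at all: any credential lives
    inside the EAP conversation, which only the EAP module can handle.
    """
    names = set(attribute_names)
    if "EAP-Message" in names:
        return "eap"
    if "User-Password" in names:
        return "pap"
    if "CHAP-Password" in names:
        return "chap"
    return "none"


# Attribute names from the Access-Request in the debug output above.
REQUEST_ATTRIBUTES = [
    "User-Name", "Called-Station-Id", "Calling-Station-Id", "NAS-Port-Id",
    "NAS-Port-Type", "Service-Type", "Event-Timestamp", "Framed-MTU",
    "EAP-Message", "Message-Authenticator", "NAS-Identifier", "NAS-IP-Address",
]

if __name__ == "__main__":
    pkt = parse_eap_message(SAMPLE_EAP_MESSAGE)
    print(f"EAP {pkt.code_name} id={pkt.identifier} len={pkt.length} "
          f"type={pkt.type_name} identity={pkt.identity!r}")
    print("credential path:", authentication_path(REQUEST_ATTRIBUTES))
```

Run against the captured value, the decoder reports an EAP Response/Identity for "maxx09": the first leg of an EAP conversation, carrying a name and nothing else, so the absence of User-Password and CHAP-Password in the request is expected rather than a sign that the router dropped the password. The debug output above also shows the authorize section running preprocess, chap, mschap, suffix, sql and the counters, with no eap module in that list, which is where a reader would look next.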

