radtest No "known good" password

thenderson at system.de
Thu Aug 10 10:11:40 UTC 2023


Have done much Googling/Binging, can’t find a similar situation.

Debian 11. Installed with apt-get install freeradius freeradius-mysql
freeradius-utils.

Added to /etc/freeradius/mods-config/files/authorize:

testing Cleartext-Password := "password"

During that process I had to create the folder
/etc/freeradius/mods-config/files, it was not already present. Naturally due
to this, the authorize file is empty other than the one line I added.

Then I:

radtest testing password 127.0.0.1 0 testing123

Outputs are:

On Terminal A:

Sent Access-Request Id 29 from 0.0.0.0:53848 to 127.0.0.1:1812 length 77
        User-Name = "testing"
        User-Password = "password"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "password"
Received Access-Reject Id 29 from 127.0.0.1:1812 to 127.0.0.1:53848 length 20
(0) -: Expected Access-Accept got Access-Reject

Debug from Terminal B:

(8) Received Access-Request Id 29 from 127.0.0.1:53848 to 127.0.0.1:1812 length 77
(8)   User-Name = "testing"
(8)   User-Password = "password"
(8)   NAS-IP-Address = 127.0.1.1
(8)   NAS-Port = 0
(8)   Message-Authenticator = 0xbf1bb85fcdf0c1a4fbc4c65ff5c466b0
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(8)   authorize {
(8)     policy filter_username {
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /)  -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ )  -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)         if (&User-Name =~ /\.$/)  {
(8)         if (&User-Name =~ /\.$/)   -> FALSE
(8)         if (&User-Name =~ /@\./)  {
(8)         if (&User-Name =~ /@\./)   -> FALSE
(8)       } # if (&User-Name)  = notfound
(8)     } # policy filter_username = notfound
(8)     [preprocess] = ok
(8)     [chap] = noop
(8)     [mschap] = noop
(8)     [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "testing", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8) eap: No EAP-Message, not doing EAP
(8)     [eap] = noop
(8)     [files] = noop
(8)     [expiration] = noop
(8)     [logintime] = noop
(8) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(8) pap: WARNING: Authentication will fail unless a "known good" password is available
(8)     [pap] = noop
(8)   } # authorize = ok
(8) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(8) Failed to authenticate the user
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8)   Post-Auth-Type REJECT {
(8) attr_filter.access_reject: EXPAND %{User-Name}
(8) attr_filter.access_reject:    --> testing
(8) attr_filter.access_reject: Matched entry DEFAULT at line 11
(8)     [attr_filter.access_reject] = updated
(8)     [eap] = noop
(8)     policy remove_reply_message_if_eap {
(8)       if (&reply:EAP-Message && &reply:Reply-Message) {
(8)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(8)       else {
(8)         [noop] = noop
(8)       } # else = noop
(8)     } # policy remove_reply_message_if_eap = noop
(8)   } # Post-Auth-Type REJECT = updated
(8) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(8) Sending delayed response
(8) Sent Access-Reject Id 29 from 127.0.0.1:1812 to 127.0.0.1:53848 length 20
Waking up in 3.9 seconds.
(8) Cleaning up request packet ID 29 with timestamp +2957

Random thought: is the MySQL package making FreeRadius expect a different
configuration method? I thought it was required to install but I’m not using
any MySQL as far as I know, I’m doing a very basic setup, authorizing some
Cisco vIOS routers/switches.

I’m probably missing something fairly obvious. Please help?

--
Tristan Henderson
Network Support Engineer
thenderson at system.de

system.de – System & Project GmbH
Knesebeckstr. 96, 10623 Berlin
www.system.de

T +49 30 2902315 350
F +49 30 2902315 440

Amtsgericht Berlin-Charlottenburg: HRB 53740
Managing directors: Peter Schulte, Wilhelm Boeddinghaus

Think before you print!
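
An added example, not part of the original post and not FreeRADIUS code: a small parser for the debug output above that reports what each authorize module returned and whether the edited users file sits under the configuration root the server actually loaded. `diagnose` and its sample input are constructed here, and it assumes the default layout in which the files module reads `mods-config/files/authorize` beneath the same root as `sites-enabled`.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: lines taken from the debug output in the post,
# with the mail client's line wraps rejoined.
SAMPLE_DEBUG = """\
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(8)   authorize {
(8)     [preprocess] = ok
(8)     [files] = noop
(8) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(8)     [pap] = noop
(8)   } # authorize = ok
(8) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(8)     [attr_filter.access_reject] = updated
"""

SECTION_RE = re.compile(r"# Executing section authorize from file (\S+)")
MODULE_RE = re.compile(r"^\(\d+\)\s+\[([\w.]+)\] = (\w+)\s*$")


def diagnose(debug_text, edited_file):
    """Return (config_root, authorize module results, findings)."""
    config_root, results, in_authorize = None, {}, False
    for line in debug_text.splitlines():
        section = SECTION_RE.search(line)
        if section:
            # <root>/sites-enabled/<server>: two levels up is the config root
            # (assumption: default directory layout).
            config_root = PurePosixPath(section.group(1)).parent.parent
            in_authorize = True
        elif "} # authorize =" in line:
            in_authorize = False
        elif in_authorize and (module := MODULE_RE.match(line)):
            results[module.group(1)] = module.group(2)
    findings = []
    if results.get("files") == "noop":
        findings.append("files matched no entry for this User-Name")
    if config_root and config_root not in PurePosixPath(edited_file).parents:
        findings.append(f"{edited_file} is outside config root {config_root}")
    if results.get("pap") == "noop" and 'No "known good" password' in debug_text:
        findings.append("pap found no Cleartext-Password, so no Auth-Type was set")
    return config_root, results, findings


if __name__ == "__main__":
    edited = "/etc/freeradius/mods-config/files/authorize"  # path from the post
    for finding in diagnose(SAMPLE_DEBUG, edited)[2]:
        print("-", finding)
```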

 


