I encountered the problem that there is an account in the database, but the authentication process feedback does not exist. Please help.
娶你苟命
qunigouming at gmail.com
Fri Dec 8 03:22:23 UTC 2023
Yes, Matthew you are right. Yesterday I used a GNS3 simulated switch to
test three solutions to compare wireshark messages (1. Log in with a local
account on the switch, 2. Accounts stored in the radius server database, 3.
Accounts coexisting in the local switch and radius server databases, but
both passwords are inconsistent), only the third one is successful. Judging
from the debugging files, the second and third options both return
Access-Accept. However, in the second solution, the log on the GNS3
simulator returns an incorrect user password, while on the real network
device, the log returns that the account does not exist. As for the
authorization issue, I don't think this is the reason. Because in the third
test scenario, you successfully log in to the switch and can execute any
command. Considering the rigor of the experiment, I will use real network
equipment to test and then provide you with new test data.
Matthew Newton via Freeradius-Users <freeradius-users at lists.freeradius.org>
于2023年12月6日周三 19:15写道:
> On 06/12/2023 03:00, 娶你苟命 wrote:
> > * I'm having trouble with freeradius and don't know if I should ask
> > freeradius-users at lists.freeradius.org
>
> This is the right place to ask.
>
> > (0) Received Access-Request Id 228 from 192.168.1.243:38272 to
> > 192.168.2.118:1812 length 215
> > (0) User-Name = "netnoc"
> ...> (0) H3C-Product-ID = "H3C S6812-48X6C"
>
> PAP auth from H3C
>
> > (0) pap: User authenticated successfully
> ...
> > (0) Sent Access-Accept Id 228 from 192.168.2.118:1812 to
> > 192.168.1.243:38272 length 0
>
> Login OK
>
>
> > (1) Received Access-Request Id 175 from 192.168.1.244:63378 to
> > 192.168.2.118:1812 length 170
> > (1) User-Name = "netnoc"
> > (1) User-Password = "123456"
> ...
> > (1) Huawei-Version = "Huawei VRP Software Version"
>
> PAP auth from Huawei
>
> > (1) pap: User authenticated successfully
> ...
> > (1) Sent Access-Accept Id 175 from 192.168.2.118:1812 to
>
> Login OK
>
>
> There nothing wrong with FreeRADIUS. It is returning Access-Accept
> because the login is OK on both occasions.
>
>
> > *What is puzzling is that the user "netnoc" exists on my mysql, but
> > when using H3C network supplier products, it will prompt that the user
> does
> > not exist. I have repeatedly confirmed that there is no problem with the
> > switch configuration file. This problem will not exist when testing with
> > Cisco ACS.*
>
> You need to look at the switch and find out why it does not allow the
> user on after receiving an Access-Accept. It might be expecting other
> attributes in the reply (such as Service-Type), but only the switch log
> output or documentation can tell you what is going wrong.
>
> This page might help: https://knowledge.h3c.com/Theme/details/191858
>
> That seems to imply you need to add at least these attributes to your
> reply (e.g. using the "users" file, or add to the SQL database.)
>
> Service-Type=Login-User
> Session-Timeout=86400
> Login-Service=Telnet
>
> and possibly also one of
>
> H3c-Exec-Privilege=1
>
> H3c-User-Roles="shell:roles="network-admin""
>
> --
> Matthew
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
More information about the Freeradius-Users
mailing list