• Status: Solved

freeradius user login problem

from /etc/raddb/users

test2@xyz.com Cleartext-Password := "pass2"

from /etc/raddb/proxy.conf

realm medsign.com {
nostrip
}

from radius -X

Ready to process requests.
rad_recv: Access-Request packet from host 64.136.173.11 port 8282, id=47, length=205
        User-Name = "test2@medsign.com"
        User-Password = "pass2"
        NAS-IP-Address = 63.215.29.155
        NAS-Port = 293
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Ascend-Data-Rate = 14400
        Ascend-Calling-Id-Type-Of-Num = Unknown
        Ascend-Calling-Id-Number-Plan = Unknown
        Ascend-Xmit-Rate = 14400
        Called-Station-Id = "2567124020"
        Calling-Station-Id = "2567127777"
        NAS-Identifier = "nas54.2ga1.Level3.net"
        Acct-Session-Id = "490017813"
        NAS-Port-Type = Async
        Ascend-NAS-Port-Format = 4
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "medsign.com" for User-Name = "test2@medsign.com"
[suffix] Found realm "medsign.com"
[suffix] Adding Realm = "medsign.com"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> test2@medsign.com
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 47 to 64.136.173.11 port 8282
Waking up in 4.9 seconds.
Cleaning up request 0 ID 47 with timestamp +42
Ready to process requests.


iaroot (Author) Commented:
sorry - xyz.com = medsign.com

iaroot (Author) Commented:
Here is a successful transaction from a unix client
 
Ready to process requests.
rad_recv: Access-Request packet from host 64.136.164.52 port 8282, id=35, length=104
        User-Name = "test2@medsign.com"
        Service-Type = Framed-User
        NAS-IP-Address = 0.0.0.0
        NAS-Port = 1
        Called-Station-Id = "123456789"
        Calling-Station-Id = "0987654321"
        NAS-Port-Type = Async
        User-Password = "pass2"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "medsign.com" for User-Name = "test2@medsign.com"
[suffix] Found realm "medsign.com"
[suffix] Adding Realm = "medsign.com"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry test2@medsign.com at line 205
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "pass2"
[pap] Using clear text password "pass2"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 35 to 64.136.164.52 port 8282
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 35 with timestamp +49
Ready to process requests.

noci (Software Engineer) Commented:
[files] users: Matched entry DEFAULT at line 172
[files] users: Matched entry test2@medsign.com at line 205

So:
Check your users file, somewhere between line 172 and 205 a setting is done which sets the auth-type to pap, and then allows access.
The match at line 172 aborts the further attempts to match.

The unix login misses the Framed-protocol = PPP attribute.

My guess: check the statement on line 172 if it is appropriate...

iaroot (Author) Commented:
Lines 172-174 - now commented out

DEFAULT        Framed-Protocol == PPP
       Framed-Protocol = PPP,
       Framed-Compression = Van-Jacobson-TCP-IP
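
The matching behaviour discussed in this thread, as an added example that is not part of the original posts: a simplified Python model of how the FreeRADIUS "files" module walks the users file, where the first matching entry ends the search unless its reply items set Fall-Through = Yes. The sample file, its line numbers and the function names are constructed for illustration.

```python
import re

# Constructed sample with the ordering from the thread: the PPP DEFAULT entry sits
# above the user's own entry (lines 1 and 5 here; 172 and 205 in the poster's file).
USERS = '''DEFAULT Framed-Protocol == PPP
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobson-TCP-IP

test2@medsign.com Cleartext-Password := "pass2"
'''
ITEM = re.compile(r'([\w-]+)\s*(==|:=|=)\s*("[^"]*"|[^,\s]+)')

def items(text):
    """Split 'Attr op value, ...' into (attribute, operator, value) tuples."""
    return [(attr, op, val.strip('"')) for attr, op, val in ITEM.findall(text)]

def parse_users(text):
    """Parse a users file into entries; indented lines are reply items."""
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                   # blank or commented out
        if line[0].isspace():
            if entries:
                entries[-1]["reply"] += items(line)
            continue
        parts = line.split(None, 1)
        entries.append({"line": no, "name": parts[0],
                        "check": items(parts[1] if len(parts) > 1 else ""), "reply": []})
    return entries

def authorize(entries, request):
    """Simplified model: return (matched line numbers, control items, reply items)."""
    matched, control, reply = [], {}, {}
    for e in entries:
        if e["name"] not in ("DEFAULT", request.get("User-Name")):
            continue
        if any(op == "==" and request.get(a) != v for a, op, v in e["check"]):
            continue                                   # a check item failed
        matched.append(e["line"])
        control.update({a: v for a, op, v in e["check"] if op == ":="})
        reply.update({a: v for a, _, v in e["reply"] if a != "Fall-Through"})
        if not any(a == "Fall-Through" and v.lower() == "yes" for a, _, v in e["reply"]):
            break                                      # first match ends the search
    return matched, control, reply

if __name__ == "__main__":
    user = "test2@medsign.com"
    for label, req in (("NAS (PPP)", {"User-Name": user, "Framed-Protocol": "PPP"}),
                       ("unix client", {"User-Name": user})):
        lines, control, _ = authorize(parse_users(USERS), req)
        print(label, "matched lines", lines,
              "known-good password:", "Cleartext-Password" in control)
```

With the DEFAULT entry commented out, as the poster did, the PPP request reaches the user's own entry and picks up Cleartext-Password. Adding Fall-Through = Yes to the DEFAULT entry's reply items, an alternative not used in the thread, has the same effect while keeping the PPP reply attributes.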