Guys, I'm experiencing a strange problem. I use FreeRadius to control command-line access to my routers and switches, and I've configured FreeRadius to use a MySQL back-end. Thus far it works fine except for one condition: if I supply a blank password when authenticating, FreeRadius allows the request and authenticates me once my username is correct. Why is this happening? Is there any way to have FreeRadius keep on prompting if a blank password is supplied, or reject the request altogether? Thanks for your help. Radius debug is below:
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.1 port 1645, id=215, length=104
        User-Name = "john.doe"
        Reply-Message = "Password: "
        User-Password = ""
        NAS-Port = 1
        NAS-Port-Id = "tty1"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "192.168.1.1"
        NAS-IP-Address = 192.168.1.1
+- entering group authorize
++[preprocess] returns ok
rlm_sql (sql): - sql_xlat
        expand: %{User-Name} -> john.doe
rlm_sql (sql): sql_set_user escaped user --> 'john.doe'
        expand: SELECT groupname FROM radhuntgroup WHERE nasipaddress="%{NAS-IP-Address}" AND nasportid LIKE IF (SUBSTRING("%{NAS-Port-Id}", 1, 3) = 'tty', 'tty', "%{NAS-Port-Id}") AND usergroup IN (SELECT groupname FROM radusergroup where username LIKE "%{User-Name}") -> SELECT groupname FROM radhuntgroup WHERE nasipaddress="192.168.1.1" AND nasportid LIKE IF (SUBSTRING("tty1", 1, 3) = 'tty', 'tty', "tty1") AND usergroup IN (SELECT groupname FROM radusergroup where username LIKE "john.doe")
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): - sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
        expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress="%{NAS-IP-Address}" AND nasportid LIKE IF (SUBSTRING("%{NAS-Port-Id}", 1, 3) = 'tty', 'tty', "%{NAS-Port-Id}") AND usergroup IN (SELECT groupname FROM radusergroup where username LIKE "%{User-Name}") } -> admin
++[request] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "john.doe", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
users: Matched entry DEFAULT at line 204
++[files] returns ok
        expand: %{User-Name} -> john.doe
rlm_sql (sql): sql_set_user escaped user --> 'john.doe'
rlm_sql (sql): Reserving sql socket id: 2
        expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'john.doe' ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'john.doe' ORDER BY id
        expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'john.doe' ORDER BY priority
        expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'engineeringadmin' ORDER BY id
rlm_sql (sql): User found in group engineeringadmin
        expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'engineeringadmin' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing SHA-Password from hex encoding
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [john.doe] (from client routerA port 1 cli 192.168.1.1)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 215 to 192.168.1.1 port 1645
        Service-Type := Administrative-User
        Cisco-AVPair := "shell:priv-lvl=15"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 215 with timestamp +9
Ready to process requests.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
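Added example (not part of the post above, and not FreeRADIUS project code). The debug transcript already contains the explanation the poster is asking for: by the time rlm_pap ran, an Auth-Type had already been set ("rlm_pap: Found existing Auth-Type, not changing it."), so pap never compared the supplied password against the SHA-Password it had just normalized, and rad_check_password then found "Auth-Type Accept", which accepts the user without running any authentication module at all. The two places that ran before pap and can set that attribute are the DEFAULT entry at line 204 of the users file and the radcheck/radgroupcheck rows returned by rlm_sql; the transcript does not show which one did it. The script below triages a `radiusd -X` transcript in this 2.x format for exactly that pattern: it groups lines into requests, records the request attributes, the forced Auth-Type, the matched users entry and the final reply, and flags any Access-Accept that was issued for an empty User-Password or via Auth-Type Accept. The sample transcript is a trimmed copy of the one in the post plus a constructed second request (a normal PAP reject) so the non-flagging path is exercised too; the Finding/Request names and the triage rules are this example's own.

```python
"""Triage FreeRADIUS 2.x 'radiusd -X' output for accepts that never checked a password.

Added example, not code from the mailing-list post or from FreeRADIUS.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: request id=215 is trimmed from the post, id=216 is invented
# to show an ordinary PAP reject that must NOT be flagged.
SAMPLE_DEBUG = """\
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.1 port 1645, id=215, length=104
        User-Name = "john.doe"
        Reply-Message = "Password: "
        User-Password = ""
        NAS-Port-Id = "tty1"
        NAS-IP-Address = 192.168.1.1
+- entering group authorize
++[preprocess] returns ok
users: Matched entry DEFAULT at line 204
++[files] returns ok
rlm_sql (sql): User found in radcheck table
++[sql] returns ok
rlm_pap: Normalizing SHA-Password from hex encoding
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [john.doe] (from client routerA port 1 cli 192.168.1.1)
Sending Access-Accept of id 215 to 192.168.1.1 port 1645
        Service-Type := Administrative-User
        Cisco-AVPair := "shell:priv-lvl=15"
Finished request 0.
rad_recv: Access-Request packet from host 192.168.1.1 port 1645, id=216, length=110
        User-Name = "jane.doe"
        User-Password = "wrong-pass"
+- entering group authorize
++[pap] returns updated
rad_check_password: Found Auth-Type PAP
rlm_pap: Passwords don't match
++[pap] returns reject
Sending Access-Reject of id 216 to 192.168.1.1 port 1645
Finished request 1.
"""

RE_REQ = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port (\d+), id=(\d+)")
RE_ATTR = re.compile(r"^\s+([\w-]+) (?:=|:=) (.*)$")      # indented attribute lines
RE_AUTH_TYPE = re.compile(r"^rad_check_password: Found Auth-Type (\S+)")
RE_USERS = re.compile(r"^users: Matched entry (\S+) at line (\d+)")
RE_REPLY = re.compile(r"^Sending Access-(Accept|Reject|Challenge) of id (\d+)")
PAP_SKIPPED = "rlm_pap: Found existing Auth-Type, not changing it."


@dataclass
class Request:
    client: str
    packet_id: int
    attrs: Dict[str, str] = field(default_factory=dict)       # request AVPs
    reply_attrs: Dict[str, str] = field(default_factory=dict)  # AVPs in the reply
    auth_type: Optional[str] = None
    files_entry: Optional[Tuple[str, int]] = None  # (entry name, users-file line)
    pap_skipped: bool = False
    reply: Optional[str] = None


@dataclass
class Finding:
    user: str
    packet_id: int
    client: str
    reasons: List[str]
    auth_type: Optional[str]
    pap_skipped: bool
    files_entry: Optional[Tuple[str, int]]
    privilege: Optional[str]  # e.g. Cisco-AVPair shell:priv-lvl from the reply


def _unquote(value: str) -> str:
    value = value.strip()
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def parse_debug(text: str) -> List[Request]:
    """Split a debug transcript into Request records, one per rad_recv Access-Request."""
    requests: List[Request] = []
    cur: Optional[Request] = None
    target: Optional[Dict[str, str]] = None  # dict that indented AVP lines belong to
    for line in text.splitlines():
        m = RE_REQ.match(line)
        if m:
            cur = Request(client=m.group(1), packet_id=int(m.group(3)))
            requests.append(cur)
            target = cur.attrs
            continue
        if cur is None:
            continue
        m = RE_ATTR.match(line)
        if m and target is not None:
            target[m.group(1)] = _unquote(m.group(2))
            continue
        target = None  # any non-attribute line terminates the AVP list
        if (m := RE_AUTH_TYPE.match(line)):
            cur.auth_type = m.group(1)
        elif (m := RE_USERS.match(line)):
            cur.files_entry = (m.group(1), int(m.group(2)))
        elif line.strip() == PAP_SKIPPED:
            cur.pap_skipped = True
        elif (m := RE_REPLY.match(line)):
            cur.reply = m.group(1)
            target = cur.reply_attrs
    return requests


def find_unverified_accepts(requests: List[Request]) -> List[Finding]:
    """Flag Access-Accepts issued for an empty User-Password or via Auth-Type Accept."""
    findings = []
    for r in requests:
        if r.reply != "Accept":
            continue
        reasons = []
        if r.attrs.get("User-Password") == "":
            reasons.append("Access-Accept for an empty User-Password")
        if r.auth_type == "Accept":
            reasons.append("Auth-Type Accept: no authentication module ran")
        if r.pap_skipped:
            reasons.append("rlm_pap stepped aside because Auth-Type was already set")
        if reasons:
            findings.append(Finding(r.attrs.get("User-Name", "?"), r.packet_id, r.client,
                                    reasons, r.auth_type, r.pap_skipped, r.files_entry,
                                    r.reply_attrs.get("Cisco-AVPair")))
    return findings


if __name__ == "__main__":
    for f in find_unverified_accepts(parse_debug(SAMPLE_DEBUG)):
        print(f"id={f.packet_id} user={f.user} client={f.client} priv={f.privilege}")
        for reason in f.reasons:
            print("  -", reason)
        if f.files_entry:
            print(f"  check users entry {f.files_entry[0]} at line {f.files_entry[1]}"
                  " and the radcheck/radgroupcheck rows for an Auth-Type := Accept")
```

Run it against a saved `radiusd -X` capture instead of `SAMPLE_DEBUG` to list every session that was accepted without a password comparison; the `files_entry` hint tells you which users-file entry to open first, and the reply's `Cisco-AVPair` shows what privilege level the unverified login actually received.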