Package: freeradius
Version: 2.1.12+dfsg-1.2
Severity: normal
Dear maintainer,
There is a small problem with including another 'users' file with '$INCLUDE users.other'. Just take a look at my simple setup.
Working directory:
(root@poligon freeradius)# pwd
/etc/freeradius
Two 'users' files:
(root@poligon freeradius)# ls -l users*
-rw-r--r-- 1 root root 6618 Mar 2 10:17 users
-rw-r--r-- 1 root freerad 34 Mar 2 10:04 users.login
One user defined in the standard 'users' file (at the beginning of the file):
(root@poligon freeradius)# grep bob users
bob Cleartext-Password := "hello"
One user defined in the additional 'users' file:
(root@poligon freeradius)# cat users.login
ben Cleartext-Password := "hello"
Including without full path:
$INCLUDE users.login
Effect:
(r...@poligon.test.local ~)# radtest ben hello localhost 0 testing123
Sending Access-Request of id 250 to 127.0.0.1 port 1812
User-Name = "ben"
User-Password = "hello"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=250, length=20
Including with full path:
$INCLUDE /etc/freeradius/users.login
Authorization is working fine:
(root@poligon ~)# radtest ben hello localhost 0 testing123
Sending Access-Request of id 136 to 127.0.0.1 port 1812
User-Name = "ben"
User-Password = "hello"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=136, length=20
I believe this is a bug, as I don't see such behavior with the native CentOS/RHEL 6 package or a vanilla build on Slackware.
There are two debug logs attached.
Regards,
Mike
POLAND

rad_recv: Access-Request packet from host 127.0.0.1 port 37290, id=246, length=73
User-Name = "ben"
User-Password = "hello"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x5edf5dc66d82c3ff177f3143b2c6fc49
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "ben", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry ben at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "hello"
[pap] Using clear text password "hello"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [ben] (from client localhost port 0)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 246 to 127.0.0.1 port 37290
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 246 with timestamp +3
Ready to process requests.

rad_recv: Access-Request packet from host 127.0.0.1 port 45288, id=64, length=73
User-Name = "ben"
User-Password = "hello"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0xf74c34ed60a5138376e0ffbbf72f088a
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "ben", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [ben/hello] (from client localhost port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> ben
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 64 to 127.0.0.1 port 45288
Waking up in 4.9 seconds.
Cleaning up request 0 ID 64 with timestamp +3
Ready to process requests.
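A configuration check for the include form this report is about, added here as an example (it is not part of the bug report, the Debian package or FreeRADIUS). It lists every $INCLUDE in a users file, resolves relative targets against the directory of the users file, and flags relative and missing targets, because the second log above shows a relative include loading nothing without any error being printed. The temporary directory layout and the function names are constructed for the example.

```python
import os
import re
import tempfile

# Matches an uncommented "$INCLUDE <file>" line of a FreeRADIUS users file.
INCLUDE_RE = re.compile(r'^\s*\$INCLUDE\s+(\S+)')


def check_includes(users_path):
    """Return one finding per $INCLUDE line in users_path.

    A relative target is resolved against the directory of the users file,
    which is what the report's author expected (but did not get) on Debian.
    """
    base_dir = os.path.dirname(os.path.abspath(users_path))
    findings = []
    with open(users_path) as fh:
        for lineno, line in enumerate(fh, 1):
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            target = m.group(1)
            resolved = target if os.path.isabs(target) else os.path.join(base_dir, target)
            if not os.path.isfile(resolved):
                status = "missing"      # nothing to load: entries are silently absent
            elif not os.path.isabs(target):
                status = "relative"     # the form that failed in the report above
            else:
                status = "ok"
            findings.append({"line": lineno, "target": target,
                             "resolved": resolved, "status": status})
    return findings


def demo():
    """Build a constructed /etc/freeradius-like layout in a temp dir and lint it."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "users.login"), "w") as fh:
        fh.write('ben Cleartext-Password := "hello"\n')
    users = os.path.join(tmp, "users")
    lines = [
        'bob Cleartext-Password := "hello"',
        '$INCLUDE users.login',                          # relative: flagged
        '$INCLUDE ' + os.path.join(tmp, "users.login"),  # absolute: ok
        '# $INCLUDE users.ignored',                      # commented out: skipped
        '$INCLUDE users.missing',                        # target absent: flagged
    ]
    with open(users, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return check_includes(users)


if __name__ == "__main__":
    for f in demo():
        print("line %(line)d: $INCLUDE %(target)s -> %(resolved)s [%(status)s]" % f)
```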