Invalid reply digest received? Password encryption?

2011-06-09 Thread Jim Whitescarver
Freeradius reports "Sending Access-Accept " (see log below) but we are
getting the message on our Cisco VPN box

"Radius: Invalid reply digest received; the shared-secret may be incorrect"

We have triple checked the shared secret and it is correct.  With the
wrong secret it does not authenticate at all.  Any ideas on what else
might be causing that?

Also, the password comes from the Cisco VPN to freeradius encrypted.
I had to resort to including the token in the userid field to make it
work.  Any ideas how to decrypt the password?  I have tried some tools
on the net like cisco-decrypt but it says the encrypted password I
give it is invalid.  I notice users in the users file are
authenticated properly although the password is encrypted.   I  need
to decrypt the password in my python module.

Thanks,

Jim


Ready to process requests.
rad_recv: Access-Request packet from host 135.207.5.9 port 1936, id=173, length=133
User-Name = "jw701e%1307649138237"
User-Password = "||\027\327j=\225\035|\376\0221\376j\366`"
NAS-Port = 2017
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = "204.178.3.9"
Calling-Station-Id = "204.178.9.131"
Tunnel-Client-Endpoint:0 = "204.178.9.131"
NAS-IP-Address = 135.207.5.9
NAS-Port-Type = Virtual
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "jw701e%1307649138237", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
*** authorize ***
*** RADlog call in authorize ***
(('User-Name', '"jw701e%1307649138237"'), ('User-Password',
'"||\\027\\327j=\\225\\035|\\376\\0221\\376j\\366`"'), ('NAS-Port',
'2017'), ('Service-Type', 'Framed-User'), ('Framed-Protocol', 'PPP'),
('Called-Station-Id', '"204.178.3.9"'), ('Calling-Station-Id',
'"204.178.9.131"'), ('Tunnel-Client-Endpoint:0', '"204.178.9.131"'),
('NAS-IP-Address', '135.207.5.9'), ('NAS-Port-Type', 'Virtual'))
User-Name: "jw701e%1307649138237"
User-Password: "||\027\327j=\225\035|\376\0221\376j\366`"
NAS-Port: 2017
Service-Type: Framed-User
Framed-Protocol: PPP
Called-Station-Id: "204.178.3.9"
Calling-Station-Id: "204.178.9.131"
Tunnel-Client-Endpoint:0: "204.178.9.131"
NAS-IP-Address: 135.207.5.9
NAS-Port-Type: Virtual
User: jw701e%1307649138237 Pwd: ||\027\327j=\225\035|\376\0221\376j\366`
Userid: jw7...@research.att.com Pwd: 1307649138237
Authenticate User: jw701e
SAFE authentication successful: jw701e
++[python] returns ok
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = PYTHON
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PYTHON {...}
++[python] returns ok
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 173 to 135.207.5.9 port 1936
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 173 with timestamp +13
Ready to process requests.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
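Both symptoms in this post, a NAS reporting an invalid reply digest and a User-Password that shows up as random-looking bytes, are governed by the two shared-secret computations of RFC 2865: the User-Password hiding (section 5.2) and the Response Authenticator (section 3). The following is an added example, not code from the thread or from FreeRADIUS; the secrets and the Request Authenticator it is exercised with are constructed values, and it shows what each side computes so a mismatch on either side can be reasoned about.

```python
# Added example; not code from the list thread or from FreeRADIUS.
import hashlib
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Hide User-Password as the NAS does (RFC 2865 section 5.2): null-pad to
    a 16-byte multiple, then XOR each block with MD5(secret + previous hidden
    block), using the 16-byte Request Authenticator for the first block."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Undo the hiding, as the server does before any module sees the value.

    If the server's secret for this client differs from the one the NAS used,
    the result is high-entropy bytes rather than the typed password.
    """
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           req_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def client_accepts_reply(code: int, ident: int, attrs: bytes, req_auth: bytes,
                         reply_auth: bytes, client_secret: bytes) -> bool:
    """The NAS-side check whose failure is reported as an invalid reply digest."""
    return reply_auth == response_authenticator(code, ident, attrs, req_auth,
                                                client_secret)
```

FreeRADIUS performs the `reveal_password` step with the secret from the matching `clients.conf` entry before the authorize section runs, so a module never has to decrypt User-Password itself. A value that still looks random at that point is exactly what a secret mismatch between the two sides produces.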


Re: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2011-05-18 Thread Jim Whitescarver
Thanks, Alan, it works!

We had the same issue with python auths being serialized that we had
with pam, but running out of debug mode fixed the issue. Pam probably
would have worked if we tried that, but it was a pam_python module
anyway so it is better going directly to python.

Thanks again,

Jim

On Wed, May 18, 2011 at 1:44 AM, Alan DeKok  wrote:
> Jim Whitescarver wrote:
>> The only thing we want is python authentication.  I just commented out
>> everything else.  I will start again and try to minimize edits.  I am
>> rather clueless about the nature the minimum edits should have.
>
>  Add what you need.  The default configuration *works*.
>
>> It seems that every configuration file needs python in every section
>> for it to be recognized.
>
>  No.  You need to list "python" everywhere you want it to be *used*.
>
>> I don't think we want to use the "users" file.  We only want to call
>> the python module for any request.
>
>  That's just rude.
>
>  The first message you posted showed a "users" file entry, and wondered
> why it didn't work.  Now you say you don't want to use it.
>
>  Figure out what you want to do.  The majority of the issues you're
> having are due to inconsistency.
>
>> It's not clear why we would leave other stuff in if we are not using
>> anything but the python module.
>
>  Because you don't understand what it does.  If you don't understand
> it, deleting it is wrong.
>
>  "Hey, I don't understand what this widget is on my car engine.  I'll
> just rip it off.  Hmm, my car no longer works.  I know... I'll blame the
> mechanic!"
>
>  You wouldn't do that to a car mechanic.  Don't do it here.
>
>  Alan DeKok.



Re: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2011-05-17 Thread Jim Whitescarver
On Tue, May 17, 2011 at 3:08 PM, Alan DeKok  wrote:
> Jim Whitescarver wrote:
>> But, after successfully calling our python module the user is rejected
>>
>> ERROR: No authenticate method (Auth-Type) found for the request:
>> Rejecting the user
>
>   Don't edit the default configuration and break it.

The only thing we want is python authentication.  I just commented out
everything else.  I will start again and try to minimize edits.  I am
rather clueless about the nature the minimum edits should have.

It seems that every configuration file needs python in every section
for it to be recognized.

>> Any ideas of what we may be doing wrong?
>
>  (1) Run the server in debugging mode.  "-Xx" gives *too* much information
>
>  (2) If you want to use the "users" file, *DON'T* delete "files" from
> the "authorize" section.

I don't think we want to use the "users" file.  We only want to call
the python module for any request.

>  All of the work you put into "simplifying" the configuration files was
> wasted.  If you don't understand how the server works, change as little
> as possible.

We will try again.

It's not clear why we would leave other stuff in if we are not using
anything but the python module.

Thanks for the tips.

Jim.



ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2011-05-17 Thread Jim Whitescarver
I am hoping someone can help me.  We compiled 2.1.x from source and
finally got it to accept our python Auth-Type as the default in the
users file.

DEFAULT Auth-Type := python

But, after successfully calling our python module the user is rejected

ERROR: No authenticate method (Auth-Type) found for the request:
Rejecting the user

Below is the complete log.

Any ideas of what we may be doing wrong?

Thanks,

Jim

Tue May 17 14:15:37 2011 : Debug: Listening on proxy address * port 1814
Tue May 17 14:15:37 2011 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 135.207.164.41 port 49346,
id=131, length=55
User-Name = "owk"
User-Password = "test123"
NAS-IP-Address = 135.207.164.41
NAS-Port = 1812
Tue May 17 14:15:50 2011 : Info: # Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
Tue May 17 14:15:50 2011 : Info: +- entering group authorize {...}
Tue May 17 14:15:50 2011 : Info: ++[preprocess] returns ok
*** authorize ***

Tue May 17 14:15:50 2011 : Info: *** radlog call in authorize ***


(('User-Name', '"owk"'), ('User-Password', '"test123"'),
('NAS-IP-Address', '135.207.164.41'), ('NAS-Port', '1812'))
User-Name: "owk"
User-Password: "test123"
NAS-IP-Address: 135.207.164.41
NAS-Port: 1812
Authenticate User: owk
Tue May 17 14:16:16 2011 : Info: ++[python] returns ok
Tue May 17 14:16:16 2011 : Info: ERROR: No authenticate method
(Auth-Type) found for the request: Rejecting the user
Tue May 17 14:16:16 2011 : Info: Failed to authenticate the user.
Tue May 17 14:16:16 2011 : Info: Using Post-Auth-Type Reject
Tue May 17 14:16:16 2011 : Info: # Executing group from file
/usr/local/etc/raddb/sites-enabled/default
Tue May 17 14:16:16 2011 : Info: +- entering group REJECT {...}
Tue May 17 14:16:16 2011 : Info: [attr_filter.access_reject]
expand: %{User-Name} -> owk
Tue May 17 14:16:16 2011 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Tue May 17 14:16:16 2011 : Info: ++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 131 to 135.207.164.41 port 49346
Tue May 17 14:16:16 2011 : Info: Finished request 0.
Tue May 17 14:16:16 2011 : Debug: Going to the next request
Tue May 17 14:16:16 2011 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 135.207.164.41 port 49346,
id=131, length=55
Tue May 17 14:16:16 2011 : Info: Sending duplicate reply to client
five-10 port 49346 - ID: 131
Sending Access-Reject of id 131 to 135.207.164.41 port 49346
Tue May 17 14:16:16 2011 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 135.207.164.41 port 49346,
id=131, length=55
Tue May 17 14:16:16 2011 : Info: Sending duplicate reply to client
five-10 port 49346 - ID: 131
Sending Access-Reject of id 131 to 135.207.164.41 port 49346
Tue May 17 14:16:16 2011 : Debug: Waking up in 4.9 seconds.
Tue May 17 14:16:21 2011 : Info: Cleaning up request 0 ID 131 with timestamp +13
Tue May 17 14:16:21 2011 : Info: Ready to process requests.