NEW NAS Password Doesn't Authenticate
From the logs I interpret, the error is incorrect password for the user. Is
this correct interpretation?
I believe we have added in the NAS correctly to the clients file.
Also the username and password, we are testing, authenticates both locally
and from another NAS, without issue.
Here is an excerpt of our radius -X
FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar 31
2010 at 00:25:31
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
client 192.168.1.239 {
require_message_authenticator = no
secret = FreeRADIUS
shortname = New_NAS
}
rad_recv: Access-Request packet from host 192.168.1.239 port 1645, id=30,
length=140
Framed-Protocol = PPP
User-Name = usern...@domain.com
User-Password = password
NAS-Port-Type = Virtual
NAS-Port = 0
NAS-Port-Id = 0/0/1/2890
Cisco-AVPair = client-mac-address=a820.6654.6a6f
Service-Type = Framed-User
NAS-IP-Address = 192.168.1.239
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm domain.com for User-Name = usern...@domain.com
[suffix] Found realm domain.com
[suffix] Adding Stripped-User-Name = username
[suffix] Adding Realm = domain.com
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++? if (control:Auth-Type == Reject)
(Attribute control:Auth-Type was not found)
++- entering else else {...}
[sql] expand: %{Stripped-User-Name} - username
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} - username
[sql] sql_set_user escaped user -- 'username'
rlm_sql (sql): Reserving sql socket id: 23
[sql] expand: SELECT '1' as id, userId as username, 'Cleartext-Password' as
attribute, checkNASIPPassword(
'%{NAS-IP-Address}','%{SQL-User-Name}') as value, ':=' as op FROM
radiusUsers WHERE userId = '%{SQL-User-Name}' ORDER BY
id - SELECT '1' as id, userId as username, 'Cleartext-Password' as
attribute, checkNASIPPassword( '192.168.1.239','username') as
value, ':=' as op FROM radiusUsers WHERE userId =
'username' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT '1' as id, userId as username, 'Framed-IP-Address' as
attribute,
assignIPAddress('%{NAS-IP-Address}','%{SQL-User-Name}') as value, '==' as
op FROM radiusUsers WHERE userId = '%{SQL-User-Name}'
ORDER BY id - SELECT '1' as id, userId as username,
'Framed-IP-Address' as attribute,
assignIPAddress('192.168.1.239','username') as value, '==' as op
FROM radiusUsers WHERE userId = 'username' ORDER BY id
[sql] expand: SELECT userID as groupname FROM radiusUsers
WHERE userId = '**-Not-Using-Groups-**' - SELECT userID as groupname
FROM radiusUsers WHERE userId = '**-Not-Using-Groups-**'
rlm_sql (sql): Released sql socket id: 23
+++[sql] returns ok
++- else else returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password password
[pap] Using clear text password **-User-Not-Allowed-To-Use-This-NAS-**
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [
usern...@domain.com/password] (from client SHL-BRAS-01_239 port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - usern...@domain.com
attr_filter: Matched entry DEFAULT attrt line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 30 to 192.168.1.239 port 1645
Finished request 70.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: NEW NAS Password Doesn't Authenticate
Understood, however I am not the one who set this up or created the non-default configuration. Any other guidance is greatly appreciated. Thanks- On Tue, Aug 20, 2013 at 8:30 PM, Alan DeKok al...@deployingradius.comwrote: mr. s wrote: From the logs I interpret, the error is incorrect password for the user. Is this correct interpretation? No. [pap] Using clear text password **-User-Not-Allowed-To-Use-This-NAS-** This is not in the default configuration. You're supposed to understand the configuration you created. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: NEW NAS Password Doesn't Authenticate
And thats the rub, thanks very very much. It is a stored query in our sql. Easy once you know where its at. On Tue, Aug 20, 2013 at 9:54 PM, Alan DeKok al...@deployingradius.comwrote: mr. s wrote: Understood, however I am not the one who set this up or created the non-default configuration. Any other guidance is greatly appreciated. Ask the people who created this configuration. We didn't create it, and we don't have access to your system to debug it. The data is in SQL. Look at it. The password **-User-Not-Allowed-To-Use-This-NAS-** should explain itself. Does it suggest anything to you? Perhaps you should look at your SQL queries and your SQL database to see what's going on. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radperf unavailable?
Is there any another location to get Radperf? It is still unavailable, or returning a 405 error. Cheers - On Fri, Oct 26, 2012 at 7:21 AM, Alan DeKok al...@deployingradius.comwrote: Marius Booysen wrote: I see that there is a problem downloading Radperf from networkradius.com. Does anybody know if it will become available once again at some point? I'll try to get it back online in a few weeks. Are there any other benchmarking utilities for Freeradius? Most are pretty simple, or very expensive. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Failed login lockout protection in FreeRADIUS
For edification, what its worth.. Heres the question asked by the author of the article, I was referring to, and the answer from Alan D. -- Here’s my question and response from Alan T DeKok al...@freeradius.org about this. You can check with him on more details if needed or send to the mailing list. ** ** Does FR support an account lockout feature to block users after so many failed password attempts? ** ** Yes. It's not enabled in the default configuration, but you can make *any* policy decision based on *any* data source, including logs. Cheers - On Fri, Sep 14, 2012 at 10:25 AM, Marinko Tarlać mangi...@gmail.com wrote: Nice option but please keep in mind that suspended routers can behave like a brute force attacker and you'll lock them too. On 14.9.2012 15:36, Phil Mayers wrote: On 14/09/12 13:57, mr. s wrote: Hello, I was reading an article in computer world comparing a few RADIUS servers. It said that FreeRADIUS had failed login lockout protection, however I can't find that particular verbiage in the FreeRADIUS documentation, FAQ or HowTos. What are you asking here? How to lock out a user after X failed logins? - List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Failed login lockout protection in FreeRADIUS
Hello, I was reading an article in computer world comparing a few RADIUS servers. It said that FreeRADIUS had failed login lockout protection, however I can't find that particular verbiage in the FreeRADIUS documentation, FAQ or HowTos. Can anyone point me to what this may be referring to or clear up my confusion. Thanks for your time. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
users file - file module
Hello, I am new to FreeRADIUS.. Does the files module periodically reload the users file into memory, if so how often? Thanks for your time. -S - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
