Access request-access reject
> users: Matched entry DEFAULT at line 153
> users: Matched entry abc at line 216
> modcall[authorize]: module files returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
> rlm_pap: Found existing Auth-Type, not changing it.
> rad_check_password: Found Auth-Type System
> modcall[authenticate]: module unix returns notfound for request 0
>
> It shouldn't be using an auth-type of System, that means to look up the user in the /etc/passwd (/etc/shadow) file. But you don't have a user on your system named abc so the not found result makes sense, right?
>
> Why is it trying to find abc amongst the unix users on your system? The answer is right above, look at the lines labeled users:, that's your users file, also look at the line that says Found Auth-Type, not changing it.
>
> So something in your users file forced the user abc to have an Auth-Type of system or unix, it also tells you which lines in the users files it matched. Go fix your users file so it doesn't do that.

I found in users file that line:

    DEFAULT Auth-Type = System

I decommented it but same problem. I think I must change it to other attribute?

> I'm guessing in your attempts to get things working you may have mangled the example users file, you might want to start with the unaltered users file and just add your test user.
>
> All this is documented in the link I sent you a week ago:
>
> http://deployingradius.com/documents/configuration/pap.html
>
> --
> John Dennis jden...@redhat.com

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Access request-access reject
Hi,

> I found in users file that line:
>
>     DEFAULT Auth-Type = System

comment this line out and restart the daemon

remove calls to 'unix' from your configuration if you don't want to even think about /etc/passwd

alan
RE: Access request-access reject
> Date: Thu, 13 May 2010 11:01:10 +0100
> From: a.l.m.bu...@lboro.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Access request-access reject
>
> Hi,
>
> > I found in users file that line:
> >
> >     DEFAULT Auth-Type = System
>
> comment this line out and restart the daemon
>
> remove calls to 'unix' from your configuration if you don't want to even think about /etc/passwd

I commented it like that:

    #DEFAULT Auth-Type = System
            Fall-Through = 1

also in file radiusd.conf:

    authenticate {
            #
            # PAP authentication, when a back-end database listed
            # in the 'authorize' section supplies a password. The
            # password can be clear-text, or encrypted.
            Auth-Type PAP {
                    pap
            }

            #
            # Most people want CHAP authentication
            # A back-end database listed in the 'authorize' section
            # MUST supply a CLEAR TEXT password. Encrypted passwords
            # won't work.
            Auth-Type CHAP {
                    chap
            }

            #
            # MSCHAP authentication.
            Auth-Type MS-CHAP {
                    mschap
            }

            #
            # If you have a Cisco SIP server authenticating against
            # FreeRADIUS, uncomment the following line, and the 'digest'
            # line in the 'authorize' section.
            #digest

            #
            # Pluggable Authentication Modules.
            #pam

            #
            # See 'man getpwent' for information on how the 'unix'
            # module checks the users password. Note that packets
            # containing CHAP-Password attributes CANNOT be authenticated
            # against /etc/passwd! See the FAQ for details.
            # unix

            # Uncomment it if you want to use ldap for authentication
            #
            # Note that this means check plain-text password against
            # the ldap database, which means that EAP won't work,
            # as it does not supply a plain-text password.
            #Auth-Type LDAP {
            #ldap
            #}

            #
            # Allow EAP authentication.
            eap
    }

I commented :unix ...

and I have this output in the daemon:

    Ready to process requests.
    rad_recv: Access-Request packet from host 127.0.0.1:40128, id=130, length=55
            User-Name = abc
            User-Password = 123
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 1812
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    modcall[authorize]: module chap returns noop for request 0
    modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = abc, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 0
    rlm_eap: No EAP-Message, not doing EAP
    modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 153
    users: Matched entry abc at line 216
    modcall[authorize]: module files returns ok for request 0
    rlm_pap: Found existing Auth-Type, not changing it.
    modcall[authorize]: module pap returns noop for request 0
    modcall: leaving group authorize (returns ok) for request 0
    rad_check_password: Found Auth-Type System
    auth: type System
    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 0
    modcall[authenticate]: module unix returns notfound for request 0
    modcall: leaving group authenticate (returns notfound) for request 0
    auth: Failed to validate the user.
    Delaying request 0 for 1 seconds
    Finished request 0
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Sending Access-Reject of id 130 to 127.0.0.1 port 40128
    Waking up in 4 seconds...
    --- Walking the entire request list ---
    Cleaning up request 0 ID 130 with timestamp 4bebd86e
    Nothing to do. Sleeping until we see a request.

> alan
Re: Access request-access reject
Hi,

> > comment this line out and restart the daemon
> >
> > remove calls to 'unix' from your configuration if you don't want to even think about /etc/passwd
>
> I commented it like that:
>
>     #DEFAULT Auth-Type = System
>             Fall-Through = 1

comment out both lines. the DEFAULT line and the fall-through

and you didn't read my original email...which is a pity, where I said to comment out calls to 'unix' in your config if you don't use it or need it.

as you are not reading what I am telling you then I'm afraid I won't bother replying to you again over this issue :-(

alan
RE: Access request-access reject
No plz sorry, I'm not so well in English.

Thank you Alan :)))

It's working now, see it:

    r...@pfe-laptop:/home/pfe# radtest abc 123 localhost 1812 testing123
    Sending Access-Request of id 185 to 127.0.0.1 port 1812
            User-Name = abc
            User-Password = 123
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 1812
    rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=185, length=20

thakkksss

> Date: Thu, 13 May 2010 13:07:45 +0100
> From: a.l.m.bu...@lboro.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Access request-access reject
>
> Hi,
>
> > > comment this line out and restart the daemon
> > >
> > > remove calls to 'unix' from your configuration if you don't want to even think about /etc/passwd
> >
> > I commented it like that:
> >
> >     #DEFAULT Auth-Type = System
> >             Fall-Through = 1
>
> comment out both lines. the DEFAULT line and the fall-through
>
> and you didn't read my original email...which is a pity, where I said to comment out calls to 'unix' in your config if you don't use it or need it.
>
> as you are not reading what I am telling you then I'm afraid I won't bother replying to you again over this issue :-(
>
> alan
sending Access-request, Access-Reject
Hi,

can someone help me in that

I add a users : abc cleartext-password:=123

and I run freeradius -X

after that I do:

    r...@pfe-laptop:/home/pfe# radtest abc 123 localhost 1812 testing123
    Sending Access-Request of id 48 to 127.0.0.1 port 1812
            User-Name = abc
            User-Password = 123
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 1812
    rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=48, length=20

and this is the output of daemon:

    Ready to process requests.
    rad_recv: Access-Request packet from host 127.0.0.1:41804, id=48, length=55
            User-Name = abc
            User-Password = 123
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 1812
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    modcall[authorize]: module chap returns noop for request 0
    modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = abc, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 0
    rlm_eap: No EAP-Message, not doing EAP
    modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 153
    users: Matched entry abc at line 216
    modcall[authorize]: module files returns ok for request 0
    rlm_pap: Found existing Auth-Type, not changing it.
    modcall[authorize]: module pap returns noop for request 0
    modcall: leaving group authorize (returns ok) for request 0
    rad_check_password: Found Auth-Type System
    auth: type System
    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 0
    modcall[authenticate]: module unix returns notfound for request 0
    modcall: leaving group authenticate (returns notfound) for request 0
    auth: Failed to validate the user.
    Delaying request 0 for 1 seconds
    Finished request 0
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Sending Access-Reject of id 48 to 127.0.0.1 port 41804
    Waking up in 4 seconds...
    --- Walking the entire request list ---
    Cleaning up request 0 ID 48 with timestamp 4beb3ff9
    Nothing to do. Sleeping until we see a request.
Re: sending Access-request, Access-Reject
On 05/12/2010 08:01 PM, dorra aa wrote:
> hi can someone help me in that
> i add a users : abc cleartext-password:=123

It's right there in the debug output

> users: Matched entry DEFAULT at line 153
> users: Matched entry abc at line 216
> modcall[authorize]: module files returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
> rlm_pap: Found existing Auth-Type, not changing it.
> rad_check_password: Found Auth-Type System
> modcall[authenticate]: module unix returns notfound for request 0

It shouldn't be using an auth-type of System, that means to look up the user in the /etc/passwd (/etc/shadow) file. But you don't have a user on your system named abc so the not found result makes sense, right?

Why is it trying to find abc amongst the unix users on your system? The answer is right above, look at the lines labeled users:, that's your users file, also look at the line that says Found Auth-Type, not changing it.

So something in your users file forced the user abc to have an Auth-Type of system or unix, it also tells you which lines in the users files it matched. Go fix your users file so it doesn't do that.

I'm guessing in your attempts to get things working you may have mangled the example users file, you might want to start with the unaltered users file and just add your test user.

All this is documented in the link I sent you a week ago:

http://deployingradius.com/documents/configuration/pap.html

--
John Dennis jden...@redhat.com
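
Added example, not part of the original thread and not FreeRADIUS code: a Python helper that reads debug output in the format quoted above and reports which users-file entries matched, which Auth-Type was selected, and why the request was rejected. The function name diagnose and the field names it returns are assumptions made for this example; the sample lines are copied from the failing request in the thread.

```python
import re

# Debug lines copied from the failing request quoted in this thread.
SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1:41804, id=48, length=55
users: Matched entry DEFAULT at line 153
users: Matched entry abc at line 216
modcall[authorize]: module files returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module pap returns noop for request 0
rad_check_password: Found Auth-Type System
modcall[authenticate]: module unix returns notfound for request 0
auth: Failed to validate the user.
Sending Access-Reject of id 48 to 127.0.0.1 port 41804
"""

MATCHED = re.compile(r"users: Matched entry (\S+) at line (\d+)")
AUTH_TYPE = re.compile(r"rad_check_password: Found Auth-Type (\S+)")
MODULE = re.compile(r"modcall\[(\w+)\]: module (\S+) returns (\w+)")
REPLY = re.compile(r"Sending (Access-\w+) of id (\d+)")


def diagnose(log_text):
    """Summarise one request from debug output (hypothetical helper)."""
    info = {"matched": [], "auth_type": None, "authenticate": [],
            "pap_skipped": False, "reply": None, "findings": []}
    for line in log_text.splitlines():
        line = line.strip()
        if m := MATCHED.search(line):
            info["matched"].append((m.group(1), int(m.group(2))))
        elif m := AUTH_TYPE.search(line):
            info["auth_type"] = m.group(1)
        elif m := MODULE.search(line):
            if m.group(1) == "authenticate":
                info["authenticate"].append((m.group(2), m.group(3)))
        elif "Found existing Auth-Type, not changing it" in line:
            info["pap_skipped"] = True
        elif m := REPLY.search(line):
            info["reply"] = m.group(1)
    # The pattern pointed out in the reply above: a users-file entry set
    # Auth-Type before pap ran, so the unix module searched /etc/passwd.
    if info["pap_skipped"] and info["auth_type"] == "System":
        where = ", ".join(f"{name} (line {n})" for name, n in info["matched"])
        info["findings"].append(
            f"Auth-Type System was forced by a users-file entry; check {where}")
    if ("unix", "notfound") in info["authenticate"]:
        info["findings"].append("unix module: user not in /etc/passwd or /etc/shadow")
    return info
```

Calling diagnose(SAMPLE) returns the matched entries DEFAULT (line 153) and abc (line 216) together with both findings, which is the same reading of the log given in the reply above.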