Re: some users not authenticating

2006-03-08 Thread Kevin Bonner
On Friday 03 March 2006 03:18, Tony Spencer wrote:
> So I put
>
> DEFAULT Auth-Type := Accept
>
> Everyone will be authenticated??
> If that is so will the other attributes against the username in the users
> file still be applied, such as IP address, if that user is in the file?
>
> Tony

That is the correct syntax to override any previous Auth-Type.  And yes, 
attributes in the users file should still be sent with the reply packet.

Kevin Bonner


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: some users not authenticating

2006-03-03 Thread Tony Spencer
So I put 

DEFAULT Auth-Type := Accept

Everyone will be authenticated??
If that is so will the other attributes against the username in the users
file still be applied, such as IP address, if that user is in the file?

Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: 02 March 2006 18:52
To: FreeRadius users mailing list
Subject: Re: some users not authenticating

Tony Spencer [EMAIL PROTECTED] wrote:
> DEFAULT Auth-Type = Accept

  Read man users.  This means accept, unless another module has
already set Auth-Type.

  Alan DeKok.



some users not authenticating

2006-03-02 Thread Tony Spencer

I've got, well think I have, radius to accept all logins no
matter what password they send.

However some users still cannot login, it's around 10 users out of 200.

I'll show details for one user that can login ok and one user
that can't.

I'm guessing it's something the end user is doing because
they all come in via the same NAS and have exactly the same radius entry.

If I can get around this by just accepting anything that would be
ideal, since our realm is the only radius logins that are sent to us.

Here is a user that can't login:

##
Thu Mar 2 09:59:03 2006 : Auth: Login incorrect (rlm_chap: Clear text password not available): [EMAIL PROTECTED]/CHAP-Password] (from client l2tp port 510)
##

Here is someone that did authenticate ok:

##
Thu Mar 2 09:55:26 2006 : Auth: Login OK: [EMAIL PROTECTED]/CHAP-Password] (from client l2tp port 492)
##

My users file has:

##
DEFAULT Auth-Type = Accept
##

And the entries for both users above are identical apart from the
username and IP assignment:

##
[EMAIL PROTECTED] Auth-Type := Accept
 Service-Type = Framed-User,
 Framed-Protocol = PPP,
 Framed-Address = 192.168.0.1,
 Framed-Netmask = 255.255.255.255,
 Framed-Compression = Van-Jacobsen-TCP-IP,

[EMAIL PROTECTED] Auth-Type := Accept
 Service-Type = Framed-User,
 Framed-Protocol = PPP,
 Framed-Address = 192.168.0.2,
 Framed-Netmask = 255.255.255.255,
 Framed-Compression = Van-Jacobsen-TCP-IP,
##

Here is some radius debug first for the user that can't login:

##
rad_recv: Access-Request packet from host 10.0.0.2:1645, id=46, length=98
 Framed-Protocol = PPP
 User-Name =  [EMAIL PROTECTED]
 CHAP-Password = 0x01295999be562b2eab944deb9647c5a664
 NAS-Port-Type = Virtual
 NAS-Port = 563
 Service-Type = Framed-User
 NAS-IP-Address = 10.0.0.2
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 modcall[authorize]: module preprocess returns ok for request 1
 rlm_chap: Setting 'Auth-Type := CHAP'
 modcall[authorize]: module chap returns ok for request 1
 modcall[authorize]: module mschap returns noop for request 1
 rlm_realm: Looking up realm dsl.realm.com for User-Name =  [EMAIL PROTECTED]
 rlm_realm: No such realm dsl.realm.com
 modcall[authorize]: module suffix returns noop for request 1
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 1
 users: Matched DEFAULT at 152
 modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns ok for request 1
 rad_check_password: Found Auth-Type CHAP
auth: type CHAP
 Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
 rlm_chap: login attempt by  [EMAIL PROTECTED] with CHAP password
 rlm_chap: Could not find clear text password for user [EMAIL PROTECTED]
 modcall[authenticate]: module chap returns invalid for request 1
modcall: group Auth-Type returns invalid for request 1
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available): [ [EMAIL PROTECTED]/CHAP-Password] (from client l2tp port 563)
##

And a user that can login:

##
rad_recv: Access-Request packet from host 10.0.0.2:1645, id=200, length=97
 Framed-Protocol = PPP
 User-Name = [EMAIL PROTECTED]
 CHAP-Password = 0x012d51dff5b1bda7f6a370e79ff84e0dcf
 NAS-Port-Type = Virtual
 NAS-Port = 717
 Service-Type = Framed-User
 NAS-IP-Address = 10.0.0.2
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
 modcall[authorize]: module preprocess returns ok for request 2
 rlm_chap: Setting 'Auth-Type := CHAP'
 modcall[authorize]: module chap returns ok for request 2
 modcall[authorize]: module mschap returns noop for request 2
 rlm_realm: Looking up realm dsl.realm.com for User-Name = [EMAIL PROTECTED]
 rlm_realm: No such realm dsl.realm.com
 modcall[authorize]: module suffix returns noop for request 2
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 2
 users: Matched DEFAULT at 152
 users: Matched [EMAIL PROTECTED] at 243
 modcall[authorize]: module files returns ok for request 2
modcall: group authorize returns ok for request 2
 rad_check_password: Found Auth-Type Accept
 rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [EMAIL PROTECTED]/CHAP-Password] (from client l2tp port 717)
Sending Access-Accept of id 200 to 10.0.0.2:1645
 Service-Type = Framed-User
 Framed-Protocol = PPP
 Framed-IP-Address = 192.168.0.2
 Framed-IP-Netmask = 255.255.255.255
 Framed-Compression = Van-Jacobson-TCP-IP
Finished request 2
##

I can see that it seems user33 is sending a blank white space before
his username, but I don't see that this would make a difference since I'm
accepting everything anyway. And from the command line I can use radtest
and send blank spaces and it works fine. Although I do see that the user 

Re: some users not authenticating

2006-03-02 Thread Alan DeKok
Tony Spencer [EMAIL PROTECTED] wrote:
> DEFAULT Auth-Type = Accept

  Read man users.  This means accept, unless another module has
already set Auth-Type.

  Alan DeKok.
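
The operator behaviour discussed in this thread, as an added example that is not part of any poster's message and is not FreeRADIUS code: a simplified Python model of how `=` and `:=` on Auth-Type interact with the value rlm_chap sets first, and of which users-file entries contribute reply items. The user names, the exact-match comparison on User-Name and the assumption that DEFAULT falls through to later entries are illustrative.

```python
# Simplified model of how users-file check items merge into a request's
# config items. Added illustration, not FreeRADIUS source code.
# Assumptions: constructed user names, DEFAULT falls through to later
# entries, and the files module compares User-Name exactly.

def apply_check(config, attr, op, value):
    """Merge one check item according to its operator."""
    if op == ":=":
        config[attr] = value            # always replaces an earlier value
    elif op == "=":
        config.setdefault(attr, value)  # sets only if nothing set it before
    else:
        raise ValueError(f"operator {op!r} not modelled")


def authorize(user_name, users_file, chap_request=True):
    """Return (Auth-Type, matched entry names, reply items) for one request."""
    config, reply, matched = {}, {}, []
    if chap_request:
        # The chap module runs before files and sets Auth-Type := CHAP.
        apply_check(config, "Auth-Type", ":=", "CHAP")
    for name, check, reply_items in users_file:
        if name == "DEFAULT" or name == user_name:
            matched.append(name)
            apply_check(config, *check)
            reply.update(reply_items)
    return config.get("Auth-Type"), matched, reply


def build_users(default_op):
    """Constructed users file mirroring the layout shown in the thread."""
    return [
        ("DEFAULT", ("Auth-Type", default_op, "Accept"), {}),
        ("user33@example.test", ("Auth-Type", ":=", "Accept"),
         {"Framed-IP-Address": "192.168.0.1"}),
        ("user2@example.test", ("Auth-Type", ":=", "Accept"),
         {"Framed-IP-Address": "192.168.0.2"}),
    ]


if __name__ == "__main__":
    for op in ("=", ":="):
        for who in (" user33@example.test", "user2@example.test"):
            print(f"DEFAULT {op:2} {who!r:24} ->", authorize(who, build_users(op)))
```

With `DEFAULT Auth-Type := Accept` the model accepts the space-prefixed name, but only DEFAULT matches, so that request gets no per-user Framed-IP-Address.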
