Re: pap always returns noop for windows dialup authentication [solved]
On Mon, 23 Sep 2013 at 22:03, Phil Mayers opined:
PM:Carefully examine the two entries on line 1 and 172, determine what's
PM:different, examine the unredacted data in the packets, and correct it.

hi phil - thanks for the advice, i figured out that placement of the $INCLUDE statement (and user info in general) in the users file is important for windows authentication. strangely enough, it doesn't seem to matter for a linux dialup, though.

thanks to everyone for the help!

regards,
paul
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
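As an added illustration, not code from any poster or from FreeRADIUS itself, here is a small Python simulator of the rule the rlm_files module applies to the users file: entries are tried top to bottom, and the first one whose name (or DEFAULT) and check items match against the request is taken; later entries are never looked at unless the matched entry carries Fall-Through = Yes. The two requests are constructed to carry the attributes that differ between the two packets posted in this thread (Service-Type = Login-User from the linux box, Framed-Protocol = PPP from the windows box). The sample users files are constructed too; their DEFAULT entry copies the shape of the stock 2.x file's "DEFAULT Framed-Protocol == PPP" entry, but whether that is what sits on line 172 of paul's file is an assumption the thread does not confirm.

```python
"""Simulate rlm_files first-match semantics over a users file (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed users files (not the poster's real file).  The DEFAULT entry
# mirrors the stock FreeRADIUS 2.x PPP entry; line numbers are ours.
USERS_ENTRY_BELOW_DEFAULT = """\
DEFAULT\tFramed-Protocol == PPP
\tFramed-Protocol = PPP,
\tFramed-Compression = Van-Jacobson-TCP-IP

test\tCleartext-Password := "testing"
"""

USERS_ENTRY_ABOVE_DEFAULT = """\
test\tCleartext-Password := "testing"

DEFAULT\tFramed-Protocol == PPP
\tFramed-Protocol = PPP,
\tFramed-Compression = Van-Jacobson-TCP-IP
"""

USERS_DEFAULT_WITH_FALL_THROUGH = """\
DEFAULT\tFramed-Protocol == PPP
\tFramed-Protocol = PPP,
\tFramed-Compression = Van-Jacobson-TCP-IP,
\tFall-Through = Yes

test\tCleartext-Password := "testing"
"""

# Constructed requests shaped like the two packets in the thread.
WINDOWS_PPP_REQUEST = {'User-Name': 'test', 'User-Password': 'testing',
                       'Service-Type': 'Framed-User', 'Framed-Protocol': 'PPP'}
LINUX_LOGIN_REQUEST = {'User-Name': 'test', 'User-Password': 'testing',
                       'Service-Type': 'Login-User'}

# "Attr op value" items, comma separated; values may be double-quoted.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|!=|:=|=)\s*("[^"]*"|[^,\s]+)\s*,?')


def _parse_items(text: str) -> List[Tuple[str, str, str]]:
    """Split 'Attr op value, Attr op value' into (attr, op, value) triples."""
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_users_file(text: str) -> List[dict]:
    """Parse a users file: an unindented line starts an entry (name + check
    items), indented lines below it are the entry's reply items."""
    entries: List[dict] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] in ' \t':
            if entries:
                entries[-1]['reply'].extend(_parse_items(line))
            continue
        parts = line.split(None, 1)
        entries.append({'line': lineno, 'name': parts[0],
                        'check': _parse_items(parts[1]) if len(parts) > 1 else [],
                        'reply': []})
    return entries


def entry_matches(entry: dict, request: Dict[str, str]) -> bool:
    """Simplified rlm_files check-item semantics: the entry name must be
    DEFAULT or equal to User-Name, and every == / != check item must hold.
    ':=' items (e.g. Cleartext-Password) are control items that get set,
    not compared, so they never prevent a match."""
    if entry['name'] != 'DEFAULT' and entry['name'] != request.get('User-Name'):
        return False
    for attr, op, value in entry['check']:
        if op == '==' and request.get(attr) != value:
            return False
        if op == '!=' and request.get(attr) == value:
            return False
    return True


def matched_entries(users_text: str, request: Dict[str, str]) -> List[Tuple[int, str]]:
    """Walk the file top to bottom and stop at the first matching entry,
    unless that entry's reply items contain Fall-Through = Yes."""
    hits: List[Tuple[int, str]] = []
    for entry in parse_users_file(users_text):
        if not entry_matches(entry, request):
            continue
        hits.append((entry['line'], entry['name']))
        fall_through = any(a == 'Fall-Through' and v.lower() == 'yes'
                           for a, _, v in entry['reply'])
        if not fall_through:
            break
    return hits


def debug_lines(users_text: str, request: Dict[str, str]) -> List[str]:
    """Render the matches the way radiusd -X reports them for the files module."""
    return [f'[files] users: Matched entry {name} at line {line}'
            for line, name in matched_entries(users_text, request)]


if __name__ == '__main__':
    for label, text in (('entry below DEFAULT', USERS_ENTRY_BELOW_DEFAULT),
                        ('entry above DEFAULT', USERS_ENTRY_ABOVE_DEFAULT),
                        ('DEFAULT + Fall-Through', USERS_DEFAULT_WITH_FALL_THROUGH)):
        for kind, req in (('windows/PPP', WINDOWS_PPP_REQUEST),
                          ('linux/login', LINUX_LOGIN_REQUEST)):
            print(f'{label:24s} {kind:12s} -> {matched_entries(text, req)}')
```

With the user's entry (or the $INCLUDE that pulls it in) below a PPP-only DEFAULT, the windows/PPP request is swallowed by the DEFAULT entry and the Cleartext-Password is never set, so pap has no known good password and returns noop, exactly the failure shown in the thread; the linux/login request carries no Framed-Protocol, skips that DEFAULT, and reaches the user's entry. Moving the entry above the DEFAULT, or giving the DEFAULT Fall-Through = Yes, makes both requests reach it.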
Re: pap always returns noop for windows dialup authentication [solved]
paul trader wrote:
> hi phil - thanks for the advice, i figured out that placement of the $INCLUDE statement (and user info in general) in the users file is important for windows authentication. strangely enough, it doesn't seem to matter for a linux dialup, though.

That is a *terrible* explanation. It's wrong and misleading.

It also contradicts your previous messages. You claimed you put the users file entry at line one of the file. But now you talk about a $INCLUDE statement.

So... which is it?

Alan DeKok.
Re: pap always returns noop for windows dialup authentication [solved]
On Tue, 24 Sep 2013 at 10:36, Alan DeKok opined:
AD: It also contradicts your previous messages. You claimed you put the
AD:users file entry at line one of the file. But now you talk about a
AD:$INCLUDE statement.
AD:
AD: So... which is it?

hi alan - well, i did both. at first the $INCLUDE was put at the bottom of the users file, and there was 1 entry in the included file, at line 1. i removed the $INCLUDE statement and put the username/password entry directly in the users file, but it was at the bottom where the $INCLUDE was removed from. either way the linux clients could authenticate but not the windows ones. only after i tried moving the entry directly under the 'steve' example did it start working, so i moved the $INCLUDE statement there too.

regards,
paul
Re: pap always returns noop for windows dialup authentication [solved]
paul trader wrote:
> hi alan - well, i did both. at first the $INCLUDE was put at the bottom of the users file, and there was 1 entry in the included file, at line 1.

Why do you have a $INCLUDE? You did NOT mention it in your other posts.

The help here presumes that you accurately describe what you're doing. If you're not doing that, the help will be unhelpful.

> i removed the $INCLUDE statement and put the username/password entry directly in the users file, but it was at the bottom where the $INCLUDE was removed from.

So when you were told to put the entry on line 1, you instead put it on the bottom of the file?

> either way the linux clients could authenticate but not the windows ones. only after i tried moving the entry directly under the 'steve' example did it start working, so i moved the $INCLUDE statement there too.

That makes absolutely no sense. Given your other mis-statements, I think you're wrong here, too.

When you follow the documentation and instructions here, it WILL WORK. Doing random other things will make it NOT WORK.

I have no idea what you're doing, or what you changed to make it work. And likely neither do you.

Alan DeKok.
Re: pap always returns noop for windows dialup authentication
On Mon, 23 Sep 2013 at 13:31, John Dennis opined:
JD:You still haven't sent the full debug.

hi john - thanks for your reply. i sent the output from running radiusd -X, are you saying i need to run -Xxx and send that instead? or are you looking for the startup output as well? i only included the output for the particular requests.

JD:Also, you said you were moving from v1 to v2, you can't just copy v1
JD:configs over, they're different, hope you weren't doing that.

i used a default v2 install and only changed the users and clients.conf files. everything else was left alone.

regards,
paul
Re: pap always returns noop for windows dialup authentication
On 23/09/13 17:33, paul trader wrote:
> am i doing something glaringly wrong, or just going plain crazy?

It's difficult to say, because the debug you sent has all the useful bits trimmed out - like the original packet, and the full module processing chain.

Send a full debug, and odds are someone will spot the issue.

Most likely is that the Windows machine is sending a different format of username e.g. DOMAIN\user, so whatever database you're doing a lookup for the password or hash - SQL, LDAP, files - isn't matching. But that's a guess - post the full debug.
Re: pap always returns noop for windows dialup authentication
On 09/23/2013 01:19 PM, paul trader wrote:
> On Mon, 23 Sep 2013 at 17:52, Phil Mayers opined:
> PM:It's difficult to say, because the debug you sent has all the useful
> PM:bits trimmed out - like the original packet, and the full module
> PM:processing chain.

You still haven't sent the full debug.

> hi phil - ok, here's the full debug for a successful request:
>
> [files] users: Matched entry test at line 1
>
> and here's the full output of a failed request:
>
> [files] users: Matched entry DEFAULT at line 172

So there's your answer, in the successful case it matched the entry for test on line 1, on the failed case it didn't match. So either you're not using the same users file (a full debug would have told us that) or you've got some criteria set for the test entry which isn't being matched.

Also, you said you were moving from v1 to v2, you can't just copy v1 configs over, they're different, hope you weren't doing that.

--
John
Re: pap always returns noop for windows dialup authentication
On Mon, 23 Sep 2013 at 17:52, Phil Mayers opined:
PM:It's difficult to say, because the debug you sent has all the useful
PM:bits trimmed out - like the original packet, and the full module
PM:processing chain.

hi phil - ok, here's the full debug for a successful request:

rad_recv: Access-Request packet from host x.x.x.x port 1812, id=37, length=133
	User-Name = test
	User-Password = testing
	User-Password = testing
	NAS-IP-Address = x.x.x.x
	NAS-Identifier = x.x.x.x
	NAS-Port = 2561
	Acct-Session-Id = 167773864
	Service-Type = Login-User
	Calling-Station-Id = xx
	Called-Station-Id = xxx
	NAS-Port-Type = Async
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry test at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password testing
[pap] Using clear text password testing
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 37 to x.x.x.x port 1812
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 37 with timestamp +676

and here's the full output of a failed request:

Ready to process requests.
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=35, length=121
	User-Name = test
	User-Password = testing
	NAS-IP-Address = x.x.x.x
	NAS-Identifier = x.x.x.x
	NAS-Port = 2561
	Acct-Session-Id = 167773862
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Calling-Station-Id = xx
	Called-Station-Id = xxx
	NAS-Port-Type = Async
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 35 to 64.214.93.3 port 1812
Waking up in 4.9 seconds.
Cleaning up request 0 ID 35 with timestamp +361

from what i can see, the successful request finds the user's entry in the user table, but the failed request doesn't (and uses DEFAULT instead). but the usernames passed in seem to be the same. i don't know, we've used freeradius for years and this is the 1st time i'm having a problem. weird.

regards,
paul
Re: pap always returns noop for windows dialup authentication
On 09/23/2013 02:07 PM, paul trader wrote:
> On Mon, 23 Sep 2013 at 13:31, John Dennis opined:
> JD:You still haven't sent the full debug.
>
> hi john - thanks for your reply. i sent the output from running radiusd -X, are you saying i need to run -Xxx and send that instead?

No. It means all the output from radiusd -X. Yes, that might seem like a lot but it contains useful information. But before you do send it to this list see below.

> or are you looking for the startup output as well? i only included the output for the particular requests.

That's not the full debug is it? :-)

> JD:Also, you said you were moving from v1 to v2, you can't just copy v1
> JD:configs over, they're different, hope you weren't doing that.
>
> i used a default v2 install and only changed the users and clients.conf files. everything else was left alone.

You have all the information you need to debug your problem. It does require reading the debug output carefully. But you should really try to do that yourself first. As I said earlier, verify you're reading the exact same users file in both cases (the debug output will tell you what files are being read). If they are, then look at your users file and determine why the user name is not matching; there is nothing magic about it, it should be straightforward. Still stumped? Then come back to the list for help.

--
John
Re: pap always returns noop for windows dialup authentication
paul trader wrote:
> i used a default v2 install and only changed the users and clients.conf files. everything else was left alone.

Well, there's no magic. If the users file entry doesn't match, it's because the User-Name isn't test.

Alan DeKok.
Re: pap always returns noop for windows dialup authentication
On Mon, 23 Sep 2013 at 14:42, John Dennis opined:
JD:You have all the information you need to debug your problem. It does
JD:require reading the debug output carefully. But you should really try
JD:to do that yourself first. As I said earlier, verify you're reading the
JD:exact same users file in both cases (the debug output will tell you
JD:what files are being read). If they are, then look at your users file
JD:and determine why the user name is not matching; there is nothing magic
JD:about it, it should be straightforward. Still stumped? Then come back
JD:to the list for help.

hi john - thanks for the help. however, i've read the debug output about 50 thousand times and am just not seeing what is causing the problem, other than it not finding the username in the /etc/raddb/users file when trying to authenticate from a windows box. i mean, the debug output from the authentication request shows the username to be test and there's clearly a user named test in the users file. every place in the debug output where it lists the username it's test. there doesn't seem to be any domain prepended to it.

when starting the server, the debug output shows the file 'modules/files' is being instantiated:

Module: Instantiating module files from file /etc/raddb/modules/files
 files {
	usersfile = /etc/raddb/users
	acctusersfile = /etc/raddb/acct_users
	preproxy_usersfile = /etc/raddb/preproxy_users
	compat = no
 }

and the user/password is in the /etc/raddb/users file. if it weren't then the linux authentication requests wouldn't be working either, right?

i'm not trying anything complicated. this setup is not using ldap, active directory, and it's not talking to a database. it's just supposed to be reading a plain-text username and password from the users file.

here's the full debug output:

[root@ikano raddb]# radiusd -X
FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct 3 2012 at 01:22:51
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/clients.conf.swave
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/files
including configuration file
Re: pap always returns noop for windows dialup authentication
On 23/09/2013 18:19, paul trader wrote:
> hi phil - ok, here's the full debug for a successful request:
>
> [files] users: Matched entry test at line 1

Versus

> and here's the full output of a failed request:
>
> [files] users: Matched entry DEFAULT at line 172

The two requests look very similar, but you've x.x.x.x'ed out some data (grr...).

Whatever you've X'ed out, one request is matching on line 1 of the users file, one on line 172, so they're obviously different.

Carefully examine the two entries on line 1 and 172, determine what's different, examine the unredacted data in the packets, and correct it.