Re: pap always returns noop for windows dialup authentication [solved]

2013-09-24 Thread paul trader
On Mon, 23 Sep 2013 at 22:03, Phil Mayers opined:

PM:Carefully examine the two entries on line 1 and 172, determine what's 
PM:different, examine the unredacted data in the packets, and correct it. 

hi phil - thanks for the advice, i figured out that placement of the 
$INCLUDE statement (and user info in general) in the users file is 
important for windows authentication.  strangely enough, it doesn't seem 
to matter for a linux dialup, though.

thanks to everyone for the help!

regards, paul
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: pap always returns noop for windows dialup authentication [solved]

2013-09-24 Thread Alan DeKok
paul trader wrote:
 hi phil - thanks for the advice, i figured out that placement of the 
 $INCLUDE statement (and user info in general) in the users file is 
 important for windows authentication.  strangely enough, it doesn't seem 
 to matter for a linux dialup, though.

  That is a *terrible* explanation.  It's wrong and misleading.

  It also contradicts your previous messages.  You claimed you put the
users file entry at line one of the file.  But now you talk about a
$INCLUDE statement.

  So... which is it?

  Alan DeKok.


Re: pap always returns noop for windows dialup authentication [solved]

2013-09-24 Thread paul trader
On Tue, 24 Sep 2013 at 10:36, Alan DeKok opined:

AD:  It also contradicts your previous messages.  You claimed you put the 
AD:users file entry at line one of the file.  But now you talk about a 
AD:$INCLUDE statement.
AD:
AD:  So... which is it?

hi alan - well, i did both.  at first the $INCLUDE was put at the bottom 
of the users file, and there was 1 entry in the included file, at line 1.  
i removed the $INCLUDE statement and put the username/password entry 
directly in the users file, but it was at the bottom where the $INCLUDE 
was removed from.  either way the linux clients could authenticate but not 
the windows ones.  only after i tried moving the entry directly under the 
'steve' example did it start working, so i moved the $INCLUDE statement 
there too.

regards, paul


Re: pap always returns noop for windows dialup authentication [solved]

2013-09-24 Thread Alan DeKok
paul trader wrote:
 hi alan - well, i did both.  at first the $INCLUDE was put at the bottom 
 of the users file, and there was 1 entry in the included file, at line 1.  

  Why do you have a $INCLUDE?  You did NOT mention it in your other posts.

  The help here presumes that you accurately describe what you're doing.
 If you're not doing that, the help will be unhelpful.

 i removed the $INCLUDE statement and put the username/password entry 
 directly in the users file, but it was at the bottom where the $INCLUDE 
 was removed from.

  So when you were told to put the entry on line 1, you instead put it
on the bottom of the file?

  either way the linux clients could authenticate but not 
 the windows ones.  only after i tried moving the entry directly under the 
 'steve' example did it start working, so i moved the $INCLUDE statement 
 there too.

  That makes absolutely no sense.

  Given your other mis-statements, I think you're wrong here, too.  When
you follow the documentation and instructions here, it WILL WORK.  Doing
random other things will make it NOT WORK.

  I have no idea what you're doing, or what you changed to make it work.
 And likely neither do you.

  Alan DeKok.


Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread paul trader
On Mon, 23 Sep 2013 at 13:31, John Dennis opined:

JD:You still haven't sent the full debug.

hi john - thanks for your reply.  i sent the output from running radiusd 
-X, are you saying i need to run -Xxx and send that instead?

or are you looking for the startup output as well?  i only included the 
output for the particular requests.

JD:Also, you said you were moving from v1 to v2, you can't just copy v1 
JD:configs over, they're different, hope you weren't doing that.

i used a default v2 install and only changed the users and clients.conf 
files.  everything else was left alone.

regards, paul


Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread Phil Mayers

On 23/09/13 17:33, paul trader wrote:

 am i doing something glaringly wrong, or just going plain crazy?

It's difficult to say, because the debug you sent has all the useful 
bits trimmed out - like the original packet, and the full module 
processing chain.

Send a full debug, and odds are someone will spot the issue.

Most likely is that the Windows machine is sending a different format of 
username e.g. DOMAIN\user, so whatever database you're doing a lookup 
for the password or hash - SQL, LDAP, files - isn't matching. But that's 
a guess - post the full debug.



Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread John Dennis
On 09/23/2013 01:19 PM, paul trader wrote:
 On Mon, 23 Sep 2013 at 17:52, Phil Mayers opined:
 
 PM:It's difficult to say, because the debug you sent has all the useful 
 PM:bits trimmed out - like the original packet, and the full module 
 PM:processing chain.

You still haven't sent the full debug.

 hi phil - ok, here's the full debug for a successful request:

 [files] users: Matched entry test at line 1

 and here's the full output of a failed request:

 [files] users: Matched entry DEFAULT at line 172

So there's your answer, in the successful case it matched the entry for
text on line 1, on the failed case it didn't match. So either you're not
using the same users file (a full debug would have told us that) or
you've got some criteria set for the test entry which isn't being matched.

Also, you said you were moving from v1 to v2, you can't just copy v1
configs over, they're different, hope you weren't doing that.

-- 
John


Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread paul trader
On Mon, 23 Sep 2013 at 17:52, Phil Mayers opined:

PM:It's difficult to say, because the debug you sent has all the useful 
PM:bits trimmed out - like the original packet, and the full module 
PM:processing chain.

hi phil - ok, here's the full debug for a successful request:

rad_recv: Access-Request packet from host x.x.x.x port 1812, id=37, 
length=133
User-Name = test
User-Password = testing
User-Password = testing
NAS-IP-Address = x.x.x.x
NAS-Identifier = x.x.x.x
NAS-Port = 2561
Acct-Session-Id = 167773864
Service-Type = Login-User
Calling-Station-Id = xx
Called-Station-Id = xxx
NAS-Port-Type = Async
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry test at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password testing
[pap] Using clear text password testing
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 37 to x.x.x.x port 1812
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 37 with timestamp +676


and here's the full output of a failed request:

Ready to process requests.
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=35, 
length=121
User-Name = test
User-Password = testing
NAS-IP-Address = x.x.x.x
NAS-Identifier = x.x.x.x
NAS-Port = 2561
Acct-Session-Id = 167773862
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = xx
Called-Station-Id = xxx
NAS-Port-Type = Async
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  
Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting 
the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 35 to 64.214.93.3 port 1812
Waking up in 4.9 seconds.
Cleaning up request 0 ID 35 with timestamp +361

from what i can see, the successful request finds the user's entry in the 
user table, but the failed request doesn't (and uses DEFAULT instead).  
but the usernames passed in seem to be the same.  i don't know, we've used 
freeradius for years and this is the 1st time i'm having a problem.  
weird.

regards, paul
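The two debug traces above differ in exactly one module result: the files module matches the user entry at line 1 for the Linux request and a DEFAULT entry at line 172 for the Windows one. The script below is an added example, not code from the thread or from the FreeRADIUS project: it simulates the files module's first-match walk of the users file over the two Access-Requests shown in the debug output, and it assumes (the thread never shows it) that the DEFAULT entry at line 172 is the stock `DEFAULT Framed-Protocol == PPP` entry, which only the PPP request satisfies.

```python
# Added example, not from the thread or the FreeRADIUS project: a small simulation
# of how the "files" module walks the users file, reproducing the line-1 vs
# line-172 difference from the debug output.  Modelled (simplified): entries are
# tried top to bottom; one matches when its name is the User-Name or DEFAULT and
# every '==' check item holds; the first match wins unless it sets Fall-Through.

def parse_users(text):
    """Parse a users-file subset: 'name check, ...' lines plus indented reply items."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":  # indented line: reply items of the previous entry
            for item in line.strip().rstrip(",").split(","):
                k, v = (s.strip() for s in item.split("=", 1))
                entries[-1]["reply"][k] = v
            continue
        parts = line.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        checks = []
        for item in filter(None, (s.strip() for s in rest.split(","))):
            if "==" in item:  # ':=' items such as Cleartext-Password never restrict the match
                k, v = (s.strip() for s in item.split("==", 1))
                checks.append((k, v))
        entries.append({"line": lineno, "name": name, "checks": checks, "reply": {}})
    return entries

def match_users(entries, request):
    """Return [(line, name), ...] for the entries matched, in file order."""
    matched = []
    for e in entries:
        if e["name"] not in ("DEFAULT", request.get("User-Name")):
            continue
        if all(request.get(k) == v for k, v in e["checks"]):
            matched.append((e["line"], e["name"]))
            if e["reply"].get("Fall-Through", "no").lower() != "yes":
                break  # first match wins unless the entry falls through
    return matched

# Attribute subsets of the two Access-Requests in the thread (constructed), and
# the assumed content of the line-172 DEFAULT entry (the stock PPP entry).
LINUX_REQ = {"User-Name": "test", "Service-Type": "Login-User", "NAS-Port-Type": "Async"}
WINDOWS_REQ = {"User-Name": "test", "Service-Type": "Framed-User",
               "Framed-Protocol": "PPP", "NAS-Port-Type": "Async"}
DEFAULT_PPP = "DEFAULT\tFramed-Protocol == PPP\n\tFramed-Protocol = PPP,\n\tFramed-Compression = Van-Jacobson-TCP-IP\n"
USER_ENTRY = 'test\tCleartext-Password := "testing"\n'
USERS_BOTTOM = "# user entry after the DEFAULT entry\n" + DEFAULT_PPP + "\n" + USER_ENTRY
USERS_TOP = "# user entry before the DEFAULT entry\n" + USER_ENTRY + "\n" + DEFAULT_PPP
USERS_TOP_FT = "# user entry that falls through\n" + USER_ENTRY + "\tFall-Through = Yes\n\n" + DEFAULT_PPP

if __name__ == "__main__":
    for label, users in (("bottom", USERS_BOTTOM), ("top", USERS_TOP), ("top+fallthrough", USERS_TOP_FT)):
        e = parse_users(users)
        print(label, "linux:", match_users(e, LINUX_REQ), "windows:", match_users(e, WINDOWS_REQ))
```

With the user entry below the DEFAULT entry, the PPP request stops at DEFAULT and never reaches the password, which is what the real server's "No known good password" warning reflects; moving the entry above it, or giving it Fall-Through = Yes, lets both requests pick up the Cleartext-Password.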


Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread John Dennis
On 09/23/2013 02:07 PM, paul trader wrote:
 On Mon, 23 Sep 2013 at 13:31, John Dennis opined:
 
 JD:You still haven't sent the full debug.
 
 hi john - thanks for your reply.  i sent the output from running radiusd 
 -X, are you saying i need to run -Xxx and send that instead?

No. It means all the output from radiusd -X. Yes, that might seem like a
lot but it contains useful information. But before you do send it to
this list see below.
 
 or are you looking for the startup output as well?  i only included the 
 output for the particular requests.

That's not the full debug is it? :-)

 
 JD:Also, you said you were moving from v1 to v2, you can't just copy v1 
 JD:configs over, they're different, hope you weren't doing that.
 
 i used a default v2 install and only changed the users and clients.conf 
 files.  everything else was left alone.

You have all the information you need to debug your problem. It does
require reading the debug output carefully. But you should really try to
do that yourself first. As I said earlier, verify you're reading the
exact same users file in both cases (the debug output will tell you what
files are being read), If they are then look at your users file and
determine why the user name is not matching, there is nothing magic
about it, it should be straight forward. Still stumped? Then come back
to the list for help.


-- 
John


Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread Alan DeKok
paul trader wrote:
 i used a default v2 install and only changed the users and clients.conf 
 files.  everything else was left alone.

  Well, there's no magic.  If the users file entry doesn't match, it's
 because the User-Name isn't test.

  Alan DeKok.


Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread paul trader
On Mon, 23 Sep 2013 at 14:42, John Dennis opined:

JD:You have all the information you need to debug your problem. It does 
JD:require reading the debug output carefully. But you should really try 
JD:to do that yourself first. As I said earlier, verify you're reading the 
JD:exact same users file in both cases (the debug output will tell you 
JD:what files are being read), If they are then look at your users file 
JD:and determine why the user name is not matching, there is nothing magic 
JD:about it, it should be straight forward. Still stumped? Then come back 
JD:to the list for help.

hi john - thanks for the help.  however, i've read the debug output about 
50 thousand times and am just not seeing what is causing the problem, 
other than it not finding the username in the /etc/raddb/users file when 
trying to authenticate from a windows box.  i mean, the debug output from 
the authentication request shows the username to be test and there's 
clearly a user named test in the users file.  every place in the debug 
output where it lists the username it's test.  there doesn't seem to be 
any domain prepended to it.

when starting the server, the debug output shows the file 'modules/files' 
is being instantiated:

 Module: Instantiating module files from file /etc/raddb/modules/files
  files {
usersfile = /etc/raddb/users
acctusersfile = /etc/raddb/acct_users
preproxy_usersfile = /etc/raddb/preproxy_users
compat = no
  }

and the user/password is in the /etc/raddb/users file.  if it weren't then 
the linux authentication requests wouldn't be working either, right?

i'm not trying anything complicated.  this setup is not using ldap, active 
directory, and it's not talking to a database.  it's just supposed to be 
reading a plain-text username and password from the users file.

here's the full debug output:

[root@ikano raddb]# radiusd -X
FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct  
3 2012 at 01:22:51
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/clients.conf.swave
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/files
including configuration file 

Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread Phil Mayers

On 23/09/2013 18:19, paul trader wrote:

 hi phil - ok, here's the full debug for a successful request:

 [files] users: Matched entry test at line 1

Versus

 and here's the full output of a failed request:

 [files] users: Matched entry DEFAULT at line 172

The two requests look very similar, but you've x.x.x.x'ed out some data 
(grr...). Whatever you've X'ed out, one request is matching on line 1 of 
the users file, one on line 172, so they're obviously different.

Carefully examine the two entries on line 1 and 172, determine what's 
different, examine the unredacted data in the packets, and correct it.
