Ben Hockenhull <[EMAIL PROTECTED]> wrote:
> auth: Failed to validate the user.
> Sending Access-Reject of id 93 to 10.0.20.100:2054
>
> But I couldn't get any more specific detail as to why it failed to
> validate the user, even if I'd run radiusd -x -x -x. Is there something
> else I should be trying?

Not really. The 'Failed to validate the user' means that the
password is incorrect, or wasn't found.

Hmm... I'll re-visit the problem code in rad_check_password. It
should print out a few more helpful error messages, and some of the
code is *weird*.

> I'm not able to find explicit documentation that the password attribute
> must be on the first line. The examples all do it that way, but there
> wasn't anything I could find that explicitly said that was required.

'man users' explains this, but it doesn't specifically mention the
'Password' attribute. To quote:

    The check items are a list of attributes used to match the
    incoming request. If the username matches, AND all of the
    check items match the incoming request, then the reply
    items are added to the list of attributes which will be
    used in the reply to that request. This process is
    repeated for all of the entries in the users file.

> Sure enough. That was the problem. Thanks for the pointer. It works
> now. It might be helpful to include an explicit note in the documentation
> that explains that the placement of the password attribute is critical.
> New users to any radius will probably build their user files based on the
> examples, but people converting from another radius server may not.

Hmmm.. all of the Livingston compatible servers I'm aware of use the
original Livingston format for the 'users' file. FreeRADIUS follows
this behaviour.

> Coming from Merit RADIUS, there were several ways in which one could
> structure the users file, so my assumption was that this was one of
> several valid ways and I didn't really think anything of it.

That's the problem. Don't believe *anything* that Merit does.
Nothing else works like Merit does, because Merit sucks.

Alan DeKok.
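
The 'users' file layout discussed in this thread, as an added example that is not part of the original message or of FreeRADIUS: a simplified Python lint check that splits each entry into check items (first line) and reply items (indented lines) and flags entries whose Password attribute sits among the reply items. The sample entries, the function names and the reduced item syntax are assumptions made for illustration.

```python
import re

# Constructed sample in the Livingston-style 'users' layout: the first line of
# an entry holds the username and check items; indented lines hold reply items.
SAMPLE_USERS = '''\
# constructed sample entries
alice   Password = "s3cret", NAS-IP-Address = 10.0.20.100
        Service-Type = Framed-User,
        Framed-Protocol = PPP

bob     NAS-IP-Address = 10.0.20.100
        Password = "hunter2",
        Service-Type = Framed-User
'''

# Simplified: handles only "Attr op value" items with an optional trailing comma.
ITEM = re.compile(r'\s*([\w-]+)\s*(?:==|:=|\+=|=)\s*("[^"]*"|[^,\s]+)\s*,?')


def parse_items(text):
    """Return [(attribute, value), ...] from a comma-separated item list."""
    return [(m.group(1), m.group(2).strip('"')) for m in ITEM.finditer(text)]


def parse_users(text):
    """Split each entry into check items (first line) and reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] in ' \t':  # continuation line: reply items
            if entries:
                entries[-1]['reply'] += parse_items(line)
        else:  # new entry: username, then check items
            name, *rest = line.split(None, 1)
            entries.append({'name': name, 'reply': [],
                            'check': parse_items(''.join(rest))})
    return entries


def misplaced_passwords(entries):
    """Names of entries whose Password is a reply item, not a check item."""
    def has_pw(items):
        return any(attr.lower() == 'password' for attr, _ in items)
    return [e['name'] for e in entries if has_pw(e['reply']) and not has_pw(e['check'])]


if __name__ == '__main__':
    print(misplaced_passwords(parse_users(SAMPLE_USERS)))
```

Run over a converted users file, the flagged names are the entries to fix before chasing 'Failed to validate the user' in the debug output.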