By the looks of it you have two problems. The User-Password name 'bob'
isn't matched by the response Juniper-Local-User-Name 'labrat'. Perhaps
ssh cares.
Your broken client sends the identical packet for the new authentication
attempt when it must send a brand new packet (different id, socket or
port). That's why the server drops subsequent login attempts from ssh -
they're duplicate requests which the server has already answered.
In your second attempt your User-Name is 'labrat' and the
Juniper-Local-User-Name 'labrat' is being returned in the response,
probably convincing SSH you are who you claim to be.
On 2010-09-19 9:35 PM, gahn wrote:
thanks tim:
yes, it is better but yet working correctly:
g...@giraffe:~:$ ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied (publickey,password,keyboard-interactive).
but trying local username "labrat" is working fine:
g...@giraffe:~:$ ssh [email protected]
[email protected]'s password:
--- JUNOS 8.5R4.3 built 2008-08-12 23:16:55 UTC
lab...@lab-r8>
what is interesting here is that now i can see "Access-Accept" in the debugging messages
of "radiusd -X":
rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3,
length=57
User-Name = "bob"
User-Password = "bob"
NAS-Identifier = "lab-r8"
NAS-IP-Address = 150.150.0.1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry bob at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "bob"
[pap] Using clear text password "bob"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 3 to 192.168.255.138 port 65003
Juniper-Local-User-Name = "labrat"
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3,
length=57
Sending duplicate reply to client r8 port 65003 - ID: 3
Sending Access-Accept of id 3 to 192.168.255.138 port 65003
Waking up in 1.9 seconds.
Cleaning up request 4 ID 3 with timestamp +91
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3,
length=57
User-Name = "bob"
User-Password = "bob"
NAS-Identifier = "lab-r8"
NAS-IP-Address = 150.150.0.1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry bob at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "bob"
[pap] Using clear text password "bob"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 3 to 192.168.255.138 port 65003
Juniper-Local-User-Name = "labrat"
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 5 ID 3 with timestamp +97
Ready to process requests.
--- On Sun, 9/19/10, Tim Sylvester<[email protected]> wrote:
From: Tim Sylvester<[email protected]>
Subject: RE: still not working (newbie for radius)
To: "'FreeRadius users mailing list'"<[email protected]>
Date: Sunday, September 19, 2010, 5:52 PM
well, i had tried other configuration for "users":
bob Cleartext-Password = "bob"
Juniper-Local-User-Name = "labrat"
labrat is local login user id so that all of radius users will be mapped to
that user. unfortunately, it is also failed though with no warning messages:
<tim> You are missing a : - try the following:
bob Cleartext-Password := "bob"
        Juniper-Local-User-Name = "labrat"
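The two points Tim raises (the NAS re-sending an identical Access-Request, which the server treats as a retransmission and answers from its reply cache, and the User-Name differing from the returned Juniper-Local-User-Name) can both be spotted mechanically in a radiusd -X capture. The following is an added example written for this thread, not code from FreeRADIUS or from anyone in the discussion. It parses only the line shapes visible above (rad_recv, Sending Access-Accept, Sending duplicate reply, and indented attribute lines); the log text embedded in SAMPLE_LOG is a constructed, shortened imitation of the capture in the thread, not the original output.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample modelled on the thread's radiusd -X output (not the original capture).
# The second Access-Request reuses host, source port and id=3, exactly as the thread's NAS does.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57
        User-Name = "bob"
        User-Password = "bob"
Sending Access-Accept of id 3 to 192.168.255.138 port 65003
        Juniper-Local-User-Name = "labrat"
rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57
Sending duplicate reply to client r8 port 65003 - ID: 3
Sending Access-Accept of id 3 to 192.168.255.138 port 65003
rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=4, length=60
        User-Name = "labrat"
        User-Password = "labrat"
Sending Access-Accept of id 4 to 192.168.255.138 port 65003
        Juniper-Local-User-Name = "labrat"
"""

RECV_RE = re.compile(r"rad_recv: Access-Request packet from host (\S+) port (\d+), id=(\d+)")
SEND_RE = re.compile(r"Sending Access-Accept of id (\d+) to (\S+) port (\d+)")
DUP_RE = re.compile(r"Sending duplicate reply")
# Attribute lines look like:   Name = "value"   (quotes optional, e.g. NAS-IP-Address)
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*)"?\s*$')


@dataclass
class Exchange:
    """One Access-Request as seen by the server, plus whatever reply followed it."""
    host: str
    port: int
    ident: int
    request: dict = field(default_factory=dict)
    reply: dict = field(default_factory=dict)
    duplicate: bool = False  # answered from the reply cache, not re-evaluated


def parse_debug_log(text):
    """Group radiusd -X lines into Exchange records; unrelated debug lines are ignored."""
    exchanges = []
    current = None
    target = None  # which dict attribute lines currently belong to
    for line in text.splitlines():
        m = RECV_RE.search(line)
        if m:
            current = Exchange(m.group(1), int(m.group(2)), int(m.group(3)))
            exchanges.append(current)
            target = current.request
            continue
        if current is None:
            continue
        if DUP_RE.search(line):
            current.duplicate = True
            continue
        if SEND_RE.search(line):
            target = current.reply
            continue
        m = ATTR_RE.match(line)
        if m and target is not None:
            target[m.group(1)] = m.group(2)
    return exchanges


def find_duplicate_requests(exchanges):
    """Keys (host, port, id) seen more than once.

    RADIUS identifies a retransmission by source address, source port and the
    Identifier byte, so a NAS that reuses all three for a *new* login attempt
    gets the cached reply instead of a fresh authentication.
    """
    counts = Counter((e.host, e.port, e.ident) for e in exchanges)
    return sorted(key for key, n in counts.items() if n > 1)


def find_name_mismatches(exchanges):
    """(id, User-Name, Juniper-Local-User-Name) where the two names differ."""
    out = []
    for e in exchanges:
        if e.duplicate:
            continue
        user = e.request.get("User-Name")
        local = e.reply.get("Juniper-Local-User-Name")
        if user and local and user != local:
            out.append((e.ident, user, local))
    return out


if __name__ == "__main__":
    parsed = parse_debug_log(SAMPLE_LOG)
    print("duplicate requests:", find_duplicate_requests(parsed))
    print("name mismatches:", find_name_mismatches(parsed))
```

Run against a real capture, a non-empty result from find_duplicate_requests means the client side (here the router's RADIUS client) is not allocating a fresh Identifier or source port per attempt, which is the fix Tim describes; a non-empty result from find_name_mismatches lists the logins where the name the user typed and the local account the server mapped them to disagree, which is worth checking against how the SSH daemon on the NAS treats that mapping.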
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html