I'm merely speculating that your SSH client is rejecting the response where the User-Name & Juniper-Local-User-Name for 'bob' but accepts the name 'labrat' and response name 'labrat'.

> well, i don't have user "labrat" configured in file "users" on the
> radius server.

KISS:
Set up the server to test the Juniper-Local-User-Name responses. You might consider testing just that side of things 'til you figure out the pattern. This part is not a RADIUS problem.

BTW the Access-Request packet should use either the NAS-Identifier OR the NAS-IP-Address but not both. Something is likely to mysteriously break later. Choose one.

> also you are right, for some reasons, every login attempt will have
> two more duplicated messages besides the first one. why is that?

The RADIUS server is working properly. Your client is not.

Your RADIUS client sends an identical packet for each different attempt to log in. This is just plain wrong and the server is replying with a copy of the original response.

Either the client is broken or SSH is misusing the client.
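As an added illustration (not from any of the posters), here is a small Python model of the point made above: each login attempt has to be a new RADIUS packet, and a server that keys its request cache on (client IP, source port, Identifier) will otherwise just replay the answer it already gave, which is exactly the "Sending duplicate reply" line in the debug output. The shared secret and the client address are constructed for the example.

```python
import hashlib
import os
import struct

SECRET = b"testing123"   # constructed shared secret, not from the thread


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to a multiple of 16 and
    XOR each block with MD5(secret + previous block); the first 'previous
    block' is the Request Authenticator, so a fresh authenticator gives a
    different wire encoding of the same password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def attr(kind: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including this header), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def access_request(ident: int, user: str, password: str, authenticator=None) -> bytes:
    """Access-Request (Code 1). A new login attempt must be a new packet:
    a fresh 16-byte Request Authenticator and normally a fresh Identifier."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = attr(1, user.encode()) + attr(2, pap_encode(password.encode(), SECRET, ra))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + ra + attrs


class DedupServer:
    """Model of the server-side check behind 'Sending duplicate reply to client
    r8 port 65003 - ID: 3': requests are keyed on (client IP, source port,
    Identifier); the same key with the same Request Authenticator is a
    retransmission and gets the cached reply instead of being processed."""

    def __init__(self):
        self.cache = {}   # key -> (request authenticator, reply already sent)

    def handle(self, src_ip: str, src_port: int, packet: bytes) -> str:
        code, ident, length = struct.unpack("!BBH", packet[:4])
        ra = packet[4:20]
        key = (src_ip, src_port, ident)
        cached = self.cache.get(key)
        if cached is not None and cached[0] == ra:
            return "duplicate: resending cached " + cached[1]
        self.cache[key] = (ra, "Access-Accept")   # different RA: a new request
        return "new: processed, sent Access-Accept"
```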

On 2010-09-19 11:19 PM, gahn wrote:
thanks.

well, i don't have user "labrat" configured in file "users" on the
radius server. the "labrat" is in local user password database on the
juniper box. for the radius support on juniper routers, it must map
a remote user (in the database of radius server) to a specific local
user. in my case, i map the radius username "bob" to the juniper
local username "labrat".

if i understand correctly what you were saying, this attribute of
"Juniper-Local-User-Name" is not working?

also you are right, for some reasons, every login attempt will have
two more duplicated messages besides the first one. why is that?

I am really new to this. thanks for the help...


--- On Sun, 9/19/10, Michael Lecuyer<[email protected]>  wrote:

From: Michael Lecuyer<[email protected]>
Subject: Re: still not working (newbie for radius)
To: "FreeRadius users mailing list"<[email protected]>
Date: Sunday, September 19, 2010, 7:26 PM

By the looks of it you have two problems. The User-Password name 'bob' isn't matched by the response Juniper-Local-User-Name 'labrat'. Perhaps ssh cares.

Your broken client sends the identical packet for the new
authentication attempt when it must send a brand new packet
(different id, socket or port). That's why the server drops
subsequent login attempts from ssh - they're duplicate requests
which the server has already answered.

In your second attempt your User-Name is 'labrat' and the
Juniper-Local-User-Name 'labrat' is being returned in the response,
probably convincing SSH you are who you claim to be.

On 2010-09-19 9:35 PM, gahn wrote:
thanks tim:

yes, it is better but not yet working correctly:

g...@giraffe:~:$ ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied (publickey,password,keyboard-interactive).

but trying local username "labrat" is working fine:

g...@giraffe:~:$ ssh [email protected]
[email protected]'s password:
--- JUNOS 8.5R4.3 built 2008-08-12 23:16:55 UTC
lab...@lab-r8>

what is interesting here is that now i can see
"Access-Accept" in the debugging messages of "radiusd -X":

rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57
        User-Name = "bob"
        User-Password = "bob"
        NAS-Identifier = "lab-r8"
        NAS-IP-Address = 150.150.0.1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry bob at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "bob"
[pap] Using clear text password "bob"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 3 to 192.168.255.138 port 65003
        Juniper-Local-User-Name = "labrat"
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57
Sending duplicate reply to client r8 port 65003 - ID: 3
Sending Access-Accept of id 3 to 192.168.255.138 port 65003
Waking up in 1.9 seconds.
Cleaning up request 4 ID 3 with timestamp +91
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57
        User-Name = "bob"
        User-Password = "bob"
        NAS-Identifier = "lab-r8"
        NAS-IP-Address = 150.150.0.1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry bob at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "bob"
[pap] Using clear text password "bob"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 3 to 192.168.255.138 port 65003
        Juniper-Local-User-Name = "labrat"
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 5 ID 3 with timestamp +97
Ready to process requests.



--- On Sun, 9/19/10, Tim Sylvester<[email protected]> wrote:

From: Tim Sylvester<[email protected]>
Subject: RE: still not working (newbie for radius)
To: "'FreeRadius users mailing list'"<[email protected]>
Date: Sunday, September 19, 2010, 5:52 PM

well, i had tried other configuration for "users":

bob     Cleartext-Password = "bob"
        Juniper-Local-User-Name = "labrat"

labrat is local login user id so that all of radius users
will be mapped to that user. unfortunately, it also failed
though with no warning messages:


<tim>   You are missing a : - try the following:

bob     Cleartext-Password := "bob"
        Juniper-Local-User-Name = "labrat"


- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
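As an added illustration (not from any of the posters), here is a small Python parser for the users-file entry format shown above that flags the operator slip Tim points out: a password check item on the first line written with "=" instead of ":=". The two sample entries are constructed from the before and after versions in the thread.

```python
import re

# Constructed sample entries: the one gahn posted and Tim's corrected version.
USERS_BEFORE = '''bob     Cleartext-Password = "bob"
        Juniper-Local-User-Name = "labrat"
'''
USERS_AFTER = '''bob     Cleartext-Password := "bob"
        Juniper-Local-User-Name = "labrat"
'''

# attribute, operator, value; ":=" is listed before "=" so it wins the match
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=~|!=|\+=|=)\s*("[^"]*"|[^,\s]+)')


def parse_users(text):
    """Return [(name, check_items, reply_items)] for each entry.
    The first line holds the username and comma-separated check items;
    indented continuation lines hold the reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                 # "<name> <check items>"
            parts = line.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            entries.append((parts[0], [m.groups() for m in ITEM_RE.finditer(rest)], []))
        elif entries:                              # continuation: reply items
            entries[-1][2].extend(m.groups() for m in ITEM_RE.finditer(line))
    return entries


def lint_users(text):
    """Flag a password check item written with the reply-style '=' operator;
    the fix given in the thread is ':='."""
    problems = []
    for name, checks, _ in parse_users(text):
        for attribute, op, _ in checks:
            if attribute.endswith("-Password") and op == "=":
                problems.append(f'{name}: "{attribute} =" should be "{attribute} :="')
    return problems
```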
