Hi, I have a problem with password matching. Everything seems to be all right, but radius still won't accept shared_secret.

I use radius with mysql-database for ssh authentication. If I try to authenticate with radtest on server (10.10.10.11) - it works fine. If I try to authenticate from client with IP 10.10.10.200 it works as well. If I try to authenticate from ssh I receive this message:

rad_recv: Access-Request packet from host 127.0.0.1 port 3666, id=208, length=88
        User-Name = "lisa"
        User-Password = "\010\n\r\177INCORRECT"
        NAS-IP-Address = 10.10.10.11
        NAS-Identifier = "sshd"
        NAS-Port = 2641
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "10.10.10.200"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "lisa", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> lisa
rlm_sql (sql): sql_set_user escaped user --> 'lisa'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'lisa' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'lisa' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'lisa' ORDER BY priority
expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dynamic' ORDER BY id
rlm_sql (sql): User found in group dynamic
expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dynamic' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "? INCORRECT"
rlm_pap: Using clear text password "lisa123"
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [lisa/\010\n\r\177INCORRECT] (from client localhost port 2641 cli 10.10.10.200)
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> lisa
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 1.0 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 208 to 127.0.0.1 port 3666
Waking up in 4.9 seconds.

clients.conf:
=============
client 127.0.0.1 {
        secret = Test
        shortname = localhost
        nastype = other # localhost isn't usually a NAS...
}
client 10.10.10.0/24 {
        secret = Test
        shortname = local-net
}

pam_radius_auth.conf:
=====================
127.0.0.1 Test 3
10.10.10.11 Test 3

pam.d/common-auth:
==================
# Radius auth
# For these next three lines to grant auth, you must have a local user name
# This must be the same as your RADIUS name
# Remove the "debug" argument on the next line after everything works
auth sufficient pam_radius_auth.so debug
account required pam_radius_auth.so
session required pam_radius_auth.so
# Generic unix auth services below
auth required pam_unix.so nullok_secure

users:
======
"susi" Cleartext-Password := "123"

If I add the user susi out of users with adduser susi and the user lisa from database with adduser lisa, then NTRadPING receives Reject. If password is set in passwd - authentication works. But the password shouldn't be read out of passwd...

Any suggestions where my fault is or what to do?

Cheers
MM