Pairs do not match user [xxx]
Hi again. I've found my question many times in mailinglist archives, but not
suitable solution.
I keep receiving 'pairs do not match user'; in the end, follows copy of log.
I have installed sql tables from the FreeRadius template. Since I'm not
using crypt now, I tried to change 'Password' to 'User-Password' as
attribute in the sql, but still no joy.
Reading the log, it says
modcall[authorize]: module sql returns notfound
users: Matched DEFAULT at 85
modcall[authorize]: module files returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type system
auth: type System
(after the message about pairs was sent); of course, I don't have a module
'sql {' in radiusd.conf, and don't know how to build one. Then, in the end
of log, I see Found Auth-Type System (is this correct? in my
'authorization' section I'm trying sql, but the module doesn't exists, and
we start it all over..) Is this the problem?
But, according the log, rlm_sql is checking the sql tables after stripping
username - and in this phase I get the error message... Yet, no joy.
Where the error / missing config could be?
-- Fernando
rad_recv: Access-Request packet from host 192.168.1.25:1027, id=35,
length=75
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Nothing to do. Sleeping until we see a request.
Thread 1 handling request 0, (1 handled so far)
User-Name = ferds
User-Password = twister
NAS-IP-Address = 192.168.1.25
NAS-Port = 2
NAS-Port-Type = Async
Service-Type = Framed-User
Framed-Protocol = PPP
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
rlm_realm: No '@' in User-Name = ferds, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
radius_xlat: 'ferds'
rlm_sql (sql): sql_set_user escaped user -- 'ferds'
(...)
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = 'ferds' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Pairs do not match for user [ferds]
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module sql returns notfound
users: Matched DEFAULT at 85
modcall[authorize]: module files returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type system
auth: type System
auth: Failed to validate the user.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
pairs do not match
hi all, i am just install freeradius and i am newbie for that. what should i do if get error message : Wed Nov 27 04:38:32 2002 : Error: rlm_eap: EAP-Message not found Wed Nov 27 04:38:32 2002 : Info: rlm_sql: Pairs do not match [2101704] (in radcheck table, i set value for attribute = Password and op = ==) Wed Nov 27 04:38:37 2002 : Error: rlm_sql: Stop packet with zero session length. (user '2101704', nas '199.37.116.117') Wed Nov 27 04:38:42 2002 : Error: rlm_sql: Stop packet with zero session length. (user '2101704', nas '199.37.116.117') Wed Nov 27 04:38:47 2002 : Error: rlm_sql: Stop packet with zero session length. (user '2101704', nas '199.37.116.117') Wed Nov 27 04:38:52 2002 : Error: rlm_sql: Stop packet with zero session length. (user '2101704', nas '199.37.116.117') i am using freeradius-0.4, suse 8.0 and cisco AS5300. thank you for your help. Regards, Tjenen - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: pairs do not match
perhaps you should upgrade to freeradius-0.8 ? On Wed, 27 Nov 2002, betux wrote: hi all, i am just install freeradius and i am newbie for that. what should i do if get error message : Wed Nov 27 04:38:32 2002 : Error: rlm_eap: EAP-Message not found Wed Nov 27 04:38:32 2002 : Info: rlm_sql: Pairs do not match [2101704] (in radcheck table, i set value for attribute = Password and op = ==) Wed Nov 27 04:38:37 2002 : Error: rlm_sql: Stop packet with zero session length. (user '2101704', nas '199.37.116.117') Wed Nov 27 04:38:42 2002 : Error: rlm_sql: Stop packet with zero session length. (user '2101704', nas '199.37.116.117') Wed Nov 27 04:38:47 2002 : Error: rlm_sql: Stop packet with zero session length. (user '2101704', nas '199.37.116.117') Wed Nov 27 04:38:52 2002 : Error: rlm_sql: Stop packet with zero session length. (user '2101704', nas '199.37.116.117') i am using freeradius-0.4, suse 8.0 and cisco AS5300. thank you for your help. Regards, Tjenen - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Question about rlm_sql Pairs do not match for user ...
Hello,
In src/modules/rlm_sql/rlm_sql.c around line 575 there is a
block of code which looks like:
if (paircmp(request, request-packet-vps, check_tmp, reply_tmp) != 0) {
radlog(L_INFO, rlm_sql (%s): Pairs do not match for user [%s],
inst-config-xlat_name, sqlusername);
/* Remove the username we (maybe) added above */
pairdelete(request-packet-vps, PW_SQL_USER_NAME);
sql_release_socket(inst, sqlsocket);
pairfree(reply_tmp);
pairfree(check_tmp);
return RLM_MODULE_NOTFOUND;
}
This seems to be comparing the pairs from the:
authorize_group_check_query and authorize_group_reply_query
results when used with the rlm_sql module. My question is why
should the reply and check pairs be the same? The code has no
comments explaining this (I'll write some up and submit a patch if
someone explains it to me). I uncommented the extra debugging above
this section, and what I see is:
rlm_sql: check items
Crypt-Password = $1$xxx$x
Simultaneous-Use = 1
rlm_sql: reply items
rlm_sql (sql): Pairs do not match for user [wizardit]
rlm_sql (sql): Released sql socket id: 9
modcall[authorize]: module sql returns notfound
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: No password configured for the user
Section 4 of the doc/Simultaneous-Use says:
Note that you need to add the Simultaneous-Use parameter to the
check item (first line), not the reply item, using the ':=' operator.
So it seems to me that there the check_items should never match the
reply items (of which I have none) when using Simultaneous-Use. Is
this correct? If so the code in rlm_sql.c is wrong, otherwise what
am I missing?
With the block of code above commented out in rlm_sql.c
authentication works properly (as it did in previous versions), and
I haven't noticed any other problems. Is there a problem with leaving
this out?
Thanks,
Josh
--
Josh Wilsdon [EMAIL PROTECTED] Programmer Analyst
Wizard IT Services - http://www.wizard.ca
Linux Support Specialist - http://linuxmagic.com
Unix Administration, Website Hosting, Network Services, Programming
(604) 589-0037 Beautiful British Columbia, Canada
LinuxMagic is a TradeMark of Wizard Tower TechnoServices Ltd.
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to which
they are addressed. If you have received this email in error please
notify the system manager. Please note that any views or opinions
presented in this email are solely those of the author and do not
necessarily represent those of the company.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_sql - pairs do not match - but everything seems to be there
Hi,
Look in te archives for subject: anyone uses sql authorization with
radius. You find your answers in there.
bash
On Tue, 8 Jan 2002, Steve Sobol wrote:
I'm currently using FreeRadius - just upgraded to 0.4 - to authenticate
users with account info in /etc/passwd and /etc/shadow.
Currently all I use is a default entry in /usr/local/etc/raddb/users.
This works fine.
However, I'm testing a setup where as much information as possible will go
into a MySQL database. I'm also setting up LDAP
for authentication, so I'm using an LDAP account to test... As you will
see, this is not an LDAP issue...
Here's the contents of the relevant fields out of my database
[radcheck]
++--+---+---+
| id | UserName | Attribute | Value |
++--+---+---+
| 11 | [EMAIL PROTECTED] | Auth-Type | LDAP |
++--+---+---+
[usergroup]
++--+---+
| id | UserName | GroupName |
++--+---+
| 4 | [EMAIL PROTECTED] | ldap |
++--+---+
[radgroupcheck]
++---+---+---+
| id | GroupName | Attribute | Value |
++---+---+---+
| 6 | ldap | Auth-Type | Ldap |
++---+---+---+
[radgroupreply]
++---+---+-+
| id | GroupName | Attribute | Value |
++---+---+-+
| 10 | ldap | Idle-Timeout | 600 |
| 9 | ldap | Port-Limit| 1 |
| 13 | ldap | Service-Type | Framed-User |
| 14 | ldap | Framed-Protocol | PPP |
| 15 | ldap | Framed-IP-Address | 255.255.255.254 |
| 20 | ldap | Framed-IP-Netmask | 255.255.255.255 |
| 19 | ldap | Session-Timeout | 28800 |
++---+---+-+
Ok, first: If the account isn't in radcheck, usergroup doesn't get checked
for the username.
The next apparent step if the account isn't in radcheck is that the various
tables are checked
for DEFAULT - and this seems like a bug to me.
Now... This is what happens when I try to dial in using sjs-ldap
Thread 1 handling request 0, (1 handled so far)
User-Name = [EMAIL PROTECTED]
Password = \352{\252\236M4\257}3KwZl\006\274[
NAS-IP-Address = 64.24.224.229
NAS-Port = 44
NAS-Port-Type = Async
Service-Type = Framed-User
Framed-Protocol = PPP
Connect-Info = 16800 LAPM/V42BIS
Called-Station-Id = 4408560016
Calling-Station-Id = 4402098862
Proxy-State =
0x3c3b74724018e0e5040210007c1462fc83ad10f33842ef6c7294576d
rad_lowerpair: User-Name now '[EMAIL PROTECTED]'
rad_lowerpair: Password now 'myDialupPassword'
rad_rmspace_pair: User-Name now '[EMAIL PROTECTED]'
rad_rmspace_pair: Password now 'myDialupPassword'
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
modcall[authorize]: module suffix returns ok
rlm_sql: Reserving sql socket id: 4
radius_xlat: '[EMAIL PROTECTED]'
sql_escape in: '[EMAIL PROTECTED]'
sql_escape out: '[EMAIL PROTECTED]'
sql_set_user: escaped user -- '[EMAIL PROTECTED]'
radius_xlat: 'SELECT id,UserName,Attribute,Value FROM radcheck WHERE
Username = '[EMAIL PROTECTED]' ORDER BY id'
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value
FROM radgroupcheck,usergroup WHERE usergroup.Username =
'[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName
ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value FROM radreply WHERE
Username = '[EMAIL PROTECTED]' ORDER BY id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value
FROM radgroupreply,usergroup WHERE usergroup.Username =
'[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName
ORDER BY radgroupreply.id'
rlm_sql: Released sql socket id: 4
rlm_sql: Pairs do not match [[EMAIL PROTECTED]]
modcall[authorize]: module sql returns notfound
users: Matched DEFAULT at 2
modcall[authorize]: module files returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type System
modcall: entering group authenticate
modcall[authenticate]: module unix returns notfound
modcall: group authenticate returns notfound
auth: Failed to validate the user.
Sending Access-Reject of id 109 to 216.126.128.8:1650
Proxy-State =
0x3c3b74724018e0e5040210007c1462fc83ad10f33842ef6c7294576d
Finished request 0
Going to the next request
Now, for some reason, enabling debugging on 0.4 doesn't print the results
of the
SQL queries. :( However, with 0.3, I'd see
Re: rlm_sql - pairs do not match - but everything seems to be there
At 06:23 PM 1/8/2002 -0500, Steve Sobol wrote: I'm currently using FreeRadius - just upgraded to 0.4 - to authenticate users with account info in /etc/passwd and /etc/shadow. Currently all I use is a default entry in /usr/local/etc/raddb/users. You'll want to update to a CVS snapshot. The current CVS has an updated sql table definition that adds support for the 'operator'. If no operator is returned, the code assumes '=='. To set an Auth-Type, you need to use the ':=' operator. -Chris -- \\\|||/// \ Chris Parker-Manager, Development Engineering \ ~ ~ / \ WX *is* Wireless!\ [EMAIL PROTECTED] | @ @ |\ http://www.starnetwx.net \ (847) 963-0116 oOo---(_)---oOo--\-- \ Without C we would have 'obol', 'basi', and 'pasal' - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_sql - pairs do not match - but everything seems to be there
I'm currently using FreeRadius - just upgraded to 0.4 - to
authenticate users with account info in /etc/passwd and
/etc/shadow.
Currently all I use is a default entry in
/usr/local/etc/raddb/users.
This works fine.
However, I'm testing a setup where as much information as possible will
go into a MySQL database. I'm also setting up LDAP
for authentication, so I'm using an LDAP account to test... As you
will see, this is not an LDAP issue...
Here's the contents of the relevant fields out of my database
[radcheck]
++--+---+---+
| id |
UserName
| Attribute | Value |
++--+---+---+
| 11 | [EMAIL PROTECTED] | Auth-Type | LDAP |
++--+---+---+
[usergroup]
++--+---+
| id |
UserName
| GroupName |
++--+---+
| 4 | [EMAIL PROTECTED] | ldap
|
++--+---+
[radgroupcheck]
++---+---+---+
| id | GroupName | Attribute | Value |
++---+---+---+
| 6 | ldap | Auth-Type | Ldap
|
++---+---+---+
[radgroupreply]
++---+---+-+
| id | GroupName |
Attribute |
Value |
++---+---+-+
| 10 | ldap |
Idle-Timeout |
600
|
| 9 | ldap |
Port-Limit |
1
|
| 13 | ldap |
Service-Type |
Framed-User |
| 14 | ldap | Framed-Protocol |
PPP
|
| 15 | ldap | Framed-IP-Address |
255.255.255.254 |
| 20 | ldap | Framed-IP-Netmask |
255.255.255.255 |
| 19 | ldap | Session-Timeout |
28800 |
++---+---+-+
Ok, first: If the account isn't in radcheck, usergroup doesn't get
checked for the username.
The next apparent step if the account isn't in radcheck is that the
various tables are checked
for DEFAULT - and this seems like a bug to me.
Now... This is what happens when I try to dial in using
sjs-ldap
Thread 1 handling request 0, (1 handled so far)
User-Name =
[EMAIL PROTECTED]
Password =
\352{\252\236M4\257}3KwZl\006\274[
NAS-IP-Address =
64.24.224.229
NAS-Port = 44
NAS-Port-Type = Async
Service-Type =
Framed-User
Framed-Protocol = PPP
Connect-Info = 16800
LAPM/V42BIS
Called-Station-Id =
4408560016
Calling-Station-Id =
4402098862
Proxy-State =
0x3c3b74724018e0e5040210007c1462fc83ad10f33842ef6c7294576d
rad_lowerpair: User-Name now '[EMAIL PROTECTED]'
rad_lowerpair: Password now 'myDialupPassword'
rad_rmspace_pair: User-Name now '[EMAIL PROTECTED]'
rad_rmspace_pair: Password now 'myDialupPassword'
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
modcall[authorize]: module suffix returns ok
rlm_sql: Reserving sql socket id: 4
radius_xlat: '[EMAIL PROTECTED]'
sql_escape in: '[EMAIL PROTECTED]'
sql_escape out: '[EMAIL PROTECTED]'
sql_set_user: escaped user -- '[EMAIL PROTECTED]'
radius_xlat: 'SELECT id,UserName,Attribute,Value FROM radcheck
WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value
FROM radgroupcheck,usergroup WHERE usergroup.Username =
'[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName
ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value FROM radreply
WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value
FROM radgroupreply,usergroup WHERE usergroup.Username =
'[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName
ORDER BY radgroupreply.id'
rlm_sql: Released sql socket id: 4
rlm_sql: Pairs do not match [[EMAIL PROTECTED]]
modcall[authorize]: module sql returns notfound
users: Matched DEFAULT at 2
modcall[authorize]: module files returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type System
modcall: entering group authenticate
modcall[authenticate]: module unix returns
notfound
modcall: group authenticate returns notfound
auth: Failed to validate the user.
Sending Access-Reject of id 109 to 216.126.128.8:1650
Proxy-State =
0x3c3b74724018e0e5040210007c1462fc83ad10f33842ef6c7294576d
Finished request 0
Going to the next request
Now, for some reason, enabling debugging on 0.4 doesn't print the results
of the
SQL queries. :( However, with 0.3, I'd see that the check and reply items
were being retrieved correctly.
Even so, and even though the reply pairs are what my dialup provider
expects to see, I still
get the pairs do not match message. rlm_sql fails, and
control falls through to the users file, which only has one entry that
specifies that the user is to be authenticated through the passwd
file. This, of course, doesn't work. sjs-ldap doesn't exist in
/etc/passwd, only in LDAP.
I'm at a total loss - I can't figure out why this is happening. Help
:(
Thanks, S
--
JustThe.net LLC - Steve Web Dude Sobol,
CTO
rlm_sql: Pairs do not match
Who can tell me what does 'rlm_sql: Pairs do not match' mean? please... --- query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,r adgroupreply.Value FROM radgroupreply,usergroup WHERE usergroup.Username = 'steve' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_postgresql Status: PGRES_TUPLES_OK sql_postgresql: affected rows = Service-Type = Framed-User Service-Type = Framed-User Framed-Protocol = PPP Service-Type = Framed-User Framed-Protocol = PPP Framed-Address = 255.255.255.254 Service-Type = Framed-User Framed-Protocol = PPP Framed-Address = 255.255.255.254 Framed-Compression = Van-Jacobson-TCP-IP Service-Type = Framed-User Framed-Protocol = PPP Framed-Address = 255.255.255.254 Framed-Compression = Van-Jacobson-TCP-IP Framed-MTU = 1500 Service-Type = Framed-User Framed-Protocol = PPP Framed-Address = 255.255.255.254 Framed-Compression = Van-Jacobson-TCP-IP Framed-MTU = 1500 Fall-Through = Yes rlm_sql: Released sql socket id: 4 rlm_sql: Pairs do not match [steve] Sending Access-Reject of id 137 to 127.0.0.1:2083 -- cron - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Pairs do not match
Hi ! I need to configure user with Exec-Program-wait. I am using Freeradius and MySQL, an i already imported the dictionary and configured the user in the radcheck table this way: (34,SomeUser,Exec-Program-Wait,/sbin/exec_program) Is this correct ? I receive pairs do not match err when i try to connect. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Pairs do not match
At 06:09 PM 11/22/2001 +1000, Mark Constable wrote:
On Thu, 22 Nov 2001 00:45, Chris Parker wrote:
It looks like you are storing a plaintext password in a Crypt
password container. Either store the encrypted password in the
table, or change the attribute name to 'User-Password'.
Oh oh, where does User-Password come from ? I've been
using either just Password for plain text entries or
Crypt-Password for encrypt('pw')ed entries.
User-Password and Password would be the same thing. Password is
what's defined in the dictionary, so use that.
The RFC gives the proper name as User-Password, so that's why I
mentioned it, however, regardless of the RFC, you need to use
Password.
-Chris
--
\\\|||/// \ Chris Parker-Manager, Development Engineering
\ ~ ~ / \ WX *is* Wireless!\ [EMAIL PROTECTED]
| @ @ |\ http://www.starnetwx.net \ (847) 963-0116
oOo---(_)---oOo--\--
\ Without C we would have 'obol', 'basi', and 'pasal'
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Pairs do not match
On Thu, 22 Nov 2001 00:45, Chris Parker wrote:
It looks like you are storing a plaintext password in a Crypt
password container. Either store the encrypted password in the
table, or change the attribute name to 'User-Password'.
Oh oh, where does User-Password come from ? I've been
using either just Password for plain text entries or
Crypt-Password for encrypt('pw')ed entries.
Using radtest confirms my user/pw entries are OK.
This has been going on for a while. It looks like series of debugging
statements that should be commented out somewhere, as the server is
iterating through a loop. Not that there is a definite pattern to this
series, as if it's printing the a/v pair list each time through a loop:
Pass 1:
Service-Type = Framed-User
Pass 2:
Ah right, I never noticed that obvious pattern.
So it's a cosmetic bug, unless you are seeing the reply being sent with
that many attributes out from the NAS.
Nope.
I'd look at the SQL module for this, if you want to clean it up.
As long as I know it's not part of my problem(s) then
like everyone else, I'll put up with it until someone
else cleans it up with CVS access.
Thanks for the response Chris.
--markc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Pairs do not match
At 03:23 PM 11/21/2001 +1000, Mark Constable wrote: Could anyone please explain what might be going on here and which Pairs do not match ? rlm_sql: Pairs do not match [[EMAIL PROTECTED]] It looks like you are storing a plaintext password in a Crypt password container. Either store the encrypted password in the table, or change the attribute name to 'User-Password'. And why might I be seeing doubled up reply pairs ? This has been going on for a while. It looks like series of debugging statements that should be commented out somewhere, as the server is iterating through a loop. Not that there is a definite pattern to this series, as if it's printing the a/v pair list each time through a loop: Pass 1: Service-Type = Framed-User Pass 2: Service-Type = Framed-User Framed-Protocol = PPP Pass 3: Service-Type = Framed-User Framed-Protocol = PPP Framed-Netmask = 255.255.255.255 Pass 4: Service-Type = Framed-User Framed-Protocol = PPP Framed-Netmask = 255.255.255.255 Framed-MTU = 1500 Pass 5: Service-Type = Framed-User Framed-Protocol = PPP Framed-Netmask = 255.255.255.255 Framed-MTU = 1500 Framed-Compression = Van-Jacobson-TCP-IP So it's a cosmetic bug, unless you are seeing the reply being sent with that many attributes out from the NAS. I'd look at the SQL module for this, if you want to clean it up. -Chris -- \\\|||/// \ Chris Parker-Manager, Development Engineering \ ~ ~ / \ WX *is* Wireless!\ [EMAIL PROTECTED] | @ @ |\ http://www.starnetwx.net \ (847) 963-0116 oOo---(_)---oOo--\-- \ Without C we would have 'obol', 'basi', and 'pasal' - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
