Pairs do not match user [xxx]
Hi again.

I've found my question many times in the mailing list archives, but no suitable solution. I keep receiving 'pairs do not match user'; a copy of the log follows at the end.

I have installed the sql tables from the FreeRadius template. Since I'm not using crypt now, I tried to change 'Password' to 'User-Password' as the attribute in the sql, but still no joy.

Reading the log, it says

    modcall[authorize]: module sql returns notfound
    users: Matched DEFAULT at 85
    modcall[authorize]: module files returns ok
    modcall: group authorize returns ok
    rad_check_password: Found Auth-Type system
    auth: type System

(after the message about pairs was sent); of course, I don't have a module 'sql {' in radiusd.conf, and don't know how to build one. Then, at the end of the log, I see Found Auth-Type System (is this correct? in my 'authorization' section I'm trying sql, but the module doesn't exist, and we start it all over..)

Is this the problem? But, according to the log, rlm_sql is checking the sql tables after stripping the username - and in this phase I get the error message... Yet, no joy. Where could the error / missing config be?

--
Fernando

    rad_recv: Access-Request packet from host 192.168.1.25:1027, id=35, length=75
    Thread 1 assigned request 0
    --- Walking the entire request list ---
    Threads: total/active/spare threads = 5/1/4
    Nothing to do. Sleeping until we see a request.
    Thread 1 handling request 0, (1 handled so far)
    User-Name = ferds
    User-Password = twister
    NAS-IP-Address = 192.168.1.25
    NAS-Port = 2
    NAS-Port-Type = Async
    Service-Type = Framed-User
    Framed-Protocol = PPP
    modcall: entering group authorize
    modcall[authorize]: module preprocess returns ok
    rlm_realm: No '@' in User-Name = ferds, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop
    radius_xlat: 'ferds'
    rlm_sql (sql): sql_set_user escaped user -- 'ferds'
    (...)
    radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'ferds' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
    rlm_sql (sql): Pairs do not match for user [ferds]
    rlm_sql (sql): Released sql socket id: 4
    modcall[authorize]: module sql returns notfound
    users: Matched DEFAULT at 85
    modcall[authorize]: module files returns ok
    modcall: group authorize returns ok
    rad_check_password: Found Auth-Type system
    auth: type System
    auth: Failed to validate the user.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
pairs do not match
Hi all,

I have just installed freeradius and I am a newbie with it. What should I do if I get these error messages:

    Wed Nov 27 04:38:32 2002 : Error: rlm_eap: EAP-Message not found
    Wed Nov 27 04:38:32 2002 : Info: rlm_sql: Pairs do not match [2101704]

(in the radcheck table, I set the value for attribute = Password and op = ==)

    Wed Nov 27 04:38:37 2002 : Error: rlm_sql: Stop packet with zero session length. (user '2101704', nas '199.37.116.117')
    Wed Nov 27 04:38:42 2002 : Error: rlm_sql: Stop packet with zero session length. (user '2101704', nas '199.37.116.117')
    Wed Nov 27 04:38:47 2002 : Error: rlm_sql: Stop packet with zero session length. (user '2101704', nas '199.37.116.117')
    Wed Nov 27 04:38:52 2002 : Error: rlm_sql: Stop packet with zero session length. (user '2101704', nas '199.37.116.117')

I am using freeradius-0.4, suse 8.0 and cisco AS5300. Thank you for your help.

Regards,
Tjenen
Re: pairs do not match
Perhaps you should upgrade to freeradius-0.8?

On Wed, 27 Nov 2002, betux wrote:

> hi all, i am just install freeradius and i am newbie for that. what should i do if get error message :
>
>     Wed Nov 27 04:38:32 2002 : Error: rlm_eap: EAP-Message not found
>     Wed Nov 27 04:38:32 2002 : Info: rlm_sql: Pairs do not match [2101704]
>
> (in radcheck table, i set value for attribute = Password and op = ==)
>
>     Wed Nov 27 04:38:37 2002 : Error: rlm_sql: Stop packet with zero session length. (user '2101704', nas '199.37.116.117')
>     Wed Nov 27 04:38:42 2002 : Error: rlm_sql: Stop packet with zero session length. (user '2101704', nas '199.37.116.117')
>     Wed Nov 27 04:38:47 2002 : Error: rlm_sql: Stop packet with zero session length. (user '2101704', nas '199.37.116.117')
>     Wed Nov 27 04:38:52 2002 : Error: rlm_sql: Stop packet with zero session length. (user '2101704', nas '199.37.116.117')
>
> i am using freeradius-0.4, suse 8.0 and cisco AS5300. thank you for your help.
>
> Regards,
> Tjenen
Question about rlm_sql Pairs do not match for user ...
Hello,

In src/modules/rlm_sql/rlm_sql.c around line 575 there is a block of code which looks like:

    if (paircmp(request, request->packet->vps, check_tmp, &reply_tmp) != 0) {
        radlog(L_INFO, "rlm_sql (%s): Pairs do not match for user [%s]",
               inst->config->xlat_name, sqlusername);
        /* Remove the username we (maybe) added above */
        pairdelete(&request->packet->vps, PW_SQL_USER_NAME);
        sql_release_socket(inst, sqlsocket);
        pairfree(&reply_tmp);
        pairfree(&check_tmp);
        return RLM_MODULE_NOTFOUND;
    }

This seems to be comparing the pairs from the authorize_group_check_query and authorize_group_reply_query results when used with the rlm_sql module. My question is: why should the reply and check pairs be the same? The code has no comments explaining this (I'll write some up and submit a patch if someone explains it to me).

I uncommented the extra debugging above this section, and what I see is:

    rlm_sql: check items
    Crypt-Password = $1$xxx$x
    Simultaneous-Use = 1
    rlm_sql: reply items
    rlm_sql (sql): Pairs do not match for user [wizardit]
    rlm_sql (sql): Released sql socket id: 9
    modcall[authorize]: module sql returns notfound
    modcall: group authorize returns ok
    rad_check_password: Found Auth-Type Local
    auth: type Local
    auth: No password configured for the user

Section 4 of the doc/Simultaneous-Use says:

    Note that you need to add the Simultaneous-Use parameter to the check item (first line), not the reply item, using the ':=' operator.

So it seems to me that the check_items should never match the reply items (of which I have none) when using Simultaneous-Use. Is this correct? If so, the code in rlm_sql.c is wrong; otherwise, what am I missing?

With the block of code above commented out in rlm_sql.c, authentication works properly (as it did in previous versions), and I haven't noticed any other problems. Is there a problem with leaving this out?
Thanks,
Josh

--
Josh Wilsdon [EMAIL PROTECTED]
Programmer Analyst
Wizard IT Services - http://www.wizard.ca
Re: rlm_sql - pairs do not match - but everything seems to be there
Hi,

Look in the archives for subject: anyone uses sql authorization with radius. You find your answers in there.

bash

On Tue, 8 Jan 2002, Steve Sobol wrote:

> I'm currently using FreeRadius - just upgraded to 0.4 - to authenticate users with account info in /etc/passwd and /etc/shadow. Currently all I use is a default entry in /usr/local/etc/raddb/users. This works fine.
>
> However, I'm testing a setup where as much information as possible will go into a MySQL database. I'm also setting up LDAP for authentication, so I'm using an LDAP account to test... As you will see, this is not an LDAP issue...
>
> Here's the contents of the relevant fields out of my database
>
>     [radcheck]
>     +----+-------------------+-----------+-------+
>     | id | UserName          | Attribute | Value |
>     +----+-------------------+-----------+-------+
>     | 11 | [EMAIL PROTECTED] | Auth-Type | LDAP  |
>     +----+-------------------+-----------+-------+
>
>     [usergroup]
>     +----+-------------------+-----------+
>     | id | UserName          | GroupName |
>     +----+-------------------+-----------+
>     |  4 | [EMAIL PROTECTED] | ldap      |
>     +----+-------------------+-----------+
>
>     [radgroupcheck]
>     +----+-----------+-----------+-------+
>     | id | GroupName | Attribute | Value |
>     +----+-----------+-----------+-------+
>     |  6 | ldap      | Auth-Type | Ldap  |
>     +----+-----------+-----------+-------+
>
>     [radgroupreply]
>     +----+-----------+-------------------+-----------------+
>     | id | GroupName | Attribute         | Value           |
>     +----+-----------+-------------------+-----------------+
>     | 10 | ldap      | Idle-Timeout      | 600             |
>     |  9 | ldap      | Port-Limit        | 1               |
>     | 13 | ldap      | Service-Type      | Framed-User     |
>     | 14 | ldap      | Framed-Protocol   | PPP             |
>     | 15 | ldap      | Framed-IP-Address | 255.255.255.254 |
>     | 20 | ldap      | Framed-IP-Netmask | 255.255.255.255 |
>     | 19 | ldap      | Session-Timeout   | 28800           |
>     +----+-----------+-------------------+-----------------+
>
> Ok, first: If the account isn't in radcheck, usergroup doesn't get checked for the username. The next apparent step if the account isn't in radcheck is that the various tables are checked for DEFAULT - and this seems like a bug to me.
>
> Now... This is what happens when I try to dial in using sjs-ldap
>
>     Thread 1 handling request 0, (1 handled so far)
>     User-Name = [EMAIL PROTECTED]
>     Password = \352{\252\236M4\257}3KwZl\006\274[
>     NAS-IP-Address = 64.24.224.229
>     NAS-Port = 44
>     NAS-Port-Type = Async
>     Service-Type = Framed-User
>     Framed-Protocol = PPP
>     Connect-Info = 16800 LAPM/V42BIS
>     Called-Station-Id = 4408560016
>     Calling-Station-Id = 4402098862
>     Proxy-State = 0x3c3b74724018e0e5040210007c1462fc83ad10f33842ef6c7294576d
>     rad_lowerpair: User-Name now '[EMAIL PROTECTED]'
>     rad_lowerpair: Password now 'myDialupPassword'
>     rad_rmspace_pair: User-Name now '[EMAIL PROTECTED]'
>     rad_rmspace_pair: Password now 'myDialupPassword'
>     modcall: entering group authorize
>     modcall[authorize]: module preprocess returns ok
>     modcall[authorize]: module suffix returns ok
>     rlm_sql: Reserving sql socket id: 4
>     radius_xlat: '[EMAIL PROTECTED]'
>     sql_escape in: '[EMAIL PROTECTED]'
>     sql_escape out: '[EMAIL PROTECTED]'
>     sql_set_user: escaped user -- '[EMAIL PROTECTED]'
>     radius_xlat: 'SELECT id,UserName,Attribute,Value FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
>     radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>     radius_xlat: 'SELECT id,UserName,Attribute,Value FROM radreply WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
>     radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>     rlm_sql: Released sql socket id: 4
>     rlm_sql: Pairs do not match [[EMAIL PROTECTED]]
>     modcall[authorize]: module sql returns notfound
>     users: Matched DEFAULT at 2
>     modcall[authorize]: module files returns ok
>     modcall: group authorize returns ok
>     rad_check_password: Found Auth-Type System
>     auth: type System
>     modcall: entering group authenticate
>     modcall[authenticate]: module unix returns notfound
>     modcall: group authenticate returns notfound
>     auth: Failed to validate the user.
>     Sending Access-Reject of id 109 to 216.126.128.8:1650
>     Proxy-State = 0x3c3b74724018e0e5040210007c1462fc83ad10f33842ef6c7294576d
>     Finished request 0
>     Going to the next request
>
> Now, for some reason, enabling debugging on 0.4 doesn't print the results of the SQL queries. :( However, with 0.3, I'd see
Re: rlm_sql - pairs do not match - but everything seems to be there
At 06:23 PM 1/8/2002 -0500, Steve Sobol wrote:

> I'm currently using FreeRadius - just upgraded to 0.4 - to authenticate users with account info in /etc/passwd and /etc/shadow. Currently all I use is a default entry in /usr/local/etc/raddb/users.

You'll want to update to a CVS snapshot. The current CVS has an updated sql table definition that adds support for the 'operator'. If no operator is returned, the code assumes '=='.

To set an Auth-Type, you need to use the ':=' operator.

-Chris

--
Chris Parker - Manager, Development Engineering
http://www.starnetwx.net
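The operator rule from the reply above, as an added example that is not part of the original message and not FreeRADIUS code: a simplified C model in which a check item with no operator defaults to `==` and must be present in the request with the same value, while `:=` sets the item without comparing it. The `pair` struct, the function names and the sample request are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified attribute/value pair; not FreeRADIUS's VALUE_PAIR. */
struct pair {
    const char *attr;
    const char *op;    /* NULL models a table row that returns no operator */
    const char *value;
};

static const struct pair *find_pair(const struct pair *list, size_t n, const char *attr)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i].attr, attr) == 0)
            return &list[i];
    return NULL;
}

/* Returns 0 when all check items are satisfied, -1 on the first mismatch
 * (the "Pairs do not match" case), -2 for an operator this model does not
 * cover. ":=" items are never compared: they are copied into config[]. */
int check_items_match(const struct pair *request, size_t nreq,
                      const struct pair *check, size_t ncheck,
                      struct pair *config, size_t *nconfig)
{
    *nconfig = 0;
    for (size_t i = 0; i < ncheck; i++) {
        const char *op = check[i].op ? check[i].op : "==";  /* default op */
        if (strcmp(op, ":=") == 0) {
            config[(*nconfig)++] = check[i];  /* set, do not compare */
            continue;
        }
        if (strcmp(op, "==") != 0)
            return -2;
        const struct pair *sent = find_pair(request, nreq, check[i].attr);
        if (sent == NULL || strcmp(sent->value, check[i].value) != 0)
            return -1;  /* attribute absent from the request, or different */
    }
    return 0;
}

/* Constructed request; like the requests logged in this thread it has no Auth-Type. */
static const struct pair sample_request[] = {
    {"User-Name", NULL, "testuser"},
    {"Password", NULL, "testpass"},
    {"Service-Type", NULL, "Framed-User"},
};

/* Runs one Auth-Type check row with the given operator against the sample. */
int demo(const char *auth_type_op, const char **auth_type_out)
{
    struct pair check[] = { {"Auth-Type", auth_type_op, "LDAP"} };
    struct pair config[1];
    size_t nconfig;
    int rc = check_items_match(sample_request, 3, check, 1, config, &nconfig);
    *auth_type_out = (rc == 0 && nconfig == 1) ? config[0].value : NULL;
    return rc;
}

int main(void)
{
    const char *ops[] = { NULL, "==", ":=" }, *at;
    for (size_t i = 0; i < 3; i++) {
        int rc = demo(ops[i], &at);
        printf("op=%s rc=%d Auth-Type=%s\n", ops[i] ? ops[i] : "(none)", rc, at ? at : "(unset)");
    }
    return 0;
}
```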
rlm_sql - pairs do not match - but everything seems to be there
I'm currently using FreeRadius - just upgraded to 0.4 - to authenticate users with account info in /etc/passwd and /etc/shadow. Currently all I use is a default entry in /usr/local/etc/raddb/users. This works fine.

However, I'm testing a setup where as much information as possible will go into a MySQL database. I'm also setting up LDAP for authentication, so I'm using an LDAP account to test... As you will see, this is not an LDAP issue...

Here's the contents of the relevant fields out of my database

    [radcheck]
    +----+-------------------+-----------+-------+
    | id | UserName          | Attribute | Value |
    +----+-------------------+-----------+-------+
    | 11 | [EMAIL PROTECTED] | Auth-Type | LDAP  |
    +----+-------------------+-----------+-------+

    [usergroup]
    +----+-------------------+-----------+
    | id | UserName          | GroupName |
    +----+-------------------+-----------+
    |  4 | [EMAIL PROTECTED] | ldap      |
    +----+-------------------+-----------+

    [radgroupcheck]
    +----+-----------+-----------+-------+
    | id | GroupName | Attribute | Value |
    +----+-----------+-----------+-------+
    |  6 | ldap      | Auth-Type | Ldap  |
    +----+-----------+-----------+-------+

    [radgroupreply]
    +----+-----------+-------------------+-----------------+
    | id | GroupName | Attribute         | Value           |
    +----+-----------+-------------------+-----------------+
    | 10 | ldap      | Idle-Timeout      | 600             |
    |  9 | ldap      | Port-Limit        | 1               |
    | 13 | ldap      | Service-Type      | Framed-User     |
    | 14 | ldap      | Framed-Protocol   | PPP             |
    | 15 | ldap      | Framed-IP-Address | 255.255.255.254 |
    | 20 | ldap      | Framed-IP-Netmask | 255.255.255.255 |
    | 19 | ldap      | Session-Timeout   | 28800           |
    +----+-----------+-------------------+-----------------+

Ok, first: If the account isn't in radcheck, usergroup doesn't get checked for the username. The next apparent step if the account isn't in radcheck is that the various tables are checked for DEFAULT - and this seems like a bug to me.

Now... This is what happens when I try to dial in using sjs-ldap

    Thread 1 handling request 0, (1 handled so far)
    User-Name = [EMAIL PROTECTED]
    Password = \352{\252\236M4\257}3KwZl\006\274[
    NAS-IP-Address = 64.24.224.229
    NAS-Port = 44
    NAS-Port-Type = Async
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Connect-Info = 16800 LAPM/V42BIS
    Called-Station-Id = 4408560016
    Calling-Station-Id = 4402098862
    Proxy-State = 0x3c3b74724018e0e5040210007c1462fc83ad10f33842ef6c7294576d
    rad_lowerpair: User-Name now '[EMAIL PROTECTED]'
    rad_lowerpair: Password now 'myDialupPassword'
    rad_rmspace_pair: User-Name now '[EMAIL PROTECTED]'
    rad_rmspace_pair: Password now 'myDialupPassword'
    modcall: entering group authorize
    modcall[authorize]: module preprocess returns ok
    modcall[authorize]: module suffix returns ok
    rlm_sql: Reserving sql socket id: 4
    radius_xlat: '[EMAIL PROTECTED]'
    sql_escape in: '[EMAIL PROTECTED]'
    sql_escape out: '[EMAIL PROTECTED]'
    sql_set_user: escaped user -- '[EMAIL PROTECTED]'
    radius_xlat: 'SELECT id,UserName,Attribute,Value FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
    radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
    radius_xlat: 'SELECT id,UserName,Attribute,Value FROM radreply WHERE Username = '[EMAIL PROTECTED]' ORDER BY id'
    radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
    rlm_sql: Released sql socket id: 4
    rlm_sql: Pairs do not match [[EMAIL PROTECTED]]
    modcall[authorize]: module sql returns notfound
    users: Matched DEFAULT at 2
    modcall[authorize]: module files returns ok
    modcall: group authorize returns ok
    rad_check_password: Found Auth-Type System
    auth: type System
    modcall: entering group authenticate
    modcall[authenticate]: module unix returns notfound
    modcall: group authenticate returns notfound
    auth: Failed to validate the user.
    Sending Access-Reject of id 109 to 216.126.128.8:1650
    Proxy-State = 0x3c3b74724018e0e5040210007c1462fc83ad10f33842ef6c7294576d
    Finished request 0
    Going to the next request

Now, for some reason, enabling debugging on 0.4 doesn't print the results of the SQL queries. :( However, with 0.3, I'd see that the check and reply items were being retrieved correctly. Even so, and even though the reply pairs are what my dialup provider expects to see, I still get the pairs do not match message. rlm_sql fails, and control falls through to the users file, which only has one entry that specifies that the user is to be authenticated through the passwd file. This, of course, doesn't work. sjs-ldap doesn't exist in /etc/passwd, only in LDAP.

I'm at a total loss - I can't figure out why this is happening. Help :(

Thanks,
S

--
JustThe.net LLC - Steve Web Dude Sobol, CTO
rlm_sql: Pairs do not match
Who can tell me what does 'rlm_sql: Pairs do not match' mean? please...

---

    query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value FROM radgroupreply,usergroup WHERE usergroup.Username = 'steve' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
    rlm_postgresql Status: PGRES_TUPLES_OK
    sql_postgresql: affected rows =
    Service-Type = Framed-User
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-Address = 255.255.255.254
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-Address = 255.255.255.254
    Framed-Compression = Van-Jacobson-TCP-IP
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-Address = 255.255.255.254
    Framed-Compression = Van-Jacobson-TCP-IP
    Framed-MTU = 1500
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-Address = 255.255.255.254
    Framed-Compression = Van-Jacobson-TCP-IP
    Framed-MTU = 1500
    Fall-Through = Yes
    rlm_sql: Released sql socket id: 4
    rlm_sql: Pairs do not match [steve]
    Sending Access-Reject of id 137 to 127.0.0.1:2083

--
cron
Pairs do not match
Hi!

I need to configure a user with Exec-Program-Wait. I am using Freeradius and MySQL, and I already imported the dictionary and configured the user in the radcheck table this way:

    (34,SomeUser,Exec-Program-Wait,/sbin/exec_program)

Is this correct? I receive a pairs do not match error when I try to connect.
Re: Pairs do not match
At 06:09 PM 11/22/2001 +1000, Mark Constable wrote:

> On Thu, 22 Nov 2001 00:45, Chris Parker wrote:
>
> > It looks like you are storing a plaintext password in a Crypt password container. Either store the encrypted password in the table, or change the attribute name to 'User-Password'.
>
> Oh oh, where does User-Password come from ? I've been using either just Password for plain text entries or Crypt-Password for encrypt('pw')ed entries.

User-Password and Password would be the same thing. Password is what's defined in the dictionary, so use that. The RFC gives the proper name as User-Password, so that's why I mentioned it, however, regardless of the RFC, you need to use Password.

-Chris

--
Chris Parker - Manager, Development Engineering
http://www.starnetwx.net
Re: Pairs do not match
On Thu, 22 Nov 2001 00:45, Chris Parker wrote:

> It looks like you are storing a plaintext password in a Crypt password container. Either store the encrypted password in the table, or change the attribute name to 'User-Password'.

Oh oh, where does User-Password come from ? I've been using either just Password for plain text entries or Crypt-Password for encrypt('pw')ed entries. Using radtest confirms my user/pw entries are OK.

> > This has been going on for a while.
>
> It looks like series of debugging statements that should be commented out somewhere, as the server is iterating through a loop. Not that there is a definite pattern to this series, as if it's printing the a/v pair list each time through a loop:
>
> Pass 1: Service-Type = Framed-User
> Pass 2:

Ah right, I never noticed that obvious pattern.

> So it's a cosmetic bug, unless you are seeing the reply being sent with that many attributes out from the NAS.

Nope.

> I'd look at the SQL module for this, if you want to clean it up.

As long as I know it's not part of my problem(s) then like everyone else, I'll put up with it until someone else cleans it up with CVS access.

Thanks for the response Chris.

--markc
Re: Pairs do not match
At 03:23 PM 11/21/2001 +1000, Mark Constable wrote:

> Could anyone please explain what might be going on here and which Pairs do not match ?
>
>     rlm_sql: Pairs do not match [[EMAIL PROTECTED]]

It looks like you are storing a plaintext password in a Crypt password container. Either store the encrypted password in the table, or change the attribute name to 'User-Password'.

> And why might I be seeing doubled up reply pairs ? This has been going on for a while.

It looks like series of debugging statements that should be commented out somewhere, as the server is iterating through a loop. Not that there is a definite pattern to this series, as if it's printing the a/v pair list each time through a loop:

    Pass 1:
        Service-Type = Framed-User
    Pass 2:
        Service-Type = Framed-User
        Framed-Protocol = PPP
    Pass 3:
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-Netmask = 255.255.255.255
    Pass 4:
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-Netmask = 255.255.255.255
        Framed-MTU = 1500
    Pass 5:
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-Netmask = 255.255.255.255
        Framed-MTU = 1500
        Framed-Compression = Van-Jacobson-TCP-IP

So it's a cosmetic bug, unless you are seeing the reply being sent with that many attributes out from the NAS. I'd look at the SQL module for this, if you want to clean it up.

-Chris

--
Chris Parker - Manager, Development Engineering
http://www.starnetwx.net