Re: Problem: switch authentication against Freeradius server
On 05/23/2013 03:34 PM, Roberto Carna wrote:
> Dear, I've implemented Linux SSH authentication using PAM against a Freeradius server, it was OK !!!
>
> But now I'm trying to authenticate some Allied switch users against the same Freeradius server...in the Allied switch I've defined the radius server IP, port and secret, and when I try to telnet this switch from other computer I fail and get this Freeradius log:
>
> (..)
> [pap] login attempt with password kqî½`_R??²m³- ½
> [pap] Using clear text password 1234
> [pap] Passwords don't match
> ++[pap] returns reject
> Failed to authenticate the user.
> WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
> (..)
>
> Please can you guide me in this problem ???

Have you double-checked the shared secret on the server and the NAS?

-Øystein

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem: switch authentication against Freeradius server
Roberto Carna wrote:
> But now I'm trying to authenticate some Allied switch users against the same Freeradius server...in the Allied switch I've defined the radius server IP, port and secret, and when I try to telnet this switch from other computer I fail and get this Freeradius log:

It helps to read the debug output.

rad_recv: Access-Request packet from host 10.4.133.254 port 49154, id=0, length=76
User-Name = bapro2
User-Password = kq\356\275`_R\005\034\262m\263-\r\275
...
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!

Does that mean anything to you?

> I see this line is completed with a wrong or cipher password, I don't know why:
>
> [pap] login attempt with password kqî½`_R??²m³- ½
>
> Please can you guide me in this problem ???

I did. I made FreeRADIUS print out a big WARNING message which you're ignoring. Read it. Follow the instructions.

And don't argue that the secret is correct. It's not. Fix it.

Alan DeKok.
Re: Problem: switch authentication against Freeradius server
Hi, what exactly does "double-checked the secret" mean ???

I've defined the same secret in client.conf from Freeradius and in the config from Allied switch

Thanks again...

2013/5/23 Øystein Gyland oyst...@usit.uio.no

> On 05/23/2013 03:34 PM, Roberto Carna wrote:
>> Dear, I've implemented Linux SSH authentication using PAM against a Freeradius server, it was OK !!!
>>
>> But now I'm trying to authenticate some Allied switch users against the same Freeradius server...in the Allied switch I've defined the radius server IP, port and secret, and when I try to telnet this switch from other computer I fail and get this Freeradius log:
>>
>> (..)
>> [pap] login attempt with password kqî½`_R??²m³- ½
>> [pap] Using clear text password 1234
>> [pap] Passwords don't match
>> ++[pap] returns reject
>> Failed to authenticate the user.
>> WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
>> (..)
>>
>> Please can you guide me in this problem ???
>
> Have you double-checked the shared secret on the server and the NAS?
>
> -Øystein
Re: Problem: switch authentication against Freeradius server
Dear Alan, my shared secret is testing123 in both switch and freeradius...it's the default shared secret as you can see...so I get lost :(

2013/5/23 Alan DeKok al...@deployingradius.com

> Roberto Carna wrote:
>> But now I'm trying to authenticate some Allied switch users against the same Freeradius server...in the Allied switch I've defined the radius server IP, port and secret, and when I try to telnet this switch from other computer I fail and get this Freeradius log:
>
> It helps to read the debug output.
>
> rad_recv: Access-Request packet from host 10.4.133.254 port 49154, id=0, length=76
> User-Name = bapro2
> User-Password = kq\356\275`_R\005\034\262m\263-\r\275
> ...
> WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
>
> Does that mean anything to you?
>
>> I see this line is completed with a wrong or cipher password, I don't know why:
>>
>> [pap] login attempt with password kqî½`_R??²m³- ½
>>
>> Please can you guide me in this problem ???
>
> I did. I made FreeRADIUS print out a big WARNING message which you're ignoring. Read it. Follow the instructions.
>
> And don't argue that the secret is correct. It's not. Fix it.
>
> Alan DeKok.
Re: Problem: switch authentication against Freeradius server
Roberto Carna wrote:
> Dear Alan, my shared secret is testing123 in both switch and freeradius...it's the default shared secret as you can see...so I get lost :(

No, it's not the same shared secret. I don't know what's going on. But the message "Unprintable characters in the password" means that the shared secret is wrong. NOTHING ELSE will cause the problem.

Go back and read the REST of the debug output. Verify that the client section printed out by the server has the CORRECT shared secret.

i.e. you can sit there and say "but it's right!" all day. That will NOT fix the problem. FreeRADIUS will NOT magically start working.

The shared secret is wrong. Go fix it.

Alan DeKok.
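[Added example, not part of the original thread and not FreeRADIUS code.] The sketch below implements the User-Password hiding from RFC 2865 section 5.2 to show why a secret mismatch between NAS and server turns the password 1234 from the log above into unprintable bytes. The function names, the Request Authenticator and the mismatched secret `Testing123` are constructed for illustration; the printable-ASCII check is a stand-in heuristic, not the server's actual test.

```python
import hashlib

MAX_PAP_LEN = 128  # RFC 2865 limit on the hidden User-Password

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if len(password) > MAX_PAP_LEN or len(authenticator) != 16:
        raise ValueError("password too long or bad Request Authenticator")
    blocks = max(1, -(-len(password) // 16))       # at least one block
    padded = password.ljust(blocks * 16, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev                             # ciphertext chains forward
    return hidden

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same keystream, derived from the server's copy of the secret."""
    if len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("malformed User-Password attribute")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")

def looks_unprintable(recovered: bytes) -> bool:
    """Heuristic: bytes outside printable ASCII suggest the wrong keystream."""
    return any(b < 0x20 or b > 0x7E for b in recovered)

def demo():
    authenticator = bytes(range(16))               # constructed sample value
    # NAS configured with a secret that differs by one character (constructed).
    on_wire = hide_password(b"1234", b"Testing123", authenticator)
    # Server decodes with its own secret, the one named in the thread.
    seen_by_server = recover_password(on_wire, b"testing123", authenticator)
    return seen_by_server, looks_unprintable(seen_by_server)

if __name__ == "__main__":
    garbage, flagged = demo()
    print("server sees:", garbage, "unprintable:", flagged)
    ok = hide_password(b"1234", b"testing123", bytes(range(16)))
    print("matching secret:", recover_password(ok, b"testing123", bytes(range(16))))
```

There is no integrity check on a PAP Access-Request in this scheme, so a wrong secret is not rejected at the packet level; it only shows up as a garbage password, which is what the WARNING line reports.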
Re: Problem: switch authentication against Freeradius server
OK, just a last question...I have Freeradius with MySQL, where is the NAS in order to check the pre-shared secret ???

Thanks again.

2013/5/23 Alan DeKok al...@deployingradius.com

> Roberto Carna wrote:
>> Dear Alan, my shared secret is testing123 in both switch and freeradius...it's the default shared secret as you can see...so I get lost :(
>
> No, it's not the same shared secret. I don't know what's going on. But the message "Unprintable characters in the password" means that the shared secret is wrong. NOTHING ELSE will cause the problem.
>
> Go back and read the REST of the debug output. Verify that the client section printed out by the server has the CORRECT shared secret.
>
> i.e. you can sit there and say "but it's right!" all day. That will NOT fix the problem. FreeRADIUS will NOT magically start working.
>
> The shared secret is wrong. Go fix it.
>
> Alan DeKok.
Re: Problem: switch authentication against Freeradius server
Roberto Carna wrote:
> OK, just a last question...I have Freeradius with MySQL, where is the NAS in order to check the pre-shared secret ???

If you have already edited the shared secret, you should know where it is.

Go read the documentation. If you're too lazy to read it, I'm too lazy to cut & paste it here.

Alan DeKok.
Re: Problem: switch authentication against Freeradius server
OK, but using radtest utility with user, password and shared secret from other machine, I get the correct response from Freeradius, accepting the authentication.

So, the problem maybe is in my Allied switch, maybe the OS is wrong in certain aspects like cipher libraries.

Thanks to all.

2013/5/23 Alan DeKok al...@deployingradius.com

> Roberto Carna wrote:
>> OK, just a last question...I have Freeradius with MySQL, where is the NAS in order to check the pre-shared secret ???
>
> If you have already edited the shared secret, you should know where it is.
>
> Go read the documentation. If you're too lazy to read it, I'm too lazy to cut & paste it here.
>
> Alan DeKok.
RE: Problem: switch authentication against Freeradius server
What you're after is in the clients - file surely - that's where you set up the clients and secrets..?

Otherwise maybe check if the secret in your switch is encrypted or not, Cisco switches allow input of a 7 or 0 after certain commands to signify encryption or not - from a Cisco NAS.. Not sure if Allied is the same, not seen one.

0 Specifies an UNENCRYPTED key will follow
7 Specifies HIDDEN key will follow

I dunno, maybe I am on the wrong tack - can't pretend I know much!

Andy

From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Roberto Carna
Sent: 23 May 2013 15:52
To: FreeRadius users mailing list
Subject: Re: Problem: switch authentication against Freeradius server

OK, but using radtest utility with user, password and shared secret from other machine, I get the correct response from Freeradius, accepting the authentication.

So, the problem maybe is in my Allied switch, maybe the OS is wrong in certain aspects like cipher libraries.

Thanks to all.

2013/5/23 Alan DeKok al...@deployingradius.com

> Roberto Carna wrote:
>> OK, just a last question...I have Freeradius with MySQL, where is the NAS in order to check the pre-shared secret ???
>
> If you have already edited the shared secret, you should know where it is.
>
> Go read the documentation. If you're too lazy to read it, I'm too lazy to cut & paste it here.
>
> Alan DeKok.