ISSUE: Authentication will fail unless a "known good" password is available

classic Classic list List threaded Threaded
2 messages Options
| Threaded
Open this post in threaded view
|

ISSUE: Authentication will fail unless a "known good" password is available

somanath.mishra
Hi Team,
 I am facing issue with radtest. I am getting error like:
Authentication will fail unless a "known good" password is available

Below debug details:


Received Access-Request Id 241 from 127.0.0.1:38747 to 127.0.0.1:1812
length 74
(3)   User-Name = "test"
(3)   User-Password = "test123"
(3)   NAS-IP-Address = 127.0.1.1
(3)   NAS-Port = 1812
(3)   Message-Authenticator = 0x73b04566a900069b236e748aee43500c
(3) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
-> FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "test", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: No EAP-Message, not doing EAP
(3)     [eap] = noop
(3)     [files] = noop
(3) sql: EXPAND %{User-Name}
(3) sql:    --> test
(3) sql: SQL-User-Name set to 'test'
rlm_sql (sql): Closing connection (8): Hit idle_timeout, was idle for 141
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (9): Hit idle_timeout, was idle for 141
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (7): Hit idle_timeout, was idle for 141
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_sql (sql): Opening additional connection (10), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX
socket, server version 5.7.22-0ubuntu0.16.04.1, protocol version 10
rlm_sql (sql): Reserved connection (10)
(3) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(3) sql:    --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'test' ORDER BY id
(3) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'test' ORDER BY id
(3) sql: User found in radcheck table
(3) sql: Conditional check items matched, merging assignment check items
(3) sql:   User-Password := "test123"
(3) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id
(3) sql:    --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'test' ORDER BY id
(3) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'test' ORDER BY id
(3) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(3) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'test'
ORDER BY priority
(3) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
username = 'test' ORDER BY priority
(3) sql: User not found in any groups
rlm_sql (sql): Released connection (10)
Need 2 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (11), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX
socket, server version 5.7.22-0ubuntu0.16.04.1, protocol version 10
(3)     [sql] = ok
(3)     [expiration] = noop
(3)     [logintime] = noop
(3) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(3) pap: WARNING: !!! Ignoring control:User-Password.  Update your        !!!
(3) pap: WARNING: !!! configuration so that the "known good" clear text !!!
(3) pap: WARNING: !!! password is in Cleartext-Password and NOT in        !!!
(3) pap: WARNING: !!! User-Password.                                      !!!
(3) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(3) pap: WARNING: No "known good" password found for the user.  Not
setting Auth-Type
(3) pap: WARNING: Authentication will fail unless a "known good" password
is available
(3)     [pap] = noop
(3)   } # authorize = ok
(3) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(3) Failed to authenticate the user
(3) Using Post-Auth-Type Reject
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3)   Post-Auth-Type REJECT {
(3) sql: EXPAND .query
(3) sql:    --> .query
(3) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (10)
(3) sql: EXPAND %{User-Name}
(3) sql:    --> test
(3) sql: SQL-User-Name set to 'test'
(3) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')
(3) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'test', 'test123', 'Access-Reject', '2018-04-26 20:51:05')
(3) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'test', 'test123', 'Access-Reject', '2018-04-26
20:51:05')
(3) sql: SQL query returned: success
(3) sql: 1 record(s) updated
rlm_sql (sql): Released connection (10)
(3)     [sql] = ok
(3) attr_filter.access_reject: EXPAND %{User-Name}
(3) attr_filter.access_reject:    --> test
(3) attr_filter.access_reject: Matched entry DEFAULT at line 11
(3)     [attr_filter.access_reject] = updated
(3)     [eap] = noop
(3)     policy remove_reply_message_if_eap {
(3)       if (&reply:EAP-Message && &reply:Reply-Message) {
(3)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(3)       else {
(3)         [noop] = noop
(3)       } # else = noop
(3)     } # policy remove_reply_message_if_eap = noop
(3)   } # Post-Auth-Type REJECT = updated
(3) Login incorrect (No Auth-Type found: rejecting the user via
Post-Auth-Type = Reject): [test/test123] (from client localhost port 1812)
(3) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(3) Sending delayed response
(3) Sent Access-Reject Id 241 from 127.0.0.1:1812 to 127.0.0.1:38747
length 20
Waking up in 3.9 seconds.
(3) Cleaning up request packet ID 241 with timestamp +264
Ready to process requests


Please help me on that.



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: ISSUE: Authentication will fail unless a "known good" password is available

Nathan Ward
Hi,

It tells you what to do, just a few lines above, with a big box of ! marks around it and it says “WARNING” on every line.

Your database is returning a User-Password. Change the attribute name to Cleartext-Password.

> On 26/04/2018, at 5:28 PM, Somanath Mishra <[hidden email]> wrote:
>
> (3) sql: Conditional check items matched, merging assignment check items
> (3) sql:   User-Password := “test123"


> (3) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> (3) pap: WARNING: !!! Ignoring control:User-Password.  Update your        !!!
> (3) pap: WARNING: !!! configuration so that the "known good" clear text !!!
> (3) pap: WARNING: !!! password is in Cleartext-Password and NOT in        !!!
> (3) pap: WARNING: !!! User-Password.                                      !!!
> (3) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> (3) pap: WARNING: No "known good" password found for the user.  Not
> setting Auth-Type
> (3) pap: WARNING: Authentication will fail unless a "known good" password
> is available


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html