Freeradius Error (pap: ERROR: Password must not be empty)

This is a situation where we linked DHCP between Freeradius and Mikrotik Router.

The data is stored in mysql and works fine.

However, due to the nature of the Mikrotik Router, the User-Password is sent empty.

(0)   User-Name = "00:0C:29:55:D0:C4"
(0)   NAS-Port-Type = Ethernet
(0)   NAS-Port = 2197815782
(0)   Service-Type = Framed-User
(0)   Calling-Station-Id = "ff:bc:9a:4a:2d:0:2:0:0:ab:11:c0:56:c7:e1:e8:28:59:1c"
(0)   Called-Station-Id = "defconf"
(0)   User-Password = ""              # <--- Here
(0)   NAS-Identifier = "MikroTik"
(0)   NAS-IP-Address = 192.168.88.1

I found a way to solve this problem and found that there are the following methods.

However, eventually, the PAP receives an error message stating that the empty password cannot be authenticated, and authentication fails.

authorize {
        update request {
                User-Password = "%{User-Name}"
        }
        # ... remaining authorize modules ...
}

It seems to be updating, but the message "(1) pap: ERROR: Password must not be empty" is printed.

Is there a way? Thank you in advance for your reply.

Full Log

(0) Received Access-Request Id 53 from 192.168.88.1:51985 to 192.168.88.10:1812 length 154
(0)   User-Name = "00:0C:29:55:D0:C4"
(0)   NAS-Port-Type = Ethernet
(0)   NAS-Port = 2197815782
(0)   Service-Type = Framed-User
(0)   Calling-Station-Id = "ff:bc:9a:4a:2d:0:2:0:0:ab:11:c0:56:c7:e1:e8:28:59:1c"
(0)   Called-Station-Id = "defconf"
(0)   User-Password = ""
(0)   NAS-Identifier = "MikroTik"
(0)   NAS-IP-Address = 192.168.88.1
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     update request {
(0)       EXPAND %{User-Name}
(0)          --> 00:0C:29:55:D0:C4
(0)       User-Password = 00:0C:29:55:D0:C4
(0)     } # update request = noop
(0) sql: EXPAND %{User-Name}
(0) sql:    --> 00:0C:29:55:D0:C4
(0) sql: SQL-User-Name set to '00:0C:29:55:D0:C4'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '00:0C:29:55:D0:C4' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '00:0C:29:55:D0:C4' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql:   Cleartext-Password := "00:0C:29:55:D0:C4"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '00:0C:29:55:D0:C4' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '00:0C:29:55:D0:C4' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql:    --> SELECT groupname FROM radusergroup WHERE username = '00:0C:29:55:D0:C4' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '00:0C:29:55:D0:C4' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
Need more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.168.5.238 via TCP/IP, server version 5.5.5-10.6.7-MariaDB-2ubuntu1.1, protocol version 10
(0)     [sql] = ok
(0) sql: EXPAND %{User-Name}
(0) sql:    --> 00:0C:29:55:D0:C4
(0) sql: SQL-User-Name set to '00:0C:29:55:D0:C4'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '00:0C:29:55:D0:C4' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '00:0C:29:55:D0:C4' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql:   Cleartext-Password := "00:0C:29:55:D0:C4"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '00:0C:29:55:D0:C4' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '00:0C:29:55:D0:C4' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql:    --> SELECT groupname FROM radusergroup WHERE username = '00:0C:29:55:D0:C4' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '00:0C:29:55:D0:C4' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (2)
(0)     [sql] = ok
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = ok
(0)     } # policy filter_username = ok
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "00:0C:29:55:D0:C4", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     [pap] = updated
(0)   } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Auth-Type PAP {
(0) pap: ERROR: Password must not be empty
(0)     [pap] = invalid
(0)   } # Auth-Type PAP = invalid
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) sql: EXPAND .query
(0) sql:    --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (3)
(0) sql: EXPAND %{User-Name}
(0) sql:    --> 00:0C:29:55:D0:C4
(0) sql: SQL-User-Name set to '00:0C:29:55:D0:C4'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S.%M' )
(0) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( '00:0C:29:55:D0:C4', '', 'Access-Reject', '2022-07-26 17:27:35.827521' )
(0) sql: EXPAND /var/log/freeradius/sqllog.sql
(0) sql:    --> /var/log/freeradius/sqllog.sql
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( '00:0C:29:55:D0:C4', '', 'Access-Reject', '2022-07-26 17:27:35.827521' )
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (3)
(0)     [sql] = ok
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> 00:0C:29:55:D0:C4
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
(0) (0) Discarding duplicate request from client Mikrotik_Test port 51985 - ID: 53 due to delayed response
Waking up in 0.6 seconds.
(0) (0) Discarding duplicate request from client Mikrotik_Test port 51985 - ID: 53 due to delayed response
Waking up in 0.3 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 53 from 192.168.88.10:1812 to 192.168.88.1:51985 length 20
Waking up in 3.9 seconds.

I have really scratched my head for the last 2 days to sort the problem. It turns out it has a very simple solution. Apparently, the pap configuration does not accept empty passwords. The workaround is as below.
In the radcheck table, add the following:
username - "Mac Address"
Attribute - "Auth-Type"
OP - ":="
value - "Accept"
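
Added example (not part of the original question or answer): a small Python triage of `radiusd -X` output, run on an excerpt of the log above, that pulls out the lines explaining the reject. The `update request = noop` result is consistent with unlang's `=` operator, which adds an attribute only when none of that name is already in the list; the function and field names are this example's own.

```python
import re
# Excerpt of the `radiusd -X` output quoted in the question above.
SAMPLE_LOG = """\
(0) Received Access-Request Id 53 from 192.168.88.1:51985 to 192.168.88.10:1812 length 154
(0)   User-Name = "00:0C:29:55:D0:C4"
(0)   User-Password = ""
(0)     update request {
(0)       User-Password = 00:0C:29:55:D0:C4
(0)     } # update request = noop
rlm_sql (sql): Reserved connection (1)
(0) pap: ERROR: Password must not be empty
(0) Sent Access-Reject Id 53 from 192.168.88.10:1812 to 192.168.88.1:51985 length 20
"""

LINE = re.compile(r"^\((\d+)\)\s+(.*)$")              # "(N) <body>" per-request lines
ATTR = re.compile(r'^([A-Za-z][\w-]*) = "(.*)"$')     # quoted attribute as received
SECTION = re.compile(r"^\} # (.+?)\s+= (\w+)$")       # "} # update request = noop"
ERROR = re.compile(r"^(\w+): ERROR: (.*)$")           # "pap: ERROR: ..."
SENT = re.compile(r"^Sent (\S+) Id ")                 # reply packet type

def parse(log):
    """Group debug lines by request number into attrs, section results, errors, reply."""
    reqs = {}
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # server-wide lines such as "rlm_sql (sql): ..." carry no (N) prefix
        req = reqs.setdefault(int(m.group(1)),
                              {"attrs": {}, "sections": {}, "errors": [], "reply": None})
        body = m.group(2)
        if a := ATTR.match(body):
            req["attrs"].setdefault(a.group(1), a.group(2))  # keep the value as received
        elif s := SECTION.match(body):
            req["sections"][s.group(1)] = s.group(2)
        elif e := ERROR.match(body):
            req["errors"].append((e.group(1), e.group(2)))
        elif t := SENT.match(body):
            req["reply"] = t.group(1)
    return reqs

def diagnose(req):
    """Return findings for the failure pattern shown in the question's log."""
    out = []
    if req["attrs"].get("User-Password") == "":
        out.append("User-Password arrived empty")
    if req["sections"].get("update request") == "noop":
        out.append("update request returned noop: request list unchanged")
    out += [f"{mod} failed: {msg}" for mod, msg in req["errors"]]
    return out
```

With the answer's `Auth-Type := Accept` row in place the `pap` module is no longer run for that user, so the request is accepted on the User-Name (the MAC address) alone.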
