# [solved] FreeRADIUS + Extreme Networks: no administrative login

## 0x4a47

hi,

i'm currently using extreme networks switches (black diamonds, alpines,...) with epicenter and radius login.

now i need to setup a secondary radius server and i installed freeradius on one of our gentoo servers.

the epicenter is configured as primary radius-server on the switches. during my tests i just disabled epicenter, didn't change the setup on the switches (except for secondary server).

with the help of this thread https://forums.gentoo.org/viewtopic.php?t=101967 i've set up freeradius with one user who is already able to login.

the problem i'm facing is, that this user should be admin on the switches, but even when setting "Service-Type = Administrative-User" i don't have the rights to do anything on the switch.

/etc/raddb/myuserfile:

```
user1    Auth-Type := System, Crypt-Password == "$1$Q8ddOA63$qwR8llXXIpTgmZ9Y8VwVr/", Service-Type == "Administrative-User"
```

this is the output of one login attempt via telnet (radiusd -sfxxyz -l stdout):

```
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
 detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
 detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 10.6.0.1:1279, id=208, length=82
        User-Name = "user1"
        User-Password = "password"
        NAS-IP-Address = 10.6.0.1
        Service-Type = Login-User
        Calling-Station-Id = "212.xx.xx.xx"
        NAS-Port-Type = Virtual
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/var/log/radius/radacct/10.6.0.1/auth-detail-20040324'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.6.0.1/auth-detail-20040324
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [user1/password] (from client switches port 0 cli 212.xx.xx.xx)
  WARNING: Unprintable characters in the password. ?  Double-check the shared secret on the server and the NAS!
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 208 to 10.6.0.1:1279
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 10.6.0.1:1280, id=28, length=82
        User-Name = "user1"
        User-Password = "password"
        NAS-IP-Address = 10.6.0.1
        Service-Type = Administrative-User
        Calling-Station-Id = "212.xx.xx.xx"
        NAS-Port-Type = Virtual
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat:  '/var/log/radius/radacct/10.6.0.1/auth-detail-20040324'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.6.0.1/auth-detail-20040324
  modcall[authorize]: module "auth_log" returns ok for request 1
    users: Matched user1 at 1
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type System
auth: type Crypt
Login OK: [user1/password] (from client switches port 0 cli 212.xx.xx.xx)
Sending Access-Accept of id 28 to 10.6.0.1:1280
Finished request 1
Going to the next request
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 208 with timestamp 4061a032
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 28 with timestamp 4061a034
Nothing to do.  Sleeping until we see a request.
```

it is strange, that one login attempt triggers 2 accesses, where the first one is "Service-Type = Login-User" with a warning that the shared secret is wrong (which isn't).

so it is likely that i have misconfigured something, but i just didn't find the problem...

i also found this http://lists.cistron.nl/pipermail/freeradius-users/2002-November/013423.html but there was no solution :(

thx for any hint,

JG

Last edited by 0x4a47 on Mon Mar 29, 2004 3:08 pm; edited 1 time in total

----------

## 0x4a47

well, yeah ;) after hours of debugging/trying i found the problem (with the help of this site: http://www.extremenetworks.com/services/documentation/ExtremeWareUser622-Chapter03.asp#pgfId-27194) what a shame *gg*

everything was setup fine and correctly, but the users-file had an incorrect syntax, although check-radiusd-config didn't report any errors...

must have overlooked that in the docu, found it on the extreme networks homepage in the cistron radius server paragraph.

it was missing a tabulator before Service-Type, here's the correct file, just in case someone else will search for this:

```
user1     Crypt-Password == "$1$Q8ddOA63$qwR8llXXIpTgmZ9Y8VwVr/"
        Service-Type == "Administrative-User",
        Filter-Id == "unlim"
```

JG

----------
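In a FreeRADIUS users file, the first line of an entry holds check items and the indented lines that follow hold reply items; that is the difference between the two files posted in this thread. The following is an added example (not code from the original posts): a small linter that flags entries where `Service-Type` or `Filter-Id` appears only as a check item. The sample entries and the placeholder hash are constructed.

```python
import re

# Attributes the NAS must receive in the Access-Accept to assign a privilege
# level (assumption for this example: the two attributes used in the thread).
AUTHZ_REPLY_ATTRS = {"Service-Type", "Filter-Id"}
ITEM = re.compile(r'([A-Za-z0-9-]+)\s*(:=|==|\+=|=)\s*("[^"]*"|[^,\s]+)')

def parse_users(text):
    """Split entries into check items (first line) and reply items
    (indented continuation lines)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        names = [m.group(1) for m in ITEM.finditer(line)]
        if line[0] in " \t":            # indented line: reply items
            if entries:
                entries[-1]["reply"] += names
        else:                           # unindented line: user name + check items
            entries.append({"user": line.split()[0], "check": names, "reply": []})
    return entries

def lint(text):
    """Return (user, attr) where an authorization attribute is only a check
    item: it filters requests but is never sent back to the NAS."""
    return [(e["user"], a) for e in parse_users(text)
            for a in e["check"] if a in AUTHZ_REPLY_ATTRS and a not in e["reply"]]

# Constructed sample entries; the hash is a placeholder, not a real credential.
BROKEN = ('user1    Auth-Type := System, Crypt-Password == "$1$EXAMPLE$placeholder", '
          'Service-Type == "Administrative-User"\n')
FIXED = ('user1\tCrypt-Password == "$1$EXAMPLE$placeholder"\n'
         '\tService-Type == "Administrative-User",\n'
         '\tFilter-Id == "unlim"\n')

if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, parse_users(sample), lint(sample))
```

With `Service-Type` as a check item, the entry only matches requests that already carry that value, which is consistent with the debug log above: the `Login-User` request got `notfound` from `files`, the `Administrative-User` request matched, and the Access-Accept is logged without any reply attributes.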

