Topic: User with valid password is not allowed (sometimes) - please help !

Hello all,

I've been dealing with a strange issue for a long time, so I decided to describe it here. Maybe you have had a similar problem and can help me.

Scenario:

Chillispot + Freeradius + MySQL on same machine...

All works fine, but sometimes, when a user supplies a valid password, it is declared wrong by FreeRADIUS (no limit has been reached). When the user repeats the login with the same password, it is validated correctly (sometimes only after the third try). Passwords are stored in plain text. I completely reinstalled the server with a newer FreeRADIUS (1.x -> 2.x), but the behaviour is still the same. This happens from time to time and there is no pattern to it. I also changed the attribute from User-Password to Cleartext-Password, as suggested by the FreeRADIUS debug output (freeradius -X), but it is still the same...

I'm sure that users type valid passwords without any spaces or non-printable characters.

Do you have any ideas why this happens?

Thank you..



#MySQL

select * from radcheck where username like 'testuser';
+--------+-----------------+--------------------+----+------------+
| id     | UserName        | Attribute          | op | Value      |
+--------+-----------------+--------------------+----+------------+
| 634393 | testuser | Cleartext-Password | := | testpass |
+--------+-----------------+--------------------+----+------------+
3 rows in set (0.00 sec)



#Failed login:

rad_recv: Access-Request packet from host 127.0.0.1 port 42455, id=0, length=221
    User-Name = "testuser"
    CHAP-Challenge = 0xeccf148d53f051667a9823e5de873733
    CHAP-Password = 0x00d3f4797e4f3259203648b663cf70e1ec
    NAS-IP-Address = 0.0.0.0
    Service-Type = Login-User
    Framed-IP-Address = 172.25.156.18
    Calling-Station-Id = "00-1C-B3-C2-8A-F5"
    Called-Station-Id = "00-0C-29-58-63-5B"
    NAS-Identifier = "nas01"
    Acct-Session-Id = "4c93741900000011"
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 17
    Message-Authenticator = 0xe0b1d438223cc799308111bd8151a15b
    WISPr-Logoff-URL = "http://172.25.156.1:3990/logoff"
+- entering group authorize
    expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100917
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100917
    expand: %t -> Fri Sep 17 16:00:31 2010
++[auth_log] returns ok
  rlm_chap: Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
    expand: %{User-Name} -> testuser
rlm_sql (sql): sql_set_user escaped user --> 'testuser'
rlm_sql (sql): Reserving sql socket id: 1
    expand: SELECT id, UserName, Attribute, Value, op           FROM radcheck           WHERE Username = '%{SQL-User-Name}' and Attribute != 'Qos-Rate'          ORDER BY id  -> SELECT id, UserName, Attribute, Value, op           FROM radcheck           WHERE Username = 'testuser' and Attribute != 'Qos-Rate'          ORDER BY id
rlm_sql (sql): User found in radcheck table
    expand: SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = 'testuser'           ORDER BY id
    expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE UserName='testuser'
    expand: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id -> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql (sql): User found in group pacienti
    expand: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id -> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[weeklycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[monthlycounter] returns noop
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
+- entering group CHAP
  rlm_chap: login attempt by "testuser" with CHAP password
  rlm_chap: Using clear text password "testpass" for user testuser authentication.
  rlm_chap: Password check failed
++[chap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_chap: Wrong user password): [testuser/<CHAP-Password>] (from client localhost port 17 cli 00-1C-B3-C2-8A-F5)
Delaying reject of request 50 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 50
Sending Access-Reject of id 0 to 127.0.0.1 port 42455
    Idle-Timeout := 600
    Acct-Interim-Interval := 600
Waking up in 4.9 seconds..



#Successful login:

rad_recv: Access-Request packet from host 127.0.0.1 port 37286, id=0, length=221
    User-Name = "testuser"
    CHAP-Challenge = 0x3bbd1bb8af26015543db853c2ed4bf57
    CHAP-Password = 0x004184904f618b872506a5ff847d774796
    NAS-IP-Address = 0.0.0.0
    Service-Type = Login-User
    Framed-IP-Address = 172.25.156.18
    Calling-Station-Id = "00-1C-B3-C2-8A-F5"
    Called-Station-Id = "00-0C-29-58-63-5B"
    NAS-Identifier = "nas01"
    Acct-Session-Id = "4c93741900000011"
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 17
    Message-Authenticator = 0xa77fc5e84182b49504d2574eaf4dd1f4
    WISPr-Logoff-URL = "http://172.25.156.1:3990/logoff"
+- entering group authorize
    expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100917
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100917
    expand: %t -> Fri Sep 17 16:00:57 2010
++[auth_log] returns ok
  rlm_chap: Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
    expand: %{User-Name} -> testuser
rlm_sql (sql): sql_set_user escaped user --> 'testuser'
rlm_sql (sql): Reserving sql socket id: 1
    expand: SELECT id, UserName, Attribute, Value, op           FROM radcheck           WHERE Username = '%{SQL-User-Name}' and Attribute != 'Qos-Rate'          ORDER BY id  -> SELECT id, UserName, Attribute, Value, op           FROM radcheck           WHERE Username = 'testuser' and Attribute != 'Qos-Rate'          ORDER BY id
rlm_sql (sql): User found in radcheck table
    expand: SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = 'testuser'           ORDER BY id
    expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE UserName='testuser'
    expand: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id -> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql (sql): User found in group pacienti
    expand: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id -> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[weeklycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[monthlycounter] returns noop
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
+- entering group CHAP
  rlm_chap: login attempt by "testuser" with CHAP password
  rlm_chap: Using clear text password "testpass" for user testuser authentication.
  rlm_chap: chap user testuser authenticated succesfully
++[chap] returns ok
Login OK: [testuser/<CHAP-Password>] (from client localhost port 17 cli 00-1C-B3-C2-8A-F5)
+- entering group post-auth
    expand: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/reply-detail-20100917
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/reply-detail-20100917
    expand: %t -> Fri Sep 17 16:00:57 2010
++[reply_log] returns ok
rlm_sql (sql): Processing sql_postauth
    expand: %{User-Name} -> testuser
rlm_sql (sql): sql_set_user escaped user --> 'testuser'
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
    expand: INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW()) -> INSERT into radpostauth (id, user, pass, reply, date) values ('', 'testuser', 'Chap-Password', 'Access-Accept', NOW())
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'testuser', 'Chap-Password', 'Access-Accept', NOW())
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
Sending Access-Accept of id 0 to 127.0.0.1 port 37286
    Idle-Timeout := 600
    Acct-Interim-Interval := 600
Finished request 53.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 127.0.0.1 port 51236, id=43, length=137
    Acct-Status-Type = Start
    User-Name = "testuser"
    Calling-Station-Id = "00-1C-B3-C2-8A-F5"
    Called-Station-Id = "00-0C-29-58-63-5B"
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 17
    NAS-Port-Id = "00000017"
    NAS-IP-Address = 0.0.0.0
    NAS-Identifier = "nas01"
    Framed-IP-Address = 172.25.156.18
    Acct-Session-Id = "4c93741900000011"
+- entering group preacct
rlm_acct_unique: Hashing 'NAS-Port = 17,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 0.0.0.0,Acct-Session-Id = "4c93741900000011",User-Name = "testuser"'
rlm_acct_unique: Acct-Unique-Session-ID = "7b48c9ff641f78a5".
++[acct_unique] returns ok
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
+- entering group accounting
    expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/detail-20100917
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/detail-20100917
    expand: %t -> Fri Sep 17 16:00:57 2010
++[detail] returns ok
    expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp
    expand: %{User-Name} -> testuser
++[radutmp] returns ok
++[acct_unique] returns noop
    expand: %{User-Name} -> testuser
rlm_sql (sql): sql_set_user escaped user --> 'testuser'
    expand: INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0') -> INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('4c93741900000011', '7b48c9ff641f78a5', 'testuser', '', '0.0.0.0', '17', 'Wireless-802.11', '2010-09-17 16:00:57', '0', '0', '', '', '', '0', '0', '00-0C-29-58-63-5B', '00-1C-B3-C2-8A-F5', '', '', '', '172.25.156.18', '', '0')
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
Sending Accounting-Response of id 43 to 127.0.0.1 port 51236
Finished request 54.
Cleaning up request 54 ID 43 with timestamp +1249
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 53 ID 0 with timestamp +1249
Ready to process requests.


#radiusd.conf



prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius

log_file = ${logdir}/radius.log

libdir = /usr/lib/freeradius

pidfile = ${run_dir}/freeradius.pid

user = freerad
group = freerad

max_request_time = 30

delete_blocked_requests = no

cleanup_delay = 5

max_requests = 1024

bind_address = *

port = 0

hostname_lookups = no

allow_core_dumps = no

regular_expressions    = yes
extended_expressions    = yes

log_stripped_names = yes

log_auth = yes

log_auth_badpass = yes
log_auth_goodpass = yes

usercollide = no

lower_user = no
lower_pass = no

nospace_user = no
nospace_pass = no

checkrad = ${sbindir}/checkrad

security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}

proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf

$INCLUDE  ${confdir}/clients.conf
snmp    = no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

modules {
    pap {
        encryption_scheme = clear
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }

    unix {
        cache = no
        cache_reload = 600
        shadow = /etc/shadow
        radwtmp = ${logdir}/radwtmp
    }

$INCLUDE ${confdir}/eap.conf

    mschap {
    }

    ldap {
        server = "ldap.your.domain"
        basedn = "o=My Org,c=UA"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

        start_tls = no
        access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }

    realm IPASS {
        format = prefix
        delimiter = "/"
        ignore_default = no
        ignore_null = no
    }

    realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = no
    }

    realm realmpercent {
        format = suffix
        delimiter = "%"
        ignore_default = no
        ignore_null = no
    }

    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_default = no
        ignore_null = no
    }   

    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
    }

    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }

     detail auth_log {
         detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
     }

     detail reply_log {
         detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
     }

    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    }
    $INCLUDE  ${confdir}/sql.conf

    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes       
        perm = 0600
        callerid = "yes"
    }

    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }

    attr_filter {
        attrsfile = ${confdir}/attrs
    }

    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }

    sqlcounter noresetcounter {
        counter-name = Max-All-Session-Time
        check-name = Max-All-Session
        sqlmod-inst = sql
        key = User-Name
        reset = never
        query = "SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{%k}'"
    }

    sqlcounter weeklycounter {
        driver = "rlm_sqlcounter"
        counter-name = Weekly-Session-Time
        check-name = Max-Weekly-Session
        sqlmod-inst = sqlcca3
        key = User-Name
        reset = weekly
        query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND \
        UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > %b"
    }

    sqlcounter dailycounter {
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        sqlmod-inst = sql
        key = User-Name
        reset = daily

        query = "SELECT IFNULL(SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)),0) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > %b"
    }

    sqlcounter monthlycounter {
        counter-name = Monthly-Session-Time
        check-name = Max-Monthly-Session
        sqlmod-inst = sql
        key = User-Name
        reset = monthly

        query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > %b"
    }

    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }

    expr {
    }

    digest {
    }

    exec {
        wait = yes
        input_pairs = request
    }

    exec echo {
        wait = yes

        program = "/bin/echo %{User-Name}"

        input_pairs = request

        output_pairs = reply

    }

    ippool main_pool {

        range-start = 192.168.1.1
        range-stop = 192.168.3.254
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
        maximum-timeout = 0
    }
}

instantiate {
    exec
    expr
}

authorize {
    auth_log
    chap
    mschap
    suffix
    eap
    sql
    noresetcounter
    dailycounter
    weeklycounter
    monthlycounter
}



authenticate {
    Auth-Type PAP {
        pap
    }

    Auth-Type CHAP {
        chap
    }

    Auth-Type MS-CHAP {
        mschap
    }
    unix
    eap
}


preacct {
    acct_unique
    suffix
}

accounting {
    detail
    radutmp
    acct_unique
    sql
}


session {
    sql
}


post-auth {
    reply_log
    sql
}

pre-proxy {

}

post-proxy {
    eap
}

log {
    syslog_facility = daemon
}
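
An offline check for the CHAP exchange shown in the debug output above, added here as an example and not part of the original post or of FreeRADIUS: it recomputes the response that RFC 2865 expects, MD5(ident || password || challenge), from the logged CHAP-Challenge and CHAP-Password and compares it with what the NAS sent. The function names and the sample challenge are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Matches the two attributes as printed in FreeRADIUS debug output, e.g.
#     CHAP-Challenge = 0x3bbd...
ATTR_RE = re.compile(r"^\s*(CHAP-Challenge|CHAP-Password)\s*=\s*0x([0-9a-fA-F]+)\s*$")


def parse_chap_attrs(debug_text):
    """Return the first CHAP-Challenge and CHAP-Password found, as bytes."""
    attrs = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.match(line)
        if m and m.group(1) not in attrs:
            attrs[m.group(1)] = bytes.fromhex(m.group(2))
    missing = {"CHAP-Challenge", "CHAP-Password"} - attrs.keys()
    if missing:
        # When CHAP-Challenge is absent, RFC 2865 uses the Request
        # Authenticator as the challenge; that case is not handled here.
        raise ValueError("missing attribute(s): " + ", ".join(sorted(missing)))
    return attrs


def chap_response(chap_id, password, challenge):
    """CHAP response per RFC 2865 / RFC 1994: MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def check_chap(debug_text, cleartext_password):
    """Compare the response in the log with the one the stored password yields."""
    attrs = parse_chap_attrs(debug_text)
    chap_password = attrs["CHAP-Password"]
    if len(chap_password) != 17:
        raise ValueError("CHAP-Password must be 1 ident octet + 16 response octets")
    chap_id, received = chap_password[0], chap_password[1:]
    expected = chap_response(
        chap_id, cleartext_password.encode("utf-8"), attrs["CHAP-Challenge"]
    )
    return {
        "chap_id": chap_id,
        "received": received.hex(),
        "expected": expected.hex(),
        "match": hmac.compare_digest(received, expected),
    }


def format_request(chap_id, response, challenge):
    """Render both attributes the way the debug output prints them (constructed input)."""
    return "    CHAP-Challenge = 0x%s\n    CHAP-Password = 0x%02x%s\n" % (
        challenge.hex(), chap_id, response.hex())


if __name__ == "__main__":
    # Constructed sample, not values taken from the thread.
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")
    sample = format_request(0, chap_response(0, b"testpass", challenge), challenge)
    print(check_chap(sample, "testpass"))   # response matches the stored password
    print(check_chap(sample, "testpass "))  # a stored value with a trailing space does not
```

Run against the attribute lines of a rejected request together with the real stored password: a mismatch means the response arriving from the NAS was computed from a different password or challenge, while a match on a request that rlm_chap rejected points at the server side.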

Re: User with valid password is not allowed (sometimes) - please help !

The same problem here. Any solution for this issue?
Thanks