users file: =~ and User-Password
stefan.winter at restena.lu
Fri Mar 24 12:40:50 CET 2006
> That will not work. How is the mschap module supposed to know which
> plaintext password to perform the challenge/response with? In fact,
> since the "value" is a regexp, how is it supposed to even know what the
> alternative values are (you cannot in general reverse a regexp to get
> the matching inputs).
I don't expect it to do that. This line in the users file is supposed to work
only for services that use PAP, and can actually do a string comparison on
User-Password. What I would like to do when these people use VPN is that
"users" doesn't match, and the VPN-only password is subsequently fetched in
authorize->sql, with which the mschap module can do its magic. (Sorry for not
mentioning beforehand that these users also are in sql - just with
User-Password := VPN password)
> Hmm. You're probably right - it should never match.
Thanks. That's my point. If it wouldn't match, user validation would work
beautifully by fetching the appropriate VPN password from sql and my case was
> Given that it should never match, why don't you just delete those
> entries? What are you expecting them to do? Are you expecting that to
> somehow try two passwords in turn for a user, because it won't. See
> below for a possible solution.
Well, as said above, these lines are supposed to match against PAP requests.
(And they do - it's just the VPN case that makes trouble)
> No. The "files" module definitely does nothing like that.
Then I really wonder why the debug output says:
users: Matched entry foobar at line 115
> It's not, and it's not happening. Something else is going on. I would
> have to look at the source to determine what, and am busy a.t.m.
Okay, no problem. It's not urgent, I found a way around it. Still it is
strange. And the debug output is painfully clear about "users" matching this
> Well, what you're doing (at least, the way you're doing it) is not
> possible. MSCHAP is a challenge/response algorithm, and needs a single
> unambiguous plaintext at the server to validate the response.
If =~ worked as expected, things would work the way I set them up.
> You might be able to use the module failover to do something:
Huh. Better not. My workaround was to add an entry for the VPN concentrator IP
that does nothing and does not fall through, before the lines with the uneasy
users. That way it jumps to sql and is happy.
> My advice to you would be to solve the non-technical problem
> non-technically and educate your users to use the correct (VPN) password
> when accessing VPN.
*sigh* We're underway. Actually, we tell these people to update their
passwords, because then they will automatically get synchronised. But we need
something for the transition time.
RESTENA Foundation - Réseau Téléinformatique de l'Education Nationale et de
6, rue Richard Coudenhove-Kalergi
email: stefan.winter at restena.lu Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473
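The workaround described in the reply above (an entry keyed on the VPN concentrator's NAS address, placed before the password-regex entries so that VPN requests stop there and authorization continues to sql), as an added users-file example that is not from the original mail or the FreeRADIUS project; the NAS address, user name and regex are assumptions.

```text
# Added example, not from the original mail; the NAS address, user name and
# regex are hypothetical. Entries are tried top to bottom; the first matching
# entry ends the search unless it sets Fall-Through = Yes.

# Requests from the VPN concentrator match here, set no reply items and stop,
# so the password-regex entries below are never consulted for VPN logins and
# the authorize section carries on to the sql module, which holds the
# VPN-only password the mschap module needs.
DEFAULT NAS-IP-Address == 192.0.2.10
        Fall-Through = No

# PAP-only entries: the request carries a plaintext User-Password, so the
# regex comparison is meaningful. For MS-CHAP requests there is no
# User-Password to compare, which is why these must not be reached for VPN.
foobar  User-Password =~ "^(oldpassword|newpassword)$"
        Reply-Message = "Welcome"
```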