FreeRadius + MySQL & Encrypted passwords
Bogdan Dumitriu - Technical Support Team
helpdesk22 at mycybernet.net
Thu May 4 21:41:58 CEST 2006
Hi all,
I've been trying to encrypt the passwords in MySQL using SHA1 or MD5
without any luck for the last several days.
First let me tell you a bit about our system:
RedHat ES 4
freeradius-1.0.1-2.RHEL4
freeradius-mysql-1.0.1-2.RHEL4
mysql-server-4.1.7-4.RHEL4.1
mysql-4.1.7-4.RHEL4.1
Everything works fine with clear text passwords and if I use Unix Crypt.
This is the config that works with Unix Crypt:
radcheck
+-----+----------+----------------+----+---------------+
| id  | UserName | Attribute      | op | Value         |
+-----+----------+----------------+----+---------------+
| 844 | bogdan   | Crypt-Password | == | 55MCU5TXMoKsA |
+-----+----------+----------------+----+---------------+
usergroup
+-----+------------+-------------+
| id | UserName | GroupName |
+-----+------------+-------------+
| 844 | bogdan | adsl-static |
+-----+------------+-------------+
radgroupcheck
+----+-------------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-------------+-----------+----+-------+
| 1 | adsl | Auth-Type | := | PAP |
| 2 | adsl-static | Auth-Type | := | PAP |
radius.conf
-------------
...........................
modules {
    ..................
    pap {
        encryption_scheme = crypt
    }
    ....................
}
authenticate {
    ..............
    Auth-Type PAP {
        pap
    }
    ...............
}
This works perfectly!
Now I want to use MD5 or SHA1, so I change:
pap {
    encryption_scheme = sha1 (or md5)
}
And this is what I get in /usr/sbin/radiusd -X:
modcall[authorize]: module "sql" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type PAP
auth: type "PAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_pap: login attempt by "shipcoadsl" with password test
rlm_pap: Crypt-Password attribute but encryption scheme is not set to CRYPT
modcall[authenticate]: module "pap" returns fail for request 0
modcall: group Auth-Type returns fail for request 0
If I change:
+-----+----------+----------------+----+----------------+
| id  | UserName | Attribute      | op | Value          |
+-----+----------+----------------+----+----------------+
| 844 | bogdan   | Crypt-Password | == | {md5} password |
+-----+----------+----------------+----+----------------+
to:
+-----+----------+----------------+----+----------------+
| id  | UserName | Attribute      | op | Value          |
+-----+----------+----------------+----+----------------+
| 844 | bogdan   | User-Password  | == | {md5} password |
+-----+----------+----------------+----+----------------+
And this is what I get:
rlm_sql (sql): No matching entry in the database for request from user [shipcoadsl]
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [shipcoadsl/test] (from client TestNAS2 port 0)
I also tried changing:
radgroupcheck
+----+-------------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-------------+-----------+----+-------+
| 1 | adsl | Auth-Type | := | PAP |
to:
radgroupcheck
+----+-------------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-------------+-----------+----+-------+
| 1 | adsl | Auth-Type | := | MD5 |
Then add:
authenticate {
    ..............
    Auth-Type MD5 {
        pap
    }
    ...............
}
and I got exactly the same answer as before!
Tried adding to the radgroupreply:
| 26 | adsl-static | Auth-Type | := | PAP | 0 |
but still no luck!
Is this a bug? What am I missing?
Your help will be greatly appreciated!
Thanks,
Bogdan.