PAP questions.

Keith Woodworth kwoody at citytel.net
Fri Sep 8 05:39:46 CEST 2006


On Tue, 22 Aug 2006, Alan DeKok wrote:

|->Keith Woodworth <kwoody at citytel.net> wrote:
|->> One of the things I did try was add PAP to the authorize section, but
|->> radius failed to start when I did that.
|->
|->  And the error message was...?

Had to put this project aside for the last 2 weeks... Hate when I have to
do that. Also this post has lots of debug output.

Anyway here is the error:

radiusd.conf: "PAP" modules aren't allowed in 'authorize' sections -- they
have no such method.
radiusd.conf[1569] Failed to parse authorize section.

Here is where I put pap, with all the comments stripped:

authorize {
        preprocess
#       auth_log
#       attr_filter
        ### KEITH
        pap
        chap
        mschap
#       digest
#       IPASS
#       ntdomain
        #eap
        files
        sql
#       etc_smbpasswd
#       ldap
#       daily
#       checkval
}

|->> Deployingradius.com did say there were very few circumstances to set
|->> Auth-Type, but not which ones. Guess I found one?
|->
|->  Possibly.  Much of this is fixed in CVS head, which is currently
|->planned to be 2.0 before Christmas.  The PAP module does more there,
|->and there are MANY fewer cases where you have to set Auth-Type.

At the rate I'm going, it will be Christmas before I'm ready to go.

|->> How stable is the current server version? Anyone using it in production?
|->
|->  Yes.  A number of people.  There are 3 issues that need addressing
|->before it's ready for an official 2.0, however.

Would it be advisable to upgrade at this point or wait till it's official?

|->> Sounds like I might have to be using the CVS version to do what I want
|->> properly of only having the user in one table and do PAP authentication
|->> with the crypt password stored in sql.
|->
|->  1.1.2 can do it, it just takes a little more configuration.
|->Basically, for every user who has a Crypt-Password attribute, you have
|->to set "Auth-Type = Local".    Not ":=", but "=".

After having to put this aside for a few weeks I have finally done some
testing.

One. If the user has a crypt password in radcheck:

 4 | tester     | Crypt-Password | := | f3RCpSYQzT292

is listed in Usergroup:

14 | tester     | default

And default is in radgroupcheck:

+----+-----------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-------+
|  1 | default   | Auth-Type | =  | Local |

This is the debug output:

rad_recv: Access-Request packet from host 204.244.99.67:1645, id=92,
length=76
        NAS-Port-Type = Async
        User-Name = "tester"
        User-Password = "test"
        Service-Type = Framed-User
        Framed-Protocol = PPP
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  modcall[authorize]: module "files" returns notfound for request 0
radius_xlat:  'tester'
rlm_sql (sql): sql_set_user escaped user --> 'tester'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'tester' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'tester' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'tester' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'tester' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.

Ok, so next change radgroupcheck so Auth-Type is PAP:

+----+-----------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-------+
|  1 | default   | Auth-Type | := | PAP   |

and do another dialup try:

rad_recv: Access-Request packet from host 204.244.99.67:1645, id=93,
length=76
        NAS-Port-Type = Async
        User-Name = "tester"
        User-Password = "test"
        Service-Type = Framed-User
        Framed-Protocol = PPP
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  modcall[authorize]: module "files" returns notfound for request 0
radius_xlat:  'tester'
rlm_sql (sql): sql_set_user escaped user --> 'tester'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'tester' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'tester' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'tester' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'tester' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type PAP
auth: type "PAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 0
rlm_pap: login attempt by "tester" with password test
rlm_pap: Using password "f3RCpSYQzT292" for user tester authentication.
rlm_pap: Using CRYPT encryption.
rlm_pap: User authenticated succesfully
  modcall[authenticate]: module "pap" returns ok for request 0
modcall: leaving group PAP (returns ok) for request 0
Sending Access-Accept of id 93 to 204.244.99.67 port 1645
        Service-Type := Framed-User
        Framed-Protocol := PPP
        Framed-Compression := Van-Jacobson-TCP-IP
        Framed-MTU := 1500
        Framed-Routing := None
        Framed-IP-Netmask := 255.255.255.255
Finished request 0

I get authenticated, I get an IP and away I go.

Now here is the main issue: I remove the user tester from the UserGroup
table but leave Auth-Type := PAP.

rad_recv: Access-Request packet from host 204.244.99.67:1645, id=97,
length=76
        NAS-Port-Type = Async
        User-Name = "tester"
        User-Password = "test"
        Service-Type = Framed-User
        Framed-Protocol = PPP
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  modcall[authorize]: module "files" returns notfound for request 0
radius_xlat:  'tester'
rlm_sql (sql): sql_set_user escaped user --> 'tester'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'tester' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'tester' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'tester' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'tester' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: type Crypt
Sending Access-Accept of id 97 to 204.244.99.67 port 1645
Finished request 0

And while Radius seems to send an Access-Accept, the dialup user gets an
error 691 password invalid.

So last change set Auth-Type = Local in radgroupcheck as per the
suggestion above:

 1 | default   | Auth-Type | =  | Local

Debug output:

rad_recv: Access-Request packet from host 204.244.99.67:1645, id=100,
length=76
        NAS-IP-Address = 204.244.98.67
        NAS-Port = 23
        NAS-Port-Type = Async
        User-Name = "tester"
        User-Password = "test"
        Service-Type = Framed-User
        Framed-Protocol = PPP
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
  modcall[authorize]: module "files" returns notfound for request 1
radius_xlat:  'tester'
rlm_sql (sql): sql_set_user escaped user --> 'tester'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'tester' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'tester' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'tester' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'tester' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module "sql" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
auth: type Crypt
Sending Access-Accept of id 100 to 204.244.99.67 port 1645
Finished request 1
Going to the next request

Again I get Access-Accept, but a 691 password error on the client side.

So as I see it with this:

I have to have the user listed in UserGroup AND RadCheck with a
Crypt-Password attribute and RadGroupCheck with Auth-Type := PAP
for the user to authenticate and be able to get online.

If the username is in UserGroup AND RadCheck with the Auth-Type = Local I
see this:

 modcall[authorize]: module "sql" returns ok for request 5
modcall: leaving group authorize (returns ok) for request 5
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.

So I guess I missed something completely, or it's not possible to have
a username ONLY listed in Radcheck with Crypt-Password and authenticate
that user?

Does the username really need to be in both the UserGroup table and
Radcheck table for a crypt-password method to work?

Sorry for the long post.

Thanks,
Keith
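A small model of the two SQL lookups and the check-item operator rule Alan refers to, added here as an illustration and not code from FreeRADIUS or from the thread: it rebuilds the three tables from the post in an in-memory SQLite database (constructed sample rows), runs the radcheck and radgroupcheck queries seen in the debug output, and merges them with ':=' overriding and '=' only filling in a missing Auth-Type. It goes beyond the post by also adding a per-user Auth-Type row in radcheck to show which value wins under each operator; the merge rule is my reading of the users(5) operator semantics, not something the server's debug output above confirms.

```python
import sqlite3

# Constructed in-memory copy of the three FreeRADIUS SQL tables from the post
# (sample rows only; the real schema has more columns).
SCHEMA = """
CREATE TABLE radcheck(id INTEGER, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup(id INTEGER, UserName TEXT, GroupName TEXT);
CREATE TABLE radgroupcheck(id INTEGER, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
"""

def build_db(group_auth_type=None, in_group=True, user_auth_type=None):
    """Build the tables for one of the post's scenarios.
    group_auth_type / user_auth_type are (op, value) tuples or None."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO radcheck VALUES (4,'tester','Crypt-Password',':=','f3RCpSYQzT292')")
    if user_auth_type:  # hypothetical extra row, not in the post
        db.execute("INSERT INTO radcheck VALUES (5,'tester','Auth-Type',?,?)", user_auth_type)
    if in_group:
        db.execute("INSERT INTO usergroup VALUES (14,'tester','default')")
    if group_auth_type:
        db.execute("INSERT INTO radgroupcheck VALUES (1,'default','Auth-Type',?,?)", group_auth_type)
    return db

def merge(check, rows):
    """Check-item operator semantics (assumed from users(5)): ':=' always sets
    the attribute, '=' sets it only if no item of that name is present yet."""
    for attr, op, value in rows:
        if op == ":=" or (op == "=" and attr not in check):
            check[attr] = value
    return check

def check_items(db, user):
    """Run the same two lookups rlm_sql shows in the debug output (radcheck first,
    then radgroupcheck joined through usergroup) and merge them into one check list."""
    check = merge({}, db.execute(
        "SELECT Attribute,op,Value FROM radcheck WHERE UserName=? ORDER BY id", (user,)))
    return merge(check, db.execute(
        "SELECT radgroupcheck.Attribute,radgroupcheck.op,radgroupcheck.Value "
        "FROM radgroupcheck,usergroup WHERE usergroup.UserName=? "
        "AND usergroup.GroupName=radgroupcheck.GroupName ORDER BY radgroupcheck.id", (user,)))

if __name__ == "__main__":
    for label, db in [("group Auth-Type := PAP", build_db((":=", "PAP"))),
                      ("group Auth-Type = Local", build_db(("=", "Local"))),
                      ("not in usergroup", build_db((":=", "PAP"), in_group=False))]:
        print(label, "->", check_items(db, "tester"))
```

The third scenario is the post's "main issue": once the usergroup row is gone, the join returns nothing, so no Auth-Type from radgroupcheck ever reaches the check list and only the Crypt-Password row is left.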
