Re: Using the various User-Password, Chap-Password, etc... with MySQL

To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Subject: Re: Using the various User-Password, Chap-Password, etc... with MySQL
From: "liran tal" <liransgarage@gmail.com>
Date: Mon, 30 Jul 2007 17:44:15 +0200
In-reply-to: <46ACF0AD.4010304@deployingradius.com>
References: <3ed55890707291122h7def92e0je01ce4c21f84aa85@mail.gmail.com> <46ACF0AD.4010304@deployingradius.com>
Reply-to: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>

Thanks Alan,

I've read the manpage on rlm_pap.
Regarding the User-Password attribute I understand that it is still support but we moved
to using Cleartext-Password which is essentially the same.

Regarding the other attributes like Crypt-Password or MD5-Password, the manpage says that
these contain the crypted/md5 hashed form of the password. Does that mean that if I use
those as the password attribute then in the database I'm supposed to use the MD5() function
to encrypt the password I save there?

This also brings me to another question, if I can encrypt like that a password in the database
even for the Cleartext-Password (or the deprecated User-Password) attribute as the manpage
also mentions that rlm_pap, if put last in the authorize section will try to decrypt the password.

Do I understand this correctly?

Regards,
Liran.

On 7/29/07, Alan DeKok <aland@deployingradius.com > wrote:

liran tal wrote:
> I was wondering if someone can clearly explain the use of different
> Password attributes when they're used in a scenario where MySQL is involved.

  The different password attributes have nothing to do with MySQL.

  Put a clear-text password in MySQL, and let the server deal with
different authentication protocols.

> The basic case of User-Password is clear.
> When the attribute in the radcheck table is User-Password then it's value is
> the password in clear text and the op is ==

  No.  See the recent documentation in 1.1.5 and following.  The
attribute is Cleartext-Password, and the operator is :=.

> What about Cleartext-Password? I've added this attribute with op of := and
> value password in clear text and used radtest as a test, and it results in
> just re-transmission of Access-Request queries, and basically not working.

  See the FAQ for "it doesn't work".  The FAQ, README, INSTALL, etc. all
say to run the server in debugging mode.

> What about Chap-Password, MD5-Password, SHA1-Password, what are their
> corresponding values and op like?

  Read the documentation in "man rlm_pap", as suggested in the README.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Follow-Ups:
- Re: Using the various User-Password, Chap-Password, etc... with MySQL
  - From: Dennis Skinner <dskinner@bluefrog.com>
- Re: Using the various User-Password, Chap-Password, etc... with MySQL
  - From: "liran tal" <liransgarage@gmail.com>

References:
- Using the various User-Password, Chap-Password, etc... with MySQL
  - From: "liran tal" <liransgarage@gmail.com>
- Re: Using the various User-Password, Chap-Password, etc... with MySQL
  - From: Alan DeKok <aland@deployingradius.com>

Previous by Date: Re: Adding a NAS via SQL
Next by Date: Re: Using the various User-Password, Chap-Password, etc... with MySQL
Previous by Thread: Re: Using the various User-Password, Chap-Password, etc... with MySQL
Next by Thread: Re: Using the various User-Password, Chap-Password, etc... with MySQL
Freeradius-Users July 2007 archives indexes sorted by: [ thread ] [ subject ] [ author ] [ date ]
Freeradius-Users list archive Table of Contents
More information about the Freeradius-Users mailing list

This archive was generated by a fusion of Pipermail (Mailman edition) and MHonArc.