Problems with PAP, upgrading from 1.1.3

Josh Endries jendries at pragmeta.com
Tue Mar 20 22:28:06 CET 2007


Hi everyone,

I'm having a hell of a time upgrading from 1.1.3 to 1.1.4 due to PAP. 
First of all, leaving my settings as they are doesn't work at all. I'm 
beginning to wonder if my 1.1.3 configuration shouldn't work at all yet 
somehow magically does what I want it to. I currently (1.1.3) don't have 
a *-Password attribute. The table has a "password" field in it that I 
use in a crazy SQL query. It fakes a row with the "User-Password" 
attribute. The passwords are all SHA1 hashed. This is what happens when 
using the 1.1.3 config ("encryption_scheme = sha1"):

rad_recv: Access-Request packet from host 192.168.0.10:54288, id=46, length=56
         User-Name = "test"
         User-Password = "qwertyuiop1"
         NAS-IP-Address = 255.255.255.255
         NAS-Port = 1
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
radius_xlat:  'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
...
   modcall[authorize]: module "sql" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
   rad_check_password:  Found Auth-Type PAP
auth: type "PAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 1
rlm_pap: login attempt with password qwertyuiop1
rlm_pap: No password configured for the user.  Cannot do authentication
   modcall[authenticate]: module "pap" returns fail for request 1
modcall: leaving group PAP (returns fail) for request 1
auth: Failed to validate the user.
Login incorrect: [test] (from client localhost port 1)

This is where I get lost, radiusd.conf:

modules {
   pap {
     encryption_scheme = sha1
   }
...
}
...
authorize {
   sql
}
authenticate {
   Auth-Type PAP {
     pap
   }
}

I know the rlm_pap man page talks about putting "pap" into authorize{}, 
so maybe that is what is preventing it from working, though it does seem 
to get into rlm_pap above. Adding the header onto the password in the 
DB doesn't help (though I didn't expect it to).

So at this point I tried making things the way they should be:

modules {
   pap {
#    encryption_scheme = sha1
     auto_header = yes
   }
...
}

Didn't work with non-prefixed password (duh). This is what I get after 
prepending "{sha1}" to the password:

   Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 0
rlm_pap: login attempt with password qwertyuiop1
rlm_pap: Using clear text password.
rlm_pap: Passwords don't match
   modcall[authenticate]: module "pap" returns reject for request 0
modcall: leaving group PAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [test] (from client localhost port 1)

Okay, so it didn't pick up the header, so I put pap into authorize{} 
after "sql" as the man page says and now I get:

   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
radius_xlat:  'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
...
   modcall[authorize]: module "sql" returns ok for request 0
rlm_pap: Found unknown header {{sha1}}: Not doing anything
rlm_pap: Found existing Auth-Type, not changing it.
   modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
   rad_check_password:  Found Auth-Type PAP
auth: type "PAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 0
rlm_pap: login attempt with password qwertyuiop1
rlm_pap: Using clear text password.
rlm_pap: Passwords don't match
   modcall[authenticate]: module "pap" returns reject for request 0
modcall: leaving group PAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [test] (from client localhost port 1)

Now it says unknown header {{sha1}}. I dunno what this means, maybe it 
wasn't compiled correctly, or I'm specifying the header wrong? I have 
"{sha1}ar3h8ir4r4a3r..." in the field. I tried skipping this (according 
to my understanding of the man page) by changing User-Password to 
SHA1-Password, but that breaks my SQL driver:

rlm_sql: Failed to create the pair: Unknown attribute "SHA1-Password"
rlm_sql (sql): Error getting data from database
rlm_sql (sql): SQL query error; rejecting user

I'm kinda lost now. I'm guessing that if the header was known, things 
would work, but for some reason it doesn't understand the "{sha1}" prefix...

Thanks,
Josh
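
Added example (not part of the original post and not FreeRADIUS code): a small Python verifier for header-prefixed password hashes that rejects an unrecognised header outright instead of falling through to the clear-text comparison seen in the debug output above. The header table ({SHA} and {SSHA} in LDAP userPassword style), the function names and the sample values are assumptions; the post does not list which headers rlm_pap accepts.

```python
import base64
import hashlib
import hmac

# Illustrative header table in LDAP userPassword style (assumption: this is
# NOT the list rlm_pap accepts; the post does not give one).
SCHEMES = {"sha": ("sha1", False), "ssha": ("sha1", True)}

def split_header(stored):
    """Return (scheme, body); scheme is None when no {header} is present."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].lower(), stored[end + 1:]
    return None, stored

def decode_digest(body, size, salted):
    """Accept a hex or base64 digest, deciding by length; None if malformed."""
    if not salted and len(body) == size * 2:
        try:
            return bytes.fromhex(body)
        except ValueError:
            pass
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw if len(raw) == size or (salted and len(raw) > size) else None

def check_password(stored, candidate):
    """Return (ok, reason). A headered value is never compared as clear text."""
    scheme, body = split_header(stored)
    if scheme is None:
        return False, "no header: configure the scheme explicitly"
    if scheme not in SCHEMES:
        return False, "unknown header {%s}" % scheme
    algo, salted = SCHEMES[scheme]
    size = hashlib.new(algo).digest_size
    raw = decode_digest(body, size, salted)
    if raw is None:
        return False, "malformed digest for {%s}" % scheme
    digest, salt = raw[:size], raw[size:]
    actual = hashlib.new(algo, candidate.encode() + salt).digest()
    ok = hmac.compare_digest(actual, digest)
    return ok, "match" if ok else "mismatch"

def make_sample(header, password, salt=b""):
    """Build a constructed stored value, e.g. {SHA}<base64(sha1(password))>."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{%s}%s" % (header, base64.b64encode(digest + salt).decode())
```

The reason string separates "unknown header" from "mismatch", so a mislabeled hash shows up as a configuration error rather than as a failed login.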
