pap "Cleartext-Password", sql etc...
Andrew Long
fursink at gmail.com
Thu Jan 31 02:32:47 CET 2008
With attribute `User-Password' and op = `==' we get this:
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id ->
SELECT id, username, attribute, value, op FROM radcheck WHERE
username = 'mainaroma_cn3200' ORDER BY id
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
rlm_sql (sql): User found in radcheck table
mysql> SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'mainaroma_cn3200' ORDER BY id;
+-----+------------------+---------------+-------------+----+
| id | username | attribute | value | op |
+-----+------------------+---------------+-------------+----+
| 409 | mainaroma_cn3200 | User-Password | nicepassword | == |
+-----+------------------+---------------+-------------+----+
1 row in set (0.01 sec)
========
Now, with `op' = `:=' rather than `==', as Ivan suggests,
we see the same error...
rad_check_password: Found Auth-Type CHAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type "CHAP"
+- entering group CHAP
rlm_chap: login attempt by "mainaroma_cn3200" with CHAP password
rlm_chap: Using clear text password "aromaescape" for user
mainaroma_cn3200 authentication.
rlm_chap: chap user mainaroma_cn3200 authenticated succesfully
++[chap] returns ok
The only difference is that when I use `:=' there are two
access-requests from the host and two access-accepts:
access-request id 40 --> access-accept id 40
and then immediately
access-request id 160 --> access-accept id 160.
None of this is in the users file; we pass the info from sql.
Andrew
EWS Solutions
=======================================================
On Jan 30, 2008 5:21 PM, Kevin Bonner <keb at pa.net> wrote:
> On Wednesday 30 January 2008 15:31:51 Andrew Long wrote:
> > If I change the attribute to `Cleartext-Password', authentication
> > fails and I see:
> >
> > rlm_pap: WARNING! No "known good" password found for the user.
> > Authentication may fail because of this.
> > ++[pap] returns noop
> > rad_check_password: Found Auth-Type CHAP
> > auth: type "CHAP"
> > +- entering group CHAP
> > rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password
> > rlm_chap: Cleartext-Password is required for authentication
> > ++[chap] returns invalid
> > auth: Failed to validate the user.
> > Login incorrect (rlm_chap: Clear text password not available):
> > [elmaroma_cn3000/<CHAP-Password>] (from client cn3000_aroma port 0 cli
> > 00-02-6F-xx-xx-92)
> >
> > Thanks muchly,
> > Andrew Long
> > EWS
2008/1/30 Ivan Kalik <tnt at kalik.net>:
> Can you post users entry in the database? It's quite likely that you
> left == as the operator instead of using :=.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 30/1/2008, "Andrew Long" <fursink at gmail.com> wrote:
>
>
> >When I have (radcheck) attribute `User-Password', authentication
> >succeeds but we see the following:
> >
> >rlm_pap: Found existing Auth-Type, not changing it.
> >++[pap] returns noop
> > rad_check_password: Found Auth-Type CHAP
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >!!! Replacing User-Password in config items with Cleartext-Password. !!!
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >!!! Please update your configuration so that the "known good" !!!
> >!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >auth: type "CHAP"
> >+- entering group CHAP
> > rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password
> > rlm_chap: Using clear text password "aromaescape" for user
> >elmaroma_cn3000 authentication.
> > rlm_chap: chap user elmaroma_cn3000 authenticated succesfully
> >++[chap] returns ok
> >
> >If I change the attribute to `Cleartext-Password', authentication
> >fails and I see:
> >
> >rlm_pap: WARNING! No "known good" password found for the user.
> >Authentication may fail because of this.
> >++[pap] returns noop
> > rad_check_password: Found Auth-Type CHAP
> >auth: type "CHAP"
> >+- entering group CHAP
> > rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password
> > rlm_chap: Cleartext-Password is required for authentication
> >++[chap] returns invalid
> >auth: Failed to validate the user.
> >Login incorrect (rlm_chap: Clear text password not available):
> >[elmaroma_cn3000/<CHAP-Password>] (from client cn3000_aroma port 0 cli
> >00-02-6F-xx-xx-92)
> >
> >The "users" file
> >----------------------
> >DEFAULT Fall-Through = 1
> >DEFAULT Service-Type == Framed-User
> > Framed-IP-Address = 255.255.255.254,
> > Framed-MTU = 576,
> > Service-Type = Framed-User,
> > Fall-Through = Yes
> >DEFAULT Framed-Protocol == PPP
> > Framed-Protocol = PPP,
> > Framed-Compression = Van-Jacobson-TCP-IP
> >---------------------
> >authorize {
> > preprocess
> > chap
> > mschap
> > suffix
> > unix
> > files
> > sql
> > expiration
> > logintime
> > noresetcounter
> > dailycounter
> > monthlycounter
> > daypasscounter
> > pap}
> >authenticate {
> > pap
> > chap
> > mschap}
> >
> >Thanks muchly,
> >
> >Andrew Long
> >EWS
> >-
> >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
> >
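Added example, not part of the original thread and not FreeRADIUS code: a Python/sqlite3 sketch that audits a radcheck-shaped table for the two conditions discussed in this thread (the password stored under `User-Password', and an operator other than `:=') and rewrites such rows to `Cleartext-Password' with `:='. The in-memory table, usernames and values are constructed; the table in the thread lives in MySQL, and the audit deliberately never selects the password value.

```python
import sqlite3

DEPRECATED = "User-Password"       # attribute the server warns about
PREFERRED = "Cleartext-Password"   # attribute the server asks for


def make_sample_db():
    """In-memory stand-in for radcheck, filled with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, "
               "username TEXT, attribute TEXT, value TEXT, op TEXT)")
    db.executemany("INSERT INTO radcheck VALUES (?,?,?,?,?)", [
        (1, "alice", "User-Password", "constructed-pw-1", "=="),
        (2, "bob", "Cleartext-Password", "constructed-pw-2", "=="),
        (3, "carol", "Cleartext-Password", "constructed-pw-3", ":="),
        (4, "carol", "Simultaneous-Use", "1", ":="),
    ])
    return db


def audit(db):
    """Return (id, username, problem) per issue; the value is never read."""
    findings = []
    rows = db.execute(
        "SELECT id, username, attribute, op FROM radcheck "
        "WHERE attribute IN (?, ?) ORDER BY id", (DEPRECATED, PREFERRED))
    for rid, user, attr, op in rows:
        if attr == DEPRECATED:
            findings.append((rid, user, "attribute is User-Password"))
        if op != ":=":
            findings.append((rid, user, "operator is %s, not :=" % op))
    return findings


def migrate(db):
    """Rewrite password rows to Cleartext-Password with op := ; return count."""
    cur = db.execute(
        "UPDATE radcheck SET attribute = ?, op = ':=' "
        "WHERE attribute IN (?, ?) AND (attribute <> ? OR op <> ':=')",
        (PREFERRED, DEPRECATED, PREFERRED, PREFERRED))
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_sample_db()
    for finding in audit(db):
        print(finding)
    print("rows rewritten:", migrate(db))
```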