PAP Authentication User-Password not working properly

Yago Fdez. Hansen sti at soportec.com
Fri May 9 21:17:25 CEST 2008


Yes sorry:

With debug I noticed I was not very exact in my explanation. It was 
Crypt-Password algorithm problem:


First authentication:

root at radius1:~# radtest papsqluser papsecret localhost 0 testing123
Sending Access-Request of id 144 to 127.0.0.1 port 1812
        User-Name = "papsqluser"
        User-Password = "papsecret"
        NAS-IP-Address = 192.168.1.100
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=144, 
length=20

root at radius1:~# freeradius -X
FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on May  8 2008 
at 09:16:48
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/sql/mysql/counter.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
including dictionary file /etc/freeradius/dictionary
main {
        prefix = "/usr"
        localstatedir = "/var"
        logdir = "/var/log/freeradius"
        libdir = "/usr/lib/freeradius"
        radacctdir = "/var/log/freeradius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        pidfile = "/var/run/freeradius/freeradius.pid"
        user = "freerad"
        group = "freerad"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
 }
}
 client localhost {
        require_message_authenticator = no
        secret = "testing123"
        shortname = "localhost"
        nastype = "other"
 }
 client 192.168.1.0 {
        require_message_authenticator = no
        secret = "testing123"
        shortname = "labs"
        nastype = "other"
 }
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
 }
 home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = "auth"
        secret = "testing123"
        response_window = 20
        max_outstanding = 65536
        zombie_period = 40
        status_check = "status-server"
        ping_check = "none"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
 }
 realm example.com {
        auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
        wait = yes
        input_pairs = "request"
        shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
        reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
        reply-message = "You are calling outside your allowed timespan  "
        minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
        encryption_scheme = "auto"
        auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
        radwtmp = "/var/log/freeradius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
        default_eap_type = "md5"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
        challenge = "Password: "
        auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        CA_path = "/etc/freeradius/certs/masterCA/crl"
        pem_file_type = yes
        private_key_file = "/etc/certs/server/radius1_keycert.pem"
        certificate_file = "/etc/certs/server/radius1_keycert.pem"
        CA_file = "/etc/freeradius/certs/masterCA/cacert.pem"
        private_key_password = "misecreto"
        dh_file = "/etc/freeradius/certs/dh"
        random_file = "/etc/freeradius/certs/random"
        fragment_size = 1024
        include_length = yes
        check_crl = yes
        cipher_list = "DEFAULT"
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
        default_eap_type = "md5"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
        with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
        usersfile = "/etc/freeradius/users"
        acctusersfile = "/etc/freeradius/acct_users"
        preproxy_usersfile = "/etc/freeradius/preproxy_users"
        compat = "no"
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
        filename = "/var/log/freeradius/radutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        perm = 384
        callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
        attrsfile = "/etc/freeradius/attrs.access_reject"
        key = "%{User-Name}"
  }
 }
}
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_ldap
 Module: Instantiating ldap
  ldap {
        server = "ldap1.midominio.loc"
        port = 389
        password = "misecreto"
        identity = "cn=admin,dc=midominio,dc=loc"
        net_timeout = 1
        timeout = 4
        timelimit = 3
        tls_mode = no
        start_tls = no
        tls_require_cert = "allow"
   tls {
        start_tls = no
        require_cert = "allow"
   }
        basedn = "dc=midominio,dc=loc"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        auto_header = no
        access_attr_used_for_allow = yes
        groupname_attribute = "cn"
        groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        dictionary_mapping = "/etc/freeradius/ldap.attrmap"
        ldap_debug = 0
        ldap_connections_number = 5
        compare_check_items = no
        do_xlat = yes
        edir_account_policy_check = no
        set_auth_type = yes
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file 
/etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS 
Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS 
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS 
Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x817f160
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
        huntgroups = "/etc/freeradius/huntgroups"
        hints = "/etc/freeradius/hints"
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_sql
 Module: Instantiating sql
  sql {
        driver = "rlm_sql_mysql"
        server = "localhost"
        port = ""
        login = "radius"
        password = "mysqlsecret"
        radius_db = "radius"
        read_groups = yes
        sqltrace = no
        sqltracefile = "/var/log/freeradius/sqltrace.sql"
        readclients = no
        deletestalesessions = yes
        num_sql_socks = 5
        sql_user_name = "%{User-Name}"
        default_user_profile = ""
        nas_query = "SELECT id, nasname, shortname, type, secret FROM nas"
        authorize_check_query = "SELECT id, username, attribute, value, op 
FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER 
BY id"
        authorize_reply_query = "SELECT id, username, attribute, value, op 
FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER 
BY id"
        authorize_group_check_query = "SELECT id, groupname, attribute, 
Value, op           FROM radgroupcheck           WHERE groupname = 
'%{Sql-Group}'           ORDER BY id"
        authorize_group_reply_query = "SELECT id, groupname, attribute, 
value, op           FROM radgroupreply           WHERE groupname = 
'%{Sql-Group}'           ORDER BY id"
        accounting_onoff_query = "          UPDATE radacct           SET 
acctstoptime       =  '%S',              acctsessiontime    = 
unix_timestamp('%S') - 
unix_timestamp(acctstarttime),              acctterminatecause = 
'%{Acct-Terminate-Cause}',              acctstopdelay      = 
%{%{Acct-Delay-Time}:-0}           WHERE acctstoptime      =  NULL 
AND nasipaddress      =  '%{NAS-IP-Address}'           AND acctstarttime 
<= '%S'"
        accounting_update_query = "           UPDATE radacct           SET 
framedipaddress = '%{Framed-IP-Address}',              acctsessiontime     = 
'%{Acct-Session-Time}',              acctinputoctets     = 
'%{%{Acct-Input-Gigawords}:-0}'  << 32 | 
'%{%{Acct-Input-Octets}:-0}',              acctoutputoctets    = 
'%{%{Acct-Output-Gigawords}:-0}' << 32 | 
'%{%{Acct-Output-Octets}:-0}'           WHERE acctsessionid = 
'%{Acct-Session-Id}'           AND username        = '%{SQL-User-Name}' 
AND nasipaddress    = '%{NAS-IP-Address}'"
        accounting_update_query_alt = "           INSERT INTO radacct 
(acctsessionid,    acctuniqueid,      username,              realm, 
nasipaddress,      nasportid,              nasporttype,      acctstarttime, 
acctsessiontime,              acctauthentic,    connectinfo_start, 
acctinputoctets,              acctoutputoctets, calledstationid, 
callingstationid,              servicetype,      framedprotocol, 
framedipaddress,              acctstartdelay,   xascendsessionsvrkey) 
VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', 
'%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', 
'%{NAS-Port}',              '%{NAS-Port-Type}',              DATE_SUB('%S', 
INTERVAL (%{%{Acct-Session-Time}:-0} + 
%{%{Acct-Delay-Time}:-0}) SECOND), 
'%{Acct-Session-Time}',              '%{Acct-Authentic}', '', 
'%{%{Acct-Input-Gigawords}:-0}' << 32 | 
'%{%{Acct-Input-Octets}:-0}',              '%{%{Acct-Output-Gigawords}:-0}' 
<< 32 |              '%{%{Acct-Output-Octets}:-0}', 
'%{Called-Station-Id}', '%{Calling-Station-Id}', 
'%{Service-Type}', '%{Framed-Protocol}', 
'%{Framed-IP-Address}',              '0', '%{X-Ascend-Session-Svr-Key}')"
        accounting_start_query = "           INSERT INTO radacct 
(acctsessionid,    acctuniqueid,     username,              realm, 
nasipaddress,     nasportid,              nasporttype,      acctstarttime, 
acctstoptime,              acctsessiontime,  acctauthentic, 
connectinfo_start,              connectinfo_stop, acctinputoctets, 
acctoutputoctets,              calledstationid,  callingstationid, 
acctterminatecause,              servicetype,      framedprotocol, 
framedipaddress,              acctstartdelay,   acctstopdelay, 
xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', 
'%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}', 
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', 
'%{NAS-Port-Type}', '%S', NULL,              '0', '%{Acct-Authentic}', 
'%{Connect-Info}',              '', '0', '0', 
'%{Called-Station-Id}', '%{Calling-Station-Id}', '', 
'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', 
'%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
        accounting_start_query_alt = "           UPDATE radacct SET 
acctstarttime     = '%S',              acctstartdelay    = 
'%{%{Acct-Delay-Time}:-0}',              connectinfo_start = 
'%{Connect-Info}'           WHERE acctsessionid  = '%{Acct-Session-Id}' 
AND username         = '%{SQL-User-Name}'           AND nasipaddress     = 
'%{NAS-IP-Address}'"
        accounting_stop_query = "           UPDATE radacct SET 
acctstoptime       = '%S',              acctsessiontime    = 
'%{Acct-Session-Time}',              acctinputoctets    = 
'%{%{Acct-Input-Gigawords}:-0}' << 32 | 
'%{%{Acct-Input-Octets}:-0}',              acctoutputoctets   = 
'%{%{Acct-Output-Gigawords}:-0}' << 32 | 
'%{%{Acct-Output-Octets}:-0}',              acctterminatecause = 
'%{Acct-Terminate-Cause}',              acctstopdelay      = 
'%{%{Acct-Delay-Time}:-0}',              connectinfo_stop   = 
'%{Connect-Info}'           WHERE acctsessionid   = '%{Acct-Session-Id}' 
AND username          = '%{SQL-User-Name}'           AND nasipaddress      = 
'%{NAS-IP-Address}'"
        accounting_stop_query_alt = "           INSERT INTO radacct 
(acctsessionid, acctuniqueid, username,              realm, nasipaddress, 
nasportid,              nasporttype, acctstarttime, acctstoptime, 
acctsessiontime, acctauthentic, connectinfo_start, 
connectinfo_stop, acctinputoctets, acctoutputoctets, 
calledstationid, callingstationid, acctterminatecause, 
servicetype, framedprotocol, framedipaddress,              acctstartdelay, 
acctstopdelay)           VALUES             ('%{Acct-Session-Id}', 
'%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}', 
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', 
'%{NAS-Port-Type}',              DATE_SUB('%S',                  INTERVAL 
(%{%{Acct-Session-Time}:-0} +                  %{%{Acct-Delay-Time}:-0}) 
SECOND),              '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', 
'%{Connect-Info}',              '%{%{Acct-Input-Gigawords}:-0}' << 32 | 
'%{%{Acct-Input-Octets}:-0}',              '%{%{Acct-Output-Gigawords}:-0}' 
<< 32 |              '%{%{Acct-Output-Octets}:-0}', 
'%{Called-Station-Id}', '%{Calling-Station-Id}', 
'%{Acct-Terminate-Cause}',              '%{Service-Type}', 
'%{Framed-Protocol}', '%{Framed-IP-Address}',              '0', 
'%{%{Acct-Delay-Time}:-0}')"
        group_membership_query = "SELECT groupname           FROM 
radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER 
BY priority"
        connect_failure_retry_delay = 60
        simul_count_query = ""
        simul_verify_query = "SELECT radacctid, acctsessionid, username, 
nasipaddress, nasportid, framedipaddress, 
callingstationid, framedprotocol                                FROM radacct 
WHERE username = '%{SQL-User-Name}'                                AND 
acctstoptime = NULL"
        postauth_query = "INSERT INTO radpostauth 
(username, pass, reply, authdate)                           VALUES 
(                           '%{User-Name}', 
'%{%{User-Password}:-%{Chap-Password}}', 
'%{reply:Packet-Type}', '%S')"
        safe-characters = 
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radius at localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
        detailfile = 
"/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
        attrsfile = "/etc/freeradius/attrs.accounting_response"
        key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
}
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *
        port = 0
}
listen {
        type = "acct"
        ipaddr = *
        port = 0
}
main {
        snmp = no
        smux_password = ""
        snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 60121, id=144, 
length=62
        User-Name = "papsqluser"
        User-Password = "papsecret"
        NAS-IP-Address = 192.168.1.100
        NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "papsqluser", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
        expand: %{User-Name} -> papsqluser
rlm_sql (sql): sql_set_user escaped user --> 'papsqluser'
rlm_sql (sql): Reserving sql socket id: 4
        expand: SELECT id, username, attribute, value, op           FROM 
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY 
id -> SELECT id, username, attribute, value, op           FROM radcheck 
WHERE username = 'papsqluser'           ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op           FROM 
radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY 
id -> SELECT id, username, attribute, value, op           FROM radreply 
WHERE username = 'papsqluser'           ORDER BY id
        expand: SELECT groupname           FROM radusergroup           WHERE 
username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT 
groupname           FROM radusergroup           WHERE username = 
'papsqluser'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for papsqluser
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> 
(uid=papsqluser)
        expand: dc=midominio,dc=loc -> dc=midominio,dc=loc
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.midominio.loc:389, authentication 0
rlm_ldap: bind as cn=admin,dc=midominio,dc=loc/misecreto to 
ldap1.midominio.loc:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=midominio,dc=loc, with filter 
(uid=papsqluser)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: searcch failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Crypt-Local
auth: type Crypt
Login OK: [papsqluser/papsecret] (from client localhost port 0)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 144 to 127.0.0.1 port 60121
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 144 with timestamp +4
Ready to process requests.

-----------------------------------------------------------------------------------------------------------------------
Seccond auth:

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=144, 
length=20
root at radius1:~#
root at radius1:~# radtest papsqluser papsecret1233323 localhost 0 testing123
Sending Access-Request of id 167 to 127.0.0.1 port 1812
        User-Name = "papsqluser"
        User-Password = "papsecret1233323"
        NAS-IP-Address = 192.168.1.100
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=167, 
length=20

rad_recv: Access-Request packet from host 127.0.0.1 port 53931, id=167, 
length=62
        User-Name = "papsqluser"
        User-Password = "papsecret1233323"
        NAS-IP-Address = 192.168.1.100
        NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "papsqluser", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
        expand: %{User-Name} -> papsqluser
rlm_sql (sql): sql_set_user escaped user --> 'papsqluser'
rlm_sql (sql): Reserving sql socket id: 4
        expand: SELECT id, username, attribute, value, op           FROM 
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY 
id -> SELECT id, username, attribute, value, op           FROM radcheck 
WHERE username = 'papsqluser'           ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op           FROM 
radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY 
id -> SELECT id, username, attribute, value, op           FROM radreply 
WHERE username = 'papsqluser'           ORDER BY id
        expand: SELECT groupname           FROM radusergroup           WHERE 
username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT 
groupname           FROM radusergroup           WHERE username = 
'papsqluser'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for papsqluser
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> 
(uid=papsqluser)
        expand: dc=midominio,dc=loc -> dc=midominio,dc=loc
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.midominio.loc:389, authentication 0
rlm_ldap: bind as cn=admin,dc=midominio,dc=loc/misecreto to 
ldap1.midominio.loc:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=midominio,dc=loc, with filter 
(uid=papsqluser)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Crypt-Local
auth: type Crypt
Login OK: [papsqluser/papsecret1233323] (from client localhost port 0)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 167 to 127.0.0.1 port 53931
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 167 with timestamp +9
Ready to process requests.

------------------------------------------------------------------------------------------------------------

mysql> select  * from radcheck
    -> ;
+----+-------------+----------------+----+---------------+
| id | username    | attribute      | op | value         |
+----+-------------+----------------+----+---------------+
|  1 | Chapsqluser | User-Password  | == | chapsecret    |
|  2 | Chapsqluser | Auth-Type      | := | Local         |
|  3 | Papsqluser  | Crypt-Password | == | /gTPHauHkNjWE |
|  4 | Papsqluser  | Auth-Type      | := | Crypt-Local   |
+----+-------------+----------------+----+---------------+
4 rows in set (0.00 sec)









----- Original Message ----- 
From: "Ivan Kalik" <tnt at kalik.net>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Friday, May 09, 2008 7:58 PM
Subject: Re: PAP Authentication User-Password not working properly


radiusd -X

Ivan Kalik
Kalik Informatika ISP


Dana 9/5/2008, "Yago Fdez. Hansen" <sti at soportec.com> piše:

>Hi everybody:
>
>I am installing a lab test server with Freeradius 2.0.4 with all the
>authentication installed: CHAP, PAP, EAP and authorization over MySQL,
>users, system, and LDAP.
>
>I installed it in the few last days and I have everything working now, but
>as I was testing it, I could notice a bug. I created users in every DB and
>file all of them with own password and user entries. When I was testing 
>with
>radtest ALL worked fine, but I noticed that ONLY with PAP authentication 
>and
>MySQL user it doesn't matter if I put a clear password in radtest larger
>than the original one I get an Access-Accept message.
>
>Example:
>
>radtest papsqluser papsecret localhost 0 testing123
>Access-Accept
>
>radtest papsqluser papsecret43343 localhost 0 testing123
>Access-Accept
>
>-
>List info/subscribe/unsubscribe? See 
>http://www.freeradius.org/list/users.html
>
>

-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html


__________ Información de NOD32, revisión 3089 (20080509) __________

Este mensaje ha sido analizado con  NOD32 antivirus system
http://www.nod32.com





More information about the Freeradius-Users mailing list