User-Name Modification Assistance

Alan Buxey alan.buxey at gmail.com
Fri May 11 19:36:43 CEST 2018


there IS a password...it's not a plain PAP User-Password though - it's in
that EAP-Message that you can see.
so, you need to add to your SQL DB the value that the NAS is sending in its
EAP-MD5 auth request

you cannot just Access-Accept an EAP request, there needs to be a full,
correct response.

alan

On 11 May 2018 at 18:22, Jeremy Lundquist <pmudan01 at gmail.com> wrote:

> Here is the username/password from the mysql DB - note no password (blank).
>
> MariaDB [radiusdb]> select * from radcheck where username='107b44c186e0';
> +------+--------------+--------------------+----+-------+
> | id   | username     | attribute          | op | value |
> +------+--------------+--------------------+----+-------+
> | 2308 | 107b44c186e0 | Cleartext-Password | := |       |
> +------+--------------+--------------------+----+-------+
> 1 row in set (0.00 sec)
>
>
> So when I tested using radclient (sending just username, no password)
> without adding the following to my authorize section in
> sites-enabled/default it failed (which I believe is expected?).
>                 update control {
>                         Auth-Type := Accept
>                 }
>
> Debug snippet:
> .
> .
> rlm_sql (sql): Released connection (2)
> (0)     [sql] = ok
> (0)     [expiration] = noop
> (0)     [logintime] = noop
> (0) pap: No User-Password attribute in the request.  Cannot do PAP
> (0)     [pap] = noop
> (0)   } # authorize = updated
> (0) WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> (0) WARNING: Use the PAP or CHAP modules instead
> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
> (0) Failed to authenticate the user
> (0) Using Post-Auth-Type Reject
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0)   Post-Auth-Type REJECT {
> (0) sql: EXPAND .query
> .
> .
>
> NOTE - I verified in my configs, I have not set "Auth-Type = Local"
> anywhere.
>
> But when I added it, it passed (again, expected per one of your
> instructions in previous email).
>
> Debug snippet:
> .
> .
> (0)     [sql] = ok
> (0)     [expiration] = noop
> (0)     [logintime] = noop
> (0) pap: WARNING: Auth-Type already set.  Not setting to PAP
> (0)     [pap] = noop
> (0)   } # authorize = updated
> (0) Found Auth-Type = Accept
> (0) Auth-Type = Accept, accepting the user
> (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
> (0)   post-auth {
> (0)     update {
> (0)       No attributes updated
> (0)     } # update = noop
> .
> .
>
> So going back to my using the test HW, you are saying even without a
> password it should work as long as what's in the DB and what's passed via
> the HW is the same. But there is no password passed in the Access-Request
> and there is none in the DB, thus it should work, but it's not? That's where
> I'm getting hung up. I'd expect it to work as both are the same (nothing),
> but it's not, unless I'm not understanding properly what you are saying.
>
> Jeremy
>
>
> On Fri, May 11, 2018 at 9:07 AM, Alan DeKok <aland at deployingradius.com>
> wrote:
>
> > On May 11, 2018, at 12:02 PM, Jeremy Lundquist <pmudan01 at gmail.com> wrote:
> > >
> > > Let me add an updated Debug output to be thorough:
> >
> >   Reading it, and my messages would help.
> >
> >   The reason there's no User-Password in the request is because the NAS is
> > doing EAP.
> >
> >   As I said before, it's doing EAP-MD5.  And EAP-MD5 is failing because
> > the password is wrong.
> >
> >   Stop trying to create a User-Password.  It's not necessary.  Test PAP
> > with radclient.  It should work.
> >
> >   EAP-MD5 is basically CHAP.  So if the user enters the same password as
> > what's in the DB, it *will* work.
> >
> >   The only reason it won't work is that the passwords *are not the same*.
> >
> >   Alan DeKok.
> >
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> > list/users.html
> >


More information about the Freeradius-Users mailing list
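
An added illustration (not part of the original thread, and not FreeRADIUS code) of why the EAP-Message carries a password-derived value even though the request has no User-Password: in EAP-MD5, as in CHAP, the supplicant returns MD5(identifier || password || challenge) and the server recomputes it from the stored cleartext password. The identifier, challenge and password below are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

EAP_RESPONSE = 2   # EAP Code: Response
EAP_TYPE_MD5 = 4   # EAP Type: MD5-Challenge


def md5_challenge_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 3748 sec. 5.4: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """What the supplicant puts in EAP-Message: header, type, value-size, value."""
    value = md5_challenge_value(identifier, password, challenge)
    body = bytes([EAP_TYPE_MD5, len(value)]) + value
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(body)) + body


def parse_eap_md5_response(packet: bytes) -> tuple:
    """Return (identifier, value); raise ValueError on a malformed packet."""
    if len(packet) < 6:
        raise ValueError("truncated EAP packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != EAP_RESPONSE or packet[4] != EAP_TYPE_MD5:
        raise ValueError("not an EAP-MD5 response")
    if length < 6 or length > len(packet):
        raise ValueError("bad length field")
    size = packet[5]
    if 6 + size > length:
        raise ValueError("value-size exceeds packet length")
    return identifier, packet[6:6 + size]


def server_verify(packet: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server side: recompute from the stored cleartext password and compare."""
    identifier, value = parse_eap_md5_response(packet)
    expected = md5_challenge_value(identifier, stored_password, challenge)
    return hmac.compare_digest(value, expected)


if __name__ == "__main__":
    challenge = os.urandom(16)                      # constructed challenge
    device_password = b"constructed-device-secret"  # constructed sample value
    pkt = build_eap_md5_response(7, device_password, challenge)
    print("blank stored password:   ", server_verify(pkt, challenge, b""))
    print("matching stored password:", server_verify(pkt, challenge, device_password))
```

A blank stored password verifies only when the supplicant also hashed an empty password; any other value on the device side yields a different digest and the comparison fails.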