Rest Authentication User-Password missing

Alan DeKok aland at deployingradius.com
Tue Apr 23 03:43:50 CEST 2019 

On Apr 22, 2019, at 9:04 PM, Sean Hamilton <sean at kettlespace.com> wrote:
> 
> I have a problem authenticating users on my freeradius server. It appears
> as if the `User-Password` attribute is empty.

  It's not empty, it's missing entirely.  Because the client isn't sending User-Password.

> I receive the following error
> when authenticating:
> 
> rest: ERROR: You set 'Auth-Type = REST' for a request that does not contain
> a User-Password attribute!

  That's pretty clear.

> I'm not sure if the problem is with my AP. radtest work as expected.

  Because radtest sends a User-Password attribute.

> [root at ip-172-31-54-190 raddb]# radiusd -X
> 
> FreeRADIUS Version 3.0.18
> 
> Copyright (C) 1999-2019 The FreeRADIUS server project and contributors

  There's no need to post double-spaced text to the list.  That just makes it harder to read.

> No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client ::/0. Please
> fix your configuration

  That should be fixed.

> Ready to process requests
> 
> (0) Received Access-Request Id 1 from 172.254.122.110:39189 to
> 172.31.54.190:1812 length 237
> (0)   User-Name = "sean at kettlespace.com"
> (0)   NAS-IP-Address = 10.1.3.100
> (0)   NAS-Identifier = "f09fc2cba179"
> (0)   Called-Station-Id = "02-9F-C2-CC-A1-79:SeanRadiusTest"
> (0)   NAS-Port-Type = Wireless-802.11
> (0)   Service-Type = Framed-User
> (0)   Calling-Station-Id = "6C-E8-5C-66-76-FD"
> (0)   Connect-Info = "CONNECT 0Mbps 802.11b"
> (0)   Acct-Session-Id = "4AF926FF85930522"
> (0)   WLAN-Pairwise-Cipher = 1027076
> (0)   WLAN-Group-Cipher = 1027076
> (0)   WLAN-AKM-Suite = 1027073
> (0)   Framed-MTU = 1400
> (0)   EAP-Message = 0x02010019017365616e406b6574746c6573706163652e636f6d

  And there we have it.  As expected, the authentication is EAP, not PAP.  So there's no User-Password attribute.

  The later debug shows it's doing EAP-MD5.  Which definitely doesn't have a User-Password attribute.

  What you want to do is impossible.

  FreeRADIUS is an authentication server.  The REST API you're using is a database, not an authentication server.  Have the REST API provide the cleartext password to FreeRADIUS.  FreeRADIUS will then do the right thing.

  Alan DeKok.

More information about the Freeradius-Users mailing list