Rest Authentication User-Password missing
aland at deployingradius.com
Tue Apr 23 03:43:50 CEST 2019
On Apr 22, 2019, at 9:04 PM, Sean Hamilton <sean at kettlespace.com> wrote:
> I have a problem authenticating users on my freeradius server. It appears
> as if the `User-Password` attribute is empty.
It's not empty, it's missing entirely. Because the client isn't sending User-Password.
> I receive the following error
> when authenticating:
> rest: ERROR: You set 'Auth-Type = REST' for a request that does not contain
> a User-Password attribute!
That's pretty clear.
> I'm not sure if the problem is with my AP. radtest work as expected.
Because radtest sends a User-Password attribute.
> [root at ip-172-31-54-190 raddb]# radiusd -X
> FreeRADIUS Version 3.0.18
> Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There's no need to post double-spaced text to the list. That just makes it harder to read.
> No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client ::/0. Please
> fix your configuration
That should be fixed.
> Ready to process requests
> (0) Received Access-Request Id 1 from 18.104.22.168:39189 to
> 172.31.54.190:1812 length 237
> (0) User-Name = "sean at kettlespace.com"
> (0) NAS-IP-Address = 10.1.3.100
> (0) NAS-Identifier = "f09fc2cba179"
> (0) Called-Station-Id = "02-9F-C2-CC-A1-79:SeanRadiusTest"
> (0) NAS-Port-Type = Wireless-802.11
> (0) Service-Type = Framed-User
> (0) Calling-Station-Id = "6C-E8-5C-66-76-FD"
> (0) Connect-Info = "CONNECT 0Mbps 802.11b"
> (0) Acct-Session-Id = "4AF926FF85930522"
> (0) WLAN-Pairwise-Cipher = 1027076
> (0) WLAN-Group-Cipher = 1027076
> (0) WLAN-AKM-Suite = 1027073
> (0) Framed-MTU = 1400
> (0) EAP-Message = 0x02010019017365616e406b6574746c6573706163652e636f6d
And there we have it. As expected, the authentication is EAP, not PAP. So there's no User-Password attribute.
The later debug shows it's doing EAP-MD5. Which definitely doesn't have a User-Password attribute.
What you want to do is impossible.
FreeRADIUS is an authentication server. The REST API you're using is a database, not an authentication server. Have the REST API provide the cleartext password to FreeRADIUS. FreeRADIUS will then do the right thing.
More information about the Freeradius-Users