I altered my SQL to ClearText-Password with the ":=" operator and I now get authenticated. Thanks guys - the warning message was clear about what it was referring to but I wasn't clear on what config i needed to change - whether it was with mssql or pap.<div>
<br></div><div>Anyway, I still have the problem that I'm not having attributes returned. It's because my two stored procedures are not being run.</div><div><br></div><div>I have groupcheck_sp and groupreply_sp which used to get executed in my old 1.1.x setup in the authorize section but now that doesn't seem to happen.</div>
<div><br></div><div>I checked sql.conf and read_groups = yes.</div><div><br></div><div>Is there some change in 2.x i should be aware of? I saw a message relating to something similar I think here <a href="http://readlist.com/lists/lists.freeradius.org/freeradius-users/4/24364.html">http://readlist.com/lists/lists.freeradius.org/freeradius-users/4/24364.html</a> but I couldn't figure out a resolution.</div>
<div><br></div><div>My output is similar to my earlier email but without the warning....</div><div><br></div><div><div>Ready to process requests.</div><div>rad_recv: Access-Request packet from host 10.152.0.7 port 20001, id=43, length=168</div>
<div> NAS-IP-Address = 10.152.0.7</div><div> User-Name = "9999999999"</div><div> User-Password = "9999999999"</div><div> Service-Type = Login-User</div><div> NAS-Port-Type = Async</div>
<div> Calling-Station-Id = "1002"</div><div> Quintum-h323-conf-id = "h323-conf-id=34616632 66373463 31390038 00333300"</div><div> Quintum-AVPair = "h323-ivr-out=ACCESSCODE:990006"</div>
<div>+- entering group authorize {...}</div><div>++[preprocess] returns ok</div><div>++[chap] returns noop</div><div>[suffix] No '@' in User-Name = "9999999999", looking up realm NULL</div><div>[suffix] No such realm "NULL"</div>
<div>++[suffix] returns noop</div><div>[eap] No EAP-Message, not doing EAP</div><div>++[eap] returns noop</div><div>++[unix] returns notfound</div><div>++[files] returns noop</div><div>[sql] expand: %{User-Name} -> 9999999999</div>
<div>[sql] sql_set_user escaped user --> '9999999999'</div><div>rlm_sql (sql): Reserving sql socket id: 4</div><div>[sql] expand: SELECT [id], UserName, Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('%{SQL-User-Name}') -> SELECT [id], UserName, Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('0498666931')</div>
<div>query: SELECT [id], UserName, Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('9999999999')</div><div>[sql] User found in radcheck table</div><div>rlm_sql (sql): Released sql socket id: 4</div><div>
++[sql] returns ok</div><div>++[expiration] returns noop</div><div>++[logintime] returns noop</div><div>++[pap] returns updated</div><div>Found Auth-Type = PAP</div><div>+- entering group PAP {...}</div><div>[pap] login attempt with password "9999999999"</div>
<div>[pap] Using clear text password "9999999999"</div><div>[pap] User authenticated successfully</div><div>++[pap] returns ok</div><div>Login OK: [0498666931] (from client 10.152.0.7 port 0 cli 1002)</div><div>
+- entering group post-auth {...}</div><div>[sql] expand: %{User-Name} -> 9999999999</div><div>[sql] sql_set_user escaped user --> '9999999999'</div><div>++[sql] returns noop</div><div>++[exec] returns noop</div>
<div>Sending Access-Accept of id 43 to 10.152.0.7 port 20001</div><div>Finished request 0.</div></div><div><br></div><div>Thanks,</div><div><br></div><div>Rob<br><br><div class="gmail_quote">2009/10/27 Bjørn Mork <span dir="ltr"><<a href="mailto:bjorn@mork.no">bjorn@mork.no</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">Robert White <<a href="mailto:rwhite@globalgossip.net">rwhite@globalgossip.net</a>> writes:<br>
<br>
> I'm trying to upgrade my setup from freeradius 1 to freeradius 2.<br>
><br>
> I've been making little changes to the config as suggested in the doc and I<br>
> managed to get my setup connecting to my mssql backend. However, when I try<br>
> and authorize with a user/pass, I get an error - actually more of a warning.<br>
> I've Googled about but although others have had this error I haven't really<br>
> seen a good explanation of why it occurs let alone how to solve.<br>
<br>
</div>I believe the rlm_pap(5) man page explains the different password<br>
attribute and their usage pretty well.<br>
<br>
The point the server is trying to make you aware of is that you can't<br>
really do an equality check on the User-Password. The attribute<br>
received from the other end is encrypted:<br>
<a href="http://freeradius.org/rfc/rfc2865.html#User-Password" target="_blank">http://freeradius.org/rfc/rfc2865.html#User-Password</a><br>
<br>
That's why<br>
<br>
luser User-Password == "foo"<br>
<br>
is wrong. Don't do it.<br>
<br>
When you configure a user account, you will instead *set* another server<br>
configuration attribute which may be used by the authentication modules<br>
to verify the received User-Password. So you'll do<br>
<br>
luser Cleartext-Password := "foo"<br>
<br>
and the rlm_pap module will see both the Cleartext-Password you set and<br>
the User-Password the NAS sent and do whatever it needs to verify that<br>
they match. This concept might be even clearer if you instead configure<br>
<br>
luser Crypt-Password := "aaKNIEDOaueR6"<br>
<br>
The rlm_pap will still be able to verify the received password.<br>
<div class="im"><br>
<br>
<br>
> Sending Access-Accept of id 16 to 10.152.0.7 port 20001<br>
<br>
</div>Looks like your 2.x config doesn't have any reply attributes.<br>
<div class="im"><br>
> Sending Access-Accept of id 31 to 10.152.0.7 port 20001<br>
> h323-return-code = "h323-return-code=0"<br>
> h323-billing-model = "h323-billing-model=0"<br>
> h323-credit-amount = "h323-credit-amount=76.15"<br>
> h323-currency = "h323-currency=AUD"<br>
<br>
</div>while the 1.x config sends a number of them. Maybe that's why your NAS<br>
doesn't do what you expect, even if it gets an accept in both cases?<br>
<font color="#888888"><br>
<br>
Bjørn<br>
</font><div><div></div><div class="h5"><br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a></div></div></blockquote></div><br><br clear="all"><br>-- <br>Rob White<br>
Assistant IT Manager<br>Core Infrastructure & System Development<br>Global Gossip Group<br>Address: 14 Wentworth Avenue, Sydney NSW 2010<br>Telephone: +61 292 630 460<br>Fax: +61 292 630 404<br>Mobile: +61 410 700 733<br>
Email: <a href="mailto:rwhite@globalgossip.net">rwhite@globalgossip.net</a><br>Skype: robwhite83<br>
</div>