Hi,
Hi,
On Tue, Apr 15, 2014 at 10:26:22AM +0200, Stefan Winter wrote:
In FreeRADIUS 3, I retained this, NT-Passwords are found, pap returns noop(?), authorize returns ok, and then I see
Auth-Type = Accept, accepting the user
*regardless of his password* ? Can't reproduce it here. Have you got a minimal config that creates it?
Sorry, limited time to work on this today. Maybe tomorrow.
The pap module returns noop without printing output in only a very few cases, the only ones really is if it can't find a password and you're proxying or some eap types are set.
As you see, no proxying (no suffix module at all) nor EAP-Message in the debug log.
The only case I can see is if the dictionary lookup for the module name fails, and it can't set the auth-type name correctly. But even then it sets Auth-Type to 0, not 254 (Accept).
I have looked at other occasions where NT-Password gets used (e.g. we have a vserver which pulls it out of SQL). I guess I should be seeing that normify() outputs something in the debug output I sent - but not at all. It is hex-encoded though, so the RDEBUG2 inside normify can't possibly be silent. This makes me believe that the NT-Password is not actually evaluated . But then again, the log also says that the line matched, so it should really get going. Wondering about inst->normify - that's inside an if. Maybe it is false, so pw_found is set to true, but the normifying is never done? I also see that instantiate() does not set inst->normify. Does it have to? Not good enough in C to answer this. I should also note that other clients are mapped to the same virtual server - and check the password correctly. It only fails deterministically for two clients of that virtual server. Greetings, Stefan Winter
...
(11) [mschap] = noop (11) [eap-staff] = noop (11) [pap] = noop (11) if ( "%{Packet-Src-IP-Address}" == "158.64.1.229" ) (11) EXPAND %{Packet-Src-IP-Address} (11) --> 158.64.1.65 (11) if ( "%{Packet-Src-IP-Address}" == "158.64.1.229" ) -> FALSE (11) } # authorize = ok (11) Auth-Type = Accept, accepting the user ...
Are you sure it's definitely the pap module that's setting Auth-Type? If you comment it out, does the blank password still authenticate?
If so, a binary chop on your config to find the culprit may be helpful.
Matthew