On Mon, Nov 28, 2011 at 9:40 AM, Bogi Aditya <bogi@imtelkom.ac.id> wrote:
thanks Fajar
I've tried : # radtest -t mschap usertest passtest localhost:1812 0 testing123 Sending Access-Request of id 13 to 127.0.0.1 port 1812 User-Name = "usertest" NAS-IP-Address = 10.1.1.28 NAS-Port = 0 MS-CHAP-Challenge = 0x7effa6d1eaf313a9 MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000d21d03024f55ebcf8c36dc84 d85ab07e2b6c828184d3f151 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=13,
Weird. I just tested similar thing on my setup (FR-2.1.12), and got Access-Reject for both pap and mschap :)
then I change my radcheck table : mysql> select * from radcheck; +----+----------+--------------------+----+----------+ | id | username | attribute | op | value | +----+----------+--------------------+----+----------+ | 1 | usertest | Cleartext-Password | := | passtest | +----+----------+--------------------+----+----------+
and tried : # radtest -t mschap usertest passtest localhost:1812 0 testing123 Sending Access-Request of id 149 to 127.0.0.1 port 1812 User-Name = "usertest" NAS-IP-Address = 10.1.1.28 NAS-Port = 0 MS-CHAP-Challenge = 0xf13ba049100393c3 MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000733c2565a50ac6d4c28569b9 59eca8a14ef7951536c66172 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=149, length=108
At least with Cleartext-Password and ":=" we got the same result
should I change it to "Cleartext-Password" and op=":=" when it still work with "password" and op="==" ?
Definitely. My best guess at this point is your FR version is old enough to permit "password" and "==" and activate some kind of compatibility code, which didn't exist in my version. Cleartext-Password and ":=" is the correct way to specify plain text user password in current and future versions of FR. If you don't want future upgrades to break your setup, better use Cleartext-Password and ":=" Running in debug mode (radiusd -X) should help in finding out why your setup works (when it shouldn't). In my test (I'm using files instead of db), I got these WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. [files] users: Matched entry testuser at line 5 ++[files] returns ok [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [testuser] (from client localhost port 0) Here
and why the default value is set to "==" when it suppose to be ":=" ?
"==" is useful in certain cases. For example, if you want the user to ONLY be able to login from a NAS with IP address = 10.0.0.1, you could use something like this: usertest | Cleartext-Password | := | passtest | usertest | NAS-IP-Address | == | 10.0.0.1 |
so sorry, this is the first time I used FreeRADIUS
No problem
(all this time I use OpenLDAP for authentication)
Did you know you can use LDAP as backend for FR, thus allowing your users to use the same user/password combination whether they're using FR or LDAP directly? :D -- Fajar