Hello, Alan. As I understand I need two sites for authorizing clients via wifi and ethernet. I made a different site, and I wrote a rule to redirect users. But. When I'm checking this solution I can't understand why freeradius expecting Cleartext-Password instead MD5-password (Please see log below): (9) Received Access-Request Id 143 from 127.0.0.1:45799 to 127.0.0.1:1812 length 72 (9) User-Name = “testier" (9) User-Password = “password" (9) NAS-IP-Address = 127.0.0.1 (9) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (9) authorize { (9) if (!control:Cleartext-Password && &User-Password) { (9) if (!control:Cleartext-Password && &User-Password) -> TRUE (9) if (!control:Cleartext-Password && &User-Password) { (9) update control { (9) EXPAND %{control:User-Password} (9) --> (9) Password-With-Header := (9) EXPAND %{control:User-Password} (9) --> (9) control:Cleartext-Password := (9) User-Password := "" (9) } # update control = noop (9) update reply { (9) EXPAND %{control:User-Password} (9) --> (9) User-Password -= (9) } # update reply = noop (9) } # if (!control:Cleartext-Password && &User-Password) = noop (9) if (config:User-Password && config:Cleartext-Password) { (9) if (config:User-Password && config:Cleartext-Password) -> TRUE (9) if (config:User-Password && config:Cleartext-Password) { (9) update config { (9) User-Password !* ANY (9) } # update config = noop (9) } # if (config:User-Password && config:Cleartext-Password) = noop (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "testuser", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) update control { (9) Proxy-To-Realm := LOCAL (9) } # update control = noop (9) eap: No EAP-Message, not doing EAP (9) [eap] = noop (9) if (NAS-IP-Address == 127.0.0.1) { (9) if (NAS-IP-Address == 127.0.0.1) -> TRUE (9) if (NAS-IP-Address == 127.0.0.1) { (9) sql-wifi-ethernet: EXPAND %{User-Name} (9) sql-wifi-ethernet: --> testuser (9) sql-wifi-ethernet: SQL-User-Name set to 'testuser' rlm_sql (sql-wifi-ethernet): Reserved connection (13) (9) sql-wifi-ethernet: EXPAND SELECT wifi_id as id, username, 'MD5-Password' as attribute, md5_hash, ':=' as op FROM wifiusers WHERE username = '%{SQL-User-Name}' ORDER BY id (9) sql-wifi-ethernet: --> SELECT wifi_id as id, username, 'MD5-Password' as attribute, md5_hash, ':=' as op FROM wifiusers WHERE username = 'testuser' ORDER BY id (9) sql-wifi-ethernet: Executing select query: SELECT wifi_id as id, username, 'MD5-Password' as attribute, md5_hash, ':=' as op FROM wifiusers WHERE username = 'testuser' ORDER BY id (9) sql-wifi-ethernet: User found in radcheck table (9) sql-wifi-ethernet: Conditional check items matched, merging assignment check items (9) sql-wifi-ethernet: MD5-Password := 0x6c375752517179667431416e4c4f6462714d365679413d3d (9) sql-wifi-ethernet: EXPAND SELECT id, UserName, Attribute, Value, op FROM msk_wifi_attrs WHERE username = '%{SQL-User-Name}' ORDER BY id (9) sql-wifi-ethernet: --> SELECT id, UserName, Attribute, Value, op FROM msk_wifi_attrs WHERE username = 'testuser' ORDER BY id (9) sql-wifi-ethernet: Executing select query: SELECT id, UserName, Attribute, Value, op FROM msk_wifi_attrs WHERE username = 'testuser' ORDER BY id (9) sql-wifi-ethernet: EXPAND SELECT 'Officewifi' as GroupName FROM wifiusers WHERE UserName='%{SQL-User-Name}' (9) sql-wifi-ethernet: --> SELECT 'Officewifi' as GroupName FROM wifiusers WHERE UserName='testuser' (9) sql-wifi-ethernet: Executing select query: SELECT 'Officewifi' as GroupName FROM wifiusers WHERE UserName='testuser' (9) sql-wifi-ethernet: User found in the group table (9) sql-wifi-ethernet: EXPAND SELECT wifi_id as id, 'Officewifi' as GroupName, 'MD5-Password' as attribute, md5_hash, ':=' as op FROM wifiusers WHERE Username = '%{SQL-User-Name}' ORDER BY id (9) sql-wifi-ethernet: --> SELECT wifi_id as id, 'Officewifi' as GroupName, 'MD5-Password' as attribute, md5_hash, ':=' as op FROM wifiusers WHERE Username = 'testuser' ORDER BY id (9) sql-wifi-ethernet: Executing select query: SELECT wifi_id as id, 'Officewifi' as GroupName, 'MD5-Password' as attribute, md5_hash, ':=' as op FROM wifiusers WHERE Username = 'testuser' ORDER BY id (9) sql-wifi-ethernet: Group "Officewifi": Conditional check items matched (9) sql-wifi-ethernet: Group "Officewifi": Merging assignment check items (9) sql-wifi-ethernet: MD5-Password := 0x6c375752517179667431416e4c4f6462714d365679413d3d (9) sql-wifi-ethernet: EXPAND SELECT wifi_id as id, 'Officewifi' as GroupName, 'MD5-Password' as attribute, md5_hash, ':=' as op FROM wifiusers WHERE Username = '%{SQL-User-Name}' ORDER BY id (9) sql-wifi-ethernet: --> SELECT wifi_id as id, 'Officewifi' as GroupName, 'MD5-Password' as attribute, md5_hash, ':=' as op FROM wifiusers WHERE Username = 'testuser' ORDER BY id (9) sql-wifi-ethernet: Executing select query: SELECT wifi_id as id, 'Officewifi' as GroupName, 'MD5-Password' as attribute, md5_hash, ':=' as op FROM wifiusers WHERE Username = 'testuser' ORDER BY id (9) sql-wifi-ethernet: Group "Officewifi": Merging reply items (9) sql-wifi-ethernet: MD5-Password := 0x6c375752517179667431416e4c4f6462714d365679413d3d rlm_sql (sql-wifi-ethernet): Released connection (13) (9) [sql-wifi-ethernet] = ok (9) } # if (NAS-IP-Address == 127.0.0.1) = ok (9) ... skipping else: Preceding "if" was taken (9) [files] = noop (9) [expiration] = noop (9) [logintime] = noop (9) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header (9) pap: Normalizing MD5-Password from base64 encoding, 24 bytes -> 16 bytes (9) [pap] = updated (9) } # authorize = updated (9) Found Auth-Type = PAP (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) Auth-Type PAP { (9) pap: Login attempt with password (9) pap: Comparing with "known good" Cleartext-Password (9) pap: ERROR: Cleartext password does not match "known good" password (9) pap: Passwords don't match (9) [pap] = reject (9) } # Auth-Type PAP = reject (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> testuser (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) } # Post-Auth-Type REJECT = updated I wish you Happy New Year. Thanks for the future answer. сб, 22 дек. 2018 г. в 13:43, Alan DeKok <aland@deployingradius.com>:
On Dec 21, 2018, at 6:28 PM, Anton Kiryushkin <swood@fotofor.biz> wrote:
Thank you very much for your explanation. I fixed one of my problems. But there is one more, unfortunately. Could you please tell me why some
clients
still can't log in:
The debug messages are clear...
(100) eap: Peer sent packet with method EAP MD5 (4) (100) eap: Calling submodule eap_md5 to process data (100) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5 authentication
You need a Cleartext-Password to do EAP-MD5.
The rest of the debug messages make it clear that the EAP-MD5 method is being used *inside* of PEAP.
I suppose, the main problem from this string:
(100) eap_peap: EAP method MD5 (4)
But, I haven't enabled this type of authorization:
Yes, you have. You've listed "md5" inside of the "eap" module configuration. If you didn't list "md5" there, then FreeRADIUS would complain that EAP-MD5 wasn't permitted. Instead, it runs EAP-MD5.
Probably I should have two versions of hashes for wifi and ethernet authorization?
The debug log says you need the Cleartext-Password, not a hashed password. And once you have that, FreeRADIUS can do PEAP/MS-CHAP, too.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Best regards, Anton Kiryushkin