I altered my SQL to ClearText-Password with the ":=" operator and I now get authenticated. Thanks guys - the warning message was clear about what it was referring to but I wasn't clear on what config i needed to change - whether it was with mssql or pap. Anyway, I still have the problem that I'm not having attributes returned. It's because my two stored procedures are not being run. I have groupcheck_sp and groupreply_sp which used to get executed in my old 1.1.x setup in the authorize section but now that doesn't seem to happen. I checked sql.conf and read_groups = yes. Is there some change in 2.x i should be aware of? I saw a message relating to something similar I think here http://readlist.com/lists/lists.freeradius.org/freeradius-users/4/24364.html... I couldn't figure out a resolution. My output is similar to my earlier email but without the warning.... Ready to process requests. rad_recv: Access-Request packet from host 10.152.0.7 port 20001, id=43, length=168 NAS-IP-Address = 10.152.0.7 User-Name = "9999999999" User-Password = "9999999999" Service-Type = Login-User NAS-Port-Type = Async Calling-Station-Id = "1002" Quintum-h323-conf-id = "h323-conf-id=34616632 66373463 31390038 00333300" Quintum-AVPair = "h323-ivr-out=ACCESSCODE:990006" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [suffix] No '@' in User-Name = "9999999999", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop [sql] expand: %{User-Name} -> 9999999999 [sql] sql_set_user escaped user --> '9999999999' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT [id], UserName, Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('%{SQL-User-Name}') -> SELECT [id], UserName, Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('0498666931') query: SELECT [id], UserName, Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('9999999999') [sql] User found in radcheck table rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "9999999999" [pap] Using clear text password "9999999999" [pap] User authenticated successfully ++[pap] returns ok Login OK: [0498666931] (from client 10.152.0.7 port 0 cli 1002) +- entering group post-auth {...} [sql] expand: %{User-Name} -> 9999999999 [sql] sql_set_user escaped user --> '9999999999' ++[sql] returns noop ++[exec] returns noop Sending Access-Accept of id 43 to 10.152.0.7 port 20001 Finished request 0. Thanks, Rob 2009/10/27 Bjørn Mork <bjorn@mork.no>
Robert White <rwhite@globalgossip.net> writes:
I'm trying to upgrade my setup from freeradius 1 to freeradius 2.
I've been making little changes to the config as suggested in the doc and I managed to get my setup connecting to my mssql backend. However, when I try and authorize with a user/pass, I get an error - actually more of a warning. I've Googled about but although others have had this error I haven't really seen a good explanation of why it occurs let alone how to solve.
I believe the rlm_pap(5) man page explains the different password attribute and their usage pretty well.
The point the server is trying to make you aware of is that you can't really do an equality check on the User-Password. The attribute received from the other end is encrypted: http://freeradius.org/rfc/rfc2865.html#User-Password
That's why
luser User-Password == "foo"
is wrong. Don't do it.
When you configure a user account, you will instead *set* another server configuration attribute which may be used by the authentication modules to verify the received User-Password. So you'll do
luser Cleartext-Password := "foo"
and the rlm_pap module will see both the Cleartext-Password you set and the User-Password the NAS sent and do whatever it needs to verify that they match. This concept might be even clearer if you instead configure
luser Crypt-Password := "aaKNIEDOaueR6"
The rlm_pap will still be able to verify the received password.
Sending Access-Accept of id 16 to 10.152.0.7 port 20001
Looks like your 2.x config doesn't have any reply attributes.
Sending Access-Accept of id 31 to 10.152.0.7 port 20001 h323-return-code = "h323-return-code=0" h323-billing-model = "h323-billing-model=0" h323-credit-amount = "h323-credit-amount=76.15" h323-currency = "h323-currency=AUD"
while the 1.x config sends a number of them. Maybe that's why your NAS doesn't do what you expect, even if it gets an accept in both cases?
Bjørn
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Rob White Assistant IT Manager Core Infrastructure & System Development Global Gossip Group Address: 14 Wentworth Avenue, Sydney NSW 2010 Telephone: +61 292 630 460 Fax: +61 292 630 404 Mobile: +61 410 700 733 Email: rwhite@globalgossip.net Skype: robwhite83