I altered my SQL to ClearText-Password with the ":=" operator and I now get authenticated.  Thanks guys - the warning message was clear about what it was referring to but I wasn't clear on what config i needed to change - whether it was with mssql or pap.

Anyway, I still have the problem that I'm not having attributes returned.  It's because my two stored procedures are not being run.

I have groupcheck_sp and groupreply_sp which used to get executed in my old 1.1.x setup in the authorize section but now that doesn't seem to happen.

I checked sql.conf and read_groups = yes.

Is there some change in 2.x i should be aware of?  I saw a message relating to something similar I think here http://readlist.com/lists/lists.freeradius.org/freeradius-users/4/24364.html but I couldn't figure out a resolution.

My output is similar to my earlier email but without the warning....

Ready to process requests.
rad_recv: Access-Request packet from host 10.152.0.7 port 20001, id=43, length=168
        NAS-IP-Address = 10.152.0.7
        User-Name = "9999999999"
        User-Password = "9999999999"
        Service-Type = Login-User
        NAS-Port-Type = Async
        Calling-Station-Id = "1002"
        Quintum-h323-conf-id = "h323-conf-id=34616632 66373463 31390038 00333300"
        Quintum-AVPair = "h323-ivr-out=ACCESSCODE:990006"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "9999999999", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> 9999999999
[sql] sql_set_user escaped user --> '9999999999'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT [id], UserName, Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('%{SQL-User-Name}') -> SELECT [id], UserName, Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('0498666931')
query:  SELECT [id], UserName, Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('9999999999')
[sql] User found in radcheck table
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "9999999999"
[pap] Using clear text password "9999999999"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [0498666931] (from client 10.152.0.7 port 0 cli 1002)
+- entering group post-auth {...}
[sql]   expand: %{User-Name} -> 9999999999
[sql] sql_set_user escaped user --> '9999999999'
++[sql] returns noop
++[exec] returns noop
Sending Access-Accept of id 43 to 10.152.0.7 port 20001
Finished request 0.

Thanks,

Rob

2009/10/27 Bjørn Mork <bjorn@mork.no>
Robert White <rwhite@globalgossip.net> writes:

> I'm trying to upgrade my setup from freeradius 1 to freeradius 2.
>
> I've been making little changes to the config as suggested in the doc and I
> managed to get my setup connecting to my mssql backend.  However, when I try
> and authorize with a user/pass, I get an error - actually more of a warning.
>  I've Googled about but although others have had this error I haven't really
> seen a good explanation of why it occurs let alone how to solve.

I believe the rlm_pap(5) man page explains the different password
attribute and their usage pretty well.

The point the server is trying to make you aware of is that you can't
really do an equality check on the User-Password.  The attribute
received from the other end is encrypted:
 http://freeradius.org/rfc/rfc2865.html#User-Password

That's why

 luser   User-Password == "foo"

is wrong.  Don't do it.

When you configure a user account, you will instead *set* another server
configuration attribute which may be used by the authentication modules
to verify the received User-Password.  So you'll do

 luser   Cleartext-Password := "foo"

and the rlm_pap module will see both the Cleartext-Password you set and
the User-Password the NAS sent and do whatever it needs to verify that
they match.  This concept might be even clearer if you instead configure

 luser   Crypt-Password := "aaKNIEDOaueR6"

The rlm_pap will still be able to verify the received password.



> Sending Access-Accept of id 16 to 10.152.0.7 port 20001

Looks like your 2.x config doesn't have any reply attributes.

> Sending Access-Accept of id 31 to 10.152.0.7 port 20001
>         h323-return-code = "h323-return-code=0"
>         h323-billing-model = "h323-billing-model=0"
>         h323-credit-amount = "h323-credit-amount=76.15"
>         h323-currency = "h323-currency=AUD"

while the 1.x config sends a number of them.  Maybe that's why your NAS
doesn't do what you expect, even if it gets an accept in both cases?


Bjørn

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--
Rob White
Assistant IT Manager
Core Infrastructure & System Development
Global Gossip Group
Address: 14 Wentworth Avenue, Sydney NSW 2010
Telephone: +61 292 630 460
Fax: +61 292 630 404
Mobile: +61 410 700 733
Email: rwhite@globalgossip.net
Skype: robwhite83