OK, you replaced the operator. Why didn't you replace User-Password with Cleartext-Password as debug so clearly suggests (and so did someone else on the list; I was under impression that you have done that)? As for 2 requests - they seem to be 120 requests apart. NAS usually sends a new request about 2 seconds after sending the first one (if it gets no response). If you have 120 requests in 2 seconds it's likely that your database is having hard time coping. Where are all those requests coming from? Ivan Kalik Kalik Informatika ISP Dana 31/1/2008, "Andrew Long" <fursink@gmail.com> piše:
With attribute `User-Password' and op = `==' we get this:
rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'mainaroma_cn3200' ORDER BY id WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. rlm_sql (sql): User found in radcheck table
mysql> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'mainaroma_cn3200' ORDER BY id; +-----+------------------+---------------+-------------+----+ | id | username | attribute | value | op | +-----+------------------+---------------+-------------+----+ | 409 | mainaroma_cn3200 | User-Password | nicepassword | == | +-----+------------------+---------------+-------------+----+ 1 row in set (0.01 sec)
========
Now, with `op' = `:=' rather than `==' as Ivan suggests : we see the same error...
rad_check_password: Found Auth-Type CHAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "mainaroma_cn3200" with CHAP password rlm_chap: Using clear text password "aromaescape" for user mainaroma_cn3200 authentication. rlm_chap: chap user mainaroma_cn3200 authenticated succesfully ++[chap] returns ok
The only difference is that when I use `:=' there are two access-requests from the host and two access-accepts: access-request id 40 --> access-accept id 40 and then immediately access-request id 160 --> access-accept id 160.
None of this is in users file; we pass the info from sql.
Andrew EWS Solutions
======================================================= On Jan 30, 2008 5:21 PM, Kevin Bonner <keb@pa.net> wrote:
On Wednesday 30 January 2008 15:31:51 Andrew Long wrote:
If I change the attribute to `Cleartext-Password', authentication fails and I see:
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password rlm_chap: Cleartext-Password is required for authentication ++[chap] returns invalid auth: Failed to validate the user. Login incorrect (rlm_chap: Clear text password not available): [elmaroma_cn3000/<CHAP-Password>] (from client cn3000_aroma port 0 cli 00-02-6F-xx-xx-92)
Thanks muchly, Andrew Long EWS
2008/1/30 Ivan Kalik <tnt@kalik.net>:
Can you post users entry in the database. it's quite likely that you left == as the operator instead of using :=.
Ivan Kalik Kalik Informatika ISP
Dana 30/1/2008, "Andrew Long" <fursink@gmail.com> piše:
When I have (radcheck) attribute `User-Password', authentication succeeds but we see the following:
rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password rlm_chap: Using clear text password "aromaescape" for user elmaroma_cn3000 authentication. rlm_chap: chap user elmaroma_cn3000 authenticated succesfully ++[chap] returns ok
If I change the attribute to `Cleartext-Password', authentication fails and I see:
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password rlm_chap: Cleartext-Password is required for authentication ++[chap] returns invalid auth: Failed to validate the user. Login incorrect (rlm_chap: Clear text password not available): [elmaroma_cn3000/<CHAP-Password>] (from client cn3000_aroma port 0 cli 00-02-6F-xx-xx-92)
The "users" file ---------------------- DEFAULT Fall-Through = 1 DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP --------------------- authorize { preprocess chap mschap suffix unix files sql expiration logintime noresetcounter dailycounter monthlycounter daypasscounter pap} authenticate { pap chap mschap}
Thanks muchly,
Andrew Long EWS - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html