On Nov 19, 2015, at 4:49 PM, Alan Batie <alan@peak.org> wrote:
I'm trying to get v3.0.9 working and running into something that seems mutually exclusive: PAP seems to require Cleartext-Password and then complain that it's not getting User-Password? Also, and probably more important, it seems to be ignoring my Auth-Type Local configuration....
Because you shouldn't have Auth-Type Local. The default configuration doesn't have it. It's not needed.
excerpt from site file:
So... why did you edit it to add Auth-Type Local?
With Cleartext-Password and Auth-Type Local:
And.... you don't show the *relevant* portions of the debug output. i.e. the portions where it shows the incoming packet.
(0) [sql] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: Auth-Type already set. Not setting to PAP (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = Local
You're forcing Auth-Type = Local. Why? Don't do that. It's wrong. The default configuration doesn't have it. It's not needed.
(0) Auth-Type sub-section not found. Ignoring.
With Cleartext-Password and Auth-Type PAP:
(1) [sql] = ok (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: Auth-Type already set. Not setting to PAP
The automatic system isn't working ...
(1) [pap] = noop (1) } # authorize = ok (1) Found Auth-Type = PAP
... because *you* forced Auth-Type = PAP. Why?
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/peak (1) Auth-Type PAP { (1) pap: ERROR: You set 'Auth-Type = PAP' for a request that does not contain a User-Password attribute!
Again, *you* broke the server. Don't do that.
(1) [pap] = invalid (1) } # Auth-Type PAP = invalid (1) Failed to authenticate the user (1) Using Post-Auth-Type Reject
With User-Password and Auth-Type PAP:
(4) [sql] = ok (4) [expiration] = noop (4) [logintime] = noop (4) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (4) pap: WARNING: !!! Ignoring control:User-Password. Update your !!! (4) pap: WARNING: !!! configuration so that the "known good" clear text !!! (4) pap: WARNING: !!! password is in Cleartext-Password and NOT in !!! (4) pap: WARNING: !!! User-Password. !!! (4) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
That should be pretty clear. Why not follow the instructions that are in front of you? a) don't force Auth-Type. It's almost always wrong. b) delete the "Auth-Type Local" block. c) yes, DON'T FORCE AUTH-TYPE. Delete it from ALL databases, configurations, etc. d) follow the instructions in the big warnings for packet (4) above. It shouldn't be hard. Put the "known good" password into control:Cleartext-Password. Change almost nothing else. The server *will* figure out how to authenticate the user. It looks like you've followed some crappy third-party guide from 2005. Don't do that. Nearly all of them are wrong and outdated. The default configuration *works*. PLEASE don't destroy it unless you know what you're doing. Alan DeKok.