Keith Woodworth wrote:
Try this again, I hope someone can answer these or at least shed some light.
Been trying to do PAP authentication with the crypt'd password stored in mysql. We, unfortunately have to do PAP.
This has been done for the most part and works, but I had to go against what deployingradius.com said w/regards to using Auth-Type as I have not found an alternative that seems to work right.
In current versions of the server, the "pap" module does not run in authorize, and does not set Auth-Type correctly to itself, so this is one of the FEW circumstances in which setting Auth-Type is correct in I think. Later versions of the server (i.e. CVS) perform "correctly" in this regard, which is much more consistent. Many people leave the Auth-Type at the default of "Local", which confusingly does similar but not identical things to the "pap" module, and hence don't see this problem with their PAP requests.
I'm using stock radiusd.conf that comes with 1.1.2, except proxy is set to no.
You can't possibly be, since sql is commented out in that! Even slight differences can be important.
To make this work I added a user to radcheck with a crypt'd password:
+----+------------+----------------+----+---------------+ | id | UserName | Attribute | op | Value | +----+------------+----------------+----+---------------+ | 1 | bob | Password | == | test | | 4 | tester | Crypt-Password | == | gmxwp4dfOcHAI | +----+------------+----------------+----+---------------+
Your "op" should be :=
In radgroupcheck:
+----+-----------+-----------+----+-------+ | id | GroupName | Attribute | op | Value | +----+-----------+-----------+----+-------+ | 1 | default | Auth-Type | := | PAP | | 2 | admin | Auth-Type | := | PAP | +----+-----------+-----------+----+-------+
In radgroupreply:
+----+-----------+--------------------+----+---------------------+------+ | id | GroupName | Attribute | op | Value | prio | +----+-----------+--------------------+----+---------------------+------+ | 1 | default | Service-Type | := | Framed-User | 0 | | 2 | default | Framed-Protocol | := | PPP | 0 | | 3 | default | Framed-Compression | := | Van-Jacobsen-TCP-IP | 0 | | 4 | default | Framed-MTU | := | 1500 | 0 | | 5 | admin | Service-Type | := | Administrative-User | 0 | | 6 | default | Framed-Routing | := | None | 0 | | 7 | default | Framed-IP-Netmask | := | 255.255.255.255 | 0 | +----+-----------+--------------------+----+---------------------+------+
and the usergroup table:
+----+------------+-----------+ | id | UserName | GroupName | +----+------------+-----------+ | 5 | bob | admin | | 10 | tester | default | +----+------------+-----------+
With this setup user tester can dialup, login and setup a ppp connection and it works.
The one main issue is that the user has to be both in the usergroup table and the radcheck table for this to work. Is there a way to just have the username in just radcheck for example? What is needed to setup a default profile for all users to authenticate via PAP w/o having to set auth-type=pap? Is that possible?
Not if you're using the "pap" module on the current server version.