On Tue, 22 Aug 2006, Alan DeKok wrote: |->Keith Woodworth <kwoody@citytel.net> wrote: |->> One of the things I did try was add PAP to the authorize section, but |->> radius failed to start when I did that. |-> |-> And the error message was...? Had to put this project a side for the last 2 weeks...Hate when I have to do that. Also this post has lots of debug output. Anyway here is the error: radiusd.conf: "PAP" modules aren't allowed in 'authorize' sections -- they have no such method. radiusd.conf[1569] Failed to parse authorize section. Here is where I put pap, with all the comments stripped: authorize { preprocess # auth_log # attr_filter ### KEITH pap chap mschap # digest # IPASS # ntdomain #eap files sql # etc_smbpasswd # ldap # daily # checkval } |->> Deployingradius.com did say there were very few circumstances to set |->> Auth-Type, but not which ones. Guess I found one? |-> |-> Possibly. Much of this is fixed in CVS head, which is currently |->planned to be 2.0 before Christmas. The PAP module does more there, |->and there are MANY fewer cases where you have to set Auth-Type. At the rate I'm going, it will be Christmas before I'm ready to go. |->> How stable is the current server version? Anyone using it in production? |-> |-> Yes. A number of people. There are 3 issues that need addressing |->before it's ready for an official 2.0, however. Would it be advisable to upgrade at this point or wait till its official? |->> Sounds like I might have to be using the CVS version to do what I want |->> properly of only having the user in one table and do PAP authentication |->> with the crypt password stored in sql. |-> |-> 1.1.2 can do it, it just takes a little more configuration. |->Basically, for every user who has a Crypt-Password attribute, you have |->to set "Auth-Type = Local". Not ":=", but "=". After having to put this aside for a few weeks I have finally done some testing. One. If the user has a crypt password in radcheck: 4 | tester | Crypt-Password | := | f3RCpSYQzT292 is listed in Usergroup: 14 | tester | default And default is in radgroupcheck: +----+-----------+-----------+----+-------+ | id | GroupName | Attribute | op | Value | +----+-----------+-----------+----+-------+ | 1 | default | Auth-Type | = | Local | This is the debug output: rad_recv: Access-Request packet from host 204.244.99.67:1645, id=92, length=76 NAS-Port-Type = Async User-Name = "tester" User-Password = "test" Service-Type = Framed-User Framed-Protocol = PPP Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 modcall[authorize]: module "files" returns notfound for request 0 radius_xlat: 'tester' rlm_sql (sql): sql_set_user escaped user --> 'tester' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'tester' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'tester' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type Local auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. Ok, so next change radgroupcheck so Auth-Type is PAP: +----+-----------+-----------+----+-------+ | id | GroupName | Attribute | op | Value | +----+-----------+-----------+----+-------+ | 1 | default | Auth-Type | := | PAP | and do another dialup try: rad_recv: Access-Request packet from host 204.244.99.67:1645, id=93, length=76 NAS-Port-Type = Async User-Name = "tester" User-Password = "test" Service-Type = Framed-User Framed-Protocol = PPP Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 modcall[authorize]: module "files" returns notfound for request 0 radius_xlat: 'tester' rlm_sql (sql): sql_set_user escaped user --> 'tester' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'tester' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'tester' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type PAP auth: type "PAP" Processing the authenticate section of radiusd.conf modcall: entering group PAP for request 0 rlm_pap: login attempt by "tester" with password test rlm_pap: Using password "f3RCpSYQzT292" for user tester authentication. rlm_pap: Using CRYPT encryption. rlm_pap: User authenticated succesfully modcall[authenticate]: module "pap" returns ok for request 0 modcall: leaving group PAP (returns ok) for request 0 Sending Access-Accept of id 93 to 204.244.99.67 port 1645 Service-Type := Framed-User Framed-Protocol := PPP Framed-Compression := Van-Jacobson-TCP-IP Framed-MTU := 1500 Framed-Routing := None Framed-IP-Netmask := 255.255.255.255 Finished request 0 I get authenticated, I get an IP and away I go. Now here is the main issue: I remove the user tester from the UserGroup table but leave Auth-Type := PAP rad_recv: Access-Request packet from host 204.244.99.67:1645, id=97, length=76 NAS-Port-Type = Async User-Name = "tester" User-Password = "test" Service-Type = Framed-User Framed-Protocol = PPP Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 modcall[authorize]: module "files" returns notfound for request 0 radius_xlat: 'tester' rlm_sql (sql): sql_set_user escaped user --> 'tester' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'tester' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'tester' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: type Crypt Sending Access-Accept of id 97 to 204.244.99.67 port 1645 Finished request 0 And while Radius seems to send an Access-Accept, the dialup user gets an error 691 password invalid. So last change set Auth-Type = Local in radgroupcheck as per the suggestion above: 1 | default | Auth-Type | = | Local Debug output: rad_recv: Access-Request packet from host 204.244.99.67:1645, id=100, length=76 NAS-IP-Address = 204.244.98.67 NAS-Port = 23 NAS-Port-Type = Async User-Name = "tester" User-Password = "test" Service-Type = Framed-User Framed-Protocol = PPP Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 modcall[authorize]: module "files" returns notfound for request 1 radius_xlat: 'tester' rlm_sql (sql): sql_set_user escaped user --> 'tester' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'tester' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 3 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'tester' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 3 modcall[authorize]: module "sql" returns ok for request 1 modcall: leaving group authorize (returns ok) for request 1 auth: type Crypt Sending Access-Accept of id 100 to 204.244.99.67 port 1645 Finished request 1 Going to the next request Again I get Access-Accept, but a 691 password error on the client side. So as I see it with this: I have to have the user listed in UserGroup AND RadCheck with a Crypt-Password attribute and RadGroupCheck with Auth-Type := PAP for the user to authenticate and be able to get online. If the username is in UserGroup AND RadCheck with the Auth-Type = Local I see this: modcall[authorize]: module "sql" returns ok for request 5 modcall: leaving group authorize (returns ok) for request 5 rad_check_password: Found Auth-Type Local auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. So I guess I missed something completely or its not possible to have a username ONLY listed in Radcheck with Crypt-Password and authenticate that user? Does the username really need to be be in both the UserGroup table and Radcheck table for a crypt-password method to work? Sorry for the long post. Thanks, Keith
So I guess I missed something completely or its not possible to have a username ONLY listed in Radcheck with Crypt-Password and authenticate that user?
Does the username really need to be be in both the UserGroup table and Radcheck table for a crypt-password method to work?
No, it's got nothing to do with the specifics of the tables they're in, just the specific of what config items are added by the modules (in this case SQL). Obviously if you remove the user from the group which is setting Auth-Type to the right value, it will stop working. The user has to have Auth-Type set to an appropriate value to execute an appropriate module. The "Local" auth-type is effectively a kind of built-in pap module with some kind of odd heuristic guessing of what type of auth to do, where to get the passwords from, and so forth. You are much better off in my opinion using the pap module. Auth-Type being Local does not do that. Auth-Type being "PAP" and a section in authenticate like: authenticate { Auth-Type PAP { pap } } ...does
Keith Woodworth <kwoody@citytel.net> wrote:
Anyway here is the error:
radiusd.conf: "PAP" modules aren't allowed in 'authorize' sections -- they have no such method.
That's in 1.1.3. In 2.0, that is allowed.
Would it be advisable to upgrade at this point or wait till its official?
There are plenty of people using it in production environments.
And while Radius seems to send an Access-Accept, the dialup user gets an error 691 password invalid.
Because you're not sending the same reply attributes as in the previous example. Fix that.
Again I get Access-Accept, but a 691 password error on the client side.
Again because the replies are empty. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On Sat, 9 Sep 2006, Alan DeKok wrote: |->Keith Woodworth <kwoody@citytel.net> wrote: |->> Anyway here is the error: |->> |->> radiusd.conf: "PAP" modules aren't allowed in 'authorize' sections -- they |->> have no such method. |-> |-> That's in 1.1.3. In 2.0, that is allowed. That error was from 1.1.2, now I'm running 1.1.3. |->> And while Radius seems to send an Access-Accept, the dialup user gets an |->> error 691 password invalid. |-> |-> Because you're not sending the same reply attributes as in the |->previous example. Fix that. |-> |->> Again I get Access-Accept, but a 691 password error on the client side. |-> |-> Again because the replies are empty. Which table do the replys come from? In the debug: radius_xlat: 'tester' rlm_sql (sql): sql_set_user escaped user --> 'tester' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'tester' ORDER BY id' Here is the select from radcheck, which has the user tester in it. rlm_sql (sql): Reserving sql socket id: 2 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'tester' ORDER BY id' Radreply is populated, but the username tester is not listed there, so no match obvioiusly. radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 2 modcall[authorize]: module "sql" returns ok for request 2 modcall: leaving group authorize (returns ok) for request 2 auth: type Crypt Sending Access-Accept of id 130 to 204.244.99.67 port 1645 So where to put the reply items? Should I not be using a default entry to reply to all users that authenticate?
|-> |->> And while Radius seems to send an Access-Accept, the dialup user gets an |->> error 691 password invalid. |-> |-> Because you're not sending the same reply attributes as in the |->previous example. Fix that. |-> |->> Again I get Access-Accept, but a 691 password error on the client side. |-> |-> Again because the replies are empty. Just testing a different way to do this I setup the users file with: DEFAULT Service-Type = Framed-User Framed-Protocol = PPP, Framed-Routing = None, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobsen-TCP-IP, Framed-MTU = 1500 Now when I try to login: rad_recv: Access-Request packet from host 204.244.99.67:1645, id=149, length=76 NAS-IP-Address = 204.244.98.67 NAS-Port = 27 NAS-Port-Type = Async User-Name = "tester" User-Password = "test" Service-Type = Framed-User Framed-Protocol = PPP Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 users: Matched entry DEFAULT at line 19 modcall[authorize]: module "files" returns ok for request 2 radius_xlat: 'tester' rlm_sql (sql): sql_set_user escaped user --> 'tester' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'tester' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 2 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'tester' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 2 modcall[authorize]: module "sql" returns ok for request 2 modcall: leaving group authorize (returns ok) for request 2 auth: type Crypt Sending Access-Accept of id 149 to 204.244.99.67 port 1645 Framed-Protocol = PPP Framed-Routing = None Framed-IP-Netmask = 255.255.255.255 Framed-Compression = Van-Jacobson-TCP-IP Framed-MTU = 1500 Finished request 2 Going to the next request Still get password rejected on client side though.
Keith Woodworth <kwoody@citytel.net> wrote:
Still get password rejected on client side though.
At least one of your configurations worked. Look at those replies, and see how they differ from the ones that don't work. If the replies are identical, then the NAS behavior will be identical. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On Sat, 9 Sep 2006, Keith Woodworth wrote: |->|-> |->|->> And while Radius seems to send an Access-Accept, the dialup user gets an |->|->> error 691 password invalid. |->|-> |->|-> Because you're not sending the same reply attributes as in the |->|->previous example. Fix that. |->|-> |->|->> Again I get Access-Accept, but a 691 password error on the client side. |->|-> |->|-> Again because the replies are empty. |-> |->Just testing a different way to do this I setup the users file with: |-> |->DEFAULT Service-Type = Framed-User |-> Framed-Protocol = PPP, |-> Framed-Routing = None, |-> Framed-IP-Netmask = 255.255.255.255, |-> Framed-Compression = Van-Jacobsen-TCP-IP, |-> Framed-MTU = 1500 |-> |->Now when I try to login: |-> Again had to put this aside for a few days (really starting to grind on me, its a wonder I actually get any work done) Anyway so started in again on this. One thing overall I think that has confused me is that I was trying to do everything from SQL, which now I dont think I need to do. Basicall: Have a user and their crypted password stored in SQL, have radius query the database for that info, if its ok, start a PPP session. Only way I could get that to work was have the username in both the radcheck AND usergroup tables. I didnt want it to work that way as it would be extra work to populate the database from our current radius setup, which uses Auth-Type System. I think I have figured it out, though not sure if its the correct way. Use a combination of users(5) and SQL. Have the user and password in radcheck, auth-type=local in radgroupcheck and use the users(5) file to do the rest and it seems to finally work. My users file: DEFAULT Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Routing = None, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobsen-TCP-IP, Framed-MTU = 1500 Using it like this works. But as soon as I use it this way: DEFAULT Service-Type = Framed-User Framed-Protocol = PPP, Framed-Routing = None, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobsen-TCP-IP, Framed-MTU = 1500 Why does the top way work and the bottom way not? And is this an acceptable way to do it? Store the users and passwords in SQL and have the Users file supply the rest? Thanks, Keith
Keith Woodworth wrote:
My users file:
DEFAULT Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Routing = None, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobsen-TCP-IP, Framed-MTU = 1500
Using it like this works.
But as soon as I use it this way:
DEFAULT Service-Type = Framed-User Framed-Protocol = PPP, Framed-Routing = None, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobsen-TCP-IP, Framed-MTU = 1500
Why does the top way work and the bottom way not?
Expressions on the first line in a users file stanza are check items. Expressions on subsequent lines are reply items. You probably want to use the second method and replace "Service-Type = Framed-User" with the comparison "Service-Type == Framed-User". And is this an
acceptable way to do it? Store the users and passwords in SQL and have the Users file supply the rest?
If the check and reply items needed for your setup don't result in a users file that's unmanageable, it's acceptable. -- James Wakefield, Unix Administrator, Information Technology Services Division Deakin University, Geelong, Victoria 3217 Australia. Phone: 03 5227 8690 International: +61 3 5227 8690 Fax: 03 5227 8866 International: +61 3 5227 8866 E-mail: james.wakefield@deakin.edu.au Website: http://www.deakin.edu.au
participants (4)
-
Alan DeKok -
James Wakefield -
Keith Woodworth -
Phil Mayers