Proxy Treatment of PAP/Chap Auth Types
Hi, Hope someone can give me a pointer on this matter. We have 2 RADIUS installations, thus: 1. FreeRADIUS/mysql Version 2.1.1, in whose radcheck, Password attribute is 'User-Password' 2. FreeRADIUS/mysql Version 2.1.10, in whose radcheck, Password attribute is 'Cleartext-Password' On both freeradius servers sql and perl modules are enabled in authorize and accounting groups, and both servers accept PAP and CHAP auth if queried directly Server 2 is configured to proxy requests for unknown users for certain prefixes/suffixes to server 1, if perl and sql return no user: authorize { preprocess chap mschap digest eap { ok = return } files expiration logintime sql perl if (notfound) { suffix hotspotUser } pap } Challenge is, on Server 2, testing with radtest (passing the attributes so: radtest -t <type> iS_u2h4gna a2uwv localhost 1812 secret) , local users are authed fine, but non-local users always return with a reject. Debug output of server 1, if I use CHAP to attempt auth with radtest on server 2, is always: ++[pap] returns noop Found Auth-Type = CHAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group CHAP {...} [chap] login attempt by "iS_u2h4gna" with CHAP password [chap] Using clear text password "uz3f9" for user iS_u2h4gna authentication. [chap] Password check failed ++[chap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} If, I use PAP with radtest on server 2, server 1 returns ++[pap] returns updated Found Auth-Type = PAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group PAP {...} [pap] login attempt with password "a2uwv" [pap] Using clear text password "uz3f9" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} I have tried changing the "known good" clear text password on server 1 as recommended in the warning to no effect. (Is this because User-Password and Cleartext-Password must necessarily be the unequal and co-related)? If so, How can i convert 1 to the other? Hopefully, JamesTM --
On Fri, May 03, 2013 at 04:46:27AM +0200, James T Mugauri wrote:
attributes so: radtest -t <type> iS_u2h4gna a2uwv localhost 1812 ... [chap] login attempt by "iS_u2h4gna" with CHAP password [chap] Using clear text password "uz3f9" for user iS_u2h4gna authentication. [chap] Password check failed ... +- entering group PAP {...} [pap] login attempt with password "a2uwv" [pap] Using clear text password "uz3f9" [pap] Passwords don't match
Have you tried testing it with the right password? Otherwise, you should post the *full* output of radiusd -X for the startup and test request going through both servers so we can see what's happening. A small section doesn't help much. You should use Cleartext-Password in place of User-Password in the config. There is no difference, and User-Password is deprecated and going away in 3.0. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi Matthew, I faced the same issue. I am using sql for storing user password. For solving issue I changed the password type from 'Cleartext-Password' to User-Password and it worked for me. But as you said, there is no difference and User-Password is deprecated. So what would be the reason for the above issue? ---- Thanks & Regards, Prashant ________________________________ From: Matthew Newton <mcn4@leicester.ac.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Friday, 3 May 2013 6:21 PM Subject: Re: Proxy Treatment of PAP/Chap Auth Types On Fri, May 03, 2013 at 04:46:27AM +0200, James T Mugauri wrote:
attributes so: radtest -t <type> iS_u2h4gna a2uwv localhost 1812 ... [chap] login attempt by "iS_u2h4gna" with CHAP password [chap] Using clear text password "uz3f9" for user iS_u2h4gna authentication. [chap] Password check failed ... +- entering group PAP {...} [pap] login attempt with password "a2uwv" [pap] Using clear text password "uz3f9" [pap] Passwords don't match
Have you tried testing it with the right password? Otherwise, you should post the *full* output of radiusd -X for the startup and test request going through both servers so we can see what's happening. A small section doesn't help much. You should use Cleartext-Password in place of User-Password in the config. There is no difference, and User-Password is deprecated and going away in 3.0. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Prashant Abhang wrote:
I faced the same issue. I am using sql for storing user password. For solving issue I changed the password type from 'Cleartext-Password' to User-Password and it worked for me.
But as you said, there is no difference and User-Password is deprecated. So what would be the reason for the above issue?
Because you edited your configuration and broke it. The default configuration works with either User-Password or Cleartext-Password. As of version 3, User-Password will *not* work. It's been deprecated since 2007 for crying out loud. There is NO excuse to keep using it. Alan DeKok.
On Fri, May 03, 2013 at 09:19:40PM +0800, Prashant Abhang wrote:
I faced the same issue. I am using sql for storing user password. For solving issue I changed the password type from 'Cleartext-Password' to User-Password and it worked for me.
But as you said, there is no difference and User-Password is deprecated. So what would be the reason for the above issue?
radiusd -X? If you're using a password with a header (e.g. "{SHA1}...") then you should use Password-With-Header instead of Cleartext-Password. Otherwise it should work. See rlm_pap(5). Without full debug logs, it's impossible to tell much more. Matthew
________________________________ From: Matthew Newton <mcn4@leicester.ac.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Friday, 3 May 2013 6:21 PM Subject: Re: Proxy Treatment of PAP/Chap Auth Types
On Fri, May 03, 2013 at 04:46:27AM +0200, James T Mugauri wrote:
attributes so: radtest -t <type> iS_u2h4gna a2uwv localhost 1812 ... [chap] login attempt by "iS_u2h4gna" with CHAP password [chap] Using clear text password "uz3f9" for user iS_u2h4gna authentication. [chap] Password check failed ... +- entering group PAP {...} [pap] login attempt with password "a2uwv" [pap] Using clear text password "uz3f9" [pap] Passwords don't match
Have you tried testing it with the right password?
Otherwise, you should post the *full* output of radiusd -X for the startup and test request going through both servers so we can see what's happening. A small section doesn't help much.
You should use Cleartext-Password in place of User-Password in the config. There is no difference, and User-Password is deprecated and going away in 3.0.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
James T Mugauri wrote:
We have 2 RADIUS installations, thus: 1. FreeRADIUS/mysql Version 2.1.1, in whose radcheck, Password attribute is 'User-Password'
Change that to Cleartext-Password.
2. FreeRADIUS/mysql Version 2.1.10, in whose radcheck, Password attribute is 'Cleartext-Password'
On both freeradius servers sql and perl modules are enabled in authorize and accounting groups, and both servers accept PAP and CHAP auth if queried directly
So that seems to work.
Server 2 is configured to proxy requests for unknown users for certain prefixes/suffixes to server 1, if perl and sql return no user:
authorize { preprocess chap mschap digest eap { ok = return } files expiration logintime sql perl if (notfound) { suffix hotspotUser } pap }
I'm presuming that "suffix" and/or "hotspotuser" sets Proxy-To-Realm. Do they actually do that?
Challenge is, on Server 2, testing with radtest (passing the attributes so: radtest -t <type> iS_u2h4gna a2uwv localhost 1812 secret) , local users are authed fine, but non-local users always return with a reject.
So *what* returns a reject? Server 2? Or server 1? Your statement isn't clear about that. Knowing that will help.
Debug output of server 1, if I use CHAP to attempt auth with radtest on server 2, is always:
<sigh> The point of running the server in debugging mode is to read the ENTIRE THING. If it's doing something wrong, you need to see if it's doing what you expect. i.e. proxying.
++[pap] returns noop Found Auth-Type = CHAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group CHAP {...} [chap] login attempt by "iS_u2h4gna" with CHAP password [chap] Using clear text password "uz3f9" for user iS_u2h4gna authentication. [chap] Password check failed
It's trying to authenticate the user locally. I thought you said that it didn't do that? Have you checked if it's proxying the user?
++[chap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...}
If, I use PAP with radtest on server 2, server 1 returns
Please be careful with terminology. Use "home server" and "proxy", not "1" and "2". It's more descriptive, and easier to understand.
++[pap] returns updated Found Auth-Type = PAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group PAP {...} [pap] login attempt with password "a2uwv" [pap] Using clear text password "uz3f9" [pap] Passwords don't match
Which is a different access request. Please don't mix and match random traffic. You need to follow *one* packet through the system. Doing anything else is wasting your time.
I have tried changing the "known good" clear text password on server 1 as recommended in the warning to no effect. (Is this because User-Password and Cleartext-Password must necessarily be the unequal and co-related)?
Changing Cleartext-Password won't fix a broken proxy. You're changing something OTHER than the cause of the problem.
If so, How can i convert 1 to the other?
You don't. You *do* use industry standard terms, and you *do* post the full debug output. Once you do, I'll wager that the problem is pretty simple. Just reading the debug output solves 90% of common issues. Alan DeKok.
participants (4)
-
Alan DeKok -
James T Mugauri -
Matthew Newton -
Prashant Abhang