Try this again, I hope someone can answer these or at least shed some light. Been trying to do PAP authentication with the crypt'd password stored in mysql. We, unfortunately have to do PAP. This has been done for the most part and works, but I had to go against what deployingradius.com said w/regards to using Auth-Type as I have not found an alternative that seems to work right. I'm using stock radiusd.conf that comes with 1.1.2, except proxy is set to no. To make this work I added a user to radcheck with a crypt'd password: +----+------------+----------------+----+---------------+ | id | UserName | Attribute | op | Value | +----+------------+----------------+----+---------------+ | 1 | bob | Password | == | test | | 4 | tester | Crypt-Password | == | gmxwp4dfOcHAI | +----+------------+----------------+----+---------------+ In radgroupcheck: +----+-----------+-----------+----+-------+ | id | GroupName | Attribute | op | Value | +----+-----------+-----------+----+-------+ | 1 | default | Auth-Type | := | PAP | | 2 | admin | Auth-Type | := | PAP | +----+-----------+-----------+----+-------+ In radgroupreply: +----+-----------+--------------------+----+---------------------+------+ | id | GroupName | Attribute | op | Value | prio | +----+-----------+--------------------+----+---------------------+------+ | 1 | default | Service-Type | := | Framed-User | 0 | | 2 | default | Framed-Protocol | := | PPP | 0 | | 3 | default | Framed-Compression | := | Van-Jacobsen-TCP-IP | 0 | | 4 | default | Framed-MTU | := | 1500 | 0 | | 5 | admin | Service-Type | := | Administrative-User | 0 | | 6 | default | Framed-Routing | := | None | 0 | | 7 | default | Framed-IP-Netmask | := | 255.255.255.255 | 0 | +----+-----------+--------------------+----+---------------------+------+ and the usergroup table: +----+------------+-----------+ | id | UserName | GroupName | +----+------------+-----------+ | 5 | bob | admin | | 10 | tester | default | +----+------------+-----------+ With this setup user tester can dialup, login and setup a ppp connection and it works. The one main issue is that the user has to be both in the usergroup table and the radcheck table for this to work. Is there a way to just have the username in just radcheck for example? What is needed to setup a default profile for all users to authenticate via PAP w/o having to set auth-type=pap? Is that possible? Thanks for any replies. Keith
Keith Woodworth wrote:
Try this again, I hope someone can answer these or at least shed some light.
Been trying to do PAP authentication with the crypt'd password stored in mysql. We, unfortunately have to do PAP.
This has been done for the most part and works, but I had to go against what deployingradius.com said w/regards to using Auth-Type as I have not found an alternative that seems to work right.
In current versions of the server, the "pap" module does not run in authorize, and does not set Auth-Type correctly to itself, so this is one of the FEW circumstances in which setting Auth-Type is correct in I think. Later versions of the server (i.e. CVS) perform "correctly" in this regard, which is much more consistent. Many people leave the Auth-Type at the default of "Local", which confusingly does similar but not identical things to the "pap" module, and hence don't see this problem with their PAP requests.
I'm using stock radiusd.conf that comes with 1.1.2, except proxy is set to no.
You can't possibly be, since sql is commented out in that! Even slight differences can be important.
To make this work I added a user to radcheck with a crypt'd password:
+----+------------+----------------+----+---------------+ | id | UserName | Attribute | op | Value | +----+------------+----------------+----+---------------+ | 1 | bob | Password | == | test | | 4 | tester | Crypt-Password | == | gmxwp4dfOcHAI | +----+------------+----------------+----+---------------+
Your "op" should be :=
In radgroupcheck:
+----+-----------+-----------+----+-------+ | id | GroupName | Attribute | op | Value | +----+-----------+-----------+----+-------+ | 1 | default | Auth-Type | := | PAP | | 2 | admin | Auth-Type | := | PAP | +----+-----------+-----------+----+-------+
In radgroupreply:
+----+-----------+--------------------+----+---------------------+------+ | id | GroupName | Attribute | op | Value | prio | +----+-----------+--------------------+----+---------------------+------+ | 1 | default | Service-Type | := | Framed-User | 0 | | 2 | default | Framed-Protocol | := | PPP | 0 | | 3 | default | Framed-Compression | := | Van-Jacobsen-TCP-IP | 0 | | 4 | default | Framed-MTU | := | 1500 | 0 | | 5 | admin | Service-Type | := | Administrative-User | 0 | | 6 | default | Framed-Routing | := | None | 0 | | 7 | default | Framed-IP-Netmask | := | 255.255.255.255 | 0 | +----+-----------+--------------------+----+---------------------+------+
and the usergroup table:
+----+------------+-----------+ | id | UserName | GroupName | +----+------------+-----------+ | 5 | bob | admin | | 10 | tester | default | +----+------------+-----------+
With this setup user tester can dialup, login and setup a ppp connection and it works.
The one main issue is that the user has to be both in the usergroup table and the radcheck table for this to work. Is there a way to just have the username in just radcheck for example? What is needed to setup a default profile for all users to authenticate via PAP w/o having to set auth-type=pap? Is that possible?
Not if you're using the "pap" module on the current server version.
On Tue, 22 Aug 2006, Phil Mayers wrote: |->Keith Woodworth wrote: |->> |->> Been trying to do PAP authentication with the crypt'd password stored in |->> mysql. We, unfortunately have to do PAP. |->> |->> This has been done for the most part and works, but I had to go against |->> what deployingradius.com said w/regards to using Auth-Type as I have not |->> found an alternative that seems to work right. |-> |->In current versions of the server, the "pap" module does not run in |->authorize, and does not set Auth-Type correctly to itself, so this is |->one of the FEW circumstances in which setting Auth-Type is correct in I |->think. Later versions of the server (i.e. CVS) perform "correctly" in |->this regard, which is much more consistent. |-> |->Many people leave the Auth-Type at the default of "Local", which |->confusingly does similar but not identical things to the "pap" module, |->and hence don't see this problem with their PAP requests. One of the things I did try was add PAP to the authorize section, but radius failed to start when I did that. Deployingradius.com did say there were very few circumstances to set Auth-Type, but not which ones. Guess I found one? |->> I'm using stock radiusd.conf that comes with 1.1.2, except proxy is set to |->> no. |-> |->You can't possibly be, since sql is commented out in that! Even slight |->differences can be important. Bah, you are right. I forgot, I did set the SQL module. |->> To make this work I added a user to radcheck with a crypt'd password: |->> |->> +----+------------+----------------+----+---------------+ |->> | id | UserName | Attribute | op | Value | |->> +----+------------+----------------+----+---------------+ |->> | 1 | bob | Password | == | test | |->> | 4 | tester | Crypt-Password | == | gmxwp4dfOcHAI | |->> +----+------------+----------------+----+---------------+ |-> |->Your "op" should be := Ok thanks. |->> The one main issue is that the user has to be both in the usergroup table |->> and the radcheck table for this to work. Is there a way to just have the |->> username in just radcheck for example? What is needed to setup a default |->> profile for all users to authenticate via PAP w/o having to set |->> auth-type=pap? Is that possible? |-> |->Not if you're using the "pap" module on the current server version. How stable is the current server version? Anyone using it in production? Sounds like I might have to be using the CVS version to do what I want properly of only having the user in one table and do PAP authentication with the crypt password stored in sql. Thanks, Keith
Keith Woodworth <kwoody@citytel.net> wrote:
One of the things I did try was add PAP to the authorize section, but radius failed to start when I did that.
And the error message was...?
Deployingradius.com did say there were very few circumstances to set Auth-Type, but not which ones. Guess I found one?
Possibly. Much of this is fixed in CVS head, which is currently planned to be 2.0 before Christmas. The PAP module does more there, and there are MANY fewer cases where you have to set Auth-Type.
How stable is the current server version? Anyone using it in production?
Yes. A number of people. There are 3 issues that need addressing before it's ready for an official 2.0, however.
Sounds like I might have to be using the CVS version to do what I want properly of only having the user in one table and do PAP authentication with the crypt password stored in sql.
1.1.2 can do it, it just takes a little more configuration. Basically, for every user who has a Crypt-Password attribute, you have to set "Auth-Type = Local". Not ":=", but "=". And in 2.0, even that won't be necessary. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (3)
-
Alan DeKok -
Keith Woodworth -
Phil Mayers