WARNING about auth-type = Local
Hi, I use a completely custom setup. Not using the "default" server at all. All is working fine, except for a warning. In the authorise section, I have rlm_sql that selects the cleartext password from a database. The query looks like this. authorize_check_query = "SELECT AccountID, Login, 'Cleartext-Password', Password, ':=' \ from Account WHERE Login = '%{SQL-User-Name}'" } This is the rlm_sql query defined. My authorise and authenticate section looks like this. authorize { authorisation_log chap mschap sql } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } } When a PAP request comes in, just after the sql selects the password and somewhere before authenticate, I get a warning. (Unsure if the warning will appear for CHAP/MSCHAP) --------------------------------------------- [sql] expand: SELECT AccountID, Login, 'Cleartext-Password', Password, ':=' from Account WHERE Login = '%{SQL-User-Name}' -> SELECT AccountID, Login, 'Cleartext-Password', Password, ':=' from Account WHERE Login = 'test@domain.co.za' [sql] User found in radcheck table rlm_sql (sql): Released sql socket id: 1 +++[sql] returns ok ++- else else returns ok WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. User-Password in the request is correct. # Executing section post-auth from file /etc/freeradius/sites-enabled/custom +- entering group post-auth {...} ------------------------------------------------------- Do I need to concern myself with the warning? All is working fine, I was just enquisitive as to why this happens. Thanks! -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782 -------------------- Before acting on this email or opening any attachments you should read Cape PC Service's email disclaimer at: http://www.pcservices.co.za/disclaimer.html
On 21/09/11 17:11, Johan Meiring wrote:
--------------------------------------------- [sql] expand: SELECT AccountID, Login, 'Cleartext-Password', Password, ':=' [sql] User found in radcheck table rlm_sql (sql): Released sql socket id: 1 +++[sql] returns ok ++- else else returns ok WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. User-Password in the request is correct. # Executing section post-auth from file /etc/freeradius/sites-enabled/custom +- entering group post-auth {...} -------------------------------------------------------
You've trimmed the debug. Don't do that, it means we can't see what else happened.
Do I need to concern myself with the warning?
Possibly. Difficult to tell, since you trimmed the debug. It is concerning that the "authenticate {}" section doesn't appear to be run.
Johan Meiring wrote:
My authorise and authenticate section looks like this.
authorize { authorisation_log chap mschap sql
pap
}
You need the "pap" module last in the "authorize" section. It will set Auth-Type for you. In 3.0, the "Auth-Type = Local" warnings will likely go away, because the server *won't* set it. Instead, you'll just get "no Auth-Type"
Do I need to concern myself with the warning?
Yes. Use the "pap" module as noted above. See the default configuration file for why this is necessary. Alan DeKok.
On 2011/09/21 06:19 PM, Alan DeKok wrote:
Johan Meiring wrote:
My authorise and authenticate section looks like this.
authorize { authorisation_log chap mschap sql
pap
}
You need the "pap" module last in the "authorize" section. It will set Auth-Type for you.
In 3.0, the "Auth-Type = Local" warnings will likely go away, because the server *won't* set it. Instead, you'll just get "no Auth-Type"
Do I need to concern myself with the warning?
Yes. Use the "pap" module as noted above.
See the default configuration file for why this is necessary.
Hi, Thanks, makes perfect sense. Now it looks like this. ---------------------------------------------- [sql] User found in radcheck table rlm_sql (sql): Released sql socket id: 2 +++[sql] returns ok ++- else else returns ok ++[chap] returns noop ++[mschap] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/custom +- entering group PAP {...} [pap] login attempt with password "password" [pap] Using clear text password "password" [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/custom +- entering group post-auth {...} ------------------------------------ What now interests me, is how authentication worked at all previously? An invalid password WAS actually rejected, without the "pap" module showing that it is running. The only reference in the debug that showed that the password was actually checked was one of the following: User-Password in the request is correct or User-Password in the request does NOT match "known good" password. Failed to authenticate the user. Is that the "local" module? Thanks again for super support! Even paid support cannot get close to this. Cheers, -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782 -------------------- Before acting on this email or opening any attachments you should read Cape PC Service's email disclaimer at: http://www.pcservices.co.za/disclaimer.html
Johan Meiring wrote:
Thanks, makes perfect sense.
Good...
What now interests me, is how authentication worked at all previously?
Magic. :( The server core had hacks to work around legacy configurations from version 0.x. That's bad, and should be removed from the server.
Is that the "local" module?
No. It's internal hacks in the server core.
Thanks again for super support! Even paid support cannot get close to this.
Thanks. As always, good questions get good answers. Alan DeKok.
participants (3)
-
Alan DeKok -
Johan Meiring -
Phil Mayers