same username with different password mysql chap
I am in the process of setting up freeradius with mysql. I pretty much have everything working correctly except a issue that has come up. I am not sure if I did something wrong or this cannot be done. Here is my radcheck database +-----+----------+-----------+----+--------+-------+------------+ | id | username | attribute | op | value | PID | expires | +-----+----------+-----------+----+--------+-------+------------+ | 462 | 10295 | password | == | 912547 | 10295 | 2011-03-21 | | 463 | 10295 | password | == | 659320 | 10295 | 2011-03-21 | | 464 | 10295 | password | == | 322438 | 10295 | 2011-03-28 | | 465 | 10295 | password | == | 339410 | 10295 | 2011-04-04 | | 466 | 10295 | password | == | 987255 | 10295 | 2011-04-11 | | 467 | 10295 | password | == | 990160 | 10295 | 2011-04-18 | | 468 | 10295 | password | == | 373359 | 10295 | 2011-04-25 | | 469 | 10295 | password | == | 974781 | 10295 | 2011-05-02 | | 470 | 10295 | password | == | 121431 | 10295 | 2011-05-09 | | 471 | 10295 | password | == | 566703 | 10295 | 2011-05-16 | | 472 | 10295 | password | == | 430339 | 10295 | 2011-05-23 | +-----+----------+-----------+----+--------+-------+------------+ Here is the debug I get from radius -X using username 10295 and password 912547 Ready to process requests. rad_recv: Access-Request packet from host 192.168.99.175 port 48655, id=43, length=216 NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00:13:E8:17:C9:09" Called-Station-Id = "test1" NAS-Port-Id = "ether2" User-Name = "10295" MS-CHAP-Domain = "test" NAS-Port = 2153775123 Acct-Session-Id = "80600013" Framed-IP-Address = 10.0.100.251 Mikrotik-Host-IP = 10.0.100.251 CHAP-Challenge = 0x9a7dde24641b743604ed531068ad4662 CHAP-Password = 0x1ac903f936a5ccd7efdf337e94bd4ba958 Service-Type = Login-User WISPr-Logoff-URL = "http://10.0.100.1/logout" NAS-Identifier = "Air2Data" NAS-IP-Address = 192.168.99.175 Mikrotik-Realm = "test" # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "10295", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> 10295 [sql] sql_set_user escaped user --> '10295' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '10295' ORDER BY id WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '10295' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '10295' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = CHAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group CHAP {...} [chap] login attempt by "10295" with CHAP password [chap] Using clear text password "912547" for user 10295 authentication. [chap] Password check failed ++[chap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 10295 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.99.175 port 48655, id=43, length=216 Waiting to send Access-Reject to client hotspot port 48655 - ID: 43 Waking up in 0.6 seconds. rad_recv: Access-Request packet from host 192.168.99.175 port 48655, id=43, length=216 Waiting to send Access-Reject to client hotspot port 48655 - ID: 43 Waking up in 0.3 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 43 to 192.168.99.175 port 48655 Waking up in 4.9 seconds. Cleaning up request 0 ID 43 with timestamp +2 Ready to process requests. What am I missing in that the chap is failing the password even though it is in the mysql database? Thanks Brent
Hi,
+-----+----------+-----------+----+--------+-------+------------+ | id | username | attribute | op | value | PID | expires | +-----+----------+-----------+----+--------+-------+------------+ | 462 | 10295 | password | == | 912547 | 10295 | 2011-03-21 | ^^^^^^^^^ ^^^
thats wrong so is that the attribute should be 'Cleartext-Password' the operator should be := wonder what Doc or guide you are following? alan
Alan, I am apparently using a old guide. Made the updates to this. Still expierencing same issue +-----+----------+--------------------+----+--------+-------+------------+ | id | username | attribute | op | value | PID | expires | +-----+----------+--------------------+----+--------+-------+------------+ | 462 | 10295 | Cleartext-Password | := | 912547 | 10295 | 2011-03-21 | | 463 | 10295 | Cleartext-Password | := | 659320 | 10295 | 2011-03-21 | | 464 | 10295 | Cleartext-Password | := | 322438 | 10295 | 2011-03-28 | When I try to authenticate with any of the above the chap still ends up using the wrong username pw to verify against. Ready to process requests. rad_recv: Access-Request packet from host 192.168.99.175 port 35587, id=59, length=216 NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00:13:E8:17:C9:09" Called-Station-Id = "test1" NAS-Port-Id = "ether2" User-Name = "10295" MS-CHAP-Domain = "test" NAS-Port = 2153775135 Acct-Session-Id = "8060001f" Framed-IP-Address = 10.0.100.251 Mikrotik-Host-IP = 10.0.100.251 CHAP-Challenge = 0x16869b7cab8761381fd3e2ea56fc674a CHAP-Password = 0xdb03b44fee89561ab0a0bfdbf383f19cd8 Service-Type = Login-User WISPr-Logoff-URL = "http://10.0.100.1/logout" NAS-Identifier = "a2dtest" NAS-IP-Address = 192.168.99.175 Mikrotik-Realm = "test" # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "10295", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> 10295 [sql] sql_set_user escaped user --> '10295' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '10295' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '10295' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '10295' ORDER BY priority rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = CHAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group CHAP {...} [chap] login attempt by "10295" with CHAP password [chap] Using clear text password "566703" for user 10295 authentication. [chap] Password check failed ++[chap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 10295 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.99.175 port 35587, id=59, length=216 Waiting to send Access-Reject to client hotspot port 35587 - ID: 59 Waking up in 0.6 seconds. rad_recv: Access-Request packet from host 192.168.99.175 port 35587, id=59, length=216 Waiting to send Access-Reject to client hotspot port 35587 - ID: 59 Waking up in 0.3 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 59 to 192.168.99.175 port 35587 Waking up in 4.9 seconds. Cleaning up request 1 ID 59 with timestamp +36 Ready to process requests. Thanks Brent Hi,
+-----+----------+-----------+----+--------+-------+------------+ | id | username | attribute | op | value | PID | expires | +-----+----------+-----------+----+--------+-------+------------+ | 462 | 10295 | password | == | 912547 | 10295 | 2011-03-21 | ^^^^^^^^^ ^^^
thats wrong so is that the attribute should be 'Cleartext-Password' the operator should be := wonder what Doc or guide you are following? alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Brent Wilkinson wrote:
I am apparently using a old guide. Made the updates to this. Still expierencing same issue
+-----+----------+--------------------+----+--------+-------+------------+ | id | username | attribute | op | value | PID | expires | +-----+----------+--------------------+----+--------+-------+------------+ | 462 | 10295 | Cleartext-Password | := | 912547 | 10295 | 2011-03-21 | | 463 | 10295 | Cleartext-Password | := | 659320 | 10295 | 2011-03-21 | | 464 | 10295 | Cleartext-Password | := | 322438 | 10295 | 2011-03-28 |
This is very wrong. A user has one password, and only one password.
Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.99.175 port 35587, id=59, length=216 Waiting to send Access-Reject to client hotspot port 35587 - ID: 59 Waking up in 0.6 seconds. rad_recv: Access-Request packet from host 192.168.99.175 port 35587, id=59, length=216 Waiting to send Access-Reject to client hotspot port 35587 - ID: 59 Waking up in 0.3 seconds.
And this is very wrong, too. The RADIUS client shouldn't send another 2 retransmissions in the same second. It's broken, and needs to be fixed before it's usable in a real-world environment. Alan DeKok.
participants (3)
-
Alan Buxey -
Alan DeKok -
Brent Wilkinson