always received Access-Reject using mysql
dear Guru need your help on solving my problem with Authentication. I just install freeradius-server-2.1.10.tar.bz2 on FreeBSD 8.2 using MySQL 5.5 to store list of users. after I complete the installation, I tried to test it : # radtest usertest passtest localhost:1812 0 testing123 Sending Access-Request of id 180 to 127.0.0.1 port 1812 User-Name = "usertest" User-Password = "passtest" NAS-IP-Address = 10.1.1.28 NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=180, length=20 these are my table's entry : mysql> select * from radcheck; +----+----------+--------------------+----+----------+ | id | username | attribute | op | value | +----+----------+--------------------+----+----------+ | 1 | usertest | Cleartext-Password | == | passtest | +----+----------+--------------------+----+----------+ mysql> select * from radusergroup; +----------+-----------+----------+ | username | groupname | priority | +----------+-----------+----------+ | usertest | dynamic | 1 | +----------+-----------+----------+ mysql> select * from radgroupreply; +----+-----------+--------------------+----+---------------------+ | id | groupname | attribute | op | value | +----+-----------+--------------------+----+---------------------+ | 1 | dynamic | Framed-Compression | = | Van-Jacobsen-TCP-IP | | 2 | dynamic | Framed-Protocol | = | PPP | | 3 | dynamic | Service-Type | = | Framed-User | | 4 | dynamic | Framed-MTU | = | 1500 | +----+-----------+--------------------+----+---------------------+ is there something wrong with my table's entry? ------------------------------- Bogi Aditya Sisfo - IMTelkom Telkom Institute of Management http://bogi.blog.imtelkom.ac.id
Hi,
after I complete the installation, I tried to test it : # radtest usertest passtest localhost:1812 0 testing123 Sending Access-Request of id 180 to 127.0.0.1 port 1812 User-Name = "usertest" User-Password = "passtest" NAS-IP-Address = 10.1.1.28 NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=180, length=20
dont really care about this - the 'radiusd -X' output is what is needed for this list.
+----+----------+--------------------+----+----------+ | id | username | attribute | op | value | +----+----------+--------------------+----+----------+ | 1 | usertest | Cleartext-Password | == | passtest | +----+----------+--------------------+----+----------+
wrong 'op' value. change that to := rather than == alan
thanks Alan I found the problem was in the "attribute" field where I put "Cleartext-Password" based on the wiki : http://wiki.freeradius.org/SQL-HOWTO after I changed the value to just "password" it works fine now. note: I put "==" in "op" field because that was the default value mysql> desc radcheck; +-----------+------------------+------+-----+---------+----------------+ | Field | Type | Null | Key | Default | Extra | +-----------+------------------+------+-----+---------+----------------+ | id | int(11) unsigned | NO | PRI | NULL | auto_increment | | username | varchar(64) | NO | MUL | | | | attribute | varchar(64) | NO | | | | | op | char(2) | NO | | == | | | value | varchar(253) | NO | | | | +-----------+------------------+------+-----+---------+----------------+ just like the radgroupreply, where the default value is "=" mysql> desc radgroupreply; +-----------+------------------+------+-----+---------+----------------+ | Field | Type | Null | Key | Default | Extra | +-----------+------------------+------+-----+---------+----------------+ | id | int(11) unsigned | NO | PRI | NULL | auto_increment | | groupname | varchar(64) | NO | MUL | | | | attribute | varchar(64) | NO | | | | | op | char(2) | NO | | = | | | value | varchar(253) | NO | | | | +-----------+------------------+------+-----+---------+----------------+ thanks again Alan. On Sun, 27 Nov 2011 16:26:13 +0000, Alan Buxey wrote
Hi,
after I complete the installation, I tried to test it : # radtest usertest passtest localhost:1812 0 testing123 Sending Access-Request of id 180 to 127.0.0.1 port 1812 User-Name = "usertest" User-Password = "passtest" NAS-IP-Address = 10.1.1.28 NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=180, length=20
dont really care about this - the 'radiusd -X' output is what is needed for this list.
+----+----------+--------------------+----+----------+ | id | username | attribute | op | value | +----+----------+--------------------+----+----------+ | 1 | usertest | Cleartext-Password | == | passtest | +----+----------+--------------------+----+----------+
wrong 'op' value. change that to := rather than ==
alan
------------------------------- Bogi Aditya Sisfo - IMTelkom Telkom Institute of Management http://bogi.blog.imtelkom.ac.id
On Mon, Nov 28, 2011 at 8:29 AM, Bogi Aditya <bogi@imtelkom.ac.id> wrote:
thanks Alan
I found the problem was in the "attribute" field where I put "Cleartext-Password" based on the wiki : http://wiki.freeradius.org/SQL-HOWTO
The example should be correct. From http://wiki.freeradius.org/SQL-HOWTO#Populating+SQL mysql> select * from radcheck; +----+----------------+--------------------+------------------+------+ | id | UserName | Attribute | Value | Op | +----+----------------+--------------------+------------------+------+ | 1 | fredf | Cleartext-Password | wilma | := | | 2 | barney | Cleartext-Password | betty | := | | 2 | dialrouter | Cleartext-Password | dialup | := | +----+----------------+--------------------+------------------+------+ 3 rows in set (0.01 sec) Note how it uses ":=" as op?
after I changed the value to just "password" it works fine now.
It has different meaning, actually. If you use Password (or User-Password) with op "==", you're basically comparing the attribute User-Password in user request to the one in the database. It SHOULD work if the request is using PAP, but it won't work if the request is using MS-CHAPv2 (or some other authentication protocol that does not send user password as plain text in User-Password attribute). You can test it with "radtest -t mschap" (available in newer versions of FR) I highly suggest you change it to Cleartext-Password and ":=" -- Fajar
thanks Fajar I've tried : # radtest -t mschap usertest passtest localhost:1812 0 testing123 Sending Access-Request of id 13 to 127.0.0.1 port 1812 User-Name = "usertest" NAS-IP-Address = 10.1.1.28 NAS-Port = 0 MS-CHAP-Challenge = 0x7effa6d1eaf313a9 MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000d21d03024f55ebcf8c36dc84 d85ab07e2b6c828184d3f151 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=13, length=108 Framed-Compression = Van-Jacobson-TCP-IP Framed-Protocol = PPP Service-Type = Framed-User Framed-MTU = 1500 MS-CHAP-MPPE-Keys = 0x1e3efc59fb2a7c971c0de9b6d1dfe2f56b3d7d1338e5c7ee0000000000000000 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 then I change my radcheck table : mysql> select * from radcheck; +----+----------+--------------------+----+----------+ | id | username | attribute | op | value | +----+----------+--------------------+----+----------+ | 1 | usertest | Cleartext-Password | := | passtest | +----+----------+--------------------+----+----------+ and tried : # radtest -t mschap usertest passtest localhost:1812 0 testing123 Sending Access-Request of id 149 to 127.0.0.1 port 1812 User-Name = "usertest" NAS-IP-Address = 10.1.1.28 NAS-Port = 0 MS-CHAP-Challenge = 0xf13ba049100393c3 MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000733c2565a50ac6d4c28569b9 59eca8a14ef7951536c66172 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=149, length=108 Framed-Compression = Van-Jacobson-TCP-IP Framed-Protocol = PPP Service-Type = Framed-User Framed-MTU = 1500 MS-CHAP-MPPE-Keys = 0x1e3efc59fb2a7c971c0de9b6d1dfe2f56b3d7d1338e5c7ee0000000000000000 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 should I change it to "Cleartext-Password" and op=":=" when it still work with "password" and op="==" ? and why the default value is set to "==" when it suppose to be ":=" ? so sorry, this is the first time I used FreeRADIUS (all this time I use OpenLDAP for authentication) On Mon, 28 Nov 2011 09:08:26 +0700, Fajar A. Nugraha wrote
On Mon, Nov 28, 2011 at 8:29 AM, Bogi Aditya <bogi@imtelkom.ac.id> wrote:
thanks Alan
I found the problem was in the "attribute" field where I put "Cleartext-Password" based on the wiki : http://wiki.freeradius.org/SQL-HOWTO
The example should be correct. From http://wiki.freeradius.org/SQL-HOWTO#Populating+SQL
mysql> select * from radcheck; +----+----------------+--------------------+----------------- -+------+ | id | UserName | Attribute | Value | Op | +----+----------------+--------------------+--- ---------------+------+ | 1 | fredf | Cleartext- Password | wilma | := | | 2 | barney | Cleartext-Password | betty | := | | 2 | dialrouter | Cleartext-Password | dialup | := | +----+----------------+--------------------+------------------+------ + 3 rows in set (0.01 sec)
Note how it uses ":=" as op?
after I changed the value to just "password" it works fine now.
It has different meaning, actually.
If you use Password (or User-Password) with op "==", you're basically comparing the attribute User-Password in user request to the one in the database. It SHOULD work if the request is using PAP, but it won't work if the request is using MS-CHAPv2 (or some other authentication protocol that does not send user password as plain text in User-Password attribute). You can test it with "radtest -t mschap" (available in newer versions of FR)
I highly suggest you change it to Cleartext-Password and ":="
-- Fajar
------------------------------- Bogi Aditya Sisfo - IMTelkom Telkom Institute of Management http://bogi.blog.imtelkom.ac.id
On Mon, Nov 28, 2011 at 9:40 AM, Bogi Aditya <bogi@imtelkom.ac.id> wrote:
thanks Fajar
I've tried : # radtest -t mschap usertest passtest localhost:1812 0 testing123 Sending Access-Request of id 13 to 127.0.0.1 port 1812 User-Name = "usertest" NAS-IP-Address = 10.1.1.28 NAS-Port = 0 MS-CHAP-Challenge = 0x7effa6d1eaf313a9 MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000d21d03024f55ebcf8c36dc84 d85ab07e2b6c828184d3f151 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=13,
Weird. I just tested similar thing on my setup (FR-2.1.12), and got Access-Reject for both pap and mschap :)
then I change my radcheck table : mysql> select * from radcheck; +----+----------+--------------------+----+----------+ | id | username | attribute | op | value | +----+----------+--------------------+----+----------+ | 1 | usertest | Cleartext-Password | := | passtest | +----+----------+--------------------+----+----------+
and tried : # radtest -t mschap usertest passtest localhost:1812 0 testing123 Sending Access-Request of id 149 to 127.0.0.1 port 1812 User-Name = "usertest" NAS-IP-Address = 10.1.1.28 NAS-Port = 0 MS-CHAP-Challenge = 0xf13ba049100393c3 MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000733c2565a50ac6d4c28569b9 59eca8a14ef7951536c66172 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=149, length=108
At least with Cleartext-Password and ":=" we got the same result
should I change it to "Cleartext-Password" and op=":=" when it still work with "password" and op="==" ?
Definitely. My best guess at this point is your FR version is old enough to permit "password" and "==" and activate some kind of compatibility code, which didn't exist in my version. Cleartext-Password and ":=" is the correct way to specify plain text user password in current and future versions of FR. If you don't want future upgrades to break your setup, better use Cleartext-Password and ":=" Running in debug mode (radiusd -X) should help in finding out why your setup works (when it shouldn't). In my test (I'm using files instead of db), I got these WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. [files] users: Matched entry testuser at line 5 ++[files] returns ok [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [testuser] (from client localhost port 0) Here
and why the default value is set to "==" when it suppose to be ":=" ?
"==" is useful in certain cases. For example, if you want the user to ONLY be able to login from a NAS with IP address = 10.0.0.1, you could use something like this: usertest | Cleartext-Password | := | passtest | usertest | NAS-IP-Address | == | 10.0.0.1 |
so sorry, this is the first time I used FreeRADIUS
No problem
(all this time I use OpenLDAP for authentication)
Did you know you can use LDAP as backend for FR, thus allowing your users to use the same user/password combination whether they're using FR or LDAP directly? :D -- Fajar
On Mon, 28 Nov 2011 09:59:16 +0700, Fajar A. Nugraha wrote
Did you know you can use LDAP as backend for FR, thus allowing your users to use the same user/password combination whether they're using FR or LDAP directly? :D
yes, I'm fully aware of that :) but the data in OpenLDAP is based on the data in MySQL (using cron job to extract data from MySQL and add/modify the entry in OpenLDAP) so I prefer to connect freeRADIUS with MySQL directly. again, thanks Fajar ------------------------------- Bogi Aditya Sisfo - IMTelkom Telkom Institute of Management http://bogi.blog.imtelkom.ac.id
Hi,
Sending Access-Request of id 13 to 127.0.0.1 port 1812 User-Name = "usertest" NAS-IP-Address = 10.1.1.28 NAS-Port = 0 MS-CHAP-Challenge = 0x7effa6d1eaf313a9 MS-CHAP-Response =
once again, you are looking at trivial client output. look at the output of 'radiusd -X' - ie the server output and you will see. i expect you have an older version that still allows 'password ==' - which is deprecated. one day you will upgrade the server to a new version...or a work colleague will and things will just stop working. 'Cleartext-Password :=' is the correct way alan
participants (3)
-
Alan Buxey -
Bogi Aditya -
Fajar A. Nugraha