To all, I am finally attempting to upgrade from version 1.1.3 to 1.1.5 and have encountered an issue when attempting to use pap to authenticate users with the new auto_header feature. The Cisco NAS I have used over the past three years has always sent the user password to FreeRADIUS in clear-text, and then I would have encryption_scheme set to MD5 to compare the sent password to the MD5 value in the database. This no longer seems to work, as FreeRADIUS seems to be attempting to compare the clear-text password with the MD5 password returned from the database. I'm guessing it's an oversight on my end, and wanted to see if anyone on this list noticed anything. I have included portions of my radiusd.conf and users files which are pertinent to this issue. users //---------- DEFAULT NAS-IP-Address == "192.168.1.1", Autz-Type := sql1 DEFAULT NAS-IP-Address == "192.168.2.1", Autz-Type := sql2 radiusd.conf //---------- modules { pap { auto_header = yes } } authorize { preprocess autztype sql1 { sql } autztype sql2 { sql2 } files pap } authenticate { Auth-Type PAP { pap } } rad_recv: Access-Request packet from host 192.168.1.1:32805, id=3, length=70 User-Name = "test.user" User-Password = "testpassword" CVPN3000-Auth-Server-Priority = 2 NAS-IP-Address = 192.168.1.1 NAS-Port-Type = Virtual Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 users: Matched entry DEFAULT at line 151 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 Found Autz-Type sql1 Processing the authorize section of radiusd.conf modcall: entering group sql1 for request 0 radius_xlat: 'test.user' rlm_sql (sql): sql_set_user escaped user --> 'test.user' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE UserName = '265100' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 9 radius_xlat: '' radius_xlat: '' radius_xlat: '' rlm_sql (sql): Released sql socket id: 9 modcall[authorize]: module "sql" returns ok for request 0 modcall: leaving group sql1 (returns ok) for request 0 auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. Login incorrect: [test.user/testpassword] (from client 192.168.1.1 port 0) Delaying request 0 for 2 seconds Finished request 0 Thanks in advance, Chris DeRamus HQ VPN Administrator SAIC
Deramus, Chris wrote:
This no longer seems to work, as FreeRADIUS seems to be attempting to compare the clear-text password with the MD5 password returned from the database. I'm guessing it's an oversight on my end, and wanted to see if anyone on this list noticed anything. I have included portions of my radiusd.conf and users files which are pertinent to this issue.
Can you post what's in your SQL database? i.e. attribute name, operator, and value. I suspect that the contents of the User-Password are the MD5 hash, rather than the {md5} header followed by the MD5 hash. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan, Thanks so much for the response, I wasn't aware that the (md5) header needed to be in the database. The requested information is below: UserName Attribute Value op test.user Password c1dd8z473d9gf5c13b0d89b32d15333 := -----Original Message----- From: freeradius-users-bounces+chris.deramus=hq.doe.gov@lists.freeradius.org [mailto:freeradius-users-bounces+chris.deramus=hq.doe.gov@lists.freeradi us.org] On Behalf Of Alan DeKok Sent: Tuesday, March 20, 2007 5:43 AM To: FreeRadius users mailing list Subject: Re: Issues with rlm_pap Deramus, Chris wrote:
This no longer seems to work, as FreeRADIUS seems to be attempting to compare the clear-text password with the MD5 password returned from the database. I'm guessing it's an oversight on my end, and wanted to see if anyone on this list noticed anything. I have included portions of my radiusd.conf and users files which are pertinent to this issue.
Can you post what's in your SQL database? i.e. attribute name, operator, and value. I suspect that the contents of the User-Password are the MD5 hash, rather than the {md5} header followed by the MD5 hash. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Deramus, Chris wrote:
Thanks so much for the response, I wasn't aware that the (md5) header needed to be in the database.
See the README && the comments above the "pap" section in radiusd.conf. They say to read "man rlm_pap", which explains this. If you don't want to update the "value" field to add {md5}, you can change the attribute name to MD5-Password. If you don't want to do either, change the PAP configuration back to what you had in 1.1.3. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Deramus, Chris