Problem with MD5 Authentication and PAP
Hi, I am running Freeradius 1.1.4, MySQL, MD5, and PAP. For some reason, I cannot get authenticated using MD5 and PAP. The logins keep failing, and the logs says that I do not have a password set. When I use crypt and clear as the encryption schemes, I am able to get authenticated. The problem is that I am getting an md5 feed, so I have to use MD5. Can someone please help me figure out what I am doing wrong? Please let me know if other information is needed. Another weird thing is when I have PAP and MD5 set, and I do not have a radgroupcheck entry for my group, I can get authenticated by putting the MD5 Hash as my password. For example, if my MD5 hash was "abcd…", I would have to use "abcd…" as my password, and I would get an access-accept. #######Radiusd.conf######### modules{ pap { encryption_scheme = md5 } } authorize { preprocess auth_log sql } authenticate { Auth-Type PAP { pap } } ####### radcheck table entry ######### +----+----------+-----------+----+----------------------------------+ | id | UserName | Attribute | op | Value | +----+----------+-----------+----+----------------------------------+ | 36 | stryker8 | Password | := | 5f4dcc3b5aa765d61d8327deb882cf99 | +----+----------+-----------+----+----------------------------------+ ####### radreply table entry ######### +----+----------+-----------+----+----------------+ | id | UserName | Attribute | op | Value | +----+----------+-----------+----+----------------+ | 36 | stryker8 | Class | = | OU=utnet-staff | +----+----------+-----------+----+----------------+ ####### radgroupcheck table entry ######### +----+-------------+-----------+----+-------+ | id | GroupName | Attribute | op | Value | +----+-------------+-----------+----+-------+ | 8 | utnet-staff | Auth-Type | := | PAP | +----+-------------+-----------+----+-------+ ####### radiusd –X log ######### rad_recv: Access-Request packet from host 128.83.135.171:3335, id=5, length=48 User-Name = "stryker8" User-Password = "password" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 radius_xlat: '/var/log/radius/radacct/128.83.135.171/auth-detail-20071109' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/128.83.135.171/auth-detail-20071109 modcall[authorize]: module "auth_log" returns ok for request 1 radius_xlat: 'stryker8' rlm_sql (sql): sql_set_user escaped user --> 'stryker8' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'stryker8' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 3 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'stryker8' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'stryker8' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'stryker8' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'stryker8' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'stryker8' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'stryker8' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'stryker8' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 3 modcall[authorize]: module "sql" returns ok for request 1 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 1 modcall: group authorize returns ok for request 1 rad_check_password: Found Auth-Type PAP auth: type "PAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 1 rlm_pap: login attempt with password password rlm_pap: No password configured for the user. Cannot do authentication modcall[authenticate]: module "pap" returns fail for request 1 modcall: group Auth-Type returns fail for request 1 auth: Failed to validate the user. Login incorrect: [stryker8] (from client JW-Client port 0) -------- Also, since I am running 1.1.4, I tried using the auto-header in PAP, instead of the encryption_scheme. I set auto_header = yes in the pap module in radiusd.conf I set my Attribute to "MD5-Password" in the radcheck table. I added "pap" to the end of the Authorize Module in radiusd.conf I get the following error: radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'stryker8' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 2 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'stryker8' ORDER BY id rlm_sql: Failed to create the pair: Unknown attribute "MD5-Password" rlm_sql (sql): Error getting data from database rlm_sql (sql): SQL query error; rejecting user rlm_sql (sql): Released sql socket id: 2 modcall[authorize]: module "sql" returns fail for request 2 modcall: group authorize returns fail for request 2 There was no response configured: rejecting request 2 Server rejecting request 2. Thanks for your help in advance! Jonathan
Jonathan Wong wrote:
I am running Freeradius 1.1.4, MySQL, MD5, and PAP.
Upgrade to 1.1.7.
Another weird thing is when I have PAP and MD5 set, and I do not have a radgroupcheck entry for my group, I can get authenticated by putting the MD5 Hash as my password. For example, if my MD5 hash was "abcd…", I would have to use "abcd…" as my password, and I would get an access-accept.
Because it's not processing the password as an MD5 hash. It's processing the password as a text string. Upgrade to 1.1.7, and make sure you have the *correct* configuration for the "pap" module. There are some new configuration items, so go read the comments in radiusd.conf. Also make sure that "pap" is listed *last* in the "authorize" section, just like with the default radiusd.conf in 1.1.7. Then, update your DB:
+----+----------+-----------+----+----------------------------------+
| 36 | stryker8 | Password | := | 5f4dcc3b5aa765d61d8327deb882cf99 |
+----+----------+-----------+----+----------------------------------+
Change "Password" to "MD5-Password".
rlm_sql: Failed to create the pair: Unknown attribute "MD5-Password"
You upgraded to 1.1.4 from an older version, and aren't using the new dictionaries. Alan DeKok.
Thanks for the fast reply. Out of curiosity, why is it processing the password as a text string and not an MD5 hash? Was my radiusd.conf setting misconfigured? Or was there a bug in the 1.1.4 release? In any case, I will upgrade my version and my dictionaries. Thanks! Jonathan -----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Saturday, November 10, 2007 12:37 AM To: FreeRadius users mailing list Subject: Re: Problem with MD5 Authentication and PAP Jonathan Wong wrote:
I am running Freeradius 1.1.4, MySQL, MD5, and PAP.
Upgrade to 1.1.7.
Another weird thing is when I have PAP and MD5 set, and I do not have a radgroupcheck entry for my group, I can get authenticated by putting the MD5 Hash as my password. For example, if my MD5 hash was "abcd...", I would have to use "abcd..." as my password, and I would get an access-accept.
Because it's not processing the password as an MD5 hash. It's processing the password as a text string. Upgrade to 1.1.7, and make sure you have the *correct* configuration for the "pap" module. There are some new configuration items, so go read the comments in radiusd.conf. Also make sure that "pap" is listed *last* in the "authorize" section, just like with the default radiusd.conf in 1.1.7. Then, update your DB:
+----+----------+-----------+----+----------------------------------+
| 36 | stryker8 | Password | := | 5f4dcc3b5aa765d61d8327deb882cf99 |
+----+----------+-----------+----+----------------------------------+
Change "Password" to "MD5-Password".
rlm_sql: Failed to create the pair: Unknown attribute "MD5-Password"
You upgraded to 1.1.4 from an older version, and aren't using the new dictionaries. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Wong, Jonathan wrote:
Thanks for the fast reply. Out of curiosity, why is it processing the password as a text string and not an MD5 hash?
No idea, sorry. I don't spend a lot of time on configurations that don't work. The default configuration works, so I use it.
Was my radiusd.conf setting misconfigured? Or was there a bug in the 1.1.4 release? In any case, I will upgrade my version and my dictionaries.
In 1.1.4 and later, the "pap" module should not be used with "encryption_scheme". See "man rlm_pap" for details. Alan DeKok.
participants (3)
-
Alan DeKok -
Jonathan Wong -
Wong, Jonathan