I set up FreeRadius/MySQL and ChilliSpot and created a test user with the included DialupAdmin. I then connected to the server radius nic and was directed to the login page and typed my username and password and was rejected. I then went to the DialupAdmin user edit and checked the password and it failed, so I changed the password and the PW check failed again. I even tried a new user and had the same problem. Everything else seems to be working correctly. What could the problem be? Could the password DB be missing in MySQL? How do I check? I'm a noob to all of this (FreeRadius, MySQL) but not to linux. I have it installed on gentoo if that makes any difference. I also tried directly inserting a user into the DB with mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('lawrence', 'Password', 'le'); Query OK, 1 row affected (0.00 sec) and had the same problem Thanks for your help, Lawrence Shafer
Lawrence Shafer <detroit371@gmail.com> wrote:
Everything else seems to be working correctly. What could the problem be?
Run the server in debugging mode as suggested in the FAQ, README, INSTALL, and pretty much daily on this list. Alan DeKok.
Here is the last part of the debug. If you need it all let me know I don't see anything wrong, but maybe you do. Am I using the wrong kind of authentication (rlm_chap: Setting 'Auth-Type := CHAP')? Thanks! Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:32776, id=0, length=221 User-Name = "DieselPower" CHAP-Challenge = 0x8a48d3d9bdb659ba0bed5f031c365f74 CHAP-Password = 0x00337bb6643f5c92261d9a81ecf5d77bd0 NAS-IP-Address = 0.0.0.0 Service-Type = Login-User Framed-IP-Address = 192.168.182.4 Calling-Station-Id = "00-30-18-A9-76-D4" Called-Station-Id = "00-30-48-11-5C-7A" NAS-Identifier = "nas01" Acct-Session-Id = "44bfa66700000000" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Message-Authenticator = 0x761aa662eaf93c4e3084eb64fd1ccbf7 WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_chap: Setting 'Auth-Type := CHAP' modcall[authorize]: module "chap" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "DieselPower", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 0 radius_xlat: 'DieselPower' rlm_sql (sql): sql_set_user escaped user --> 'DieselPower' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'DieselPower' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DieselPower' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'DieselPower' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'DieselPower' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type CHAP auth: type "CHAP" Processing the authenticate section of radiusd.conf modcall: entering group CHAP for request 0 rlm_chap: login attempt by "DieselPower" with CHAP password rlm_chap: Using clear text password $1$Ly5C4QTC$dnbsOEpNSMzGQA8XPNi/B/ for user DieselPower authentication. rlm_chap: Pasword check failed modcall[authenticate]: module "chap" returns reject for request 0 modcall: leaving group CHAP (returns reject) for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... rad_recv: Access-Request packet from host 127.0.0.1:32776, id=0, length=221 Sending Access-Reject of id 0 to 127.0.0.1 port 32776 Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 0 with timestamp 44bfa6a1 Nothing to do. Sleeping until we see a request. Alan DeKok wrote:
Lawrence Shafer <detroit371@gmail.com> wrote:
Everything else seems to be working correctly. What could the problem be?
Run the server in debugging mode as suggested in the FAQ, README, INSTALL, and pretty much daily on this list.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Lawrence Shafer <detroit371@gmail.com> wrote:
Here is the last part of the debug. If you need it all let me know I don't see anything wrong, but maybe you do. Am I using the wrong kind of authentication (rlm_chap: Setting 'Auth-Type := CHAP')? Thanks!
No. You have crypt'd passwords, and haven't told the server they're crypted passwords. On top of that, you're using CHAP with crypted passwords. So even if you *did* tell the server they were crypted, it would be impossible to authenticate the user. Alan DeKok.
Sorry for being such a noob, but what type of auth should I use? I'm going to go read the man to find out how to tell it to use crypted passwords... unless anyone feels like giving me a pointer:) The howto I used must have been a bad one. Thanks -- View this message in context: http://www.nabble.com/Password--Problem-tf1975280.html#a5438460 Sent from the FreeRadius - User forum at Nabble.com.
Alan DeKok wrote:
Lawrence Shafer <detroit371@gmail.com> wrote:
Here is the last part of the debug. If you need it all let me know I don't see anything wrong, but maybe you do. Am I using the wrong kind of authentication (rlm_chap: Setting 'Auth-Type := CHAP')? Thanks!
No. You have crypt'd passwords, and haven't told the server they're crypted passwords.
On top of that, you're using CHAP with crypted passwords. So even if you *did* tell the server they were crypted, it would be impossible to authenticate the user.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I Do not understand how to set this up for chillispot. How do I tell the server the passwords are crypted? And if I shouldn't use CHAP, what should I use, and how do I change it? I can't seem to get my head wrapped around the man at the minute. Sorry for being a noob, but this is my first adventure with any kind of radius... Thanks, Lawrence Shafer
Lawrence Shafer <detroit371@gmail.com> wrote:
I Do not understand how to set this up for chillispot. How do I tell the server the passwords are crypted?
You already have. And that makes CHAP impossible.
And if I shouldn't use CHAP, what should I use, and how do I change it? I can't seem to get my head wrapped around the man at the minute.
The client chooses CHAP. If the client is chillispot, maybe you can fix it. If the client is a desktop, it's probably very difficult to fix it. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok wrote:
Lawrence Shafer <detroit371@gmail.com> wrote:
I Do not understand how to set this up for chillispot. How do I tell the server the passwords are crypted?
You already have. And that makes CHAP impossible.
And if I shouldn't use CHAP, what should I use, and how do I change it? I can't seem to get my head wrapped around the man at the minute.
The client chooses CHAP. If the client is chillispot, maybe you can fix it. If the client is a desktop, it's probably very difficult to fix it.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I think it is not chillispot, because I can change the password in dialupadmin, and then check password (in dialupadmin) and it says "NO It is wrong". How can I change the system to clear-text passwords? Or does it sound like a MySQL problem? Thanks, Lawrence Shafer
Lawrence Shafer <detroit371@gmail.com> wrote:
I think it is not chillispot, because I can change the password in dialupadmin, and then check password (in dialupadmin) and it says "NO It is wrong". How can I change the system to clear-text passwords? Or does it sound like a MySQL problem?
It sounds like dialupadmin is configured to store crypt'd passwords. Change that, and then delete & re-enter all of the passwords. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok wrote:
Lawrence Shafer <detroit371@gmail.com> wrote:
I think it is not chillispot, because I can change the password in dialupadmin, and then check password (in dialupadmin) and it says "NO It is wrong". How can I change the system to clear-text passwords? Or does it sound like a MySQL problem?
It sounds like dialupadmin is configured to store crypt'd passwords.
Change that, and then delete & re-enter all of the passwords.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Cool!! That fixed the problem in dialupadmin! Thanks! But now it is trying to use auth: type "System" instead of "sql" when I try to log in through chillispots web interface. So off to more problem chasing!
I Do not understand how to set this up for chillispot. How do I tell the server the passwords are crypted? And if I shouldn't use CHAP, what should I use, and how do I change it? I can't seem to get my head wrapped around the man at the minute. Sorry for being a noob, but this is my first adventure with any kind of radius... Speaking as another noob, I have just got Chillispot running on a WRT54G accessing Freeradius and MySQL. Everything is fairly default, but some things to check :- 1. In the MySQL database do you have the Attribute set to Password and not something else, for example "11 usernamehere PASSWORD == passwordhere" 2. In Freeradius users file DEFAULT Auth-Type := Local 3. This bit of your debug suggests a formatting issue :- "rlm_realm: No '@' in User-Name = "DieselPower", looking up realm NULL rlm_realm: No such realm "NULL" " 4. A succesful output from my FreeRADIUS responding to a Chillispot request is below (I commented out some of the group checking stuff while debugging so there are some non-relevant errors below. HTH) Phil --------- Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 10.0.0.30:2053, id=0, length=215 User-Name = "scary" CHAP-Challenge = ")`\0350\2457`\247\345F3JZ\n\215\270" CHAP-Password = 0x002f73a3f12fbe98bfc3f9dacdf3743ebc NAS-IP-Address = 0.0.0.0 Service-Type = Login-User Framed-IP-Address = 192.168.182.6 Calling-Station-Id = "00-11-50-14-FF-73" Called-Station-Id = "00-16-B6-18-4C-14" NAS-Identifier = "nas01" Acct-Session-Id = "386e3c4800000000" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Message-Authenticator = 0xdd47eea55b9dd9461970ca8444f074c8 Attr-925499395 = "http://192.168.182.1:3990/logoff" modcall: entering group authorize modcall[authorize]: module "preprocess" returns ok modcall[authorize]: module "suffix" returns ok radius_xlat: 'scary' sql_escape in: 'scary' sql_escape out: 'scary' sql_set_user: escaped user --> 'scary' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'scary' ORDER BY id' rlm_sql: Reserving sql socket id: 4 radius_xlat: '' MYSQL Error: Cannot get result MYSQL Error: Query was empty rlm_sql_getvpdata: database query error radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'scary' ORDER BY id' radius_xlat: '' MYSQL Error: Cannot get result MYSQL Error: Query was empty rlm_sql_getvpdata: database query error radius_xlat: 'SELECT Value,Attribute FROM radcheck WHERE UserName = 'scary' AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC' rlm_sql: Released sql socket id: 4 modcall[authorize]: module "sql" returns ok users: Matched DEFAULT at 152 modcall[authorize]: module "files" returns ok modcall: group authorize returns ok rad_check_password: Found Auth-Type Local auth: type Local auth: user supplied CHAP-Password matches local User-Password Sending Access-Accept of id 0 to 10.0.0.30:2053 Finished request 17 Going to the next request ----- a bit to do, I got it working first and learned about it, so will move to the current version whenI rebuild it properly. it does at least authenticate :-) I found dialupadmin to cause more problems than solutions the first time, so I went for pHpMyAdmin to put values into the tables, I'm aware that some of them are blank and generating warnings. Phil -- View this message in context: http://www.nabble.com/Password--Problem-tf1975280.html#a5647072 Sent from the FreeRadius - User forum at Nabble.com.
PhilT <phil@yarwell.demon.co.uk> wrote:
1. In the MySQL database do you have the Attribute set to Password and not something else, for example "11 usernamehere PASSWORD == passwordhere" 2. In Freeradius users file DEFAULT Auth-Type := Local
NO. Do NOT SET THAT. It's NOT NECESSARY. That point has been repeated again and again on this list. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok wrote:
PhilT <phil@yarwell.demon.co.uk> wrote:
1. In the MySQL database do you have the Attribute set to Password and not something else, for example "11 usernamehere PASSWORD == passwordhere" 2. In Freeradius users file DEFAULT Auth-Type := Local
NO. Do NOT SET THAT. It's NOT NECESSARY.
That point has been repeated again and again on this list.
So many times in fact that I reckon you should add a config item that has to be set to a particular value: yes_i_understand_auth_type_and_am_prepared_to_accept_the = consequences </irony>
Phil Mayers <p.mayers@imperial.ac.uk> wrote:
So many times in fact that I reckon you should add a config item that has to be set to a particular value:
yes_i_understand_auth_type_and_am_prepared_to_accept_the = consequences
<g> Or, in 2.0, simply re-name it to something else, and don't include a definition for Auth-Type at all. That's *horribly* unfriendly to people, but it's a thought. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
I've got <mssql.conf> read_groups = yes but the rlm_sql module does not process the groups. The user is found in radcheck and the check items (password) does match... and I do NOT have "Fall-Through" = yes in the radreply ... as per docs... (3d) 3. Group processing then begins if any of the following conditions are met: a. The user IS NOT found in radcheck b. The user IS found in radcheck, but the check items don't match c. The user IS found in radcheck, the check items DO match AND Fall-Through is set in the radreply table d. The user IS found in radcheck, the check items DO match AND the read_groups directive is set to 'yes' Am I doing something wrong here? If I have Fall-Through = yes then everything works as per docs (3c) But 3d does not say that Fall-Through has to be yes Alan?
participants (7)
-
Alan DeKok -
Alan DeKok -
DieselPower -
Duane Cox -
Lawrence Shafer -
Phil Mayers -
PhilT