Cleartext-Password with rlm_sql problem
Hi, I just upgraded my freeradius 1.1.3 to 1.1.5, which I am using with a MySQL db for storing users password. I did a diff from original 1.1.3 raddb vs my modified raddb and applied it to 1.1.5 raddb. All worked fine. After that I see in the users file that User-Password was replaced with Cleartext-Password, so I replaced in the radcheck all "User-Password" with "Cleartext-Password": after doing that, my users can't no more authenticate. I get this in radius.log: Tue Apr 3 12:29:35 2007 : Info: rlm_sql (sql_main): No matching entry in the database for request from user [user1] Tue Apr 3 12:29:35 2007 : Info: rlm_eap_mschapv2: Issuing Challenge Tue Apr 3 12:29:35 2007 : Info: rlm_sql (sql_main): No matching entry in the database for request from user [user1] Tue Apr 3 12:29:35 2007 : Auth: Login incorrect: [user1@mydomain] (from client localhost port 29) Tue Apr 3 12:29:35 2007 : Auth: Login incorrect: [user1@mydomain] (from client ap-1 port 29) Backing to "User-Password" worked again. What wrong? Is it correct to replace "User-Password" to "Cleartext-Password" with users in a MySQL db, as done in users file? Thanks
Fabio Pedretti wrote:
After that I see in the users file that User-Password was replaced with Cleartext-Password, so I replaced in the radcheck all "User-Password" with "Cleartext-Password": after doing that, my users can't no more authenticate. I get this in radius.log:
You should check the operator, too. Change it to ":=".
What wrong? Is it correct to replace "User-Password" to "Cleartext-Password" with users in a MySQL db, as done in users file?
Yes, it's correct, but you have to use ":=". Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Thanks, it works fine, now. May ask you what is the rationale behind the change from "==" to ":="? Wasn't ":=" used for _setting_ something, while "==" for _checking_ parameters? Thanks, Fabio Citando Alan DeKok <aland@deployingradius.com>:
Fabio Pedretti wrote:
After that I see in the users file that User-Password was replaced with Cleartext-Password, so I replaced in the radcheck all "User-Password" with "Cleartext-Password": after doing that, my users can't no more authenticate. I get this in radius.log:
You should check the operator, too. Change it to ":=".
What wrong? Is it correct to replace "User-Password" to "Cleartext-Password" with users in a MySQL db, as done in users file?
Yes, it's correct, but you have to use ":=".
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Fabio Pedretti wrote:
Thanks, it works fine, now.
May ask you what is the rationale behind the change from "==" to ":="? Wasn't ":=" used for _setting_ something, while "==" for _checking_ parameters?
Yes and no. See "man users" for details. "==" is comparing. Since there's no Cleartext-Password in the request, you can't use "==". Also, in CHAP, MS-CHAP, and EAP, there's no User-Password either, so you can't use "User-Password == ..." The solution is to use "Cleartext-Password := ..." That says "remember that the known good password is ...". The server then figures out how to use that known good password to authenticate users. See "man rlm_pap". It's pointed to from the README and elsewhere. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Fabio Pedretti