v3, passwords, and auth-type
I'm trying to get v3.0.9 working and running into something that seems mutually exclusive: PAP seems to require Cleartext-Password and then complain that it's not getting User-Password? Also, and probably more important, it seems to be ignoring my Auth-Type Local configuration.... excerpt from site file: authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. Auth-Type PAP { pap } Auth-Type Local { pap } Relevant sections from debug output in the different cases: With Cleartext-Password and Auth-Type Local: (0) [sql] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: Auth-Type already set. Not setting to PAP (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = Local (0) Auth-Type sub-section not found. Ignoring. With Cleartext-Password and Auth-Type PAP: (1) [sql] = ok (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = ok (1) Found Auth-Type = PAP (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/peak (1) Auth-Type PAP { (1) pap: ERROR: You set 'Auth-Type = PAP' for a request that does not contain a User-Password attribute! (1) [pap] = invalid (1) } # Auth-Type PAP = invalid (1) Failed to authenticate the user (1) Using Post-Auth-Type Reject With User-Password and Auth-Type PAP: (4) [sql] = ok (4) [expiration] = noop (4) [logintime] = noop (4) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (4) pap: WARNING: !!! Ignoring control:User-Password. Update your !!! (4) pap: WARNING: !!! configuration so that the "known good" clear text !!! (4) pap: WARNING: !!! password is in Cleartext-Password and NOT in !!! (4) pap: WARNING: !!! User-Password. !!! (4) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (4) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (4) pap: WARNING: Authentication will fail unless a "known good" password is available (4) [pap] = noop (4) } # authorize = ok (4) Found Auth-Type = PAP (4) # Executing group from file /usr/local/etc/raddb/sites-enabled/peak (4) Auth-Type PAP { (4) pap: Login attempt with password (4) pap: No password configured for the user. Cannot do authentication (4) [pap] = fail (4) } # Auth-Type PAP = fail (4) Failed to authenticate the user (4) Using Post-Auth-Type Reject
On 19 Nov 2015, at 16:49, Alan Batie <alan@peak.org> wrote:
I'm trying to get v3.0.9 working and running into something that seems mutually exclusive: PAP seems to require Cleartext-Password and then complain that it's not getting User-Password?
That's request:User-Password, and control:Cleartext-Password. i.e. User-Password must be present in the request, and Cleartext-Password must be present in the control list, looked up from something like the users file or sql. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 11/19/15 1:52 PM, Arran Cudbard-Bell wrote:
That's request:User-Password, and control:Cleartext-Password.
i.e. User-Password must be present in the request, and Cleartext-Password must be present in the control list, looked up from something like the users file or sql.
Thanks, that got it working with Auth-Type PAP, though I'm still puzzled why it didn't think I had an Auth-Type Local...but whatever works ;-)
On Nov 19, 2015, at 4:49 PM, Alan Batie <alan@peak.org> wrote:
I'm trying to get v3.0.9 working and running into something that seems mutually exclusive: PAP seems to require Cleartext-Password and then complain that it's not getting User-Password? Also, and probably more important, it seems to be ignoring my Auth-Type Local configuration....
Because you shouldn't have Auth-Type Local. The default configuration doesn't have it. It's not needed.
excerpt from site file:
So... why did you edit it to add Auth-Type Local?
With Cleartext-Password and Auth-Type Local:
And.... you don't show the *relevant* portions of the debug output. i.e. the portions where it shows the incoming packet.
(0) [sql] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: Auth-Type already set. Not setting to PAP (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = Local
You're forcing Auth-Type = Local. Why? Don't do that. It's wrong. The default configuration doesn't have it. It's not needed.
(0) Auth-Type sub-section not found. Ignoring.
With Cleartext-Password and Auth-Type PAP:
(1) [sql] = ok (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: Auth-Type already set. Not setting to PAP
The automatic system isn't working ...
(1) [pap] = noop (1) } # authorize = ok (1) Found Auth-Type = PAP
... because *you* forced Auth-Type = PAP. Why?
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/peak (1) Auth-Type PAP { (1) pap: ERROR: You set 'Auth-Type = PAP' for a request that does not contain a User-Password attribute!
Again, *you* broke the server. Don't do that.
(1) [pap] = invalid (1) } # Auth-Type PAP = invalid (1) Failed to authenticate the user (1) Using Post-Auth-Type Reject
With User-Password and Auth-Type PAP:
(4) [sql] = ok (4) [expiration] = noop (4) [logintime] = noop (4) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (4) pap: WARNING: !!! Ignoring control:User-Password. Update your !!! (4) pap: WARNING: !!! configuration so that the "known good" clear text !!! (4) pap: WARNING: !!! password is in Cleartext-Password and NOT in !!! (4) pap: WARNING: !!! User-Password. !!! (4) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
That should be pretty clear. Why not follow the instructions that are in front of you? a) don't force Auth-Type. It's almost always wrong. b) delete the "Auth-Type Local" block. c) yes, DON'T FORCE AUTH-TYPE. Delete it from ALL databases, configurations, etc. d) follow the instructions in the big warnings for packet (4) above. It shouldn't be hard. Put the "known good" password into control:Cleartext-Password. Change almost nothing else. The server *will* figure out how to authenticate the user. It looks like you've followed some crappy third-party guide from 2005. Don't do that. Nearly all of them are wrong and outdated. The default configuration *works*. PLEASE don't destroy it unless you know what you're doing. Alan DeKok.
participants (3)
-
Alan Batie -
Alan DeKok -
Arran Cudbard-Bell