huntgroups are failing auth - missing Chap Password
FreeRADIUS Version 1.1.7 I am using the FreeRADIUS.net Windows version of the software. at least for the time being. I am trying to set up a very basic single user account for a very specific purpose and have created the account as follows. hunttest User-Password == "hunttest", Huntgroup-Name == "hunttest" My huntgroups file has a huntgroup called hunttest with a single NAS IP Address listed as follows. public NAS-IP-Address == 10.252.9.2 when the user huntest attempts to authenticate it fails. My RADIUS Log shows the following entry. Wed May 7 15:07:25 2008 : Auth: Login incorrect (rlm_chap: Clear text password not available): [hunttest/<CHAP-Password>] (from client NAS04 port 5 cli 00-1E-8C-0E-8E-70) Wed May 7 15:07:25 2008 : Auth: Login incorrect (rlm_chap: Clear text password not available): [hunttest/<CHAP-Password>] (from client NAS04 port 5 cli 00-1E-8C-0E-8E-70) Can some one tell me what is wrong. I am simply trying to create a config that will allow the user hunttest to authenticate only if the request comes from the client NAS04. Perhaps a huntgroup is not the best way to do this.
Read instructions in users file about which password attribute should you be using. User-Password is wrong for 1.1.7. Ivan Kalik Kalik Informatika ISP Dana 14/9/2007, "Terry Pelley" <Terry.Pelley@ocdsb.ca> piše:
FreeRADIUS Version 1.1.7
I am using the FreeRADIUS.net Windows version of the software. at least for the time being.
I am trying to set up a very basic single user account for a very specific purpose and have created the account as follows.
hunttest User-Password == "hunttest", Huntgroup-Name == "hunttest"
My huntgroups file has a huntgroup called hunttest with a single NAS IP Address listed as follows.
public NAS-IP-Address == 10.252.9.2
when the user huntest attempts to authenticate it fails. My RADIUS Log shows the following entry.
Wed May 7 15:07:25 2008 : Auth: Login incorrect (rlm_chap: Clear text password not available): [hunttest/<CHAP-Password>] (from client NAS04 port 5 cli 00-1E-8C-0E-8E-70) Wed May 7 15:07:25 2008 : Auth: Login incorrect (rlm_chap: Clear text password not available): [hunttest/<CHAP-Password>] (from client NAS04 port 5 cli 00-1E-8C-0E-8E-70)
Can some one tell me what is wrong. I am simply trying to create a config that will allow the user hunttest to authenticate only if the request comes from the client NAS04. Perhaps a huntgroup is not the best way to do this.
Hi everybody: I am installing a lab test server with Freeradius 2.0.4 with all the authentication installed: CHAP, PAP, EAP and authorization over MySQL, users, system, and LDAP. I installed it in the few last days and I have everything working now, but as I was testing it, I could notice a bug. I created users in every DB and file all of them with own password and user entries. When I was testing with radtest ALL worked fine, but I noticed that ONLY with PAP authentication and MySQL user it doesn't matter if I put a clear password in radtest larger than the original one I get an Access-Accept message. Example: radtest papsqluser papsecret localhost 0 testing123 Access-Accept radtest papsqluser papsecret43343 localhost 0 testing123 Access-Accept
radiusd -X Ivan Kalik Kalik Informatika ISP Dana 9/5/2008, "Yago Fdez. Hansen" <sti@soportec.com> piše:
Hi everybody:
I am installing a lab test server with Freeradius 2.0.4 with all the authentication installed: CHAP, PAP, EAP and authorization over MySQL, users, system, and LDAP.
I installed it in the few last days and I have everything working now, but as I was testing it, I could notice a bug. I created users in every DB and file all of them with own password and user entries. When I was testing with radtest ALL worked fine, but I noticed that ONLY with PAP authentication and MySQL user it doesn't matter if I put a clear password in radtest larger than the original one I get an Access-Accept message.
Example:
radtest papsqluser papsecret localhost 0 testing123 Access-Accept
radtest papsqluser papsecret43343 localhost 0 testing123 Access-Accept
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yes sorry: With debug I noticed I was not very exact in my explanation. It was Crypt-Password algorithm problem: First authentication: root@radius1:~# radtest papsqluser papsecret localhost 0 testing123 Sending Access-Request of id 144 to 127.0.0.1 port 1812 User-Name = "papsqluser" User-Password = "papsecret" NAS-IP-Address = 192.168.1.100 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=144, length=20 root@radius1:~# freeradius -X FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on May 8 2008 at 09:16:48 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including configuration file /etc/freeradius/snmp.conf including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/sql.conf including configuration file /etc/freeradius/sql/mysql/dialup.conf including configuration file /etc/freeradius/sql/mysql/counter.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/freeradius/freeradius.pid" user = "freerad" group = "freerad" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { require_message_authenticator = no secret = "testing123" shortname = "localhost" nastype = "other" } client 192.168.1.0 { require_message_authenticator = no secret = "testing123" shortname = "labs" nastype = "other" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs/masterCA/crl" pem_file_type = yes private_key_file = "/etc/certs/server/radius1_keycert.pem" certificate_file = "/etc/certs/server/radius1_keycert.pem" CA_file = "/etc/freeradius/certs/masterCA/cacert.pem" private_key_password = "misecreto" dh_file = "/etc/freeradius/certs/dh" random_file = "/etc/freeradius/certs/random" fragment_size = 1024 include_length = yes check_crl = yes cipher_list = "DEFAULT" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } } server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_ldap Module: Instantiating ldap ldap { server = "ldap1.midominio.loc" port = 389 password = "misecreto" identity = "cn=admin,dc=midominio,dc=loc" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "dc=midominio,dc=loc" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0x817f160 Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_sql Module: Instantiating sql sql { driver = "rlm_sql_mysql" server = "localhost" port = "" login = "radius" password = "mysqlsecret" radius_db = "radius" read_groups = yes sqltrace = no sqltracefile = "/var/log/freeradius/sqltrace.sql" readclients = no deletestalesessions = yes num_sql_socks = 5 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id, nasname, shortname, type, secret FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id" accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime = NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime = NULL" postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to radius@localhost:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } main { snmp = no smux_password = "" snmp_write_access = no } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 60121, id=144, length=62 User-Name = "papsqluser" User-Password = "papsecret" NAS-IP-Address = 192.168.1.100 NAS-Port = 0 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "papsqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> papsqluser rlm_sql (sql): sql_set_user escaped user --> 'papsqluser' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'papsqluser' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'papsqluser' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'papsqluser' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok rlm_ldap: - authorize rlm_ldap: performing user authorization for papsqluser WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=papsqluser) expand: dc=midominio,dc=loc -> dc=midominio,dc=loc rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap1.midominio.loc:389, authentication 0 rlm_ldap: bind as cn=admin,dc=midominio,dc=loc/misecreto to ldap1.midominio.loc:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=midominio,dc=loc, with filter (uid=papsqluser) rlm_ldap: object not found or got ambiguous search result rlm_ldap: searcch failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type Crypt-Local auth: type Crypt Login OK: [papsqluser/papsecret] (from client localhost port 0) +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 144 to 127.0.0.1 port 60121 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 144 with timestamp +4 Ready to process requests. ----------------------------------------------------------------------------------------------------------------------- Seccond auth: rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=144, length=20 root@radius1:~# root@radius1:~# radtest papsqluser papsecret1233323 localhost 0 testing123 Sending Access-Request of id 167 to 127.0.0.1 port 1812 User-Name = "papsqluser" User-Password = "papsecret1233323" NAS-IP-Address = 192.168.1.100 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=167, length=20 rad_recv: Access-Request packet from host 127.0.0.1 port 53931, id=167, length=62 User-Name = "papsqluser" User-Password = "papsecret1233323" NAS-IP-Address = 192.168.1.100 NAS-Port = 0 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "papsqluser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> papsqluser rlm_sql (sql): sql_set_user escaped user --> 'papsqluser' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'papsqluser' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'papsqluser' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'papsqluser' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok rlm_ldap: - authorize rlm_ldap: performing user authorization for papsqluser WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=papsqluser) expand: dc=midominio,dc=loc -> dc=midominio,dc=loc rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap1.midominio.loc:389, authentication 0 rlm_ldap: bind as cn=admin,dc=midominio,dc=loc/misecreto to ldap1.midominio.loc:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=midominio,dc=loc, with filter (uid=papsqluser) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type Crypt-Local auth: type Crypt Login OK: [papsqluser/papsecret1233323] (from client localhost port 0) +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 167 to 127.0.0.1 port 53931 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 167 with timestamp +9 Ready to process requests. ------------------------------------------------------------------------------------------------------------ mysql> select * from radcheck -> ; +----+-------------+----------------+----+---------------+ | id | username | attribute | op | value | +----+-------------+----------------+----+---------------+ | 1 | Chapsqluser | User-Password | == | chapsecret | | 2 | Chapsqluser | Auth-Type | := | Local | | 3 | Papsqluser | Crypt-Password | == | /gTPHauHkNjWE | | 4 | Papsqluser | Auth-Type | := | Crypt-Local | +----+-------------+----------------+----+---------------+ 4 rows in set (0.00 sec) ----- Original Message ----- From: "Ivan Kalik" <tnt@kalik.net> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Friday, May 09, 2008 7:58 PM Subject: Re: PAP Authentication User-Password not working properly radiusd -X Ivan Kalik Kalik Informatika ISP Dana 9/5/2008, "Yago Fdez. Hansen" <sti@soportec.com> piše:
Hi everybody:
I am installing a lab test server with Freeradius 2.0.4 with all the authentication installed: CHAP, PAP, EAP and authorization over MySQL, users, system, and LDAP.
I installed it in the few last days and I have everything working now, but as I was testing it, I could notice a bug. I created users in every DB and file all of them with own password and user entries. When I was testing with radtest ALL worked fine, but I noticed that ONLY with PAP authentication and MySQL user it doesn't matter if I put a clear password in radtest larger than the original one I get an Access-Accept message.
Example:
radtest papsqluser papsecret localhost 0 testing123 Access-Accept
radtest papsqluser papsecret43343 localhost 0 testing123 Access-Accept
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __________ Información de NOD32, revisión 3089 (20080509) __________ Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
mysql> select * from radcheck -> ; +----+-------------+----------------+----+---------------+ | id | username | attribute | op | value | +----+-------------+----------------+----+---------------+ | 1 | Chapsqluser | User-Password | == | chapsecret | | 2 | Chapsqluser | Auth-Type | := | Local | | 3 | Papsqluser | Crypt-Password | == | /gTPHauHkNjWE | | 4 | Papsqluser | Auth-Type | := | Crypt-Local | +----+-------------+----------------+----+---------------+ 4 rows in set (0.00 sec)
Don't force Auth-Type. Remove Auth-Type Crypt-Local from the database entry. Let pap module sort it out. And entry for Chapsqluser is also wrong. Remove Auth-Type, replace password attribute with Cleartext-Password and op with :=. Server documentation clearly states: - don't use Auth-Type - use Cleartext-Password (not User-Password) for clear text passwords. Ivan Kalik Kalik Inormatika ISP
Thank you Ivan Kalik: Great work in the mailing list for you and also Alan DeKok. I'll try the recomendations. There is much documentation in the Freeradius Wiki and in many other articles and forums. But one have to learn wrong things from wrong articles and I'ts sometimes difficult to guess the right information. Bye all. ----- Original Message ----- From: "Ivan Kalik" <tnt@kalik.net> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Friday, May 09, 2008 10:59 PM Subject: Re: PAP Authentication User-Password not working properly
mysql> select * from radcheck -> ; +----+-------------+----------------+----+---------------+ | id | username | attribute | op | value | +----+-------------+----------------+----+---------------+ | 1 | Chapsqluser | User-Password | == | chapsecret | | 2 | Chapsqluser | Auth-Type | := | Local | | 3 | Papsqluser | Crypt-Password | == | /gTPHauHkNjWE | | 4 | Papsqluser | Auth-Type | := | Crypt-Local | +----+-------------+----------------+----+---------------+ 4 rows in set (0.00 sec)
Don't force Auth-Type. Remove Auth-Type Crypt-Local from the database entry. Let pap module sort it out. And entry for Chapsqluser is also wrong. Remove Auth-Type, replace password attribute with Cleartext-Password and op with :=. Server documentation clearly states:
- don't use Auth-Type
- use Cleartext-Password (not User-Password) for clear text passwords.
Ivan Kalik Kalik Inormatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3090 (20080509) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
On Fri, May 09, 2008 at 08:17:25PM +0100, Yago Fdez. Hansen wrote:
Dana 9/5/2008, "Yago Fdez. Hansen" <sti@soportec.com> piše:
Hi everybody:
I am installing a lab test server with Freeradius 2.0.4 with all the authentication installed: CHAP, PAP, EAP and authorization over MySQL, users, system, and LDAP.
I installed it in the few last days and I have everything working now, but as I was testing it, I could notice a bug. I created users in every DB and file all of them with own password and user entries. When I was testing with radtest ALL worked fine, but I noticed that ONLY with PAP authentication and MySQL user it doesn't matter if I put a clear password in radtest larger than the original one I get an Access-Accept message.
Example:
radtest papsqluser papsecret localhost 0 testing123 Access-Accept
radtest papsqluser papsecret43343 localhost 0 testing123 Access-Accept
mysql> select * from radcheck -> ; +----+-------------+----------------+----+---------------+ | id | username | attribute | op | value | +----+-------------+----------------+----+---------------+ | 1 | Chapsqluser | User-Password | == | chapsecret | | 2 | Chapsqluser | Auth-Type | := | Local | | 3 | Papsqluser | Crypt-Password | == | /gTPHauHkNjWE | | 4 | Papsqluser | Auth-Type | := | Crypt-Local | +----+-------------+----------------+----+---------------+ 4 rows in set (0.00 sec)
The DES crypt algorithm only deals with the first 8 characters of the password. No bug, working as designed. -- Scott Lambert KC5MLE Unix SysAdmin lambert@lambertfam.org
participants (4)
-
Ivan Kalik -
Scott Lambert -
Terry Pelley -
Yago Fdez. Hansen