Fwd: upgrade to freeradius 3.0.15 and problem with authorization
Hello. I've upgraded to 3.0.15 from 2.X and now I have a problem with pap authorization. My users saved in a MySQL with an attribute md5. But, from Cisco ASA I receive header User-Password. In a source code I've found next strings: case PW_USER_PASSWORD: /* deprecated */ RWDEBUG("!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); RWDEBUG("!!! Ignoring control:User-Password. Update your !!!"); RWDEBUG("!!! configuration so that the \"known good\" clear text !!!"); RWDEBUG("!!! password is in Cleartext-Password and NOT in !!!"); RWDEBUG("!!! User-Password. !!!"); RWDEBUG("!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); break; Okay. I've found a workaround with unlang and paste it to "authorize" section: if (!control:Cleartext-Password && control:User-Password) { update control { Cleartext-Password := "%{control:User-Password}" } } But it doesn't work. How can I save an encrypted password in MySQL and delete header User-Password which I receive from Cisco ASA (I can't modify software on the Cisco side)? -- Best regards, Anton Kiryushkin
post debug. if NAS is sending that, its fine - its what FR knows/handles that matters - the warnings you worry about are probably due to mysql syntax you've ported :/ On 18 September 2017 at 13:22, Anton Kiryushkin <swood@fotofor.biz> wrote:
Hello.
I've upgraded to 3.0.15 from 2.X and now I have a problem with pap authorization.
My users saved in a MySQL with an attribute md5. But, from Cisco ASA I receive header User-Password. In a source code I've found next strings:
case PW_USER_PASSWORD: /* deprecated */ RWDEBUG("!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); RWDEBUG("!!! Ignoring control:User-Password. Update your !!!"); RWDEBUG("!!! configuration so that the \"known good\" clear text !!!"); RWDEBUG("!!! password is in Cleartext-Password and NOT in !!!"); RWDEBUG("!!! User-Password. !!!"); RWDEBUG("!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); break;
Okay. I've found a workaround with unlang and paste it to "authorize" section:
if (!control:Cleartext-Password && control:User-Password) { update control { Cleartext-Password := "%{control:User-Password}" } }
But it doesn't work.
How can I save an encrypted password in MySQL and delete header User-Password which I receive from Cisco ASA (I can't modify software on the Cisco side)?
-- Best regards, Anton Kiryushkin - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thank's for answered. I've changed a config of SQL module from: authorize_check_query = "SELECT vpn_id as id, vpn_username as UserName, 'User-Password' as attribute, pass as value, ':=' as op \ FROM ${authcheck_table} \ WHERE (vpn_username = '%{SQL-User-Name}' AND msk='1') \ ORDER BY id" to: authorize_check_query = "SELECT vpn_id as id, vpn_username as UserName, 'MD5-Password' as attribute, pass as value, ':=' as op \ FROM ${authcheck_table} \ WHERE (vpn_username = '%{SQL-User-Name}' AND msk='1') \ ORDER BY id" And after that, I changed a value of password in a database from "{MD5}hash" to "hash". And it's work for me. 2017-09-18 15:56 GMT+03:00 Alan Buxey <alan.buxey@gmail.com>:
post debug. if NAS is sending that, its fine - its what FR knows/handles that matters - the warnings you worry about are probably due to mysql syntax you've ported :/
Hello.
I've upgraded to 3.0.15 from 2.X and now I have a problem with pap authorization.
My users saved in a MySQL with an attribute md5. But, from Cisco ASA I receive header User-Password. In a source code I've found next strings:
case PW_USER_PASSWORD: /* deprecated */ RWDEBUG("!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); RWDEBUG("!!! Ignoring control:User-Password. Update your !!!"); RWDEBUG("!!! configuration so that the \"known good\" clear text !!!"); RWDEBUG("!!! password is in Cleartext-Password and NOT in !!!"); RWDEBUG("!!! User-Password. !!!"); RWDEBUG("!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); break;
Okay. I've found a workaround with unlang and paste it to "authorize" section:
if (!control:Cleartext-Password && control:User-Password) { update control { Cleartext-Password := "%{control:User-Password}" } }
But it doesn't work.
How can I save an encrypted password in MySQL and delete header User-Password which I receive from Cisco ASA (I can't modify software on the Cisco side)?
-- Best regards, Anton Kiryushkin - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On 18 September 2017 at 13:22, Anton Kiryushkin <swood@fotofor.biz> wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- Best regards, Anton Kiryushkin
On Sep 18, 2017, at 8:59 AM, Anton Kiryushkin <swood@fotofor.biz> wrote:
Thank's for answered.
I've changed a config of SQL module from:
authorize_check_query = "SELECT vpn_id as id, vpn_username as UserName, 'User-Password' as attribute, pass as value, ':=' as op \
Having "User-Password" here has been not recommended for a decade.
FROM ${authcheck_table} \ WHERE (vpn_username = '%{SQL-User-Name}' AND msk='1') \ ORDER BY id"
to:
authorize_check_query = "SELECT vpn_id as id, vpn_username as UserName, 'MD5-Password' as attribute, pass as value, ':=' as op \ FROM ${authcheck_table} \ WHERE (vpn_username = '%{SQL-User-Name}' AND msk='1') \ ORDER BY id"
And after that, I changed a value of password in a database from "{MD5}hash" to "hash".
Please use "Password-With-Header" instead of MD5-Password. And leave the headers on the passwords. The server will figure it out. Alan DeKok.
participants (3)
-
Alan Buxey -
Alan DeKok -
Anton Kiryushkin