All password checks disbaled... ugh
Matthew Newton
mcn4 at leicester.ac.uk
Tue Apr 15 13:36:13 CEST 2014
Hi,
On Tue, Apr 15, 2014 at 10:26:22AM +0200, Stefan Winter wrote:
> In FreeRADIUS 3, I retained this, NT-Passwords are found, pap
> returns noop(?), authorize returns ok, and then I see
>
> Auth-Type = Accept, accepting the user
>
> *regardless of his password* ?
Can't reproduce it here. Have you got a minimal config that
creates it?
The pap module returns noop without printing output in only a very
few cases, the only ones really is if it can't find a password and
you're proxying or some eap types are set.
The only case I can see is if the dictionary lookup for the module
name fails, and it can't set the auth-type name correctly. But
even then it sets Auth-Type to 0, not 254 (Accept).
...
> (11) [mschap] = noop
> (11) [eap-staff] = noop
> (11) [pap] = noop
> (11) if ( "%{Packet-Src-IP-Address}" == "158.64.1.229" )
> (11) EXPAND %{Packet-Src-IP-Address}
> (11) --> 158.64.1.65
> (11) if ( "%{Packet-Src-IP-Address}" == "158.64.1.229" ) -> FALSE
> (11) } # authorize = ok
> (11) Auth-Type = Accept, accepting the user
...
Are you sure it's definitely the pap module that's setting
Auth-Type? If you comment it out, does the blank password still
authenticate?
If so, a binary chop on your config to find the culprit may be
helpful.
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
More information about the Freeradius-Devel
mailing list