PAP questions.
Phil Mayers
p.mayers at imperial.ac.uk
Tue Aug 22 12:11:34 CEST 2006
Keith Woodworth wrote:
> Try this again, I hope someone can answer these or at least shed some
> light.
>
> Been trying to do PAP authentication with the crypt'd password stored in
> mysql. We, unfortunately, have to do PAP.
>
> This has been done for the most part and works, but I had to go against
> what deployingradius.com said w/regards to using Auth-Type as I have not
> found an alternative that seems to work right.
In current versions of the server, the "pap" module does not run in
authorize, and does not set Auth-Type correctly to itself, so this is
one of the FEW circumstances in which setting Auth-Type is correct, I
think. Later versions of the server (i.e. CVS) perform "correctly" in
this regard, which is much more consistent.

Many people leave the Auth-Type at the default of "Local", which
confusingly does similar but not identical things to the "pap" module,
and hence don't see this problem with their PAP requests.
>
> I'm using stock radiusd.conf that comes with 1.1.2, except proxy is set to
> no.
You can't possibly be, since sql is commented out in that! Even slight
differences can be important.
>
> To make this work I added a user to radcheck with a crypt'd password:
>
> +----+------------+----------------+----+---------------+
> | id | UserName   | Attribute      | op | Value         |
> +----+------------+----------------+----+---------------+
> |  1 | bob        | Password       | == | test          |
> |  4 | tester     | Crypt-Password | == | gmxwp4dfOcHAI |
> +----+------------+----------------+----+---------------+
Your "op" should be :=
>
> In radgroupcheck:
>
> +----+-----------+-----------+----+-------+
> | id | GroupName | Attribute | op | Value |
> +----+-----------+-----------+----+-------+
> |  1 | default   | Auth-Type | := | PAP   |
> |  2 | admin     | Auth-Type | := | PAP   |
> +----+-----------+-----------+----+-------+
>
> In radgroupreply:
>
> +----+-----------+--------------------+----+---------------------+------+
> | id | GroupName | Attribute          | op | Value               | prio |
> +----+-----------+--------------------+----+---------------------+------+
> |  1 | default   | Service-Type       | := | Framed-User         |    0 |
> |  2 | default   | Framed-Protocol    | := | PPP                 |    0 |
> |  3 | default   | Framed-Compression | := | Van-Jacobsen-TCP-IP |    0 |
> |  4 | default   | Framed-MTU         | := | 1500                |    0 |
> |  5 | admin     | Service-Type       | := | Administrative-User |    0 |
> |  6 | default   | Framed-Routing     | := | None                |    0 |
> |  7 | default   | Framed-IP-Netmask  | := | 255.255.255.255     |    0 |
> +----+-----------+--------------------+----+---------------------+------+
>
> and the usergroup table:
>
> +----+------------+-----------+
> | id | UserName   | GroupName |
> +----+------------+-----------+
> |  5 | bob        | admin     |
> | 10 | tester     | default   |
> +----+------------+-----------+
>
> With this setup user tester can dial up, log in and set up a ppp connection
> and it works.
>
> The one main issue is that the user has to be both in the usergroup table
> and the radcheck table for this to work. Is there a way to just have the
> username in just radcheck for example? What is needed to set up a default
> profile for all users to authenticate via PAP w/o having to set
> auth-type=pap? Is that possible?
Not if you're using the "pap" module on the current server version.