PAP questions.

Keith Woodworth kwoody at citytel.net
Tue Aug 22 23:36:27 CEST 2006


On Tue, 22 Aug 2006, Phil Mayers wrote:

|->Keith Woodworth wrote:
|->>
|->> Been trying to do PAP authentication with the crypt'd password stored in
|->> MySQL. We, unfortunately, have to do PAP.
|->>
|->> This has been done for the most part and works, but I had to go against
|->> what deployingradius.com said w/regards to using Auth-Type as I have not
|->> found an alternative that seems to work right.
|->
|->In current versions of the server, the "pap" module does not run in
|->authorize, and does not set Auth-Type correctly to itself, so this is
|->one of the FEW circumstances in which setting Auth-Type is correct, I
|->think. Later versions of the server (i.e. CVS) perform "correctly" in
|->this regard, which is much more consistent.
|->
|->Many people leave the Auth-Type at the default of "Local", which
|->confusingly does similar but not identical things to the "pap" module,
|->and hence don't see this problem with their PAP requests.

One of the things I did try was add PAP to the authorize section, but
radius failed to start when I did that.

Deployingradius.com did say there were very few circumstances to set
Auth-Type, but not which ones. Guess I found one?

|->> I'm using stock radiusd.conf that comes with 1.1.2, except proxy is set to
|->> no.
|->
|->You can't possibly be, since sql is commented out in that! Even slight
|->differences can be important.

Bah, you are right. I forgot, I did set the SQL module.

|->> To make this work I added a user to radcheck with a crypt'd password:
|->>
|->> +----+------------+----------------+----+---------------+
|->> | id | UserName   | Attribute      | op | Value         |
|->> +----+------------+----------------+----+---------------+
|->> |  1 | bob        | Password       | == | test          |
|->> |  4 | tester     | Crypt-Password | == | gmxwp4dfOcHAI |
|->> +----+------------+----------------+----+---------------+
|->
|->Your "op" should be :=

Ok thanks.

|->> The one main issue is that the user has to be both in the usergroup table
|->> and the radcheck table for this to work. Is there a way to just have the
|->> username in just radcheck for example? What is needed to set up a default
|->> profile for all users to authenticate via PAP w/o having to set
|->> auth-type=pap? Is that possible?
|->
|->Not if you're using the "pap" module on the current server version.

How stable is the current server version? Anyone using it in production?
Sounds like I might have to be using the CVS version to do what I want
properly: only having the user in one table and doing PAP authentication
with the crypt password stored in SQL.

Thanks,
Keith



