Please HELP!!! Any ideas??? MySQL and users file... Difference???

Alan DeKok aland at
Sat Feb 25 22:01:17 CET 2006

"Alex Savguira" <savguira at> wrote:
> Alan, please, you asked me to try := instead of == . I did and it does not work.
> Somehow I needed to inform you it did not.

  You need to post the debug log of it using the "users" file entry
after you changed == to :=/

>  I did in my first post. Would you please explain me, why freeradius
> only process one record, when it does process both while using users
> file?

  I have no idea.  And the debug log you posted was BEFORE you made
the change, so it's not that helpful.

> Is it possible perhaps to make the PAP module understand both CRYPT
> and plaintext passwords (perhaps by  defining two instances of
> module)?

  The server already handles crypt'd passwords.  You shouldn't have to
do anything.

> I can in this case keep one record per user, and it will be cleartext
> for PAP and MS-CHAPv2 when the user is granted services requiring
> MS-CHAPv2 and CRYPT for all existing users otherwise.

  That's what I've been trying to say.  A number of times.  DO THAT.

> >Then those users can't do MS-CHAP.
> C'mon. This is not an answer... I can't just ignore all of my existing
> users and I can't make all of them to change their passwords and,  as
> far as I know, I can't extract their passwords from the crypt hash.

  Yes, I understand.  However, it's IMPOSSIBLE to use crypted
passwords with MS-CHAP.  If you have a crypt'd password, then the user
can't do MS-CHAP.

  For pete's sake, what do I have to do to convince people that it's

  Stop arguing and accept it.  Yes, it's unfriendly to your users.
Tough.  You shouldn't have stored the passwords in crypt'd form in the
first place.  That choice made MS-CHAP impossible for those users.

  Don't complain to me about it.  I didn't create your local config,
the crypt algorithm or the MS-CHAP algorithm.

> I really do not want to start hacking freeradius code, but on the
> other side I really do need to make the new services available to
> these users.

  Great.  I'll give you a million dollars if you can make FreeRADIUS
authenticate MS-CHAP when it has nothing more than the crypt'd

  Did I mention it was impossible?

> Why does it work perfectly as expected when I am doing it in users file?
> Should not the SQL module perform the same?

  No.  The "users" file is processed to bottom.  The SQL module grabs
the first matching entry.

  Didn't you read the previous response that explained this?

  Alan DeKok.

More information about the Freeradius-Users mailing list