Problem about "Chap-Password" and "User-Password"

Stefan Winter stefan.winter at restena.lu
Fri Jun 30 09:49:00 CEST 2006


Hello!

It seems that your client is using a quite unusual character in his password. 
That leads to encoding problems with your database backend. The solution is 
to either list that character in safe_characters for the database (I don't 
really recommend that, given that \240 is a bit too unusual) or store the 
password not literally in the database, but properly encoded. The rlm_sql 
module will then take the user's password, encode it, and check it against 
the same-encoded string in the database.

Of course, the problem might also be that your shared secret for this client 
isn't correct, as the end of the failed attempt suggests. But given that all 
but one character in the password are nicely printable, my guess is that it's 
really just a weird character in the password. In any case, you can verify 
that using a more straightforward password and see if that works.

Greetings,

Stefan Winter

On Friday, 30 June 2006 09:37, Kun Niu wrote:
> Dear all,
>
> I've just installed freeradius 1.0.2 on my debian3.1 system.
> I've got two radius clients.
> One can be authorized normally and the other one failed to be authorized.
>
> Here's my log.
> Would anyone be kind enough to analyze it for me?
> Thanks in advance and any help would be appreciated.
>
> The failing one:
>
> rad_recv: Access-Request packet from host 192.168.1.2:1026, id=199,
> length=239 User-Name = "abc"
> 	Service-Type = Login-User
> 	NAS-Port-Type = Ethernet
> 	NAS-IP-Address = 192.168.1.2
> 	WISPr-Logoff-URL = "https://10.10.10.1/logout.user"
> 	WISPr-Location-Name = "GEMTEK_SYSTEMS,Terminal_Worldwide"
> 	WISPr-Location-ID = "isocc=us,cc=1,ac=408,network=GEMTEK_SYSTEMS"
> 	Framed-IP-Address = 10.10.10.10
> 	Calling-Station-Id = "0060B325AB48"
> 	Called-Station-Id = "00904BBDFAD0"
> 	Acct-Session-Id = "44A4C9148546"
> 	User-Password = "Ye~\2409"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
>   modcall[authorize]: module "preprocess" returns ok for request 1
>   modcall[authorize]: module "chap" returns noop for request 1
>   modcall[authorize]: module "mschap" returns noop for request 1
>     rlm_realm: No '@' in User-Name = "abc", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 1
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 1
>     users: Matched entry DEFAULT at line 152
>   modcall[authorize]: module "files" returns ok for request 1
> radius_xlat:  'abc'
> rlm_sql (sql): sql_set_user escaped user --> 'abc'
> radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck
> WHERE Username = 'abc' ORDER BY id'
> rlm_sql (sql): Reserving sql socket id: 3
> radius_xlat:  'SELECT
> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupch
>eck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
> usergroup.Username = 'abc' AND usergroup.GroupName =
> radgroupcheck.GroupName ORDER BY
> radgroupcheck.id'
> radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply
> WHERE Username = 'abc' ORDER BY id'
> radius_xlat:  'SELECT
> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupre
>ply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
> usergroup.Username = 'abc' AND usergroup.GroupName =
> radgroupreply.GroupName ORDER BY
> radgroupreply.id'
> rlm_sql (sql): No matching entry in the database for request from user
> [abc] rlm_sql (sql): Released sql socket id: 3
>   modcall[authorize]: module "sql" returns notfound for request 1
> modcall: group authorize returns ok for request 1
>   rad_check_password:  Found Auth-Type System
> auth: type "System"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1
>   modcall[authenticate]: module "unix" returns notfound for request 1
> modcall: group authenticate returns notfound for request 1
> auth: Failed to validate the user.
>   WARNING: Unprintable characters in the password. ?  Double-check the
> shared secret on the server and the NAS!
> Delaying request 1 for 1 seconds
> Finished request 1
>
> The successful one:
>
> rad_recv: Access-Request packet from host 192.168.1.1:32812, id=0,
> length=84 User-Name = "abc"
> 	CHAP-Password = 0x04f97271e7e12220a7f6397cc15a62f7e2
> 	NAS-IP-Address = 192.168.1.1
> 	Acct-Session-Id = "5b010000"
> 	NAS-Port = 3
> 	CHAP-Challenge = 0x00ac45bdd7e79c6af29ee0b413c874a8
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 2
>   modcall[authorize]: module "preprocess" returns ok for request 2
>   rlm_chap: Setting 'Auth-Type := CHAP'
>   modcall[authorize]: module "chap" returns ok for request 2
>   modcall[authorize]: module "mschap" returns noop for request 2
>     rlm_realm: No '@' in User-Name = "abc", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 2
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 2
>     users: Matched entry DEFAULT at line 152
>   modcall[authorize]: module "files" returns ok for request 2
> radius_xlat:  'abc'
> rlm_sql (sql): sql_set_user escaped user --> 'abc'
> radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck
> WHERE Username = 'abc' ORDER BY id'
> rlm_sql (sql): Reserving sql socket id: 2
> radius_xlat:  'SELECT
> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupch
>eck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
> usergroup.Username = 'abc' AND usergroup.GroupName =
> radgroupcheck.GroupName ORDER BY
> radgroupcheck.id'
> radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply
> WHERE Username = 'abc' ORDER BY id'
> radius_xlat:  'SELECT
> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupre
>ply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
> usergroup.Username = 'abc' AND usergroup.GroupName =
> radgroupreply.GroupName ORDER BY
> radgroupreply.id'
> rlm_sql (sql): Released sql socket id: 2
>   modcall[authorize]: module "sql" returns ok for request 2
> modcall: group authorize returns ok for request 2
>   rad_check_password:  Found Auth-Type Local
> auth: type Local
> auth: user supplied CHAP-Password matches local User-Password
>   Processing the post-auth section of radiusd.conf
> modcall: entering group post-auth for request 2
> rlm_sql (sql): Processing sql_postauth
> radius_xlat:  'abc'
> rlm_sql (sql): sql_set_user escaped user --> 'abc'
> radius_xlat:  'INSERT into radpostauth (id, user, pass, reply, date)
> values ('', 'abc', 'Chap-Password', 'Access-Accept', NOW())'
> rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id,
> user, pass, reply, date) values ('', 'abc', 'Chap-Password',
> 'Access-Accept', NOW())
> rlm_sql (sql): Reserving sql socket id: 1
> rlm_sql (sql): Released sql socket id: 1
>   modcall[post-auth]: module "sql" returns ok for request 2
> modcall: group post-auth returns ok for request 2
> Sending Access-Accept of id 0 to 192.168.1.1:32812
> 	NAS-IP-Address := 255.255.255.255
> Finished request 2
>
> Sincerely,
> Kun

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Research & Development Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at restena.lu     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473
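
Added example, not part of the original message and not FreeRADIUS code: the RFC 2865 section 5.2 User-Password hiding scheme, showing why a wrong shared secret garbles the whole decoded block while a correct secret leaves a single odd byte (\240, i.e. 0xA0) and intact NUL padding. The secret, Request Authenticator and the `diagnose` heuristic are assumptions constructed for illustration.

```python
import hashlib

def _keystream_xor(block: bytes, secret: bytes, prev: bytes) -> bytes:
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block)
    pad = hashlib.md5(secret + prev).digest()
    return bytes(a ^ b for a, b in zip(block, pad))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS sends in User-Password (password NUL-padded to 16n bytes)."""
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _keystream_xor(padded[i:i + 16], secret, prev)
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server recovers; only correct if it holds the same secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _keystream_xor(block, secret, prev)
        prev = block
    return out

def diagnose(decoded: bytes) -> str:
    """Heuristic assumed for this example; not the server's own logic."""
    text = decoded.rstrip(b"\x00")
    odd = sum(1 for b in text if b < 0x20 or b > 0x7E)
    if odd == 0:
        return "printable"
    # A wrong secret destroys the NUL padding and makes most bytes look random.
    # (A password of exactly 16n bytes has no padding and is not told apart here.)
    has_padding = len(text) < len(decoded)
    if has_padding and odd * 4 <= len(text):
        return "unusual-character"
    return "secret-mismatch-likely"

# Constructed sample values: secret and Request Authenticator are made up.
SECRET = b"testing123"
AUTHENTICATOR = bytes(range(16))
PASSWORD = b"Ye~\xa09"  # "\240" (octal) in the debug log is byte 0xA0
HIDDEN = hide_password(PASSWORD, SECRET, AUTHENTICATOR)

if __name__ == "__main__":
    for s in (SECRET, b"wrong-secret"):
        decoded = unhide_password(HIDDEN, s, AUTHENTICATOR)
        print(s, decoded, diagnose(decoded))
```

CHAP-Password is not hidden with the shared secret, which is why the CHAP client's request decodes the same way regardless of this step.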