empty password / dhcpd

Wed Jun 20 21:25:24 CEST 2007

Hi again...

I am now trying to authenticate a DHCPd request from a mikrotik box.
My freeradius server says that there is a problem with user's password.
How can I tell him (PAP) that this should be ok?

Something strange that I noticed is that the calling station id got 
changed from the original mac address value. Anyway, I just put this as 
a calling-station id attribute on radcheck.

mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = '00:0B:CD:EC:63:50' ORDER BY id;
+------+-------------------+--------------------+-------------------+----+
| id   | UserName          | Attribute          | Value             | op |
+------+-------------------+--------------------+-------------------+----+
| 2047 | 00:0B:CD:EC:63:50 | Calling-Station-Id | 1:0:b:cd:ec:63:50 | := |
| 2050 | 00:0B:CD:EC:63:50 | User-Password      |                   | := |
+------+-------------------+--------------------+-------------------+----+
2 rows in set (0.00 sec)

SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  
FROM radgroupcheck,usergroup WHERE usergroup.Username = 
'00:0B:CD:EC:63:50' AND usergroup.GroupName = radgroupcheck.GroupName 
ORDER BY radgroupcheck.id;
Empty set (0.00 sec)

mysql> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = '00:0B:CD:EC:63:50' ORDER BY id;
+----+-------------------+-------------------+-----------------+----+
| id | UserName          | Attribute         | Value           | op |
+----+-------------------+-------------------+-----------------+----+
| 42 | 00:0B:CD:EC:63:50 | Framed-IP-Address | 192.168.254.101 | == |
| 43 | 00:0B:CD:EC:63:50 | Framed-IP-Netmask | 255.255.255.0   | == |
+----+-------------------+-------------------+-----------------+----+
2 rows in set (0.00 sec)

SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  
FROM radgroupreply,usergroup WHERE usergroup.Username = 
'00:0B:CD:EC:63:50' AND usergroup.GroupName = radgroupreply.GroupName 
ORDER BY radgroupreply.id;
Empty set (0.00 sec)

Ready to process requests.
rad_recv: Access-Request packet from host 172.16.3.5:32768, id=71, 
length=113
        NAS-Port-Type = Ethernet
        NAS-Port = 2205155400
        Calling-Station-Id = "1:0:b:cd:ec:63:50"
        Called-Station-Id = "server1"
        User-Name = "00:0B:CD:EC:63:50"
        User-Password = ""
        NAS-Identifier = "MikroTik"
        NAS-IP-Address = 172.16.3.5
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "00:0B:CD:EC:63:50", looking up 
realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "00:0B:CD:EC:63:50"
    rlm_realm: Proxying request from user 00:0B:CD:EC:63:50 to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 174
  modcall[authorize]: module "files" returns ok for request 0
radius_xlat:  '00:0B:CD:EC:63:50'
rlm_sql (sql): sql_set_user escaped user --> '00:0B:CD:EC:63:50'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = '00:0B:CD:EC:63:50' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  
FROM radgroupcheck,usergroup WHERE usergroup.Username = 
'00:0B:CD:EC:63:50' AND usergroup.GroupName = radgroupcheck.GroupName 
ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = '00:0B:CD:EC:63:50' ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  
FROM radgroupreply,usergroup WHERE usergroup.Username = 
'00:0B:CD:EC:63:50' AND usergroup.GroupName = radgroupreply.GroupName 
ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
******************************************************************************
  rad_check_password:  Found Auth-Type PAP
auth: type "PAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 0
  modcall[authenticate]: module "pap" returns invalid for request 0
modcall: leaving group PAP (returns invalid) for request 0
******************************************************************************
auth: Failed to validate the user.
Login incorrect (rlm_pap: empty password supplied): [00:0B:CD:EC:63:50/] 
(from client mikrotik port 2205155400 cli 1:0:b:cd:ec:63:50)
rad_lowerpair:  Stripped-User-Name now '00:0b:cd:ec:63:50'
rad_lowerpair:  User-Password now ''
rad_rmspace_pair:  Stripped-User-Name now '00:0b:cd:ec:63:50'
rad_rmspace_pair:  User-Password now ''
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module "suffix" returns noop for request 0

Thank you,

Felipe