Problem with MD5 Authentication and PAP
Jonathan Wong
j.wong888 at gmail.com
Sat Nov 10 02:25:53 CET 2007
Hi,

I am running FreeRADIUS 1.1.4, MySQL, MD5, and PAP. For some reason,
I cannot get authenticated using MD5 and PAP. The logins keep
failing, and the logs say that I do not have a password set. When I
use crypt and clear as the encryption schemes, I am able to get
authenticated. The problem is that I am getting an md5 feed, so I
have to use MD5. Can someone please help me figure out what I am
doing wrong? Please let me know if other information is needed.

Another weird thing is when I have PAP and MD5 set, and I do not have
a radgroupcheck entry for my group, I can get authenticated by putting
the MD5 Hash as my password. For example, if my MD5 hash was "abcd…",
I would have to use "abcd…" as my password, and I would get an
access-accept.
#######Radiusd.conf#########
modules {
    pap {
        encryption_scheme = md5
    }
}
authorize {
    preprocess
    auth_log
    sql
}
authenticate {
    Auth-Type PAP {
        pap
    }
}
####### radcheck table entry #########
+----+----------+-----------+----+----------------------------------+
| id | UserName | Attribute | op | Value                            |
+----+----------+-----------+----+----------------------------------+
| 36 | stryker8 | Password  | := | 5f4dcc3b5aa765d61d8327deb882cf99 |
+----+----------+-----------+----+----------------------------------+
####### radreply table entry #########
+----+----------+-----------+----+----------------+
| id | UserName | Attribute | op | Value          |
+----+----------+-----------+----+----------------+
| 36 | stryker8 | Class     | =  | OU=utnet-staff |
+----+----------+-----------+----+----------------+
####### radgroupcheck table entry #########
+----+-------------+-----------+----+-------+
| id | GroupName   | Attribute | op | Value |
+----+-------------+-----------+----+-------+
|  8 | utnet-staff | Auth-Type | := | PAP   |
+----+-------------+-----------+----+-------+
####### radiusd -X log #########
rad_recv: Access-Request packet from host 128.83.135.171:3335, id=5, length=48
User-Name = "stryker8"
User-Password = "password"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat: '/var/log/radius/radacct/128.83.135.171/auth-detail-20071109'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/128.83.135.171/auth-detail-20071109
modcall[authorize]: module "auth_log" returns ok for request 1
radius_xlat: 'stryker8'
rlm_sql (sql): sql_set_user escaped user --> 'stryker8'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = 'stryker8' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM
radcheck WHERE Username = 'stryker8' ORDER BY id
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'stryker8'
AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY
radgroupcheck.id'
rlm_sql_mysql: query: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'stryker8'
AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY
radgroupcheck.id
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = 'stryker8' ORDER BY id'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM
radreply WHERE Username = 'stryker8' ORDER BY id
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'stryker8'
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY
radgroupreply.id'
rlm_sql_mysql: query: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'stryker8'
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY
radgroupreply.id
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module "sql" returns ok for request 1
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type PAP
auth: type "PAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
rlm_pap: login attempt with password password
rlm_pap: No password configured for the user. Cannot do authentication
modcall[authenticate]: module "pap" returns fail for request 1
modcall: group Auth-Type returns fail for request 1
auth: Failed to validate the user.
Login incorrect: [stryker8] (from client JW-Client port 0)
--------
Also, since I am running 1.1.4, I tried using the auto-header in PAP,
instead of the encryption_scheme.
I set auto_header = yes in the pap module in radiusd.conf
I set my Attribute to "MD5-Password" in the radcheck table.
I added "pap" to the end of the Authorize Module in radiusd.conf
I get the following error:
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = 'stryker8' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM
radcheck WHERE Username = 'stryker8' ORDER BY id
rlm_sql: Failed to create the pair: Unknown attribute "MD5-Password"
rlm_sql (sql): Error getting data from database
rlm_sql (sql): SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 2
modcall[authorize]: module "sql" returns fail for request 2
modcall: group authorize returns fail for request 2
There was no response configured: rejecting request 2
Server rejecting request 2.
Thanks for your help in advance!
Jonathan
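
An added example, not part of the original post and not FreeRADIUS code: it models the two comparisons the post describes, checking MD5(submitted password) against the stored hex value versus comparing the submitted string with the stored value as cleartext. The row is a constructed copy of the radcheck entry above, and all function names are hypothetical.

```python
import hashlib
import hmac
import re

# Constructed sample row mirroring the radcheck entry in the post.
RADCHECK_ROW = {"UserName": "stryker8", "Attribute": "Password",
                "op": ":=", "Value": "5f4dcc3b5aa765d61d8327deb882cf99"}

_MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")


def looks_like_md5_hex(value):
    """True if value has the shape of a hex-encoded MD5 digest."""
    return _MD5_HEX.fullmatch(value) is not None


def check_cleartext(submitted, stored):
    """Compare the submitted password with the stored value byte for byte."""
    return hmac.compare_digest(submitted.encode(), stored.encode())


def check_md5(submitted, stored):
    """Compare MD5(submitted) with a stored hex digest."""
    if not looks_like_md5_hex(stored):
        return False  # not a digest: refuse rather than fall back to cleartext
    digest = hashlib.md5(submitted.encode()).hexdigest()
    return hmac.compare_digest(digest, stored.lower())


def diagnose(row, submitted):
    """Report which comparison, if any, accepts the submitted password."""
    stored = row["Value"]
    return {
        "stored_is_md5_shaped": looks_like_md5_hex(stored),
        "md5_match": check_md5(submitted, stored),
        "cleartext_match": check_cleartext(submitted, stored),
    }


if __name__ == "__main__":
    # Try the real password, the stored hash itself, and a wrong password.
    for attempt in ("password", RADCHECK_ROW["Value"], "wrong"):
        print(attempt, diagnose(RADCHECK_ROW, attempt))
```

When only the cleartext comparison succeeds, the stored hash is acting as the password itself, so anyone who can read the table can authenticate with it.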