rlm_passwd and EAP-MD5
Kolbjørn Barmen
kolbjorn.barmen at uninett.no
Wed Nov 28 22:51:10 CET 2007
Can rlm_passwd be used together with EAP-MD5?
If I set "Password == blabla" for a user test-user in the users file
and then connect using radeapclient as described in the manual with
"EAP-MD5-Password = blabla", it works fine. However, I want to use an
external clear-text password instead of having the password in users,
since I want to change the password for each and every test, and do
not want to HUP radiusd all the time.
Is this at all possible?
More details...
On the same server I already use rlm_passwd for authenticating certain
clients against a TACACS passwd file, and for those clients I have
entries like this in the users file:
DEFAULT Auth-Type := PAP, Client-IP-Address == "w.x.y.z"
which (if I have grasped things right) forces those clients to use PAP,
and this works excellently with the module
passwd tacacs {
filename = /local/etc/tacpasswd
format = "*User-Name:Crypt-Password:::::"
delimiter = ":"
hashsize = 100
ignorenislike = yes
ignoreempty = yes
allowmultiplekeys = no
}
Now, what I want is another passwd-module as above:
passwd mypw {
filename = ${confdir}/mypasswd
format = "*User-Name:Cleartext-Password"
delimiter = ":"
hashsize = 100
ignorenislike = yes
ignoreempty = yes
allowmultiplekeys = no
}
and mypasswd being in the form "test-user:cleartextpassword" and in users
instead of:
test-user Password == "blabla", NAS-Identifier == "mytest-NAS"
Reply-Message = "myradius.somewhere.no: OK"
which works just fine, I have
test-user NAS-Identifier == "mytest-NAS"
Reply-Message = "myradius.somewhere.no: OK"
and have EAP-MD5 work with this.
My radeapclient sends:
User-Name = test-user@test-realm.no
NAS-Identifier = mytest-NAS
EAP-MD5-Password = blabla
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = test-user@test-realm.no
Message-Authenticator = 0x00
NAS-Port = 0
With the above I get in the log:
Info: rlm_eap_md5: User-Password is required for EAP-MD5 authentication
Auth: Login incorrect: [test-user] (from client blabla.somewhere.no port 0)
And with debug (-X) I see this:
modcall[authorize]: module "eap" returns updated for request 5
users: Matched entry test-user at line 7
Yay!
modcall[authorize]: module "files" returns ok for request 5
modcall[authorize]: module "tacacs" returns notfound for request 5
modcall[authorize]: module "mypw" returns notfound for request 5
Sob.. why?
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/md5
rlm_eap: processing type md5
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
rlm_eap: Handler failed in EAP/md5
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 5
modcall: leaving group authenticate (returns invalid) for request 5
auth: Failed to validate the user.
Login incorrect: [test-user] (from client foo.somewhere.no port 0)
Anyone got a tip on how I might do this?
As for "Why EAP-MD5?", I just need some EAP-method for which
I can easily generate requests with radeapclient.
Thanks! :)
--
Kolbjørn Barmen
UNINETT Driftsenter
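As an added illustration, not code from the original post nor from FreeRADIUS itself: a small Python model of how an rlm_passwd-style lookup keyed on the "*Field" of the format string behaves, together with the EAP-MD5 check (RFC 3748, MD5 over EAP identifier, password and challenge) that explains why the server needs a clear-text password for this method. The passwd file contents, the challenge bytes and all function names are constructed for the example. It also shows that an exact-match lookup on the raw User-Name value does not match a realm-qualified name (such as the one radeapclient sends in the debug output above) against a file keyed by the bare user name.

```python
import hashlib
import hmac

# Constructed passwd file in the format the "mypw" module above declares:
#   format = "*User-Name:Cleartext-Password", delimiter = ":"
MYPASSWD = """\
test-user:blabla
other-user:s3cret
"""


def parse_format(fmt, delimiter):
    """Split an rlm_passwd format string into field names.

    The field prefixed with '*' is the lookup key. Returns (fields, key_index);
    empty names (as in "*User-Name:Crypt-Password:::::") are kept as placeholders.
    """
    fields = fmt.split(delimiter)
    key_index = None
    for i, name in enumerate(fields):
        if name.startswith("*"):
            fields[i] = name[1:]
            key_index = i
    if key_index is None:
        raise ValueError("format string has no '*' key field")
    return fields, key_index


def load_passwd(text, fmt, delimiter, ignoreempty=True):
    """Index the file as {key value: {attribute name: value}}."""
    fields, key_index = parse_format(fmt, delimiter)
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split(delimiter)
        cols += [""] * (len(fields) - len(cols))  # pad short lines
        key = cols[key_index]
        if ignoreempty and not key:
            continue
        table[key] = {name: val for name, val in zip(fields, cols) if name}
    return table


def lookup(table, user_name):
    """Exact-match lookup on the raw attribute value (no realm stripping)."""
    return table.get(user_name)


def eap_md5_response(eap_id, password, challenge):
    """EAP-MD5 / CHAP response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([eap_id]) + password.encode() + challenge).digest()


def verify_eap_md5(table, user_name, eap_id, challenge, response):
    """Return 'notfound', 'reject' or 'ok', mirroring the module return codes."""
    entry = lookup(table, user_name)
    if entry is None:
        return "notfound"  # what the debug log shows for "mypw" above
    expected = eap_md5_response(eap_id, entry["Cleartext-Password"], challenge)
    return "ok" if hmac.compare_digest(expected, response) else "reject"


if __name__ == "__main__":
    table = load_passwd(MYPASSWD, "*User-Name:Cleartext-Password", ":")
    challenge = bytes(range(16))  # constructed 16-byte challenge
    resp = eap_md5_response(210, "blabla", challenge)
    print(verify_eap_md5(table, "test-user", 210, challenge, resp))
    print(verify_eap_md5(table, "test-user@test-realm.no", 210, challenge, resp))
```

The second call returns "notfound" because the file key is "test-user" while the request carries the realm-qualified identity; the check itself can only succeed once a clear-text password for the looked-up key is available, which is exactly what rlm_eap_md5 complains about in the log.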