Freeradius doesn't detect EAP when authenticating against MySQL

preem primski at
Mon Oct 22 20:46:15 CEST 2007

Sorry if this has been posted more than once, mailing list rejected message


I have a simillar problem with EAP-MD5 authenticating against MySQL

Whatever i do, it won't accept password, which is stored in the MySQL db
using MD5('') function. However, if i send a password's hash as password it
accepts it, which indicates something is not hashing password before
comparing to the hash in the db.

I have done pretty much all mentioned in this mailing conversation, even
upgraded to Ubuntu Gutsy, which has 1.1.6 version on FreeRadius. I had
Feisty before, which has 1.1.3, haven't tried compiling though, to latest

I do not understand, should the Windows XP's supplicant encrypt password
prior to sending, or does it send it in cleartext and the radius encrypts
before comparing? Windows doesn't have any extra option about this, so I'm
thinking should i change the supplicant software, perhaps w2secure, although
I'm setting up a LAN authentication for 250 users, and pretty much all use
windows and would like to avoid installing extra supplicant?

Any thoughts are appreciated.


Andrew Rowson wrote:
> Phil Mayers wrote:
>> Sigh.
>> Don't set the Auth-Type AT ALL. The only legitimate uses are:
>>  * setting it to Accept for PAP requests
>>  * setting it to Reject
>>  * setting it to the name of a specific instance where there are >1 of
>> the same type of auth module with different configs (e.g. 2 different
>> LDAPs or 2 different mschap)
>> The "eap" module will itself detect the request is eap and (assuming the
>> server is configured correctly, as it is by default) set the Auth-Type.
>> By forcing it manually, you are guaranteeing that certain authentication
>> configurations will fail.
> I know all this now, I didn't before. I set this server up a while back 
> to handle my cisco device logins, I can't remember why I'd put that in 
> radgroupcheck. It's not removed.
>>> and seems to issue the attributes (my cisco priv ones are there) ok. My 
>>> laptop still doesn't get an IP address, but this may now be an issue 
>>> with the AP.
>>> Can I safely now say that freeradius is behaving correctly and the issue 
>>> is now with the AP, or does the above output still point to a freeradius 
>>> issue?
>> I don't know why you're returning:
>> Cisco-AVPair = "shell:priv-lvl=15"
>> Service-Type = Administrative-User
>> an access point EAP session; neither make any sense, and I
>> suppose could be mucking things up, but most likely the problem lies
>> with the supplicant rather than the AP. It may not like the SSL server
>> certificate, though from what I can see it's not getting that far. Is
>> the supplicant configured to do EAP-TLS?
> I'm returning these because, as above, I want to use the same 
> credentials as those that I use for logging into my cisco routers, and I 
> want to pass those attributes when I log into a router. It's true they 
> could be confusing things for the AP, but is there a way to not return 
> them when the auth type is detected as EAP? Or do I have to use a 
> completely different set of credentials?
>> It's apparent you've done a serious amount of fiddling with the default
>> configs. I suggest doing a default/clean install, and starting from the
>> most basic - a user in the "users" file:
>> username	Cleartext-Password := "foobar"
>> Check if they can authenticate. Then setup the sql module, put the above
>> AND ONLY THE ABOVE entries in the database, and test again. Making once
>> change at a time will allow you to pin down the problem; at the moment,
>> there are lots of things it *could* be.
> I will do this.
>> -
>> List info/subscribe/unsubscribe? See
> -
> List info/subscribe/unsubscribe? See

View this message in context:
Sent from the FreeRadius - User mailing list archive at

More information about the Freeradius-Users mailing list