pap "Cleartext-Password", sql etc...

Andrew Long fursink at gmail.com
Thu Jan 31 02:32:47 CET 2008


With attribute `User-Password' and op = `==' we get this:

rlm_sql (sql): Reserving sql socket id: 4
        expand: SELECT id, username, attribute, value, op
		FROM radcheck WHERE username = '%{SQL-User-Name}'
		ORDER BY id ->
		SELECT id, username, attribute, value, op FROM radcheck WHERE
username = 'mainaroma_cn3200' ORDER BY id
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
rlm_sql (sql): User found in radcheck table

mysql> SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'mainaroma_cn3200' ORDER BY id;
+-----+------------------+---------------+-------------+----+
| id  | username         | attribute     | value       | op |
+-----+------------------+---------------+-------------+----+
| 409 | mainaroma_cn3200 | User-Password | nicepassword | == |
+-----+------------------+---------------+-------------+----+
1 row in set (0.01 sec)

========

Now, with `op' = `:=' rather than `==', as Ivan suggests,
we see the same error...

  rad_check_password:  Found Auth-Type CHAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type "CHAP"
+- entering group CHAP
  rlm_chap: login attempt by "mainaroma_cn3200" with CHAP password
  rlm_chap: Using clear text password "aromaescape" for user
mainaroma_cn3200 authentication.
  rlm_chap: chap user mainaroma_cn3200 authenticated succesfully
++[chap] returns ok

The only difference is that when I use `:=' there are two
access-requests from the host and two access-accepts:
access-request id 40 --> access-accept id 40
and then immediately
access-request id 160 --> access-accept id 160.

None of this is in users file; we pass the info from sql.

Andrew
EWS Solutions

=======================================================
On Jan 30, 2008 5:21 PM, Kevin Bonner <keb at pa.net> wrote:
> On Wednesday 30 January 2008 15:31:51 Andrew Long wrote:
> > If I change the attribute to `Cleartext-Password', authentication
> > fails and I see:
> >
> > rlm_pap: WARNING! No "known good" password found for the user.
> > Authentication may fail because of this.
> > ++[pap] returns noop
> >   rad_check_password:  Found Auth-Type CHAP
> > auth: type "CHAP"
> > +- entering group CHAP
> >   rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password
> >   rlm_chap: Cleartext-Password is required for authentication
> > ++[chap] returns invalid
> > auth: Failed to validate the user.
> > Login incorrect (rlm_chap: Clear text password not available):
> > [elmaroma_cn3000/<CHAP-Password>] (from client cn3000_aroma port 0 cli
> > 00-02-6F-xx-xx-92)
> >
> > Thanks muchly,
> > Andrew Long
> > EWS



2008/1/30 Ivan Kalik <tnt at kalik.net>:
> Can you post the user's entry in the database? It's quite likely that you
> left == as the operator instead of using :=.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 30/1/2008, "Andrew Long" <fursink at gmail.com> wrote:
>
>
> >When I have (radcheck) attribute `User-Password', authentication
> >succeeds but we see the following:
> >
> >rlm_pap: Found existing Auth-Type, not changing it.
> >++[pap] returns noop
> >  rad_check_password:  Found Auth-Type CHAP
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >!!! Please update your configuration so that the "known good"               !!!
> >!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >auth: type "CHAP"
> >+- entering group CHAP
> >  rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password
> >  rlm_chap: Using clear text password "aromaescape" for user
> >elmaroma_cn3000 authentication.
> >  rlm_chap: chap user elmaroma_cn3000 authenticated succesfully
> >++[chap] returns ok
> >
> >If I change the attribute to `Cleartext-Password', authentication
> >fails and I see:
> >
> >rlm_pap: WARNING! No "known good" password found for the user.
> >Authentication may fail because of this.
> >++[pap] returns noop
> >  rad_check_password:  Found Auth-Type CHAP
> >auth: type "CHAP"
> >+- entering group CHAP
> >  rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password
> >  rlm_chap: Cleartext-Password is required for authentication
> >++[chap] returns invalid
> >auth: Failed to validate the user.
> >Login incorrect (rlm_chap: Clear text password not available):
> >[elmaroma_cn3000/<CHAP-Password>] (from client cn3000_aroma port 0 cli
> >00-02-6F-xx-xx-92)
> >
> >The "users" file
> >----------------------
> >DEFAULT        Fall-Through = 1
> >DEFAULT        Service-Type == Framed-User
> >       Framed-IP-Address = 255.255.255.254,
> >       Framed-MTU = 576,
> >       Service-Type = Framed-User,
> >       Fall-Through = Yes
> >DEFAULT        Framed-Protocol == PPP
> >       Framed-Protocol = PPP,
> >       Framed-Compression = Van-Jacobson-TCP-IP
> >---------------------
> >authorize {
> >       preprocess
> >       chap
> >       mschap
> >       suffix
> >       unix
> >       files
> >       sql
> >       expiration
> >       logintime
> >       noresetcounter
> >       dailycounter
> >       monthlycounter
> >       daypasscounter
> >       pap}
> >authenticate {
> >       pap
> >       chap
> >       mschap}
> >
> >Thanks muchly,
> >
> >Andrew Long
> >EWS
> >-
> >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
> >
>
>
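
An added example, not part of the original thread or of FreeRADIUS: a Python audit of a radcheck table for the two things discussed above, password rows stored under User-Password and password rows whose op is not `:=`, with a migration to `Cleartext-Password :=`. It assumes the column layout from the query in the debug output and uses an in-memory SQLite table with constructed rows as a stand-in for the MySQL database; the function names are hypothetical.

```python
import sqlite3

# User-Password is what the client sends in the request; the server-side
# "known good" value belongs in Cleartext-Password, per the quoted warning.
LEGACY_ATTR = "User-Password"
TARGET_ATTR = "Cleartext-Password"

def make_radcheck(rows):
    """Build an in-memory stand-in for radcheck (columns as in the thread's query)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, "
               "attribute TEXT, value TEXT, op TEXT)")
    db.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?, ?)", rows)
    return db

def audit(db):
    """Return (id, username, problem) for each password row that needs attention."""
    findings = []
    cur = db.execute("SELECT id, username, attribute, op FROM radcheck "
                     "WHERE attribute IN (?, ?) ORDER BY id",
                     (LEGACY_ATTR, TARGET_ATTR))
    for rid, user, attr, op in cur:
        if attr == LEGACY_ATTR:
            findings.append((rid, user, "attribute is User-Password"))
        if op != ":=":
            findings.append((rid, user, f"operator is {op}, not :="))
    return findings

def migrate(db):
    """Rewrite flagged rows to Cleartext-Password := <value>; return rows changed."""
    cur = db.execute("UPDATE radcheck SET attribute = ?, op = ':=' "
                     "WHERE attribute = ? OR (attribute = ? AND op <> ':=')",
                     (TARGET_ATTR, LEGACY_ATTR, TARGET_ATTR))
    db.commit()
    return cur.rowcount

# Constructed sample rows; usernames and values are placeholders, not from the thread.
SAMPLE = [
    (1, "user_a", "User-Password", "example-pw-1", "=="),
    (2, "user_b", "Cleartext-Password", "example-pw-2", "=="),
    (3, "user_c", "Cleartext-Password", "example-pw-3", ":="),
    (4, "user_c", "Simultaneous-Use", "1", ":="),
]

if __name__ == "__main__":
    db = make_radcheck(SAMPLE)
    for finding in audit(db):
        print(finding)
    print("rows changed:", migrate(db))
    print("remaining findings:", audit(db))
```

Run the audit on its own first; the migration only touches password rows, so other check items such as the constructed Simultaneous-Use row are left as they are.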



