pap "Cleartext-Password", sql etc...

Ivan Kalik tnt at kalik.net
Thu Jan 31 11:46:18 CET 2008


OK, you replaced the operator. Why didn't you replace User-Password with
Cleartext-Password as the debug so clearly suggests (and so did someone else
on the list; I was under the impression that you had done that)?

As for the 2 requests - they seem to be 120 requests apart. The NAS usually sends
a new request about 2 seconds after sending the first one (if it gets no
response). If you have 120 requests in 2 seconds it's likely that your
database is having a hard time coping. Where are all those requests coming
from?

Ivan Kalik
Kalik Informatika ISP

On 31/1/2008, "Andrew Long" <fursink at gmail.com> wrote:

>With attribute `User-Password' and op = `==' we get this:
>
>rlm_sql (sql): Reserving sql socket id: 4
>        expand: SELECT id, username, attribute, value, op
>		FROM radcheck WHERE username = '%{SQL-User-Name}'
>		ORDER BY id ->
>		SELECT id, username, attribute, value, op FROM radcheck WHERE
>username = 'mainaroma_cn3200' ORDER BY id
>WARNING: Found User-Password == "...".
>WARNING: Are you sure you don't mean Cleartext-Password?
>WARNING: See "man rlm_pap" for more information.
>rlm_sql (sql): User found in radcheck table
>
>mysql> SELECT id, username, attribute, value, op
>FROM radcheck WHERE username = 'mainaroma_cn3200' ORDER BY id;
>+-----+------------------+---------------+-------------+----+
>| id  | username         | attribute     | value       | op |
>+-----+------------------+---------------+-------------+----+
>| 409 | mainaroma_cn3200 | User-Password | nicepassword | == |
>+-----+------------------+---------------+-------------+----+
>1 row in set (0.01 sec)
>
>========
>
>Now, with `op' = `:=' rather than `==' as Ivan suggests :
>we see the same error...
>
>  rad_check_password:  Found Auth-Type CHAP
>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>!!! Please update your configuration so that the "known good"               !!!
>!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>auth: type "CHAP"
>+- entering group CHAP
>  rlm_chap: login attempt by "mainaroma_cn3200" with CHAP password
>  rlm_chap: Using clear text password "aromaescape" for user
>mainaroma_cn3200 authentication.
>  rlm_chap: chap user mainaroma_cn3200 authenticated succesfully
>++[chap] returns ok
>
>The only difference is that when I use `:=' there are two
>access-requests from the host and two access-accepts:
>access-request id 40 --> access-accept id 40
>and then immediately
>access-request id 160 --> access-accept id 160.
>
>None of this is in users file; we pass the info from sql.
>
>Andrew
>EWS Solutions
>
>=======================================================
>On Jan 30, 2008 5:21 PM, Kevin Bonner <keb at pa.net> wrote:
>> On Wednesday 30 January 2008 15:31:51 Andrew Long wrote:
>> > If I change the attribute to `Cleartext-Password', authentication
>> > fails and I see:
>> >
>> > rlm_pap: WARNING! No "known good" password found for the user.
>> > Authentication may fail because of this.
>> > ++[pap] returns noop
>> >   rad_check_password:  Found Auth-Type CHAP
>> > auth: type "CHAP"
>> > +- entering group CHAP
>> >   rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password
>> >   rlm_chap: Cleartext-Password is required for authentication
>> > ++[chap] returns invalid
>> > auth: Failed to validate the user.
>> > Login incorrect (rlm_chap: Clear text password not available):
>> > [elmaroma_cn3000/<CHAP-Password>] (from client cn3000_aroma port 0 cli
>> > 00-02-6F-xx-xx-92)
>> >
>> > Thanks muchly,
>> > Andrew Long
>> > EWS
>
>
>
>2008/1/30 Ivan Kalik <tnt at kalik.net>:
>> Can you post the user's entry in the database? It's quite likely that you
>> left == as the operator instead of using :=.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> On 30/1/2008, "Andrew Long" <fursink at gmail.com> wrote:
>>
>>
>> >When I have (radcheck) attribute `User-Password', authentication
>> >succeeds but we see the following:
>> >
>> >rlm_pap: Found existing Auth-Type, not changing it.
>> >++[pap] returns noop
>> >  rad_check_password:  Found Auth-Type CHAP
>> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> >!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
>> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> >!!! Please update your configuration so that the "known good"               !!!
>> >!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
>> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> >auth: type "CHAP"
>> >+- entering group CHAP
>> >  rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password
>> >  rlm_chap: Using clear text password "aromaescape" for user
>> >elmaroma_cn3000 authentication.
>> >  rlm_chap: chap user elmaroma_cn3000 authenticated succesfully
>> >++[chap] returns ok
>> >
>> >If I change the attribute to `Cleartext-Password', authentication
>> >fails and I see:
>> >
>> >rlm_pap: WARNING! No "known good" password found for the user.
>> >Authentication may fail because of this.
>> >++[pap] returns noop
>> >  rad_check_password:  Found Auth-Type CHAP
>> >auth: type "CHAP"
>> >+- entering group CHAP
>> >  rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password
>> >  rlm_chap: Cleartext-Password is required for authentication
>> >++[chap] returns invalid
>> >auth: Failed to validate the user.
>> >Login incorrect (rlm_chap: Clear text password not available):
>> >[elmaroma_cn3000/<CHAP-Password>] (from client cn3000_aroma port 0 cli
>> >00-02-6F-xx-xx-92)
>> >
>> >The "users" file
>> >----------------------
>> >DEFAULT        Fall-Through = 1
>> >DEFAULT        Service-Type == Framed-User
>> >       Framed-IP-Address = 255.255.255.254,
>> >       Framed-MTU = 576,
>> >       Service-Type = Framed-User,
>> >       Fall-Through = Yes
>> >DEFAULT        Framed-Protocol == PPP
>> >       Framed-Protocol = PPP,
>> >       Framed-Compression = Van-Jacobson-TCP-IP
>> >---------------------
>> >authorize {
>> >       preprocess
>> >       chap
>> >       mschap
>> >       suffix
>> >       unix
>> >       files
>> >       sql
>> >       expiration
>> >       logintime
>> >       noresetcounter
>> >       dailycounter
>> >       monthlycounter
>> >       daypasscounter
>> >       pap
>> >}
>> >authenticate {
>> >       pap
>> >       chap
>> >       mschap
>> >}
>> >
>> >Thanks muchly,
>> >
>> >Andrew Long
>> >EWS
>> >-
>> >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>> >
>> >
>
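
An added example (not part of the thread and not FreeRADIUS project code): a script that audits radcheck for the two things Ivan points at, the legacy User-Password attribute and an operator other than := on a password row, and rewrites both. It assumes the column layout from the SELECT quoted above and uses an in-memory SQLite table as a stand-in for the MySQL database; the sample rows and the function names are constructed for illustration.

```python
import sqlite3

PASSWORD_ATTRS = ("User-Password", "Cleartext-Password")

def make_sample_db():
    """Constructed stand-in for radcheck (columns as in the thread's SELECT)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,"
        " attribute TEXT, value TEXT, op TEXT)")
    conn.executemany(
        "INSERT INTO radcheck VALUES (?, ?, ?, ?, ?)",
        [
            (1, "alice", "User-Password", "example-pw-1", "=="),       # both problems
            (2, "bob", "Cleartext-Password", "example-pw-2", "=="),    # operator only
            (3, "carol", "Cleartext-Password", "example-pw-3", ":="),  # already correct
            (4, "carol", "Simultaneous-Use", "1", ":="),               # not a password row
        ],
    )
    return conn

def audit_radcheck(conn):
    """Return (id, username, issues) per password row to fix; values are never read."""
    findings = []
    rows = conn.execute(
        "SELECT id, username, attribute, op FROM radcheck"
        " WHERE attribute IN (?, ?) ORDER BY id", PASSWORD_ATTRS)
    for row_id, user, attr, op in rows:
        issues = []
        if attr == "User-Password":
            issues.append("legacy attribute")
        if op != ":=":
            issues.append("operator " + op)
        if issues:
            findings.append((row_id, user, issues))
    return findings

def migrate_radcheck(conn):
    """Rewrite flagged rows in one transaction; return the number of rows changed."""
    ids = [f[0] for f in audit_radcheck(conn)]
    with conn:  # commits on success, rolls back on error
        conn.executemany(
            "UPDATE radcheck SET attribute = 'Cleartext-Password', op = ':='"
            " WHERE id = ?", [(i,) for i in ids])
    return len(ids)

if __name__ == "__main__":
    print(audit_radcheck(make_sample_db()))
```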



