pap "Cleartext-Password", sql etc...

Andrew Long fursink at gmail.com
Thu Jan 31 13:37:45 CET 2008


Sorry about that. As you suggested, when I replace BOTH op and
attribute with ':=' and 'Cleartext-Password', the authentication
proceeds properly.

As to the duplicate requests, I did this test with only one host
configured to use this freeradius server and there were two requests
and two responses, like this and in this order with nothing in
between:

-Jan 31 08:08:13 debug   iprulesmgr  Sending RADIUS Access Request (id='14')
-rad_recv: Access-Request packet from host xxx.xxx.xxx.58 port 1024,
id=14, length=196
-Sending Access-Accept of id 14 to xxx.xxx.xxx.58 port 1024
-Jan 31 08:08:14 debug   iprulesmgr  Received RADIUS Access Accept (id='14')
-Jan 31 08:08:14 debug   iprulesmgr  Sending RADIUS Access Request (id='240')
-rad_recv: Access-Request packet from host xxx.xxx.xxx.58 port 1024,
id=240, length=196
-Sending Access-Accept of id 240 to xxx.xxx.xxx.58 port 1024
-Jan 31 08:08:14 debug   iprulesmgr  Received RADIUS Access Accept (id='240')

There were no intermediate requests sent from the client to any other
hosts, so I can only say that there is something in the client
(Colubris CN3200) which is not obeying the traffic laws by sending
consecutive requests so far apart in number...

Ivan, thank you.

Also, kudos to all developers for making the debug output so much more precise!

- Andrew Long
EWS Solutions

2008/1/31 Ivan Kalik <tnt at kalik.net>:
> OK, you replaced the operator. Why didn't you replace User-Password with
> Cleartext-Password as debug so clearly suggests (and so did someone else
> on the list; I was under the impression that you had done that)?
>
> As for 2 requests - they seem to be 120 requests apart. NAS usually sends
> a new request about 2 seconds after sending the first one (if it gets no
> response). If you have 120 requests in 2 seconds it's likely that your
> database is having a hard time coping. Where are all those requests coming
> from?
>
> Ivan Kalik
> Kalik Informatika ISP
>
> Dana 31/1/2008, "Andrew Long" <fursink at gmail.com> piše:
>
>
> >With attribute `User-Password' and op = `==' we get this:
> >
> >rlm_sql (sql): Reserving sql socket id: 4
> >        expand: SELECT id, username, attribute, value, op
> >               FROM radcheck WHERE username = '%{SQL-User-Name}'
> >               ORDER BY id ->
> >               SELECT id, username, attribute, value, op FROM radcheck WHERE
> >username = 'mainaroma_cn3200' ORDER BY id
> >WARNING: Found User-Password == "...".
> >WARNING: Are you sure you don't mean Cleartext-Password?
> >WARNING: See "man rlm_pap" for more information.
> >rlm_sql (sql): User found in radcheck table
> >
> >mysql> SELECT id, username, attribute, value, op
> >FROM radcheck WHERE username = 'mainaroma_cn3200' ORDER BY id;
> >+-----+------------------+---------------+-------------+----+
> >| id  | username         | attribute     | value       | op |
> >+-----+------------------+---------------+-------------+----+
> >| 409 | mainaroma_cn3200 | User-Password | nicepassword | == |
> >+-----+------------------+---------------+-------------+----+
> >1 row in set (0.01 sec)
> >
> >========
> >
> >Now, with `op' = `:=' rather than `==' as Ivan suggests :
> >we see the same error...
> >
> >  rad_check_password:  Found Auth-Type CHAP
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >!!! Please update your configuration so that the "known good"               !!!
> >!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >auth: type "CHAP"
> >+- entering group CHAP
> >  rlm_chap: login attempt by "mainaroma_cn3200" with CHAP password
> >  rlm_chap: Using clear text password "aromaescape" for user
> >mainaroma_cn3200 authentication.
> >  rlm_chap: chap user mainaroma_cn3200 authenticated succesfully
> >++[chap] returns ok
> >
> >The only difference is that when I use `:=' there are two
> >access-requests from the host and two access-accepts:
> >access-request id 40 --> access-accept id 40
> >and then immediately
> >access-request id 160 --> access-accept id 160.
> >
> >None of this is in users file; we pass the info from sql.
> >
> >Andrew
> >EWS Solutions
> >
> >=======================================================
> >On Jan 30, 2008 5:21 PM, Kevin Bonner <keb at pa.net> wrote:
> >> On Wednesday 30 January 2008 15:31:51 Andrew Long wrote:
> >> > If I change the attribute to `Cleartext-Password', authentication
> >> > fails and I see:
> >> >
> >> > rlm_pap: WARNING! No "known good" password found for the user.
> >> > Authentication may fail because of this.
> >> > ++[pap] returns noop
> >> >   rad_check_password:  Found Auth-Type CHAP
> >> > auth: type "CHAP"
> >> > +- entering group CHAP
> >> >   rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password
> >> >   rlm_chap: Cleartext-Password is required for authentication
> >> > ++[chap] returns invalid
> >> > auth: Failed to validate the user.
> >> > Login incorrect (rlm_chap: Clear text password not available):
> >> > [elmaroma_cn3000/<CHAP-Password>] (from client cn3000_aroma port 0 cli
> >> > 00-02-6F-xx-xx-92)
> >> >
> >> > Thanks muchly,
> >> > Andrew Long
> >> > EWS
> >
> >
> >
> >2008/1/30 Ivan Kalik <tnt at kalik.net>:
> >> Can you post the users entry in the database? It's quite likely that you
> >> left == as the operator instead of using :=.
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >>
> >> Dana 30/1/2008, "Andrew Long" <fursink at gmail.com> piše:
> >>
> >>
> >> >When I have (radcheck) attribute `User-Password', authentication
> >> >succeeds but we see the following:
> >> >
> >> >rlm_pap: Found existing Auth-Type, not changing it.
> >> >++[pap] returns noop
> >> >  rad_check_password:  Found Auth-Type CHAP
> >> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >> >!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
> >> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >> >!!! Please update your configuration so that the "known good"               !!!
> >> >!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> >> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >> >auth: type "CHAP"
> >> >+- entering group CHAP
> >> >  rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password
> >> >  rlm_chap: Using clear text password "aromaescape" for user
> >> >elmaroma_cn3000 authentication.
> >> >  rlm_chap: chap user elmaroma_cn3000 authenticated succesfully
> >> >++[chap] returns ok
> >> >
> >> >If I change the attribute to `Cleartext-Password', authentication
> >> >fails and I see:
> >> >
> >> >rlm_pap: WARNING! No "known good" password found for the user.
> >> >Authentication may fail because of this.
> >> >++[pap] returns noop
> >> >  rad_check_password:  Found Auth-Type CHAP
> >> >auth: type "CHAP"
> >> >+- entering group CHAP
> >> >  rlm_chap: login attempt by "elmaroma_cn3000" with CHAP password
> >> >  rlm_chap: Cleartext-Password is required for authentication
> >> >++[chap] returns invalid
> >> >auth: Failed to validate the user.
> >> >Login incorrect (rlm_chap: Clear text password not available):
> >> >[elmaroma_cn3000/<CHAP-Password>] (from client cn3000_aroma port 0 cli
> >> >00-02-6F-xx-xx-92)
> >> >
> >> >The "users" file
> >> >----------------------
> >> >DEFAULT        Fall-Through = 1
> >> >DEFAULT        Service-Type == Framed-User
> >> >       Framed-IP-Address = 255.255.255.254,
> >> >       Framed-MTU = 576,
> >> >       Service-Type = Framed-User,
> >> >       Fall-Through = Yes
> >> >DEFAULT        Framed-Protocol == PPP
> >> >       Framed-Protocol = PPP,
> >> >       Framed-Compression = Van-Jacobson-TCP-IP
> >> >---------------------
> >> >authorize {
> >> >       preprocess
> >> >       chap
> >> >       mschap
> >> >       suffix
> >> >       unix
> >> >       files
> >> >       sql
> >> >       expiration
> >> >       logintime
> >> >       noresetcounter
> >> >       dailycounter
> >> >       monthlycounter
> >> >       daypasscounter
> >> >       pap}
> >> >authenticate {
> >> >       pap
> >> >       chap
> >> >       mschap}
> >> >
> >> >Thanks muchly,
> >> >
> >> >Andrew Long
> >> >EWS
> >> >-
> >> >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
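The radcheck change the thread converges on (attribute Cleartext-Password, operator :=), written out as an added example in MySQL; this is not code from any of the posters, and the table definition and the sample row are constructed to mirror the row shown above:

```sql
-- Added example: minimal radcheck table as FreeRADIUS's rlm_sql reads it.
-- Constructed schema (not the project's shipped schema); columns match
-- the SELECT that rlm_sql expands in the debug output above.
CREATE TABLE radcheck (
  id        INT AUTO_INCREMENT PRIMARY KEY,
  username  VARCHAR(64)  NOT NULL,
  attribute VARCHAR(64)  NOT NULL,
  op        CHAR(2)      NOT NULL DEFAULT '==',
  value     VARCHAR(253) NOT NULL
);

-- The row as it was in the thread: wrong attribute AND wrong operator.
-- With '==' the row is a comparison against the incoming request; with ':='
-- it is placed in the control list so rlm_pap/rlm_chap can use it as the
-- "known good" password.
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('mainaroma_cn3200', 'User-Password', '==', 'nicepassword');

-- Audit: every check row that will trigger the rlm_pap warning or leave
-- rlm_chap without a clear-text password.
SELECT id, username, attribute, op
FROM radcheck
WHERE attribute = 'User-Password'
   OR (attribute = 'Cleartext-Password' AND op <> ':=');

-- Fix: move the known-good password into Cleartext-Password with ':='.
UPDATE radcheck
SET attribute = 'Cleartext-Password',
    op        = ':='
WHERE attribute = 'User-Password';

-- Re-running the audit SELECT above should now return no rows.
```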