Authentication using postfix user password
Tanya Muluw
tanya.muluw at gmail.com
Tue Sep 16 16:11:50 CEST 2008
Dear all,

I am trying to use Chillispot for captive portal with freeradius v
1.188.2.4.2.16 as the radius server. I am new to both Chillispot and
freeradius.

Since most users of our organization have a mail account in our postfix
mail server, I tried to use the postfix user password that is stored in mysql
for authentication. Therefore there will be two types of user, i.e.
users with postfix user password (encrypted password) and users with
cleartext password as normally created using voucher generator.

I inserted a user in radcheck with cleartext password, and a user from
postfix mysql mailbox table. So my radcheck is:
+-----+----------+---------------+----+------------------------------------+
| id  | username | attribute     | op | value                              |
+-----+----------+---------------+----+------------------------------------+
| 223 | testman  | User-Password | := | 123456                             |
| 225 | testman1 | User-Password | := | $1$bbf49e0f$MAcN54vB4L0wcKuYOCnQv/ |
+-----+----------+---------------+----+------------------------------------+
The usergroup table:
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| testman  | voucher   |        1 |
| testman1 | postfix   |        1 |
+----------+-----------+----------+
Test for user with cleartext password was successful.
$ sudo radtest testman 123456 localhost 22 easyhotspot
Sending Access-Request of id 142 to 127.0.0.1 port 1812
User-Name = "testman"
User-Password = "123456"
NAS-IP-Address = 255.255.255.255
NAS-Port = 22
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=142, length=20
Test for user with postfix user password was unsuccessful.
$ sudo radtest testman1 123456 localhost 22 easyhotspot
Sending Access-Request of id 161 to 127.0.0.1 port 1812
User-Name = "testman1"
User-Password = "123456"
NAS-IP-Address = 255.255.255.255
NAS-Port = 22
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=161, length=20
From debugging:
rad_recv: Access-Request packet from host 127.0.0.1:32817, id=161, length=60
User-Name = "testman1"
User-Password = "123456"
NAS-IP-Address = 255.255.255.255
NAS-Port = 22
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 11
modcall[authorize]: module "preprocess" returns ok for request 11
radius_xlat: 'testman1'
rlm_sql (sql): sql_set_user escaped user --> 'testman1'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op
FROM radcheck WHERE Username = 'testman1' ORDER BY
id'
rlm_sql (sql): Reserving sql socket id: 0
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testman1'
AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY
radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op
FROM radreply WHERE Username = 'testman1' ORDER BY
id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'testman1'
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY
radgroupreply.id'
rlm_sql (sql): Released sql socket id: 0
modcall[authorize]: module "sql" returns ok for request 11
modcall: leaving group authorize (returns ok) for request 11
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Delaying request 11 for 1 seconds
Finished request 11
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 161 to 127.0.0.1 port 32817
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 11 ID 161 with timestamp 48ced6ba
Then I put Auth-Type:=PAP in the radgroupcheck table:
+----+-----------+-----------+----+-------+
| id | groupname | attribute | op | value |
+----+-----------+-----------+----+-------+
| 21 | postfix   | Auth-Type | == | PAP   |
+----+-----------+-----------+----+-------+
However, the user with the postfix user password still fails to authenticate:
$ sudo radtest testman1 123456 localhost 22 easyhotspot
Sending Access-Request of id 157 to 127.0.0.1 port 1812
User-Name = "testman1"
User-Password = "123456"
NAS-IP-Address = 255.255.255.255
NAS-Port = 22
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=157, length=20
From debugging:
rad_recv: Access-Request packet from host 127.0.0.1:32816, id=157, length=60
User-Name = "testman1"
User-Password = "123456"
NAS-IP-Address = 255.255.255.255
NAS-Port = 22
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 10
modcall[authorize]: module "preprocess" returns ok for request 10
radius_xlat: 'testman1'
rlm_sql (sql): sql_set_user escaped user --> 'testman1'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op
FROM radcheck WHERE Username = 'testman1' ORDER BY
id'
rlm_sql (sql): Reserving sql socket id: 1
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testman1'
AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY
radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op
FROM radreply WHERE Username = 'testman1' ORDER BY
id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'testman1'
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY
radgroupreply.id'
rlm_sql (sql): Released sql socket id: 1
modcall[authorize]: module "sql" returns ok for request 10
modcall: leaving group authorize (returns ok) for request 10
rad_check_password: Found Auth-Type PAP
auth: type "PAP"
Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 10
rlm_pap: login attempt with password 123456
rlm_pap: Using clear text password "$1$bbf49e0f$MAcN54vB4L0wcKuYOCnQv/".
rlm_pap: Passwords don't match
modcall[authenticate]: module "pap" returns reject for request 10
modcall: leaving group PAP (returns reject) for request 10
auth: Failed to validate the user.
Delaying request 10 for 1 seconds
Finished request 10
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 157 to 127.0.0.1 port 32816
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 10 ID 157 with timestamp 48ced617
Nothing to do. Sleeping until we see a request.
Radiusd.conf was unchanged.
Is there any method to use the user password from the postfix mysql mailbox data
to authenticate a freeradius user?

Thanks in advance, and sorry for my bad English.
Best regards
TM
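
Both rejects in the traces above come from the server comparing the supplied password with the stored "$1$..." string literally, because the row is labelled User-Password. The Python sketch below is an added example, not part of the original post or of FreeRADIUS: it audits radcheck rows for crypt(3) hashes stored under User-Password and suggests Crypt-Password, the FreeRADIUS attribute for crypt(3) hashes. The function names and the third row (testman2) are constructed for illustration, and whether the server version in the post handles Crypt-Password is an assumption.

```python
import re

# crypt(3) modular format: $<id>$[rounds=N$]<salt>$<digest>
MCF = re.compile(
    r"^\$(?P<id>1|5|6)\$(?:rounds=\d+\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<digest>[./0-9A-Za-z]+)$"
)
# scheme id -> (name, digest length in characters)
SCHEMES = {"1": ("md5-crypt", 22), "5": ("sha256-crypt", 43), "6": ("sha512-crypt", 86)}


def parse_crypt(value):
    """Return (scheme, salt, digest) for a well-formed crypt(3) hash, else None."""
    m = MCF.match(value)
    if not m:
        return None
    name, digest_len = SCHEMES[m.group("id")]
    if len(m.group("digest")) != digest_len:
        return None  # truncated or padded value, not a usable hash
    return name, m.group("salt"), m.group("digest")


def audit(rows):
    """Map username -> (finding, suggested attribute) for radcheck password rows."""
    report = {}
    for username, attribute, value in rows:
        is_hash = parse_crypt(value) is not None
        if attribute == "User-Password" and is_hash:
            # The hash is compared to the supplied password as a plain string,
            # which is the "Passwords don't match" reject in the debug output.
            report[username] = ("hash-compared-as-cleartext", "Crypt-Password")
        elif attribute == "User-Password":
            report[username] = ("cleartext-at-rest", attribute)
        elif attribute == "Crypt-Password" and not is_hash:
            report[username] = ("malformed-hash", attribute)
        else:
            report[username] = ("ok", attribute)
    return report


# The two radcheck rows from the post, plus one constructed row (testman2)
# showing the same hash under the relabelled attribute.
RADCHECK = [
    ("testman", "User-Password", "123456"),
    ("testman1", "User-Password", "$1$bbf49e0f$MAcN54vB4L0wcKuYOCnQv/"),
    ("testman2", "Crypt-Password", "$1$bbf49e0f$MAcN54vB4L0wcKuYOCnQv/"),
]

if __name__ == "__main__":
    for user, (finding, attr) in audit(RADCHECK).items():
        print(f"{user:10} {finding:28} -> {attr}")
```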