Upgrade From 1 to 2 - problem with authorize

Robert White rwhite at globalgossip.net
Thu Nov 5 07:16:11 CET 2009 

I altered my SQL to ClearText-Password with the ":=" operator and I now get
authenticated.  Thanks guys - the warning message was clear about what it
was referring to but I wasn't clear on what config i needed to change -
whether it was with mssql or pap.

Anyway, I still have the problem that I'm not having attributes returned.
 It's because my two stored procedures are not being run.

I have groupcheck_sp and groupreply_sp which used to get executed in my old
1.1.x setup in the authorize section but now that doesn't seem to happen.

I checked sql.conf and read_groups = yes.

Is there some change in 2.x i should be aware of?  I saw a message relating
to something similar I think here
http://readlist.com/lists/lists.freeradius.org/freeradius-users/4/24364.htmlbut
I couldn't figure out a resolution.

My output is similar to my earlier email but without the warning....

Ready to process requests.
rad_recv: Access-Request packet from host 10.152.0.7 port 20001, id=43,
length=168
        NAS-IP-Address = 10.152.0.7
        User-Name = "9999999999"
        User-Password = "9999999999"
        Service-Type = Login-User
        NAS-Port-Type = Async
        Calling-Station-Id = "1002"
        Quintum-h323-conf-id = "h323-conf-id=34616632 66373463 31390038
00333300"
        Quintum-AVPair = "h323-ivr-out=ACCESSCODE:990006"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "9999999999", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> 9999999999
[sql] sql_set_user escaped user --> '9999999999'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT [id], UserName, Attribute, [Value], op FROM
dbo.Rad_Authorize_User_Check('%{SQL-User-Name}') -> SELECT [id], UserName,
Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('0498666931')
query:  SELECT [id], UserName, Attribute, [Value], op FROM
dbo.Rad_Authorize_User_Check('9999999999')
[sql] User found in radcheck table
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "9999999999"
[pap] Using clear text password "9999999999"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [0498666931] (from client 10.152.0.7 port 0 cli 1002)
+- entering group post-auth {...}
[sql]   expand: %{User-Name} -> 9999999999
[sql] sql_set_user escaped user --> '9999999999'
++[sql] returns noop
++[exec] returns noop
Sending Access-Accept of id 43 to 10.152.0.7 port 20001
Finished request 0.

Thanks,

Rob

2009/10/27 Bjørn Mork <bjorn at mork.no>

> Robert White <rwhite at globalgossip.net> writes:
>
> > I'm trying to upgrade my setup from freeradius 1 to freeradius 2.
> >
> > I've been making little changes to the config as suggested in the doc and
> I
> > managed to get my setup connecting to my mssql backend.  However, when I
> try
> > and authorize with a user/pass, I get an error - actually more of a
> warning.
> >  I've Googled about but although others have had this error I haven't
> really
> > seen a good explanation of why it occurs let alone how to solve.
>
> I believe the rlm_pap(5) man page explains the different password
> attribute and their usage pretty well.
>
> The point the server is trying to make you aware of is that you can't
> really do an equality check on the User-Password.  The attribute
> received from the other end is encrypted:
>  http://freeradius.org/rfc/rfc2865.html#User-Password
>
> That's why
>
>  luser   User-Password == "foo"
>
> is wrong.  Don't do it.
>
> When you configure a user account, you will instead *set* another server
> configuration attribute which may be used by the authentication modules
> to verify the received User-Password.  So you'll do
>
>  luser   Cleartext-Password := "foo"
>
> and the rlm_pap module will see both the Cleartext-Password you set and
> the User-Password the NAS sent and do whatever it needs to verify that
> they match.  This concept might be even clearer if you instead configure
>
>  luser   Crypt-Password := "aaKNIEDOaueR6"
>
> The rlm_pap will still be able to verify the received password.
>
>
>
> > Sending Access-Accept of id 16 to 10.152.0.7 port 20001
>
> Looks like your 2.x config doesn't have any reply attributes.
>
> > Sending Access-Accept of id 31 to 10.152.0.7 port 20001
> >         h323-return-code = "h323-return-code=0"
> >         h323-billing-model = "h323-billing-model=0"
> >         h323-credit-amount = "h323-credit-amount=76.15"
> >         h323-currency = "h323-currency=AUD"
>
> while the 1.x config sends a number of them.  Maybe that's why your NAS
> doesn't do what you expect, even if it gets an accept in both cases?
>
>
> Bjørn
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Rob White
Assistant IT Manager
Core Infrastructure & System Development
Global Gossip Group
Address: 14 Wentworth Avenue, Sydney NSW 2010
Telephone: +61 292 630 460
Fax: +61 292 630 404
Mobile: +61 410 700 733
Email: rwhite at globalgossip.net
Skype: robwhite83
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20091105/11984fd7/attachment.html>

More information about the Freeradius-Users mailing list