Upgrade From 1 to 2 - problem with authorize
Bjørn Mork
bjorn at mork.no
Tue Oct 27 10:42:54 CET 2009
Robert White <rwhite at globalgossip.net> writes:
> I'm trying to upgrade my setup from freeradius 1 to freeradius 2.
>
> I've been making little changes to the config as suggested in the doc and I
> managed to get my setup connecting to my mssql backend. However, when I try
> and authorize with a user/pass, I get an error - actually more of a warning.
> I've Googled about but although others have had this error I haven't really
> seen a good explanation of why it occurs let alone how to solve.

I believe the rlm_pap(5) man page explains the different password
attributes and their usage pretty well.

The point the server is trying to make you aware of is that you can't
really do an equality check on the User-Password. The attribute
received from the other end is encrypted:

  http://freeradius.org/rfc/rfc2865.html#User-Password

That's why

  luser User-Password == "foo"

is wrong. Don't do it.

When you configure a user account, you will instead *set* another server
configuration attribute which may be used by the authentication modules
to verify the received User-Password. So you'll do

  luser Cleartext-Password := "foo"

and the rlm_pap module will see both the Cleartext-Password you set and
the User-Password the NAS sent and do whatever it needs to verify that
they match. This concept might be even clearer if you instead configure

  luser Crypt-Password := "aaKNIEDOaueR6"

The rlm_pap will still be able to verify the received password.

> Sending Access-Accept of id 16 to 10.152.0.7 port 20001

Looks like your 2.x config doesn't have any reply attributes.

> Sending Access-Accept of id 31 to 10.152.0.7 port 20001
> h323-return-code = "h323-return-code=0"
> h323-billing-model = "h323-billing-model=0"
> h323-credit-amount = "h323-credit-amount=76.15"
> h323-currency = "h323-currency=AUD"

while the 1.x config sends a number of them. Maybe that's why your NAS
doesn't do what you expect, even if it gets an accept in both cases?

Bjørn