Radius, MySQL and encrypted passwords

retroneo retroisneo at gmail.com
Tue Sep 1 14:42:02 CEST 2009


Hello all,

I'm trying to get Radius to work with encrypted passwords in the MySQL database.

My setup:
FreeRADIUS 2.1.0 + MySQL + Dialup Admin installed via Ubuntu 9.04's
official packages
I posted my full config files here (please tell me if you need more info):
http://pastebin.com/f529d2cce

If I leave "sql_password_attribute: Crypt-Password" in
/etc/freeradius-dialupadmin/admin.conf,
after creating a user I get this in the database:
5 | test1 | User-Password | := | $1$B0q/wVK4$2bxfP9RJMfqBbi/APaxa2

And here is the error I get:
rad_recv: Access-Request packet from host x.x.x.x port 32769, id=175, length=57
	User-Name = "test1"
	User-Password = "testing"
	NAS-IP-Address = x.x.x.x
	NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "test1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
	expand: %{User-Name} -> test1
[sql] sql_set_user escaped user --> 'test1'
rlm_sql (sql): Reserving sql socket id: 4
	expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER
BY id -> SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = 'test1'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
    FROM radcheck           WHERE username = 'test1'           ORDER
BY id
[sql] User found in radcheck table
	expand: SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = '%{SQL-User-Name}'           ORDER
BY id -> SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = 'test1'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
    FROM radreply           WHERE username = 'test1'           ORDER
BY id
	expand: SELECT groupname           FROM radusergroup           WHERE
username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username =
'test1'           ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup
       WHERE username = 'test1'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group PAP {...}
[pap] login attempt with password "testing"
[pap] Using clear text password "$1$B0q/wVK4$2bxfP9RJMfqBbi/APaxa2/"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
	expand: %{User-Name} -> test1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 175 to x.x.x.x port 32769


But when I set "sql_password_attribute: Crypt-Password" and add
"encryption_scheme = crypt" in "modules/pap",
then re-create a new user via dialupadmin, I get this in the database:
4 | test1 | Crypt-Password | := | $1$G/t7x3UX$GcfvNdGecUt6TJDyywOcZ0

I still get an Access-Reject, and this is the debug info:
rad_recv: Access-Request packet from host x.x.x.x port 32769, id=230, length=57
	User-Name = "test1"
	User-Password = "testing"
	NAS-IP-Address = x.x.x.x
	NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "test1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
	expand: %{User-Name} -> test1
[sql] sql_set_user escaped user --> 'test1'
rlm_sql (sql): Reserving sql socket id: 4
	expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER
BY id -> SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = 'test1'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
    FROM radcheck           WHERE username = 'test1'           ORDER
BY id
[sql] User found in radcheck table
	expand: SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = '%{SQL-User-Name}'           ORDER
BY id -> SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = 'test1'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
    FROM radreply           WHERE username = 'test1'           ORDER
BY id
	expand: SELECT groupname           FROM radusergroup           WHERE
username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username =
'test1'           ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup
       WHERE username = 'test1'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "testing"
[pap] No password configured for the user.  Cannot do authentication
++[pap] returns fail
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
	expand: %{User-Name} -> test1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 230 to x.x.x.x port 32769

For now I tried using crypt, but would like to use SHA if possible.

Thank you
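As an added example (not part of the post, and not code from FreeRADIUS or dialup_admin), here is a Python script that produces and checks the two kinds of radcheck value discussed above: the "$1$salt$hash" MD5-crypt form that a Crypt-Password row holds, and a salted SHA1 value for the SHA route the poster asks about. Assumptions made here: the attribute names Crypt-Password and SSHA-Password as rlm_pap handles them, base64(SHA1(password || salt) || salt) as the SSHA encoding, and an in-script MD5-crypt written as a stand-in for the platform crypt(3) so the script runs anywhere. The username, password and salts are constructed for the example.

```python
# Added example (not from the mailing-list post): build and check the
# password hashes FreeRADIUS rlm_pap can verify from a radcheck row.
import base64
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v: int, n: int) -> str:
    """crypt(3)-style base-64: n characters, least significant 6 bits first."""
    out = []
    for _ in range(n):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """Pure-Python MD5-crypt ("$1$salt$hash"), the scheme behind the $1$...
    values shown in the post.  Implemented here (assumption: a stand-in for
    crypt(3)) following the original FreeBSD algorithm, 1000 rounds."""
    pw = password.encode()
    salt = salt.split("$")[0][:8]            # at most 8 salt chars, stop at '$'
    s = salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    pl = len(pw)
    while pl > 0:                             # mix in len(pw) bytes of alt
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                                  # one byte per bit of len(pw)
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                     # stretching rounds
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    enc = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$1${salt}${enc}"


def verify_crypt(password: str, stored: str) -> bool:
    """What a Crypt-Password check does: re-hash with the stored salt, compare."""
    if not stored.startswith("$1$"):
        return False                          # only MD5-crypt is implemented here
    parts = stored.split("$")                 # ['', '1', salt, hash]
    if len(parts) != 4:
        return False
    return hmac.compare_digest(md5_crypt(password, parts[2]), stored)


def ssha_password(password: str, salt: bytes) -> str:
    """SSHA-Password value (assumed encoding): base64(SHA1(pw || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return base64.b64encode(digest + salt).decode()


def verify_ssha(password: str, stored_b64: str) -> bool:
    """Split the decoded value into a 20-byte digest and trailing salt, recompute."""
    raw = base64.b64decode(stored_b64)
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def sha_password_hex(password: str) -> str:
    """Unsalted SHA-Password as hex; the salted SSHA form above is preferable."""
    return hashlib.sha1(password.encode()).hexdigest()


def radcheck_row(username: str, scheme: str, password: str):
    """(username, attribute, op, value) for the radcheck table queried in the
    post's debug output; the salt is random, the scheme picks the attribute."""
    if scheme == "crypt":
        salt = _to64(int.from_bytes(os.urandom(6), "big"), 8)
        return (username, "Crypt-Password", ":=", md5_crypt(password, salt))
    if scheme == "ssha":
        return (username, "SSHA-Password", ":=", ssha_password(password, os.urandom(8)))
    raise ValueError(f"unknown scheme {scheme!r}")


if __name__ == "__main__":
    for scheme in ("crypt", "ssha"):          # constructed user and password
        print(radcheck_row("test1", scheme, "testing"))
```

The two verify functions mirror what the server must be able to do from the stored value alone: with MD5-crypt the salt is embedded in the "$1$salt$" prefix, with SSHA it trails the digest inside the base64 blob. A row whose attribute name does not match the stored format (the second debug trace, where pap finds no usable password) cannot be checked by either path, which is why the attribute and the value format have to be chosen together.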
