Radius, MySQL and encrypted passwords
retroneo
retroisneo at gmail.com
Tue Sep 1 14:42:02 CEST 2009
Hello all,
I'm trying to get Radius to work with encrypted passwords in the MySQL database.
My setup:
FreeRADIUS 2.1.0 + MySQL + Dialup Admin installed via Ubuntu 9.04's
official packages
I posted my full config files here (please tell me if you need more info):
http://pastebin.com/f529d2cce
If I leave "sql_password_attribute: Crypt-Password" in
/etc/freeradius-dialupadmin/admin.conf, then after creating a user I get this in the database:
5 | test1 | User-Password | := | $1$B0q/wVK4$2bxfP9RJMfqBbi/APaxa2
And here is the error I get:
rad_recv: Access-Request packet from host x.x.x.x port 32769, id=175, length=57
User-Name = "test1"
User-Password = "testing"
NAS-IP-Address = x.x.x.x
NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "test1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
expand: %{User-Name} -> test1
[sql] sql_set_user escaped user --> 'test1'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'test1' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'test1' ORDER
BY id
[sql] User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'test1' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'test1' ORDER
BY id
expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'test1' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup
WHERE username = 'test1' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group PAP {...}
[pap] login attempt with password "testing"
[pap] Using clear text password "$1$B0q/wVK4$2bxfP9RJMfqBbi/APaxa2/"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
expand: %{User-Name} -> test1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 175 to x.x.x.x port 32769
But when I set "sql_password_attribute: Crypt-Password" and add
"encryption_scheme = crypt" in "modules/pap",
I then re-create a new user via dialupadmin and get this in the database:
4 | test1 | Crypt-Password | := | $1$G/t7x3UX$GcfvNdGecUt6TJDyywOcZ0
I still get an Access-Reject, and this is the debug info:
rad_recv: Access-Request packet from host x.x.x.x port 32769, id=230, length=57
User-Name = "test1"
User-Password = "testing"
NAS-IP-Address = x.x.x.x
NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "test1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
expand: %{User-Name} -> test1
[sql] sql_set_user escaped user --> 'test1'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'test1' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'test1' ORDER
BY id
[sql] User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'test1' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'test1' ORDER
BY id
expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'test1' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup
WHERE username = 'test1' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "testing"
[pap] No password configured for the user. Cannot do authentication
++[pap] returns fail
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
expand: %{User-Name} -> test1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 230 to x.x.x.x port 32769
For now I tried using crypt, but would like to use SHA if possible.
Thank you
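
In the first debug log above, the PAP module compares the submitted password with the stored "$1$..." string as if it were clear text. The following Python check is an added example, not part of the original post and not FreeRADIUS or Dialup Admin code: it audits radcheck rows for a crypt(3)-formatted value stored under a clear-text attribute, and for Crypt-Password values that are not well-formed. The function names and row id 9 are hypothetical; the other sample rows use the values shown in the post.

```python
import re

# crypt(3) modular format "$id$salt$hash"; id "1" is MD5-crypt, as in the post.
MCF = re.compile(r"^\$([0-9a-z]+)\$([./0-9A-Za-z]{1,16})\$([./0-9A-Za-z]+)$")
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional 13-character crypt
CLEARTEXT_ATTRS = {"User-Password", "Cleartext-Password"}


def audit_row(attribute, value):
    """Return a finding for one radcheck (attribute, value) pair."""
    m = MCF.match(value)
    if attribute in CLEARTEXT_ATTRS:
        # Heuristic: a value shaped like a crypt hash would be compared as clear text.
        return "hash-in-cleartext-attribute" if m else "ok"
    if attribute == "Crypt-Password":
        if m is None:
            return "ok" if DES_CRYPT.match(value) else "not-crypt-format"
        scheme, salt, digest = m.groups()
        # MD5-crypt: salt of at most 8 characters, digest of exactly 22.
        if scheme == "1" and (len(salt) > 8 or len(digest) != 22):
            return "malformed-md5-crypt"
        return "ok"
    return "skipped"  # not a password attribute this check knows about


def audit(rows):
    """Return (id, username, finding) for every row that needs attention."""
    findings = []
    for row_id, username, attribute, value in rows:
        result = audit_row(attribute, value)
        if result not in ("ok", "skipped"):
            findings.append((row_id, username, result))
    return findings


ROWS = [
    # Value as printed by the [pap] line of the first debug log.
    (5, "test1", "User-Password", "$1$B0q/wVK4$2bxfP9RJMfqBbi/APaxa2/"),
    # Row from the second attempt in the post.
    (4, "test1", "Crypt-Password", "$1$G/t7x3UX$GcfvNdGecUt6TJDyywOcZ0"),
    # Constructed: the same hash cut short, e.g. by a too-narrow column.
    (9, "demo", "Crypt-Password", "$1$G/t7x3UX$GcfvNdGecUt6TJDyywOc"),
]

if __name__ == "__main__":
    for finding in audit(ROWS):
        print(finding)
```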