Proxy not working properly with PAP

John Campbell john at johnrcampbell.ca
Mon Aug 30 00:06:09 CEST 2010


We are using FreeRADIUS Version 0.9.3 (I know - it's old).  We are
authenticating users on a network of wireless access controllers and are
trying to integrate a new type of access controller.  This controller can
only authenticate using PAP (I know - it's old and unsecure).  We use MySQL
for the user database.  We have built a custom application to manage user
passwords.  If an authentication attempt is not successful (no user account,
expired password, invalid password) then FreeRADIUS sends a proxy request to
the customer application to deal with the situation.

When we use PAP, FreeRADIUS is sending proxy requests to the custom
application in the case of:

User not in the MySQL database
User is in the MySQL database but the password has expired

The problem is that it is not (or at least does not appear to be) sending a
proxy request in the case of: 

User is in the MySQL database, there is a non-expired password but the
submitted password is incorrect.  

We have very detailed logging on the custom application starting with the
reception of a message on the port - here is a sample:

[10/08/29 16:26:54:567]C[PortThread         ]Received message on UDP port 15000.

However, in the problem case we don't see anything - so it seems to me that
FreeRADIUS is not proxying this authentication request to the custom
application.  I have searched radius.conf and proxy.conf for some setting
that would manage this without luck.

Also it is important to note that this problem does not occur when we are
using MS-CHAPV2 which we do with other controllers we have integrated with -
it seems to be associated with PAP.

Also - in case you were wondering, users can authenticate if they have a
valid user name and password.

Any suggestions would be appreciated.

Regards, John






