same username with different password mysql chap

Brent Wilkinson brent at air2data.com
Thu Mar 10 23:31:35 CET 2011


I am in the process of setting up freeradius with mysql. I pretty much have
everything working correctly except an issue that has come up. I am not sure
if I did something wrong or this cannot be done.

Here is my radcheck database

+-----+----------+-----------+----+--------+-------+------------+
| id  | username | attribute | op | value  | PID   | expires    |
+-----+----------+-----------+----+--------+-------+------------+
| 462 | 10295    | password  | == | 912547 | 10295 | 2011-03-21 |
| 463 | 10295    | password  | == | 659320 | 10295 | 2011-03-21 |
| 464 | 10295    | password  | == | 322438 | 10295 | 2011-03-28 |
| 465 | 10295    | password  | == | 339410 | 10295 | 2011-04-04 |
| 466 | 10295    | password  | == | 987255 | 10295 | 2011-04-11 |
| 467 | 10295    | password  | == | 990160 | 10295 | 2011-04-18 |
| 468 | 10295    | password  | == | 373359 | 10295 | 2011-04-25 |
| 469 | 10295    | password  | == | 974781 | 10295 | 2011-05-02 |
| 470 | 10295    | password  | == | 121431 | 10295 | 2011-05-09 |
| 471 | 10295    | password  | == | 566703 | 10295 | 2011-05-16 |
| 472 | 10295    | password  | == | 430339 | 10295 | 2011-05-23 |
+-----+----------+-----------+----+--------+-------+------------+

Here is the debug I get from radius -X using username 10295 and password
912547

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.99.175 port 48655, id=43,
length=216
	NAS-Port-Type = Wireless-802.11
	Calling-Station-Id = "00:13:E8:17:C9:09"
	Called-Station-Id = "test1"
	NAS-Port-Id = "ether2"
	User-Name = "10295"
	MS-CHAP-Domain = "test"
	NAS-Port = 2153775123
	Acct-Session-Id = "80600013"
	Framed-IP-Address = 10.0.100.251
	Mikrotik-Host-IP = 10.0.100.251
	CHAP-Challenge = 0x9a7dde24641b743604ed531068ad4662
	CHAP-Password = 0x1ac903f936a5ccd7efdf337e94bd4ba958
	Service-Type = Login-User
	WISPr-Logoff-URL = "http://10.0.100.1/logout"
	NAS-Identifier = "Air2Data"
	NAS-IP-Address = 192.168.99.175
	Mikrotik-Realm = "test"
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "10295", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] 	expand: %{User-Name} -> 10295
[sql] sql_set_user escaped user --> '10295'
rlm_sql (sql): Reserving sql socket id: 3
[sql] 	expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'          ORDER BY id
-> SELECT id, username, attribute, value, op           FROM radcheck
WHERE username = '10295'          ORDER BY id
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] User found in radcheck table
[sql] 	expand: SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id
-> SELECT id, username, attribute, value, op           FROM radreply
WHERE username = '10295'           ORDER BY id
[sql] 	expand: SELECT groupname           FROM radusergroup           WHERE
username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username = '10295'
ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = CHAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
!!!    Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "10295" with CHAP password
[chap] Using clear text password "912547" for user 10295 authentication.
[chap] Password check failed
++[chap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> 10295
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.99.175 port 48655, id=43,
length=216
Waiting to send Access-Reject to client hotspot port 48655 - ID: 43
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 192.168.99.175 port 48655, id=43,
length=216
Waiting to send Access-Reject to client hotspot port 48655 - ID: 43
Waking up in 0.3 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 43 to 192.168.99.175 port 48655
Waking up in 4.9 seconds.
Cleaning up request 0 ID 43 with timestamp +2
Ready to process requests.


What am I missing in that the chap is failing the password even though it is
in the mysql database?

Thanks
Brent
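
Added example, not part of the original post and not FreeRADIUS code: an offline check of a logged CHAP exchange against every radcheck row for the user, using the RFC 1994 response MD5(ident || password || challenge). The helper names and the constructed request are assumptions for illustration; the logged CHAP-Challenge, CHAP-Password and row values are copied from the post.

```python
import hashlib
import hmac

def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def parse_chap_password(attr_hex: str) -> tuple[int, bytes]:
    """Split a RADIUS CHAP-Password value into CHAP ident and 16-octet digest."""
    raw = bytes.fromhex(attr_hex.removeprefix("0x"))
    if len(raw) != 17:
        raise ValueError("CHAP-Password must be 1 ident octet + 16 digest octets")
    return raw[0], raw[1:]

def matching_rows(chap_password_hex, challenge_hex, rows):
    """Return ids of radcheck rows whose cleartext value produces the response."""
    ident, digest = parse_chap_password(chap_password_hex)
    challenge = bytes.fromhex(challenge_hex.removeprefix("0x"))
    return [row_id for row_id, value in rows
            if hmac.compare_digest(chap_response(ident, value, challenge), digest)]

def build_constructed_request(password, ident=0x2A):
    """Constructed test data: the attributes a NAS would send for `password`."""
    challenge = bytes(range(16))  # fixed, constructed challenge
    attr = bytes([ident]) + chap_response(ident, password, challenge)
    return "0x" + attr.hex(), "0x" + challenge.hex()

# (id, value) pairs copied from the radcheck table in the post
RADCHECK_ROWS = [
    (462, "912547"), (463, "659320"), (464, "322438"), (465, "339410"),
    (466, "987255"), (467, "990160"), (468, "373359"), (469, "974781"),
    (470, "121431"), (471, "566703"), (472, "430339"),
]

if __name__ == "__main__":
    # Constructed request: the client used the value stored in row 464.
    chap_pw, chal = build_constructed_request("322438")
    print("constructed request matches rows:",
          matching_rows(chap_pw, chal, RADCHECK_ROWS))
    # Attributes copied from the Access-Request in the debug output.
    print("logged request matches rows:",
          matching_rows("0x1ac903f936a5ccd7efdf337e94bd4ba958",
                        "0x9a7dde24641b743604ed531068ad4662", RADCHECK_ROWS))
```

An empty list for the logged request means none of the stored values produced the digest the NAS sent; a row id means that row's value did.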




