Freeradius 2 + MySQL + MD5 hash don't work

joaocdc at gmail.com
Thu Mar 17 21:01:34 CET 2011


Hello,
Has anyone already implemented freeradius 2 with mysql?

I'm using version 2.1.10 of freeradius on Debian 6.

If I try a plaintext based authentication, everything works.

But if I try to do an authentication with an MD5 password, I get the
following message:

*[pap] ERROR: You set 'Auth-Type = PAP' for a request that does not contain
a User-Password attribute!*

Below is my debug and table structures of authentication.


Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.25.3.0 port 1814, id=40,
length=143
    User-Name = "usql2 at visitantes"
    NAS-IP-Address = 127.0.0.1
    Calling-Station-Id = "02-00-00-00-00-01"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x02000015017573716c32407669736974616e746573
    Message-Authenticator = 0x026cbd100d0b63cacb106f91006b21f2
    Proxy-State = 0x30
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "visitantes" for User-Name = "usql2 at visitantes"
[suffix] Found realm "visitantes"
[suffix] Adding Stripped-User-Name = "usql2"
[suffix] Adding Realm = "visitantes"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++? if (Realm == "visitantes" )
? Evaluating (Realm == "visitantes" ) -> TRUE
++? if (Realm == "visitantes" ) -> TRUE
++- entering if (Realm == "visitantes" ) {...}
[sql_visitantes]     expand: %{Stripped-User-Name} -> usql2
[sql_visitantes] sql_set_user escaped user --> 'usql2'
rlm_sql (sql_visitantes): Reserving sql socket id: 4
[sql_visitantes]     expand: SELECT id, username, attribute, value,
op           FROM radcheck           WHERE username =
'%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute,
value, op           FROM radcheck           WHERE username =
'usql2'           ORDER BY id
[sql_visitantes] User found in radcheck table
[sql_visitantes]     expand: SELECT id, username, attribute, value,
op           FROM radreply           WHERE username =
'%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute,
value, op           FROM radreply           WHERE username =
'usql2'           ORDER BY id
[sql_visitantes]     expand: SELECT groupname           FROM
radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER
BY priority -> SELECT groupname           FROM radusergroup           WHERE
username = 'usql2'           ORDER BY priority
[sql_visitantes]     expand: SELECT id, groupname, attribute,
Value, op           FROM radgroupcheck           WHERE groupname =
'%{Sql-Group}'           ORDER BY id -> SELECT id, groupname,
attribute,           Value, op           FROM radgroupcheck           WHERE
groupname = 'visitantes'           ORDER BY id
[sql_visitantes] User found in group visitantes
[sql_visitantes]     expand: SELECT id, groupname, attribute,
value, op           FROM radgroupreply           WHERE groupname =
'%{Sql-Group}'           ORDER BY id -> SELECT id, groupname,
attribute,           value, op           FROM radgroupreply           WHERE
groupname = 'visitantes'           ORDER BY id
rlm_sql (sql_visitantes): Released sql socket id: 4
+++[sql_visitantes] returns ok
++- if (Realm == "visitantes" ) returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing MD5-Password from hex encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
*[pap] ERROR: You set 'Auth-Type = PAP' for a request that does not contain
a User-Password attribute!*
++[pap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
++? if (Realm == "visitantes" )
? Evaluating (Realm == "visitantes" ) -> TRUE
++? if (Realm == "visitantes" ) -> TRUE
++- entering if (Realm == "visitantes" ) {...}
[sql_visitantes]     expand: %{Stripped-User-Name} -> usql2
[sql_visitantes] sql_set_user escaped user --> 'usql2'
[sql_visitantes]     expand: %{User-Password} ->
[sql_visitantes]     ... expanding second conditional
[sql_visitantes]     expand: %{Chap-Password} ->
[sql_visitantes]     expand: INSERT INTO
radpostauth                           (username, pass, reply,
authdate)                           VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO
radpostauth                           (username, pass, reply,
authdate)                           VALUES (
'usql2 at visitantes',                           '',
'Access-Reject', '2011-03-17 16:54:17')
rlm_sql (sql_visitantes) in sql_postauth: query is INSERT INTO
radpostauth                           (username, pass, reply,
authdate)                           VALUES (
'usql2 at visitantes',                           '',
'Access-Reject', '2011-03-17 16:54:17')
rlm_sql (sql_visitantes): Reserving sql socket id: 3
rlm_sql (sql_visitantes): Released sql socket id: 3
+++[sql_visitantes] returns ok
++- if (Realm == "visitantes" ) returns ok
[attr_filter.access_reject]     expand: %{User-Name} -> usql2 at visitantes
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 40 to 172.25.3.0 port 1814
    Proxy-State = 0x30
Waking up in 4.9 seconds.
Cleaning up request 0 ID 40 with timestamp +12
Ready to process requests.


mysql> select * from radcheck;
+----+----------+--------------------+----+----------------------------------+
| id | username | attribute          | op | value                            |
+----+----------+--------------------+----+----------------------------------+
|  1 | usql1    | Cleartext-Password | := | usql1                            |
|  2 | usql2    | MD5-Password       | := | 18f3e5d08056778649949b6872a0d4ff |
+----+----------+--------------------+----+----------------------------------+
2 rows in set (0.00 sec)

mysql> select * from radgroupcheck;
+----+------------+-----------+----+-------+
| id | groupname  | attribute | op | value |
+----+------------+-----------+----+-------+
|  1 | visitantes | Auth-Type | := | PAP   |
+----+------------+-----------+----+-------+
1 row in set (0.00 sec)

mysql> select * from radusergroup;;
+----------+------------+----------+
| username | groupname  | priority |
+----------+------------+----------+
| usql1    | visitantes |        1 |
| usql2    | visitantes |        1 |
+----------+------------+----------+
2 rows in set (0.00 sec)


-- 
João Paulo de Lima Barbosa