always received Access-Reject using mysql
Bogi Aditya
bogi at imtelkom.ac.id
Mon Nov 28 03:40:46 CET 2011
thanks Fajar
I've tried:
# radtest -t mschap usertest passtest localhost:1812 0 testing123
Sending Access-Request of id 13 to 127.0.0.1 port 1812
        User-Name = "usertest"
        NAS-IP-Address = 10.1.1.28
        NAS-Port = 0
        MS-CHAP-Challenge = 0x7effa6d1eaf313a9
        MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000d21d03024f55ebcf8c36dc84d85ab07e2b6c828184d3f151
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=13, length=108
        Framed-Compression = Van-Jacobson-TCP-IP
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Framed-MTU = 1500
        MS-CHAP-MPPE-Keys = 0x1e3efc59fb2a7c971c0de9b6d1dfe2f56b3d7d1338e5c7ee0000000000000000
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
then I changed my radcheck table:
mysql> select * from radcheck;
+----+----------+--------------------+----+----------+
| id | username | attribute          | op | value    |
+----+----------+--------------------+----+----------+
|  1 | usertest | Cleartext-Password | := | passtest |
+----+----------+--------------------+----+----------+
and tried:
# radtest -t mschap usertest passtest localhost:1812 0 testing123
Sending Access-Request of id 149 to 127.0.0.1 port 1812
        User-Name = "usertest"
        NAS-IP-Address = 10.1.1.28
        NAS-Port = 0
        MS-CHAP-Challenge = 0xf13ba049100393c3
        MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000733c2565a50ac6d4c28569b959eca8a14ef7951536c66172
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=149, length=108
        Framed-Compression = Van-Jacobson-TCP-IP
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Framed-MTU = 1500
        MS-CHAP-MPPE-Keys = 0x1e3efc59fb2a7c971c0de9b6d1dfe2f56b3d7d1338e5c7ee0000000000000000
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
Should I change it to "Cleartext-Password" and op=":="
when it still works with "password" and op="=="?
And why is the default value set to "=="
when it is supposed to be ":="?
So sorry, this is the first time I have used FreeRADIUS
(all this time I have used OpenLDAP for authentication)
On Mon, 28 Nov 2011 09:08:26 +0700, Fajar A. Nugraha wrote
> On Mon, Nov 28, 2011 at 8:29 AM, Bogi Aditya <bogi at imtelkom.ac.id> wrote:
> > thanks Alan
> >
> > I found the problem was in the "attribute" field
> > where I put "Cleartext-Password" based on the wiki :
> > http://wiki.freeradius.org/SQL-HOWTO
>
> The example should be correct. From
> http://wiki.freeradius.org/SQL-HOWTO#Populating+SQL
>
> mysql> select * from radcheck;
> +----+----------------+--------------------+------------------+------+
> | id | UserName       | Attribute          | Value            | Op   |
> +----+----------------+--------------------+------------------+------+
> |  1 | fredf          | Cleartext-Password | wilma            | :=   |
> |  2 | barney         | Cleartext-Password | betty            | :=   |
> |  2 | dialrouter     | Cleartext-Password | dialup           | :=   |
> +----+----------------+--------------------+------------------+------+
> 3 rows in set (0.01 sec)
>
> Note how it uses ":=" as op?
>
> >
> > after I changed the value to just "password"
> > it works fine now.
>
> It has different meaning, actually.
>
> If you use Password (or User-Password) with op "==", you're basically
> comparing the attribute User-Password in user request to the one in
> the database. It SHOULD work if the request is using PAP, but it
> won't work if the request is using MS-CHAPv2 (or some other authentication
> protocol that does not send user password as plain text in
> User-Password attribute). You can test it with "radtest -t mschap"
> (available in newer versions of FR)
>
> I highly suggest you change it to Cleartext-Password and ":="
>
> --
> Fajar
-------------------------------
Bogi Aditya
Sisfo - IMTelkom
Telkom Institute of Management
http://bogi.blog.imtelkom.ac.id