always received Access-Reject using mysql

Bogi Aditya bogi at imtelkom.ac.id
Mon Nov 28 03:40:46 CET 2011


thanks Fajar

I've tried :
# radtest -t mschap usertest passtest localhost:1812 0 testing123
Sending Access-Request of id 13 to 127.0.0.1 port 1812
        User-Name = "usertest"
        NAS-IP-Address = 10.1.1.28
        NAS-Port = 0
        MS-CHAP-Challenge = 0x7effa6d1eaf313a9
        MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000d21d03024f55ebcf8c36dc84d85ab07e2b6c828184d3f151
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=13, length=108
        Framed-Compression = Van-Jacobson-TCP-IP
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Framed-MTU = 1500
        MS-CHAP-MPPE-Keys = 0x1e3efc59fb2a7c971c0de9b6d1dfe2f56b3d7d1338e5c7ee0000000000000000
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006

then I changed my radcheck table :
mysql> select * from radcheck;
+----+----------+--------------------+----+----------+
| id | username | attribute          | op | value    |
+----+----------+--------------------+----+----------+
|  1 | usertest | Cleartext-Password | := | passtest |
+----+----------+--------------------+----+----------+

and tried :
# radtest -t mschap usertest passtest localhost:1812 0 testing123
Sending Access-Request of id 149 to 127.0.0.1 port 1812
        User-Name = "usertest"
        NAS-IP-Address = 10.1.1.28
        NAS-Port = 0
        MS-CHAP-Challenge = 0xf13ba049100393c3
        MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000733c2565a50ac6d4c28569b959eca8a14ef7951536c66172
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=149, length=108
        Framed-Compression = Van-Jacobson-TCP-IP
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Framed-MTU = 1500
        MS-CHAP-MPPE-Keys = 0x1e3efc59fb2a7c971c0de9b6d1dfe2f56b3d7d1338e5c7ee0000000000000000
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006

should I change it to "Cleartext-Password" and op=":="
when it still works with "password" and op="==" ?
and why is the default value set to "=="
when it's supposed to be ":=" ?

so sorry, this is the first time I've used FreeRADIUS
(all this time I've used OpenLDAP for authentication)


On Mon, 28 Nov 2011 09:08:26 +0700, Fajar A. Nugraha wrote
> On Mon, Nov 28, 2011 at 8:29 AM, Bogi Aditya <bogi at imtelkom.ac.id> wrote:
> > thanks Alan
> >
> > I found the problem was in the "attribute" field
> > where I put "Cleartext-Password" based on the wiki :
> > http://wiki.freeradius.org/SQL-HOWTO
> 
> The example should be correct. From
> http://wiki.freeradius.org/SQL-HOWTO#Populating+SQL
> 
> mysql> select * from radcheck;
> +----+----------------+--------------------+------------------+------+
> | id | UserName       | Attribute          | Value            | Op   |
> +----+----------------+--------------------+------------------+------+
> |  1 | fredf          | Cleartext-Password | wilma            | :=   |
> |  2 | barney         | Cleartext-Password | betty            | :=   |
> |  2 | dialrouter     | Cleartext-Password | dialup           | :=   |
> +----+----------------+--------------------+------------------+------+
> 3 rows in set (0.01 sec)
> 
> Note how it uses ":=" as op?
> 
> >
> > after I changed the value to just "password"
> > it works fine now.
> 
> It has different meaning, actually.
> 
> If you use Password (or User-Password) with op "==", you're basically
> comparing the attribute User-Password in user request to the one in
> the database. It SHOULD work if the request is using PAP, but it 
> won't work if the request is using MS-CHAPv2 (or some other authentication
> protocol that does not send user password as plain text in
> User-Password attribute). You can test it with "radtest -t mschap"
> (available in newer versions of FR)
> 
> I highly suggest you change it to Cleartext-Password and ":="
> 
> -- 
> Fajar


-------------------------------
Bogi Aditya
Sisfo - IMTelkom
Telkom Institute of Management
http://bogi.blog.imtelkom.ac.id
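
Added example, not part of the original message or of FreeRADIUS itself: one way to audit a radcheck table for password rows that are not in the "Cleartext-Password" / ":=" form recommended in the quoted reply, and to migrate them. It assumes MySQL, the column names shown in the post (id, username, attribute, op, value), and a transactional storage engine such as InnoDB.

```sql
-- Added example. Assumes the radcheck columns shown in the post and a
-- transactional engine (InnoDB), so the UPDATE can be rolled back.
-- MySQL's default collations compare case-insensitively, so the lowercase
-- "password" attribute mentioned in the thread is matched as well.

-- 1. Audit: list password check items that use a legacy attribute name
--    or an operator other than ":=". The value column is deliberately
--    not selected, to keep cleartext passwords out of the terminal.
SELECT id, username, attribute, op
FROM radcheck
WHERE attribute IN ('Password', 'User-Password')
   OR (attribute = 'Cleartext-Password' AND op <> ':=');

-- 2. Migrate inside a transaction so the result can be checked first.
START TRANSACTION;

UPDATE radcheck
SET attribute = 'Cleartext-Password',
    op        = ':='
WHERE attribute IN ('Password', 'User-Password')
   OR (attribute = 'Cleartext-Password' AND op <> ':=');

-- 3. Verify: this must return no rows before committing.
SELECT id, username, attribute, op
FROM radcheck
WHERE attribute IN ('Password', 'User-Password', 'Cleartext-Password')
  AND NOT (attribute = 'Cleartext-Password' AND op = ':=');

COMMIT;  -- use ROLLBACK; instead if step 3 still lists rows
```

After committing, repeat the "radtest -t mschap" check from the thread to confirm authentication still succeeds.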



