always received Access-Reject using mysql

Fajar A. Nugraha list at fajar.net
Mon Nov 28 03:59:16 CET 2011


On Mon, Nov 28, 2011 at 9:40 AM, Bogi Aditya <bogi at imtelkom.ac.id> wrote:
> thanks Fajar
>
> I've tried :
> # radtest -t mschap usertest passtest localhost:1812 0 testing123
> Sending Access-Request of id 13 to 127.0.0.1 port 1812
>        User-Name = "usertest"
>        NAS-IP-Address = 10.1.1.28
>        NAS-Port = 0
>        MS-CHAP-Challenge = 0x7effa6d1eaf313a9
>        MS-CHAP-Response =
> 0x0001000000000000000000000000000000000000000000000000d21d03024f55ebcf8c36dc84
> d85ab07e2b6c828184d3f151
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=13,

Weird.

I just tested a similar thing on my setup (FR-2.1.12), and got
Access-Reject for both pap and mschap :)

> then I change my radcheck table :
> mysql> select * from radcheck;
> +----+----------+--------------------+----+----------+
> | id | username | attribute          | op | value    |
> +----+----------+--------------------+----+----------+
> |  1 | usertest | Cleartext-Password | := | passtest |
> +----+----------+--------------------+----+----------+
>
> and tried :
> # radtest -t mschap usertest passtest localhost:1812 0 testing123
> Sending Access-Request of id 149 to 127.0.0.1 port 1812
>        User-Name = "usertest"
>        NAS-IP-Address = 10.1.1.28
>        NAS-Port = 0
>        MS-CHAP-Challenge = 0xf13ba049100393c3
>        MS-CHAP-Response =
> 0x0001000000000000000000000000000000000000000000000000733c2565a50ac6d4c28569b9
> 59eca8a14ef7951536c66172
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=149,
> length=108

At least with Cleartext-Password and ":=" we got the same result.

> should I change it to "Cleartext-Password" and op=":="
> when it still work with "password" and op="==" ?

Definitely.

My best guess at this point is your FR version is old enough to permit
"password" and "==" and activate some kind of compatibility code,
which didn't exist in my version. Cleartext-Password and ":=" is the
correct way to specify plain text user password in current and future
versions of FR. If you don't want future upgrades to break your setup,
better use Cleartext-Password and ":=".

Running in debug mode (radiusd -X) should help in finding out why your
setup works (when it shouldn't). In my test (I'm using files instead
of db), I got these:

WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry testuser at line 5
++[files] returns ok
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request:
Rejecting the user
Failed to authenticate the user.
Login incorrect: [testuser] (from client localhost port 0) Here


> and why the default value is set to "=="
> when it suppose to be ":=" ?

"==" is useful in certain cases. For example, if you want the user to
ONLY be able to login from a NAS with IP address = 10.0.0.1, you could
use something like this:

 | usertest | Cleartext-Password | := | passtest |
 | usertest | NAS-IP-Address     | == | 10.0.0.1 |

>
> so sorry, this is the first time I used FreeRADIUS

No problem.

> (all this time I use OpenLDAP for authentication)

Did you know you can use LDAP as backend for FR, thus allowing your
users to use the same user/password combination whether they're using
FR or LDAP directly? :D

-- 
Fajar
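An added example, not part of the thread: a small audit script that applies the advice above to rows in the radcheck table layout shown (id, username, attribute, op, value), flagging the deprecated "Password/User-Password ==" form while leaving legitimate "==" check items such as NAS-IP-Address alone. The sample rows are constructed; the rule that a comparison operator on a password attribute is wrong is a generalisation of the rlm_pap warning quoted above.

```python
"""Audit FreeRADIUS radcheck rows for the deprecated password form.

'Password == x' / 'User-Password == x' only work via old compatibility code;
'Cleartext-Password := x' is the supported way to store a known-good password.
"""
from dataclasses import dataclass

# Legacy attribute names that FreeRADIUS once accepted as the stored password.
LEGACY_PASSWORD_ATTRS = {"Password", "User-Password"}
# Operators that compare against the request. Correct for NAS-IP-Address == x,
# wrong for a stored password, which must be assigned with ':='.
COMPARE_OPS = {"==", "!=", "<", ">", "<=", ">="}


@dataclass
class Finding:
    id: int
    username: str
    attribute: str
    op: str


def audit_radcheck(rows):
    """Return a Finding for every row that stores a password the deprecated way."""
    findings = []
    for rid, user, attr, op, _value in rows:
        legacy_attr = attr in LEGACY_PASSWORD_ATTRS
        bad_op = attr == "Cleartext-Password" and op in COMPARE_OPS
        if legacy_attr or bad_op:
            findings.append(Finding(rid, user, attr, op))
    return findings


def migration_sql(findings):
    """Build UPDATE statements converting flagged rows to Cleartext-Password :=."""
    return [
        f"UPDATE radcheck SET attribute='Cleartext-Password', op=':=' WHERE id={f.id};"
        for f in findings
    ]


# Constructed sample rows, modelled on the tables in the thread.
SAMPLE_ROWS = [
    (1, "usertest", "Password", "==", "passtest"),        # deprecated form
    (2, "alice", "Cleartext-Password", ":=", "s3cret"),   # supported form
    (3, "alice", "NAS-IP-Address", "==", "10.0.0.1"),     # legitimate use of ==
    (4, "bob", "User-Password", "==", "hunter2"),         # triggers rlm_pap warning
]

if __name__ == "__main__":
    found = audit_radcheck(SAMPLE_ROWS)
    for f in found:
        print(f"row {f.id} ({f.username}): {f.attribute} {f.op} -> Cleartext-Password :=")
    print("\n".join(migration_sql(found)))
```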
