Please update your configuration so that the "known good" clear text password is in Cleartext-Password, and not in User-Password
Yannick Barbeaux
ybarbeaux at gmail.com
Tue Feb 21 16:42:52 CET 2012
Hello,
I know this question has been asked many times before yet I could not find
a solution to my problem:
On Debian squeeze, I installed FreeRADIUS 2.1.10 and use MySQL (5.1.49) for
the authentication (I uncommented the line "sql" in the 'authorize' and
'accounting' sections of /etc/freeradius/sites-available/default).
When I test with the following command:
root@my-machine:~# radtest sqltest testpwd localhost 1812 testing123
Sending Access-Request of id 116 to 127.0.0.1 port 1812
    User-Name = "sqltest"
    User-Password = "testpwd"
    NAS-IP-Address = 10.50.1.3
    NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=116, length=20
It receives the authorization correctly. It works fine...
Yet, in the debugging messages, I see the following (famous) message:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
I have read in the messages archive that I should
"replace in your configuration (either user file or database) all
occurrences of "User-Password" with "Cleartext-Password"."
Yet in my DB, I have:
mysql> select * from radcheck;
+----+----------+-----------+----+---------+
| id | username | attribute | op | value   |
+----+----------+-----------+----+---------+
|  1 | sqltest  | Password  | == | testpwd |
+----+----------+-----------+----+---------+
If I change the attribute to "Cleartext-Password" instead of "Password",
the connection is rejected (ERROR: No authenticate method (Auth-Type) found
for the request: Rejecting the user)
I did grep "Cleartext" in /etc/freeradius/* but found nothing.
Should I really worry about that warning and if yes, how can I get rid of
that message?
DEBUG INFO:
-----------
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 35731, id=116, length=59
    User-Name = "sqltest"
    User-Password = "testpwd"
    NAS-IP-Address = 10.50.1.3
    NAS-Port = 1812
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "sqltest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] expand: %{User-Name} -> sqltest
[sql] sql_set_user escaped user --> 'sqltest'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'sqltest' ORDER BY id
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'sqltest' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'sqltest' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "testpwd"
[pap] Using clear text password "testpwd"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 116 to 127.0.0.1 port 35731
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 116 with timestamp +2
Ready to process requests
---------------
I did read 'man rlm_pap' as suggested but could not find the solution.
Here is an excerpt of my /etc/freeradius/sites-available/default:
authorize {
    preprocess
    chap
    mschap
    digest
    suffix
    eap {
        ok = return
    }
    sql
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    digest
    unix
    eap
}
Any help would be greatly appreciated.
Yannick
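
An audit and migration of the radcheck layout shown above, as an added example that is not part of the original post or of FreeRADIUS. It assumes the `:=` operator that the FreeRADIUS SQL documentation uses for `Cleartext-Password` check items, and it uses a constructed in-memory SQLite table in place of the MySQL database; all rows except `sqltest` are constructed.

```python
import sqlite3

# Attribute names older configurations used for the plaintext "known good" password.
LEGACY_ATTRS = ("Password", "User-Password")

def make_db():
    """Constructed in-memory stand-in for the radcheck table shown in the post."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,"
               " attribute TEXT, op TEXT, value TEXT)")
    db.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?,?,?,?)",
        [("sqltest", "Password", "==", "testpwd"),           # row from the post
         ("alice", "Cleartext-Password", "==", "example1"),  # constructed: renamed, op still ==
         ("bob", "Cleartext-Password", ":=", "example2"),    # constructed: assumed-correct form
         ("carol", "Simultaneous-Use", ":=", "1")])          # constructed: not a password row
    return db

def audit(db):
    """Return (id, username, reason) for password rows that need attention."""
    findings = []
    rows = db.execute("SELECT id, username, attribute, op FROM radcheck ORDER BY id")
    for rid, user, attr, op in rows:
        if attr in LEGACY_ATTRS:
            findings.append((rid, user, "legacy attribute " + attr))
        elif attr == "Cleartext-Password" and op != ":=":
            # Assumption: := is the operator expected for this check item.
            findings.append((rid, user, "Cleartext-Password with op " + op))
    return findings

def migrate(db):
    """Rename legacy rows and set the operator to := in a single transaction."""
    with db:
        cur = db.execute(
            "UPDATE radcheck SET attribute = 'Cleartext-Password', op = ':='"
            " WHERE attribute IN (?, ?)"
            " OR (attribute = 'Cleartext-Password' AND op <> ':=')",
            LEGACY_ATTRS)
    return cur.rowcount

if __name__ == "__main__":
    db = make_db()
    for finding in audit(db):
        print(finding)
    print("rows changed:", migrate(db))
    print("remaining findings:", audit(db))
```
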