simple question about auth-type PAP

opensource at tigusoft.pl opensource at tigusoft.pl
Wed Sep 5 04:47:15 CEST 2012



Hello,
we use RADIUS with a chilli hotspot for login, but the password is not working:

users cannot log in. From the RADIUS logs it would appear that the chilli login form
sends the user's password in some encrypted format (EAP?),
while RADIUS only wants to use it as cleartext (despite the configuration's
"authorize{...}" section allowing other types, as it is the default).
The RADIUS secret is the same in RADIUS and chilli.

What can be wrong?
How can we make RADIUS understand this encrypted password?
As a backup plan, how can we make both RADIUS and chilli (if any of you happen to
know / if this is related to RADIUS settings) use simple PAP...


Radius logs show:

root at hotspot:/etc/freeradius# freeradius  -X 
FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 
at 21:12:30
(...)
++[sql] returns ok
[expiration] Checking Expiration time: '7 Sep 2012 19:00'
++[expiration] returns ok
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP 
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "?�?�??s?�B??xڧ4"
[pap] Using clear text password "2i"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
	expand: LOGIN ERROR -> LOGIN ERROR
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [ddjz/\222�?�?
\207s\231\264B\030\006xڧ4] (from client localhost port 1 cli 00-16-E6-35-
FB-04) LOGIN ERROR
  WARNING: Unprintable characters in the password. 	  Double-check the 
shared secret on the server and the NAS!
Using Post-Auth-Type Reject

( Full boring log with initialization debug is available as needed )


Why was Auth-Type found to be PAP? Is it stated in the RADIUS packet? Or is it
configured wrongly in RADIUS, or maybe in the database?
The RADIUS config (and accounts, RADIUS groups etc.) is in a PostgreSQL database.


Configuration reads:



# egrep -v " *#" /etc/freeradius/clients.conf | egrep -v "^ *$"

client localhost {
	ipaddr = 127.0.0.1
	secret		= testing123
	require_message_authenticator = no
}



# egrep -v " *#" /etc/freeradius/sites-enabled/default | egrep -v "^ *$"

authorize {
	preprocess
	chap
	mschap
	digest
	suffix
	eap {
		ok = return
	}
	files
	sql
	expiration
	logintime
	pap
}
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	 digest
	 unix
		
	eap
}
preacct {
	preprocess
	acct_unique
	suffix
	files
}
accounting {
	detail
	unix
	radutmp
	sql
	exec
	attr_filter.accounting_response
}
session {
	radutmp
}
post-auth {
	exec
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}
pre-proxy {
}
post-proxy {
	eap
} 

Other files are at defaults (from debian stable).
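
Added example, not part of the original post: the debug log's warning about unprintable characters and the shared secret follows from how RADIUS hides User-Password (RFC 2865, section 5.2), which this Python sketch reproduces for a matching and a mismatched secret. It uses the `testing123` secret from clients.conf and the "2i" password from the log; the NAS-side secret `testing124`, the authenticator bytes and all function names are constructed for illustration.

```python
import hashlib

def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, pad))
        out += result
        prev = block if decrypt else result  # chain on the ciphertext either way
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS does before putting User-Password in the Access-Request."""
    padded_len = max(16, -(-len(password) // 16) * 16)  # NUL-pad to a multiple of 16
    return _xor_chain(password.ljust(padded_len, b"\0"), secret, authenticator, False)

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does with its own copy of the shared secret."""
    return _xor_chain(hidden, secret, authenticator, True).rstrip(b"\0")

def looks_printable(password: bytes) -> bool:
    """True when every byte is printable ASCII, i.e. plausibly a typed password."""
    return all(32 <= b < 127 for b in password)

# Constructed sample values (only testing123 and "2i" appear in the post).
SERVER_SECRET = b"testing123"
NAS_SECRET_MISMATCHED = b"testing124"
REQUEST_AUTHENTICATOR = bytes(range(16))

def demo() -> dict:
    """Recover the same password once with a matching and once with a mismatched NAS secret."""
    results = {}
    for label, nas_secret in (("match", SERVER_SECRET), ("mismatch", NAS_SECRET_MISMATCHED)):
        hidden = hide_password(b"2i", nas_secret, REQUEST_AUTHENTICATOR)
        results[label] = recover_password(hidden, SERVER_SECRET, REQUEST_AUTHENTICATOR)
    return results

if __name__ == "__main__":
    for label, recovered in demo().items():
        state = "printable" if looks_printable(recovered) else "UNPRINTABLE"
        print(label, repr(recovered), state)
```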




