Chap/Pap Authentication
Joseph Showalter
Tech at ekn.com
Fri Jan 18 17:23:29 CET 2013
What we would like to do is this:
Take this request:
User-Name = "6064191111 at evdo.myawi.net"
CHAP-Password = 0x59db2896a9629a7a1296e8e3dc7751da58
NAS-IP-Address = 10.130.2.1
CHAP-Challenge = 0x022074534be2e8405c867f676b46b432
3GPP2-Attr-60 = 0x00000001
3GPP2-Attr-61 = 0x0106000000010209a0000029275c41
Message-Authenticator = 0x01f9054690c3a469fa1bf824dfba3bbe
Proxy-State = 0x3136
And instead of using CHAP to authenticate the user, we take the 3GPP2-Attr-61, convert it to the password we want, set it into Cleartext-Password, and have the sql module query the DB for that new password.
Here is the Perl code that we run prior to the pap module:
# $meid holds the password derived earlier from 3GPP2-Attr-61
my $retattr = "Cleartext-Password := $meid";
$retattr .= ", CHAP-Password :=\"\" , CHAP-Challenge :=\"\" ";
$retattr .= ", Auth-Type := PAP ";
print "$retattr\n";   # rlm_exec reads the attribute list from stdout
We return $retattr to FreeRADIUS.
Here is the output:
Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
[preprocess] expand: %{NAS-IP-Address} -> 10.130.2.1
[preprocess] expand: %{NAS-IP-Address} -> 10.130.2.1
++[preprocess] returns ok
[evdoesn] expand: %{User-Name} -> 6064191111 at evdo.myawi.net
Exec-Program output: Cleartext-Password := 268435460102579521, CHAP-Password :="" , CHAP-Challenge :="" , Auth-Type := PAP
Exec-Program-Wait: value-pairs: Cleartext-Password := 268435460102579521, CHAP-Password :="" , CHAP-Challenge :="" , Auth-Type := PAP
Exec-Program: returned: 0
++[evdoesn] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.55.42.32/auth-detail-20130118
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.55.42.32/auth-detail-20130118
[auth_log] expand: %t -> Fri Jan 18 11:06:43 2013
++[auth_log] returns ok
[sql] expand: %{User-Name} -> 6064191111 at evdo.myawi.net
[sql] sql_set_user escaped user --> '6064191111 at evdo.myawi.net'
rlm_sql (sql): Reserving sql socket id: 50
[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '6064191111 at evdo.myawi.net' ORDER BY id
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '6064191111 at evdo.myawi.net' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] User found in radcheck table
[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '6064191111 at evdo.myawi.net' ORDER BY id
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '6064191111 at evdo.myawi.net' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql] expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE UserName='6064191111 at evdo.myawi.net'
rlm_sql_postgresql: query: SELECT GroupName FROM usergroup WHERE UserName='6064191111 at evdo.myawi.net'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
[sql] expand: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id -> SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = '6064191111 at evdo.myawi.net' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = '6064191111 at evdo.myawi.net' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql] User found in group evdo
[sql] expand: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id -> SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username = '6064191111 at evdo.myawi.net' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql_postgresql: query: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username = '6064191111 at evdo.myawi.net' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
rlm_sql (sql): Released sql socket id: 50
++[sql] returns ok
[pap] No clear-text password in the request. Not performing PAP.
++[pap] returns noop
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
CHAP-Password is incorrect.
Failed to authenticate the user.
Login incorrect: [6064191111 at evdo.myawi.net/<CHAP-Password>] (from client radius08 port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
--
regards, Joseph
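As an added illustration (not code from the post, nor from FreeRADIUS itself), this is the check the server performs before it logs "CHAP-Password is incorrect": the CHAP-Password attribute carries the client's MD5 over ident, clear-text password and CHAP-Challenge, so the server can only verify it if it holds that same clear-text password, which is why clearing CHAP-Password and switching to PAP gives rlm_pap nothing to check. The attribute values are copied from the request above; the derived-password constant, the round-trip helper and the constructed challenge are assumptions of this example.

```python
import hashlib
import hmac
import os

# Values copied from the access request quoted in the post.
CHAP_PASSWORD = bytes.fromhex("59db2896a9629a7a1296e8e3dc7751da58")
CHAP_CHALLENGE = bytes.fromhex("022074534be2e8405c867f676b46b432")
# Cleartext-Password that the exec script produced in the log above (assumed as the known-good secret).
DERIVED_PASSWORD = b"268435460102579521"


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client side (RFC 1994, RFC 2865 s5.3): CHAP-Password = ident || MD5(ident || secret || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(chap_password: bytes, challenge: bytes, known_password: bytes) -> bool:
    """Server side, as rlm_chap does it: recompute the digest from the known-good
    clear-text password and compare it with the 16 octets the client sent."""
    if len(chap_password) != 17 or len(challenge) == 0:
        return False                      # 1 ident octet + 16-octet MD5 digest, nothing else
    ident = chap_password[0]
    expected = chap_response(ident, known_password, challenge)
    return hmac.compare_digest(expected, chap_password)


def derived_password_matches_post_packet() -> bool:
    """Whether the MEID-derived password would have satisfied the quoted request.
    The server never made this comparison: the failure it logged came from the
    legacy Auth-Type Local path using the User-Password row rlm_sql found in radcheck."""
    return verify_chap(CHAP_PASSWORD, CHAP_CHALLENGE, DERIVED_PASSWORD)


if __name__ == "__main__":
    # Constructed round trip: a client that knows the password always verifies.
    challenge = os.urandom(16)
    resp = chap_response(0x59, DERIVED_PASSWORD, challenge)
    print("constructed client verifies:", verify_chap(resp, challenge, DERIVED_PASSWORD))
    print("derived password fits the post's packet:", derived_password_matches_post_packet())
```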