Proxy Treatment of PAP/Chap Auth Types
James T Mugauri
james at africonnect.co.zm
Fri May 3 04:46:27 CEST 2013
Hi,
Hope someone can give me a pointer on this matter.
We have 2 RADIUS installations, thus:
1. FreeRADIUS/mysql Version 2.1.1, in whose radcheck, Password attribute
is 'User-Password'
2. FreeRADIUS/mysql Version 2.1.10, in whose radcheck, Password
attribute is 'Cleartext-Password'
On both freeradius servers sql and perl modules are enabled in authorize
and accounting groups, and both servers accept PAP and CHAP auth if
queried directly.
Server 2 is configured to proxy requests for unknown users for certain
prefixes/suffixes to server 1, if perl and sql return no user:
authorize {
    preprocess
    chap
    mschap
    digest
    eap {
        ok = return
    }
    files
    expiration
    logintime
    sql
    perl
    if (notfound) {
        suffix
        hotspotUser
    }
    pap
}
Challenge is, on Server 2, testing with radtest (passing the attributes
so: radtest -t <type> iS_u2h4gna a2uwv localhost 1812 secret), local
users are authed fine, but non-local users always return with a reject.
Debug output of server 1, if I use CHAP to attempt auth with radtest on
server 2, is always:
++[pap] returns noop
Found Auth-Type = CHAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group CHAP {...}
[chap] login attempt by "iS_u2h4gna" with CHAP password
[chap] Using clear text password "uz3f9" for user iS_u2h4gna authentication.
[chap] Password check failed
++[chap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
If I use PAP with radtest on server 2, server 1 returns:
++[pap] returns updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group PAP {...}
[pap] login attempt with password "a2uwv"
[pap] Using clear text password "uz3f9"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
I have tried changing the "known good" clear text password on server 1
as recommended in the warning, to no effect. (Is this because
User-Password and Cleartext-Password must necessarily be unequal and
co-related?)
If so, how can I convert one to the other?
Hopefully,
JamesTM
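
Added example (not part of the original post, and not FreeRADIUS code): the password checks behind the two debug traces above, following RFC 2865 sections 5.2 (User-Password hiding) and 5.3 (CHAP-Password). The two passwords are the ones visible in the logs; the proxy secret, authenticators and CHAP identifier are constructed values.

```python
import hashlib
import hmac

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def pap_reveal(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_password(ident, password, challenge):
    """RFC 2865 5.3: CHAP-Password = ident + MD5(ident + password + challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def chap_check(attr, challenge, known_good):
    # The server recomputes the digest from its stored clear-text password.
    return hmac.compare_digest(chap_password(attr[0], known_good, challenge), attr)

def demo():
    supplied, stored = b"a2uwv", b"uz3f9"        # passwords shown in the debug output
    nas_secret, hop_secret = b"secret", b"constructed-proxy-secret"
    auth1, auth2 = bytes(range(16)), bytes(range(16, 32))  # constructed authenticators
    # PAP across a proxy: reveal with the client's secret, re-hide for the next hop.
    clear = pap_reveal(pap_hide(supplied, nas_secret, auth1), nas_secret, auth1)
    at_home = pap_reveal(pap_hide(clear, hop_secret, auth2), hop_secret, auth2)
    # CHAP: the digest only verifies against the challenge the client used.
    attr = chap_password(7, supplied, auth1)     # identifier 7 is constructed
    return {
        "pap_survives_proxy": at_home == supplied,
        "pap_vs_stored": hmac.compare_digest(at_home, stored),
        "chap_vs_stored": chap_check(attr, auth1, stored),
        "chap_if_stored_matched": chap_check(attr, auth1, supplied),
        "chap_wrong_challenge": chap_check(attr, auth2, supplied),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`pap_vs_stored` and `chap_vs_stored` correspond to the "Passwords don't match" and "Password check failed" lines in the traces; `chap_wrong_challenge` shows why a CHAP response only verifies when the original challenge travels with the proxied request.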