v3, passwords, and auth-type

Alan Batie alan at peak.org
Thu Nov 19 22:49:18 CET 2015 

I'm trying to get v3.0.9 working and running into something that seems
mutually exclusive: PAP seems to require Cleartext-Password and then
complain that it's not getting User-Password?  Also, and probably more
important, it seems to be ignoring my Auth-Type Local configuration....

excerpt from site file:

authenticate {
        #
        #  PAP authentication, when a back-end database listed
        #  in the 'authorize' section supplies a password.  The
        #  password can be clear-text, or encrypted.
        Auth-Type PAP {
                pap
        }

        Auth-Type Local {
                pap
        }


Relevant sections from debug output in the different cases:

With Cleartext-Password and Auth-Type Local:

(0)     [sql] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: Auth-Type already set.  Not setting to PAP
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = Local
(0) Auth-Type sub-section not found.  Ignoring.

With Cleartext-Password and Auth-Type PAP:

(1)     [sql] = ok
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: WARNING: Auth-Type already set.  Not setting to PAP
(1)     [pap] = noop
(1)   } # authorize = ok
(1) Found Auth-Type = PAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/peak
(1)   Auth-Type PAP {
(1) pap: ERROR: You set 'Auth-Type = PAP' for a request that does not
contain a User-Password attribute!
(1)     [pap] = invalid
(1)   } # Auth-Type PAP = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject

With User-Password and Auth-Type PAP:

(4)     [sql] = ok
(4)     [expiration] = noop
(4)     [logintime] = noop
(4) pap: WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(4) pap: WARNING: !!! Ignoring control:User-Password.  Update your
  !!!
(4) pap: WARNING: !!! configuration so that the "known good" clear text !!!
(4) pap: WARNING: !!! password is in Cleartext-Password and NOT in
  !!!
(4) pap: WARNING: !!! User-Password.
  !!!
(4) pap: WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(4) pap: WARNING: No "known good" password found for the user.  Not
setting Auth-Type
(4) pap: WARNING: Authentication will fail unless a "known good"
password is available
(4)     [pap] = noop
(4)   } # authorize = ok
(4) Found Auth-Type = PAP
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/peak
(4)   Auth-Type PAP {
(4) pap: Login attempt with password
(4) pap: No password configured for the user.  Cannot do authentication
(4)     [pap] = fail
(4)   } # Auth-Type PAP = fail
(4) Failed to authenticate the user
(4) Using Post-Auth-Type Reject

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5923 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20151119/709b0a72/attachment.bin>

More information about the Freeradius-Users mailing list