v3, passwords, and auth-type

Alan DeKok aland at deployingradius.com
Thu Nov 19 23:05:39 CET 2015


On Nov 19, 2015, at 4:49 PM, Alan Batie <alan at peak.org> wrote:
> 
> I'm trying to get v3.0.9 working and running into something that seems
> mutually exclusive: PAP seems to require Cleartext-Password and then
> complain that it's not getting User-Password?  Also, and probably more
> important, it seems to be ignoring my Auth-Type Local configuration....

  Because you shouldn't have Auth-Type Local. 

  The default configuration doesn't have it.  It's not needed.

> excerpt from site file:

  So... why did you edit it to add Auth-Type Local?

> With Cleartext-Password and Auth-Type Local:

  And.... you don't show the *relevant* portions of the debug output.

  i.e. the portions where it shows the incoming packet.

> (0)     [sql] = ok
> (0)     [expiration] = noop
> (0)     [logintime] = noop
> (0) pap: WARNING: Auth-Type already set.  Not setting to PAP
> (0)     [pap] = noop
> (0)   } # authorize = ok
> (0) Found Auth-Type = Local

  You're forcing Auth-Type = Local.  Why?

  Don't do that.  It's wrong.

  The default configuration doesn't have it.  It's not needed.

> (0) Auth-Type sub-section not found.  Ignoring.
> 
> With Cleartext-Password and Auth-Type PAP:
> 
> (1)     [sql] = ok
> (1)     [expiration] = noop
> (1)     [logintime] = noop
> (1) pap: WARNING: Auth-Type already set.  Not setting to PAP

  The automatic system isn't working ...

> (1)     [pap] = noop
> (1)   } # authorize = ok
> (1) Found Auth-Type = PAP

  ... because *you* forced Auth-Type = PAP.  Why?

> (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/peak
> (1)   Auth-Type PAP {
> (1) pap: ERROR: You set 'Auth-Type = PAP' for a request that does not contain a User-Password attribute!

  Again, *you* broke the server.  Don't do that.

> (1)     [pap] = invalid
> (1)   } # Auth-Type PAP = invalid
> (1) Failed to authenticate the user
> (1) Using Post-Auth-Type Reject
> 
> With User-Password and Auth-Type PAP:
> 
> (4)     [sql] = ok
> (4)     [expiration] = noop
> (4)     [logintime] = noop
> (4) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> (4) pap: WARNING: !!! Ignoring control:User-Password.  Update your      !!!
> (4) pap: WARNING: !!! configuration so that the "known good" clear text !!!
> (4) pap: WARNING: !!! password is in Cleartext-Password and NOT in      !!!
> (4) pap: WARNING: !!! User-Password.                                    !!!
> (4) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  That should be pretty clear.

  Why not follow the instructions that are in front of you?

a) don't force Auth-Type.  It's almost always wrong.

b) delete the "Auth-Type Local" block.

c) yes, DON'T FORCE AUTH-TYPE.  Delete it from ALL databases, configurations, etc.

d) follow the instructions in the big warnings for packet (4) above.


  It shouldn't be hard.  Put the "known good" password into control:Cleartext-Password.  Change almost nothing else.  The server *will* figure out how to authenticate the user.

  It looks like you've followed some crappy third-party guide from 2005.  Don't do that.  Nearly all of them are wrong and outdated.

  The default configuration *works*.  PLEASE don't destroy it unless you know what you're doing.

  Alan DeKok.
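
The clean-up the reply prescribes, as an added example that is not part of the original thread. The debug output shows the check items coming from the sql module, so this assumes the stock FreeRADIUS `radcheck` table (columns username, attribute, op, value); the user and password rows are constructed.

```sql
-- Assumes the stock FreeRADIUS radcheck schema; the rows are constructed.

-- BEFORE: the two mistakes the reply calls out, as they typically sit in radcheck.
INSERT INTO radcheck (username, attribute, op, value) VALUES
  ('alice', 'Auth-Type',     ':=', 'Local'),           -- wrong: forces Auth-Type
  ('alice', 'User-Password', '==', 'constructed-pw');  -- wrong: pap ignores control:User-Password

-- Audit first: every user that still forces Auth-Type or keeps the
-- "known good" password in User-Password (both will fail in v3 as shown above).
SELECT username, attribute, op, value
  FROM radcheck
 WHERE attribute IN ('Auth-Type', 'User-Password')
 ORDER BY username, attribute;

-- Fix 1 (steps b and c in the reply): drop every forced Auth-Type row.
-- Once the server finds Cleartext-Password it selects the Auth-Type itself.
DELETE FROM radcheck
 WHERE attribute = 'Auth-Type';

-- Fix 2 (step d in the reply): move the known-good password into
-- Cleartext-Password.  ':=' sets the control item; the old 'User-Password =='
-- idiom taught by outdated guides is exactly what the packet (4) warning rejects.
UPDATE radcheck
   SET attribute = 'Cleartext-Password',
       op        = ':='
 WHERE attribute = 'User-Password';

-- AFTER: the single row the sql module needs to return for the user.
SELECT username, attribute, op, value
  FROM radcheck
 WHERE username = 'alice';
-- alice | Cleartext-Password | := | constructed-pw
```

The same two rules apply to any `users` file or `unlang` block that sets `Auth-Type` or `User-Password` as a check item: remove the forced Auth-Type and store the password in `Cleartext-Password`.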
