FreeRADIUS 3.0 - Help with understanding op value for cleartext-password
Ian Hiddleston
ian.hid at gmail.com
Wed Jul 6 14:23:00 CEST 2016
Ah, that makes sense! I'm asking because I was sat staring at this for a
bit before figuring it out. I did read through the Operators bit on the
website, I guess I failed pretty hard at getting the wider picture logic
though. At the time I was trying to match a plaintext password in the
request to a plaintext password in the DB, which I thought would work with
'=='.
We don't use these accounts for anything other than matching DSL users to
routes (not integrated with other backends) so the password is more for
misconfiguration prevention than anything security related.
Received Access-Request Id 170 from 127.0.0.1:39871 to 127.0.0.1:1812
length 79
User-Name = 'cocotest4'
User-Password = 'Password01'
NAS-IP-Address = 10.9.4.53
NAS-Port = 1812
Message-Authenticator = 0x6d25a89d069f56a85c48af5b3559227d
...
(0) mancmsmrad01mc1 : EXPAND
%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
(0) mancmsmrad01mc1 : --> cocotest4
(0) mancmsmrad01mc1 : SQL-User-Name set to 'cocotest4'
rlm_sql (mancmsmrad01mc1): Reserved connection (4)
(0) mancmsmrad01mc1 : EXPAND SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) mancmsmrad01mc1 : --> SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'cocotest4' ORDER BY id
rlm_sql (mancmsmrad01mc1): Executing query: 'SELECT id, username,
attribute, value, op FROM radcheck WHERE username = 'cocotest4' ORDER BY id'
(0) mancmsmrad01mc1 : User found in radcheck table
...
(0) [mancmsmrad01mc1] = ok
(0) } # redundant redundant_sql = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) WARNING: pap : No "known good" password found for the user. Not
setting Auth-Type
(0) WARNING: pap : Authentication will fail unless a "known good" password
is available
(0) [pap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
MariaDB [radius]> select * from radcheck where username='cocotest4';
+------+-----------+--------------------+----+------------+
| id | username | attribute | op | value |
+------+-----------+--------------------+----+------------+
| 1653 | cocotest4 | Cleartext-Password | == | Password01 |
+------+-----------+--------------------+----+------------+
Thanks,
Ian
On 6 July 2016 at 12:10, Michael Schwartzkopff <ms at sys4.de> wrote:
> Am Mittwoch, 6. Juli 2016, 12:06:28 schrieb Ian Hiddleston:
> > Hi all,
> >
> > I've got my server working ok, one thing that I'm curious about is why
> the
> > op value for Cleartext-Password is ':=' rather than '==' ?
> >
> > As my google-fu appears to be lacking I figured I might as well ask the
> > question.
> >
> > Thanks,
> > Ian.
>
> goole: man 5 users
> bash: man 5 users
>
> Attribute := Value
> Always matches as a check item, and replaces in the configuration
> items any
> attribute of the same name. If no attribute of that name appears in the
> request, then this attribute is added.
> As a reply item, it has an identical meaning, but for the reply items,
> instead of the request items.
> Attribute == Value
> As a check item, it matches if the named attribute is present in the
> request, AND has the given value.
> Not allowed as a reply item.
>
> if you use "==" the Cleartext-Password must be in the incomming RADIUS
> request. Very unlikely.
>
> Mit freundlichen Grüßen,
>
> Michael Schwartzkopff
>
> --
> [*] sys4 AG
>
> http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
> Schleißheimer Straße 26/MG, 80333 München
>
> Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
> Vorstand: Patrick Ben Koetter, Marc Schiffbauer
> Aufsichtsratsvorsitzender: Florian Kirstein
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
More information about the Freeradius-Users
mailing list