upgrade to freeradius 3.0.15 and problem with authorization

Anton Kiryushkin swood at fotofor.biz
Mon Sep 18 14:59:32 CEST 2017


Thanks for the answer.

I've changed the config of the SQL module from:

authorize_check_query = "SELECT vpn_id as id, vpn_username as UserName, 'User-Password' as attribute, pass as value, ':=' as op \
          FROM ${authcheck_table} \
          WHERE (vpn_username = '%{SQL-User-Name}' AND msk='1') \
          ORDER BY id"

to:

authorize_check_query = "SELECT vpn_id as id, vpn_username as UserName, 'MD5-Password' as attribute, pass as value, ':=' as op \
          FROM ${authcheck_table} \
          WHERE (vpn_username = '%{SQL-User-Name}' AND msk='1') \
          ORDER BY id"

And after that, I changed the value of the password in the database from
"{MD5}hash" to "hash".

And it works for me.

2017-09-18 15:56 GMT+03:00 Alan Buxey <alan.buxey at gmail.com>:

> post debug.  if NAS is sending that, it's fine - it's what FR
> knows/handles that matters - the warnings you worry about are probably
> due to mysql syntax you've ported :/
>
> On 18 September 2017 at 13:22, Anton Kiryushkin <swood at fotofor.biz> wrote:
> > Hello.
> >
> > I've upgraded to 3.0.15 from 2.X and now I have a problem with pap
> > authorization.
> >
> > My users are saved in MySQL with an md5 attribute. But from the Cisco ASA I
> > receive the User-Password header. In the source code I've found the following lines:
> >
> >               case PW_USER_PASSWORD: /* deprecated */
> >                         RWDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
> >                         RWDEBUG("!!! Ignoring control:User-Password. Update your        !!!");
> >                         RWDEBUG("!!! configuration so that the \"known good\" clear text !!!");
> >                         RWDEBUG("!!! password is in Cleartext-Password and NOT in        !!!");
> >                         RWDEBUG("!!! User-Password.               !!!");
> >                         RWDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
> >                         break;
> >
> > Okay. I've found a workaround with unlang and pasted it into the "authorize"
> > section:
> >
> > if (!control:Cleartext-Password && control:User-Password) {
> >   update control {
> >     Cleartext-Password := "%{control:User-Password}"
> >   }
> > }
> >
> >
> > But it doesn't work.
> >
> > How can I save an encrypted password in MySQL and delete the User-Password
> > header which I receive from the Cisco ASA (I can't modify software on
> > the Cisco side)?
> >
> >
> >
> > --
> > Best regards,
> > Anton Kiryushkin
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




-- 
Best regards,
Anton Kiryushkin
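
An added example, not part of the original post and not FreeRADIUS code: a Python check that could be run over the `pass` column before pointing the query at `MD5-Password`, stripping the `{MD5}` header and flagging rows that do not hold a 16-byte digest. The hex and base64 encodings, the function names and the sample rows are assumptions constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

HEADER = "{MD5}"  # header the post removed from the stored values


def to_md5_password_value(stored):
    """Return the bare hex digest for "{MD5}<digest>" or "<digest>".

    Assumption: <digest> is 32 hex characters or base64 of the 16 raw bytes.
    """
    value = stored.strip()
    if value.upper().startswith(HEADER):
        value = value[len(HEADER):]
    if len(value) == 32:
        try:
            return binascii.unhexlify(value).hex()
        except binascii.Error:
            pass  # not hex; fall through to the base64 attempt
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        raw = b""
    if len(raw) != 16:
        raise ValueError("not an MD5 digest: %r" % stored)
    return raw.hex()


def check_rows(rows):
    """Split (username, pass) rows into converted values and rejects."""
    converted, rejected = {}, []
    for user, stored in rows:
        try:
            converted[user] = to_md5_password_value(stored)
        except ValueError:
            rejected.append(user)  # e.g. a cleartext value left in the column
    return converted, rejected


def pap_md5_matches(cleartext, md5_hex):
    """Compare the MD5 of the received password with the stored digest."""
    digest = hashlib.md5(cleartext.encode()).hexdigest()
    return hmac.compare_digest(digest, md5_hex)


# Constructed sample rows (username, pass); not data from the post.
_H = hashlib.md5(b"example-pass").hexdigest()
SAMPLE_ROWS = [("alice", "{MD5}" + _H), ("bob", _H.upper()),
               ("carol", "{MD5}" + base64.b64encode(bytes.fromhex(_H)).decode()),
               ("dave", "plaintext-left-behind")]
```

Rows reported as rejected need attention before the switch, since a value that is not an MD5 digest would no longer match once the attribute is `MD5-Password`.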

