User-Name Modification Assistance

Jeremy Lundquist pmudan01 at gmail.com
Fri May 11 19:22:45 CEST 2018


Here is the username/password from the mysql DB - note no password (blank).

MariaDB [radiusdb]> select * from radcheck where username='107b44c186e0';
+------+--------------+--------------------+----+-------+
| id   | username     | attribute          | op | value |
+------+--------------+--------------------+----+-------+
| 2308 | 107b44c186e0 | Cleartext-Password | := |       |
+------+--------------+--------------------+----+-------+
1 row in set (0.00 sec)


So when I tested using radclient (sending just username, no password)
without adding the following to my authorize section in
sites-enabled/default it failed (which I believe is expected?).
                update control {
                        Auth-Type := Accept
                }

Debug snippet:
.
.
rlm_sql (sql): Released connection (2)
(0)     [sql] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: No User-Password attribute in the request.  Cannot do PAP
(0)     [pap] = noop
(0)   } # authorize = updated
(0) WARNING: Please update your configuration, and remove 'Auth-Type = Local'
(0) WARNING: Use the PAP or CHAP modules instead
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) sql: EXPAND .query
.
.

NOTE - I verified in my configs, I have not set "Auth-Type = Local"
anywhere.

But when I added it, it passed (again, expected per one of your
instructions in previous email).

Debug snippet:
.
.
(0)     [sql] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: Auth-Type already set.  Not setting to PAP
(0)     [pap] = noop
(0)   } # authorize = updated
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated
(0)     } # update = noop
.
.

So going back to my using the test HW, you are saying even without a
password it should work as long as what's in the DB and what's passed via
the HW is the same. But there is no password passed in the Access-Request
and there is none in the DB, thus it should work, but it's not? That's where
I'm getting hung up. I'd expect it to work as both are the same (nothing),
but it's not, unless I'm not understanding properly what you are saying.

Jeremy


On Fri, May 11, 2018 at 9:07 AM, Alan DeKok <aland at deployingradius.com>
wrote:

> On May 11, 2018, at 12:02 PM, Jeremy Lundquist <pmudan01 at gmail.com> wrote:
> >
> > Let me add an updated Debug output to be thorough:
>
>   Reading it, and my messages would help.
>
>   The reason there's no User-Password in the request is because the NAS is
> doing EAP.
>
>   As I said before, it's doing EAP-MD5.  And EAP-MD5 is failing because
> the password is wrong.
>
>   Stop trying to create a User-Password.  It's not necessary.  Test PAP
> with radclient.  It should work.
>
>   EAP-MD5 is basically CHAP.  So if the user enters the same password as
> what's in the DB, it *will* work.
>
>   The only reason it won't work is that the passwords *are not the same*.
>
>   Alan DeKok.


More information about the Freeradius-Users mailing list
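
Added example, not part of the original thread and not FreeRADIUS code: the EAP-MD5 exchange (EAP type 4 from RFC 3748, using the CHAP calculation from RFC 1994) mentioned in the quoted reply, showing that the peer sends a digest rather than a User-Password and that the server's check passes only when the peer's password is byte-for-byte the stored cleartext value. Function names and the sample passwords are constructed for illustration; only the bare calculation is shown, not any server-side policy.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4

def md5_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    # RFC 1994: MD5 over the Identifier octet, the secret, then the challenge.
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def build_eap_md5(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    # EAP header (Code, Identifier, Length), then Type, Value-Size, Value, Name.
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_eap_md5(packet: bytes):
    if len(packet) < 6:
        raise ValueError("too short for EAP-MD5")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5:
        raise ValueError("not a well-formed EAP-MD5 packet")
    size = packet[5]
    if 6 + size > length:
        raise ValueError("Value-Size runs past the end of the packet")
    return code, identifier, packet[6:6 + size], packet[6 + size:]

def peer_respond(request: bytes, typed_password: bytes, name: bytes) -> bytes:
    # The peer sends only the digest and its name; the password stays local.
    code, identifier, challenge, _ = parse_eap_md5(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP Request")
    value = md5_value(identifier, typed_password, challenge)
    return build_eap_md5(EAP_RESPONSE, identifier, value, name)

def server_check(request: bytes, response: bytes, stored_password: bytes) -> bool:
    # The server recomputes the digest from its stored cleartext password.
    _, req_id, challenge, _ = parse_eap_md5(request)
    code, resp_id, value, _ = parse_eap_md5(response)
    if code != EAP_RESPONSE or resp_id != req_id or len(value) != 16:
        return False
    return hmac.compare_digest(value, md5_value(req_id, stored_password, challenge))

def authenticate(stored_password: bytes, typed_password: bytes,
                 name: bytes = b"107b44c186e0") -> bool:
    # Constructed exchange: random identifier and 16-byte challenge per attempt.
    request = build_eap_md5(EAP_REQUEST, os.urandom(1)[0], os.urandom(16))
    return server_check(request, peer_respond(request, typed_password, name), stored_password)
```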