After posting I continued looking into the problem, and searching the
list archives, and discovered that I really did not ask the right
question.

What I would like to do is be able to use MD5 passwords.

I've configured my radiusd.conf and database properly, as near as I can
tell, but it isn't working. The output of "radiusd -X" is:

rad_recv: Access-Request packet from host 64.254.34.5:1025, id=251,
length=116
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "password"
        NAS-IP-Address = 64.254.34.5
        NAS-Port = 20205
        NAS-Port-Type = Async
        State = 0x
        Calling-Station-Id = "6203312503"
        Called-Station-Id = "3162606719"
        Acct-Session-Id = "424765938"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/var/log/radius/radacct/64.254.34.5/auth-detail-20050303'
rlm_detail:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/64.254.34.5/auth-detail-20050303
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: Looking up realm "realm" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "realm"
    rlm_realm: Adding Stripped-User-Name = "user"
    rlm_realm: Proxying request from user user to realm realm
    rlm_realm: Adding Realm = "realm"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
radius_xlat:  'user'
rlm_sql (sql): sql_set_user escaped user --> 'user'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'user' AND Active = 1 ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'user' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'user' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'user' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): No matching entry in the database for request from user
[user]
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module "sql" returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.


My configuration file, relevant lines only:

modules {
        pap {
                encryption_scheme = crypt
        }

        pap md5 { 
                encryption_scheme = md5 
        }
}
authenticate {
        Auth-Type MD5 { 
                md5 
        }
        Auth-Type PAP {
                pap
        }
}

My database tables, relevant lines only:

radgroupcheck:

id 10, groupname MD5, attribute Auth-Type, op :=, Value MD5
id 11, groupname MD5, attribute Service-Type, op ==, Value Framed-User

^^^ added id #11 at the recommendation of another mailing list post from
2003

radcheck:

id 3, username user, attribute Password, op ==, value <md5sum>

Now the odd part here is that it's basically saying it can't find the
username in the database (it's there). Now, get this, if I change
radgroupcheck id 10's Value back to "Dialup" (which was working fine
before I did this) it still didn't work, but when I removed the
Auth-Type MD5 from the configuration file, everything went back to
normal!

I'm scratchin my ass on this one, I clearly have no idea what to do, and
none of this is documented anywhere.

So far I've been pretty excited about this software. Very customizable
and highly extensible. My one complaint? There's nearly ZERO
documentation on how to do that customization. This project REALLY needs
a wiki or something.



On Thu, 2005-03-03 at 15:11, Alan DeKok wrote:
> Nick Bright <[EMAIL PROTECTED]> wrote:
> > I'm using mysql for authorization, and have made everything work
> > wonderfully with plain text passwords. I'd like to find out, though,
> > what password types are supported for the mysql authorization system.
> 
>   None.  :)  The MySQL module doesn't look at, or use passwords.
> 
>   Instead, it pulls RADIUS attributes out of the database, and adds
> them to the request.
> 
> > What I'd really like to know is what password types are supported
> > through this mechanism? Is there a list somewhere?
> 
>   In the latest CVS snapshots, see "man rlm_pap", which lists the
> password types it supports.
> 
> > If I could simply put the users in with "md5-Password" and slap in their
> > md5'd password, that'd make my life really easy :)
> 
>   In the CVS head, that should work.
> 
>   Alan DeKok.
> 
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- 
- Nick Bright
  Terraworld, Inc
  888-332-1616 x315
  http://home.terraworld.net
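
An added example, not part of the original post or of FreeRADIUS: a small triage script for "radiusd -X" output like the one in the message above, listing what each authorize module returned and why the request was rejected. It assumes the log line formats shown in the post; the function names are hypothetical.

```python
import re

# Constructed sample: lines copied from the "radiusd -X" output in the post.
SAMPLE_DEBUG = """\
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  modcall[authorize]: module "suffix" returns noop for request 0
  modcall[authorize]: module "eap" returns noop for request 0
rlm_sql (sql): No matching entry in the database for request from user
[user]
  modcall[authorize]: module "sql" returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
"""

# Patterns follow the line formats visible in the post (an assumption for
# other server versions).
MODCALL = re.compile(
    r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+) for request (\d+)')
SQL_MISS = re.compile(r"rlm_sql \((\w+)\): No matching entry in the database")
NO_AUTH_TYPE = re.compile(r"auth: No authenticate method \(Auth-Type\)")


def triage(debug_text):
    """Return ([(section, module, rcode)], [finding strings]) for one request."""
    results, findings = [], []
    for line in debug_text.splitlines():
        m = MODCALL.search(line)
        if m:
            section, module, rcode, _request = m.groups()
            results.append((section, module, rcode))
        elif SQL_MISS.search(line):
            findings.append("rlm_sql reported no matching entry")
        elif NO_AUTH_TYPE.search(line):
            findings.append("rejected: no Auth-Type found for the request")
    return results, findings


def modules_returning(results, rcode):
    """Names of modules whose return code equals rcode, in call order."""
    return [module for _section, module, rc in results if rc == rcode]


if __name__ == "__main__":
    results, findings = triage(SAMPLE_DEBUG)
    print("notfound:", modules_returning(results, "notfound"))
    print("findings:", findings)
```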

