Hi Miguel,
Below you will find the config I'm using. It works with Unix Crypt but not with md5 or SHA1. It looks like for md5 or sha1 the crypt-password attribute has to be changed to MD5-password or SHA1-password. However my freeRadius doesn't recognize any of these 2 attributes (rlm_sql: unknown attribute SSHA-Password). For the time being I'll stick with Unix Crypt.
Please let me know if you find a better config.
Bogdan.
-----Original Message-----
From: Bogdan Dumitriu - Technical Support Team [mailto:[EMAIL PROTECTED]
Sent: May 4, 2006 3:40 PM
To: 'freeradius-users@lists.freeradius.org'
Subject: FreeRadius + MySQL & Encrypted passwords
Hi all,
I've been trying to encrypt the passwords in mySQL using SHA1 or MD5 without any luck for the last several days.
First let me tell you a bit about our system:
RedHat ES 4
freeradius-1.0.1-2.RHEL4
freeradius-mysql-1.0.1-2.RHEL4
mysql-server-4.1.7-4.RHEL4.1
mysql-4.1.7-4.RHEL4.1
mysql-4.1.7-4.RHEL4.1
Everything works fine with clear text passwords and if I use Unix Crypt.
This is the config that works with Unix Crypt:
radcheck
+-----+----------+----------------+----+---------------+
| id  | UserName | Attribute      | op | Value         |
+-----+----------+----------------+----+---------------+
| 844 | bogdan   | Crypt-Password | == | 55MCU5TXMoKsA |
+-----+----------+----------------+----+---------------+
usergroup
+-----+----------+-------------+
| id  | UserName | GroupName   |
+-----+----------+-------------+
| 844 | bogdan   | adsl-static |
+-----+----------+-------------+
radgroupcheck
+----+-------------+-----------+----+-------+
| id | GroupName   | Attribute | op | Value |
+----+-------------+-----------+----+-------+
| 1  | adsl        | Auth-Type | := | PAP   |
| 2  | adsl-static | Auth-Type | := | PAP   |
+----+-------------+-----------+----+-------+
radius.conf
-------------
...........................
modules
{
    ..................
    pap
    {
        encryption_scheme = crypt
    }
    ....................
}
authenticate
{
    ..............
    Auth-Type PAP {
        pap
    }
    ...............
}
This works perfectly!
Now I want to use MD5 or SHA1, so I change:
pap
{
    encryption_scheme = sha1 (or md5)
}
and this is what I get in /usr/sbin/radiusd -X
modcall[authorize]: module "sql" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type PAP
auth: type "PAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_pap: login attempt by "shipcoadsl" with password test
rlm_pap: Crypt-Password attribute but encryption scheme is not set to CRYPT
modcall[authenticate]: module "pap" returns fail for request 0
modcall: group Auth-Type returns fail for request 0
If I change:
+-----+----------+----------------+----+----------------+
| id  | UserName | Attribute      | op | Value          |
+-----+----------+----------------+----+----------------+
| 844 | bogdan   | Crypt-Password | == | {md5} password |
+-----+----------+----------------+----+----------------+
to:
+-----+----------+----------------+----+----------------+
| id  | UserName | Attribute      | op | Value          |
+-----+----------+----------------+----+----------------+
| 844 | bogdan   | User-Password  | == | {md5} password |
+-----+----------+----------------+----+----------------+
and this is what I get:
rlm_sql (sql): No matching entry in the database for request from user [shipcoadsl]
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [shipcoadsl/test] (from client TestNAS2 port 0)
I also tried changing:
radgroupcheck
+----+-------------+-----------+----+-------+
| id | GroupName   | Attribute | op | Value |
+----+-------------+-----------+----+-------+
| 1  | adsl        | Auth-Type | := | PAP   |
+----+-------------+-----------+----+-------+
to:
radgroupcheck
+----+-------------+-----------+----+-------+
| id | GroupName   | Attribute | op | Value |
+----+-------------+-----------+----+-------+
| 1  | adsl        | Auth-Type | := | MD5   |
+----+-------------+-----------+----+-------+
then add:
authenticate
{
    ..............
    Auth-Type MD5 {
        pap
    }
    ...............
}
and I got exactly the same answer as before!
Tried adding to the radgroupreply:
| 26 | adsl-static | Auth-Type | := | PAP | 0 |
but still no luck!
Is this a bug? What am I missing?
Your help will be greatly appreciated!
Thanks,
Bogdan.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Miguel Angel Quiles
Sent: May 8, 2006 5:34 AM
To: FreeRadius users mailing list
Subject: Re: FreeRadius + MySQL & Encrypted passwords
Hi,
I would like to find out how to configure freeradius so I don't have to save clear text passwords in the users file.
I've been following the mail list but I've seen so many ways of configuring crypted passwords, md5, .... that right now I've got a mess in my head.
If someone can help me, to address me to a tutorial, or a link to a website where I can find some clear info over this, I would appreciate.
Thank you.