On Tue, 22 Aug 2006, Alan DeKok wrote:
|->Keith Woodworth <[EMAIL PROTECTED]> wrote:
|->> One of the things I did try was add PAP to the authorize section, but
|->> radius failed to start when I did that.
|->
|-> And the error message was...?

Had to put this project aside for the last 2 weeks... Hate when I have to do that. Also, this post has lots of debug output. Anyway, here is the error:

radiusd.conf: "PAP" modules aren't allowed in 'authorize' sections -- they have no such method.
radiusd.conf[1569] Failed to parse authorize section.

Here is where I put pap, with all the comments stripped:

authorize {
        preprocess
#       auth_log
#       attr_filter
### KEITH
        pap
        chap
        mschap
#       digest
#       IPASS
#       ntdomain
#eap
        files
        sql
#       etc_smbpasswd
#       ldap
#       daily
#       checkval
}

|->> Deployingradius.com did say there were very few circumstances to set
|->> Auth-Type, but not which ones. Guess I found one?
|->
|-> Possibly. Much of this is fixed in CVS head, which is currently
|->planned to be 2.0 before Christmas. The PAP module does more there,
|->and there are MANY fewer cases where you have to set Auth-Type.

At the rate I'm going, it will be Christmas before I'm ready to go.

|->> How stable is the current server version? Anyone using it in production?
|->
|-> Yes. A number of people. There are 3 issues that need addressing
|->before it's ready for an official 2.0, however.

Would it be advisable to upgrade at this point or wait till it's official?

|->> Sounds like I might have to be using the CVS version to do what I want
|->> properly of only having the user in one table and do PAP authentication
|->> with the crypt password stored in sql.
|->
|-> 1.1.2 can do it, it just takes a little more configuration.
|->Basically, for every user who has a Crypt-Password attribute, you have
|->to set "Auth-Type = Local". Not ":=", but "=".

After having to put this aside for a few weeks I have finally done some testing.

One. If the user has a crypt password in radcheck:

  4 | tester | Crypt-Password | := | f3RCpSYQzT292

is listed in usergroup:

  14 | tester | default

and default is in radgroupcheck:

+----+-----------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-------+
|  1 | default   | Auth-Type | =  | Local |
+----+-----------+-----------+----+-------+

This is the debug output:

rad_recv: Access-Request packet from host 204.244.99.67:1645, id=92, length=76
        NAS-Port-Type = Async
        User-Name = "tester"
        User-Password = "test"
        Service-Type = Framed-User
        Framed-Protocol = PPP
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  modcall[authorize]: module "files" returns notfound for request 0
radius_xlat: 'tester'
rlm_sql (sql): sql_set_user escaped user --> 'tester'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'tester' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'tester' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.

Ok, so next change radgroupcheck so Auth-Type is PAP:

+----+-----------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-------+
|  1 | default   | Auth-Type | := | PAP   |
+----+-----------+-----------+----+-------+

and do another dialup try:

rad_recv: Access-Request packet from host 204.244.99.67:1645, id=93, length=76
        NAS-Port-Type = Async
        User-Name = "tester"
        User-Password = "test"
        Service-Type = Framed-User
        Framed-Protocol = PPP
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  modcall[authorize]: module "files" returns notfound for request 0
radius_xlat: 'tester'
rlm_sql (sql): sql_set_user escaped user --> 'tester'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'tester' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'tester' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password: Found Auth-Type PAP
auth: type "PAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 0
rlm_pap: login attempt by "tester" with password test
rlm_pap: Using password "f3RCpSYQzT292" for user tester authentication.
rlm_pap: Using CRYPT encryption.
rlm_pap: User authenticated succesfully
  modcall[authenticate]: module "pap" returns ok for request 0
modcall: leaving group PAP (returns ok) for request 0
Sending Access-Accept of id 93 to 204.244.99.67 port 1645
        Service-Type := Framed-User
        Framed-Protocol := PPP
        Framed-Compression := Van-Jacobson-TCP-IP
        Framed-MTU := 1500
        Framed-Routing := None
        Framed-IP-Netmask := 255.255.255.255
Finished request 0

I get authenticated, I get an IP and away I go.

Now here is the main issue: I remove the user tester from the usergroup table but leave Auth-Type := PAP:

rad_recv: Access-Request packet from host 204.244.99.67:1645, id=97, length=76
        NAS-Port-Type = Async
        User-Name = "tester"
        User-Password = "test"
        Service-Type = Framed-User
        Framed-Protocol = PPP
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  modcall[authorize]: module "files" returns notfound for request 0
radius_xlat: 'tester'
rlm_sql (sql): sql_set_user escaped user --> 'tester'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'tester' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'tester' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: type Crypt
Sending Access-Accept of id 97 to 204.244.99.67 port 1645
Finished request 0

And while Radius seems to send an Access-Accept, the dialup user gets an error 691 password invalid.

So, last change: set Auth-Type = Local in radgroupcheck as per the suggestion above:

  1 | default | Auth-Type | = | Local

Debug output:

rad_recv: Access-Request packet from host 204.244.99.67:1645, id=100, length=76
        NAS-IP-Address = 204.244.98.67
        NAS-Port = 23
        NAS-Port-Type = Async
        User-Name = "tester"
        User-Password = "test"
        Service-Type = Framed-User
        Framed-Protocol = PPP
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
  modcall[authorize]: module "files" returns notfound for request 1
radius_xlat: 'tester'
rlm_sql (sql): sql_set_user escaped user --> 'tester'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'tester' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'tester' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'tester' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module "sql" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
auth: type Crypt
Sending Access-Accept of id 100 to 204.244.99.67 port 1645
Finished request 1
Going to the next request

Again I get Access-Accept, but a 691 password error on the client side.

So as I see it with this: I have to have the user listed in usergroup AND radcheck with a Crypt-Password attribute, and radgroupcheck with Auth-Type := PAP, for the user to authenticate and be able to get online.

If the username is in usergroup AND radcheck with the Auth-Type = Local I see this:

  modcall[authorize]: module "sql" returns ok for request 5
modcall: leaving group authorize (returns ok) for request 5
  rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.

So I guess I missed something completely, or it's not possible to have a username ONLY listed in radcheck with Crypt-Password and authenticate that user? Does the username really need to be in both the usergroup table and radcheck table for a crypt-password method to work?

Sorry for the long post.

Thanks,
Keith

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
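Added example, not from the post and not FreeRADIUS code: a small Python model of how check rows from radcheck and radgroupcheck are merged into a request's config items according to their operator, run over the table layouts the post tries. The table rows and the "=" versus ":=" semantics (from the users(5) man page) are the page's; merge_check_items(), authorize() and the scenario names are assumptions of this model.

```python
# Model of check-item merging for the = and := operators (added illustration).
from typing import Dict, List, Tuple

Row = Tuple[str, str, str]  # (Attribute, op, Value) as returned by rlm_sql


def merge_check_items(config: Dict[str, str], rows: List[Row]) -> Dict[str, str]:
    """Apply check rows to the config items in order.

    Operator meaning as documented in the FreeRADIUS users(5) man page:
      '='  set the attribute only if no item of that name exists yet
      ':=' always set, replacing any existing item of that name
    Comparison operators (==, =~, <, ...) test request attributes instead and
    are deliberately not modelled; the post only uses = and :=.
    """
    for attr, op, value in rows:
        if op == ":=":
            config[attr] = value
        elif op == "=":
            config.setdefault(attr, value)
        else:
            raise ValueError(f"operator {op!r} not modelled")
    return config


def authorize(user: str, radcheck: List[Tuple[str, str, str, str]],
              usergroup: List[Tuple[str, str]],
              radgroupcheck: List[Tuple[str, str, str, str]]) -> Dict[str, str]:
    """Config items after the sql module, in the query order the debug output
    shows: radcheck first, then radgroupcheck rows for each group the user is
    in. Auth-Type is simply absent when no row set it."""
    config: Dict[str, str] = {}
    merge_check_items(config, [(a, o, v) for u, a, o, v in radcheck if u == user])
    for member, group in usergroup:
        if member == user:
            merge_check_items(config, [(a, o, v) for g, a, o, v in radgroupcheck if g == group])
    return config


# Rows taken from the post (the crypt hash is the one shown there).
RADCHECK = [("tester", "Crypt-Password", ":=", "f3RCpSYQzT292")]
IN_GROUP = [("tester", "default")]

# 1) group row "Auth-Type = Local": debug shows "Found Auth-Type Local"
LOCAL = authorize("tester", RADCHECK, IN_GROUP, [("default", "Auth-Type", "=", "Local")])
# 2) group row "Auth-Type := PAP": debug shows "Found Auth-Type PAP", rlm_pap runs
PAP = authorize("tester", RADCHECK, IN_GROUP, [("default", "Auth-Type", ":=", "PAP")])
# 3) user removed from usergroup: no group row applies, so no Auth-Type at all
NO_GROUP = authorize("tester", RADCHECK, [], [("default", "Auth-Type", ":=", "PAP")])
# 4) Alan's suggestion: a per-user "Auth-Type = Local" row in radcheck, no group
PER_USER = authorize("tester", RADCHECK + [("tester", "Auth-Type", "=", "Local")], [], [])
```

Scenario 3 is the one where the debug output shows no "Found Auth-Type" line at all: with the user gone from usergroup, the group's Auth-Type row never reaches the request, whatever operator it carries.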