Hello all, I'm trying to get Radius to work with encrypted passwords in the MySQL database.
My setup: FreeRADIUS 2.1.0 + MySQL + Dialup Admin, installed via Ubuntu 9.04's official packages.

I posted my full config files here (please tell me if you need more info): http://pastebin.com/f529d2cce

If I leave "sql_password_attribute: Crypt-Password" in /etc/freeradius-dialupadmin/admin.conf, after creating a user I get this in the database:

    5 | test1 | User-Password | := | $1$B0q/wVK4$2bxfP9RJMfqBbi/APaxa2

And here is the error I get:

    rad_recv: Access-Request packet from host x.x.x.x port 32769, id=175, length=57
        User-Name = "test1"
        User-Password = "testing"
        NAS-IP-Address = x.x.x.x
        NAS-Port = 1812
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [suffix] No '@' in User-Name = "test1", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[unix] returns notfound
    expand: %{User-Name} -> test1
    [sql] sql_set_user escaped user --> 'test1'
    rlm_sql (sql): Reserving sql socket id: 4
    expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test1' ORDER BY id
    rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test1' ORDER BY id
    [sql] User found in radcheck table
    expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test1' ORDER BY id
    rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test1' ORDER BY id
    expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test1' ORDER BY priority
    rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'test1' ORDER BY priority
    rlm_sql (sql): Released sql socket id: 4
    ++[sql] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns updated
    Found Auth-Type = PAP
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!! Replacing User-Password in config items with Cleartext-Password. !!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!! Please update your configuration so that the "known good" !!!
    !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    +- entering group PAP {...}
    [pap] login attempt with password "testing"
    [pap] Using clear text password "$1$B0q/wVK4$2bxfP9RJMfqBbi/APaxa2/"
    [pap] Passwords don't match
    ++[pap] returns reject
    Failed to authenticate the user.
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    expand: %{User-Name} -> test1
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 0
    Sending Access-Reject of id 175 to x.x.x.x port 32769

But when I set "sql_password_attribute: Crypt-Password" and add "encryption_scheme = crypt" in "modules/pap", I then re-create a new user via dialupadmin and get this in the database:

    4 | test1 | Crypt-Password | := | $1$G/t7x3UX$GcfvNdGecUt6TJDyywOcZ0

I still get an Access-Reject, and this is the debug info:

    rad_recv: Access-Request packet from host x.x.x.x port 32769, id=230, length=57
        User-Name = "test1"
        User-Password = "testing"
        NAS-IP-Address = x.x.x.x
        NAS-Port = 1812
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [suffix] No '@' in User-Name = "test1", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[unix] returns notfound
    expand: %{User-Name} -> test1
    [sql] sql_set_user escaped user --> 'test1'
    rlm_sql (sql): Reserving sql socket id: 4
    expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test1' ORDER BY id
    rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test1' ORDER BY id
    [sql] User found in radcheck table
    expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test1' ORDER BY id
    rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test1' ORDER BY id
    expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test1' ORDER BY priority
    rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'test1' ORDER BY priority
    rlm_sql (sql): Released sql socket id: 4
    ++[sql] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns updated
    Found Auth-Type = PAP
    +- entering group PAP {...}
    [pap] login attempt with password "testing"
    [pap] No password configured for the user. Cannot do authentication
    ++[pap] returns fail
    Failed to authenticate the user.
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    expand: %{User-Name} -> test1
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 0
    Sending Access-Reject of id 230 to x.x.x.x port 32769

For now I tried using crypt, but would like to use SHA if possible.

Thank you
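In the first debug run above, the line `[pap] Using clear text password "$1$..."` shows the stored crypt(3) string being compared literally because it sits under User-Password. The following audit of radcheck rows flags that mismatch; it is an added example, not part of the original post or of FreeRADIUS, and the function names, finding codes and the constructed sample rows are assumptions of the example.

```python
import re

B64 = r"[./0-9A-Za-z]"
# crypt(3) modular hashes look like $id$salt$digest; digest length is fixed per id
# (1 = MD5-crypt, 5 = SHA-256-crypt, 6 = SHA-512-crypt).
DIGEST_LEN = {"1": 22, "5": 43, "6": 86}
MODULAR = re.compile(rf"^\$([156])\$(?:rounds=\d+\$)?{B64}{{1,16}}\$({B64}*)$")
DES = re.compile(rf"^{B64}{{13}}$")          # traditional 13-character DES crypt
HASH_PREFIX = re.compile(r"^\$[156]\$")
CLEARTEXT_ATTRS = {"User-Password", "Cleartext-Password"}


def is_complete_crypt(value):
    """True if value is a well-formed DES or modular crypt(3) hash."""
    if DES.match(value):
        return True
    m = MODULAR.match(value)
    return bool(m) and len(m.group(2)) == DIGEST_LEN[m.group(1)]


def audit_row(row):
    """Findings for one row, in the column order of the SELECT in the debug log:
    (id, username, attribute, value, op)."""
    _id, _user, attr, value, _op = row
    findings = []
    if attr in CLEARTEXT_ATTRS and HASH_PREFIX.match(value):
        # The stored hash would be compared literally with the typed password.
        findings.append("hash-in-cleartext-attribute")
    if attr == "User-Password":
        # The server's own banner asks for Cleartext-Password instead.
        findings.append("deprecated-user-password")
    if attr == "Crypt-Password" and not is_complete_crypt(value):
        findings.append("malformed-crypt-hash")
    return findings


def audit(rows):
    """Map row id -> findings, for rows that have at least one finding."""
    return {r[0]: f for r in rows if (f := audit_row(r))}


# Rows 5 and 4 reuse the values shown in the post; rows 6 and 7 are constructed.
ROWS = [
    (5, "test1", "User-Password", "$1$B0q/wVK4$2bxfP9RJMfqBbi/APaxa2/", ":="),
    (4, "test1", "Crypt-Password", "$1$G/t7x3UX$GcfvNdGecUt6TJDyywOcZ0", ":="),
    (6, "demo1", "Crypt-Password", "$1$G/t7x3UX$GcfvNdGecUt6TJDyywOcZ", ":="),
    (7, "demo2", "Cleartext-Password", "testing", ":="),
]

if __name__ == "__main__":
    for row_id, findings in audit(ROWS).items():
        print(row_id, ", ".join(findings))
```
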