On Mon, Nov 28, 2011 at 9:40 AM, Bogi Aditya <b...@imtelkom.ac.id> wrote:
> thanks Fajar
>
> I've tried:
> # radtest -t mschap usertest passtest localhost:1812 0 testing123
> Sending Access-Request of id 13 to 127.0.0.1 port 1812
>         User-Name = "usertest"
>         NAS-IP-Address = 10.1.1.28
>         NAS-Port = 0
>         MS-CHAP-Challenge = 0x7effa6d1eaf313a9
>         MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000d21d03024f55ebcf8c36dc84d85ab07e2b6c828184d3f151
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=13,

Weird. I just tested a similar thing on my setup (FR-2.1.12), and got Access-Reject for both pap and mschap :)

> then I changed my radcheck table:
> mysql> select * from radcheck;
> +----+----------+--------------------+----+----------+
> | id | username | attribute          | op | value    |
> +----+----------+--------------------+----+----------+
> |  1 | usertest | Cleartext-Password | := | passtest |
> +----+----------+--------------------+----+----------+
>
> and tried:
> # radtest -t mschap usertest passtest localhost:1812 0 testing123
> Sending Access-Request of id 149 to 127.0.0.1 port 1812
>         User-Name = "usertest"
>         NAS-IP-Address = 10.1.1.28
>         NAS-Port = 0
>         MS-CHAP-Challenge = 0xf13ba049100393c3
>         MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000733c2565a50ac6d4c28569b959eca8a14ef7951536c66172
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=149, length=108

At least with Cleartext-Password and ":=" we got the same result.

> should I change it to "Cleartext-Password" and op=":="
> when it still works with "password" and op="=="?

Definitely. My best guess at this point is that your FR version is old enough to permit "password" and "==" and activate some kind of compatibility code, which didn't exist in my version. Cleartext-Password and ":=" is the correct way to specify a plain text user password in current and future versions of FR. If you don't want future upgrades to break your setup, better use Cleartext-Password and ":=".

Running in debug mode (radiusd -X) should help in finding out why your setup works (when it shouldn't). In my test (I'm using files instead of db), I got these:

WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry testuser at line 5
++[files] returns ok
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [testuser] (from client localhost port 0)

Here

> and why is the default value set to "=="
> when it's supposed to be ":="?

"==" is useful in certain cases. For example, if you want the user to ONLY be able to login from a NAS with IP address = 10.0.0.1, you could use something like this:

usertest | Cleartext-Password | := | passtest |
usertest | NAS-IP-Address     | == | 10.0.0.1 |

> so sorry, this is the first time I used FreeRADIUS

No problem.

> (all this time I use OpenLDAP for authentication)

Did you know you can use LDAP as a backend for FR, thus allowing your users to use the same user/password combination whether they're using FR or LDAP directly? :D

--
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
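The radcheck rows discussed in the thread, written out as SQL. This is an added example, not code posted by either participant: the column names come from the `select * from radcheck` output above, but the column types, the `olduser` legacy row, and the `10.0.0.1` NAS address are assumptions for illustration (use the schema shipped with your own FreeRADIUS release). It shows the legacy `User-Password ==` row beside the correct `Cleartext-Password :=` row, the `==` comparison Fajar describes for pinning a user to one NAS, and an audit query you can run before an upgrade to find rows that only work through the old compatibility code.

```sql
-- Added example (not from the thread). Column names follow the
-- `select * from radcheck` output in the thread; the exact types below are
-- an assumption, as are the users 'olduser'/'usertest' and the NAS 10.0.0.1.
CREATE TABLE radcheck (
  id        INT UNSIGNED NOT NULL AUTO_INCREMENT,
  username  VARCHAR(64)  NOT NULL DEFAULT '',
  attribute VARCHAR(64)  NOT NULL DEFAULT '',
  op        CHAR(2)      NOT NULL DEFAULT '==',   -- the default the question asks about
  value     VARCHAR(253) NOT NULL DEFAULT '',
  PRIMARY KEY (id),
  KEY username (username(32))
);

-- Legacy form: '==' compares the check value against the User-Password
-- attribute in the Access-Request. It does not give rlm_pap a "known good"
-- password, so on current releases no Auth-Type is set and the user is rejected.
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('olduser', 'User-Password', '==', 'oldpass');

-- Correct form: ':=' sets Cleartext-Password as the "known good" password
-- that rlm_pap (PAP) and rlm_mschap (MS-CHAP) verify the request against.
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('usertest', 'Cleartext-Password', ':=', 'passtest');

-- '==' as a real comparison: this row matches only when the request's
-- NAS-IP-Address is 10.0.0.1. From any other NAS the check items for
-- usertest fail to match, so the user is rejected.
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('usertest', 'NAS-IP-Address', '==', '10.0.0.1');

-- Audit before upgrading: rows still using the legacy attribute names from
-- the thread ("password", "User-Password"), or a password attribute with '=='.
SELECT id, username, attribute, op, value
FROM radcheck
WHERE attribute IN ('User-Password', 'Password')
   OR (attribute LIKE '%-Password' AND op = '==');

-- Migrate the legacy rows in place (back the table up first).
UPDATE radcheck
SET attribute = 'Cleartext-Password', op = ':='
WHERE attribute IN ('User-Password', 'Password') AND op = '==';
```

Two practitioner notes. First, for each user all radcheck rows are fetched together, so a failed `==` comparison on any of them (such as the NAS-IP-Address row) rejects the whole entry; if you want a user reachable from several NASes, add the restriction elsewhere rather than stacking multiple `==` rows for the same attribute. Second, `Cleartext-Password` is exactly that, stored in the clear: MS-CHAP needs either it or `NT-Password` to work at all, so if MS-CHAP is in scope the table has to be treated as credential material and protected accordingly.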