Hello
we use radius, with chilli hotspot for login but the password is not working:
users can not log in, from radius logs it would appear as if chilli login form
for the user sends the password in some encrypted format (eap?)
while Radius only wants to use it as cleartext (despite configuration
"authorize{...}" section allowing other types, as it is default).
The radius secret is the same in radius and chilli.
What can be wrong?
How to make radius understand this encrypted password?
As a backup plan, how to make both radius and chilli (if any of you happen to
know / if this is radius settings related) use simple PAP...
Radius logs show:
root@hotspot:/etc/freeradius# freeradius -X
FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010
at 21:12:30
(...)
++[sql] returns ok
[expiration] Checking Expiration time: '7 Sep 2012 19:00'
++[expiration] returns ok
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "?�?�??s?�B??xڧ4"
[pap] Using clear text password "2i"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
expand: LOGIN ERROR -> LOGIN ERROR
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [ddjz/\222�?�?
\207s\231\264B\030\006xڧ4] (from client localhost port 1 cli 00-16-E6-35-
FB-04) LOGIN ERROR
WARNING: Unprintable characters in the password. Double-check the
shared secret on the server and the NAS!
Using Post-Auth-Type Reject
( Full boring log with initialization debug is available as needed )
Why Auth-Type was found to be PAP, is it said in the RADIUS packet? Or
configured wrongly in Radius or maybe in the database?
Radius config (and accounts, radius groups etc) are in database in postgresql.
Configuration reads:
# egrep -v " *#" /etc/freeradius/clients.conf | egrep -v "^ *$"
client localhost {
ipaddr = 127.0.0.1
secret = testing123
require_message_authenticator = no
}
# egrep -v " *#" /etc/freeradius/sites-enabled/default | egrep -v "^ *$"
authorize {
preprocess
chap
mschap
digest
suffix
eap {
ok = return
}
files
sql
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
digest
unix
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
radutmp
sql
exec
attr_filter.accounting_response
}
session {
radutmp
}
post-auth {
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}
Other files are at defaults (from debian stable).
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
