Re: Problems with MySQL authentication

2002-05-31 Thread Nick Davis

> > root@localhost# radtest radman2 testing localhost 10  2  hostname>
> > Sending Access-Request of id 128 to 127.0.0.1:1812
> > User-Name = "radman2"
> > User-Password = "\2529M\234\353,\006w\2657K\346m\301\022@"
> > NAS-IP-Address = 
> > NAS-Port-Id = "10"
> > Framed-Protocol = PPP
> > rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=128, length=20
> > rad_decode: Received Access-Reject packet from 127.0.0.1 with invalid signature!
> > ^^^
>
>   ^
>
> > output from radiusd -X
>
> [...]
>
> >   WARNING: Unprintable characters in the password. ?  Double-check the
> > shared secret on the server and the NAS!
> >
> > 
> > This WARNING says check my secret, but I know that is correct for sure.
> > From
>
> Are you _really really_ sure you have your shared secret correct? Both
> the "invalid signature" error radtest gives and the warning from radiusd
> indicate that the shared secrets don't match.
> Could you paste the relevant section from raddb/clients.conf?

You were correct in saying that I used an incorrect secret. I looked at my 
clients.conf and I saw that there are different secrets for localhost and my 
NAS's. I guess I didn't understand that I needed to use the secret for 
localhost; I was using the secret for my NAS. Once I used the secret for 
localhost, everything works great!!

Thanks for the excellent support everyone!

Nick

-- 
Nick Davis 
Associate Systems Administrator 
[EMAIL PROTECTED] 
Internet Exposure, Inc. 
http://www.iexposure.com  

(612)676-1946 
Web Development-Web Marketing-ISP Services

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Problems with MySQL authentication was Re: Problems with MySQL Auth-Type

2002-05-31 Thread Chris Parker

At 08:52 AM 5/31/2002 +0200, Simon wrote:
>On Thu, May 30, 2002 at 07:14:14PM -0500, Nick Davis wrote:
>
>[...]
>
> > root@localhost# radtest radman2 testing localhost 10  2  hostname>
> > Sending Access-Request of id 128 to 127.0.0.1:1812
> > User-Name = "radman2"
> > User-Password = "\2529M\234\353,\006w\2657K\346m\301\022@"
> > NAS-IP-Address = 
> > NAS-Port-Id = "10"
> > Framed-Protocol = PPP
> > rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=128, length=20
> > rad_decode: Received Access-Reject packet from 127.0.0.1 with invalid
> > signature!^^^
>   ^
>
>Are you _really really_ sure you have your shared secret correct? Both
>the "invalid signature" error radtest gives and the warning from radiusd
>indicate that the shared secrets don't match.
>Could you paste the relevant section from raddb/clients.conf?

It is most likely just really old code on the NAS.  Quite a few NAS
in older code revs didn't sign Accounting-Request packets properly.
Livingston Portmasters were one.  I'd highly recommend looking at
upgrading the NAS code as the suspect here.

Also, if this is an older Ascend box, Ascend didn't quite follow the RFC
method of encrypting PAP passwords when sending to the NAS ( they added
additional NULL pads ).  Newer Ascend/Lucent allow you to switch to an
RFC compliant mode.

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Re: Problems with MySQL authentication was Re: Problems with MySQL Auth-Type

2002-05-30 Thread Simon

On Thu, May 30, 2002 at 07:14:14PM -0500, Nick Davis wrote:

[...]

> root@localhost# radtest radman2 testing localhost 10  2 
> Sending Access-Request of id 128 to 127.0.0.1:1812
> User-Name = "radman2"
> User-Password = "\2529M\234\353,\006w\2657K\346m\301\022@"
> NAS-IP-Address = 
> NAS-Port-Id = "10"
> Framed-Protocol = PPP
> rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=128, length=20
> rad_decode: Received Access-Reject packet from 127.0.0.1 with invalid 
> signature!^^^
  ^

> output from radiusd -X

[...]

>   WARNING: Unprintable characters in the password. ?  Double-check the shared 
> secret on the server and the NAS!
> 
> 
> This WARNING says check my secret, but I know that is correct for sure. From 

Are you _really really_ sure you have your shared secret correct? Both
the "invalid signature" error radtest gives and the warning from radiusd
indicate that the shared secrets don't match.
Could you paste the relevant section from raddb/clients.conf?

-- 
Simon





Problems with MySQL authentication was Re: Problems with MySQL Auth-Type

2002-05-30 Thread Nick Davis

OK, I think I am really close to getting this working (having everything in 
mysql db).

As a side note, I use a table called user instead of radcheck with different 
titles for the columns because this db is for other stuff too. Here are the 
tables:

mysql> select * from user;
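+----------+---------+---------+----------+--------------+---------------+----+
| useridnr | userid  | passwd  | clientid | maxmail_size | Attribute     | op |
+----------+---------+---------+----------+--------------+---------------+----+
|       30 | radman2 | testing |        0 |      2097152 | User-Password | := |
+----------+---------+---------+----------+--------------+---------------+----+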

mysql> select * from usergroup;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  2 | radman2  | default   |
+----+----------+-----------+

mysql> select * from radgroupcheck;
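+----+-----------+------------------+-------+----+
| id | GroupName | Attribute        | Value | op |
+----+-----------+------------------+-------+----+
| 10 | default   | Simultaneous-Use | 1     | := |
|  9 | default   | Auth-Type        | PAP   | := |
+----+-----------+------------------+-------+----+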

mysql> select * from radgroupreply;
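+----+-----------+-------------------+-------------+----+------+
| id | GroupName | Attribute         | Value       | op | prio |
+----+-----------+-------------------+-------------+----+------+
|  2 | default   | User-Service-Type | Framed-User | =  |    0 |
|  3 | default   | Framed-Protocol   | PPP         | =  |    0 |
|  4 | default   | Fall-Through      | Yes         | =  |    0 |
+----+-----------+-------------------+-------------+----+------+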

I have my radiusd.conf like this:

pap {
        encryption_scheme = clear
}
authorize {
        preprocess
        sql
}
authenticate {
        authtype PAP {
                pap
        }
}
preacct {
        preprocess
}
accounting {
        unix
        sql
        radutmp
}
session {
        radutmp
}

When I run 
radtest radman2 testing localhost 10  2 

radtest seems to always encrypt my password; since I am storing pwds in 
cleartext, the auth never works. Here is some output:

root@localhost# radtest radman2 testing localhost 10  2 
Sending Access-Request of id 128 to 127.0.0.1:1812
User-Name = "radman2"
User-Password = "\2529M\234\353,\006w\2657K\346m\301\022@"
NAS-IP-Address = 
NAS-Port-Id = "10"
Framed-Protocol = PPP
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=128, length=20
rad_decode: Received Access-Reject packet from 127.0.0.1 with invalid 
signature!

*
output from radiusd -X

rad_recv: Access-Request packet from host 127.0.0.1:1087, id=128, length=63
User-Name = "radman2"
User-Password = "\2529M\234\353,\006w\2657K\346m\301\022@"
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = "10"
Framed-Protocol = PPP
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
radius_xlat:  'radman2'
sql_escape in:  'radman2'
sql_escape out:  'radman2'
sql_set_user:  escaped user --> 'radman2'
radius_xlat:  'SELECT useridnr,userid,Attribute,passwd,op FROM user WHERE userid = 'radman2' ORDER BY useridnr'
rlm_sql: Reserving sql socket id: 4
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'radman2' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'radman2' ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'radman2' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
radius_xlat:  'SELECT passwd,Attribute FROM user WHERE userid = 'radman2' AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC'
rlm_sql: Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type PAP
auth: type "PAP"
modcall: entering group authtype
rlm_pap: login attempt by "radman2" with password à\z
rlm_pap: Using password testing for user radman2 authentication.
rlm_pap: Using clear text password.
rlm_pap: Passwords don't match
  modcall[authenticate]: module "pap" returns reject
modcall: group authtype returns reject
auth: Failed to validate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [radman2/\340\\z] 
(from client localhost port 0)
  WARNING: Unprintable characters in the password. ?  Double-check the shared 
secret on the server a