Re: Freeradius 2 + MySQL + MD5 hash don't work

2011-03-18 Thread joao...@gmail.com
Okay folks, I appreciate the help. Already managed to solve.

Basically there were two details. The first was that, as the supplicant was trying
to authenticate, it was using MSCHAPv2, but the passwords were
encrypted in the database with MD5, so, just like CHAP, authentication would not work.
By forcing the supplicant to use TTLS + PAP, the authentication worked.

I thank you all.

2011/3/17 Alan Buxey a.l.m.bu...@lboro.ac.uk

 Hi,
 Dear Phil,
 
 By removing this option, it tries to authenticate with EAP/MSCHAPv2,
 and
 also fails.

 no...it works - but you haven't got the 'sql' module enabled in the
 inner-tunnel
 (which is where the server goes to when it's doing EAP)

 put sql into the inner-tunnel virtual-server and then the password
 will be exposed in the EAP tunnel...et voila, it will work(tm)

 alan
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




-- 
João Paulo de Lima Barbosa
Fone: (45) 9938-8399
Blog: http://joao.us
Twitter: @joaocdc

The mistake of those who have power is to put up barriers so that nobody reaches them,
encouraging us to seek every way we can find to reach them.
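The two failures in this thread, as an added example that is not from the list posts or from FreeRADIUS itself: a small Python model of the authorize/authenticate decisions the debug output shows (a forced `Auth-Type := PAP` applied to an EAP request, PAP verifying an MD5-Password, and MS-CHAPv2 having nothing to work with). The radcheck rows, the password and its MD5 value are constructed.

```python
import base64
import hashlib
import hmac

# Constructed radcheck-style rows (username, attribute, op, value) in the
# shape of the thread's table; the password and its MD5 are made up here.
GUEST_PASSWORD = "guest-wifi"
RADCHECK = [("usql2", "MD5-Password", ":=",
             hashlib.md5(GUEST_PASSWORD.encode()).hexdigest())]

def stored_for(username):
    return {attr: val for user, attr, _op, val in RADCHECK if user == username}

def normalize_md5(value):
    """Accept the 32-hex or base64 forms rlm_pap normalizes; return 16 raw bytes."""
    if len(value) == 32:
        try:
            return bytes.fromhex(value)
        except ValueError:
            pass
    raw = base64.b64decode(value)
    if len(raw) != 16:
        raise ValueError("MD5-Password must decode to 16 bytes")
    return raw

def select_auth_type(request, forced=None):
    """Authorize pass: a forced Auth-Type (the ':= PAP' group row) beats eap and pap."""
    if forced is not None:
        return forced  # "[pap] WARNING: Auth-Type already set.  Not setting to PAP"
    if "EAP-Message" in request:
        return "EAP"
    return "PAP" if "User-Password" in request else None

def pap_authenticate(request, username):
    """PAP can verify an MD5-Password: hash the cleartext and compare digests."""
    if "User-Password" not in request:
        return "invalid"  # the thread's "does not contain a User-Password" error
    stored = stored_for(username)
    if "MD5-Password" not in stored:
        return "noop"
    digest = hashlib.md5(request["User-Password"].encode()).digest()
    ok = hmac.compare_digest(digest, normalize_md5(stored["MD5-Password"]))
    return "ok" if ok else "reject"

def mschapv2_possible(username):
    """MS-CHAPv2 needs the NT hash (MD4 of UTF-16LE) or cleartext; MD5 cannot be converted."""
    stored = stored_for(username)
    return "Cleartext-Password" in stored or "NT-Password" in stored
```

With TTLS the inner PAP request does carry User-Password, so `pap_authenticate` can check the MD5 row; the same row gives MS-CHAPv2 nothing to derive an NT hash from, which is why only TTLS + PAP worked.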

Freeradius 2 + MySQL + MD5 hash don't work

2011-03-17 Thread joao...@gmail.com
Hello,
Has someone already implemented freeradius 2 with mysql?

I'm using version 2.1.10 of freeradius on a debian 6

If I try a plaintext based authentication, everything works.

But if I try to do an authentication with an MD5 password, I get the
following message:

*[pap] ERROR: You set 'Auth-Type = PAP' for a request that does not contain
a User-Password attribute!*

Below is my debug and table structures of authentication.


Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.25.3.0 port 1814, id=40,
length=143
User-Name = usql2@visitantes
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 02-00-00-00-00-01
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x0215017573716c32407669736974616e746573
Message-Authenticator = 0x026cbd100d0b63cacb106f91006b21f2
Proxy-State = 0x30
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm visitantes for User-Name = usql2@visitantes
[suffix] Found realm visitantes
[suffix] Adding Stripped-User-Name = usql2
[suffix] Adding Realm = visitantes
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++? if (Realm == visitantes )
? Evaluating (Realm == visitantes ) - TRUE
++? if (Realm == visitantes ) - TRUE
++- entering if (Realm == visitantes ) {...}
[sql_visitantes] expand: %{Stripped-User-Name} - usql2
[sql_visitantes] sql_set_user escaped user -- 'usql2'
rlm_sql (sql_visitantes): Reserving sql socket id: 4
[sql_visitantes] expand: SELECT id, username, attribute, value,
op   FROM radcheck   WHERE username =
'%{SQL-User-Name}'   ORDER BY id - SELECT id, username, attribute,
value, op   FROM radcheck   WHERE username =
'usql2'   ORDER BY id
[sql_visitantes] User found in radcheck table
[sql_visitantes] expand: SELECT id, username, attribute, value,
op   FROM radreply   WHERE username =
'%{SQL-User-Name}'   ORDER BY id - SELECT id, username, attribute,
value, op   FROM radreply   WHERE username =
'usql2'   ORDER BY id
[sql_visitantes] expand: SELECT groupname   FROM
radusergroup   WHERE username = '%{SQL-User-Name}'   ORDER
BY priority - SELECT groupname   FROM radusergroup   WHERE
username = 'usql2'   ORDER BY priority
[sql_visitantes] expand: SELECT id, groupname, attribute,
Value, op   FROM radgroupcheck   WHERE groupname =
'%{Sql-Group}'   ORDER BY id - SELECT id, groupname,
attribute,   Value, op   FROM radgroupcheck   WHERE
groupname = 'visitantes'   ORDER BY id
[sql_visitantes] User found in group visitantes
[sql_visitantes] expand: SELECT id, groupname, attribute,
value, op   FROM radgroupreply   WHERE groupname =
'%{Sql-Group}'   ORDER BY id - SELECT id, groupname,
attribute,   value, op   FROM radgroupreply   WHERE
groupname = 'visitantes'   ORDER BY id
rlm_sql (sql_visitantes): Released sql socket id: 4
+++[sql_visitantes] returns ok
++- if (Realm == visitantes ) returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing MD5-Password from hex encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
*[pap] ERROR: You set 'Auth-Type = PAP' for a request that does not contain
a User-Password attribute!*
++[pap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
++? if (Realm == visitantes )
? Evaluating (Realm == visitantes ) - TRUE
++? if (Realm == visitantes ) - TRUE
++- entering if (Realm == visitantes ) {...}
[sql_visitantes] expand: %{Stripped-User-Name} - usql2
[sql_visitantes] sql_set_user escaped user -- 'usql2'
[sql_visitantes] expand: %{User-Password} -
[sql_visitantes] ... expanding second conditional
[sql_visitantes] expand: %{Chap-Password} -
[sql_visitantes] expand: INSERT INTO
radpostauth   (username, pass, reply,
authdate)   VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') - INSERT INTO
radpostauth 

Re: Freeradius 2 + MySQL + MD5 hash don't work

2011-03-17 Thread Phil Mayers

On 03/17/2011 08:01 PM, joao...@gmail.com wrote:



*[pap] ERROR: You set 'Auth-Type = PAP' for a request that does not
contain a User-Password attribute!*



This is very clear:




mysql> select * from radgroupcheck;
+----+------------+-----------+----+-------+
| id | groupname  | attribute | op | value |
+----+------------+-----------+----+-------+
|  1 | visitantes | Auth-Type | := | PAP   |
+----+------------+-----------+----+-------+
1 row in set (0.00 sec)


This is wrong. Remove it.


Re: Freeradius 2 + MySQL + MD5 hash don't work

2011-03-17 Thread joao...@gmail.com
Dear Phil,

By removing this option, it tries to authenticate with EAP/MSCHAPv2, and also
fails.

The authentication I'm doing is for a wireless network.

Below is the result of debugging when I removed Auth-Type PAP from the
radgroupcheck table:


[sql_visitantes] expand: %{Stripped-User-Name} - usql2
[sql_visitantes] sql_set_user escaped user -- 'usql2'
rlm_sql (sql_visitantes): Reserving sql socket id: 1
[sql_visitantes] expand: SELECT id, username, attribute, value,
op   FROM radcheck   WHERE username =
'%{SQL-User-Name}'   ORDER BY id - SELECT id, username, attribute,
value, op   FROM radcheck   WHERE username =
'usql2'   ORDER BY id
[sql_visitantes] User found in radcheck table
[sql_visitantes] expand: SELECT id, username, attribute, value,
op   FROM radreply   WHERE username =
'%{SQL-User-Name}'   ORDER BY id - SELECT id, username, attribute,
value, op   FROM radreply   WHERE username =
'usql2'   ORDER BY id
[sql_visitantes] expand: SELECT groupname   FROM
radusergroup   WHERE username = '%{SQL-User-Name}'   ORDER
BY priority - SELECT groupname   FROM radusergroup   WHERE
username = 'usql2'   ORDER BY priority
[sql_visitantes] expand: SELECT id, groupname, attribute,
Value, op   FROM radgroupcheck   WHERE groupname =
'%{Sql-Group}'   ORDER BY id - SELECT id, groupname,
attribute,   Value, op   FROM radgroupcheck   WHERE
groupname = 'visitantes'   ORDER BY id
[sql_visitantes] User found in group visitantes
[sql_visitantes] expand: SELECT id, groupname, attribute,
value, op   FROM radgroupreply   WHERE groupname =
'%{Sql-Group}'   ORDER BY id - SELECT id, groupname,
attribute,   value, op   FROM radgroupreply   WHERE
groupname = 'visitantes'   ORDER BY id
rlm_sql (sql_visitantes): Released sql socket id: 1
+++[sql_visitantes] returns ok
++- if (Realm == visitantes ) returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
*[eap] EAP/mschapv2*
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: usql2@visitantes
[mschap] Told to do MS-CHAPv2 for usql2@visitantes with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.


2011/3/17 Phil Mayers p.may...@imperial.ac.uk

 On 03/17/2011 08:01 PM, joao...@gmail.com wrote:


 *[pap] ERROR: You set 'Auth-Type = PAP' for a request that does not
 contain a User-Password attribute!*


 This is very clear:




 mysql> select * from radgroupcheck;
 +----+------------+-----------+----+-------+
 | id | groupname  | attribute | op | value |
 +----+------------+-----------+----+-------+
 |  1 | visitantes | Auth-Type | := | PAP   |
 +----+------------+-----------+----+-------+
 1 row in set (0.00 sec)


 This is wrong. Remove it.





Re: Freeradius 2 + MySQL + MD5 hash don't work

2011-03-17 Thread Alan Buxey
Hi,

[pap] ERROR: You set 'Auth-Type = PAP' for a request that does not contain
a User-Password attribute!

it's fair enough. You've set Auth-Type = PAP

why?

alan


Re: Freeradius 2 + MySQL + MD5 hash don't work

2011-03-17 Thread Alan Buxey
Hi,
Dear Phil,
 
By removing this option, it tries to authenticate with EAP/MSCHAPv2, and
also fails.

no...it works - but you haven't got the 'sql' module enabled in the inner-tunnel
(which is where the server goes to when it's doing EAP)

put sql into the inner-tunnel virtual-server and then the password
will be exposed in the EAP tunnel...et voila, it will work(tm)

alan