Re: Freeradius 2 + MySQL + MD5 hash don't work
Okay folks, I appreciate the help. I already managed to solve it. Basically there were two details. The first was that, as the supplicant was trying to authenticate, it was using MSCHAPv2, but the passwords were encrypted in the database with MD5, so, just as with CHAP, authentication would not work. By forcing the supplicant to use TTLS + PAP, the authentication worked. I thank you all.

2011/3/17 Alan Buxey a.l.m.bu...@lboro.ac.uk:
> Hi,
>
> > Dear Phil, By removing this option, it tries to authenticate with EAP/MSCHAPv2, and also fails.
>
> no...it works - but you haven't got the 'sql' module enabled in the inner-tunnel (which is where the server goes to when it's doing EAP). Put sql into the inner-tunnel virtual-server and then the password will be exposed in the EAP tunnel...et voila, it will work(tm)
>
> alan
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-- 
João Paulo de Lima Barbosa
Fone: (45) 9938-8399
Blog: http://joao.us
Twitter: @joaocdc
"The mistake of those who have power is to put up barriers so that no one can reach them, encouraging us to seek every way we can find to reach them."
Freeradius 2 + MySQL + MD5 hash don't work
Hello,

Has anyone already implemented FreeRADIUS 2 with MySQL? I'm using FreeRADIUS version 2.1.10 on Debian 6. If I try a plaintext-based authentication, everything works. But if I try to do an authentication with an MD5 password, I get the following message:

[pap] ERROR: You set 'Auth-Type = PAP' for a request that does not contain a User-Password attribute!

Below is my debug output and the table structures for authentication.

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.25.3.0 port 1814, id=40, length=143
	User-Name = usql2@visitantes
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = 02-00-00-00-00-01
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = CONNECT 11Mbps 802.11b
	EAP-Message = 0x0215017573716c32407669736974616e746573
	Message-Authenticator = 0x026cbd100d0b63cacb106f91006b21f2
	Proxy-State = 0x30
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm visitantes for User-Name = usql2@visitantes
[suffix] Found realm visitantes
[suffix] Adding Stripped-User-Name = usql2
[suffix] Adding Realm = visitantes
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++? if (Realm == visitantes )
? Evaluating (Realm == visitantes ) -> TRUE
++? if (Realm == visitantes ) -> TRUE
++- entering if (Realm == visitantes ) {...}
[sql_visitantes] 	expand: %{Stripped-User-Name} -> usql2
[sql_visitantes] sql_set_user escaped user --> 'usql2'
rlm_sql (sql_visitantes): Reserving sql socket id: 4
[sql_visitantes] 	expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'usql2' ORDER BY id
[sql_visitantes] User found in radcheck table
[sql_visitantes] 	expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'usql2' ORDER BY id
[sql_visitantes] 	expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'usql2' ORDER BY priority
[sql_visitantes] 	expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'visitantes' ORDER BY id
[sql_visitantes] User found in group visitantes
[sql_visitantes] 	expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'visitantes' ORDER BY id
rlm_sql (sql_visitantes): Released sql socket id: 4
+++[sql_visitantes] returns ok
++- if (Realm == visitantes ) returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing MD5-Password from hex encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] ERROR: You set 'Auth-Type = PAP' for a request that does not contain a User-Password attribute!
++[pap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
++? if (Realm == visitantes )
? Evaluating (Realm == visitantes ) -> TRUE
++? if (Realm == visitantes ) -> TRUE
++- entering if (Realm == visitantes ) {...}
[sql_visitantes] 	expand: %{Stripped-User-Name} -> usql2
[sql_visitantes] sql_set_user escaped user --> 'usql2'
[sql_visitantes] 	expand: %{User-Password} -> 
[sql_visitantes] ... expanding second conditional
[sql_visitantes] 	expand: %{Chap-Password} -> 
[sql_visitantes] 	expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
Re: Freeradius 2 + MySQL + MD5 hash don't work
On 03/17/2011 08:01 PM, joao...@gmail.com wrote:
> [pap] ERROR: You set 'Auth-Type = PAP' for a request that does not contain a User-Password attribute!

This is very clear:

> mysql> select * from radgroupcheck;
> +----+------------+-----------+----+-------+
> | id | groupname  | attribute | op | value |
> +----+------------+-----------+----+-------+
> |  1 | visitantes | Auth-Type | := | PAP   |
> +----+------------+-----------+----+-------+
> 1 row in set (0.00 sec)

This is wrong. Remove it.
Re: Freeradius 2 + MySQL + MD5 hash don't work
Dear Phil,

By removing this option, it tries to authenticate with EAP/MSCHAPv2, and also fails. The authentication I'm doing is on a wireless network. Below is the debug output when I removed Auth-Type PAP from the radgroupcheck table:

[sql_visitantes] 	expand: %{Stripped-User-Name} -> usql2
[sql_visitantes] sql_set_user escaped user --> 'usql2'
rlm_sql (sql_visitantes): Reserving sql socket id: 1
[sql_visitantes] 	expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'usql2' ORDER BY id
[sql_visitantes] User found in radcheck table
[sql_visitantes] 	expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'usql2' ORDER BY id
[sql_visitantes] 	expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'usql2' ORDER BY priority
[sql_visitantes] 	expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'visitantes' ORDER BY id
[sql_visitantes] User found in group visitantes
[sql_visitantes] 	expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'visitantes' ORDER BY id
rlm_sql (sql_visitantes): Released sql socket id: 1
+++[sql_visitantes] returns ok
++- if (Realm == visitantes ) returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: usql2@visitantes
[mschap] Told to do MS-CHAPv2 for usql2@visitantes with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.

2011/3/17 Phil Mayers p.may...@imperial.ac.uk:
> On 03/17/2011 08:01 PM, joao...@gmail.com wrote:
> > [pap] ERROR: You set 'Auth-Type = PAP' for a request that does not contain a User-Password attribute!
>
> This is very clear:
>
> > mysql> select * from radgroupcheck;
> > +----+------------+-----------+----+-------+
> > | id | groupname  | attribute | op | value |
> > +----+------------+-----------+----+-------+
> > |  1 | visitantes | Auth-Type | := | PAP   |
> > +----+------------+-----------+----+-------+
> > 1 row in set (0.00 sec)
>
> This is wrong. Remove it.

-- 
João Paulo de Lima Barbosa
Re: Freeradius 2 + MySQL + MD5 hash don't work
Hi,

> [pap] ERROR: You set 'Auth-Type = PAP' for a request that does not contain a User-Password attribute!

It's fair enough. You've set Auth-Type = PAP. Why?

alan
Re: Freeradius 2 + MySQL + MD5 hash don't work
Hi,

> Dear Phil, By removing this option, it tries to authenticate with EAP/MSCHAPv2, and also fails.

no...it works - but you haven't got the 'sql' module enabled in the inner-tunnel (which is where the server goes to when it's doing EAP). Put sql into the inner-tunnel virtual-server and then the password will be exposed in the EAP tunnel...et voila, it will work(tm)

alan
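The two failures in this thread, modelled as an added example (it is not FreeRADIUS code and not from any of the posters): first, `Auth-Type := PAP` in radgroupcheck forcing PAP on an outer request that carries an EAP-Message and no User-Password, which is the "returns invalid" seen in the first debug; second, an inner EAP method of MS-CHAPv2 run against a radcheck row that holds only MD5-Password, which is the "No NT/LM-Password" rejection in the second debug. The attribute names (MD5-Password, Cleartext-Password, NT-Password, Auth-Type) and the error text are the ones FreeRADIUS uses; the radcheck/radgroupcheck rows, the password "secret" and the functions `select_auth_type` and `inner_tunnel_outcome` are constructed for the example and are simplified models of the authorize and inner-tunnel stages, not the server's real logic.

```python
"""Model of the Auth-Type and stored-password decisions behind this thread.
Added example; attribute names follow FreeRADIUS, the data is constructed."""
import base64
import binascii
import hashlib
import hmac
import re

# Which stored password attribute each method can verify.  PAP receives the
# cleartext password, so any stored digest can be recomputed and compared.
# CHAP must recompute MD5(id || password || challenge) and needs the cleartext.
# MS-CHAPv2 needs the NT hash (MD4 of the UTF-16LE password), which exists
# only as NT-Password or can be derived from Cleartext-Password.
PASSWORD_ATTRS = {"Cleartext-Password", "MD5-Password", "SHA-Password",
                  "Crypt-Password", "NT-Password", "LM-Password"}
COMPATIBLE = {
    "PAP": PASSWORD_ATTRS,
    "CHAP": {"Cleartext-Password"},
    "MS-CHAPv2": {"Cleartext-Password", "NT-Password"},
}

# Constructed rows in the layout of radcheck / radgroupcheck:
# (key, attribute, op, value).  usql2's password is 'secret', stored as
# MD5-Password in hex, the form the first debug shows rlm_pap normalizing.
RADCHECK = [("usql2", "MD5-Password", ":=", hashlib.md5(b"secret").hexdigest())]
RADGROUPCHECK_BROKEN = [("visitantes", "Auth-Type", ":=", "PAP")]  # the row Phil says to remove
RADGROUPCHECK_FIXED = []


def check_items(username, groups, radcheck, radgroupcheck):
    """Merge per-user and per-group check items, user rows taking precedence."""
    items = {attr: val for (u, attr, _op, val) in radcheck if u == username}
    for (g, attr, _op, val) in radgroupcheck:
        if g in groups:
            items.setdefault(attr, val)
    return items


def md5_password_hex(password):
    return hashlib.md5(password.encode()).hexdigest()


def normalize_md5_password(value):
    """rlm_pap accepts MD5-Password as 16 raw bytes, 32 hex chars or base64;
    this mirrors its 'Normalizing MD5-Password from hex encoding' step."""
    if isinstance(value, bytes) and len(value) == 16:
        return value
    text = value.decode() if isinstance(value, bytes) else value
    if re.fullmatch(r"[0-9a-fA-F]{32}", text):
        return binascii.unhexlify(text)
    if re.fullmatch(r"[A-Za-z0-9+/]{22}==", text):
        return base64.b64decode(text)
    raise ValueError("MD5-Password must be 16 raw bytes, 32 hex chars or base64")


def select_auth_type(request_attrs, items):
    """Authorize-stage outcome as (auth_type, reason).  A forced Auth-Type wins,
    which is exactly why 'Auth-Type := PAP' breaks an EAP conversation."""
    forced = items.get("Auth-Type")
    if forced == "PAP" and "User-Password" not in request_attrs:
        return ("invalid", "You set 'Auth-Type = PAP' for a request that does not "
                           "contain a User-Password attribute!")
    if forced:
        return (forced, None)
    if "EAP-Message" in request_attrs:
        return ("EAP", None)
    if "User-Password" in request_attrs and items.keys() & PASSWORD_ATTRS:
        return ("PAP", None)
    return ("reject", "no authentication method applies")


def inner_tunnel_outcome(inner_method, user_password, items):
    """Inner-tunnel authenticate stage.  `items` is what the inner-tunnel virtual
    server itself looked up: empty when 'sql' is not listed there (Alan's point)."""
    stored = items.keys() & PASSWORD_ATTRS
    if not stored:
        return ("reject", "no password attribute found; is 'sql' listed in inner-tunnel?")
    usable = stored & COMPATIBLE[inner_method]
    if not usable:
        return ("reject", f"{inner_method} cannot use {', '.join(sorted(stored))}; "
                          "store Cleartext-Password or NT-Password instead")
    attr = "Cleartext-Password" if "Cleartext-Password" in usable else sorted(usable)[0]
    if inner_method == "MS-CHAPv2":
        # The challenge/response arithmetic is out of scope; the point is only
        # whether an NT hash can exist at all.
        return ("proceed", f"NT hash available via {attr}")
    if attr == "Cleartext-Password":
        ok = hmac.compare_digest(user_password.encode(), items[attr].encode())
    elif attr == "MD5-Password":
        ok = hmac.compare_digest(hashlib.md5(user_password.encode()).digest(),
                                 normalize_md5_password(items[attr]))
    else:
        return ("reject", f"this example does not verify {attr}")
    return ("accept" if ok else "reject", None)


def run_thread_scenarios():
    """The six situations discussed in the thread, as {name: (result, reason)}."""
    outer_request = {"User-Name", "EAP-Message", "Message-Authenticator"}
    broken = check_items("usql2", {"visitantes"}, RADCHECK, RADGROUPCHECK_BROKEN)
    fixed = check_items("usql2", {"visitantes"}, RADCHECK, RADGROUPCHECK_FIXED)
    return {
        "forced_pap_on_eap_request": select_auth_type(outer_request, broken),
        "auth_type_row_removed": select_auth_type(outer_request, fixed),
        "mschapv2_sql_missing_in_inner": inner_tunnel_outcome("MS-CHAPv2", "secret", {}),
        "mschapv2_against_md5": inner_tunnel_outcome("MS-CHAPv2", "secret", fixed),
        "ttls_pap_against_md5": inner_tunnel_outcome("PAP", "secret", fixed),
        "ttls_pap_wrong_password": inner_tunnel_outcome("PAP", "wrong", fixed),
    }


if __name__ == "__main__":
    for name, (result, reason) in run_thread_scenarios().items():
        print(f"{name:32} {result:8} {reason or ''}")
```

Run it directly to print the six outcomes. The `COMPATIBLE` table is the practical takeaway: if the supplicant insists on PEAP or EAP-MSCHAPv2, the database has to hold Cleartext-Password or NT-Password, and an MD5-Password column can never satisfy it; with MD5-Password only, EAP-TTLS/PAP (what the original poster settled on) is the combination that works, and the sql module must be listed in the inner-tunnel virtual server so the lookup happens where the inner cleartext password is visible.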