On Wed, May 29, 2002 at 02:44:23PM -0500, Nick Davis wrote:
> >
> > > We're trying to set up a web front, where all of this stuff can be
> > > changed without having to know any linux commands or mysql commands. I
> > > have the web front basically done, but tying it into FreeRadius would be
> > > nearly impossible from what I'm understanding. That means the password
> > > needs to also be stored in one of the configuration files correct? Such
> > > as clients.conf? Or is PAP just used to verify the password stored in the
> > > SQL database?
> >
> > Nono, you can store the password in the (per default) radcheck table in
> > the sql database. PAP (for example) is, like you said, only used to
> > verify the password returned from the sql module. PAP can check
> > cleartext, crypt and md5 passwords at the moment.
> > clients.conf is used for the secrets etc. for communicating with other
> > 'clients', NAS'es etc, and has nothing to do with the actual user
> > authentication, I think you meant the 'users' file above.
> >
> > You can also set the Auth-Type attribute in the radgroupcheck table if
> > you want to avoid the users file altogether.
> >
> > I.e. you never need to touch anything other than the sql database with
> > your web frontend.
> 
> I'm in the process of setting up something very similar (wanting to use the 
> database only). What you said above has me somewhat confused now. 
> 
> If I set Auth-Type := PAP in my radgroupcheck table, I also need to set
> 
> authenticate{
>       authtype PAP {
>                pap
>        }
> }

Yepp.
Also, don't forget to set the encryption_scheme in the PAP section of
the modules section. It defaults to md5.

> Is there anything else I need to do as far as authentication goes? Do I still 
> need to use the files module like radius.conf says:
> 
> "# Uncomment the following if you want to support PAP and you extract user
> # passwords from the user database (LDAP,SQL etc). You should use the files
> # module to set Auth-Type to PAP for this to work."

This is along the lines of what Alan said earlier, if you include the
files module and add:
DEFAULT   Auth-Type := PAP
to the 'users' file, you won't need to set the Auth-Type in the
radgroupcheck table. If you want to do away with the 'users' file
completely, setting Auth-Type := PAP in radgroupcheck seems to work
fine.
Perhaps the above comment in the radiusd.conf should be updated?

> because the files module looks for 'users' and 'acct_users'.
> 
> Also, if PAP can do cleartext, crypt and md5 passwords, why would anyone need 
> to use Auth-Type := Local while using a sql database to store user names and 
> pwds?

Beats me :), less complexity perhaps? You can do both cleartext and
standard unix crypted passwords with just the local auth-type which
might be fine for some (most?) cases. That also removes the need of
setting any auth-type at all, it appears to be set automatically if you
have either Password or Crypt-Password set and no Auth-Type set.

I've tried cleartext, crypt and md5 with PAP against latest cvs, and
they all seem to work fine.

On a side note, it seems that you should use Password, and not
Crypt-Password with all three PAP encryption schemes, unlike with the
local auth-type.

-- 
Simon


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
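
The point made in the thread, that the value stored as the Password check item has to be in the form the PAP module's encryption_scheme expects, shown as an added Python example (not part of the original messages and not FreeRADIUS code). The function names are hypothetical, the sample data is constructed, the md5 scheme is assumed to compare a hex-encoded digest, and crypt is left out.

```python
import hashlib
import hmac

# Hypothetical helpers; "clear" and "md5" mirror two of the encryption_scheme
# values named in the thread. crypt is omitted from this sketch.
SCHEMES = ("clear", "md5")


def stored_value(scheme: str, password: str) -> str:
    """Value a web front end would write as the Password check item."""
    if scheme == "clear":
        return password
    if scheme == "md5":
        # Assumption: the md5 scheme compares against a hex-encoded digest.
        return hashlib.md5(password.encode()).hexdigest()
    raise ValueError(f"unsupported scheme: {scheme}")


def pap_check(scheme: str, stored: str, submitted: str) -> bool:
    """Transform the submitted password per the scheme, then compare."""
    candidate = stored_value(scheme, submitted)
    if scheme == "md5":
        stored = stored.lower()  # hex digests compare case-insensitively
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate.encode(), stored.encode())


def demo() -> dict:
    # Constructed sample data, not taken from any real database.
    password = "s3cret-example"
    row_md5 = stored_value("md5", password)
    return {
        "md5_row_md5_scheme": pap_check("md5", row_md5, password),
        "md5_row_wrong_password": pap_check("md5", row_md5, "guess"),
        # Mismatch: row written as MD5 while the module is set to clear.
        "md5_row_clear_scheme": pap_check("clear", row_md5, password),
        # Mismatch: cleartext row while the module is set to md5.
        "clear_row_md5_scheme": pap_check("md5", password, password),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

The two mismatch cases reject a correct password, which is the symptom to expect when the front end and the module disagree on the scheme.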
