I have sql and chap in authorize section and the password is cleartext for sure =) freeradius even finds it!

rlm_chap: Using clear text password testpasswd for user test

Evren

On Tue, 26 Nov 2002, Chhai Thach wrote:

> In the radius.conf file under the authenticate function, it says:
>
> Most people want CHAP authentication
> A back-end database listed in the 'authorize' section
> MUST supply a CLEAR TEXT password. Encrypted passwords
> won't work.
>
> I couldn't get MS-Chap going though with neither encrypted or unencrypted password.
>
> -----Original Message-----
> From: Evren Yurtesen [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 26 November 2002 2:19 PM
> To: [EMAIL PROTECTED]
> Subject: serious radclient bug! (2)
>
> Sorry, maybe this is not a bug =)
> But still I couldn't get freeradius to work with MySQL and CHAP
> I use plain text passwords in MySQL and everything else seems fine
>
> in radcheck I have
> Username Attribute Value Op
> test User-Passwd testpassed :=
>
> in radgroupcheck
> GroupName Attribute Value op
> 64Kbit/s Auth-Type CHAP :=
>
> and test user is in this group...
>
> I get this error
>
> tunnel:/usr/local/dialup_admin#radclient localhost auth testing123
> User-Name = "test"
> CHAP-Password = "testpasswd"
> Received response ID 242, code 3, length = 32
> Ascend-Data-Rate = 64000
> tunnel:/usr/local/dialup_admin#
>
> and my -sxx output is...
>
> tunnel:/usr/local/etc/raddb#radiusd -sxx
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /usr/local/etc/raddb/clients.conf
> Config: including file: /usr/local/etc/raddb/sql.conf
> main: prefix = "/usr/local"
> main: localstatedir = "/usr/local/var"
> main: logdir = "/var/log"
> main: libdir = "/usr/local/lib"
> main: radacctdir = "/var/log/radacct"
> main: hostname_lookups = no
> read_config_files: reading dictionary
> read_config_files: reading clients
> read_config_files: reading realms
> read_config_files: reading naslist
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> main: user = "(null)"
> main: group = "(null)"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: proxy_requests = no
> security: max_attributes = 200
> security: reject_delay = 1
> main: debug_level = 0
> read_config_files: entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded SQL
> sql: driver = "rlm_sql_mysql"
> sql: server = "localhost"
> sql: port = ""
> sql: login = "radius"
> sql: password = "radius2best"
> sql: radius_db = "radius"
> sql: acct_table = "radacct"
> sql: acct_table2 = "radacct"
> sql: authcheck_table = "radcheck"
> sql: authreply_table = "radreply"
> sql: groupcheck_table = "radgroupcheck"
> sql: groupreply_table = "radgroupreply"
> sql: usergroup_table = "usergroup"
> sql: nas_table = "nas"
> sql: dict_table = "dictionary"
> sql: sqltrace = no
> sql: sqltracefile = "/var/log/sqltrace.sql"
> sql: deletestalesessions = yes
> sql: num_sql_socks = 5
> sql: sql_user_name = "%{User-Name}"
> sql: authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM
> radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
> sql: authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM
> radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
> sql: authorize_group_check_query = "SELECT
> >radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
> FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}'
> AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY
> radgroupcheck.id"
> sql: authorize_group_reply_query = "SELECT
> >radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
> FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}'
> AND usergroup.GroupName = radgroupreply.GroupName ORDER BY
> radgroupreply.id"
> sql: authenticate_query = "SELECT Value,Attribute FROM radcheck WHERE
> UserName = '%{User-Name}' AND ( Attribute = 'User-Password' OR Attribute =
> 'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC"
> sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S',
> AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime),
> AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay =
> %{Acct-Delay-Time} WHERE AcctSessionTime=0 AND AcctStopTime=0 AND
> NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
> sql: accounting_update_query = "UPDATE radacct SET FramedIPAddress =
> '%{Framed-IP-Address}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND
> UserName = '%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}' AND
> AcctStopTime = 0"
> sql: accounting_start_query = "INSERT into radacct (RadAcctId,
> AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,
> NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
> ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
> CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
> FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('',
> '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
> '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S',
> '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0',
> '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}',
> '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"
> sql: accounting_start_query_alt = "UPDATE radacct SET AcctStartTime =
> '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start =
> '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName
> = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}' AND
> AcctStopTime = 0"
> sql: accounting_stop_query = "UPDATE radacct SET AcctStopTime = '%S',
> AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets =
> '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}',
> AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay =
> '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE
> AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND
> NASIPAddress = '%{NAS-IP-Address}' AND AcctStopTime = 0"
> sql: accounting_stop_query_alt = "INSERT into radacct (RadAcctId,
> AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,
> NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
> ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
> CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
> FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('',
> '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
> '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '0',
> '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}',
> '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}',
> '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}',
> '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')"
> sql: connect_failure_retry_delay = 60
> sql: simul_count_query = ""
> sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName,
> NASIPAddress, NASPortId, FramedIPAddress, CalledStationId FROM radacct
> WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
> sql: simul_zap_query = "DELETE FROM radacct WHERE RadAcctId = '%s'"
> rlm_sql: Driver rlm_sql_mysql loaded and linked
> rlm_sql: Attempting to connect to radius@localhost:/radius
> rlm_sql: starting 0
> rlm_sql: Attempting to connect #0
> rlm_sql: Starting connect to MySQL server for #0
> rlm_sql: Connected new DB handle, #0
> rlm_sql: starting 1
> rlm_sql: Attempting to connect #1
> rlm_sql: Starting connect to MySQL server for #1
> rlm_sql: Connected new DB handle, #1
> rlm_sql: starting 2
> rlm_sql: Attempting to connect #2
> rlm_sql: Starting connect to MySQL server for #2
> rlm_sql: Connected new DB handle, #2
> rlm_sql: starting 3
> rlm_sql: Attempting to connect #3
> rlm_sql: Starting connect to MySQL server for #3
> rlm_sql: Connected new DB handle, #3
> rlm_sql: starting 4
> rlm_sql: Attempting to connect #4
> rlm_sql: Starting connect to MySQL server for #4
> rlm_sql: Connected new DB handle, #4
> Module: Instantiated sql (sql)
> Listening on IP address *, ports 1812/udp and 1813/udp.
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:1558, id=242,
> length=45
> User-Name = "test"
> CHAP-Password = 0xf26580dede51cb48778629d0487cd5fad7
> modcall: entering group authorize
> rlm_chap: Adding Auth-Type = CHAP
> modcall[authorize]: module "chap" returns ok
> radius_xlat: 'test'
> sql_set_user: escaped user --> 'test'
> radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
> Username = 'test' ORDER BY id'
> rlm_sql: Reserving sql socket id: 4
> radius_xlat: 'SELECT
> >radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
> FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND
> usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
> radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
> Username = 'test' ORDER BY id'
> radius_xlat: 'SELECT
> >radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
> FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND
> usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
> radius_xlat: 'SELECT Value,Attribute FROM radcheck WHERE UserName =
> 'test' AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR
> Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC'
> rlm_sql: Released sql socket id: 4
> modcall[authorize]: module "sql" returns ok
> modcall: group authorize returns ok
> rad_check_password: Found Auth-Type CHAP
> auth: type "CHAP"
> modcall: entering group authtype
> rlm_chap: login attempt by "test" with CHAP password �e?��Q�Hw?)�H|���
> rlm_chap: Using clear text password testpasswd for user test
> authentication.
> rlm_chap: Pasword check failed
> modcall[authenticate]: module "chap" returns reject
> modcall: group authtype returns reject
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 242 to 127.0.0.1:1558
> Ascend-Data-Rate = 64000
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 242 with timestamp 3de2eee0
> Nothing to do. Sleeping until we see a request.
>
> So what is the solution to this problem?
>
> ---------- Forwarded message ----------
> Date: Tue, 26 Nov 2002 05:35:16 +0200 (WET)
> From: Evren Yurtesen <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: serious radclient bug!
>
> Hi,
>
> I have been sitting here all night to find out to see this;
>
> I run radclient like this
> #radclient localhost auth testing123
>
> I enter these
> User-Name = test
> CHAP-Password = testpasswd
>
> then press CTRL-D
>
> I somehow never could login!
>
> I (at last) set in conf file to see password in logs...
>
> Tue Nov 26 05:29:20 2002 : Auth: Login incorrect: [test/<CHAP-Password>] (from >client localhost port 0)
>
> I believe this happens to be a bug? If I use these pairs it works though
>
> User-Name = test
> Password = testpasswd
> Auth-Type = CHAP
>
> Evren
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
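
Added example, not part of the original thread and not FreeRADIUS code: a sketch of the RFC 2865 CHAP check, showing why the quoted configuration comment requires a clear-text password from the back-end database and how the 17-octet CHAP-Password value in the debug output is laid out. The challenge bytes and the hashed database entry are constructed for illustration; the function names are hypothetical.

```python
import hashlib
import hmac

# CHAP-Password exactly as printed in the thread's debug output (17 octets).
LOGGED_CHAP_PASSWORD = bytes.fromhex("f26580dede51cb48778629d0487cd5fad7")


def split_chap_password(attr: bytes) -> tuple:
    """Split the attribute into its CHAP ident octet and 16-octet MD5 response."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be 1 ident octet + 16 response octets")
    return attr[0], attr[1:]


def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Build the attribute: ident || MD5(ident || password || challenge)."""
    ident_octet = bytes([ident])
    return ident_octet + hashlib.md5(ident_octet + password + challenge).digest()


def verify_chap(attr: bytes, stored_secret: bytes, challenge: bytes) -> bool:
    """Server side: recompute the response from whatever the database returned."""
    ident, _response = split_chap_password(attr)
    expected = chap_password(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, attr)


def demo() -> dict:
    # Constructed challenge. On the wire it is the CHAP-Challenge attribute,
    # or the Request Authenticator when that attribute is absent (RFC 2865).
    challenge = bytes(range(16))
    attr = chap_password(242, b"testpasswd", challenge)
    # Constructed stand-in for a database that stores only a one-way hash.
    hashed_entry = hashlib.sha1(b"testpasswd").hexdigest().encode()
    return {
        "cleartext_entry": verify_chap(attr, b"testpasswd", challenge),
        "hashed_entry": verify_chap(attr, hashed_entry, challenge),
        "wrong_challenge": verify_chap(attr, b"testpasswd", bytes(16)),
        "logged_ident": split_chap_password(LOGGED_CHAP_PASSWORD)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The server can only recompute the MD5 response if it holds the same secret the client hashed, so a stored one-way hash never matches; the logged value's first octet, 0xf2, is the CHAP ident 242.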
