okay. it definitely refuses to do md5 password authentication, which is
strange.

i've got Crypt-Password == $1$salt$password style md5 entries in the
radcheck sql table for that user. if i replace it with an ENCRYPT()'ed
string, it works fine, but that's not an md5 password.

i've tried setting
encryption_scheme = md5 and crypt, and sha1.

have i got the Attribute name correct for an md5 password?

I've checked through the rlm_pap.c code as best i can, and barring a
failure of the MD5 encryption routines, i can't see where it's going
wrong...

appropriate snippets of radius -x -x output:
Thread 2 handling request 7, (2 handled so far)
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 192.168.100.108
NAS-Port = 1
NAS-Port-Type = Async
Service-Type = Framed-User
Framed-Protocol = PPP
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
radius_xlat: 'testuser'
rlm_sql (sql): sql_set_user escaped user --> 'testuser'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'testuser' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'testuser' ORDER BY id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module "sql" returns ok
modcall: group authorize returns ok
auth: type Crypt
auth: Failed to validate the user.
Login incorrect: [testuser/testpass] (from client pm1 port 1)

now, i've double-checked that it's using pap as best i can, but from
there, it doesn't look like it is...

can anyone shed some light on where i may have left something out of the
config?

thanks

Andrew Pilley

On Thu, Dec 19, 2002 at 10:38:39AM +1100, Andrew Pilley wrote:
> On Wed, Dec 18, 2002 at 11:18:56AM -0500, Alan DeKok wrote:
> > Andrew Pilley <[EMAIL PROTECTED]> wrote:
> > > since md5 is a one-way hash, i can't just recover the passwords and
> > > recrypt them.
> >
> > Just use them in place.
>
> i've tried that. i changed the Crypt-Password's Value field to basically
> be a copy of an existing md5 based password, but i think pap is having
> issues with it, as it basically seems to reject me... am i using the
> right Attribute name for an md5-based password?
>
> >
> > > What would i need to do to achieve basically a straight copy-paste of
> > > the existing md5 passwords into appropriate SQL rows? i've tried setting
> > > pap {
> > > encryption_scheme = md5
> > > }
> > > as well as setting it to crypt, and neither seem to work.
> >
> > Wow. Why doesn't it work? Did you read the FAQ?
>
> there isn't anything in the FAQ on www.freeradius.org about this
> particular issue, as far as i can see... i'll try turning up the
> debugging output, and seeing what i can get pap's code to tell me
> tomorrow (not at work today, so it's a little hard to test)
>
> that said, it works fine if i insert the plaintext password into the
> Value field, running the ENCRYPT mysql function on it (so it's CRYPT'ed
> in the database). (when using encryption_scheme=crypt)
>
> Andrew Pilley
>
> >
> > Alan DeKok.
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html