Dear List,
I am experiencing strange behaviour during PAP authentication.
I tried this with FreeRADIUS 0.7 and 0.8.1, both running under
FreeBSD 4.7.
My steps:
0. preparation of radiusd.conf
--------------------------------
under modules section:
    pap {
        encryption_scheme = crypt
    }
under authentication section:
    authtype PAP {
        pap
    }
1. create an account in users file:
--------------------------------
> perl -e 'print crypt(passwort,aa) '
aaFO1iP18KyBk>
[Here the relevant part of the 'users' file:]
[...]
cryjk   Auth-Type := pap, User-Password == "aaFO1iP18KyBk"
        Idle-Timeout := 3000
[...]
2. I start radiusd:
--------------------------------
radiusd -xx
3. I start a radtest client with: (output under 'Test 1')
-----------------------------------------------------------
(User-Name: cryjk
Password: aaFO1iP18KyBk)
radtest cryjk aaFO1iP18KyBk localhost 0 testing123
Since I provide the original crypted pw (which I expect is crypted
by some application), I expect an Access-Accept.
4. I start another radtest client with: (output under 'Test 2')
-----------------------------------------------------------------
(User-Name: cryjk
Password: bogus)
radtest cryjk FO1iP18KyBk localhost 0 testing123
As expected, I get an Access-Reject.
5. What is the strange thing about it:
-----------------------------------------
When I see the output for these tests I wonder why I get totally
different output ...
With Test 1 the radiusd finds the user 'cryjk' and in Test 2
it is not found.
Since it is the exact crypt output which I send to radius,
I expect it to give me an accept.
Where is my mistake?
Help deeply appreciated.
with kind regards,
Jochen Kaiser
--
Dipl. Inf. Jochen Kaiser, GPG 0x3C93A870, phone +49 9131 85-28681
Network Administration mailto:[EMAIL PROTECTED]
Regionales Rechenzentrum Universitaet Erlangen-Nuernberg, Germany
Homepage and PublicKey: http://ipv6.rrze.uni-erlangen.de/~unrz111
Test 1
------
> radtest cryjk aaFO1iP18KyBk localhost 0 testing123
Sending Access-Request of id 99 to 127.0.0.1:1812
User-Name = "cryjk"
User-Password = "\210\3752\306Q\274is\354^\263)CF!s"
NAS-IP-Address = ipv6.rrze.uni-erlangen.de
NAS-Port = 0
Re-sending Access-Request of id 99 to 127.0.0.1:1812
User-Name = "cryjk"
User-Password = "\210\3752\306Q\274is\354^\263)CF!s"
NAS-IP-Address = ipv6.rrze.uni-erlangen.de
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=99, length=20
>
output of radiusd -xx:
Thread 2 assigned request 2
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 2 handling request 2, (1 handled so far)
User-Name = "cryjk"
User-Password = "aaFO1iP18KyBk"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "mschap" returns notfound
rlm_realm: No '@' in User-Name = "cryjk", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched cryjk at 113
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type pap
auth: type "PAP"
modcall: entering group authtype
rlm_pap: login attempt by "cryjk" with password aaFO1iP18KyBk
rlm_pap: Using password "aaFO1iP18KyBk" for user cryjk authentication.
rlm_pap: Using CRYPT encryption.
rlm_pap: Passwords don't match
modcall[authenticate]: module "pap" returns reject
modcall: group authtype returns reject
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Thread 2 waiting to be assigned a request
rad_recv: Access-Request packet from host 127.0.0.1:2268, id=99, length=57
Sending Access-Reject of id 99 to 127.0.0.1:2268
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/0/5
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 99 with timestamp 3e888dc9
Nothing to do. Sleeping until we see a request.
Test 2
------
> radtest cryjk FO1iP18KyBk localhost 0 testing123
Sending Access-Request of id 107 to 127.0.0.1:1812
User-Name = "cryjk"
User-Password = "\265f\236\272\\\222\352}2;%\234%\357g-"
NAS-IP-Address = ipv6.rrze.uni-erlangen.de
NAS-Port = 0
Re-sending Access-Request of id 107 to 127.0.0.1:1812
User-Name = "cryjk"
User-Password = "\265f\236\272\\\222\352}2;%\234%\357g-"
NAS-IP-Address = ipv6.rrze.uni-erlangen.de
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=107, length=20
>
output of radiusd -xx:
rad_recv: Access-Request packet from host 127.0.0.1:2269, id=107, length=57
Thread 3 assigned request 4
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 3 handling request 4, (1 handled so far)
User-Name = "cryjk"
User-Password = "FO1iP18KyBk"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "mschap" returns notfound
rlm_realm: No '@' in User-Name = "cryjk", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 172
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
modcall[authenticate]: module "unix" returns notfound
modcall: group authenticate returns notfound
auth: Failed to validate the user.
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
Thread 3 waiting to be assigned a request
rad_recv: Access-Request packet from host 127.0.0.1:2269, id=107, length=57
Sending Access-Reject of id 107 to 127.0.0.1:2269
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/0/5
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 107 with timestamp 3e888e26
Nothing to do. Sleeping until we see a request.
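
The two different paths in the debug output above ("Matched cryjk at 113" followed by "Passwords don't match" in Test 1, "Matched DEFAULT at 172" in Test 2) can be reproduced with a small model. This is an added example, not part of the original post and not FreeRADIUS code. It assumes that `User-Password == "..."` in the users file is compared literally with the password in the request, and that the pap module in crypt mode runs the received password through crypt() with the stored value as salt; the function names are hypothetical.

```perl
#!/usr/bin/perl
# Added illustration: a simplified model of the two comparisons, not server code.
use strict;
use warnings;

# Values taken from the post. "passwort" is the string that was passed to
# crypt() in step 1; the hash is what was placed in the users file.
my $stored_hash = 'aaFO1iP18KyBk';
my $cleartext   = 'passwort';

# Stage 1 (assumed model of the users file): 'User-Password == "..."' is a
# check item, so the cryjk entry is selected only when the password sent in
# the request is literally equal to the configured string.
sub users_entry_matches {
    my ($sent) = @_;
    return $sent eq $stored_hash;
}

# Stage 2 (assumed model of pap with encryption_scheme = crypt): the password
# sent is hashed with crypt(), using the stored hash as salt, and the result
# is compared with the stored hash.
sub pap_crypt_accepts {
    my ($sent) = @_;
    my $computed = crypt($sent, $stored_hash);
    return defined $computed && $computed eq $stored_hash;
}

# The two passwords from Test 1 and Test 2, plus the cleartext for comparison.
for my $sent ($stored_hash, 'FO1iP18KyBk', $cleartext) {
    my $entry = users_entry_matches($sent) ? 'cryjk entry' : 'falls through';
    my $pap   = pap_crypt_accepts($sent)   ? 'match'       : "don't match";
    printf "%-15s users file: %-13s crypt compare: %s\n", $sent, $entry, $pap;
}
```

In this model no single input passes both stages: the hash string selects the cryjk entry but is hashed a second time before the comparison, while the cleartext would survive the crypt comparison but never selects the entry.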