Alan DeKok wrote:
Because User-Password is the password as entered by the user.
Cleartext-Password is the "known good" password on the server. They are
*not* the same.
When you do EAP, there is *no* User-Password attribute in the packets.
So doing "User-Password == ..." is *wrong*. There's no User-Password,
so there's nothing to compare to.
OK. So rlm_mschap will look for the internal check item
"Cleartext-Password" and it will use that value for authentication.
From share/freeradius/dictionary.freeradius.internal
ATTRIBUTE Cleartext-Password 1100 string
This item should be set by some module (rlm_file, rlm_ldap, possibly
others) during the "authorize" state. Besides, rlm_mschap has no idea
where the passwords (in any form) are stored.
Correct?
In my environment I authenticate against an LDAP server, so according to
the ldap.attrmap file the LDAP attribute "userPassword" (which contains
the password in clear text form) is copied to the check item
"User-Password", while no attribute seems to be copied to the check item
"Cleartext-Password". Still the mschap module is able to authenticate
the users.
That is a historical artifact of the server. See the big warnings in
debugging mode in 2.0.x.
In rlm_ldap I found this warning (I found just one):
if (!pairfind(request->config_items, PW_CLEARTEXT_PASSWORD) &&
    !pairfind(request->config_items, PW_USER_PASSWORD)) {
        DEBUG("WARNING: No \"known good\" password was found in LDAP. "
              "Are you sure that the user is configured correctly?");
}
This fragment is from the "ldap_authorize" function.
PW_CLEARTEXT_PASSWORD is defined as value 1100 elsewhere in the source,
I think in accordance with the internal dictionary file.
A few lines before, it seems that it tries to copy all the attributes that
smell like a password into the request; this warning is raised if there is
no user pwd (from the supplicant) and/or no clear text pwd in the DB.
In my environment the LDAP server is also used by samba, so there are
also LM/NT passwords available (in fact, some users are not samba
users but are authenticated via radius); but while googling about using
freeradius with LDAP that possibility wasn't mentioned, while I found a
howto that said to add to ldap.attrmap the line:
checkItem User-Password userPassword
Which is wrong. It should map to Cleartext-Password.
I understand that, but how could it be possible that my users who are not
samba users are able to connect to the AP?
There's no LM/NT pwd for them, and there's also no "Cleartext-Password"
because the mapping is wrong (but I've changed it now). So how does
rlm_mschap find the password?
I've looked at mschap_authenticate and it seems to look for the LM pwd and
NT pwd in the request, and to build one or both of them from the
cleartext password if they're missing.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html