Hi,

Hope someone can give me a pointer on this matter.

We have 2 RADIUS installations, thus:
1. FreeRADIUS/mysql Version 2.1.1, in whose radcheck, Password attribute is 'User-Password'
2. FreeRADIUS/mysql Version 2.1.10, in whose radcheck, Password attribute is 'Cleartext-Password'

On both freeradius servers, the sql and perl modules are enabled in the authorize and accounting groups, and both servers accept PAP and CHAP auth if queried directly.

Server 2 is configured to proxy requests for unknown users for certain prefixes/suffixes to server 1, if perl and sql return no user:

authorize {
    preprocess
    chap
    mschap
    digest
    eap {
        ok = return
    }
    files
    expiration
    logintime
    sql
    perl
    if (notfound) {
        suffix
        hotspotUser
    }
    pap
}

Challenge is, on Server 2, testing with radtest (passing the attributes so: radtest -t <type> iS_u2h4gna a2uwv localhost 1812 secret), local users are authed fine, but non-local users always return with a reject. Debug output of server 1, if I use CHAP to attempt auth with radtest on server 2, is always:

++[pap] returns noop
Found Auth-Type = CHAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group CHAP {...}
[chap] login attempt by "iS_u2h4gna" with CHAP password
[chap] Using clear text password "uz3f9" for user iS_u2h4gna authentication.
[chap] Password check failed
++[chap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}

If I use PAP with radtest on server 2, server 1 returns:

++[pap] returns updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group PAP {...}
[pap] login attempt with password "a2uwv"
[pap] Using clear text password "uz3f9"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}

I have tried changing the "known good" clear text password on server 1 as recommended in the warning, to no effect. (Is this because User-Password and Cleartext-Password must necessarily be unequal and co-related?)
If so, how can I convert one to the other?

Hopefully,

JamesTM
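
An added example, not part of the original post and not FreeRADIUS code: a Python sketch of how a RADIUS server evaluates PAP (RFC 2865 section 5.2) and CHAP (section 5.3) against a stored known-good cleartext password, which is the comparison the [pap] and [chap] debug lines above report. The function names are hypothetical and the inputs are constructed; the shared secret and the two passwords are the ones shown in the radtest command and the debug output.

```python
import hashlib
import hmac

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: XOR the zero-padded password with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: inverse of pap_hide, recovers the request's User-Password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def pap_check(hidden, secret, authenticator, known_good: bytes) -> bool:
    """PAP: recover what the user typed, compare it with the stored password."""
    return hmac.compare_digest(pap_reveal(hidden, secret, authenticator), known_good)

def chap_check(chap_password: bytes, challenge: bytes, known_good: bytes) -> bool:
    """CHAP: CHAP-Password is id byte + MD5(id + password + challenge).
    The server recomputes the digest from the stored cleartext; nothing is decrypted."""
    ident, response = chap_password[:1], chap_password[1:]
    expected = hashlib.md5(ident + known_good + challenge).digest()
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    # Constructed request; the authenticator doubles as the CHAP challenge here.
    secret, auth = b"secret", bytes(range(16))
    typed, stored = b"a2uwv", b"uz3f9"   # values printed in the debug output
    hidden = pap_hide(typed, secret, auth)
    chap = b"\x07" + hashlib.md5(b"\x07" + typed + auth).digest()
    return {
        "pap_vs_stored": pap_check(hidden, secret, auth, stored),
        "chap_vs_stored": chap_check(chap, auth, stored),
        "pap_vs_typed": pap_check(hidden, secret, auth, typed),
        "chap_vs_typed": chap_check(chap, auth, typed),
    }

if __name__ == "__main__":
    print(demo())
```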
