WARNING about auth-type = Local

2011-09-21 Thread Johan Meiring
Hi,

I use a completely custom setup.
Not using the default server at all.

All is working fine, except for a warning.

In the authorise section, I have rlm_sql that selects the cleartext password 
from a database.
The query looks like this.

authorize_check_query = SELECT AccountID, Login, 'Cleartext-Password', Password, ':=' \
   from Account WHERE Login = '%{SQL-User-Name}'
}

This is the rlm_sql query defined.

My authorise and authenticate section looks like this.

  authorize {
    authorisation_log
    chap
    mschap
    sql
  }

  authenticate {
    Auth-Type PAP {
      pap
    }
    Auth-Type CHAP {
      chap
    }
    Auth-Type MS-CHAP {
      mschap
    }
  }


When a PAP request comes in, just after the sql selects the password and 
somewhere before authenticate, I get a warning.
(Unsure if the warning will appear for CHAP/MSCHAP)

-
[sql]   expand: SELECT AccountID, Login, 'Cleartext-Password', Password, ':='    from Account WHERE Login = '%{SQL-User-Name}' -> SELECT AccountID, Login, 'Cleartext-Password', Password, ':='    from Account WHERE Login = 't...@domain.co.za'
[sql] User found in radcheck table
rlm_sql (sql): Released sql socket id: 1
+++[sql] returns ok
++- else else returns ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
# Executing section post-auth from file /etc/freeradius/sites-enabled/custom
+- entering group post-auth {...}
---

Do I need to concern myself with the warning?

All is working fine, I was just inquisitive as to why this happens.

Thanks!

-- 


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782


Before acting on this email or opening any attachments
you should read Cape PC Service's email disclaimer at:

http://www.pcservices.co.za/disclaimer.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: WARNING about auth-type = Local

2011-09-21 Thread Phil Mayers

On 21/09/11 17:11, Johan Meiring wrote:

> -
> [sql]   expand: SELECT AccountID, Login, 'Cleartext-Password', Password, ':='
> [sql] User found in radcheck table
> rlm_sql (sql): Released sql socket id: 1
> +++[sql] returns ok
> ++- else else returns ok
> WARNING: Please update your configuration, and remove 'Auth-Type = Local'
> WARNING: Use the PAP or CHAP modules instead.
> User-Password in the request is correct.
> # Executing section post-auth from file /etc/freeradius/sites-enabled/custom
> +- entering group post-auth {...}
> ---

You've trimmed the debug. Don't do that, it means we can't see what else 
happened.

> Do I need to concern myself with the warning?

Possibly. Difficult to tell, since you trimmed the debug. It is 
concerning that the authenticate {} section doesn't appear to be run.



Re: WARNING about auth-type = Local

2011-09-21 Thread Alan DeKok
Johan Meiring wrote:
> My authorise and authenticate section looks like this.
>
>   authorize {
>     authorisation_log
>     chap
>     mschap
>     sql

    pap

>   }

  You need the pap module last in the authorize section.  It will
set Auth-Type for you.

  In 3.0, the Auth-Type = Local warnings will likely go away, because
the server *won't* set it.  Instead, you'll just get no Auth-Type

> Do I need to concern myself with the warning?

  Yes.  Use the pap module as noted above.

  See the default configuration file for why this is necessary.

  Alan DeKok.


Re: WARNING about auth-type = Local

2011-09-21 Thread Johan Meiring
On 2011/09/21 06:19 PM, Alan DeKok wrote:
> Johan Meiring wrote:
>> My authorise and authenticate section looks like this.
>>
>> authorize {
>>   authorisation_log
>>   chap
>>   mschap
>>   sql
>
>    pap
>
>> }
>
> You need the pap module last in the authorize section.  It will
> set Auth-Type for you.
>
> In 3.0, the Auth-Type = Local warnings will likely go away, because
> the server *won't* set it.  Instead, you'll just get no Auth-Type
>
>> Do I need to concern myself with the warning?
>
> Yes.  Use the pap module as noted above.
>
> See the default configuration file for why this is necessary.


Hi,

Thanks, makes perfect sense.

Now it looks like this.

--
[sql] User found in radcheck table
rlm_sql (sql): Released sql socket id: 2
+++[sql] returns ok
++- else else returns ok
++[chap] returns noop
++[mschap] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/custom
+- entering group PAP {...}
[pap] login attempt with password password
[pap] Using clear text password password
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/custom
+- entering group post-auth {...}



What now interests me, is how authentication worked at all previously?

An invalid password WAS actually rejected, without the pap module showing 
that it is running.
The only reference in the debug that showed that the password was actually 
checked was one of the following:

User-Password in the request is correct

or

User-Password in the request does NOT match known good password.
Failed to authenticate the user.

Is that the local module?

Thanks again for super support!
Even paid support cannot get close to this.

Cheers,


-- 


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782




Re: WARNING about auth-type = Local

2011-09-21 Thread Alan DeKok
Johan Meiring wrote:
> Thanks, makes perfect sense.

  Good...

> What now interests me, is how authentication worked at all previously?

  Magic. :(

  The server core had hacks to work around legacy configurations from
version 0.x.   That's bad, and should be removed from the server.

> Is that the local module?

  No.  It's internal hacks in the server core.

> Thanks again for super support!
> Even paid support cannot get close to this.

  Thanks.

  As always, good questions get good answers.

  Alan DeKok.
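
A small lint for the fix given in this thread, as an added example that is not part of the original messages or of FreeRADIUS itself: it checks that pap is the last entry in authorize and that authenticate has an Auth-Type PAP block. The function names and the simplified parser (one statement per line) are assumptions; the sample is the configuration as posted above.

```python
import re

# Constructed sample: the authorize/authenticate sections as posted in the thread.
POSTED = """
authorize {
    authorisation_log
    chap
    mschap
    sql
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
}
"""

def section_entries(config, name):
    """Top-level entries of section `name`, in order (sub-blocks by header)."""
    entries, depth, inside = [], 0, False
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not inside:
            inside = re.fullmatch(rf"{re.escape(name)}\s*\{{", line) is not None
            continue
        if depth == 0 and line == "}":           # end of the section itself
            break
        if depth == 0 and line:
            entries.append(line.rstrip("{").strip())
        depth += line.count("{") - line.count("}")
    return entries

def check_pap(config):
    """Hypothetical helper: list problems with how PAP is wired up."""
    authz = section_entries(config, "authorize")
    authn = section_entries(config, "authenticate")
    problems = []
    if "pap" not in authz:
        problems.append("authorize: pap missing, Auth-Type is not set for PAP requests")
    elif authz[-1] != "pap":
        later = ", ".join(authz[authz.index("pap") + 1:])
        problems.append("authorize: pap is not last; listed before " + later)
    if "Auth-Type PAP" not in authn:
        problems.append("authenticate: no Auth-Type PAP block")
    return problems
```

Calling `check_pap(POSTED)` reports the missing pap entry; the same text with `pap` added after `sql` returns an empty list.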