Hello all,
Due to a policy change with MCI we now have to change our authentication/authorization scheme for dial-in users to CHAP, but for some reason I just can't get it to work. I've checked mailing list archives and Google, and as far as I can see I've done everything right, but I'm still getting "Cleartext password not available."

Here's the log from freeradius -X :

rad_recv: Access-Request packet from host 195.129.12.34:1645, id=129, length=228
        User-Name = "[hidden email]"
        CHAP-Password = 0x01cf2e2a27fc74a7b6271039f9c3e1b0e6
        NAS-IP-Address = 213.116.1.36
        NAS-Port = 70
        NAS-Port-Type = ISDN
        Service-Type = Framed-User
        Framed-Protocol = PPP
        State = 0x
        Calling-Station-Id = "774642968"
        Called-Station-Id = "0676011850"
        Acct-Session-Id = "436504632"
        X-Ascend-Data-Rate = 64000
        X-Ascend-Xmit-Rate = 64000
        Proxy-State = 0x50583031000065bd93266f974b08f6115766e0d35d7719e900020691d574012400000000000000000002066dc2e5a4030000000000000000000000030000000200000f73008d192a9815e82047235efbe3c5fbb341
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module "chap" returns ok
rlm_realm: Looking up realm "systemec.nl" for User-Name = "[hidden email]"
rlm_realm: Found realm "systemec.nl"
rlm_realm: Adding Stripped-User-Name = "testflex"
rlm_realm: Proxying request from user testflex to realm systemec.nl
rlm_realm: Adding Realm = "systemec.nl"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop
radius_xlat: '[hidden email]'
rlm_sql (sql): sql_set_user escaped user --> '[hidden email]'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '[hidden email]' ORDER BY id'

* This returns the following data when run in a mysql shell:
+-----+----------------------+----------------+-------+------+
| id  | UserName             | Attribute      | Value | op   |
+-----+----------------------+----------------+-------+------+
| 186 | [hidden email]       | Password       | ----- | ==   |
| 271 | [hidden email]       | CHAP-Challenge | ----- | ==   |
| 272 | [hidden email]       | Auth-Type      | Local | :=   |
+-----+----------------------+----------------+-------+------+
(password and challenge secret changed for security purposes)

rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '[hidden email]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
+----+-----------+----------------+-------+------+
| id | GroupName | Attribute      | Value | op   |
+----+-----------+----------------+-------+------+
|  3 | flex      | Huntgroup-Name | flex  | ==   |
|  4 | flex      | Auth-Type      | Local | :=   |
+----+-----------+----------------+-------+------+
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '[hidden email]' ORDER BY id'
Empty set (0.00 sec)
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName, radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '[hidden email]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
+----+-----------+-----------------+-------------+------+
| id | GroupName | Attribute       | Value       | op   |
+----+-----------+-----------------+-------------+------+
|  1 | flex      | Auth-Type       | Local       | :=   |
|  4 | flex      | Framed-Protocol | PPP         | :=   |
|  5 | flex      | Service-type    | Framed-User | :=   |
+----+-----------+-----------------+-------------+------+
rlm_sql (sql): No matching entry in the database for request from user [[hidden email]]
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns notfound
modcall: group authorize returns ok
rad_check_password: Found Auth-Type CHAP
auth: type "CHAP"
modcall: entering group Auth-Type
rlm_chap: login attempt by "testflex" with CHAP password
rlm_chap: Could not find clear text password for user testflex
modcall[authenticate]: module "chap" returns invalid
modcall: group Auth-Type returns invalid
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available): [[hidden email]/<CHAP-Password>] (from client worldcom4 port 70 cli 774642968)
Delaying request 0 for 1 seconds
Finished request 0

I've tried using the attribute names 'Password', 'User-Password', 'CHAP-Password', as well as forcing Auth-Type to CHAP, in pretty much every configuration I could think of, but the end result remains the same.

Does anyone have a suggestion on what I've missed?

(Version 0.9.1, by the way)

--
Rens Houben                      | opinions are mine
Resident linux guru and sysadmin | if my employers have one
Systemec Internet Services.      | they'll tell you themselves
PGP key at http://swordbreaker.systemec.nl/~shadur/shadur.key.asc

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

On Thursday 09 June 2005 08:26, Rens Houben wrote:
> radius_xlat: 'SELECT id,UserName,Attribute,Value,op
> FROM radcheck WHERE Username = '[hidden email]' ORDER BY id'
>
> * This returns the following data when run in a mysql shell:
> +-----+----------------------+----------------+-------+------+
> | id  | UserName             | Attribute      | Value | op   |
> +-----+----------------------+----------------+-------+------+
> | 186 | [hidden email]       | Password       | ----- | ==   |
> | 271 | [hidden email]       | CHAP-Challenge | ----- | ==   |
> | 272 | [hidden email]       | Auth-Type      | Local | :=   |
> +-----+----------------------+----------------+-------+------+
> (password and challenge secret changed for security purposes)

Auth-Type isn't necessary. Also, I don't think CHAP-Challenge should be listed there. The only attribute you should need in the db for CHAP auth is User-Password.

Kevin Bonner
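
Why a CHAP check cannot proceed without the user's cleartext password, shown as an added example that is not part of the original thread and is not FreeRADIUS code. It follows RFC 1994 (response = MD5 of identifier, secret, challenge) and the RFC 2865 layout of CHAP-Password; the password, challenge and function names are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional, Tuple


def chap_response(chap_id: int, cleartext: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + cleartext + challenge).digest()


def split_chap_password(attr: bytes) -> Tuple[int, bytes]:
    """CHAP-Password (RFC 2865): 1 identifier octet + 16 response octets."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be exactly 17 octets")
    return attr[0], attr[1:]


def verify_chap(attr: bytes, challenge: bytes,
                cleartext: Optional[bytes]) -> str:
    """Server-side decision: the response can only be recomputed, never
    reversed, so a missing cleartext password forces a reject."""
    if cleartext is None:
        return "reject: clear text password not available"
    chap_id, response = split_chap_password(attr)
    expected = chap_response(chap_id, cleartext, challenge)
    if hmac.compare_digest(expected, response):
        return "accept"
    return "reject: response mismatch"


# Constructed sample data (not taken from the thread's log).
# CHALLENGE stands in for CHAP-Challenge or, when that attribute is absent
# from the request, the 16-octet Request Authenticator.
CHALLENGE = bytes(range(16))
PASSWORD = b"example-secret"          # hypothetical cleartext stored server-side
ATTR = bytes([1]) + chap_response(1, PASSWORD, CHALLENGE)  # what the NAS sends

if __name__ == "__main__":
    print(verify_chap(ATTR, CHALLENGE, PASSWORD))   # cleartext known
    print(verify_chap(ATTR, CHALLENGE, None))       # nothing usable found
    # A stored hash of the password cannot stand in for the cleartext:
    stored_hash = hashlib.md5(PASSWORD).hexdigest().encode()
    print(verify_chap(ATTR, CHALLENGE, stored_hash))
```

The challenge is issued by the NAS, so a static CHAP-Challenge check item in the user's database row has nothing to compare against.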