FreeRadius and md5 hashed passwords
Martin Jessa
freebsd at yazzy.org
Tue Sep 16 20:19:14 PDT 2003
Hi Scott, guys.
I am stuck. I made some changes in the config file and added Auth-Type to the radgroupcheck table (which was previously empty) and now I cannot authenticate at all.
Seems like the problem is somewhere else.
My radiusd.conf:
modules {
mschap {
authtype = MD5
use_mppe = yes
require_encryption = yes
require_strong = yes
encryption_scheme = md5
}
authorize {
preprocess
suffix
sql
}
authenticate {
authtype MD5 {
mschap
}
}
mysql> select * from radgroupreply;
+----+-----------+-------------------+----+-----------------+------+
| id | GroupName | Attribute | op | Value | prio |
+----+-----------+-------------------+----+-----------------+------+
| 1 | user | Framed-IP-Netmask | := | 255.255.255.0 | 0 |
| 2 | user | Framed-IP-Address | := | 255.255.255.254 | 0 |
| 3 | user | Service-Type | := | Framed-User | 0 |
| 4 | user | Auth-Type | := | Local | 0 |
+----+-----------+-------------------+----+-----------------+------+
mysql> select * from usergroup;
+----+-----------------+-----------+
| id | UserName | GroupName |
+----+-----------------+-----------+
| 1 | yazzy at yazzy.org | user |
+----+-----------------+-----------+
mysql> select * from radgroupcheck;
+----+-----------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-------+
| 1 | user | Auth-Type | := | MD5 |
+----+-----------+-----------+----+-------+
mysql> select * from radcheck;
+----+-----------------+---------------+----+----------------+
| id | UserName | Attribute | op | Value |
+----+-----------------+---------------+----+----------------+
| 1 | yazzy at yazzy.org | User-Password | := | $1$bc8bf6f2fd343cab9d387d5dcc777be3 |
+----+-----------------+---------------+----+----------------+
Then running:
radtest yazzy at yazzy.org my_pass 127.0.0.1 1812 radius_pass 127.0.0.1
I get the following error:
rad_recv: Access-Request packet from host 127.0.0.1:57048, id=44, length=73
User-Name = "yazzy at yazzy.org"
User-Password = "my_pass"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
Framed-Protocol = PPP
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "mschap" returns notfound
rlm_realm: Looking up realm yazzy.org for User-Name = "yazzy at yazzy.org"
rlm_realm: Found realm DEFAULT
rlm_realm: Adding Stripped-User-Name = "yazzy"
rlm_realm: Proxying request from user yazzy to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Authentication realm is LOCAL.
***SNIP***
rlm_sql (sql): Released sql socket id: 1
modcall[authorize]: module "sql" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type MD5
auth: type "MD5"
modcall: entering group authtype
rlm_mschap: No LM/NT password configured. Check authorization.
modcall[authenticate]: module "mschap" returns invalid
modcall: group authtype returns invalid
auth: Failed to validate the user.
Delaying request 4 for 1 seconds
Finished request 4
Any idea how to fix that and what can be wrong?
On Tue, 16 Sep 2003 22:24:35 -0400
Scott Lambert <lambert at lambertfam.org> wrote:
> On Wed, Sep 17, 2003 at 03:03:43AM +0200, Martin Jessa wrote:
> > Hi guys.
> >
> > I have set up freeradius with authentication against MySQL.
> > I have poptop talking to the radius server and in that way authenticating my users.
> > The problem is I cannot make the radius server read md5 encrypted passwords, only plain text.
> > Any idea what to do to make it read md5 passwords?
> > Example of the password table:
> >
> > table 'radcheck' :
> >
> > Cleartext (works):
> > INSERT INTO radcheck VALUES (2,'test at yazzy.org','User-Password',':=','12233445');
> >
> > MD5 (no love):
> > INSERT INTO radcheck VALUES (3,'test at yazzy.org','User-Password',':=','bc8bf6f2fd343cab9d387d5dcc777be3');
>
> I think you are missing the salt.
>
> This is an MD5 cryptpassword of your example cleartext password:
>
> $1$HuVWpRMf$dmUeqUO15b9HGbDmmki6W.
>
>
> --
> Scott Lambert KC5MLE Unix SysAdmin
> lambert at lambertfam.org
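Added example, not part of the original thread: a format check for the stored password values quoted above, separating a well-formed MD5-crypt string ($1$<salt>$<22 characters>) from a bare 32-digit MD5 hex digest and from a hex digest that only had "$1$" put in front of it. The names classify, audit and ROWS are hypothetical, the rows are constructed from the values in the messages, and the check assumes a salt of 1 to 8 characters from the crypt(3) alphabet.

```python
import re

# Alphabet used by crypt(3) for both the salt and the encoded digest.
B64 = r"[./0-9A-Za-z]"
# Assumption: salt is 1-8 characters from that alphabet, digest is 22.
MD5_CRYPT = re.compile(rf"^\$1\$(?P<salt>{B64}{{1,8}})\$(?P<digest>{B64}{{22}})$")
RAW_MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")


def classify(value):
    """Return (kind, detail) describing the format of one stored value."""
    m = MD5_CRYPT.match(value)
    if m:
        return "md5-crypt", "salt=" + m.group("salt")
    if value.startswith("$1$"):
        # Carries the MD5-crypt marker but lacks the salt/digest layout.
        if RAW_MD5_HEX.match(value[3:]):
            return "malformed", "'$1$' in front of a raw MD5 hex digest, no salt field"
        return "malformed", "'$1$' prefix but not $1$<salt>$<22 chars>"
    if RAW_MD5_HEX.match(value):
        return "raw-md5-hex", "unsalted 32-digit hex digest"
    return "other", "cleartext or an unrecognised scheme"


def audit(rows):
    """Map row id -> classification for (id, attribute, value) rows."""
    return {rid: classify(val)
            for rid, attr, val in rows if attr == "User-Password"}


# Constructed rows reusing the values quoted in the thread.
ROWS = [
    (1, "User-Password", "$1$bc8bf6f2fd343cab9d387d5dcc777be3"),
    (2, "User-Password", "12233445"),
    (3, "User-Password", "bc8bf6f2fd343cab9d387d5dcc777be3"),
    (4, "User-Password", "$1$HuVWpRMf$dmUeqUO15b9HGbDmmki6W."),
]

if __name__ == "__main__":
    for rid, (kind, detail) in audit(ROWS).items():
        print(rid, kind, detail)
```
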