(RADIATOR) Mysql Authentication Failing

Hugh Irvine hugh at open.com.au
Sun Jun 10 18:42:15 CDT 2001


Hello Roger -

NAS equipment can be configured to use either PAP or CHAP for authentication. 
With PAP, the request carries a reversible encryption of the password, which 
Radiator first decrypts and then re-encrypts with the appropriate algorithm, 
comparing the result against the encrypted string in the database. With CHAP, 
on the other hand, the request carries the result of a one-way encryption, 
which must then be compared to the result of the same encryption applied to 
the clear-text password in the database. 

In other words, you can only use PAP authentication with encrypted passwords 
in the database, and you can only use CHAP with cleartext passwords in the 
database.

Oooops - I have just noticed this in your original post (mis-spelled):

          AuthColumnDef 0, Encypted-Password, check

which should of course be this:

          AuthColumnDef 0, Encrypted-Password, check

Sorry I missed it the first time.

hth

Hugh


On Saturday 09 June 2001 23:19, Roger Hedrick wrote:
> Ok...It definitely has something to do with the fact that the mysql
> database is using encrypted password.  If I change the password in the mysql
> database to be a clear text password...and change the configuration file it
> auth's correctly.  It definitely has something to do with the comparison of
> the clear text password coming from radpwtst against the encrypted password
> retrieved from the database.
>
> Do NAS servers generally send the passwords as clear text or encrypted?
>
> I would hope there is some way to make the NAS server send encrypted
> password.
>
> Is radpwtst a valid test compared to an actual NAS request?
>
> I just hope that I don't get it working using radpwtst and then find out I
> have to work the password problem all over again because of the way livingston
> gear makes requests.
>
> I feel I am close but still missing something.  Help...
>
> Roger
>
> At 02:44 PM 6/9/01 +1000, you wrote:
> >Hello Roger -
> >
> > > I was able to get radiator installed and tested using the simple.cfg
> > > configuration
> > > against the fred user.
> >
> >Good.
> >
> > > I am having problems testing authentication against a mysql database.
> > > Debug from the radius server looks as if it is losing the password
> > > entered from the radpwtst program.  It does look like it is able to get
> > > the encrypted password from the mysql database.  Is the radpwtst not a
> > > good test to use against
> > > an encrypted password entry from the mysql database?  The 'AuthSql:
> > > Reject' debug message from the server seems to lead to a password
> > > comparison mismatch.
> > >
> > > What am I doing wrong?
> > >
> > > I have included the following:
> > > 1) Radius config file
> > > 2) radpwtst command output
> > > 3) radiusd server debug
> > > 4) mysql select output showing user account entry
> >
> >Thanks for providing this very complete problem description.
> >
> >See below for my comments.
> >
> > > <Realm DEFAULT>
> > >      #PasswordLogFileName %L/password/log.%Y%m%d
> > >      <AuthBy SQL>
> > >          DBSource        dbi:mysql:auth
> > >          DBUsername      xxxxx
> > >          DBAuth          xxxxx
> > >
> > >          AuthSelect select password, checkattr, replyattr \
> > >            from subscriber where username='%U'
> > >
> > >          AuthColumnDef 0, Encypted-Password, check
> > >          #EncryptedPassword
> > >      </AuthBy>
> > > </Realm>
> >
> >The configuration file is incorrect. The AuthColumnDef should indicate to
> >Radiator what SQL response value and what radius attribute should be
> > compared.
> >
> >As you can see from the packet dump below, the radius attribute containing
> >the password is called "User-Password", hence you should use this:
> >
> >           AuthColumnDef 0, User-Password, check
> >
> >In addition, if this is an encrypted password you will also need this:
> >
> >           EncryptedPassword
> >
> >Alternatively, the passwords in the database can have the standard
> > prefixes on the strings to indicate what form of encryption they are
> > using ({crypt}, $1$, {SHA}, {MD5},...). See section 13.1.2 in the
> > Radiator 2.18.2 manual.
> >
> > > ../radiusd -config_file ../etc/axiom.cfg
> > > Fri Jun  8 22:45:22 2001: INFO: Server started: Radiator 2.18.1 on elm
> > > Fri Jun  8 22:46:10 2001: DEBUG: Packet dump:
> > > *** Received from 127.0.0.1 port 33799 ....
> > > Code:       Access-Request
> > > Identifier: 220
> > > Authentic:  1234567890123456
> > > Attributes:
> > >          User-Name = "testuser"
> > >          Service-Type = Framed-User
> > >          NAS-IP-Address = 203.63.154.1
> > >          NAS-Port = 1234
> > >          Called-Station-Id = "123456789"
> > >          Calling-Station-Id = "987654321"
> > >          NAS-Port-Type = Async
> > >          User-Password =
> > > "<141><238>,<217><198>(<4><246><188>8<9><160><216>}x<153>"
> >
> >hth
> >
> >Hugh
> >
> >--
> >Radiator: the most portable, flexible and configurable RADIUS server
> >anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> >-
> >Nets: internetwork inventory and management - graphical, extensible,
> >flexible with hardware, software, platform and database independence.
> >===
> >Archive at http://www.open.com.au/archives/radiator/
> >Announcements on radiator-announce at open.com.au
> >To unsubscribe, email 'majordomo at open.com.au' with
> >'unsubscribe radiator' in the body of the message.

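The PAP/CHAP distinction Hugh describes above, as an added example that is not part of the original thread or of Radiator's code: a Python model of the server-side checks from RFC 2865 (User-Password hiding, section 5.2; CHAP-Password, section 5.3) run against a password column stored either as cleartext or with a {SHA}/{MD5} prefix. The shared secret, Request Authenticator, CHAP challenge, test password, and the assumption that the {SHA}/{MD5} prefixes mean base64 of the raw digest are all constructed for illustration.

```python
# Added example, not Radiator code: what a RADIUS server does with a PAP
# User-Password and with a CHAP-Password, and why a hashed (encrypted) stored
# password can be checked with PAP but not with CHAP. Secret, authenticator,
# challenge and password below are constructed test values.
import base64
import hashlib
import hmac


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side of RFC 2865 5.2: pad the password with NULs to a multiple of
    16, then XOR each 16-byte chunk with MD5(secret + previous ciphertext
    chunk); the first chunk is keyed with the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], _md5(secret, prev)))
        out += chunk
        prev = chunk
    return bytes(out)


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same keystream and XOR it off. The hiding
    is reversible, so the server gets the cleartext back and can hash it with
    whatever algorithm the database column used."""
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("User-Password must be 16..128 bytes, a multiple of 16")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, _md5(secret, prev)))
        prev = chunk
    return bytes(out).rstrip(b"\x00")  # drop the NUL padding


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 2865 5.3: the 16-byte CHAP response is
    MD5(CHAP ID + cleartext password + challenge). One-way: nothing to undo."""
    return _md5(bytes([chap_id]), password, challenge)


def make_stored(cleartext: bytes, scheme: str = "{SHA}") -> str:
    """Build a database password string. {SHA}/{MD5} are ASSUMED here to be
    base64 of the raw digest (LDAP-style); an empty scheme means cleartext."""
    if scheme == "{SHA}":
        return scheme + base64.b64encode(hashlib.sha1(cleartext).digest()).decode()
    if scheme == "{MD5}":
        return scheme + base64.b64encode(hashlib.md5(cleartext).digest()).decode()
    return cleartext.decode()


def stored_is_hashed(stored: str) -> bool:
    return stored.startswith(("{SHA}", "{MD5}", "{crypt}", "$1$"))


def check_stored(cleartext: bytes, stored: str) -> bool:
    """Hash the recovered cleartext the same way the stored value was hashed
    and compare in constant time."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(make_stored(cleartext, "{SHA}"), stored)
    if stored.startswith("{MD5}"):
        return hmac.compare_digest(make_stored(cleartext, "{MD5}"), stored)
    if stored_is_hashed(stored):
        raise NotImplementedError("{crypt} and $1$ are not modelled in this example")
    return hmac.compare_digest(cleartext, stored.encode())


def authenticate_pap(user_password_attr, secret, authenticator, stored) -> bool:
    """PAP: reveal the cleartext, then check it against a hashed OR cleartext row."""
    return check_stored(pap_reveal(user_password_attr, secret, authenticator), stored)


def authenticate_chap(chap_password_attr: bytes, challenge: bytes, stored: str):
    """CHAP-Password attribute = 1-byte CHAP ID + 16-byte response. The server
    must recompute the response from the cleartext, so a hashed row makes the
    check impossible rather than merely unsuccessful. Returns (ok, reason)."""
    if stored_is_hashed(stored):
        return False, "CHAP needs the cleartext password; the row holds a hash"
    chap_id, response = chap_password_attr[0], chap_password_attr[1:]
    ok = hmac.compare_digest(chap_response(chap_id, stored.encode(), challenge), response)
    return ok, "ok" if ok else "response mismatch"


def demo() -> dict:
    """Same user, same password stored hashed and as cleartext, tried over
    PAP and over CHAP. Returns the four outcomes."""
    secret, auth = b"testing123", bytes(range(16))        # constructed values
    password, challenge = b"s3cret!", b"\x5a" * 16        # constructed values
    hashed, clear = make_stored(password, "{SHA}"), make_stored(password, "")
    user_password = pap_hide(password, secret, auth)      # what a PAP NAS sends
    chap_attr = bytes([7]) + chap_response(7, password, challenge)  # CHAP NAS
    return {
        "pap_vs_hashed": authenticate_pap(user_password, secret, auth, hashed),
        "pap_vs_clear": authenticate_pap(user_password, secret, auth, clear),
        "chap_vs_hashed": authenticate_chap(chap_attr, challenge, hashed)[0],
        "chap_vs_clear": authenticate_chap(chap_attr, challenge, clear)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows PAP accepting the user against both the hashed and the cleartext row, while CHAP can only be verified against the cleartext row; the NAS-side helpers stand in for whatever equipment or test tool originates the request. The trailing-NUL strip in pap_reveal is the usual interpretation of the RFC's padding and means a password ending in NUL bytes cannot be distinguished from the padding.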
