Captive Portal w/ Radius MAC Auth - error in radpostauth code



  • I am just getting started w/ pfSense.  I am trying to set up a Captive Portal w/ Radius MAC Authentication.

    I am getting an error message back when my machine tries to go through the portal.  Basically, the error is related to the code that posts an auth record to the radius database.  It seems the # of parameters does not match the # of fields for the SQL "Insert" command.

    You will notice the issue in the last 3-4 lines of the debug output below.  The MD5 structure becomes 2 password values and I think it should be 1.  So, a "syntax" error is returned by SQL.

    Is this something I can correct?  Does it have to do with a bad setting on my part, perhaps related to the cleartext passwords?

    Process flow:
    ------------
    The pfSense server sends a request to an external Radius server.  The Radius server is FreeRadius running on CentOS 6.3 w/ mysql as the database engine.
    Please let me know what other information I can provide to help anyone understand if I am not clear enough now.
    Thanks,

    Here is the SQL debug I captured.

    rad_recv: Access-Request packet from host 192.168.11.228 port 34512, id=183, length=144

    [suffix] No such realm "NULL"
           NAS-IP-Address = 192.168.11.228
           NAS-Identifier = "oak-cp1.domain.com"
           User-Name = "00:0f:1f:67:61:ce"
           User-Password = xyz"
           Service-Type = Login-User
           NAS-Port-Type = Ethernet
           NAS-Port = 9
           Framed-IP-Address = 192.168.111.10
           Called-Station-Id = "192.168.11.228"
           Calling-Station-Id = "00:0f:1f:67:61:ce"

    Executing section authorize from file /etc/raddb/sites-enabled/default

    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "00:0f:1f:67:61:ce", looking up realm NULL
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[files] returns noop
    [sql]   expand: %{User-Name} -> 00:0f:1f:67:61:ce
    [sql] sql_set_user escaped user -> '00:0f:1f:67:61:ce'
    rlm_sql (sql): Reserving sql socket id: 3
    [sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '00:0f:1f:67:61:ce'           ORDER BY id
    WARNING: Found User-Password == "...".
    WARNING: Are you sure you don't mean Cleartext-Password?
    WARNING: See "man rlm_pap" for more information.
    [sql] User found in radcheck table
    [sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '00:0f:1f:67:61:ce'           ORDER BY id
    [sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = '00:0f:1f:67:61:ce'           ORDER BY priority
    rlm_sql (sql): Released sql socket id: 3
    ++[sql] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns updated
    Found Auth-Type = PAP
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!    Replacing User-Password in config items with Cleartext-Password.     !!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!! Please update your configuration so that the "known good"               !!!
    !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    Executing group from file /etc/raddb/sites-enabled/default

    +- entering group PAP {...}
    [pap] login attempt with password "xyz
    [pap] Using clear text password "xyz"
    [pap] User authenticated successfully
    ++[pap] returns ok

    Executing section post-auth from file /etc/raddb/sites-enabled/default

    +- entering group post-auth {...}
    [sql]   expand: %{User-Name} -> 00:0f:1f:67:61:ce
    [sql] sql_set_user escaped user -> '00:0f:1f:67:61:ce'
    [sql]   expand: %{User-Password} -> xyz
    [sql]   expand: %{User-Password} -> xyz
    [sql]   expand: INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}', #                         MD5 ('%{%{User-Password}:-%{Chap-Password}}'),                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '00:0f:1f:67:61:ce', #                         MD5 ('xyz'),                           'xyz',                           'Access-Accept', '2013-06-05 22:42:01')
    rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '00:0f:1f:67:61:ce', #                         MD5 ('xyz'),                           'xyz',                           'Access-Accept', '2013-06-05 22:42:01')

    Thanks,
    Mike



  • Update of post to help clarify the issue:

    Here are the important statements from the full debug text below:
    ----
    [sql]  expand:
    INSERT INTO radpostauth (username, pass, reply, authdate)
    VALUES ('%{User-Name}', #MD5 ('%{%{User-Password}:-%{Chap-Password}}'), '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
    ->
    INSERT INTO radpostauth (username, pass, reply, authdate)
    VALUES ('00:0f:1f:67:61:ce', #MD5 ('xyz'), 'xyz', 'Access-Accept',  '2013-06-05 22:42:01')

    rlm_sql (sql) in sql_postauth: query is
    INSERT INTO radpostauth (username, pass, reply, authdate)
    VALUES ( '00:0f:1f:67:61:ce', #MD5 ('xyz'), 'xyz', 'Access-Accept', '2013-06-05 22:42:01')
    ----

    In the SQL INSERT stmt, we see 4 fields: username, pass, reply, authdate.
    But, we see 5 values: username, MD5 password, pass, reply, authdate.

    Why is the password being sent as MD5 and cleartext?

    What options should I set to fix this?  Is it on the pfSense server or something I need to fix in mysql?

    Thanks,
    Mike



  • I figured out this is part of the Radius SQL on my Radius server and not part of pfSense.

    If anyone is interested…
    The dialup.conf file in /etc/raddb/sql/mysql/dialup.conf has an entry for Authentication Logging options and this entry for the INSERT stmt was incorrect.

    mike
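
    As an added illustration (not part of Mike's posts or of FreeRADIUS itself): the `#` placed inside the quoted postauth_query string is not a FreeRADIUS config comment, so it is sent to MySQL literally, where `#` starts a to-end-of-line comment and the rest of the single-line statement is dropped. The Python below models the xlat expansion with the values from the logged query and counts columns against values for the logged template and for what the stock FreeRADIUS 2.x dialup.conf ships; all function names are assumptions. Note that even the stock template records the submitted credential in the `pass` column in cleartext, which is worth weighing before enabling post-auth logging.

```python
import re

# Values taken from the thread's debug output (constructed test input, not a live capture).
REQUEST = {"User-Name": "00:0f:1f:67:61:ce", "User-Password": "xyz",
           "reply:Packet-Type": "Access-Accept"}
TIMESTAMP = "2013-06-05 22:42:01"          # what %S expanded to in the log
# postauth_query as logged in the thread: a '#' inside the quoted string is not a config
# comment; FreeRADIUS hands it to MySQL literally, where '#' starts a to-end-of-line comment.
BROKEN_TEMPLATE = ("INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ("
                   " '%{User-Name}', # MD5 ('%{%{User-Password}:-%{Chap-Password}}'),"
                   " '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')")
# Stock FreeRADIUS 2.x postauth_query (raddb/sql/mysql/dialup.conf), flattened to one line.
FIXED_TEMPLATE = ("INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ("
                  " '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}',"
                  " '%{reply:Packet-Type}', '%S')")

def expand(template, attrs, timestamp):
    """Minimal model of FreeRADIUS xlat: %{A}, the %{%{A}:-%{B}} fallback form, and %S."""
    out = re.sub(r"%\{%\{([^}]+)\}:-%\{([^}]+)\}\}",
                 lambda m: attrs.get(m.group(1)) or attrs.get(m.group(2), ""), template)
    out = re.sub(r"%\{([^}]+)\}", lambda m: attrs.get(m.group(1), ""), out)
    return out.replace("%S", timestamp)

def split_values(text):
    """Split a VALUES list as MySQL reads it; returns (items, list_was_closed)."""
    items, cur, in_q, depth = [], "", False, 0
    for ch in text:
        if in_q or ch == "'":                # quoted literal: commas and '#' are data
            cur += ch
            in_q ^= (ch == "'")
        elif ch == "#":                      # MySQL comment: rest of statement is lost
            break
        elif ch == "," and depth == 0:
            items.append(cur)
            cur = ""
        elif ch == ")" and depth == 0:       # closing paren of the VALUES list
            items.append(cur)
            return [s.strip() for s in items], True
        else:                                # keep nested calls such as MD5(...) whole
            depth += (ch == "(") - (ch == ")")
            cur += ch
    return [s.strip() for s in items + [cur] if s.strip()], False

def check_insert(query):
    """Compare column count with value count as the database would see the statement."""
    head = re.match(r"\s*INSERT INTO \w+\s*\((.*?)\)\s*VALUES\s*\(", query, re.S)
    cols = [c.strip() for c in head.group(1).split(",")]
    vals, closed = split_values(query[head.end():])
    return {"columns": len(cols), "values": len(vals), "complete": closed,
            "row": dict(zip(cols, vals)) if closed and len(cols) == len(vals) else None}
```

Running `check_insert(expand(BROKEN_TEMPLATE, REQUEST, TIMESTAMP))` reports 4 columns but only 1 value and an unclosed list, which is what MySQL rejects with a syntax error; the fixed template yields 4 and 4.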