Freeradius denies auth when "Framed-IP-Address" set

Gerret Apelt gerret.apelt at gmail.com
Wed Aug 24 17:03:30 CEST 2005


Hi all --

Debian Sarge 
2.4.27-2-386 kernel
freeRadius (dpkg version 1.0.2-4)
MySQL Server (dpkg version 4.1.11a-4)

I have been using FreeRadius successfully for half a year.
All my setup does is authenticate dialup connections. Radius auth requests
come in from a NAS, and once authentication has been successful, the
NAS will assign an IP address out of its pool. I use mysql to store
'User-Password' attribute/value pairs, where the password is stored in
cleartext (there is PAP and CHAP authentication). This all works very well.

I am now trying to have FreeRadius also assign IP Address and Netmask to a
subset of the user accounts, and that's where I'm getting stuck: As
soon as I add the additional attributes "Framed-IP-Address" and
"Framed-IP-Netmask" to the table, FreeRadius will reject the
authentication request.

When using PAP, radius.log reports:
Wed Aug 24 09:31:27 2005 : Auth: Login incorrect: [gerret/testme] 

When using CHAP, radius.log reports:
Wed Aug 24 09:33:25 2005 : Auth: Login incorrect (rlm_chap: Clear text
password not available): [gerret/<CHAP-Password>]

This issue goes away as soon as I delete rows with id 1343 and 1344 below:

mysql> select id, username, attribute, value, op from login_accounts
where username='gerret';
+------+----------+-------------------+----+---------------+
| id   | username | attribute         | op | value         |
+------+----------+-------------------+----+---------------+
|  414 | gerret   | User-Password     | == | testme        |
| 1343 | gerret   | Framed-IP-Address | == | 65.166.58.202 |
| 1344 | gerret   | Framed-IP-Netmask | == | 255.255.254.0 |
+------+----------+-------------------+----+---------------+

When running in full debug mode, FreeRadius outputs the exact queries
it fires at the database. I have run these queries manually: the
'authorize_check_query' returns the three rows listed above. All
other queries return the empty set. Then at the end of the debug
output:

rlm_sql (sql): No matching entry in the database for request from user [gerret]
rlm_sql (sql): Released sql socket id: 2
modcall[authorize]: module "sql" returns notfound for request 7
modcall: group authorize returns ok for request 7
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [gerret/testme] (from client north port 0 cli
00:02:6F:37:D9:D4)

Am I filling the wrong rows into the database? I don't understand how
authentication can fail due to the addition of two extra attributes --
especially since the queries still return the "User-Password"
information.

It looks like this post describes a similar issue:

http://lists.cistron.nl/pipermail/freeradius-users/2005-January/039705.html

Any help on this is much appreciated :)

cheers
Gerret
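
Added example, not part of the original post and not FreeRADIUS code: a simplified Python model of check-item matching that reproduces the "notfound" result in the debug output above. It assumes every `==` row returned by authorize_check_query is compared against the incoming request, and that reply attributes such as Framed-IP-Address belong in a separate reply-item list (hypothetical here).

```python
# Simplified model (an assumption of this example, not FreeRADIUS source code)
# of how check items returned by authorize_check_query are evaluated.

PASSWORD_ATTRS = {"User-Password"}  # carried over as configuration (simplification)

def authorize(check_rows, reply_rows, request):
    """Return (result, config_items, reply_items) for one Access-Request."""
    if not check_rows and not reply_rows:
        return "notfound", {}, {}
    config = {}
    for attr, op, value in check_rows:
        if attr in PASSWORD_ATTRS or op == ":=":
            config[attr] = value              # becomes a config item
        elif op == "==":
            # An attribute absent from the request can never match, so one
            # such row is enough to discard the whole entry.
            if request.get(attr) != value:
                return "notfound", {}, {}
    reply = {attr: value for attr, op, value in reply_rows}
    return "ok", config, reply

# Constructed request: an Access-Request from the NAS carries no Framed-IP-Address.
REQUEST = {"User-Name": "gerret", "User-Password": "testme"}

# Rows as in the post's login_accounts table, all treated as check items.
FAILING_CHECK = [
    ("User-Password", "==", "testme"),
    ("Framed-IP-Address", "==", "65.166.58.202"),
    ("Framed-IP-Netmask", "==", "255.255.254.0"),
]

# Same data split: the password stays a check item, the framed attributes
# become reply items (the reply list is hypothetical in this example).
FIXED_CHECK = [("User-Password", "==", "testme")]
FIXED_REPLY = [
    ("Framed-IP-Address", ":=", "65.166.58.202"),
    ("Framed-IP-Netmask", ":=", "255.255.254.0"),
]

if __name__ == "__main__":
    print(authorize(FAILING_CHECK, [], REQUEST))       # entry discarded
    print(authorize(FIXED_CHECK, FIXED_REPLY, REQUEST))  # password kept, IP returned
```

When the entry is discarded, no password config item survives, which is consistent with both the missing Auth-Type and the rlm_chap "Clear text password not available" messages quoted above.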



