SQL Call-Check Authentication (again :( )

florian broder flobroed at googlemail.com
Mon Dec 5 14:18:40 CET 2005


Hi.

I'm still having a hard time implementing the Calling-Station-Id
Authentication. Basis is a Cisco Catalyst with
"Mac-Authentication-Bypass" turned on.

Alan DeKok told me that I can use sql.conf:

	#    Use Stripped-User-Name, if it's there.
	#    Else use User-Name, if it's there,
	-->>#    Else use hard-coded string "DEFAULT" as the user name.<<--
	sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"

To tell FreeRADIUS that there is no user-name.
OK, I've done that, but it gives me this error:

rad_recv: Access-Request packet from host 192.168.1.222:1038, id=13, length=45
        Service-Type = Call-Check
        Calling-Station-Id = "11-22-33-44-55-66"
-->> rlm_sql (sql): zero length username not permitted <<--

That's basically the same packet the Cisco switch sends as
Auth-Request. Notice that there is NO user-name in here at all.

The fact is also mentioned in the sql source code:

	/*
	 *	They MUST have a user name to do SQL authorization.
	 */
	if ((request->username == NULL) ||
	    (request->username->length == 0)) {
		radlog(L_ERR, "rlm_sql (%s): zero length username not permitted\n",
		       inst->config->xlat_name);
		return RLM_MODULE_INVALID;
	}

Switching to "file-based authentication" (in radiusd.conf), it works immediately:

rad_recv: Access-Request packet from host 192.168.1.222:1044, id=19, length=45
        Service-Type = Call-Check
        Calling-Station-Id = "11-22-33-44-55-66"
Sending Access-Accept of id 19 to 192.168.1.222:1044
        Reply-Message = "Hello"

So, it's really a limitation in sql, rather than a misconfiguration?

It would be nice if anyone could confirm this!


Bye Flo
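The workaround a practitioner would reach for, added here as an example and not part of the original message or of FreeRADIUS's own documentation: the check quoted above tests request->username before sql_user_name is ever expanded, so no DEFAULT fallback inside sql_user_name can help; the request needs a User-Name attribute before rlm_sql runs. This is written in "unlang" policy syntax (FreeRADIUS 2.x/3.x, in the authorize section of radiusd.conf or sites-enabled/default), which the 1.x server in the post does not have, so it shows what the fix looks like on a current server rather than on that release. The module instance names `sql` and `preprocess`, the radcheck table, and the exact MAC string the switch sends are assumptions taken from the standard schema and from the packet shown in the post.

```unlang
# Added example, not from the original post or from FreeRADIUS itself.
# unlang syntax (FreeRADIUS 2.x/3.x); assumed to live in the authorize
# section of sites-enabled/default with the standard sql module instance.
authorize {
    preprocess

    # Cisco MAB sends Service-Type = Call-Check and Calling-Station-Id but
    # no User-Name, so rlm_sql returns INVALID ("zero length username not
    # permitted") before sql_user_name is expanded. Synthesise a User-Name
    # from the MAC, but only for Call-Check requests so that ordinary
    # logins are left untouched.
    if (!User-Name && (Service-Type == Call-Check) && Calling-Station-Id) {
        update request {
            User-Name := "%{Calling-Station-Id}"
        }
    }

    # sql can now look the MAC up in radcheck like any other user name.
    # Assumed row, constructed for this example, matching the packet in
    # the post exactly:
    #   username='11-22-33-44-55-66', attribute='Auth-Type', op=':=', value='Accept'
    sql

    # Fail closed: sql returns "notfound" for a MAC with no radcheck entry.
    # Reject it here instead of letting the request fall through to later
    # modules or a catch-all DEFAULT entry.
    if ((Service-Type == Call-Check) && notfound) {
        reject
    }
}
```

The Service-Type guard matters: without it, any request that happens to lack a User-Name would be authenticated by its Calling-Station-Id, and the MAC string in radcheck must match the switch's formatting byte for byte (here hyphen-separated, as in the captured packet), so normalise it in the policy if more than one NAS vendor is involved.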

More information about the Freeradius-Users mailing list