Why do I need to force Auth-Type?

sphaero arnaud at sphaero.org
Mon Aug 11 14:59:46 CEST 2008


In a previous post "PAP what password encryption is used?" I managed to get
authentication working with an mssql backend; however, I need to force
Auth-Type := PAP. I read it's bad practice to force the Auth-Type, so I was
wondering what I could do to let freeradius figure out the authentication
itself.

This is all done on freeradius 1.1.6 (OSS 10.3)

I've set up an sql module:

sql mssql {
	driver = "rlm_sql_unixodbc"
	# Connect info
	server = "test"
	login = "Radius_User"
	password = "blabla"
	radius_db = "V2"
	# not used, but set anyway!
	acct_table1 = "radacct"
	acct_table2 = "radacct"

	authcheck_table = "user"
	authreply_table = "user"

	# not used, but set anyway!
	groupcheck_table = "radgroupcheck"
	groupreply_table = "radgroupreply"
	usergroup_table = "usergroup"
	# Remove stale session if checkrad does not see a double login
	deletestalesessions = yes

	# Print all SQL statements when in debug mode (-x)
	sqltrace = no
	sqltracefile = ${logdir}/sqltrace.sql

	# number of sql connections to make to server
	num_sql_socks = 5
	sql_user_name = "%{Stripped-User-Name:-%{User-Name:-none}}"
	# Custom query that prepares the attributes!
	authorize_check_query = "SELECT UserID,Usernaam,'SHA-Password' AS Attribute, Wachtwoord, ':=' AS Op FROM ${authcheck_table} WHERE Usernaam = '%{SQL-User-Name}' ORDER BY UserID"
	authorize_reply_query = "SELECT UserID,Usernaam from {authreply_table} WHERE Usernaam = '%{SQL-User-Name}' ORDER BY UserID"
}

You can see I'm using a custom SQL query to get the right attributes. I can
only compare username and password in this database. I actually don't need
any groupchecks etc.

I've set up its authorize entry:
Autz-Type mssql {
	mssql
}

And finally, in the users file:
DEFAULT Realm == mssql.nl", Autz-Type := mssql

This setup doesn't work:
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: Looking up realm "mssql.nl" for User-Name = "lsa at mssql.nl"
    rlm_realm: Found realm "DEFAULT"
    rlm_realm: Adding Stripped-User-Name = "lsa"
    rlm_realm: Proxying request from user lsa to realm DEFAULT
    rlm_realm: Adding Realm = "DEFAULT"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
    users: Matched entry DEFAULT at line 153
  modcall[authorize]: module "files" returns ok for request 1
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns ok) for request 1
  Found Autz-Type mssql
  Processing the authorize section of radiusd.conf
modcall: entering group mssql for request 1
radius_xlat:  'lsa'
rlm_sql (mssql): sql_set_user escaped user --> 'lsa'
radius_xlat:  'SELECT UserID,Usernaam,'SHA-Password' AS Attribute, Wachtwoord, ':=' AS Op FROM bas_user WHERE Usernaam = 'lsa' ORDER BY UserID'
rlm_sql (mssql): Reserving sql socket id: 3
radius_xlat:  ''
radius_xlat:  'SELECT UserID,Usernaam from {authreply_table} WHERE Usernaam = 'lsa' ORDER BY UserID'
rlm_sql_getvpdata: database query error
radius_xlat:  ''
rlm_sql (mssql): Released sql socket id: 3
  modcall[authorize]: module "mssql" returns ok for request 1
modcall: leaving group mssql (returns ok) for request 1
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 223 to 127.0.0.1 port 32770
Waking up in 4 seconds...
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=223, length=20

If I add Auth-Type in the users file, it works:
DEFAULT Realm == mssql.nl", Autz-Type := mssql, Auth-Type := PAP

Rg,

Arnaud Loonstra
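
An added example, not part of the original post and not FreeRADIUS code: a small checker that reads `radiusd -X` style debug output like the log above and reports what the log itself shows (an unexpanded `{name}` left in an expanded query, the query error that follows it, the rlm_pap warning, the order in which `pap` and the SQL instance returned, and the missing Auth-Type). The function name `analyze`, the finding labels and the abridged sample log are constructed for illustration; the instance name `mssql` is taken from the post.

```python
import re

# Constructed sample: lines abridged from the debug output in the post above.
SAMPLE_LOG = """\
modcall: entering group authorize for request 1
rlm_pap: WARNING! No "known good" password found for the user.
  modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns ok) for request 1
modcall: entering group mssql for request 1
radius_xlat:  'SELECT UserID,Usernaam from {authreply_table} WHERE Usernaam = 'lsa' ORDER BY UserID'
rlm_sql_getvpdata: database query error
  modcall[authorize]: module "mssql" returns ok for request 1
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
"""

# In radius_xlat output every ${var} and %{attr} is already expanded, so a
# remaining {name} with no '$' or '%' in front of it was never substituted.
UNEXPANDED = re.compile(r"(?<![$%])\{(\w+)\}")
MODULE_RET = re.compile(r'module "(\w+)" returns (\w+)')


def analyze(log, sql_instance="mssql"):
    """Return (label, line_number, detail) findings for one request's log."""
    findings, order, last_xlat = [], [], None
    for n, raw in enumerate(log.splitlines(), 1):
        line = raw.strip()
        if line.startswith("radius_xlat:"):
            last_xlat = n
            for name in UNEXPANDED.findall(line):
                findings.append(("unexpanded-variable", n, name))
        elif "database query error" in line and last_xlat:
            # detail = line number of the query that was last expanded
            findings.append(("query-error", n, last_xlat))
        elif 'No "known good" password' in line:
            findings.append(("pap-no-password", n, None))
        elif (m := MODULE_RET.search(line)):
            order.append(m.group(1))  # modules in the order they returned
        elif "No authenticate method (Auth-Type)" in line:
            findings.append(("no-auth-type", n, None))
    # pap returned before the SQL instance had a chance to add a password
    if "pap" in order and sql_instance in order \
            and order.index("pap") < order.index(sql_instance):
        findings.append(("pap-before-sql", None, sql_instance))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```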

