Problem authenticating cleartext-passwords locally and proxy realms
mikoi
mika.koivisto at logica.com
Fri Aug 14 12:26:29 CEST 2009
Hello.
I want freeradius to authenticate users with Cleartext-Password locally and
proxy others with realms.
I use SQL for users, groups, nas and huntgroups.
The problem:
When logging in with the user with Cleartext-Password all passwords are
accepted.
The proxied users need the correct password.
What am I missing? Please help.
My set up consists of:
AAA Client -> Freeradius 2.1.6 with MySQL -> RADIUS-server
##sites-enabled/default
authorize section:

    # SQL query huntgroups
    update request {
        Huntgroup-Name := "%{sql:select groupname from radhuntgroup where nasipaddress=\"%{NAS-IP-Address}\"}"
    }
    #
    # SQL query Proxy-To-Realm
    #
    update control {
        Proxy-To-Realm := "%{sql:select authserver from authmethod where username =\"%{User-Name}\"}"
    }
radhuntgroup table:
mysql> select * from radhuntgroup;
+----+-------------+--------------+-----------+
| id | groupname   | nasipaddress | nasportid |
+----+-------------+--------------+-----------+
|  4 | VPN-service | x.x.x.x      | NULL      |
+----+-------------+--------------+-----------+
radgroupcheck table:
mysql> select * from radgroupcheck;
+----+-----------+----------------+----+-------------+
| id | groupname | attribute      | op | value       |
+----+-----------+----------------+----+-------------+
|  8 | VPN-AUTH  | Huntgroup-Name | == | VPN-Service |
|  9 | VPN-AUTH  | Auth-Type      | := | Accept      |
+----+-----------+----------------+----+-------------+
usergroup table:
mysql> select * from usergroup;
+--------------+-----------+----------+
| UserName | GroupName | priority |
+--------------+-----------+----------+
| testuser | VPN-AUTH | 0 |
| safewordtest | VPN-AUTH | 0 |
+--------------+-----------+----------+
users file:
# On no match, the user is denied access.
DEFAULT Auth-Type := Reject
Users are defined in radcheck.
testuser is to be authenticated locally
safewordtest is to be proxied (table authmethod).
mysql> select * from radcheck;
+----+--------------+--------------------+----+----------+
| id | username | attribute | op | value |
+----+--------------+--------------------+----+----------+
| 33 | testuser | Cleartext-Password | := | testuser |
| 39 | safewordtest | Cleartext-Password | := | testttsd |
+----+--------------+--------------------+----+----------+
mysql> select * from authmethod;
+--------------+------------+----------+
| username | authserver | priority |
+--------------+------------+----------+
| safewordtest | Safeword | 1 |
+--------------+------------+----------+
Debug: Incorrect username/password.
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=38,
length=70
User-Name = "testuser"
User-Password = "wrongpasswordibelieve"
NAS-IP-Address = x.x.x.x
+- entering group authorize {...}
++[preprocess] returns ok
sql_xlat
expand: %{User-Name} -> testuser
sql_set_user escaped user --> 'testuser'
expand: select groupname from radhuntgroup where
nasipaddress="%{NAS-IP-Address}" -> select groupname from radhuntgroup where
nasipaddress="x.x.x.x"
rlm_sql (sql): Reserving sql socket id: 3
sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
expand: %{sql:select groupname from radhuntgroup where
nasipaddress="%{NAS-IP-Address}"} -> VPN-Service
++[request] returns ok
sql_xlat
expand: %{User-Name} -> testuser
sql_set_user escaped user --> 'testuser'
expand: select authserver from authmethod where username
="%{User-Name}" -> select authserver from authmethod where username
="testuser"
rlm_sql (sql): Reserving sql socket id: 2
SQL query did not return any results
rlm_sql (sql): Released sql socket id: 2
expand: %{sql:select authserver from authmethod where username
="%{User-Name}"} ->
++[control] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 204
++[files] returns ok
[sql] expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'testuser' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'testuser' ORDER BY id
[sql] expand: SELECT groupname FROM usergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM usergroup WHERE username = 'testuser'
ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'VPN-AUTH' ORDER BY
id
[sql] User found in group VPN-AUTH
[sql] expand: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = 'VPN-AUTH' ORDER BY
id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
WARNING: You set Proxy-To-Realm = , but the realm does not exist!
Cancelling invalid proxy request.
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
[sql] expand: %{User-Password} -> wrongpasswordibelieve
[sql] expand: INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'testuser', 'wrongpasswordibelieve',
'Access-Accept', '2009-08-13 21:01:08')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'testuser', 'wrongpasswordibelieve',
'Access-Accept', '2009-08-13 21:01:08')
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 38 to x.x.x.x port 1812
Class := 0x6f753d7672663337302c6f753d72657472726565
Finished request 0.
--
View this message in context: http://www.nabble.com/Problem-authenticating-cleartext-passwords-locally-and-proxy-realms-tp24969543p24969543.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
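Editorial note added after the post (not part of the original message): the debug output explains the behaviour. The radgroupcheck row `Auth-Type := Accept` for VPN-AUTH sets Auth-Type before the `pap` module runs (`[pap] Found existing Auth-Type, not changing it.`), so the Cleartext-Password stored in radcheck is never compared and the request is accepted with any password; the `Huntgroup-Name ==` row only decides whether the group's items apply at all. The Python script below, written for this page rather than taken from the FreeRADIUS project, audits radcheck/radgroupcheck tables for Auth-Type assignments that bypass password verification and prints the row to remove. The table rows are constructed in-line from those quoted in the post, and the function names `audit_auth_type` and `remediation_sql` are the script's own.

```python
"""Audit FreeRADIUS SQL check items for Auth-Type overrides that skip password checks.

Constructed example: the rows below mirror the radcheck, radgroupcheck and
usergroup tables quoted in the post. In practice they would be fetched with a
database driver; the logic is the same.
"""
from collections import defaultdict

# Constructed sample data (username, attribute, op, value), as in radcheck.
RADCHECK = [
    ("testuser", "Cleartext-Password", ":=", "testuser"),
    ("safewordtest", "Cleartext-Password", ":=", "testttsd"),
]

# (groupname, attribute, op, value), as in radgroupcheck.
RADGROUPCHECK = [
    ("VPN-AUTH", "Huntgroup-Name", "==", "VPN-Service"),
    ("VPN-AUTH", "Auth-Type", ":=", "Accept"),
]

# (username, groupname, priority), as in usergroup.
USERGROUP = [
    ("testuser", "VPN-AUTH", 0),
    ("safewordtest", "VPN-AUTH", 0),
]

# Auth-Type values that accept the request without verifying any credential.
BYPASS_AUTH_TYPES = {"accept"}
# Operators that assign a control item; "==" only compares and sets nothing.
ASSIGN_OPS = {":=", "="}


def _is_bypass(attribute, op, value):
    """True if this check item forces Auth-Type to a value that skips password checks."""
    return (attribute.lower() == "auth-type"
            and op in ASSIGN_OPS
            and value.strip().lower() in BYPASS_AUTH_TYPES)


def audit_auth_type(radcheck, radgroupcheck, usergroup):
    """Return one finding per user or group row that assigns Auth-Type := Accept.

    Each finding: scope ('user' or 'group'), the user/group name, the offending
    (attribute, op, value) triple, and the users it affects.
    """
    members = defaultdict(list)
    for username, groupname, _priority in usergroup:
        members[groupname].append(username)

    findings = []
    for username, attribute, op, value in radcheck:
        if _is_bypass(attribute, op, value):
            findings.append({"scope": "user", "name": username,
                             "item": (attribute, op, value),
                             "affected_users": [username]})
    for groupname, attribute, op, value in radgroupcheck:
        if _is_bypass(attribute, op, value):
            findings.append({"scope": "group", "name": groupname,
                             "item": (attribute, op, value),
                             "affected_users": sorted(members.get(groupname, []))})
    return findings


def remediation_sql(finding):
    """SQL that deletes the offending row so pap falls back to Cleartext-Password.

    The values come from the configuration rows just audited; the statement is
    returned for an administrator to review, not executed here.
    """
    table = "radcheck" if finding["scope"] == "user" else "radgroupcheck"
    column = "username" if finding["scope"] == "user" else "groupname"
    attribute, op, value = finding["item"]
    return (f"DELETE FROM {table} WHERE {column} = '{finding['name']}' "
            f"AND attribute = '{attribute}' AND op = '{op}' AND value = '{value}';")


if __name__ == "__main__":
    for f in audit_auth_type(RADCHECK, RADGROUPCHECK, USERGROUP):
        print(f"{f['scope']} {f['name']}: {' '.join(f['item'])} "
              f"-> any password accepted for {', '.join(f['affected_users'])}")
        print("  fix:", remediation_sql(f))
```

Run against the post's tables, the script reports the VPN-AUTH group row and that both testuser and safewordtest are affected; with that row gone, `pap` sets Auth-Type itself and compares the stored Cleartext-Password, while the Proxy-To-Realm lookup still proxies safewordtest when the realm is defined in proxy.conf.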