again .. mac based auth + user/password for pppoe

S Adrian dexter at d3xt3r01.tk
Wed Feb 22 21:57:12 CET 2012


Hey again,

I've searched the list for my old conversation here but couldn't find
it .. still.. here it goes...
I have rp-pppoe started in kernel mode ( the calling-station-id gets
sent as I can see it )

You'll notice that even though I added in radcheck Calling-Station-Id
to be 11:22:33:44:55:66,
trying with radclient got me accepted ( even though I specified
11:22:33:44:55:77 )

The idea is that I want to also do a mac check ( if the
Calling-Station-Id is present in sql ..)
I don't want to bind the username/password combination to the mac
address for all the users

PPPoE ~ # cat dexter | radclient -x 127.0.0.1 auth r4d1usP4ssw0rd
Sending Access-Request of id 61 to 127.0.0.1 port 1812
       Service-Type = Framed-User
       Framed-Protocol = PPP
       User-Name = "dexter"
       User-Password = "250896"
       Calling-Station-Id = "11:22:33:44:55:77"
       NAS-IP-Address = 127.0.0.1
       NAS-Port = 242
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=61, length=50
       Framed-Protocol = PPP
       Service-Type = Framed-User
       Framed-Compression = Van-Jacobson-TCP-IP
       Framed-MTU = 1500
       Framed-IP-Address = 10.10.0.82

mysql> select * from radcheck WHERE `username` = 'dexter';
+------+----------+--------------------+----+-------------------+
| id   | username | attribute          | op | value             |
+------+----------+--------------------+----+-------------------+
| 2298 | dexter   | Cleartext-Password | := | 250896            |
| 2299 | dexter   | Simultaneous-Use   | := | 1                 |
| 2300 | dexter   | Pool-Name          | := | main              |
| 2301 | dexter   | Calling-Station-Id | := | 11:22:33:44:55:66 |
+------+----------+--------------------+----+-------------------+
4 rows in set (0.01 sec)

mysql> select * from radreply WHERE `username` = 'dexter';
+------+----------+--------------------+----+---------------------+
| id   | username | attribute          | op | value               |
+------+----------+--------------------+----+---------------------+
| 4461 | dexter   | Framed-MTU         | := | 1500                |
| 4459 | dexter   | Service-Type       | := | Framed-User         |
| 4458 | dexter   | Framed-Protocol    | := | PPP                 |
| 4460 | dexter   | Framed-Compression | := | Van-Jacobsen-TCP-IP |
+------+----------+--------------------+----+---------------------+

radiusd -X reports this:
rad_recv: Access-Request packet from host 127.0.0.1 port 52468, id=61, length=89
       Service-Type = Framed-User
       Framed-Protocol = PPP
       User-Name = "dexter"
       User-Password = "250896"
       Calling-Station-Id = "11:22:33:44:55:77"
       NAS-IP-Address = 127.0.0.1
       NAS-Port = 242
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/127.0.0.1/auth-detail-20120222
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120222
[auth_log]      expand: %t -> Wed Feb 22 22:36:07 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[sql]   expand: %{User-Name} -> dexter
[sql] sql_set_user escaped user --> 'dexter'
rlm_sql (sql): Reserving sql socket id: 2
[sql]   expand: SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = 'dexter'           ORDER BY
id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op
FROM radreply           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radreply           WHERE username = 'dexter'           ORDER BY
id
[sql]   expand: SELECT groupname           FROM radusergroup
WHERE username = '%{SQL-User-Name}'           ORDER BY priority ->
SELECT groupname           FROM radusergroup           WHERE username
= 'dexter'           ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,           Value, op
       FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'
        ORDER BY id -> SELECT id, groupname, attribute,
Value, op           FROM radgroupcheck           WHERE groupname =
'dynamic'           ORDER BY id
[sql] User found in group dynamic
[sql]   expand: SELECT id, groupname, attribute,           value, op
       FROM radgroupreply           WHERE groupname = '%{Sql-Group}'
        ORDER BY id -> SELECT id, groupname, attribute,
value, op           FROM radgroupreply           WHERE groupname =
'dynamic'           ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop

WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
+- entering group session {...}
[radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp]       expand: %{User-Name} -> dexter
++[radutmp] returns ok
Login OK: [dexter/250896] (from client localhost port 242 cli 11:22:33:44:55:77)
+- entering group post-auth {...}
[reply_log]     expand:
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d ->
/var/log/radius/radacct/127.0.0.1/reply-detail-20120222
[reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/reply-detail-20120222
[reply_log]     expand: %t -> Wed Feb 22 22:36:07 2012
++[reply_log] returns ok
[sql]   expand: %{User-Name} -> dexter
[sql] sql_set_user escaped user --> 'dexter'
[sql]   expand: %{User-Password} -> 250896
[sql]   expand: INSERT INTO radpostauth
(username, pass, reply, authdate)                           VALUES (
                       '%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
           (username, pass, reply, authdate)
 VALUES (                           'dexter',
 '250896',                           'Access-Accept', '2012-02-22
22:36:07')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
                  (username, pass, reply, authdate)
       VALUES (                           'dexter',
       '250896',                           'Access-Accept',
'2012-02-22 22:36:07')
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
[sql_log] Processing sql_log_postauth
[sql_log]       expand: %{User-Name} -> dexter
[sql_log]       expand: %{%{User-Name}:-DEFAULT} -> dexter
[sql_log] sql_set_user escaped user --> 'dexter'
[sql_log] WARNING: Deprecated conditional expansion ":-".  See "man
unlang" for details
[sql_log]       expand: INSERT INTO radpostauth
 (username, pass, reply, authdate) VALUES
('%{User-Name}', '%{User-Password:-Chap-Password}',
'%{reply:Packet-Type}', '%S'); -> INSERT INTO radpostauth
          (username, pass, reply, authdate) VALUES
   ('dexter', '250896',            'Access-Accept', '2012-02-22
22:36:07');
[sql_log]       expand: /var/log/radius/radacct/sql-relay ->
/var/log/radius/radacct/sql-relay
++[sql_log] returns ok
rlm_sql (sql): Reserving sql socket id: 0
[sqlippool]     expand: %{User-Name} -> dexter
[sqlippool] sql_set_user escaped user --> 'dexter'
[sqlippool]     expand: START TRANSACTION -> START TRANSACTION
[sqlippool]     expand: UPDATE radippool   SET nasipaddress = '',
pool_key = 0,   callingstationid = '', username = '',   expiry_time =
NULL   WHERE expiry_time <= NOW() - INTERVAL 1 SECOND   AND
nasipaddress = '%{Nas-IP-Address}' -> UPDATE radippool   SET
nasipaddress = '', pool_key = 0,   callingstationid = '', username =
'',   expiry_time = NULL   WHERE expiry_time <= NOW() - INTERVAL 1
SECOND   AND nasipaddress = '127.0.0.1'
[sqlippool]     expand: SELECT framedipaddress FROM radippool   WHERE
pool_name = '%{control:Pool-Name}'   AND expiry_time IS NULL   ORDER
BY RAND()   LIMIT 1   FOR UPDATE -> SELECT framedipaddress FROM
radippool   WHERE pool_name = 'main'   AND expiry_time IS NULL   ORDER
BY RAND()   LIMIT 1   FOR UPDATE
[sqlippool]     expand: UPDATE radippool  SET nasipaddress =
'%{NAS-IP-Address}', pool_key = '%{NAS-Port}',  callingstationid =
'%{Calling-Station-Id}', username = '%{User-Name}',  expiry_time =
NOW() + INTERVAL 604800 SECOND  WHERE framedipaddress = '10.10.0.82'
AND expiry_time IS NULL -> UPDATE radippool  SET nasipaddress =
'127.0.0.1', pool_key = '242',  callingstationid =
'11:22:33:44:55:77', username = 'dexter',  expiry_time = NOW() +
INTERVAL 604800 SECOND  WHERE framedipaddress = '10.10.0.82' AND
expiry_time IS NULL
[sqlippool] Allocated IP 10.10.0.82 [780fe5bc]
[sqlippool]     expand: COMMIT -> COMMIT

rlm_sql (sql): Released sql socket id: 0
[sqlippool]     expand: Allocated IP: %{reply:Framed-IP-Address} from
%{control:Pool-Name}   (did %{Called-Station-Id} cli
%{Calling-Station-Id} port %{NAS-Port} user %{User-Name}) -> Allocated
IP: 10.10.0.82 from main   (did  cli 11:22:33:44:55:77 port 242 user
dexter)
Allocated IP: 10.10.0.82 from main   (did  cli 11:22:33:44:55:77 port
242 user dexter)
++[sqlippool] returns ok
Sending Access-Accept of id 61 to 127.0.0.1 port 52468
       Framed-Protocol := PPP
       Service-Type := Framed-User
       Framed-Compression := Van-Jacobson-TCP-IP
       Framed-MTU := 1500
       Framed-IP-Address = 10.10.0.82
Finished request 3.




More information about the Freeradius-Users mailing list