FreeRADIUS + MySQL + DHCP Opt82

IVB ivb at is.ua
Fri Mar 30 13:12:50 CEST 2012


Fajar A. Nugraha-2 wrote
> 
> On Fri, Mar 30, 2012 at 4:29 PM, IVB <ivb@> wrote:
>> I need help.
>>
>> Software: FreeRADIUS v2.1.11, MySQL v5.1.61.
>> Hardware: RB SE100 under SEOS-6.4.1.4-Release
>>
>> BRAS sends Opt-82 related attributes in the following format:
>>
> 
> What format?
> 

Agent-Remote-Id = 0x0006001e58ab0304
ADSL-Agent-Remote-Id = "\000\006\000\036X\253\003\004"
Agent-Circuit-Id = 0x000403fc0001
ADSL-Agent-Circuit-Id = "\000\004\003\374\000\001"



>>
>> Attributes Agent-* are described in the radius dictionary as 'octets'.
>> Attributes ADSL-Agent-* are described in the radius dictionary as 'string'.
> 
> AFAIK those are not DHCP dictionary. They're part of "normal" radius
> dictionary. So you just treat them like any other attribute.
> 
>>
>> I tried to store the needed data in the MySQL database from which Radius
>> gets 'check' attributes:
> 

INSERT INTO
  `radcheck` ( `UserName`, `Attribute`, `Value`, `op` )
VALUES
  ( '00:12:23:56:78:9A', 'Cleartext-Password', 'Redback', ':=' ),
  ( '00:12:23:56:78:9A', 'Agent-Circuit-ID', x'000403fc0001', '==' ),
  ( '00:12:23:56:78:9A', 'Agent-Remote-ID', x'0006001e58ab0304', '==' )

(most important part of message disappears from my post)



>>
>> for Radius to select those attributes to authenticate. But I got a 'Login
>> incorrect' message in the Radius log.
>>
>> If I remove both Agent-* attributes from the DB (that means that I don't
>> validate Opt-82 parameters) - I got 'Login OK'.
>>
>> I think that I use the wrong format for Agent-* attributes, but I tried
>> some different variants without success.
>>
>> I tried to use ADSL-Agent-* instead of Agent-* in the DB, but I receive
>> 'Login OK' with _any_ attribute values - match and mismatch.
>>
>> So I need help. I really need it.
> 
> You need to know what the NAS (i.e. BRAS) sends. An easy way to get
> that is to run FR in debug mode (-X) while the NAS is sending
> an authentication packet.
> 

Yes, I know about debug mode, but BRAS and Radius are in project mode (using
PPPoE authorisation now). DHCP testing uses the same context and the same
Radius server. To run a different Radius in debug mode I need to configure a
different context...



> Then compare to what you have on radcheck. Note the operators (you
> probably need "==").
> 
> Then you need to find out what's going on. Again, debug mode would be
> the best way.
> 
> -- 
> Fajar
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 


--
View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRADIUS-MySQL-DHCP-Opt82-tp5606148p5606373.html
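
The Agent-* and ADSL-Agent-* values quoted in the message above are the same bytes printed two ways: 0x-prefixed hex for the 'octets' attributes and octal escapes for the 'string' attributes. The following is an added example, not code from the thread or from FreeRADIUS; the function names are hypothetical and the sample values are copied from the post. It decodes both printed forms, compares them, and checks which form is plain printable text.

```python
import re

# Sample values copied from the message above.
HEX_REMOTE_ID = "0x0006001e58ab0304"
STR_REMOTE_ID = r"\000\006\000\036X\253\003\004"
HEX_CIRCUIT_ID = "0x000403fc0001"
STR_CIRCUIT_ID = r"\000\004\003\374\000\001"

# \ooo (three octal digits), or a backslash plus one character, or one plain character.
_TOKEN = re.compile(r"\\([0-7]{3})|\\(.)|(.)", re.DOTALL)


def from_hex(text):
    """Decode the 0x-prefixed hex form shown for the 'octets' attributes."""
    if not text.lower().startswith("0x"):
        raise ValueError("expected a 0x prefix: %r" % text)
    return bytes.fromhex(text[2:])


def from_escaped(text):
    """Decode the escaped form shown for the 'string' attributes."""
    out = bytearray()
    for octal, escaped, plain in _TOKEN.findall(text):
        if octal:
            value = int(octal, 8)
            if value > 0xFF:
                raise ValueError("octal escape out of byte range: \\" + octal)
            out.append(value)
        else:
            # Any other character stands for its own byte value.
            out += (escaped or plain).encode("latin-1")
    return bytes(out)


def to_hex(raw):
    """Render raw bytes in the 0x-prefixed text form."""
    return "0x" + raw.hex()


def same_value(hex_text, escaped_text):
    """True when both printed forms describe the same byte string."""
    return from_hex(hex_text) == from_escaped(escaped_text)


def is_printable_ascii(raw):
    """True when every byte is printable ASCII (safe to hold in a text column)."""
    return all(0x20 <= b <= 0x7E for b in raw)
```
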