MySQL Authentication Problem (v3.0.3)
Pyromancer
pyromancer at inkubus-sukkubus.co.uk
Wed Jul 15 22:10:40 CEST 2015
I am attempting to build a replacement radius server for a client who's
primary v2.0.2 machine has gone down for good. There is a secondary so
service continues for now.
The old system had a very complex config which hands off lots of realms to
LNSs and also does authentication for non-handed-off users via MySQL.
Initially I attempted to replicate the original server on a newly installed
machine, however FR 2.0.2 refused to compile with MySQL on the new box
(Current SuSE, vendor MySQL). So I've installed the vendor FreeRadius
(3.0.3 64bit). Initially I tried using the existing config copied from the
secondary box, after commenting out all the depreciated attributes it ran
and talked to MySQL however refused to authenticate a test user.
Research led to the Wiki and mailing list, comments re changing the default
config as little as possible (and potentially greater b0rkake the more this
is ignored noted), So having backed up the original config I cleared it and
am starting from scratch with the default one, and slowly adding in the
features of the client's original system. This has the side benefit of
removing a lot of redundant stuff from the files.
However it's refusing to authenticate the MySQL users, giving a no known
good password error, even though the cleartext password is present in the
database and matches what radtest is submitting.
The output from radiusd -X is below - the obvious problem is the "(0)
WARNING: pap : No "known good" password found for the user. Not setting
Auth-Type." line. But look above that and the user is found in the
radcheck table - there are no group entries as this is a purely local
auth-only user. This user was able to authenticate from radtest on the old
server (and still is on the secondary), the databases are identical. I
know there's another error further down regarding the accounting due to a
missing table, but as that's after the auth section I'm assuming that won't
be related to why a reject is being generated. I've tried running -X -x
and -xx to get more detailed debug, but it doesn't reveal any more
information on why the reject is being generated.
The database entry looks like this:
mysql> SELECT id, username, attribute, value, op FROM radcheck WHERE
username = 'xktester' ORDER BY id;
+------+------------+----------------------+------------------------------+----+
| id | username | attribute | value |
op |
+------+------------+----------------------+------------------------------+----+
| 3983 | xktester | Cleartext-Password | correct_horse_battery_staple |
== |
+------+------------+----------------------+------------------------------+----+
1 row in set (0.00 sec)
radiusd -X output:
Received Access-Request Id 228 from 127.0.0.1:60330 to 127.0.0.1:21812 length
76
User-Name = 'xktester'
User-Password = 'correct_horse_battery_staple'
NAS-IP-Address = 192.168.142.85
NAS-Port = 10
Message-Authenticator = 0x48c52fb5b7f81584a37eccc1eb44a643
(0) # Executing section authorize from file
/etc/raddb_ADSL//sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (User-Name != "%{tolower:%{User-Name}}")
(0) EXPAND %{tolower:%{User-Name}}
(0) --> xktester
(0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) if (User-Name =~ / /)
(0) if (User-Name =~ / /) -> FALSE
(0) if (User-Name =~ /@.*@/ )
(0) if (User-Name =~ /@.*@/ ) -> FALSE
(0) if (User-Name =~ /\\.\\./ )
(0) if (User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) if (User-Name =~ /\\.$/)
(0) if (User-Name =~ /\\.$/) -> FALSE
(0) if (User-Name =~ /@\\./)
(0) if (User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : No '@' in User-Name = "xktester", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) eap : No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
(0) sql : EXPAND %{User-Name}
(0) sql : --> xktester
(0) sql : SQL-User-Name set to 'xktester'
rlm_sql (sql): Reserved connection (4)
(0) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql : --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'xktester' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'xktester' ORDER BY id'
(0) sql : User found in radcheck table
(0) sql : EXPAND # SELECT groupname # FROM radusergroup #
WHERE username = BINARY '%{SQL-User-Name}' # ORDER BY priority
(0) sql : --> # SELECT groupname # FROM radusergroup #
WHERE username = BINARY 'xktester' # ORDER BY priority
rlm_sql (sql): Executing query: '# SELECT groupname # FROM
radusergroup # WHERE username = BINARY 'xktester' # ORDER BY
priority'
rlm_sql_mysql: MYSQL Error: No Fields
rlm_sql_mysql: MYSQL error:
(0) sql : User not found in any groups
rlm_sql (sql): Released connection (4)
(0) [sql] = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) WARNING: pap : No "known good" password found for the user. Not
setting Auth-Type.
(0) WARNING: pap : Authentication will fail unless a "known good" password
is available.
(0) [pap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
(0) Failed to authenticate the user.
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb_ADSL//sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) sql : EXPAND .query
(0) sql : --> .query
(0) sql : Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(0) sql : EXPAND %{User-Name}
(0) sql : --> xktester
(0) sql : SQL-User-Name set to 'xktester'
(0) sql : EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')
(0) sql : --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'xktester', 'correct_horse_battery_staple', 'Access-Reject',
'2015-07-15 20:38:03')
rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username, pass,
reply, authdate) VALUES ( 'xktester', 'correct_horse_battery_staple',
'Access-Reject', '2015-07-15 20:38:03')'
rlm_sql_mysql: MYSQL check_error: 1146 received
rlm_sql (sql): Table 'radius_ADSL.radpostauth' doesn't exist
rlm_sql_mysql: MYSQL check_error: 1146 received
rlm_sql_mysql: Cannot store result
rlm_sql_mysql: MySQL error 'Table 'radius_ADSL.radpostauth' doesn't exist'
(0) sql : No additional queries configured
rlm_sql (sql): Released connection (4)
(0) [sql] = noop
(0) attr_filter.access_reject : EXPAND %{User-Name}
(0) attr_filter.access_reject : --> xktester
(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(0) [eap] = noop
(0) remove_reply_message_if_eap remove_reply_message_if_eap {
(0) if (reply:EAP-Message && reply:Reply-Message)
(0) if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(0) else else {
(0) [noop] = noop
(0) } # else else = noop
(0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
Sending Access-Reject Id 228 from 127.0.0.1:21812 to 127.0.0.1:60330
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 228 with timestamp +10
Ready to process requests.
More information about the Freeradius-Users
mailing list