Accept all Auth requests while replying individual parameters

Pavel Uhliar pavel.uhliar at gmail.com
Sat Feb 20 15:19:09 CET 2016


Hi guys.

I am trying to modify an existing FreeRADIUS setup (version 2.1.12) to accept
all Auth requests, while responding to them with individual parameters
(Framed-IP-Address and Framed-Route) based on Calling-Station-Id.

I am in a running environment, where until now login requests are
authorized by User-Name/Password based on the radcheck table, and individual
parameters are sent based on the User-Name from the radreply table and combined
with group parameters from the radgroupreply table (all MySQL). Users are
paired to groups by individual entries in the usergroup table.

I would like to keep intact as much of the structure as possible; I just
need to stop verifying User-Name/Password (because now whoever is able to
access the physical infrastructure is authorized to use it) and change the
individual responses to be based on Calling-Station-Id instead of User-Name.

I don't care about groups; I do not need to distinguish between groups
anymore, so I can move group parameters to the default response once I solve
the major issue with sending the individual parameters.


First I thought the solution would be quite simple:
1) I change the SQL query selecting from the radreply table to be based on
Calling-Station-Id
2) I add "DEFAULT Auth-Type := Accept" and "Fall-Through=Yes" in the
/etc/raddb/users file

Step 1 is OK, no problem (change in /etc/raddb/sql/mysql/dialup.conf).

The problem is in Step 2. It does authorize all requests as expected (even
those not matching User-Name/Password records in the radcheck table), but when
the User-Name/Password in the request does not match the User-Name/Password in
radcheck, RADIUS skips querying the radreply table for additional
parameters. This results in the Auth response containing only parameters
from the radgroupreply table, but none from radreply. Requests containing
User-Name/Password matching those in radcheck get full responses
(with radgroupreply and radreply).


Here is a comparison of debug output between authorization with valid
credentials and invalid ones:

Valid:

[files] users: Matched entry DEFAULT at line 46
++[files] returns ok
[sql] expand: %{User-Name} -> XXXX
[sql] sql_set_user escaped user --> 'XXXX'
rlm_sql (sql): Reserving sql socket id: 7
[sql] expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE ...
ASC LIMIT 1
 -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE ... ASC LIMIT
1
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] User found in radcheck table
[sql] expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE ...
ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
... ORDER BY id
[sql] expand: SELECT GroupName FROM usergroup WHERE
UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE
UserName='XXXX'
[sql] expand: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}'
AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id ->
SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username = 'XXXX' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
[sql] User found in group YYYY
[sql] expand: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}'
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id ->
SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'XXXX' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 7
++[sql] returns ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
expand: Auth-Type: %{control:Auth-Type} -> Auth-Type: Accept
Login OK: [XXXX] (from client xxx port xxx cli xxx) Auth-Type: Accept

Invalid credentials (output is the same, just the radreply query is
missing).

[files] users: Matched entry DEFAULT at line 46
++[files] returns ok
[sql] expand: %{User-Name} -> XXXX
[sql] sql_set_user escaped user --> 'XXXX'
rlm_sql (sql): Reserving sql socket id: 9
[sql] expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE ...
ASC LIMIT 1 -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
... ASC LIMIT 1
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] expand: SELECT GroupName FROM usergroup WHERE
UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE
UserName='XXXX'
[sql] expand: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}'
AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id ->
SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username = 'XXXX' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
[sql] User found in group YYYY
[sql] expand: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}'
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id ->
SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'XXXX' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 9
++[sql] returns ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
expand: Auth-Type: %{control:Auth-Type} -> Auth-Type: Accept
Login OK: [XXXX] (from client xxx port xxx cli xxx) Auth-Type: Accept



I was trying to find some solution: I tried the "query_on_not_found"
configuration directive and played with "Fall-Through", but nothing seems to
work. I was not able to force RADIUS to do the radreply query for
not-matched credentials.



As another way to solve the problem, I was trying to use a policy to
rewrite User-Name/Password in the request to
Calling-Station-Id/<universal-password> to have all requests authorized
under my control, but this is not feasible as devices do not use only PAP,
but also CHAP and MSCHAP, and password rewriting does not work for
CHAP/MSCHAP requests.


Another way I was trying was to set up a policy that will add parameters "by
hand" based on an SQL query to the radreply table. This I can do for
Framed-IP-Address (which is only one for each user), but I am not able to
do it for Framed-Route, as there can be zero or multiple Framed-Route
entries for every user.


I am dead stuck; I will appreciate any hints to solve the problem.

Thanks a lot, Pavel
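
One way to compare two debug traces like the ones quoted in the message, added here as an example (not code from the post or from FreeRADIUS): it re-joins the mail-wrapped debug lines and reports which rlm_sql table queries ran for one request but not the other. The function names and the shortened sample traces are constructed for illustration.

```python
import re

# Start of a new debug entry; any other line is a mail-wrapped continuation.
ENTRY_START = re.compile(r"^(\[\w+\]|\+\+|rlm_sql|WARNING:|Found |Auth-Type|expand:|Login )")

def entries(trace):
    """Re-join wrapped lines so each debug entry is one string."""
    out = []
    for line in filter(str.strip, trace.splitlines()):  # skip blank lines
        if ENTRY_START.match(line) or not out:
            out.append(line.strip())
        else:
            out[-1] += " " + line.strip()
    return out

def sql_tables(trace):
    """Ordered list of the first table named in each [sql] SELECT expansion."""
    tables = []
    for entry in entries(trace):
        if entry.startswith("[sql] expand: SELECT"):
            m = re.search(r"\bFROM\s+(\w+)", entry)
            if m:
                tables.append(m.group(1))
    return tables

def missing_queries(reference, candidate):
    """Tables queried in the reference trace but not in the candidate."""
    seen = set(sql_tables(candidate))
    return [t for t in sql_tables(reference) if t not in seen]

# Constructed sample traces, shortened from the debug output in the post.
HEAD = """[sql] expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE ...
ASC LIMIT 1
 -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE ... ASC LIMIT
1
"""
REPLY = """[sql] User found in radcheck table
[sql] expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE ...
ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
... ORDER BY id
"""
TAIL = """[sql] expand: SELECT GroupName FROM usergroup WHERE
UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE
UserName='XXXX'
[sql] expand: SELECT radgroupreply.id,radgroupreply.op
 FROM radgroupreply,usergroup WHERE ... -> SELECT radgroupreply.id ...
++[sql] returns ok
"""
VALID, INVALID = HEAD + REPLY + TAIL, HEAD + TAIL
print(missing_queries(VALID, INVALID))
```
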

