Hi I now a have solution where an SBC is acting as a Radius Client that is connecting to FreeRadius (2.1.12) to do SIP Digest authentication. The password is stored in an external database (this is not the default schema but my own). I have extracted the password (clear text) using an sql query.
From the previous e-mail I put the sql query in the inner-tunnel (this was confirmed by Alan), however, I think this maybe incorrect - I believe it should go in the default file (AM I CORRECT?)
Now I have done two tests - one test passes the other fails. The test that passes - see the following two files: draft_sterman_aaa_sip_03_freeradius_debug for the radiusd -X output and radiusclient_draft_sterman_aaa_sip_03 for the Radiusclient output. As can be seen this passes and my endpoint is authenticated. The other test fails - see the following two files: rfc4590_freeradius_debug and the radiusclient_rfc4590. The authentication fails, I suspect that the attributes passed seems to cause FreeRadius to reject the authentication. Not sure whether it is the client causing the trouble with erroneous setting of the attributes or whether Freeradius is interpreting them incorrectly It would be good to get to the bottom of the problem with using RFC 4590 - I hope the debug files help. In the debug some fields are set as removed - this is what I replaced sensitive information with. Thx Mike -----Original Message----- From: freeradius-users-bounces+mbrennan=thrupoint.com@lists.freeradius.org [mailto:freeradius-users-bounces+mbrennan=thrupoint.com@lists.freeradius.o rg] On Behalf Of Alan DeKok Sent: 25 April 2013 16:20 To: FreeRadius users mailing list Subject: Re: Digest using an external database for the Password Mike Brennan wrote:
Hi Alan Thx for your input I did the following: In radiusd.conf file, within the instantiate section the following was added: sql authorize { ... update control { Cleartext-Password := "%{sql: SELECT password FROM fusion ...}" } ... }
That is *not* what I said to do. Some amount of independent thought is required. List "sql" in the "instantiate" section. DON'T put the rest of the text above. DO edit the "inner-tunnel" file. Look for the "authorize" section. The text above shows an EXAMPLE of what you put in the "authorize" section. That's why it uses the word "authorize" DON'T put the "..." text in the config files. That was meant to show that OTHER text was also in the "authorize" section. DON'T put the "..." text in the SQL query. That was meant to show the REST of the SQL query DO think about what you're doing. DO put the ENTIRE sql SELECT statement into the example text I showed above.
In the inner-tunnel file I commented out the sql in the authorize section.
It seemed to work - see attached small snippet from my debug. In the attached file there is still a rlm_sql_mysql: MYSQL check_error: 1146 received message I have missed something else?
Yes. That error is a MySQL error. You've mis-typed the query. Go read MySQL documentation to see how to create a correct query. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -------------------- Note: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. Thrupoint, Inc. nXaR2cC3