So I've gotten further with the investigation, but I'm still experiencing 1 last issue. This username/password works - 107b44c186e0/10-7b-44-c1-86-e0 This username/password fails - 107b44c186e0/107b44c186e0 and it's because this password is used as the MD5 Password also in the request. So I'm trying to see how I can use the first combination and have it pass. It seems per the DEBUG snippet below that the issue is that the mysql query returns the Cleartext-Password right before the failing EAP section, thus I believe if I can override the returned value of the mysql query and return it with dashes it should work. But there in lies my issue. Where can I do that without modifying the raw sql queries. The following will update the query return values: update control { Cleartext-Password := "%{sql:SELECT concat(left(value,2), \"-\" ,substring(value,3,2), \"-\" , substring(value,5,2), \"-\",substring(value,7,2), \"-\",substring(value,9,2), \"-\", right(value,2)) FROM radcheck WHERE username='%{Stripped-User-Name}'}" } But I don't know where to put it in order to override that below. I cannot modify the raw sql queries as I have other NAS' that work fine and cannot modify the SQL queries that work for them. Thus this will be a unlang fix that is tied to a specific Called-Station-Id ultimately. Any hints on where I could do this would be much appreciated. Thxs Jeremy . . . (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "107b44c186e0", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 2 length 39 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} (1) sql: --> 107b44c186e0 (1) sql: SQL-User-Name set to '107b44c186e0' rlm_sql (sql): Reserved connection (3) (1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (1) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '107b44c186e0' ORDER BY id (1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '107b44c186e0' ORDER BY id (1) sql: User found in radcheck table (1) sql: Conditional check items matched, merging assignment check items (1) sql: Cleartext-Password := "107b44c186e0" (1) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (1) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '107b44c186e0' ORDER BY id (1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '107b44c186e0' ORDER BY id (1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (1) sql: --> SELECT groupname FROM radusergroup WHERE username = '107b44c186e0' ORDER BY priority (1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '107b44c186e0' ORDER BY priority (1) sql: User found in the group table (1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (1) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'saili_mdu_snjs_133_current' ORDER BY id (1) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'saili_mdu_snjs_133_current' ORDER BY id (1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (1) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'saili_mdu_tower2_current' ORDER BY id (1) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'saili_mdu_tower2_current' ORDER BY id (1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (1) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'saili_mdu_tower3_current' ORDER BY id (1) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'saili_mdu_tower3_current' ORDER BY id (1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (1) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'saili_mdu_tower1_current' ORDER BY id (1) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'saili_mdu_tower1_current' ORDER BY id (1) sql: Group "saili_mdu_tower1_current": Conditional check items matched (1) sql: Group "saili_mdu_tower1_current": Merging assignment check items (1) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (1) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'saili_mdu_tower1_current' ORDER BY id (1) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'saili_mdu_tower1_current' ORDER BY id (1) sql: Group "saili_mdu_tower1_current": Merging reply items (1) sql: Tunnel-Type := VLAN (1) sql: Tunnel-Medium-Type := IEEE-802 (1) sql: Tunnel-Private-Group-Id := "90" rlm_sql (sql): Released connection (3) (1) [sql] = ok (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x839da8a8839facfd (1) eap: Finished EAP session with state 0x839da8a8839facfd (1) eap: Previous EAP request found for state 0x839da8a8839facfd, released from the list (1) eap: Peer sent packet with method EAP MD5 (4) (1) eap: Calling submodule eap_md5 to process data (1) eap: Sending EAP Failure (code 4) ID 2 length 4 (1) eap: Freeing handler (1) [eap] = reject (1) } # authenticate = reject (1) Failed to authenticate the user (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Post-Auth-Type REJECT { (1) sql: EXPAND .query . . . On Fri, May 11, 2018 at 11:43 AM, Jeremy Lundquist <pmudan01@gmail.com> wrote:
So I figured it out. The value of User-Name (MAC) in the Access-Request is also used as the EAP Password (determined through trial and error testing). So going back to my original reason for doing this work. I'd like to be able to have in my DB the username/password to be the MAC of the new HW and without dashes. Currently I have working the following - the username (MAC) without dashes but the password (MAC) still with dashes, as the EAP password is this value also. Thus I'm wondering, as the NAS passes over the EAP password with dashes, is there a way I can store in my Radius DB the password without dashes, but when EAP needs to query it for the hash comparison it does so but inserts dashes before using it?
This all goes without saying I'm trying to work with the vendor to implement things differently on their end, but need to get this working now as we are using them in network.
Thxs Jeremy
On Fri, May 11, 2018 at 10:53 AM, Jeremy Lundquist <pmudan01@gmail.com> wrote:
So by " you need to add to your SQL DB the value that the NAS is sending in its EAP-MD5 auth request ", I'll need to contact the NAS vendor and get the value as I believe in the auth request it's a hash value, correct?
Jeremy
On Fri, May 11, 2018 at 10:36 AM, Alan Buxey <alan.buxey@gmail.com> wrote:
there IS a password...its not a plain PAP user-Password though - its in that EAP-Message that you can see. so, you need to add to your SQL DB the value that the NAS is sending in its EAP-MD5 auth request
you cannot just Access-Accept an EAP request, there needs to be a full, correct response.
alan
On 11 May 2018 at 18:22, Jeremy Lundquist <pmudan01@gmail.com> wrote:
Here is the username/password from the mysql DB - note no password (blank).
MariaDB [radiusdb]> select * from radcheck where username='107b44c186e0'; +------+--------------+--------------------+----+-------+ | id | username | attribute | op | value | +------+--------------+--------------------+----+-------+ | 2308 | 107b44c186e0 | Cleartext-Password | := | | +------+--------------+--------------------+----+-------+ 1 row in set (0.00 sec)
So when I tested using radclient (sending just username, no password) without adding the following to my authorize section in sites-enabled/default it failed (which I believe is expected? ). update control { Auth-Type := Accept }
Debug snippet: . . rlm_sql (sql): Released connection (2) (0) [sql] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: No User-Password attribute in the request. Cannot do PAP (0) [pap] = noop (0) } # authorize = updated (0) WARNING: Please update your configuration, and remove 'Auth-Type = Local' (0) WARNING: Use the PAP or CHAP modules instead (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) sql: EXPAND .query . .
NOTE - I verified in my configs, I have not set "Auth-Type = Local" anywhere.
But when I added it, it passed (again, expected per one of your instructions in previous email).
Debug snippet: . . (0) [sql] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: Auth-Type already set. Not setting to PAP (0) [pap] = noop (0) } # authorize = updated (0) Found Auth-Type = Accept (0) Auth-Type = Accept, accepting the user (0) # Executing section post-auth from file /etc/raddb/sites-enabled/ default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop . .
So going back to my using the test HW, you are saying even without a password it should work as long as what's in the DB and what's passed via the HW is the same. But there is no password passed in the Access-Request and there is none in the DB, thus it should work, but it's not? That's were I'm getting hung up. I'd expect it to work as both are the same (nothing), but it's not, unless I'm not understanding properly what you are saying.
Jeremy
On Fri, May 11, 2018 at 9:07 AM, Alan DeKok <aland@deployingradius.com
wrote:
On May 11, 2018, at 12:02 PM, Jeremy Lundquist <pmudan01@gmail.com> wrote:
Let me add an updated Debug output to be thorough:
Reading it, and my messages would help.
The reason there's no User-Password in the request is because the NAS is doing EAP.
As I said before, it's doing EAP-MD5. And EAP-MD5 is failing because the password is wrong.
Stop trying to create a User-Password. It's not necessary. Test PAP with radclient. It should work.
EAP-MD5 is basically CHAP. So if the user enters the same password as what's in the DB, it *will* work.
The only reason it won't work is that the passwords *are not the same*.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html