authentication problem with sql
Hi, my freeradius works well with users files users but when I test it with one of my users that is stored in db, the authentication fails. what is needed to authenticate users that are stored in db. two debug mode output is attached: it's debug response for a user that is stored in db: rad_recv: Access-Request packet from host 127.0.0.1:1029, id=90, length=58 User-Name = "n2test" User-Password = "n2test" NAS-IP-Address = 255.255.255.255 NAS-Port = 1645 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "n2test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 users: Matched entry DEFAULT at line 154 modcall[authorize]: module "files" returns ok for request 1 radius_xlat: 'n2test' rlm_sql (sql): sql_set_user escaped user --> 'n2test' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'n2test' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 2 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName, radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'n2test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'n2test' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName, radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'n2test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 2 modcall[authorize]: module "sql" returns ok for request 1 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 1 modcall: leaving group authorize (returns ok) for request 1 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 modcall[authenticate]: module "unix" returns notfound for request 1 modcall: leaving group authenticate (returns notfound) for request 1 auth: Failed to validate the user. Delaying request 1 for 1 seconds Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 90 to 127.0.0.1 port 1029 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 90 with timestamp 471de1e9 Nothing to do. Sleeping until we see a request. and it's the output for a normal user that is stored in users file: rad_recv: Access-Request packet from host 127.0.0.1:1029, id=43, length=62 User-Name = "normaltest" User-Password = "normaltest" NAS-IP-Address = 255.255.255.255 NAS-Port = 1645 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "normaltest", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry normaltest at line 1 modcall[authorize]: module "files" returns ok for request 0 radius_xlat: 'normaltest' rlm_sql (sql): sql_set_user escaped user --> 'normaltest' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'normaltest' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): User normaltest not found in radcheck radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName, radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'normaltest' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName, radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'normaltest' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): User normaltest not found in radgroupcheck rlm_sql (sql): Released sql socket id: 4 rlm_sql (sql): User not found modcall[authorize]: module "sql" returns notfound for request 0 modcall[authorize]: module "pap" returns updated for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type pap auth: type "PAP" Processing the authenticate section of radiusd.conf modcall: entering group PAP for request 0 rlm_pap: login attempt with password normaltest rlm_pap: Using clear text password "normaltest". rlm_pap: User authenticated successfully modcall[authenticate]: module "pap" returns ok for request 0 modcall: leaving group PAP (returns ok) for request 0 Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 0 rlm_sql (sql): Processing sql_postauth radius_xlat: 'normaltest' rlm_sql (sql): sql_set_user escaped user --> 'normaltest' radius_xlat: 'INSERT into radpostauth (user, pass, reply, date) values ('normaltest', 'normaltest', 'Access-Accept', NOW())' rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (user, pass, reply, date) values ('normaltest', 'normaltest', 'Access-Accept', NOW()) rlm_sql (sql): Reserving sql socket id: 3 rlm_sql (sql): Released sql socket id: 3 modcall[post-auth]: module "sql" returns ok for request 0 modcall: leaving group post-auth (returns ok) for request 0 Sending Access-Accept of id 43 to 127.0.0.1 port 1029 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 43 with timestamp 471de179 Nothing to do. Sleeping until we see a request.
No one knows? On 10/23/07, hadi golestani <hadi.golestani@gmail.com> wrote:
Hi, my freeradius works well with users files users but when I test it with one of my users that is stored in db, the authentication fails. what is needed to authenticate users that are stored in db.
two debug mode output is attached: it's debug response for a user that is stored in db:
rad_recv: Access-Request packet from host 127.0.0.1:1029, id=90, length=58 User-Name = "n2test" User-Password = "n2test" NAS-IP-Address = 255.255.255.255 NAS-Port = 1645 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "n2test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 users: Matched entry DEFAULT at line 154 modcall[authorize]: module "files" returns ok for request 1 radius_xlat: 'n2test' rlm_sql (sql): sql_set_user escaped user --> 'n2test' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'n2test' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 2 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName, radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'n2test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'n2test' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName, radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'n2test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 2 modcall[authorize]: module "sql" returns ok for request 1 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 1 modcall: leaving group authorize (returns ok) for request 1 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 modcall[authenticate]: module "unix" returns notfound for request 1 modcall: leaving group authenticate (returns notfound) for request 1 auth: Failed to validate the user. Delaying request 1 for 1 seconds Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 90 to 127.0.0.1 port 1029 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 90 with timestamp 471de1e9 Nothing to do. Sleeping until we see a request.
and it's the output for a normal user that is stored in users file:
rad_recv: Access-Request packet from host 127.0.0.1:1029, id=43, length=62 User-Name = "normaltest" User-Password = "normaltest" NAS-IP-Address = 255.255.255.255 NAS-Port = 1645 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "normaltest", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry normaltest at line 1 modcall[authorize]: module "files" returns ok for request 0 radius_xlat: 'normaltest' rlm_sql (sql): sql_set_user escaped user --> 'normaltest' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'normaltest' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): User normaltest not found in radcheck radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName, radgroupcheck.Attribute ,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'normaltest' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id ' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName, radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'normaltest' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): User normaltest not found in radgroupcheck rlm_sql (sql): Released sql socket id: 4 rlm_sql (sql): User not found modcall[authorize]: module "sql" returns notfound for request 0 modcall[authorize]: module "pap" returns updated for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type pap auth: type "PAP" Processing the authenticate section of radiusd.conf modcall: entering group PAP for request 0 rlm_pap: login attempt with password normaltest rlm_pap: Using clear text password "normaltest". rlm_pap: User authenticated successfully modcall[authenticate]: module "pap" returns ok for request 0 modcall: leaving group PAP (returns ok) for request 0 Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 0 rlm_sql (sql): Processing sql_postauth radius_xlat: 'normaltest' rlm_sql (sql): sql_set_user escaped user --> 'normaltest' radius_xlat: 'INSERT into radpostauth (user, pass, reply, date) values ('normaltest', 'normaltest', 'Access-Accept', NOW())' rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (user, pass, reply, date) values ('normaltest', 'normaltest', 'Access-Accept', NOW()) rlm_sql (sql): Reserving sql socket id: 3 rlm_sql (sql): Released sql socket id: 3 modcall[post-auth]: module "sql" returns ok for request 0 modcall: leaving group post-auth (returns ok) for request 0 Sending Access-Accept of id 43 to 127.0.0.1 port 1029 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 43 with timestamp 471de179 Nothing to do. Sleeping until we see a request.
Hi! I'm trying to set up a WLAN (5 APs) with a RADIUS Server (SuSe 10.2). RADIUS should authenticate the MAC Adresses of the WLAN Users to grant them access to the network. There are often new computers, which should get access to the Network immediately and without installing anything. RADIUS is running (APs in clients.conf listed, but not yet any further settings made), APs are set up and I can roam in my network all over the office. I use WPA2 PSK at the moment to cipher the WLAN. I have a MySQL Database to enter user information. Question: I just found some options with Certificates/PWs to authenticate users. Can I authenticate them just with their MAC? Where do I specify it in my Database? It's my first RADIUS Project and I don't think I'm a "Stephen Hawking" in RADIUS configuration... ;) Anyway...I'm thankful for every help I get. Thanks in advance Bernd
Dear All, Is there any relation between the accounting requests and the LDAP, in case i'm using LDAP for authentication and MySql for accounting. Now i have many accounting requests and my DB machine is loaded , but what i can't understand is why my LDAP machine is loaded too. i make a debug on the RADIUS and found that when handling the accounting request the RADIUS contacts the sql and ldap to check GroupMember, in sql.conf i commented the group member query and nothing happens against the MySql , but still happens against the LDAP . any idea ??? thanks all
Amr el-Saeed wrote:
Is there any relation between the accounting requests and the LDAP, in case i'm using LDAP for authentication and MySql for accounting.
No.
Now i have many accounting requests and my DB machine is loaded , but what i can't understand is why my LDAP machine is loaded too. i make a debug on the RADIUS and found that when handling the accounting request the RADIUS contacts the sql and ldap to check GroupMember,
It only does that if you configured the server to look for LDAP groups as part of your local policy. i.e. "LDAP-Group == ...".
in sql.conf i commented the group member query and nothing happens against the MySql , but still happens against the LDAP .
If you want to use LDAP groups, then understand that doing so will involve using the LDAP server. If you don't want to use LDAP groups, then remove that configuration from your system. The default configuration does NOT do LDAP group matching on accounting requests. So it's definitely something you added locally to your system. Alan DeKok.
i just noticed that this happens in the Interim-Update packet only not the Start or the Stop !! Alan DeKok wrote:
Amr el-Saeed wrote:
Is there any relation between the accounting requests and the LDAP, in case i'm using LDAP for authentication and MySql for accounting.
No.
Now i have many accounting requests and my DB machine is loaded , but what i can't understand is why my LDAP machine is loaded too. i make a debug on the RADIUS and found that when handling the accounting request the RADIUS contacts the sql and ldap to check GroupMember,
It only does that if you configured the server to look for LDAP groups as part of your local policy. i.e. "LDAP-Group == ...".
in sql.conf i commented the group member query and nothing happens against the MySql , but still happens against the LDAP .
If you want to use LDAP groups, then understand that doing so will involve using the LDAP server. If you don't want to use LDAP groups, then remove that configuration from your system.
The default configuration does NOT do LDAP group matching on accounting requests. So it's definitely something you added locally to your system.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
can i just drop the Interim-Update packet from the RADIUS server ?? Amr el-Saeed wrote:
i just noticed that this happens in the Interim-Update packet only not the Start or the Stop !!
Alan DeKok wrote:
Amr el-Saeed wrote:
Is there any relation between the accounting requests and the LDAP, in case i'm using LDAP for authentication and MySql for accounting.
No.
Now i have many accounting requests and my DB machine is loaded , but what i can't understand is why my LDAP machine is loaded too. i make a debug on the RADIUS and found that when handling the accounting request the RADIUS contacts the sql and ldap to check GroupMember,
It only does that if you configured the server to look for LDAP groups as part of your local policy. i.e. "LDAP-Group == ...".
in sql.conf i commented the group member query and nothing happens against the MySql , but still happens against the LDAP .
If you want to use LDAP groups, then understand that doing so will involve using the LDAP server. If you don't want to use LDAP groups, then remove that configuration from your system.
The default configuration does NOT do LDAP group matching on accounting requests. So it's definitely something you added locally to your system.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Bernd wrote:
I'm trying to set up a WLAN (5 APs) with a RADIUS Server (SuSe 10.2). RADIUS should authenticate the MAC Adresses of the WLAN Users to grant them access to the network.
Do the AP's send RADIUS requests to authenticate the MAC when they see a new machine? If not, you can't do it.
I just found some options with Certificates/PWs to authenticate users. Can I authenticate them just with their MAC? Where do I specify it in my Database?
Yes, you can authenticate them with the MAC. See what is in the RADIUS Access-Request from the NAS, then use that as keys for local policies.
It's my first RADIUS Project and I don't think I'm a "Stephen Hawking" in RADIUS configuration... ;)
Anyway...I'm thankful for every help I get.
Unfortunately, you're being told to go read the NAS documentation. Then, if what you want is possible, come back here for more FreeRADIUS questions. Alan DeKok.
Do the AP's send RADIUS requests to authenticate the MAC when they see a new machine? If not, you can't do it.
How do I know if they do? -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Mittwoch, 24. Oktober 2007 11:21 An: FreeRadius users mailing list Betreff: Re: Newbie Question o.O Bernd wrote:
I'm trying to set up a WLAN (5 APs) with a RADIUS Server (SuSe 10.2). RADIUS should authenticate the MAC Adresses of the WLAN Users to grant them access to the network.
Do the AP's send RADIUS requests to authenticate the MAC when they see a new machine? If not, you can't do it.
I just found some options with Certificates/PWs to authenticate users. Can I authenticate them just with their MAC? Where do I specify it in my Database?
Yes, you can authenticate them with the MAC. See what is in the RADIUS Access-Request from the NAS, then use that as keys for local policies.
It's my first RADIUS Project and I don't think I'm a "Stephen Hawking" in RADIUS configuration... ;)
Anyway...I'm thankful for every help I get.
Unfortunately, you're being told to go read the NAS documentation. Then, if what you want is possible, come back here for more FreeRADIUS questions. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I'm sorry...I never worked with RADIUS, please consider that. I don't mind reading documentations :) - but I don't know where I can find the NAS documentation -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Mittwoch, 24. Oktober 2007 12:38 An: FreeRadius users mailing list Betreff: Re: AW: Newbie Question o.O Bernd wrote:
Do the AP's send RADIUS requests to authenticate the MAC when they see a new machine? If not, you can't do it.
How do I know if they do? ...
Unfortunately, you're being told to go read the NAS documentation.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Bernd wrote:
I'm sorry...I never worked with RADIUS, please consider that. I don't mind reading documentations :) - but I don't know where I can find the NAS documentation
We don't have copies of it. You haven't even said what kind of NAS it is, so it's impossible for us to help you. Perhaps the vendor has a web site? Alan DeKok.
Bernd please correct your system date. You keep sending mails dated in the future! Sebastian Am Mittwoch, den 31.10.2007, 14:20 +0100 schrieb Bernd:
I'm sorry...I never worked with RADIUS, please consider that. I don't mind reading documentations :) - but I don't know where I can find the NAS documentation
-----Ursprüngliche Nachricht----- Von: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Mittwoch, 24. Oktober 2007 12:38 An: FreeRadius users mailing list Betreff: Re: AW: Newbie Question o.O
Bernd wrote:
Do the AP's send RADIUS requests to authenticate the MAC when they see a new machine? If not, you can't do it.
How do I know if they do? ...
Unfortunately, you're being told to go read the NAS documentation.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
which explains why gmail shows all his mails as being 0 minutes ago. Not even Google has harnessed time travel (don't tell the shareholders tho) On 24/10/2007, Sebastian Wild <sw@cronon.org> wrote:
Bernd please correct your system date. You keep sending mails dated in the future!
Sebastian
Am Mittwoch, den 31.10.2007, 14:20 +0100 schrieb Bernd:
I'm sorry...I never worked with RADIUS, please consider that. I don't mind reading documentations :) - but I don't know where I can find the NAS documentation
-----Ursprüngliche Nachricht----- Von: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Mittwoch, 24. Oktober 2007 12:38 An: FreeRadius users mailing list Betreff: Re: AW: Newbie Question o.O
Bernd wrote:
Do the AP's send RADIUS requests to authenticate the MAC when they see a new machine? If not, you can't do it.
How do I know if they do? ...
Unfortunately, you're being told to go read the NAS documentation.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
No one knows?
On 10/23/07, hadi golestani <hadi.golestani@gmail.com> wrote: ^^^^^^^^^^^^^
you posted less than 24 hours ago. this isnt a commercial support contract. maybe someone knows and is currently busy or away. looking from the logs, it seems that your FR is configured to use system authentication (unix module) - and yet you want to auth via SQL. so remove DEFAULT Auth-Type = System from your users file/ that should help. alan
sorry alan, problem solved, tnx a lot , It's a great community. On 10/24/07, A.L.M.Buxey@lboro.ac.uk <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
No one knows?
On 10/23/07, hadi golestani <hadi.golestani@gmail.com> wrote: ^^^^^^^^^^^^^
you posted less than 24 hours ago. this isnt a commercial support contract. maybe someone knows and is currently busy or away.
looking from the logs, it seems that your FR is configured to use system authentication (unix module) - and yet you want to auth via SQL. so remove DEFAULT Auth-Type = System
from your users file/ that should help.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (7)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Amr el-Saeed -
Andy Billington -
Bernd -
hadi golestani -
Sebastian Wild