Platform: OpenBSD 5.1 Version: 2.1.12 Hello, I have a problem setting up freeradius and I think it's related to the domain stripping Here's what I did for my configuration 1) Imported the scripts schema.sql, admin.sql, ippool.sql, nas.sql in my MySQL radiusdb database 2) Inserted a user: INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('testuser', 'Password', 'passsecret'); 3) Configured clients.conf client localhost { ipaddr = 127.0.0.1 secret = testing123 require_message_authenticator = no nastype = other # localhost isn't usually a NAS... } 4) Uncommented in radiusd.conf $INCLUDE ${confdir}/sql.conf $INCLUDE ${confdir}/sql/mysql/counter.conf 5) In /etc/raddb/sites-enabled/default uncommented authorize { sql } accounting { sql sql_log } 6) Configured /etc/raddb/sql.conf sql { database = "mysql" driver = "rlm_sql_${database}" #socket= var/run/mysql/mysql.sock server = "localhost" port = 3306 login = "radiususer" password = "passradius" radius_db = "radius" acct_table1 = "radacct" acct_table2 = "radacct" postauth_table = "radpostauth" authcheck_table = "radcheck" authreply_table = "radreply" groupcheck_table = "radgroupcheck" groupreply_table = "radgroupreply" usergroup_table = "radusergroup" deletestalesessions = yes sqltrace = no sqltracefile = ${logdir}/sqltrace.sql num_sql_socks = 5 connect_failure_retry_delay = 60 lifetime = 0 max_queries = 0 nas_table = "nas" $INCLUDE sql/${database}/dialup.conf } 7) In /etc/raddb/sql/mysql/dialup.conf added sql_user_name = '%{Stripped-User-Name}' 8) I start the radius server # /usr/local/sbin/radiusd -X And make a test on the local machine $ radtest testuser passsecret 127.0.0.1 1812 testing123 And I receive an access reject: rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=222, length=20 9) Le debug says rad_recv: Access-Request packet from host 127.0.0.1 port 10251, id=122, length=78 User-Name = "testuser" User-Password = "passsecret" NAS-IP-Address = 192.168.1.1 NAS-Port = 1812 Message-Authenticator = 0xf16b463a77e5dfefbd9385915a307e88 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{Stripped-User-Name} -> [sql] sql_set_user escaped user --> '' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: -> [sql] Error generating query; rejecting user rlm_sql (sql): Released sql socket id: 3 ++[sql] returns fail Invalid user: [testuser] (from client localhost port 1812) Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> testuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 122 to 127.0.0.1 port 10251 Waking up in 4.9 seconds. Cleaning up request 1 ID 122 with timestamp +74 Ready to process requests. 10) I can see that something goes wrong with this message [sql] Error generating query; rejecting user But I don't understand why Thank you to those who can point the right direction. Regards
Hi,
[sql] expand: %{Stripped-User-Name} -> [sql] sql_set_user escaped user --> '' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: -> [sql] Error generating query; rejecting user rlm_sql (sql): Released sql socket id: 3 ++[sql] returns fail
Stripped-User-Name not populated - so a blank expansion. do you need stripped-user-name? - just use User-Name if not alan
[sql] expand: %{Stripped-User-Name} ->
[sql] sql_set_user escaped user --> '' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: -> [sql] Error generating query; rejecting user rlm_sql (sql): Released sql socket id: 3 ++[sql] returns fail
Stripped-User-Name not populated - so a blank expansion. do you need stripped-user-name? - just use User-Name if not
Hello Alan, Thank you for your answer. I may have not understood what you wrote. I replaced in /etc/raddb/sql/mysql/dialup.conf sql_user_name = '%{Stripped-User-Name}' by sql_user_name = '%{User-Name}' But my authentication is still rejected [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> testuser [sql] sql_set_user escaped user --> 'testuser' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: -> [sql] Error generating query; rejecting user rlm_sql (sql): Released sql socket id: 4 ++[sql] returns fail Invalid user: [testuser] (from client localhost port 1812) Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> testuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds I would like to have simple logins such as testuser and not testuser@somedomain
[sql] expand: %{Stripped-User-Name} ->
[sql] sql_set_user escaped user --> '' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: -> [sql] Error generating query; rejecting user rlm_sql (sql): Released sql socket id: 3 ++[sql] returns fail
Stripped-User-Name not populated - so a blank expansion. do you need stripped-user-name? - just use User-Name if not
Hello Alan,
Thank you for your answer. I may have not understood what you wrote. I replaced in /etc/raddb/sql/mysql/dialup.conf
sql_user_name = '%{Stripped-User-Name}' by sql_user_name = '%{User-Name}'
But my authentication is still rejected
[suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> testuser [sql] sql_set_user escaped user --> 'testuser' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: -> [sql] Error generating query; rejecting user rlm_sql (sql): Released sql socket id: 4 ++[sql] returns fail Invalid user: [testuser] (from client localhost port 1812) Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> testuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds
I would like to have simple logins such as testuser and not testuser@somedomain
Hello lsclrstd, I have created a second user testuser2 with the password in 'Cleartext-Password' It doesn't work either. I have enabled the logs in Mysql, but I don't see any sql request that is been made. I think there's a way to enable additional logs with freeradius and see what are the queries done to the mysql server. Does anyone knows how to do that ? I'll search more. Thank you
Hi,
[sql] expand: %{User-Name} -> testuser [sql] sql_set_user escaped user --> 'testuser' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: -> [sql] Error generating query; rejecting user
seems fair enough - there is no expansion for the query - so I would now check your sql.conf and dialup file to verify that the query for authentication/authorization is sane and correct (I've deleted your previous email where you gave more details) alan
Hello Alan,
Thank you for your answer. I may have not understood what you wrote. I replaced in /etc/raddb/sql/mysql/dialup.conf
sql_user_name = '%{Stripped-User-Name}' by sql_user_name = '%{User-Name}'
Hello lsclrstd, I have created a second user testuser2 with the password in 'Cleartext-Password'
Hello everyone, I finally solved my problem. My dialup.conf was empty with the exception of the statement I added. And dialup.conf is supposed to have some sql queries inside. For the test to work, the password should be 'Password' and not 'Cleartext-Password' Thank you to those who helped
Mik J wrote:
I finally solved my problem. My dialup.conf was empty with the exception of the statement I added. And dialup.conf is supposed to have some sql queries inside. For the test to work, the password should be 'Password' and not 'Cleartext-Password'
NO. ABSOLUTELY NOT. Please stop giving erroneous advice. The advice to use "Password" or "User-Password" has been INVALID for about 7 years. It's time that people learn. If you have the password in a database, it's Cleartext-Password, ALWAYS. Anything else is WRONG. Alan DeKok.
lscrlstld wrote:
2) Inserted a user: INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('testuser', 'Password', 'passsecret');
Use 'Cleartext-Password' instead of 'Password' and try again.
The "Password" attribute will be removed in 3.0. I'm thinking of deleting it in 2.2.0, too. Too many people make this *basic* mistake. Alan DeKok.
participants (4)
-
alan buxey -
Alan DeKok -
lscrlstld -
Mik J