Problem authenticating cleartext-passwords locally and proxy realms
Hello. I want freeradius to authenticate users with Cleartext-Password locally and proxy others with realms. I use SQL for users, groups, nas and huntgroups. The problem: When logging in with the user with Cleartext-Password all passwords are accepted. The proxied users need the correct password. What am i missing? Please help. My set up consists of: AAA Client -> Freeradius 2.1.6 with MySQL -> RADIUS-server ##sites-enabled/default authorize section # SQL query huntgroups update request { Huntgroup-Name := "%{sql:select groupname from radhuntgroup where nasipaddress=\"%{NAS-IP-Address}\"}" } # # # SQL query Proxy-To-Realm # update control { Proxy-To-Realm := "%{sql:select authserver from authmethod where username =\"%{User-Name}\"}" } radhuntgroup table: mysql> select * from radhuntgroup; +----+-------------+--------------+-----------+ | id | groupname | nasipaddress | nasportid | +----+-------------+--------------+-----------+ | 4 | VPN-service | x.x.x.x | NULL | radgroupcheck table: mysql> select * from radgroupcheck; +----+-----------+----------------+----+-------------+ | id | groupname | attribute | op | value | +----+-----------+----------------+----+-------------+ | 8 | VPN-AUTH | Huntgroup-Name | == | VPN-Service | | 9 | VPN-AUTH | Auth-Type | := | Accept | usergroup table; mysql> select * from usergroup; +--------------+-----------+----------+ | UserName | GroupName | priority | +--------------+-----------+----------+ | testuser | VPN-AUTH | 0 | | safewordtest | VPN-AUTH | 0 | +--------------+-----------+----------+ users-file # On no match, the user is denied access. DEFAULT Auth-Type := Reject Users are defined in radcheck. testuser is to be authenticated locally safewordtest is to be proxied (table authmethod). mysql> select * from radcheck; +----+--------------+--------------------+----+----------+ | id | username | attribute | op | value | +----+--------------+--------------------+----+----------+ | 33 | testuser | Cleartext-Password | := | testuser | | 39 | safewordtest | Cleartext-Password | := | testttsd | +----+--------------+--------------------+----+----------+ mysql> select * from authmethod; +--------------+------------+----------+ | username | authserver | priority | +--------------+------------+----------+ | safewordtest | Safeword | 1 | +--------------+------------+----------+ Debug: Incorrect username/password. rad_recv: Access-Request packet from host x.x.x.x port 1812, id=38, length=70 User-Name = "testuser" User-Password = "wrongpasswordibelieve" NAS-IP-Address = x.x.x.x +- entering group authorize {...} ++[preprocess] returns ok sql_xlat expand: %{User-Name} -> testuser sql_set_user escaped user --> 'testuser' expand: select groupname from radhuntgroup where nasipaddress="%{NAS-IP-Address}" -> select groupname from radhuntgroup where nasipaddress="x.x.x.x" rlm_sql (sql): Reserving sql socket id: 3 sql_xlat finished rlm_sql (sql): Released sql socket id: 3 expand: %{sql:select groupname from radhuntgroup where nasipaddress="%{NAS-IP-Address}"} -> VPN-Service ++[request] returns ok sql_xlat expand: %{User-Name} -> testuser sql_set_user escaped user --> 'testuser' expand: select authserver from authmethod where username ="%{User-Name}" -> select authserver from authmethod where username ="testuser" rlm_sql (sql): Reserving sql socket id: 2 SQL query did not return any results rlm_sql (sql): Released sql socket id: 2 expand: %{sql:select authserver from authmethod where username ="%{User-Name}"} -> ++[control] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 204 ++[files] returns ok [sql] expand: %{User-Name} -> testuser [sql] sql_set_user escaped user --> 'testuser' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser' ORDER BY id [sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = 'testuser' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'VPN-AUTH' ORDER BY id [sql] User found in group VPN-AUTH [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'VPN-AUTH' ORDER BY id rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop WARNING: You set Proxy-To-Realm = , but the realm does not exist! Cancelling invalid proxy request. Found Auth-Type = Accept Auth-Type = Accept, accepting the user +- entering group post-auth {...} [sql] expand: %{User-Name} -> testuser [sql] sql_set_user escaped user --> 'testuser' [sql] expand: %{User-Password} -> wrongpasswordibelieve [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser', 'wrongpasswordibelieve', 'Access-Accept', '2009-08-13 21:01:08') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser', 'wrongpasswordibelieve', 'Access-Accept', '2009-08-13 21:01:08') rlm_sql (sql): Reserving sql socket id: 0 rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 38 to x.x.x.x port 1812 Class := 0x6f753d7672663337302c6f753d72657472726565 Finished request 0. -- View this message in context: http://www.nabble.com/Problem-authenticating-cleartext-passwords-locally-and... Sent from the FreeRadius - User mailing list archive at Nabble.com.
mikoi wrote:
The problem: When logging in with the user with Cleartext-Password all passwords are accepted.
Because that's what you told it to do.
mysql> select * from radgroupcheck; +----+-----------+----------------+----+-------------+ | id | groupname | attribute | op | value | +----+-----------+----------------+----+-------------+ | 8 | VPN-AUTH | Huntgroup-Name | == | VPN-Service | | 9 | VPN-AUTH | Auth-Type | := | Accept |
Why is the Auth-Type := Accept in there?
users-file # On no match, the user is denied access. DEFAULT Auth-Type := Reject
This is ALWAYS the default. There is no need for this line. Delete it. Alan DeKok.
Why is the Auth-Type := Accept in there?
Yes, you are right. This was the cause. Removed the line from radgroupcheck and added Auth-Type := LOCAL to radcheck instead and that did the trick. Thanks. For users that are proxied to the backend RADIUS-server i need Auth-Type := Accept otherwise it will reject since it is the default. -- View this message in context: http://www.nabble.com/Problem-authenticating-cleartext-passwords-locally-and... Sent from the FreeRadius - User mailing list archive at Nabble.com.
mikoi wrote:
Why is the Auth-Type := Accept in there?
Yes, you are right. This was the cause.
Removed the line from radgroupcheck and added Auth-Type := LOCAL
Why? That is NOT necessary. All of the documentation and all of the examples and many of the messages on this list say DO NOT SET AUTH-TYPE. Especially Auth-Type := Local. That configuration has been NOT recommended for many years now. Many, many, years. Alan DeKok.
Why? That is NOT necessary. All of the documentation and all of the examples and many of the messages on this list say DO NOT SET AUTH-TYPE.
Especially Auth-Type := Local. That configuration has been NOT recommended for many years now. Many, many, years.
Yes, you are so right! Removed Auth-Type from everywhere and as you said. It kept on working. I must have had some other configurations that messed up my testingresults and led me to believe Auth-Type fixed the errors. Now after a lot of trial and error i think i have a decent configuration. Thanks again! -- View this message in context: http://www.nabble.com/Problem-authenticating-cleartext-passwords-locally-and... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (2)
-
Alan DeKok -
mikoi