Hi. Some weeks ago I was asking for this, but didn't receive an answer. Subject is MySQL Authentication based on a Calling-Station-ID. The problem is, that the cisco Switch doesn't send a user-name&user-password in his access-request, and mysql doesn't like! --> *Error: rlm_sql *>* (sql): zero length username not permitted" I tried to comment out this part in the sql-module source-code, and recompile freeradius. To my surprise, this actually DOES work. --> rad_recv: Access-Request packet from host 127.0.0.1:1046, id=134, length=52 User-Name = "" User-Password = "michael" NAS-IP-Address = 255.255.255.255 NAS-Port = 1812 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 0 radius_xlat: 'michael' rlm_sql (sql): sql_set_user escaped user --> 'michael' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck ? WHERE Username = 'michael' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'michael' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'michael' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'michael' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type Accept rad_check_password: Auth-Type = Accept, accepting the user Sending Access-Accept of id 134 to 127.0.0.1:1046 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 134 with timestamp 43bc1274 Nothing to do. Sleeping until we see a request. Sql.conf was told, to check for the password, not username. It works! So, my question is, like in the subject, mainly directed to alan, or some other developper of the sql-module. WHY was it done like that, i.e. that you HAVE to use a username in sql? Thanks for your help, I really appreciate it! Bye. *
florian broder wrote:
WHY was it done like that, i.e. that you HAVE to use a username in sql? I am no developer but my guess would be because you have just allowed everyone in the world in as long as they know you have a password correct. You can't config the cisco switch to send the mac as the user? That would be the normal behavior. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
Hi.
WHY was it done like that, i.e. that you HAVE to use a username in sql? I am no developer but my guess would be because you have just allowed everyone in the world in as long as they know you have a password
correct. That was just an example by me, you can tell the sql module (sql.conf) to look for virtually every attribute in an access-request. You can't config the cisco switch to send the mac as the user?
That would be the normal behavior.
I told Cisco that too. I'm in contact with them, for this task. Nortel for example sends the MAC as username/password, no problem with that. I'd just like to know, if I can use safely my own compiled version (zero length username on sql allowed), or if I run into problems afterwards, maybe for accounting etc. That's why I was asking the developpers here directly. I mean, they must have had a reason to NOT allow that on sql, while the "normal" authentication via users file allows that. Thanks again! Bye.
florian broder wrote:
Hi.
> WHY was it done like that, i.e. that you HAVE to use a username in sql? I am no developer but my guess would be because you have just allowed everyone in the world in as long as they know you have a password
correct.
That was just an example by me, you can tell the sql module (sql.conf) to look for virtually every attribute in an access-request.
You can't config the cisco switch to send the mac as the user? That would be the normal behavior.
I told Cisco that too. I'm in contact with them, for this task.
Nortel for example sends the MAC as username/password, no problem with that.
I'd just like to know, if I can use safely my own compiled version (zero length username on sql allowed), or if I run into problems afterwards, maybe for accounting etc. That's why I was asking the developpers here directly. I mean, they must have had a reason to NOT allow that on sql, while the "normal" authentication via users file allows that.
Thanks again! Yea, Alan has told me that the sql module differs in some areas and some of the reasons may be good and others not so much. Good luck.
-- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
Hi.
Yea, Alan has told me that the sql module differs in some areas and some of the reasons may be good and others not so much. Good luck. Today I let the switch talk to freeradius (&sql-database with modified source-code) for the first time. Before I was only testing with ntradping. It works really well, the switch authenticates the mac and puts the port in the given VLAN.
But still my concern is, that I MAY run into problems. The system should serve a few hundred "Clients" all authenticated through some (three to four) Cisco 6500 Switches and one freeradius (using mysql) machine. Maybe nobody here can tell me, if it works out, but ANY suggestion is really appreciated. No developpers here? :( Bye. Florian.
participants (2)
-
florian broder -
Lewis Bergman