How to strip REALM but insert it from a username@MAC onto an MySQL DB
Hi All; I have been running a FreeRADIUS Server Version 2.1.6 setup to work with MySQL 5 to authenticate VPN Dial-up users with no problems at all. My next step is to try to log the users realms, which is their MAC addresses, the authentication today is CHAP with a combination of username + password check on the mysql db. I would like to continue with the same authentication method by when the user is authenticating they will include their MAC address as such: username @ MAC_ADDRESS Freeradius is to strip the MAC_ADDRESS, then insert onto the field "Realm" on the table "radacct" and then authenticate the user normally via the username+password combination. I have researched and have not found a way to implement this. Have any of you got any ideas how to implement this pls? Any help appreciated. Many thanks Lucio PS: Have not included any conf files as my FR is pretty much out of the box setup, but will happily do so. _________________________________________________________________ Got a cool Hotmail story? Tell us now http://clk.atdmt.com/UKM/go/195013117/direct/01/
Guys; I really need some ideas here pls. Many thanks Lucio From: luciocfgodoy@hotmail.com To: freeradius-users@lists.freeradius.org Subject: How to strip REALM but insert it from a username@MAC onto an MySQL DB Date: Fri, 22 Jan 2010 14:28:50 +0000 Hi All; I have been running a FreeRADIUS Server Version 2.1.6 setup to work with MySQL 5 to authenticate VPN Dial-up users with no problems at all. My next step is to try to log the users realms, which is their MAC addresses, the authentication today is CHAP with a combination of username + password check on the mysql db. I would like to continue with the same authentication method by when the user is authenticating they will include their MAC address as such: username @ MAC_ADDRESS Freeradius is to strip the MAC_ADDRESS, then insert onto the field "Realm" on the table "radacct" and then authenticate the user normally via the username+password combination. I have researched and have not found a way to implement this. Have any of you got any ideas how to implement this pls? Any help appreciated. Many thanks Lucio PS: Have not included any conf files as my FR is pretty much out of the box setup, but will happily do so. Got a cool Hotmail story? Tell us now _________________________________________________________________ Got a cool Hotmail story? Tell us now http://clk.atdmt.com/UKM/go/195013117/direct/01/
Hi,
Guys;
I really need some ideas here pls.
what help, exactly, do you need? you've described pretty much all you need and how you'll do it - just write the relevant unlang in your site config... alan
Lucio Godoy wrote:
I would like to continue with the same authentication method by when the user is authenticating they will include their MAC address as such:
username @ MAC_ADDRESS
Freeradius is to strip the MAC_ADDRESS, then insert onto the field "Realm" on the table "radacct" and then authenticate the user normally via the username+password combination.
Use regexes.
I have researched and have not found a way to implement this.
See "man unlang". Match the User-Name with a regex, split it into two fields, and update any attribute lists you believe to be necessary. Alan DeKok.
Hi Alan B and Alan D; I'll investigate the unlang, thats what i needed a pointer where to look. I'll post my findings Many thanks Lucio
Date: Sun, 24 Jan 2010 17:04:42 +0100 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: Help pls: How to strip REALM but insert it from a username@MAC onto an MySQL DB
Lucio Godoy wrote:
I would like to continue with the same authentication method by when the user is authenticating they will include their MAC address as such:
username @ MAC_ADDRESS
Freeradius is to strip the MAC_ADDRESS, then insert onto the field "Realm" on the table "radacct" and then authenticate the user normally via the username+password combination.
Use regexes.
I have researched and have not found a way to implement this.
See "man unlang". Match the User-Name with a regex, split it into two fields, and update any attribute lists you believe to be necessary.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Tell us your greatest, weirdest and funniest Hotmail stories http://clk.atdmt.com/UKM/go/195013117/direct/01/
On 01/24/2010 03:01 PM, Lucio Godoy wrote:
Hi Alan B and Alan D;
I'll investigate the unlang, thats what i needed a pointer where to look.
man unlang -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Hi All; I have been reading unlang and also digging the Internet for help with my issue. I have added the following line to "vi sql/mysql/dialup.conf" #Comented out this line #sql_user_name = "%{User-Name}" #as per the man pages: # Double-quoted strings are expanded by inserting the value of any variables # Single-quoted strings are evaluated as-is. if("%{User-Name}" == 'london'){ sql_user_name = "hasworked" } And i try to logon using the username london Still not working!! I get: Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.2.253 port 4981, id=41, length=222 Acct-Session-Id = "1096" NAS-IP-Address = 192.168.2.253 Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 0 MS-RAS-Vendor = 311 MS-RAS-Version = "MSRASV5.20" NAS-Port-Type = Virtual Tunnel-Type:0 = PPTP Tunnel-Medium-Type:0 = IPv4 Calling-Station-Id = "10.10.108.136" Tunnel-Client-Endpoint:0 = "10.10.108.136" MS-RAS-Client-Version = "MSRASV5.10" MS-RAS-Client-Name = "MSRAS-0-CRIS_D620_LAPTO" User-Name = "london" CHAP-Challenge = 7006be2aedd9dca01 CHAP-Password = 2f9fea3082b5bae5fb +- entering group authorize {...} [preprocess] expand: %{User-Name} -> london ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 [sql] User not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "london" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> london attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 41 to 192.168.2.253 port 4981 Waking up in 4.9 seconds. Cleaning up request 0 ID 41 with timestamp +3 Ready to process requests. _________________________________________________________________ We want to hear all your funny, exciting and crazy Hotmail stories. Tell us now http://clk.atdmt.com/UKM/go/195013117/direct/01/
Lucio Godoy wrote:
I have been reading unlang and also digging the Internet for help with my issue.
I have added the following line to "vi sql/mysql/dialup.conf"
Nope. As the "man" page says, you need to put the if/else/update statements into the "authorize" section. Alan DeKok.
Hi all; I am nearly there, thanks to you all. I have created this rule on the file sites-available/default on the authorize section: if("%{User-Name}"){ if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/){ update request { User-Name := "%{1}" Digest-Realm := "%{3}" } } else { reject } } I am getting the user to authenticate as "user @ MAC_ADDRESS", and the REGEX is doing what is supposed to do, but the field Realm on the radacct table is not being updated with the MAC_ADDRESS it is empty, is the Digest-Realm the right attribute to be updated for the realm? Thanks Lucio
Date: Mon, 25 Jan 2010 17:52:35 +0100 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: Help pls: How to strip REALM but insert it from a username@MAC onto an MySQL DB
Lucio Godoy wrote:
I have been reading unlang and also digging the Internet for help with my issue.
I have added the following line to "vi sql/mysql/dialup.conf"
Nope. As the "man" page says, you need to put the if/else/update statements into the "authorize" section.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Do you have a story that started on Hotmail? Tell us now http://clk.atdmt.com/UKM/go/195013117/direct/01/
Lucio Godoy wrote:
I have created this rule on the file sites-available/default on the authorize section:
if("%{User-Name}"){
Or just: if (User-Name) { The "unlang" docs say that means check if the attribute exists.
if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/){
Why not just: /^(.*)@(.*)$/ That's a lot simpler. You may need to put two '$$' in.
I am getting the user to authenticate as "user @ MAC_ADDRESS", and the REGEX is doing what is supposed to do, but the field Realm on the radacct table is not being updated with the MAC_ADDRESS it is empty, is the Digest-Realm the right attribute to be updated for the realm?
No. You need to update the "Realm" attribute. Alan DeKok.
Hi All; With your help i have managed to get Radius to do what i needed, thanks. Basically i have placed the following into the sites-available/default file on the authorize and accounting areas: if(User-Name){ if ("%{User-Name}" =~ /^(.{6,32})(@{1})(.{17})$/){ update request { User-Name := "%{1}" Realm := "%{3}" } } else { reject } } The Regex will allow: Usernames from 6 to 32 characters; Only one @ sign, and 32 Chars for the MAC Address Users without the @ MAC_ADDRESS will be dropped. With that REGEX true the Username and Realm are updated respectively on my MySQL DB. Next time anybody is around Windsor UK, let me know (email at the top) i'll treat you for a pint(s) of Stella and a Kebab Thanks again Lucio _________________________________________________________________ Tell us your greatest, weirdest and funniest Hotmail stories http://clk.atdmt.com/UKM/go/195013117/direct/01/
hi, out on a limb but i dont think unlang works in that conf environment...ou need to do the unlang before you call the SQL - and ensure that you set SQL-User-Name before you call the sql in the virtual server.... alan
participants (4)
-
Alan Buxey -
Alan DeKok -
John Dennis -
Lucio Godoy