failed login accounting with dialup admin
I have a small accounting problem with freeradius and dialup admin which I can't find a way to solve it. I've set freeradius to authenticate EAP-TLS, I want to log people who failed to authenticate to mysql with rlm_sql, which will show in dialup admin failed login page. I put in radiusd.con post-auth section the sql module: Post-Auth-Type REJECT { #insert-module-name-here sql } the post-auth query in sql.conf: postauth_query = "INSERT into ${postauth_table} (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap- Password}', '%{reply:Packet-Type}', NOW())" the sql query runs well, it put the failed login to the radpostauth table but the dialup admin failed login page is searching to the radacct table for the failed user which will never find it. am I doing the right way to put the sql module inside the post-auth? or should I put it in other section? I don't want to change the postauth_query but is there any way to add another query to put the data to radacct table? thanks in advance
Hi! I am using mysql module as the authorization module and I get the following warning: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! How can I force sql module to put the password value taken from the database into the Cleartext-Password instead od User-Password?? And one more question but about digest module: Will it work if I will use a sql module in authorize section and then digest in the authentication?? Thank you for any help. Bests -Tomasz
tzieleniewski wrote:
I am using mysql module as the authorization module and I get the following warning: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
How can I force sql module to put the password value taken from the database into the Cleartext-Password instead od User-Password??
Update the data in the SQL database? You have the string "User-Password". Change it to "Cleartext-Password".
And one more question but about digest module: Will it work if I will use a sql module in authorize section and then digest in the authentication??
Yes. You should list "digest" in the authorize section, too, as the example config file shows. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
TZieleniewski wrote:
the authorize section is the section which defines procedures responsible for granting a user an access to specific type of service. For instance if we use sql or files module in authorize section we can intuitivly imagine that they do some checks about user data. For instance checks if data are present in the users file or in the data base.
yes
And then in the authentication section they are for innstance authenticate with the pap module wich makes the verification between the data received from access packet and those taken from the users file or data base.
yes
but there is another situation a little bit confusing when we for instance call the chap, mschap or ldap modules in the authorize section and then
in the authenticate section. Does it work this way that somehow those modules know that they are invoked in different phases(authorize, authenticate)
Yes. Taking e.g. "mschap" as an example - during the "authorize" phase, the module looks at the request and does this: * IF the ms-chap-challenge and ms-chap-response attributes exist * THEN set Auth-Type = MS-CHAP During the "authenticate" phase it says: * Get ms-chap-challenge * Get User-Password from "config" items * Compute correct response * If corrct == ms-chap-response: ...
and perform different operations according to the needs?? Or for instance the digest module what those the authorize section really do?? Does it take any data from the users file ?? Or it just check the data format and stuff?? for instance
authorise { preprocess chap mschap }
authenticate { authtype PAP { pap } authtype CHAP { chap } authtype MS-CHAP{ mschap } }
I can really get the filling of those authtype declarations in the authenticate section Im sure that few words of explanation will make me to understand everything.
Basically, the *algorithm* modules just check to see if they're applicable to a request during authorize. If they are applicable they arrange to run themselves again during authenticate, *after* data for authentication has been added to the request. Hope that helps
update to my fault because not RTFM first. I add another sql to the sql.conf sql sql_failed_reject { driver = "rlm_sql_mysql" server = "localhost" login = "xxx" password = "xxx" radius_db = "radius" postauth_table = "radpostauth" authcheck_table = "radcheck" authreply_table = "radreply" groupcheck_table = "radgroupcheck" groupreply_table = "radgroupreply" usergroup_table = "usergroup" nas_table = "nas" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" acct_table1 = "radacct" num_sql_socks = 3 connect_failure_retry_delay = 60 postauth_query = "INSERT into ${acct_table1} (radacctid, username, nasipaddress, nasportid, acctterminatecause, acctstarttime, acctstoptime, callingstationid, servicetype, framedprotocol, framedipaddress,acctauthentic) values ('', '%{User-Name}', '%{NAS-IP- Address}', '%{NAS-PORT}', '%{reply:Packet-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '% S', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '% {Framed-IP-Address}', '%{Acct-Authentic}')" } then I put sql_failed_reject to the postauth section in radiusd.conf post-auth { # Get an address from the IP Pool. # main_pool reply_log sql # sql_log # ldap Post-Auth-Type REJECT { #insert-module-name-here #sql sql_failed_reject } } modify dialup admin failed login page to check for Access Reject. that's it, now I can see failed user in dialup admin thanks for freeradius === On Wed, 2007-01-31 at 19:42 +0700, kemas wrote:
I have a small accounting problem with freeradius and dialup admin which I can't find a way to solve it.
I've set freeradius to authenticate EAP-TLS, I want to log people who failed to authenticate to mysql with rlm_sql, which will show in dialup admin failed login page.
I put in radiusd.con post-auth section the sql module: Post-Auth-Type REJECT { #insert-module-name-here sql }
the post-auth query in sql.conf: postauth_query = "INSERT into ${postauth_table} (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap- Password}', '%{reply:Packet-Type}', NOW())"
the sql query runs well, it put the failed login to the radpostauth table but the dialup admin failed login page is searching to the radacct table for the failed user which will never find it.
am I doing the right way to put the sql module inside the post-auth? or should I put it in other section?
I don't want to change the postauth_query but is there any way to add another query to put the data to radacct table?
thanks in advance
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
Alan DeKok -
kemas -
Phil Mayers -
tzieleniewski -
TZieleniewski