Why do I need to force Auth-Type?
In a previous post "PAP what password encryption is used?" I managed to get authentication working with a msssql backend however I need to force Auth-Type := PAP. I read it's bad practice to force the Auth-Type so I was wondering what I could do to let freeradius figure the authentication itself. This is all done on freeradius 1.1.6 (OSS 10.3) I've setup an sql module: sql mssql { driver = "rlm_sql_unixodbc" # Connect info server = "test" login = "Radius_User" password = "blabla" radius_db = "V2" # niet gebruikt wel geset! acct_table1 = "radacct" acct_table2 = "radacct" authcheck_table = "user" authreply_table = "user" # niet gebruikt wel geset! groupcheck_table = "radgroupcheck" groupreply_table = "radgroupreply" usergroup_table = "usergroup" # Remove stale session if checkrad does not see a double login deletestalesessions = yes # Print all SQL statements when in debug mode (-x) sqltrace = no sqltracefile = ${logdir}/sqltrace.sql # number of sql connections to make to server num_sql_socks = 5 sql_user_name = "%{Stripped-User-Name:-%{User-Name:-none}}" # Custom query die attributen klaar zet! authorize_check_query = "SELECT UserID,Usernaam,'SHA-Password' AS Attribute, Wachtwoord, ':=' AS Op FROM ${authcheck_table} WHERE Usernaam = '%{SQL-User-Name}' ORDER BY UserID" authorize_reply_query = "SELECT UserID,Usernaam from {authreply_table} WHERE Usernaam = '%{SQL-User-Name}' ORDER BY UserID" } You can see I'm using a custom SQL query to get the right attributes. I can only compare username and password in this database. I actually don't need any groupcheck's etc. I've setup its authorize entry: Autz-Type mssql { mssql } and finally in users file: DEFAULT Realm == mssql.nl", Autz-Type := mssql This setup doesn't work: modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: Looking up realm "mssql.nl" for User-Name = "lsa@mssql.nl" rlm_realm: Found realm "DEFAULT" rlm_realm: Adding Stripped-User-Name = "lsa" rlm_realm: Proxying request from user lsa to realm DEFAULT rlm_realm: Adding Realm = "DEFAULT" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 1 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 1 modcall: leaving group authorize (returns ok) for request 1 Found Autz-Type mssql Processing the authorize section of radiusd.conf modcall: entering group mssql for request 1 radius_xlat: 'lsa' rlm_sql (mssql): sql_set_user escaped user --> 'lsa' radius_xlat: 'SELECT UserID,Usernaam,'SHA-Password' AS Attribute, Wachtwoord, ':=' AS Op FROM bas_user WHERE Usernaam = 'lsa' ORDER BY UserID' rlm_sql (mssql): Reserving sql socket id: 3 radius_xlat: '' radius_xlat: 'SELECT UserID,Usernaam from {authreply_table} WHERE Usernaam = 'lsa' ORDER BY UserID' rlm_sql_getvpdata: database query error radius_xlat: '' rlm_sql (mssql): Released sql socket id: 3 modcall[authorize]: module "mssql" returns ok for request 1 modcall: leaving group mssql (returns ok) for request 1 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Delaying request 1 for 1 seconds Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 223 to 127.0.0.1 port 32770 Waking up in 4 seconds... rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=223, length=20 If I add Auth-Type in users file it works: DEFAULT Realm == mssql.nl", Autz-Type := mssql, Auth-Type := PAP Rg, Arnaud Loonstra -- View this message in context: http://www.nabble.com/Why-do-I-need-to-force-Auth-Type--tp18925418p18925418.... Sent from the FreeRadius - User mailing list archive at Nabble.com.
sphaero wrote:
In a previous post "PAP what password encryption is used?" I managed to get authentication working with a msssql backend however I need to force Auth-Type := PAP. I read it's bad practice to force the Auth-Type so I was wondering what I could do to let freeradius figure the authentication itself.
List "pap" *inside* of the Autz-Type blocks, *after* your SQL modules.
This is all done on freeradius 1.1.6 (OSS 10.3)
Ugh. 2.0 is much better. Alan DeKok.
Alan DeKok-2 wrote:
List "pap" *inside* of the Autz-Type blocks, *after* your SQL modules.
This is all done on freeradius 1.1.6 (OSS 10.3)
Ugh. 2.0 is much better.
Alan DeKok.
Thanks for that Alan, that does work as well. However I still don'y know why freeradius didn't try pap in the first place. I need to work with the 1.1 serie since eventually I need to implement this HP procurve agent for freeradius and I haven't found any support for 2.0 series yet. Rg, Arnaud Loonstra -- View this message in context: http://www.nabble.com/Why-do-I-need-to-force-Auth-Type--tp18925418p18943719.... Sent from the FreeRadius - User mailing list archive at Nabble.com.
sphaero wrote:
Thanks for that Alan, that does work as well. However I still don'y know why freeradius didn't try pap in the first place.
It did. Read the debug output.
I need to work with the 1.1 serie since eventually I need to implement this HP procurve agent for freeradius and I haven't found any support for 2.0 series yet.
Ask them. It shouldn't be too hard to port any module from 1.1.x. Alan DeKok.
participants (2)
-
Alan DeKok -
sphaero