What we would like to do is this: Take this request: User-Name = "6064191111@evdo.myawi.net" CHAP-Password = 0x59db2896a9629a7a1296e8e3dc7751da58 NAS-IP-Address = 10.130.2.1 CHAP-Challenge = 0x022074534be2e8405c867f676b46b432 3GPP2-Attr-60 = 0x00000001 3GPP2-Attr-61 = 0x0106000000010209a0000029275c41 Message-Authenticator = 0x01f9054690c3a469fa1bf824dfba3bbe Proxy-State = 0x3136 And instead of using chap to authenticate the user, we take the 3GPP2-Attr-61, convert it to the password we want, set it into the cleartext-password, and have the sql module query the DB for that new password. Here is the perl code that we run prior to the pap module: $retattr .= "Cleartext-Password := $meid"; $retattr .= ", CHAP-Password :=\"\" , CHAP-Challenge :=\"\" "; $retattr .= ", Auth-Type := PAP "; We return the retattr to freeradius. Here is the output: Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} [preprocess] expand: %{NAS-IP-Address} -> 10.130.2.1 [preprocess] expand: %{NAS-IP-Address} -> 10.130.2.1 ++[preprocess] returns ok [evdoesn] expand: %{User-Name} -> 6064191111@evdo.myawi.net Exec-Program output: Cleartext-Password := 268435460102579521, CHAP-Password :="" , CHAP-Challenge :="" , Auth-Type := PAP Exec-Program-Wait: value-pairs: Cleartext-Password := 268435460102579521, CHAP-Password :="" , CHAP-Challenge :="" , Auth-Type := PAP Exec-Program: returned: 0 ++[evdoesn] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.55.42.32/auth-detail-20130118 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.55.42.32/auth-detail-20130118 [auth_log] expand: %t -> Fri Jan 18 11:06:43 2013 ++[auth_log] returns ok [sql] expand: %{User-Name} -> 6064191111@evdo.myawi.net [sql] sql_set_user escaped user --> '6064191111@evdo.myawi.net' rlm_sql (sql): Reserving sql socket id: 50 [sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '6064191111@evdo.myawi.net' ORDER BY id rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '6064191111@evdo.myawi.net' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 5 WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. [sql] User found in radcheck table [sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '6064191111@evdo.myawi.net' ORDER BY id rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '6064191111@evdo.myawi.net' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 0 , fields = 5 [sql] expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE UserName='6064191111@evdo.myawi.net' rlm_sql_postgresql: query: SELECT GroupName FROM usergroup WHERE UserName='6064191111@evdo.myawi.net' rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 1 [sql] expand: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id -> SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = '6064191111@evdo.myawi.net' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = '6064191111@evdo.myawi.net' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 0 , fields = 5 [sql] User found in group evdo [sql] expand: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id -> SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username = '6064191111@evdo.myawi.net' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql_postgresql: query: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username = '6064191111@evdo.myawi.net' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 0 , fields = 5 rlm_sql (sql): Released sql socket id: 50 ++[sql] returns ok [pap] No clear-text password in the request. Not performing PAP. ++[pap] returns noop !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. CHAP-Password is incorrect. Failed to authenticate the user. Login incorrect: [6064191111@evdo.myawi.net/<CHAP-Password>] (from client radius08 port 0) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default -- regards, Joseph
Joseph Showalter wrote:
What we would like to do is this:
Take this request:
User-Name = "6064191111@evdo.myawi.net" CHAP-Password = 0x59db2896a9629a7a1296e8e3dc7751da58 NAS-IP-Address = 10.130.2.1 CHAP-Challenge = 0x022074534be2e8405c867f676b46b432 3GPP2-Attr-60 = 0x00000001 3GPP2-Attr-61 = 0x0106000000010209a0000029275c41
That looks like a series of TLVs to me. i.e. not a password. There seems to be a 32-bit integer, followed by a 64-bit integer.
And instead of using chap to authenticate the user, we take the 3GPP2-Attr-61, convert it to the password we want, set it into the cleartext-password, and have the sql module query the DB for that new password.
I'm not sure what that means. "convert it to the password we want"?
Here is the perl code that we run prior to the pap module:
$retattr .= "Cleartext-Password := $meid"; $retattr .= ", CHAP-Password :=\"\" , CHAP-Challenge :=\"\" "; $retattr .= ", Auth-Type := PAP ";
Well, that won't work. The Cleartext-Password is the *known good* password. The PAP module needs a User-Password, too. The User-Password is the password as entered by the user. If you're going to force authentication success, why not just set "Auth-Type := Accept"? That avoids all of the mangling of passwords (chap and pap) Alan DeKok.
Thanks so much for taking a look... See comments below: On Jan 18, 2013, at 3:04 PM, Alan DeKok <aland@deployingradius.com> wrote:
Joseph wrote:
What we would like to do is this:
Take this request:
User-Name = "6064191111@evdo.myawi.net" CHAP-Password = 0x59db2896a9629a7a1296e8e3dc7751da58 NAS-IP-Address = 10.130.2.1 CHAP-Challenge = 0x022074534be2e8405c867f676b46b432 3GPP2-Attr-60 = 0x00000001 3GPP2-Attr-61 = 0x0106000000010209a0000029275c41
That looks like a series of TLVs to me. i.e. not a password. There seems to be a 32-bit integer, followed by a 64-bit integer.
And instead of using chap to authenticate the user, we take the 3GPP2-Attr-61, convert it to the password we want, set it into the cleartext-password, and have the sql module query the DB for that new password.
I'm not sure what that means. "convert it to the password we want"?
Instead of using Chap which we are getting above, we want to use the "3GPP2-Attr-61 = 0x0106000000010209a0000029275c41" value which we can convert to the device serial number. In our DB we store the device serial number. The devices chap info most of them time might be tampered with or wrong. So we wanted our EXEC script to replace the chap user/pass with the new PAP user/password.
Here is the perl code that we run prior to the pap module:
$retattr .= "Cleartext-Password := $meid"; $retattr .= ", CHAP-Password :=\"\" , CHAP-Challenge :=\"\" "; $retattr .= ", Auth-Type := PAP ";
Well, that won't work.
The Cleartext-Password is the *known good* password. The PAP module needs a User-Password, too. The User-Password is the password as entered by the user.
Should we be setting Cleartext-Password and the User-Password?
If you're going to force authentication success, why not just set "Auth-Type := Accept"? That avoids all of the mangling of passwords (chap and pap)
We still want radius to run through the normal SQL process to verify that the above serial number is valid.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--regards, Joseph
Joseph Showalter wrote:
Instead of using Chap which we are getting above, we want to use the "3GPP2-Attr-61 = 0x0106000000010209a0000029275c41" value which we can convert to the device serial number.
OK.
In our DB we store the device serial number. The devices chap info most of them time might be tampered with or wrong.
That's a little surprising, but OK.
So we wanted our EXEC script to replace the chap user/pass with the new PAP user/password.
No. You don't want that. I said you don't want that. Don't do that. It's wrong.
Should we be setting Cleartext-Password and the User-Password?
No. You should be setting Auth-Type := Accept, just like I said in my last message.
If you're going to force authentication success, why not just set "Auth-Type := Accept"? That avoids all of the mangling of passwords (chap and pap)
We still want radius to run through the normal SQL process to verify that the above serial number is valid.
So... do an SQL query to see if the serial number is valid. There's no need to run a script. There's no need to play games with CHAP. There's no need to play games with PAP. Write an SQL statement that returns a string if the serial number is in the database. If the number isn't in the database, it returns nothing. Then, use the SQL statement in the "authorize" section: authorize { ... if (! "%{sql:SELECT ... }") { reject } update control { Auth-Type := Accept } ... } It's that easy. Alan DeKok.
On Jan 18, 2013, at 3:34 PM, Alan DeKok <aland@deployingradius.com> wrote:
authorize { ...
if (! "%{sql:SELECT ... }") { reject }
Can I use a userdefined variable in the select statement that the EXEC perl script returns: I would like to use the User-Password below: [evdoesn] expand: %{User-Name} -> 6064191111@evdo.myawi.net Exec-Program output: User-Password := 268435460102579521, CHAP-Password :="" , CHAP-Challenge :="" , Auth-Type := PAP Exec-Program-Wait: value-pairs: User-Password := 268435460102579521, CHAP-Password :="" , CHAP-Challenge :="" , Auth-Type := PAP Exec-Program: returned: 0 ++[evdoesn] returns ok Here is the relevant entry from the "default" file: evdoesn (exec script/perl) if (! "%{sql:SELECT username FROM 'radcheck' WHERE username=%{User-Name} AND value=%{User-Password} }") { reject } update control { Auth-Type := Accept } But it can't expand the %User-Password... rlm_sql_postgresql: query: SELECT username FROM 'radcheck' WHERE username=6064191111@evdo.myawi.net AND value= rlm_sql_postgresql: Status: PGRES_FATAL_ERROR rlm_sql_postgresql: Error syntax error at or near "'radcheck'" rlm_sql_postgresql: Postgresql Fatal Error: [42601: SYNTAX ERROR] Occurred!! Its not expanding the User-Password variable which was setup in EXEC.
update control { Auth-Type := Accept } ... }
It's that easy.
-- respectfully, Joseph / IT [M] +1(606)477-7551 / tech@ekn.com East Kentucky Network, LLC. dba Appalachian Wireless ==============================
Joseph Showalter wrote:
Can I use a userdefined variable in the select statement that the EXEC perl script returns:
Only if it's returned in the Perl script.
I would like to use the User-Password below:
[evdoesn] expand: %{User-Name} -> 6064191111@evdo.myawi.net Exec-Program output: User-Password := 268435460102579521, CHAP-Password :="" , CHAP-Challenge :="" , Auth-Type := PAP Exec-Program-Wait: value-pairs: User-Password := 268435460102579521, CHAP-Password :="" , CHAP-Challenge :="" , Auth-Type := PAP Exec-Program: returned: 0 ++[evdoesn] returns ok
So... you're going to ignore my advice, and still run the script, and still mangle the CHAP / User-Passwords, and still not have a *simple* SQL query as I suggsted.I I have no idea why I'm wasting my time trying to help you. Alan DeKok.
participants (2)
-
Alan DeKok -
Joseph Showalter