Hello, I'm fairly new to freeradius so to some my problem may seem trivial, but ... I'm trying to get EAP-TLS to work, and when using "file" setup everything works as it's suppose to - only selected users can authorize after meeteing check criteria. When i switch to SQL (postgresql) it seems that no matter what i insert to radcheck and radreply tables *any user (if he has valid cert) can authorize without any problems* :-( Can anybody shed some light on this issue ? My configuration: ### USERS ### "ajax" Auth-Type := EAP, Calling-Station-Id == "some-valid-mac" # "ajax" Auth-Type := EAP, Calling-Station-Id == "some-invalid-mac" DEFAULT Auth-Type := Reject Reply-Message = "ACCESS DENIED" ### SQL ### radius=> select * from radcheck; id | username | attribute | op | value -----+----------+--------------------+----+--------------- 410 | ajax | Auth-Type | := | EAP 411 | ajax | Calling-Station-ID | == | some-INVALID-mac 412 | DEFAULT | Auth-Type | := | Reject (3 rows) radius=> select * from radreply; id | username | attribute | op | value ----+----------+---------------+----+--------------- 3 | DEFAULT | Reply-Message | = | ACCESS DENIED (1 row) All other tables are _empty_ ### postgresql.conf ### Is a default postgresql.conf from freeradius (with database connection settings set) ### radiusd.conf ### authorize { preprocess suffix eap sql # files } authenticate { eap } -- best regards, Marcin 'Yans' Bazarnik
Yans van Horn wrote:
I'm trying to get EAP-TLS to work, and when using "file" setup everything works as it's suppose to - only selected users can authorize after meeteing check criteria.
When i switch to SQL (postgresql) it seems that no matter what i insert to radcheck and radreply tables *any user (if he has valid cert) can authorize without any problems* :-(
The SQL module doesn't work in the same way as the users file, unfortunately. So you can't just translate the "users" file entries to a bunch of SQL rows, and expect it to do exactly the same thing. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok <aland@deployingradius.com> wrote:
Yans van Horn wrote:
I'm trying to get EAP-TLS to work, and when using "file" setup everything works as it's suppose to - only selected users can authorize after meeteing check criteria.
When i switch to SQL (postgresql) it seems that no matter what i insert to radcheck and radreply tables *any user (if he has valid cert) can authorize without any problems* :-(
The SQL module doesn't work in the same way as the users file, unfortunately. So you can't just translate the "users" file entries to a bunch of SQL rows, and expect it to do exactly the same thing.
Thats for sure. According to docs: 1. Search the radcheck table for any check attributes specific to the user 2. If check attributes are found, and there's a match, pull the reply items from the radreply table for this user and add them to the reply 3. Group processing then begins if any of the following conditions are met: a. The user IS NOT found in radcheck b. The user IS found in radcheck, but the check items don't match c. The user IS found in radcheck, the check items DO match AND the read_groups directive is set to 'yes' 4. If groups are to be processed for this user, the first thing that is done is the list of groups this user is a member of is pulled from the usergroup table ordered by the priority field. The priority field of the usergroup table allows us to control the order in which groups are processed, so that we can emulate the ordering in the users file. This can be important in many cases. 5. For each group this user is a member of, the corresponding check items are pulled from radgroupcheck table and compared with the request. If there is a match, the reply items for this group are pulled from the radgroupreply table and applied. 6. Processing continues to the next group IF: a. There was not a match for the last group's check items (The above is exactly the same as in the users file) 7. Finally, if the user has a User-Profile attribute set or the Default Profile option is set in the sql.conf, then steps 4-6 are repeated for the groups that the profile is a member of. If i understand correctly, setting: sql { .... default_user_profile = "DEFAULT" } And: radius=> select * from radcheck order by id; id | username | attribute | op | value -----+----------+--------------------+----+--------------- 410 | ajax | Auth-Type | := | EAP 411 | ajax | Calling-Station-ID | == | ----- 413 | revoked | Auth-Type | := | EAP 414 | revoked | Calling-Station-ID | == | ----- 420 | DEFAULT | Auth-Type | := | Reject (5 rows) radius=> select * from radreply order by id; id | username | attribute | op | value ----+----------+---------------+----+--------------- 3 | DEFAULT | Reply-Message | = | ACCESS DENIED (1 row) radius=> select * from radgroupcheck order by id; id | groupname | attribute | op | value ----+-----------+-----------+----+-------- 2 | wifi | Auth-Type | := | Reject (1 row) radius=> select * from radgroupreply order by id; id | groupname | attribute | op | value ----+-----------+---------------+----+--------------- 1 | wifi | Reply-Message | = | ACCESS DENIED (1 row) radius=> select * from usergroup order by id; id | username | groupname ----+----------+----------- 1 | revoked | wifi 2 | ajax | wifi (2 rows) This should prevent _any_ user from authenticating, but "ajax", "revoked" certs allow access. If i understand correctly auth should look like something like this: - cert revocation should reject "revoked" - users should not match - groups should match and should reject - default user should match and reject (if checked after group matched) That's at least strange or above config is completely screwed. If so, please show me correct table contents for earlier "users" file. -- regards, Marcin 'Yans' Bazarnik
Yans van Horn wrote: ...
Thats for sure. According to docs:
There's no need to quote the documentation here.
This should prevent _any_ user from authenticating, but "ajax", "revoked" certs allow access.
Maybe. I don't use SQL, so I can't really say.
That's at least strange or above config is completely screwed. If so, please show me correct table contents for earlier "users" file.
Uh... do we have a business relationship I'm unaware of? If you want a consultant to configure your system for you, please see the "support" link on freeradius.org. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok <aland@deployingradius.com> wrote:
Uh... do we have a business relationship I'm unaware of? If you want a consultant to configure your system for you, please see the "support" link on freeradius.org.
You are right, we do not have a bussiness agreement. And I was not asking for configuring for me the whole system or resolving any complicated problem. The "users" file i presented was as simple as it can be, i thought it wouldn't be much of a problem to help out - point in a right direction. It seems i was wrong. I'm really sorry for taking so much of Your time. What is most dissapointing is Your cynism and rudeness, I did not expect that. I'm just curious if this is Your "way" through life ? (retorical question) -- still, best regards, Marcin 'Yans' Bazarnik
Yans van Horn wrote:
What is most dissapointing is Your cynism and rudeness,
Ah, yes. That's the standard complaint when I point out you have the option to learn for yourself, or to pay someone to do the work for you. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok <aland@deployingradius.com> wrote:
Yans van Horn wrote:
What is most dissapointing is Your cynism and rudeness,
Ah, yes. That's the standard complaint when I point out you have the option to learn for yourself, or to pay someone to do the work for you.
I wonder, if in Canada, ie. when someone asks for directions the reply is always "how much ?" :-) I'm MTB passionate, and i'm happy to help people with technical problems or just needing advice. Following Your "advice" i should start charging them for "support" :-) -- best regards, Marcin 'Yans' Bazarnik
Yans van Horn wrote:
I'm MTB passionate, and i'm happy to help people with technical problems or just needing advice.
Remind me which open source project you've been supporting for free for nearly the past decade? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok wrote:
Yans van Horn wrote:
I'm MTB passionate, and i'm happy to help people with technical problems or just needing advice.
Remind me which open source project you've been supporting for free for nearly the past decade?
You have to broaden Your mind, not everyone have to be open source programmer. If You didn't know, some people may participate in non-profit projects for _over_ decade, and You don't have to be listed on sourceforge or freshmeat to do that. But i guess You're used to judging people through Your narrow point of view. Best of luck to You on freeradius. It is a nice piece of software. -- best regards, Marcin 'Yans' Bazarnik
UPDATE: "revoked" _is_ rejected when using postgresql. Sorry for confusion. -- regards, Marcin 'Yans' Bazarnik
participants (2)
-
Alan DeKok -
Yans van Horn