Freeradius denies auth when "Framed-IP-Address" set
Hi all -- Debian Sarge 2.4.27-2-386 kernel freeRadius (dpkg version 1.0.2-4) MySQL Server (dpkg version 4.1.11a-4) I have been using FreeRadius successfully for half a year. All my setup does is authenticate dialup connections. Radius auth requests come in from a NAS, and once authentication has been successful, the NAS will assign an IP address out of its pool. I use mysql to store 'User-Password' attribute/value pairs, where the password is stored in cleartext (there is PAP and CHAP authentication). This all works very well. I am now trying to have FreeRadius also assign IP Address and Netmask to a subset of the user accounts, and that's where I'm getting stuck: As soon as I add the additional attributes "Framed-IP-Address" and "Framed-IP-Netmask" to the table, FreeRadius will reject the authentication request. When using PAP, radius.log reports: Wed Aug 24 09:31:27 2005 : Auth: Login incorrect: [gerret/testme] When using CHAP, radius.log reports: Wed Aug 24 09:33:25 2005 : Auth: Login incorrect (rlm_chap: Clear text password not available): [gerret/<CHAP-Password>] This issue goes away as soon as I delete rows with id 1343 and 1344 below: mysql> select id, username, attribute, value, op from login_accounts where username='gerret'; +------+----------+-------------------+----+---------------+ | id | username | attribute | op | value | +------+----------+-------------------+----+---------------+ | 414 | gerret | User-Password | == | testme | | 1343 | gerret | Framed-IP-Address | == | 65.166.58.202 | | 1344 | gerret | Framed-IP-Netmask | == | 255.255.254.0 | +------+----------+-------------------+----+---------------+ When running in full debug mode, FreeRadius outputs the exact queries it fires at the database. I have run these queries manually: the 'authorize_check_query' returns the three rows listed above. All other queries return the empty set. Then at the end of the debug output: rlm_sql (sql): No matching entry in the database for request from user [gerret] rlm_sql (sql): Released sql socket id: 2 modcall[authorize]: module "sql" returns notfound for request 7 modcall: group authorize returns ok for request 7 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [gerret/testme] (from client north port 0 cli 00:02:6F:37:D9:D4) Am I filling the wrong rows into the database? I dont understand how authentication can fail due to the addition of two extra attributes -- especially since the queries still return the "User-Password" information. It looks like this post describes a similar issue: http://lists.cistron.nl/pipermail/freeradius-users/2005-January/039705.html Any help on this is much appreciated :) cheers Gerret
Gerret Apelt wrote:
I am now trying to have FreeRadius also assign IP Address and Netmask to a subset of the user accounts, and that's where I'm getting stuck.
[...]
This issue goes away as soon as I delete rows with id 1343 and 1344 below:
mysql> select id, username, attribute, value, op from login_accounts where username='gerret'; +------+----------+-------------------+----+---------------+ | id | username | attribute | op | value | +------+----------+-------------------+----+---------------+ | 414 | gerret | User-Password | == | testme | | 1343 | gerret | Framed-IP-Address | == | 65.166.58.202 | | 1344 | gerret | Framed-IP-Netmask | == | 255.255.254.0 | +------+----------+-------------------+----+---------------+
When running in full debug mode, FreeRadius outputs the exact queries it fires at the database. I have run these queries manually: the 'authorize_check_query' returns the three rows listed above. All other queries return the empty set.
'Framed-IP-Address' is a reply item and should be in the authreply_table table. (and not authcheck_table) -- Nicolas Baradakis
participants (2)
-
Gerret Apelt -
Nicolas Baradakis