Hi list. I'm trying to implement MAC-Authentication directly from a Mysql database. I follow the wiki page http://wiki.freeradius.org/Mac-Auth for authenticate macs from a file. I want to authenticate macs reading the authorized macs from a mysql database. I understand that in the radcheck table I need to put the macs like this: username attribute op value ======= ====== == ==== 00:11:22:33:44:55 Cleartext-Password := 00:11:22:33:44:55 I don't know where put the sql instruction for read macs from database. Is in the post-auth section? How can I do this? Regards, David
Hi Alan. Thanks for your time. In the authorize section I have the next instructions for authorize users in a mac file: if((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-Id}$/i)){ update control { Auth-Type = 'CSID' } } I don't know how to call the sql module for read the list users from mysql. If I put in that section the sql instruction I don't know how compare the sql results with the Calling-Station-Id that the NAS return in the request. Another thing is that I don't know why the authorization is made in post-auth section. Thanks for your help. Regards, David 2010/11/22 Alan DeKok <aland@deployingradius.com>
David Seira wrote:
I don't know where put the sql instruction for read macs from database.
Read raddb/sites-available/default. Look for "sql".
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I don't know how to call the sql module for read the list users from mysql. If I put in that section the sql instruction I don't know how compare the sql results with the Calling-Station-Id that the NAS return in the request.
Another thing is that I don't know why the authorization is made in post-auth section.
Because technically authorisation should be performed after authentication, and the server really has it the wrong way round. Just change the files call in post-auth to be sql.authorize and check for the correct return code... Or use SQL XLAT... post-auth{ if(%{sql:SELECT COUNT(*) FROM `authorized_macs` WHERE `mac_address` == "%{Calling-Station-ID}"} > 0){ ok } else{ reject } } You'll have to build the tables yourself, but thats not hard... -Arran
Thanks for your responses. I tried SQL XLAT yesterday but I had the next radiusd -X errors: /usr/local/etc/raddb/sites-enabled/default[598]: Failed to parse "if" subsection. /usr/local/etc/raddb/sites-enabled/default[485]: Errors parsing post-auth section. I think it is not possible to that with SQL XLAT. Is it possible to store the return code of a sql query with SQL XLAT? I'll try with sql.authorize. Thanks. Regards, David 2010/11/23 EasyHorpak.com <info@easyhorpak.com>
On 22/11/2553 22:41, David Seira wrote:
Hi Alan.
Thanks for your time.
In the authorize section I have the next instructions for authorize users in a mac file:
if((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-Id}$/i)){ update control { Auth-Type = 'CSID' } }
I don't know how to call the sql module for read the list users from mysql. If I put in that section the sql instruction I don't know how compare the sql results with the Calling-Station-Id that the NAS return in the request.
Another thing is that I don't know why the authorization is made in post-auth section.
Thanks for your help.
Regards, David
2010/11/22 Alan DeKok <aland@deployingradius.com>
David Seira wrote:
I don't know where put the sql instruction for read macs from database.
Read raddb/sites-available/default. Look for "sql".
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
try "%{sql: SELECT Value from radcheck WHERE Value='%{User-Name}' and Attribute='Cleartext-Password'"
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
David Seira wrote:
Thanks for your responses.
I tried SQL XLAT yesterday but I had the next radiusd -X errors:
/usr/local/etc/raddb/sites-enabled/default[598]: Failed to parse "if" subsection.
The next logical step would be to post *that line* from the file, and ask "What is wrong about it"? Or, to look at the 2-3 previous error messages above that one, which likely tell you *what* is wrong.
I think it is not possible to that with SQL XLAT.
Nonsense. Alan DeKok.
The next logical step would be to post *that line* from the file, and ask "What is wrong about it"?
Yes, but I think it is not possible with SQL XLAT. For that reason, finally, I try with sql.authorize, as Arran advised me, and I think I've achieved the solution. The problem was I didn't understand the rlm_mysql module; I didn't know the authorize function of rlm_mysql. The solution for my scenario is: sql.authorize if(notfound){ reject } else{ ok } This configuration works for me if the NAS sends username and Calling-Station-Id. But I don't know if all comercial NAS send these attributes or only Calling-Station-Id. What do you know about it? Thanks for all. Regards, David 2010/11/23 Alan DeKok <aland@deployingradius.com>
David Seira wrote:
Thanks for your responses.
I tried SQL XLAT yesterday but I had the next radiusd -X errors:
/usr/local/etc/raddb/sites-enabled/default[598]: Failed to parse "if" subsection.
The next logical step would be to post *that line* from the file, and ask "What is wrong about it"?
Or, to look at the 2-3 previous error messages above that one, which likely tell you *what* is wrong.
I think it is not possible to that with SQL XLAT.
Nonsense.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
David Seira -
EasyHorpak.com