How to modify dialup.conf for each virtual server?
Hello again, Now I have the other question I told in the post before. I have some equipament (wireless) that authenticate the wireless client using MAC over my radius database. I want that in one of my virtual servers I have this kind of authentication. I need it to check MAC address that is, already, in my radcheck table. this is a common user setup into radcheck table: +------+----------+--------------------+----+-------------------+--------+------+ | id | UserName | Attribute | op | Value | numero | obs | +------+----------+--------------------+----+-------------------+--------+------+ | 1613 | nataniel | MD5-Password | := | XXXXXXXXX | 01046 | | | 1656 | nataniel | Calling-Station-Id | == | AA:AA:AA:AA:AA:AA | 01046 | NULL | +------+----------+--------------------+----+-------------------+--------+------+ So, MAC Address is set as "Calling-Station-Id". This is ok for my PPPoE setup but for my access points this is not ok. I need my access point to verify if this MAC here is well listed and not bloked. I use this to blok: +------+----------+--------------------+----+-------------------+--------+------+ | id | UserName | Attribute | op | Value | numero | obs | +------+----------+--------------------+----+-------------------+--------+------+ | 1613 | nataniel | MD5-Password | := | XXXXXXXXX | 01046 | | | 1656 | nataniel | Calling-Station-Id | == | AA:AA:AA:AA:AA:AA | 01046 | NULL | | 1657 | nataniel | Auth-Type | := | Reject | 01046 | NULL | +------+----------+--------------------+----+-------------------+--------+------+ I have to change dialup.conf to meet this options and returno to my access point. This is a common query comming from on of my APs: Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 172.30.0.142 port 6001, id=1, length=69 User-Name = "00:19:79:0f:98:3d" User-Password = "wireless" NAS-IP-Address = 172.30.0.142 NAS-Port = 0 +- entering group authorize ++[preprocess] returns ok rlm_realm: No '@' in User-Name = "00:19:79:0f:98:3d", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop expand: %{User-Name} -> 00:19:79:0f:98:3d rlm_sql (sql): sql_set_user escaped user --> '00:19:79:0f:98:3d' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '00:19:79:0f:98:3d' ORDER BY id expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = '00:19:79:0f:98:3d' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 rlm_sql (sql): User 00:19:79:0f:98:3d not found ++[sql] returns notfound rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Found Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. Sending Access-Reject of id 1 to 172.30.0.142 port 6001 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 1 with timestamp +274 Ready to process requests. So, where I see "WHERE username = '00:19:79:0f:98:3d' " it should be Attribute. But I need to be sure that this client is not rejected somewhere in the database. Can someone help me? I am not a guru of mysql but I can try some changes... ;) -- Att, NATANIEL KLUG nata@cnett.com.br LEIA O DIA-A-DIA DO NATA http://nataklug.blogspot.com/ Cyber Nett - Internet Banda Larga www.cnett.com.br (42) 3635-2957 Rua Diogo Pinto, 1046, Centro Laranjeiras do Sul - PR Brasil - 85301-290 "... também os sábios possuem coração tangível e podem, por vezes, usar da ciência como meio de demonstrar impressões sentimentais de que muitos não os julgam suscetíveis." Visconde de Taunay
In mac authentication mac address is sent as User-Name not Calling-Station-Id. You don't have to make any changes to dialup.conf - just use database properly: username: AA:AA:AA:AA:AA:AA attribute: Auth-Type op: := Value: Accept or Reject Ivan Kalik Kalik Informatika ISP Dana 8/9/2008, "Nataniel Klug" <nata@cnett.com.br> piše:
Hello again,
Now I have the other question I told in the post before. I have some equipament (wireless) that authenticate the wireless client using MAC over my radius database. I want that in one of my virtual servers I have this kind of authentication. I need it to check MAC address that is, already, in my radcheck table. this is a common user setup into radcheck table:
+------+----------+--------------------+----+-------------------+--------+------+ | id | UserName | Attribute | op | Value | numero | obs | +------+----------+--------------------+----+-------------------+--------+------+ | 1613 | nataniel | MD5-Password | := | XXXXXXXXX | 01046 | | | 1656 | nataniel | Calling-Station-Id | == | AA:AA:AA:AA:AA:AA | 01046 | NULL | +------+----------+--------------------+----+-------------------+--------+------+
So, MAC Address is set as "Calling-Station-Id". This is ok for my PPPoE setup but for my access points this is not ok. I need my access point to verify if this MAC here is well listed and not bloked. I use this to blok:
+------+----------+--------------------+----+-------------------+--------+------+ | id | UserName | Attribute | op | Value | numero | obs | +------+----------+--------------------+----+-------------------+--------+------+ | 1613 | nataniel | MD5-Password | := | XXXXXXXXX | 01046 | | | 1656 | nataniel | Calling-Station-Id | == | AA:AA:AA:AA:AA:AA | 01046 | NULL | | 1657 | nataniel | Auth-Type | := | Reject | 01046 | NULL | +------+----------+--------------------+----+-------------------+--------+------+
I have to change dialup.conf to meet this options and returno to my access point. This is a common query comming from on of my APs:
Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 172.30.0.142 port 6001, id=1, length=69 User-Name = "00:19:79:0f:98:3d" User-Password = "wireless" NAS-IP-Address = 172.30.0.142 NAS-Port = 0 +- entering group authorize ++[preprocess] returns ok rlm_realm: No '@' in User-Name = "00:19:79:0f:98:3d", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop expand: %{User-Name} -> 00:19:79:0f:98:3d rlm_sql (sql): sql_set_user escaped user --> '00:19:79:0f:98:3d' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '00:19:79:0f:98:3d' ORDER BY id expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = '00:19:79:0f:98:3d' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 rlm_sql (sql): User 00:19:79:0f:98:3d not found ++[sql] returns notfound rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Found Post-Auth-Type Reject WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. Sending Access-Reject of id 1 to 172.30.0.142 port 6001 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 1 with timestamp +274 Ready to process requests.
So, where I see "WHERE username = '00:19:79:0f:98:3d' " it should be Attribute. But I need to be sure that this client is not rejected somewhere in the database.
Can someone help me? I am not a guru of mysql but I can try some changes... ;)
-- Att,
NATANIEL KLUG nata@cnett.com.br
LEIA O DIA-A-DIA DO NATA http://nataklug.blogspot.com/
Cyber Nett - Internet Banda Larga www.cnett.com.br (42) 3635-2957 Rua Diogo Pinto, 1046, Centro Laranjeiras do Sul - PR Brasil - 85301-290
"... também os sábios possuem coraçăo tangível e podem, por vezes, usar da cięncia como meio de demonstrar impressőes sentimentais de que muitos năo os julgam suscetíveis." Visconde de Taunay
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ivan, I can't use User-Name as MAC becouse this is being used by another systema I run... I just need to change some settings in dialup.conf to meet my requirements, all said in other message. tnt@kalik.net escreveu:
In mac authentication mac address is sent as User-Name not Calling-Station-Id. You don't have to make any changes to dialup.conf - just use database properly:
username: AA:AA:AA:AA:AA:AA attribute: Auth-Type op: := Value: Accept or Reject
Ivan Kalik Kalik Informatika ISP
Well, you don't have much say in this because NAS sends it that way: rad_recv: Access-Request packet from host 172.30.0.142 port 6001, id=1, length=69 User-Name = "00:19:79:0f:98:3d" User-Password = "wireless" NAS-IP-Address = 172.30.0.142 NAS-Port = 0 You see what is in the User-Name field? That's how mac authentication works. Ivan Kalik Kalik Informatika ISP Dana 8/9/2008, "Nataniel Klug" <nata@cnett.com.br> piše:
Ivan,
I can't use User-Name as MAC becouse this is being used by another systema I run... I just need to change some settings in dialup.conf to meet my requirements, all said in other message.
tnt@kalik.net escreveu:
In mac authentication mac address is sent as User-Name not Calling-Station-Id. You don't have to make any changes to dialup.conf - just use database properly:
username: AA:AA:AA:AA:AA:AA attribute: Auth-Type op: := Value: Accept or Reject
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Can't I change the way it's look into MySQL table? Even this comming with User-Name I can't look for the value in another field? This is a MySQL query, not the way it came... i hope... :) tnt@kalik.net escreveu:
Well, you don't have much say in this because NAS sends it that way:
rad_recv: Access-Request packet from host 172.30.0.142 port 6001, id=1, length=69 User-Name = "00:19:79:0f:98:3d" User-Password = "wireless" NAS-IP-Address = 172.30.0.142 NAS-Port = 0
You see what is in the User-Name field? That's how mac authentication works.
Ivan Kalik Kalik Informatika ISP
Dana 8/9/2008, "Nataniel Klug" <nata@cnett.com.br> piše:
Ivan,
I can't use User-Name as MAC becouse this is being used by another systema I run... I just need to change some settings in dialup.conf to meet my requirements, all said in other message.
tnt@kalik.net escreveu:
In mac authentication mac address is sent as User-Name not Calling-Station-Id. You don't have to make any changes to dialup.conf - just use database properly:
username: AA:AA:AA:AA:AA:AA attribute: Auth-Type op: := Value: Accept or Reject
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Att, NATANIEL KLUG nata@cnett.com.br LEIA O DIA-A-DIA DO NATA http://nataklug.blogspot.com/ Cyber Nett - Internet Banda Larga www.cnett.com.br (42) 3635-2957 Rua Diogo Pinto, 1046, Centro Laranjeiras do Sul - PR Brasil - 85301-290 "... também os sábios possuem coraça~o tangível e podem, por vezes, usar da cie^ncia como meio de demonstrar impresso~es sentimentais de que muitos na~o os julgam suscetíveis." Visconde de Taunay
Can't I change the way it's look into MySQL table? Even this comming with User-Name I can't look for the value in another field? This is a MySQL query, not the way it came... i hope... :)
You have three options: - fill your database with (useless) data and try to change rlm_sql code and queries in order to match up requests and data. Don't expect much help there - if you want to customize the database you should know what you are doing. It is quite likely that this will render that sql instance (and possibly whole sql module) useless for any other request apart form mac auth. You will need to: rewrite value of User-Name into Calling-Station-Id pull new User-Name from the database (WHERE Attribute='Calling-Sattion-Id' and Value='%{User-Name}) fix code in rlm_sql where this brakes it or: - authenticate with a special script (perl or such). Adjust queries for this type of authentication as much as you like without affecting other authentication types. You can use multiple queries to match up data and request. Easier and more sensible than above. or: - fill your database with correct data - what you expect to come in User-Name field should be used as UserName etc. No adjustments needed. mac auth works together with other authentication types. Take your pick. Ivan Kalik Kalik Informatika ISP
Thanks Ivan. Another question: is there any way to have one database for each virtual server? tnt@kalik.net escreveu:
Can't I change the way it's look into MySQL table? Even this comming with User-Name I can't look for the value in another field? This is a MySQL query, not the way it came... i hope... :)
You have three options:
- fill your database with (useless) data and try to change rlm_sql code and queries in order to match up requests and data. Don't expect much help there - if you want to customize the database you should know what you are doing. It is quite likely that this will render that sql instance (and possibly whole sql module) useless for any other request apart form mac auth.
You will need to:
rewrite value of User-Name into Calling-Station-Id
pull new User-Name from the database (WHERE Attribute='Calling-Sattion-Id' and Value='%{User-Name})
fix code in rlm_sql where this brakes it
or:
- authenticate with a special script (perl or such). Adjust queries for this type of authentication as much as you like without affecting other authentication types. You can use multiple queries to match up data and request. Easier and more sensible than above.
or:
- fill your database with correct data - what you expect to come in User-Name field should be used as UserName etc. No adjustments needed. mac auth works together with other authentication types.
Take your pick.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Att, NATANIEL KLUG nata@cnett.com.br LEIA O DIA-A-DIA DO NATA http://nataklug.blogspot.com/ Cyber Nett - Internet Banda Larga www.cnett.com.br (42) 3635-2957 Rua Diogo Pinto, 1046, Centro Laranjeiras do Sul - PR Brasil - 85301-290 "... também os sábios possuem coração tangível e podem, por vezes, usar da ciência como meio de demonstrar impressões sentimentais de que muitos não os julgam suscetíveis." Visconde de Taunay
Yes. Create multiple sql instances. List the name of the instance you want to use in place of "sql" in appropriate sections (authorize, accounting, post-auth, etc.). Ivan Kalik Kalik Informatika ISP Dana 9/9/2008, "Nataniel Klug" <nata@cnett.com.br> piše:
Thanks Ivan.
Another question: is there any way to have one database for each virtual server?
Ok... Thank you Ivan. tnt@kalik.net escreveu:
Yes. Create multiple sql instances. List the name of the instance you want to use in place of "sql" in appropriate sections (authorize, accounting, post-auth, etc.).
Ivan Kalik Kalik Informatika ISP
Dana 9/9/2008, "Nataniel Klug" <nata@cnett.com.br> piše:
Thanks Ivan.
Another question: is there any way to have one database for each virtual server?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Att, NATANIEL KLUG nata@cnett.com.br LEIA O DIA-A-DIA DO NATA http://nataklug.blogspot.com/ Cyber Nett - Internet Banda Larga www.cnett.com.br (42) 3635-2957 Rua Diogo Pinto, 1046, Centro Laranjeiras do Sul - PR Brasil - 85301-290 "... também os sábios possuem coraça~o tangível e podem, por vezes, usar da cie^ncia como meio de demonstrar impresso~es sentimentais de que muitos na~o os julgam suscetíveis." Visconde de Taunay
participants (2)
-
Nataniel Klug -
tnt@kalik.net