Realm users authentication failure
Hello, I've setup a simple freeradius server to authenticate two local realms, one stripped (no @realm suffix, let's call it myrealm) and the other with @suffix (let's call it otherrealm.com). I use the rlm_sql module to auth against a MySQL backend. I'm using radtest to do inital server testing and everything seems to work so far for users in myrealm, but I get auth-reject for any user@otherrealm.com. In the logs of the radius server I see just: Tue Oct 18 23:47:15 2005 : Info: rlm_sql (sql): No matching entry in the database for request from user [user@otherrealm.com] This is the relevant configuration. --- proxy.conf --- realm myrelam { type = radius authhost = LOCAL accthost = LOCAL } realm otherrealm.com { type = radius authhost = LOCAL accthost = LOCAL nostrip } --- radiusd.conf --- ... realm suffix { format = suffix delimiter = "@" ignore_default = yes ignore_null = yes } authorize { chap mschap suffix sql } preacct { acct_unique suffix } accounting { sql } session { sql } ... Any idea? thanks in advance -- Luca Corti PGP Key ID 1F38C091
On Tuesday 18 October 2005 18:10, Luca Corti wrote:
Hello,
I've setup a simple freeradius server to authenticate two local realms, one stripped (no @realm suffix, let's call it myrealm) and the other with @suffix (let's call it otherrealm.com). I use the rlm_sql module to auth against a MySQL backend.
I'm using radtest to do inital server testing and everything seems to work so far for users in myrealm, but I get auth-reject for any user@otherrealm.com.
In the logs of the radius server I see just:
Tue Oct 18 23:47:15 2005 : Info: rlm_sql (sql): No matching entry in the database for request from user [user@otherrealm.com]
...
Any idea?
Run in debug mode. Look at the queries that are being run and try to run them by hand to see what is returned by MySQL. Without more debug output, it is difficult to know what is happening. Kevin Bonner
On Wed, 2005-10-19 at 17:34 -0400, Kevin Bonner wrote:
Run in debug mode. Look at the queries that are being run and try to run them by hand to see what is returned by MySQL. Without more debug output, it is difficult to know what is happening.
Please see the debug output I've just posted. I've also run the queries using the mysql client and They return the calues stored in the tables. mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'user@otherrealm' ORDER BY id; +-----+-----------------+---------------+----------+----+ | id | UserName | Attribute | Value | op | +-----+-----------------+---------------+----------+----+ | 376 | user@otherrealm | User-Password | password | == | +-----+-----------------|---------------+----------+----+ 1 row in set (0.00 sec) mysql> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'user@otherrealm' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id; +----+-----------+-------------------+------------+----+ | id | GroupName | Attribute | Value | op | +----+-----------+-------------------+------------+----+ | 4 | MY-GROUP | Called-Station-Id | 1234567890 | == | +----+-----------+-------------------+------------+----+ 1 row in set (0.00 sec) mysql> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'user@otherrealm' ORDER BY id -> ; Empty set (0.00 sec) mysql> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'user@otherrealm' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id; +----+-----------+-----------------+-----------------------+----+ | id | GroupName | Attribute | Value | op | +----+-----------+-----------------+-----------------------+----+ | 35 | MY-GROUP | Service-Type | Framed-User | = | | 36 | MY-GROUP | Framed-Protocol | PPP | = | | 38 | MY-GROUP | Cisco-AVPair | ip:addr-pool= my-pool | += | +----+-----------+-----------------+-----------------------+----+ 3 rows in set (0.00 sec) thanks -- Luca Corti PGP Key ID 1F38C091
Luca Corti <cortez@tiscali.it> wrote:
mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'user@otherrealm' ORDER BY id; +-----+-----------------+---------------+----------+----+ | id | UserName | Attribute | Value | op | +-----+-----------------+---------------+----------+----+ | 376 | user@otherrealm | User-Password | password | == |
Use :=, not ==. See other messages today to the list. Alan DeKok.
On Wed, 2005-10-19 at 19:28 -0400, Alan DeKok wrote:
+-----+-----------------+---------------+----------+----+ | id | UserName | Attribute | Value | op | +-----+-----------------+---------------+----------+----+ | 376 | user@otherrealm | User-Password | password | == |
Use :=, not ==.
Just for User-Password? thanks -- Luca Corti PGP Key ID 1F38C091 BOFH excuse of the moment: The static electricity routing is acting up...
On Thu, 2005-10-20 at 09:17 +0200, Luca Corti wrote:
On Wed, 2005-10-19 at 19:28 -0400, Alan DeKok wrote:
+-----+-----------------+---------------+----------+----+ | id | UserName | Attribute | Value | op | +-----+-----------------+---------------+----------+----+ | 376 | user@otherrealm | User-Password | password | == |
Use :=, not ==. Just for User-Password?
This gives the same results, with or without Auth-Type set. Also note that users in the default stripped realm are authenticated with User-Password == password and without Auth-Type, while non stripped users are not, no matter which operator is used and with or without setting Auth-Type := Local and changing password operator to :=. thanks -- Luca Corti PGP Key ID 1F38C091 BOFH excuse of the moment: We need a licensed electrician to replace the light bulbs in the computer room.
On Wed, 2005-10-19 at 00:10 +0200, Luca Corti wrote: I've done further debugging on this with 'radiusd -X', here's what I get: Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: Looking up realm "otherrealm" for User-Name = "user@otherrealm" rlm_realm: Found realm "otherrealm" rlm_realm: Proxying request from user user to realm othereralm rlm_realm: Adding Realm = "otherrealm" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 1 radius_xlat: 'user@otherrealm' rlm_sql (sql): sql_set_user escaped user --> 'user@otherrealm' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'user@otherealm' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 2 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'user@otherrealm' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'user@otherrealm' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'user@otherrealm' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): No matching entry in the database for request from user [user@otherrealm] rlm_sql (sql): Released sql socket id: 2 modcall[authorize]: module "sql" returns notfound for request 1 modcall: group authorize returns noop for request 1 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user I've searched the mailing-list archives and google looking for similar problems, and they suggest to set Auth-Type := Local in the radgroupcheck table. I've done this, but I get the same result. Also my users in the stripped realm don't have Auth-Type set and they authenticate correctly. thanks -- Luca Corti PGP Key ID 1F38C091
participants (3)
-
Alan DeKok -
Kevin Bonner -
Luca Corti