Calling-Station-Id Issue
Hi Guys, We are currently using FR 3.0.4 on CentOS7 with SQL backend. Now we are planning to migrate it to 3.0.25 installed from https://networkradius.com/packages/#:~:text=number%20of%20platforms-,UBUNTU, -Add%20the%20APT Currently the authentication is getting failed with below logs. Thu Mar 10 13:47:43 2022 : Debug: rlm_sql (sql): Reserved connection (0) Thu Mar 10 13:47:43 2022 : Debug: SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id Thu Mar 10 13:47:43 2022 : Debug: Parsed xlat tree: Thu Mar 10 13:47:43 2022 : Debug: literal --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY ' Thu Mar 10 13:47:43 2022 : Debug: attribute --> SQL-User-Name Thu Mar 10 13:47:43 2022 : Debug: literal --> ' ORDER BY id Thu Mar 10 13:47:43 2022 : Debug: (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id Thu Mar 10 13:47:43 2022 : Debug: (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'noctest' ORDER BY id Thu Mar 10 13:47:43 2022 : Debug: (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'noctest' ORDER BY id Thu Mar 10 13:47:43 2022 : Debug: (0) sql: User found in radcheck table Thu Mar 10 13:47:43 2022 : ERROR: (0) sql: Thu Mar 10 13:47:43 2022 : ERROR: (0) sql: ^ Empty expression Thu Mar 10 13:47:43 2022 : WARNING: (0) sql: check items do not match. Thu Mar 10 13:47:43 2022 : Debug: (0) sql: ... falling-through to group processing Thu Mar 10 13:47:43 2022 : Debug: SELECT groupname FROM radusergroup WHERE username = BINARY '%{SQL-User-Name}' ORDER BY priority Thu Mar 10 13:47:43 2022 : Debug: Parsed xlat tree: Thu Mar 10 13:47:43 2022 : Debug: literal --> SELECT groupname FROM radusergroup WHERE username = BINARY ' ... Thu Mar 10 13:47:43 2022 : Debug: rlm_sql_mysql: Socket destructor called, closing socket Thu Mar 10 13:47:43 2022 : Debug: (0) modsingle[authorize]: returned from sql (rlm_sql) Thu Mar 10 13:47:43 2022 : Debug: (0) [sql] = ok Thu Mar 10 13:47:43 2022 : Debug: (0) modsingle[authorize]: calling expiration (rlm_expiration) Thu Mar 10 13:47:43 2022 : Debug: (0) modsingle[authorize]: returned from expiration (rlm_expiration) Thu Mar 10 13:47:43 2022 : Debug: (0) [expiration] = noop Thu Mar 10 13:47:43 2022 : Debug: (0) modsingle[authorize]: calling logintime (rlm_logintime) Thu Mar 10 13:47:43 2022 : Debug: (0) modsingle[authorize]: returned from logintime (rlm_logintime) Thu Mar 10 13:47:43 2022 : Debug: (0) [logintime] = noop Thu Mar 10 13:47:43 2022 : Debug: (0) modsingle[authorize]: calling pap (rlm_pap) Thu Mar 10 13:47:43 2022 : WARNING: (0) pap: No "known good" password found for the user. Not setting Auth-Type Thu Mar 10 13:47:43 2022 : WARNING: (0) pap: Authentication will fail unless a "known good" password is available Thu Mar 10 13:47:43 2022 : Debug: (0) modsingle[authorize]: returned from pap (rlm_pap) Thu Mar 10 13:47:43 2022 : Debug: (0) [pap] = noop Thu Mar 10 13:47:43 2022 : Debug: (0) } # authorize = ok Thu Mar 10 13:47:43 2022 : ERROR: (0) No Auth-Type found: rejecting the user via Post-Auth-Type = Reject Thu Mar 10 13:47:43 2022 : Debug: (0) Failed to authenticate the user The full logs are here. https://pastebin.com/r1b2nZRc I am using below values in radcheck table for user. I am using Calling-Station-Id to restrict MAC as well. mysql> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'noctest' ORDER BY id -> ; +---------+----------+--------------------+---------+----+ | id | username | attribute | value | op | +---------+----------+--------------------+---------+----+ | 2882016 | noctest | Cleartext-Password | noctest | := | | 2882017 | noctest | Calling-Station-Id | | =~ | +---------+----------+--------------------+---------+----+ I have tested by removing the Calling-Station-Id ROW from radcheck table. The authentication goes successful Thu Mar 10 18:04:04 2022 : Debug: Parsed xlat tree: Thu Mar 10 18:04:04 2022 : Debug: literal --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = ' Thu Mar 10 18:04:04 2022 : Debug: attribute --> SQL-User-Name Thu Mar 10 18:04:04 2022 : Debug: literal --> ' ORDER BY id Thu Mar 10 18:04:04 2022 : Debug: (3) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id Thu Mar 10 18:04:04 2022 : Debug: (3) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'noctest' ORDER BY id Thu Mar 10 18:04:04 2022 : Debug: (3) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'noctest' ORDER BY id Thu Mar 10 18:04:04 2022 : Debug: (3) sql: User found in radcheck table Thu Mar 10 18:04:04 2022 : Debug: (3) sql: Conditional check items matched, merging assignment check items Thu Mar 10 18:04:04 2022 : Debug: (3) sql: Cleartext-Password := "noctest" Thu Mar 10 18:04:04 2022 : Debug: (3) sql: ::: FROM 1 TO 0 MAX 1 Thu Mar 10 18:04:04 2022 : Debug: (3) sql: ::: Examining Cleartext-Password Thu Mar 10 18:04:04 2022 : Debug: (3) sql: ::: APPENDING Cleartext-Password FROM 0 TO 0 Thu Mar 10 18:04:04 2022 : Debug: (3) sql: ::: TO in 0 out 0 Thu Mar 10 18:04:04 2022 : Debug: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id Thu Mar 10 18:04:04 2022 : Debug: Parsed xlat tree: .. Thu Mar 10 18:04:04 2022 : Debug: (3) modsingle[authorize]: returned from sql (rlm_sql) Thu Mar 10 18:04:04 2022 : Debug: (3) [sql] = ok Thu Mar 10 18:04:04 2022 : Debug: (3) modsingle[authorize]: calling expiration (rlm_expiration) Thu Mar 10 18:04:04 2022 : Debug: (3) modsingle[authorize]: returned from expiration (rlm_expiration) Thu Mar 10 18:04:04 2022 : Debug: (3) [expiration] = noop Thu Mar 10 18:04:04 2022 : Debug: (3) modsingle[authorize]: calling logintime (rlm_logintime) Thu Mar 10 18:04:04 2022 : Debug: (3) modsingle[authorize]: returned from logintime (rlm_logintime) Thu Mar 10 18:04:04 2022 : Debug: (3) [logintime] = noop Thu Mar 10 18:04:04 2022 : Debug: (3) modsingle[authorize]: calling pap (rlm_pap) Thu Mar 10 18:04:04 2022 : Debug: (3) modsingle[authorize]: returned from pap (rlm_pap) Thu Mar 10 18:04:04 2022 : Debug: (3) [pap] = updated Thu Mar 10 18:04:04 2022 : Debug: (3) } # authorize = updated Thu Mar 10 18:04:04 2022 : Debug: (3) Found Auth-Type = PAP Thu Mar 10 18:04:04 2022 : Debug: (3) # Executing group from file /etc/freeradius/sites-enabled/default Thu Mar 10 18:04:04 2022 : Debug: (3) Auth-Type PAP { Thu Mar 10 18:04:04 2022 : Debug: (3) modsingle[authenticate]: calling pap (rlm_pap) Thu Mar 10 18:04:04 2022 : Debug: (3) pap: Login attempt with password "noctest" (7) Thu Mar 10 18:04:04 2022 : Debug: (3) pap: Comparing with "known good" Cleartext-Password "noctest" (7) Thu Mar 10 18:04:04 2022 : Debug: (3) pap: User authenticated successfully Thu Mar 10 18:04:04 2022 : Debug: (3) modsingle[authenticate]: returned from pap (rlm_pap) Thu Mar 10 18:04:04 2022 : Debug: (3) [pap] = ok Thu Mar 10 18:04:04 2022 : Debug: (3) } # Auth-Type PAP = ok Thu Mar 10 18:04:04 2022 : Debug: (3) # Executing section session from file /etc/freeradius/sites-enabled/default Thu Mar 10 18:04:04 2022 : Debug: (3) session { Full logs are here. https://pastebin.com/7xvgukiq With my current production setup I am using Calling-Station-Id to restrict MAC for authentication and I want to use the same with 3.0.25. How to achieve this ? Ammad
On Mar 10, 2022, at 11:28 AM, Ammad Ali <ammad.ali@rapidcompute.com> wrote:
We are currently using FR 3.0.4 on CentOS7 with SQL backend. Now we are planning to migrate it to 3.0.25 installed from https://networkradius.com/packages/#:~:text=number%20of%20platforms-,UBUNTU, -Add%20the%20APT
Hmm... mangled URLs. OK...
Currently the authentication is getting failed with below logs. ... Thu Mar 10 13:47:43 2022 : Debug: (0) sql: User found in radcheck table
Thu Mar 10 13:47:43 2022 : ERROR: (0) sql:
Thu Mar 10 13:47:43 2022 : ERROR: (0) sql: ^ Empty expression
So... you have garbage in your SQL database. Why? Put attributes and values into SQL. Follow the documentation for how to do this.
Full logs are here.
Case the logs in the message, as suggested by the documentation. The harder you make it for people to help you, the less likely people are to help you.
With my current production setup I am using Calling-Station-Id to restrict MAC for authentication and I want to use the same with 3.0.25. How to achieve this ?
Read the docs. The issue here is that you're not saying what you want to do. You're not saying what you put into SQL. But you want us to help you. We need more information. Until you post that information, there's very little advice we can give you. Alan DeKok.
Hi Alan, I have put two attributes in SQL radcheck table. +---------+----------+--------------------+---------+----+ | id | username | attribute | value | op | +---------+----------+--------------------+---------+----+ | 2882016 | noctest | Cleartext-Password | noctest | := | | 2882017 | noctest | Calling-Station-Id | | =~ | +---------+----------+--------------------+---------+----+ The Calling-Station-Id attribute mentioned in documentation. https://freeradius.org/rfc/rfc2865.html#Calling-Station-Id I am using operator =~ to match the Calling-Station-Id of client. What our scenario is that the value of Calling-Station-Id is empty initially. When client authenticate first time, our SQL trigger puts its MAC address Calling-Station-Id value to restrict its MAC address. The debug logs says SQL expression empty. Thu Mar 10 13:47:43 2022 : ERROR: (0) sql: Thu Mar 10 13:47:43 2022 : ERROR: (0) sql: ^ Empty expression Thu Mar 10 13:47:43 2022 : WARNING: (0) sql: check items do not match. Ammad -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+ammad.ali=rapidcompute.com@lists.freeradius.org> On Behalf Of Alan DeKok Sent: Thursday, March 10, 2022 10:03 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Calling-Station-Id Issue On Mar 10, 2022, at 11:28 AM, Ammad Ali <ammad.ali@rapidcompute.com> wrote:
We are currently using FR 3.0.4 on CentOS7 with SQL backend. Now we are planning to migrate it to 3.0.25 installed from https://networkradius.com/packages/#:~:text=number%20of%20platforms-,U BUNTU, -Add%20the%20APT
Hmm... mangled URLs. OK...
Currently the authentication is getting failed with below logs. ... Thu Mar 10 13:47:43 2022 : Debug: (0) sql: User found in radcheck table
Thu Mar 10 13:47:43 2022 : ERROR: (0) sql:
Thu Mar 10 13:47:43 2022 : ERROR: (0) sql: ^ Empty expression
So... you have garbage in your SQL database. Why? Put attributes and values into SQL. Follow the documentation for how to do this.
Full logs are here.
Case the logs in the message, as suggested by the documentation. The harder you make it for people to help you, the less likely people are to help you.
With my current production setup I am using Calling-Station-Id to restrict MAC for authentication and I want to use the same with 3.0.25. How to achieve this ?
Read the docs. The issue here is that you're not saying what you want to do. You're not saying what you put into SQL. But you want us to help you. We need more information. Until you post that information, there's very little advice we can give you. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, Some more testing's I have done. If the value of Calling-Station-Id with operator =~ is empty then authentication fails. But it was working in FR 3.0.4 might be something has changed in FR 3.0.25. If I explicitly add value of Calling-Station-Id, then client authenticated successfully. So, is there a way to make Calling-Station-Id attribute with empty value and =~ operator work initially by some policy or configuration in authorize or authenticate section ? Ammad -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+ammad.ali=rapidcompute.com@lists.freeradius.org> On Behalf Of Ammad Ali Sent: Friday, March 11, 2022 11:46 AM To: 'FreeRadius users mailing list' <freeradius-users@lists.freeradius.org> Subject: RE: Calling-Station-Id Issue Hi Alan, I have put two attributes in SQL radcheck table. +---------+----------+--------------------+---------+----+ | id | username | attribute | value | op | +---------+----------+--------------------+---------+----+ | 2882016 | noctest | Cleartext-Password | noctest | := | | 2882017 | noctest | Calling-Station-Id | | =~ | +---------+----------+--------------------+---------+----+ The Calling-Station-Id attribute mentioned in documentation. https://freeradius.org/rfc/rfc2865.html#Calling-Station-Id I am using operator =~ to match the Calling-Station-Id of client. What our scenario is that the value of Calling-Station-Id is empty initially. When client authenticate first time, our SQL trigger puts its MAC address Calling-Station-Id value to restrict its MAC address. The debug logs says SQL expression empty. Thu Mar 10 13:47:43 2022 : ERROR: (0) sql: Thu Mar 10 13:47:43 2022 : ERROR: (0) sql: ^ Empty expression Thu Mar 10 13:47:43 2022 : WARNING: (0) sql: check items do not match. Ammad -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+ammad.ali=rapidcompute.com@lists.freeradius.org> On Behalf Of Alan DeKok Sent: Thursday, March 10, 2022 10:03 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Calling-Station-Id Issue On Mar 10, 2022, at 11:28 AM, Ammad Ali <ammad.ali@rapidcompute.com> wrote:
We are currently using FR 3.0.4 on CentOS7 with SQL backend. Now we are planning to migrate it to 3.0.25 installed from https://networkradius.com/packages/#:~:text=number%20of%20platforms-,U BUNTU, -Add%20the%20APT
Hmm... mangled URLs. OK...
Currently the authentication is getting failed with below logs. ... Thu Mar 10 13:47:43 2022 : Debug: (0) sql: User found in radcheck table
Thu Mar 10 13:47:43 2022 : ERROR: (0) sql:
Thu Mar 10 13:47:43 2022 : ERROR: (0) sql: ^ Empty expression
So... you have garbage in your SQL database. Why? Put attributes and values into SQL. Follow the documentation for how to do this.
Full logs are here.
Case the logs in the message, as suggested by the documentation. The harder you make it for people to help you, the less likely people are to help you.
With my current production setup I am using Calling-Station-Id to restrict MAC for authentication and I want to use the same with 3.0.25. How to achieve this ?
Read the docs. The issue here is that you're not saying what you want to do. You're not saying what you put into SQL. But you want us to help you. We need more information. Until you post that information, there's very little advice we can give you. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 11/03/2022 09:11, Ammad Ali wrote:
So, is there a way to make Calling-Station-Id attribute with empty value and =~ operator work initially by some policy or configuration in authorize or authenticate section ?
If you're checking it matches a fixed (empty) string, there's no point using a regex test. Just use "==". -- Matthew
participants (3)
-
Alan DeKok -
Ammad Ali -
Matthew Newton