Problem with using MySQL for radius clients
Hello, I know that by default you configure your radius clients in the file /etc/raddb/clients.conf However I would like them to be entered in MySQL I have modified the file /etc/raddb/sites-enabled/default and I expect the Freeradius server to check the clients in MySQL instead of clients.conf authorize { sql #files } And added an input into the nas table INSERT INTO nas VALUES (NULL , '192.168.0.1', 'myNAS', 'other', NULL , 'mysecret', NULL , NULL , 'RADIUS Client' ); Unfortunately this doesn't work because 1) $ radtest testuser passsecret 127.0.0.1 1812 testing123 <= works and testing123 is what is specified in clients.conf 2) $ radtest testuser passsecret 127.0.0.1 1812 mysecret <= doesn't work and what's specified in the nas table Since I have commented "files" I would also expect the freeradius server not to check clients.conf Could someone point out my misunderstanding ? Thank you
On 9 Nov 2013, at 11:03, Mik J <mikydevel@yahoo.fr> wrote:
Hello,
I know that by default you configure your radius clients in the file /etc/raddb/clients.conf However I would like them to be entered in MySQL
I have modified the file /etc/raddb/sites-enabled/default and I expect the Freeradius server to check the clients in MySQL instead of clients.conf authorize { sql #files }
You have no basis for thinking that. None of the documentation states that, it's not even logical to query a database for client information on every request. Look in the sql.conf file, the config option is pretty clearly marked in there. The server will then load all clients from your database ONCE on startup. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
Hi,
I know that by default you configure your radius clients in the file /etc/raddb/clients.conf
correct
However I would like them to be entered in MySQL
thats easy. add them to the NAS table in your MySQL DB and then simply read the sql.conf file near the bottom and uncomment the readclients = yes line.
I have modified the file /etc/raddb/sites-enabled/default and I expect the Freeradius server to check the clients in MySQL instead of clients.conf authorize { sql #files }
???? no. what you've done there is enable SQL in the authorise stage...so a device attempting to use RADIUS will be checked against SQL. except that it wont because the NAS trying to talk wont be allowed to talk (and commenting out 'files' means that the users file wont work anymore....thats what that option does!) alan
Thank you both for your answers. I had forgotten to specify in my first mail that I've restarted the radiusd numerous times and that my sql.conf file contains readclients = yes nas_table = "nas" I've put a # in front of files because I wanted the radiusd to check the user's password only in MySQLAlan, sorry but I didn't understand what you wrote in your last sentence, about that. And how to enable MySQL only without clients.conf ? So I still have the problem and I don't understand what's wrong mysql> select * from nas; +----+----------------+-----------+-------+-------+-----------+--------+-----------+-------------------+ | id | nasname | shortname | type | ports | secret | server | community | description | +----+----------------+-----------+-------+-------+-----------+--------+-----------+-------------------+ | 1 | 192.168.0.1 | myNAS | other | NULL | mysecret | NULL | NULL | RADIUS Client | When I start the server with the -X option rlm_sql_mysql: query: SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Read entry nasname=192.168.0.1,shortname=myNAS,secret=mysecret rlm_sql (sql): Adding client 192.168.0.1 (myNAS, server=<none>) to clients list Le Samedi 9 novembre 2013 13h02, "A.L.M.Buxey@lboro.ac.uk" <A.L.M.Buxey@lboro.ac.uk> a écrit : Hi,
I know that by default you configure your radius clients in the file /etc/raddb/clients.conf
correct
However I would like them to be entered in MySQL
thats easy. add them to the NAS table in your MySQL DB and then simply read the sql.conf file near the bottom and uncomment the readclients = yes line.
I have modified the file /etc/raddb/sites-enabled/default and I expect the Freeradius server to check the clients in MySQL instead of clients.conf authorize { sql #files }
???? no. what you've done there is enable SQL in the authorise stage...so a device attempting to use RADIUS will be checked against SQL. except that it wont because the NAS trying to talk wont be allowed to talk (and commenting out 'files' means that the users file wont work anymore....thats what that option does!)
alan
Hi,
And how to enable MySQL only without clients.conf ?
you've already done it.
rlm_sql (sql): Read entry nasname=192.168.0.1,shortname=myNAS,secret=mysecret rlm_sql (sql): Adding client 192.168.0.1 (myNAS, server=<none>) to clients list
read the above. 192.168.0.1 is a valid client. the trouble is, you seem to be running radtest with 127.0.0.1 - and THAT isnt in your tables...so isnt a valid client - its there by default in clients.conf - so add it to your NAS table! beware, you cannot have duplicates. alan
Hello Alan, Test1 Where I do the command $ radtest testuser passsecret 127.0.0.1 1812 testing1234 It works and testing1234 is what is configured in the clients.conf file. If I change the secret to testing12345 and restart the radiusd server it works with the command $ radtest testuser passsecret 127.0.0.1 1812 testing12345 Also the radtest command output says $ radtest testuser passsecret 127.0.0.1 1812 testing12345 Sending Access-Request of id 18 to 127.0.0.1 port 1812 User-Name = "testuser" User-Password = "passsecret" NAS-IP-Address = x.x.x.x NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 With x.x.x.x a public IP address (mine), that's why I supposed I didn't need an entry for 127.0.0.1 Test 2 When I start the radiusd server after adding an entry for 127.0.0.1 it says rlm_sql (sql): Released sql socket id: 4 rlm_sql (sql): Failed to add client 127.0.0.1 (myNAS3x) to clients list. Maybe there's a duplicate? Failed to load clients from SQL. /etc/raddb/sql.conf[22]: Instantiation failed for module "sql" /etc/raddb/sites-enabled/default[177]: Failed to find "sql" in the "modules" section. /etc/raddb/sites-enabled/default[69]: Errors parsing authorize section. As a conclusion I think clients.conf is still used because of test 1) when I change the secret. And that's why it finds a duplicate for 127.0.0.1 in Test 2. If I delete the entry in the mysql table it starts normally. I think commenting the files doesn't work authorize { sql #files } and radiusd still reads clients.conf, that should explain test 1 & 2 .... As I was writting this email I found the solution. I've put a comment on #$INCLUDE ${confdir}/clients.conf in radiusd.conf And normalised the section authorize { sql files } Now it behaves as expected. Thank you for your answers Le Samedi 9 novembre 2013 15h23, "A.L.M.Buxey@lboro.ac.uk" <A.L.M.Buxey@lboro.ac.uk> a écrit : Hi,
And how to enable MySQL only without clients.conf ?
you've already done it.
rlm_sql (sql): Read entry nasname=192.168.0.1,shortname=myNAS,secret=mysecret rlm_sql (sql): Adding client 192.168.0.1 (myNAS, server=<none>) to clients list
read the above. 192.168.0.1 is a valid client.
the trouble is, you seem to be running radtest with 127.0.0.1 - and THAT isnt in your tables...so isnt a valid client - its there by default in clients.conf - so add it to your NAS table! beware, you cannot have duplicates.
alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Arran Cudbard-Bell -
Mik J