FreeRadius different authorization and authentication methods
Hello, I'm attempting to use a FreeRadius server for authentication of wireless using 802.1x. I would also like to use a SQL database for authorization. I've done some limited testing without success. It looks like the authorization method also is the authentication method, for example if I use sql for the authorization and eap for the authentication, the authentication request fails: modcall[authorize]: module "sql" returns ok for request 1 modcall: group authorize returns ok for request 1 auth: type Local auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Even though the config file states: ... authorize { preprocess sql } authenticate { eap } ... Any assistance would be greatly appreciated. -- Jason Carr Carnegie Mellon University Network Development
Jason Carr <jcarr@andrew.cmu.edu> wrote:
I'm attempting to use a FreeRadius server for authentication of wireless using 802.1x. I would also like to use a SQL database for authorization. I've done some limited testing without success. It looks like the authorization method also is the authentication method,
No, they're completely independent.
for example if I use sql for the authorization and eap for the authentication, the authentication request fails:
modcall[authorize]: module "sql" returns ok for request 1 modcall: group authorize returns ok for request 1 auth: type Local
Don't set "Auth-Type := Local". The server doesn't do this by default, so it must be something in your site's configuration. Alan DeKok.
Alan DeKok wrote:
Jason Carr <jcarr@andrew.cmu.edu> wrote:
I'm attempting to use a FreeRadius server for authentication of wireless using 802.1x. I would also like to use a SQL database for authorization. I've done some limited testing without success. It looks like the authorization method also is the authentication method,
No, they're completely independent.
for example if I use sql for the authorization and eap for the authentication, the authentication request fails:
modcall[authorize]: module "sql" returns ok for request 1 modcall: group authorize returns ok for request 1 auth: type Local
Don't set "Auth-Type := Local".
The server doesn't do this by default, so it must be something in your site's configuration.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I grepped for local in the raddb directory, and I'm not seeing anything related to Auth-Type := Local in any config file. I saw that I'm not supposed to explicitly define Auth-Type := EAP, but perhaps this is what I want? -- Jason Carr Carnegie Mellon University Network Development
Jason Carr <jcarr@andrew.cmu.edu> wrote:
I grepped for local in the raddb directory, and I'm not seeing anything related to Auth-Type := Local in any config file.
Did you set it in the SQL database?
I saw that I'm not supposed to explicitly define Auth-Type := EAP, but perhaps this is what I want?
No. It's almost always wrong. Alan DeKok.
Alan DeKok wrote:
Jason Carr <jcarr@andrew.cmu.edu> wrote:
I grepped for local in the raddb directory, and I'm not seeing anything related to Auth-Type := Local in any config file.
Did you set it in the SQL database?
I saw that I'm not supposed to explicitly define Auth-Type := EAP, but perhaps this is what I want?
No. It's almost always wrong.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I don't see anything in the SQL database that would indicate which authentication method to use. -- Jason Carr Carnegie Mellon University Network Development
Alan DeKok wrote:
Jason Carr <jcarr@andrew.cmu.edu> wrote:
I grepped for local in the raddb directory, and I'm not seeing anything related to Auth-Type := Local in any config file.
Did you set it in the SQL database?
I saw that I'm not supposed to explicitly define Auth-Type := EAP, but perhaps this is what I want?
No. It's almost always wrong.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Against recommendations, I've added DEFAULT Auth-Type := EAP and the server still says it's trying to use local authentication. Does the server fall back to local if it doesn't know which method to use or if there's an error? - Jason -- Jason Carr Carnegie Mellon University Network Development
Jason Carr <jcarr@andrew.cmu.edu> wrote:
Against recommendations, I've added DEFAULT Auth-Type := EAP and the server still says it's trying to use local authentication. Does the server fall back to local if it doesn't know which method to use or if there's an error?
It uses Auth-Type = Local in one of two situations: a) There is a User-Password in the packet, AND there is a "known good" User-Password found in the configuration b) A configuration file tells it to use Auth-Type = Local. As I said in a previous message, the default configuration of the server DOES NOT use Auth-Type = Local for EAP. The ONLY reason it's happening is that your local configuration is telling it to. This is doubly true, now that you've forced Auth-Type to EAP, and it *still* doesn't work. The server does not have magic code inside of it to force Auth-Type = Local. YOU are setting it somewhere in a configuration. Go back, and read your configuration. Odds are that one of the things you put into SQL was Auth-Type = Local. If you still don't believe me, delete "sql" from the "authorize" section, and add a user & password to the "users" file. If you've configured EAP, then EAP *will* work. Alan DeKok.
participants (2)
-
Alan DeKok -
Jason Carr