In 'Ralink Wireless Utility' -> '802.1x Setting' I can choose 'PEAP' and foll 3 fields (with my example values): 1. Identyty = myidentyty 2. Login = mylogin 3. Password = mypass (I set protocol as EAP-MSCHAP v2) in freeradius users file I can write: mylogin Auth-Type = EAP, User-Password := "mypassword" So identity can by any word. I hope mylogin and mypassword is sent to radius encrypted, not as plain text. But when I clear the users file and use sql I have a recerd in radcheck table: id UserName Attribute op Value ... (other fields) 1 mylogin User-Password == mypassword ... (other values) and in "Ralink...' I MUST (?) set (Identity = Login = mylogin) and Password = mypassword to be authorized in freeradius. But isn't Identity sent as clear text ??? I want to set Identity as Client Name, not as his login, is it possible? SQL queries check User-Name attribute and *I don't know how* put it to rlm_eap_peap and it says: Tunneled data is valid. (...) Success. But I don't want to login be equals to identity... Norbert
"Norbert Grochal" <norboro@celpol.pl> wrote:
in freeradius users file I can write:
mylogin Auth-Type = EAP, User-Password := "mypassword"
Please read eap.conf. Setting Auth-Type is NOT recommended.
So identity can by any word. I hope mylogin and mypassword is sent to radius encrypted, not as plain text.
That's what MS-CHAP is.
But when I clear the users file and use sql I have a recerd in radcheck table:
id UserName Attribute op Value ... (other fields) 1 mylogin User-Password == mypassword ... (other values)
Please read the "rlm_sql" documentation. You are *comparing* the passwords via '=='. Since, as you said, the client is sending MS-CHAP, there will be no clear-text password in the request. Therefore, there will be no clear-text password to compare, and the comparison will fail.
But isn't Identity sent as clear text ???
Yes. So?
I want to set Identity as Client Name, not as his login, is it possible?
I think so. I'm not sure what you mean by that, though. Alan DeKok.
But when I clear the users file and use sql I have a record in radcheck table:
id UserName Attribute op Value ... (other fields) 1 mylogin User-Password == mypassword ... (other values)
Please read the "rlm_sql" documentation. You are *comparing* the passwords via '=='. Since, as you said, the client is sending MS-CHAP, there will be no clear-text password in the request.
I have "rlm_sql" documentation :-) But I think rlm_sql doesn't chceck the password (!). Look at sql queries, (there is no password fields)... radius_xlat: 'cserwis' rlm_sql (sql): sql_set_user escaped user --> 'cserwis' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'cserwis' ORDER BY id' I think this query builds something like Access-Request... and adds to it what is in table radcheck. So a have an idea... I have modified queries in sql.conf: # authorize_check_query = "SELECT id, UserName, Attribute, Value, op \ # FROM ${authcheck_table} \ # WHERE Username = '%{SQL-User-Name}' \ # ORDER BY id" # authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \ # FROM ${authreply_table} \ # WHERE Username = '%{SQL-User-Name}' \ # ORDER BY id" authorize_check_query = "SELECT id, UserName, Attribute, Value, op \ FROM ${authcheck_table} \ WHERE id = 74 \ ORDER BY id" authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \ FROM ${authreply_table} \ WHERE id = 74 \ ORDER BY id" of course in future I will not use the id fiels but add my own username field to table radcheck. Now in 'Raconfig...' I can set Identity to 'Jan Kowalski' ;-) and login = mylogin and password = mypassword and IT WORKS :-). Now I have what I want: logins are not == Identity. Is it good solution? I have freeradius1.1.0, and sql queries 'thinks' that Username is Identity but *I don't know how* it push Username as login to EAP-PEAP authorization ( sorry, isn't it a BUG ??? ) . Can I overwrite it by another entry in radcheck table? Something like this: id UserName Attribute op Value ... (other fields) 2 myidentity User-Name == mylogin ... (other values) I think I cannot... there is not (?) operator to erase what was *I don't know how* pushed to EAP-PEAP... Norbert
Oh no, with these queries:
authorize_check_query = "SELECT id, UserName, Attribute, Value, op
\
FROM ${authcheck_table} \ WHERE id = 74 \ ORDER BY id" authorize_reply_query = "SELECT id, UserName, Attribute, Value, op
\
FROM ${authreply_table} \ WHERE id = 74 \ ORDER BY id"
I can use any login name and radius always authirize me... Why? I removed my changes from sql.conf and add one record to radcheck: insert into radcheck (UserName, Attribute, op, Value) values ('cserwis', 'User-Name', '==', 'aaa'); Now I have 2 records for 'cserwis' but I also have an error: radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'cserwis' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 0 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'cserwis' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'cserwis' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'cserwis' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 0 rlm_sql (sql): No matching entry in the database for request from user [cserwis] modcall[authorize]: module "sql" returns notfound for request 7 "No matching entry in the database" ... but there are 2 records... Norbert
participants (2)
-
Alan DeKok -
Norbert Grochal