radiusd: FreeRADIUS Version 1.1.3, for host i686-pc-linux-gnu, built on Dec 26 2006 at 01:46:55 mysql Ver 14.12 Distrib 5.0.30, for pc-linux-gnu (i686) using readline 5.2 I thought that I had everything configured properly for MySQL authentication, but when I try to do a test with radtest, the test user is not authenticated and there is no log of activity to the MySQL database. Anyway, here is the output of radiusd -X and, at the end, the population of my database: rad_recv: Access-Request packet from host 192.168.182.1:2053, id=7, length=55 User-Name = "ian" User-Password = "test" NAS-IP-Address = 255.255.255.255 NAS-Port = 1812 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "ian", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 0 radius_xlat: 'ian' rlm_sql (sql): sql_set_user escaped user --> 'ian' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'ian' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'ian' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'ian' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'ian' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns notfound for request 0 modcall: leaving group authenticate (returns notfound) for request 0 auth: Failed to validate the user. Login incorrect: [ian/test] (from client brentwood port 1812) Delaying request 0 for 1 seconds Finished request 0 mysql> select * from radcheck -> ; +----+----------+-----------+----+-------+ | id | UserName | Attribute | op | Value | +----+----------+-----------+----+-------+ | 1 | Password | == | te | | | 2 | ian | Password | == | test | +----+----------+-----------+----+-------+ 2 rows in set (0.01 sec) Any thoughts on why this is not working would be greatly appreciated. -- Ian Truelsen s/v Sting Email: ian.truelsen@gmail.com AIM: ihtruelsen MSN: ihtruelsen@hotmail.com Google Talk: ian.truelsen@gmail.com
ian, just review your radiusd.conf (authenticate and authorize sections) because you sql IS going ok..... modcall[authorize]: module "sql" returns ok for request 0 but your "unix" IS not modcall[authenticate]: module "unix" returns notfound for request 0 just leave "sql" in your auth section if you plan to do it tha way Hernan Antolini Ian Truelsen <ian.truelsen@gmail.com> Sent by: freeradius-users-bounces+antolini=ar.ibm.com@lists.freeradius.org 01/01/07 07:32 PM Please respond to FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To Freeradius Mailing List <freeradius-users@lists.freeradius.org> cc Subject MySQL authentication problem radiusd: FreeRADIUS Version 1.1.3, for host i686-pc-linux-gnu, built on Dec 26 2006 at 01:46:55 mysql Ver 14.12 Distrib 5.0.30, for pc-linux-gnu (i686) using readline 5.2 I thought that I had everything configured properly for MySQL authentication, but when I try to do a test with radtest, the test user is not authenticated and there is no log of activity to the MySQL database. Anyway, here is the output of radiusd -X and, at the end, the population of my database: rad_recv: Access-Request packet from host 192.168.182.1:2053, id=7, length=55 User-Name = "ian" User-Password = "test" NAS-IP-Address = 255.255.255.255 NAS-Port = 1812 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "ian", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 0 radius_xlat: 'ian' rlm_sql (sql): sql_set_user escaped user --> 'ian' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'ian' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'ian' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'ian' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'ian' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns notfound for request 0 modcall: leaving group authenticate (returns notfound) for request 0 auth: Failed to validate the user. Login incorrect: [ian/test] (from client brentwood port 1812) Delaying request 0 for 1 seconds Finished request 0 mysql> select * from radcheck -> ; +----+----------+-----------+----+-------+ | id | UserName | Attribute | op | Value | +----+----------+-----------+----+-------+ | 1 | Password | == | te | | | 2 | ian | Password | == | test | +----+----------+-----------+----+-------+ 2 rows in set (0.01 sec) Any thoughts on why this is not working would be greatly appreciated. -- Ian Truelsen s/v Sting Email: ian.truelsen@gmail.com AIM: ihtruelsen MSN: ihtruelsen@hotmail.com Google Talk: ian.truelsen@gmail.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, 2007-01-02 at 09:37 -0300, Hernan Antolini wrote:
ian, just review your radiusd.conf (authenticate and authorize sections) because you sql IS going ok.....
modcall[authorize]: module "sql" returns ok for request 0
but your "unix" IS not
modcall[authenticate]: module "unix" returns notfound for request 0
just leave "sql" in your auth section if you plan to do it tha way
Hernan Antolini
Well, I only want authentication from the MySQL database, so that should authenticate the user, if the sql section is working correctly. Why then, would the user not be authenticated, based on the information in the radcheck table (below)? mysql> select * from radcheck -> ; +----+----------+-----------+----+-------+ | id | UserName | Attribute | op | Value | +----+----------+-----------+----+-------+ | 1 | Password | == | te | | | 2 | ian | Password | == | test | +----+----------+-----------+----+-------+ 2 rows in set (0.01 sec) Sorry if I am being obtuse, but there is something that I am not quite getting here. Thanks for the help. -- Ian Truelsen s/v Sting Email: ian.truelsen@gmail.com AIM: ihtruelsen MSN: ihtruelsen@hotmail.com Google Talk: ian.truelsen@gmail.com
ian "sql" goes in authorize section and accounting only; leave "preprocess", "auth_log", "suffix" and "sql" uncommented there to start. what about your "ian" entry in your users file ?...and delete that strange entry in your radcheck (id 1). Ian Truelsen <ian.truelsen@gmail.com> Sent by: freeradius-users-bounces+antolini=ar.ibm.com@lists.freeradius.org 01/02/07 04:35 PM Please respond to FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To FreeRadius users mailing list <freeradius-users@lists.freeradius.org> cc Subject Re: MySQL authentication problem On Tue, 2007-01-02 at 09:37 -0300, Hernan Antolini wrote:
ian, just review your radiusd.conf (authenticate and authorize sections) because you sql IS going ok.....
modcall[authorize]: module "sql" returns ok for request 0
but your "unix" IS not
modcall[authenticate]: module "unix" returns notfound for request 0
just leave "sql" in your auth section if you plan to do it tha way
Hernan Antolini
Well, I only want authentication from the MySQL database, so that should authenticate the user, if the sql section is working correctly. Why then, would the user not be authenticated, based on the information in the radcheck table (below)? mysql> select * from radcheck -> ; +----+----------+-----------+----+-------+ | id | UserName | Attribute | op | Value | +----+----------+-----------+----+-------+ | 1 | Password | == | te | | | 2 | ian | Password | == | test | +----+----------+-----------+----+-------+ 2 rows in set (0.01 sec) Sorry if I am being obtuse, but there is something that I am not quite getting here. Thanks for the help. -- Ian Truelsen s/v Sting Email: ian.truelsen@gmail.com AIM: ihtruelsen MSN: ihtruelsen@hotmail.com Google Talk: ian.truelsen@gmail.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, 2007-01-02 at 17:45 -0300, Hernan Antolini wrote:
ian "sql" goes in authorize section and accounting only; leave "preprocess", "auth_log", "suffix" and "sql" uncommented there to start. what about your "ian" entry in your users file ?...and delete that strange entry in your radcheck (id 1).
Okay, here is where I am unclear on the concept: If I need an entry in the users file, as well as radcheck database, then why am I using MySQL at all? I envisioned the sql authorization as negating the need to hard code a file on the system, but if I need both, then I don't really need MySQL. Would the sql database not make the users file unnecessary? The first entry in the radcheck table is me forgetting to add the null as the first collumn. -- Ian Truelsen s/v Sting Email: ian.truelsen@gmail.com AIM: ihtruelsen MSN: ihtruelsen@hotmail.com Google Talk: ian.truelsen@gmail.com
Ian Truelsen wrote:
Okay, here is where I am unclear on the concept: If I need an entry in the users file, as well as radcheck database,
You don't. The server is modular, which means any (or almost all) modules are optional.
then why am I using MySQL at all? I envisioned the sql authorization as negating the need to hard code a file on the system, but if I need both, then I don't really need MySQL. Would the sql database not make the users file unnecessary?
Yes. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On Wed, 2007-01-03 at 17:01 -0800, Alan DeKok wrote:
Ian Truelsen wrote:
Okay, here is where I am unclear on the concept: If I need an entry in the users file, as well as radcheck database,
You don't. The server is modular, which means any (or almost all) modules are optional.
then why am I using MySQL at all? I envisioned the sql authorization as negating the need to hard code a file on the system, but if I need both, then I don't really need MySQL. Would the sql database not make the users file unnecessary?
Yes.
Thanks for the clarification. Now, I still have the problem that, if I populate the users file with the same information that I have in my radcheck table, I get a positive authentication on the user. Without the users entry, I do not. Is there something else that needs to be populated in the radius database, like the group tables, or something? -- Ian Truelsen s/v Sting Email: ian.truelsen@gmail.com AIM: ihtruelsen MSN: ihtruelsen@hotmail.com Google Talk: ian.truelsen@gmail.com
Ian Truelsen wrote:
Thanks for the clarification. Now, I still have the problem that, if I populate the users file with the same information that I have in my radcheck table, I get a positive authentication on the user. Without the users entry, I do not. Is there something else that needs to be populated in the radius database, like the group tables, or something?
No. Perhaps you could try describing what is going into the "users" file, and what you think it should be doing. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On Thu, 2007-01-04 at 05:14 -0800, Alan DeKok wrote:
Ian Truelsen wrote:
Thanks for the clarification. Now, I still have the problem that, if I populate the users file with the same information that I have in my radcheck table, I get a positive authentication on the user. Without the users entry, I do not. Is there something else that needs to be populated in the radius database, like the group tables, or something?
No.
Perhaps you could try describing what is going into the "users" file, and what you think it should be doing.
All I did with the users file was to duplicate the entry in the radcheck table. So I have: ian Auth-Type := Local, User-Password == "test" added to my users file and with that, radtest authenticates user ian. Without it, user ian is not authenticated. The same information is stored in my radcheck table: mysql> select * from radcheck; +----+----------+-----------+----+-------+ | id | UserName | Attribute | op | Value | +----+----------+-----------+----+-------+ | 3 | ian | Password | == | test | +----+----------+-----------+----+-------+ 1 row in set (0.01 sec) -- Ian Truelsen s/v Sting Email: ian.truelsen@gmail.com AIM: ihtruelsen MSN: ihtruelsen@hotmail.com Google Talk: ian.truelsen@gmail.com
Ian Truelsen wrote:
All I did with the users file was to duplicate the entry in the radcheck table. So I have:
ian Auth-Type := Local, User-Password == "test"
1) Don't set Auth-Type by hand. It's not necessary. 2) Use ":=" for User-Password, not '=='. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On 1/4/07, Alan DeKok <aland@deployingradius.com> wrote:
Ian Truelsen wrote:
All I did with the users file was to duplicate the entry in the radcheck table. So I have:
ian Auth-Type := Local, User-Password == "test"
1) Don't set Auth-Type by hand. It's not necessary. 2) Use ":=" for User-Password, not '=='.
Alright, but that part of it works. It is the MySQL section that does not. Would these be related somehow? --
Ian Truelsen s/v Sting
On Thu, 2007-01-04 at 05:14 -0800, Alan DeKok wrote:
Ian Truelsen wrote:
Thanks for the clarification. Now, I still have the problem that, if I populate the users file with the same information that I have in my radcheck table, I get a positive authentication on the user. Without the users entry, I do not. Is there something else that needs to be populated in the radius database, like the group tables, or something?
No.
Perhaps you could try describing what is going into the "users" file, and what you think it should be doing.
It seems that I got it to work by setting the Default auth_type in /etc/raddb/users to Local as opposed to system. Not sure why that works, but it does. Many thanks for all the suggestions. -- Ian Truelsen s/v Sting Email: ian.truelsen@gmail.com AIM: ihtruelsen MSN: ihtruelsen@hotmail.com Google Talk: ian.truelsen@gmail.com
On Tue, 2007-01-02 at 09:37 -0300, Hernan Antolini wrote:
ian, just review your radiusd.conf (authenticate and authorize sections) because you sql IS going ok.....
modcall[authorize]: module "sql" returns ok for request 0
but your "unix" IS not
modcall[authenticate]: module "unix" returns notfound for request 0
just leave "sql" in your auth section if you plan to do it tha way
Hernan Antolini
BTW, I just noticed that while there is a section in authorize for sql, there is not one in authenticate. Is that correct? -- Ian Truelsen s/v Sting Email: ian.truelsen@gmail.com AIM: ihtruelsen MSN: ihtruelsen@hotmail.com Google Talk: ian.truelsen@gmail.com
Ian Truelsen wrote:
BTW, I just noticed that while there is a section in authorize for sql, there is not one in authenticate. Is that correct?
Yes. SQL servers are databases, not authentication servers. RADIUS servers are authentication servers, not databases. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (4)
-
Alan DeKok -
Dennis Skinner -
Hernan Antolini -
Ian Truelsen