Hello list, I am currently using FreeRADIUS as my AAA server for a WiMAX network. Authentication is working perfectly, and the server is performing well. As part of my infrastructure-design I need to be able to forcibly kick users off the radiolink. As far as I have understood, this needs to be done using CoA/Disconnect-Request packets forged to match the NAS requirement. So far, so good. I have set up this query in my accounting section: if("%{sql:SELECT value FROM radcheck WHERE UserName = '%{SQL-User-Name}' and attribute = 'Acct-Logout-Now'}") { update disconnect { Reply-Message = "You have been closed." } } as a small test. However, %{SQL-User-Name} is an encrypted version of the username, which of course will not match anything in my database. Thu Aug 26 11:16:42 2010 : Info: (2) expand: SELECT value FROM radcheck WHERE UserName = '%{SQL-User-Name}' and attribute = 'Acct-Logout-Now' -> SELECT value FROM radcheck WHERE UserName = '=8Ham=3D1=7A62345d3c567f85678749f233ebe4577fbad' and attribute = 'Acct-Logout-Now' Thu Aug 26 11:16:42 2010 : Debug: rlm_sql (sql): Reserving sql socket id: 0 Thu Aug 26 11:16:42 2010 : Info: (2) SQL query did not return any results Thu Aug 26 11:16:42 2010 : Debug: rlm_sql (sql): Released sql socket id: 0 Thu Aug 26 11:16:42 2010 : Info: (2) expand: %{sql:SELECT value FROM radcheck WHERE UserName = '%{SQL-User-Name}' and attribute = 'Acct-Logout-Now'} -> Thu Aug 26 11:16:42 2010 : Info: (2) ? Evaluating ("%{sql:SELECT value FROM radcheck WHERE UserName = '%{SQL-User-Name}' and attribute = 'Acct-Logout-Now'}") -> FALSE Thu Aug 26 11:16:42 2010 : Info: (2) ++? if ("%{sql:SELECT value FROM radcheck WHERE UserName = '%{SQL-User-Name}' and attribute = 'Acct-Logout-Now'}") -> FALSE How can I get the username in a cleartext format? Thanks in advance, - Kristoffer Milligan
Kristoffer Milligan wrote:
as a small test. However, %{SQL-User-Name} is an encrypted version of the username, which of course will not match anything in my database.
Ask the client PC why it's sending an encrypted user name.
How can I get the username in a cleartext format?
Figure out how the client PC is encrypting it, and decrypt it. Alan DeKok.
The same thing happens during authentication when the CPE intially enters the network .. but then the username/password is decrypted and successfully compared in the database. What's the difference between the accounting and the authentication .. apart from the info that's exchanged? - Kristoffer Milligan On 08/26/2010 01:11 PM, Alan DeKok wrote:
Kristoffer Milligan wrote:
as a small test. However, %{SQL-User-Name} is an encrypted version of the username, which of course will not match anything in my database.
Ask the client PC why it's sending an encrypted user name.
How can I get the username in a cleartext format?
Figure out how the client PC is encrypting it, and decrypt it.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Kristoffer Milligan wrote:
The same thing happens during authentication when the CPE intially enters the network .. but then the username/password is decrypted and successfully compared in the database.
What's the difference between the accounting and the authentication .. apart from the info that's exchanged?
Read the debug log to see? Alan DeKok.
participants (2)
-
Alan DeKok -
Kristoffer Milligan