SQL Call-Check Authentication (again :( )
florian broder
flobroed at googlemail.com
Mon Dec 5 14:18:40 CET 2005
Hi.
I'm still having a hard time of implementing the Calling-Station-Id
Authentication. Basis is a Cisco Catalyst with
"Mac-Authentication-Bypass" turned on.
Alan DeKok told me, that I can use sql.conf:
# Use Stripped-User-Name, if it's there.
# Else use User-Name, if it's there,
-->># Else use hard-coded string "DEFAULT" as the user name.<<--
sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"
To tell freeradius, that there is no user-name.
Ok, I've done that, but It gives me this error:
rad_recv: Access-Request packet from host 192.168.1.222:1038, id=13, length=45
Service-Type = Call-Check
Calling-Station-Id = "11-22-33-44-55-66"
-->> rlm_sql (sql): zero length username not permitted <<--
That's basically the same packet, the Cisco Switch sends as
Auth-Request. Notice, that there is NO user-name in here at all.
The fact is also mentioned in the sql Source-Code:
/*
* They MUST have a user name to do SQL authorization.
*/
if ((request->username == NULL) ||
(request->username->length == 0)) {
radlog(L_ERR, "rlm_sql (%s): zero length username not permitted\n",
inst->config->xlat_name);
return RLM_MODULE_INVALID;
}
Switching to "file-based-Authentication" (in radiusd.conf) it works immediately:
rad_recv: Access-Request packet from host 192.168.1.222:1044, id=19, length=45
Service-Type = Call-Check
Calling-Station-Id = "11-22-33-44-55-66"
Sending Access-Accept of id 19 to 192.168.1.222:1044
Reply-Message = "Hello"
So, it's really a limitation in sql, rather that a misconfiguration?
Would be nice, if anyone can confirm this!
Bye Flo
More information about the Freeradius-Users
mailing list