PEAP with sql - plain Identity

Norbert Grochal norboro at celpol.pl
Thu Feb 9 12:27:05 CET 2006


> > But when I clear the users file and use sql I have a record in radcheck
> > table:
> >
> > id    UserName    Attribute            op     Value             ...
> > (other fields)
> > 1     mylogin        User-Password   ==    mypassword   ... (other
> > values)
>
>   Please read the "rlm_sql" documentation.  You are *comparing* the
> passwords via '=='.  Since, as you said, the client is sending
> MS-CHAP, there will be no clear-text password in the request.

I have "rlm_sql" documentation :-)

But I think rlm_sql doesn't check the password (!).
Look at the SQL queries (there are no password fields)...

radius_xlat:  'cserwis'
rlm_sql (sql): sql_set_user escaped user --> 'cserwis'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM
radcheck           WHERE Username = 'cserwis'           ORDER BY id'

I think this query builds something like Access-Request... and adds to it
what is in table radcheck.

So I have an idea...

I have modified queries in sql.conf:

#       authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
#          FROM ${authcheck_table} \
#          WHERE Username = '%{SQL-User-Name}' \
#          ORDER BY id"
#       authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
#          FROM ${authreply_table} \
#          WHERE Username = '%{SQL-User-Name}' \
#          ORDER BY id"

        authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
          FROM ${authcheck_table} \
          WHERE id = 74 \
          ORDER BY id"
        authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
          FROM ${authreply_table} \
          WHERE id = 74 \
          ORDER BY id"

of course in future I will not use the id field but add my own username
field to table radcheck.

Now in 'Raconfig...' I can set Identity to 'Jan Kowalski' ;-) and login =
mylogin and password = mypassword and IT WORKS :-). Now I have what I want:
logins are not == Identity.

Is it a good solution? I have freeradius 1.1.0, and the sql queries 'think' that
Username is Identity but *I don't know how* it pushes Username as login to
EAP-PEAP authorization (sorry, isn't it a BUG ???). Can I overwrite it by
another entry in the radcheck table?

Something like this:
id    UserName    Attribute            op     Value             ... (other
fields)
2     myidentity     User-Name   ==    mylogin   ... (other values)

I think I cannot... there is no (?) operator to erase what was *I don't
know how* pushed to EAP-PEAP...

Norbert
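The point made in the quoted reply (a `==` row is a comparison, and an MS-CHAP request carries no clear-text password to compare against) as a constructed Python model. This is an added example, not FreeRADIUS or rlm_sql code: the `CheckRow` rows, the two request dictionaries and the function names are constructed, and the `:=` handling follows the rlm_sql convention of supplying a known password rather than comparing one, reduced here to the two operators that matter for the thread.

```python
# Added example, not FreeRADIUS code: a constructed model of rlm_sql check
# items, showing why a '==' User-Password row cannot match an MS-CHAP request.
from dataclasses import dataclass

@dataclass
class CheckRow:
    """One radcheck row (constructed sample, columns as on the list post)."""
    id: int
    username: str
    attribute: str
    op: str
    value: str

# Row 1 mirrors the thread ('==' compares against the request); row 2 is the
# ':=' form that hands the password to the authenticating module instead.
RADCHECK = [
    CheckRow(1, "mylogin", "User-Password", "==", "mypassword"),
    CheckRow(2, "otherlogin", "User-Password", ":=", "mypassword"),
]

def authorize_check_query(rows, user_name):
    """Mimics authorize_check_query: rows for one UserName, ordered by id."""
    return sorted((r for r in rows if r.username == user_name), key=lambda r: r.id)

def apply_check_items(rows, request):
    """Apply check rows to a request (dict of attribute -> value).

    Returns (matched, known_password). '==' compares the row value with the
    same attribute in the request, so a missing attribute means no match.
    ':=' records the value as the known password for a later module such as
    MS-CHAP, which never sees a clear-text User-Password in the request.
    """
    known_password = None
    for row in rows:
        if row.op == "==":
            if request.get(row.attribute) != row.value:
                return False, None
        elif row.op == ":=" and row.attribute == "User-Password":
            known_password = row.value
        else:
            raise ValueError(f"row {row.id}: {row.op} {row.attribute} not modelled")
    return True, known_password

# Constructed requests: PAP carries User-Password; a PEAP/MS-CHAP inner
# request carries only challenge and response attributes.
PAP_REQUEST = {"User-Name": "mylogin", "User-Password": "mypassword"}
MSCHAP_REQUEST = {"User-Name": "mylogin", "MS-CHAP-Challenge": "<challenge>",
                  "MS-CHAP2-Response": "<response>"}
```

Running the `==` row against `MSCHAP_REQUEST` yields no match, while the `:=` row yields a match together with the password the MS-CHAP module would then verify against.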