mysql and Auth-Type:=Reject Problem

Norbert Wegener nw at sbs.de
Thu Oct 12 17:03:34 CEST 2006


I am using a mysql database with user information and simulate an 802.1x 
authentication via eapol_test.
In special situations I want to send an Auth-Type:=Reject from the 
table radreply, although the EAP authentication succeeded. This does 
not seem to work for me with freeradius 1.1.3.
freeradius -AX
....
modcall: leaving group authenticate (returns ok) for request 21
Sending Access-Accept of id 9 to 127.0.0.1 port 1226
        Framed-IP-Address = 1.2.3.4
        MS-MPPE-Recv-Key = 0xd8a5e8adaa368def127716024634cf6d7633ed034d8206e376ab21f408771f31
        MS-MPPE-Send-Key = 0x7e67cb055071a333c28c7e462914bcfba12208c6a547ef8740c939f9c3be5173
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "host/de7018tc.ww901.siemens.net"
Finished request 21
Going to the next request
Waking up in 6 seconds...

where the IP 1.2.3.4 is definitely from that table, and the select that 
freeradius starts gives the correct result in the mysql client itself:

mysql> SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'host/de7018tc.ww901.siemens.net' ORDER BY id;
+----+---------------------------------+-------------------+---------+----+
| id | UserName                        | Attribute         | Value   | op |
+----+---------------------------------+-------------------+---------+----+
| 32 | host/de7018tc.ww901.siemens.net | Auth-Type         | Reject  | := |
| 33 | host/de7018tc.ww901.siemens.net | Framed-IP-Address | 1.2.3.4 | =  |
+----+---------------------------------+-------------------+---------+----+

The operators ==, += or = do not work either.

The database contains the following:
mysql> select * from usergroup;
+----------+---------------------------------+-----------+---------------------+---------------------+---------+
| id       | UserName                        | GroupName | loaddate            | validto             | konftyp |
+----------+---------------------------------+-----------+---------------------+---------------------+---------+
| 16148296 | HOST/de7018tc.ww901.siemens.net | vl1       | 2006-10-12 14:17:22 | 2006-10-13 00:00:00 | NULL    |
+----------+---------------------------------+-----------+---------------------+---------------------+---------+
1 row in set (0.00 sec)

The following entry is only there to get the attributes from radreply later:

mysql> select * from radcheck;
+----------+---------------------------------+--------------+----+-------+---------------------+
| id       | UserName                        | Attribute    | op | Value | validto             |
+----------+---------------------------------+--------------+----+-------+---------------------+
| 12131722 | HOST/de7018tc.ww901.siemens.net | Idle-Timeout | += | 12345 | 2006-10-13 00:00:00 |
+----------+---------------------------------+--------------+----+-------+---------------------+
1 row in set (0.00 sec)

mysql> select * from radreply;
+----+---------------------------------+-------------------+----+---------+------------+--------------+---------+
| id | UserName                        | Attribute         | op | Value   | ra_nasname | ra_GroupName | validto |
+----+---------------------------------+-------------------+----+---------+------------+--------------+---------+
| 32 | host/de7018tc.ww901.siemens.net | Auth-Type         | := | Reject  | 4711       | NULL         | NULL    |
| 33 | host/de7018tc.ww901.siemens.net | Framed-IP-Address | =  | 1.2.3.4 | 0815       | NULL         | NULL    |
+----+---------------------------------+-------------------+----+---------+------------+--------------+---------+
2 rows in set (0.00 sec)

The complete logfile can be found at
http://www.wegener-net.de/fr/

What do I have to change to make that work?


Thanks
Norbert Wegener