mysql and Auth-Type:=Reject Problem
Norbert Wegener
nw at sbs.de
Thu Oct 12 17:03:34 CEST 2006
I am using a mysql database with user information and simulating an 802.1x
authentication via eapol_test.
In special situations I want to send an Auth-Type := Reject from the
table radreply, although the EAP authentication succeeded. This does
not seem to work for me with freeradius 1.1.3.
freeradius -AX
....
modcall: leaving group authenticate (returns ok) for request 21
Sending Access-Accept of id 9 to 127.0.0.1 port 1226
Framed-IP-Address = 1.2.3.4
MS-MPPE-Recv-Key = 0xd8a5e8adaa368def127716024634cf6d7633ed034d8206e376ab21f408771f31
MS-MPPE-Send-Key = 0x7e67cb055071a333c28c7e462914bcfba12208c6a547ef8740c939f9c3be5173
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "host/de7018tc.ww901.siemens.net"
Finished request 21
Going to the next request
Waking up in 6 seconds...
where the IP 1.2.3.4 is definitely from that table, and the select that
freeradius runs gives the correct result in the mysql client itself:
mysql> SELECT id, UserName, Attribute, Value, op FROM radreply
    -> WHERE Username = 'host/de7018tc.ww901.siemens.net' ORDER BY id;
+----+---------------------------------+-------------------+---------+----+
| id | UserName                        | Attribute         | Value   | op |
+----+---------------------------------+-------------------+---------+----+
| 32 | host/de7018tc.ww901.siemens.net | Auth-Type         | Reject  | := |
| 33 | host/de7018tc.ww901.siemens.net | Framed-IP-Address | 1.2.3.4 | =  |
+----+---------------------------------+-------------------+---------+----+
The operators ==, += or = do not work either.
The database contains the following:
mysql> select * from usergroup;
+----------+---------------------------------+-----------+---------------------+---------------------+---------+
| id       | UserName                        | GroupName | loaddate            | validto             | konftyp |
+----------+---------------------------------+-----------+---------------------+---------------------+---------+
| 16148296 | HOST/de7018tc.ww901.siemens.net | vl1       | 2006-10-12 14:17:22 | 2006-10-13 00:00:00 | NULL    |
+----------+---------------------------------+-----------+---------------------+---------------------+---------+
1 row in set (0.00 sec)
The following entry is only there to get the attributes from radreply later:
mysql> select * from radcheck;
+----------+---------------------------------+--------------+----+-------+---------------------+
| id       | UserName                        | Attribute    | op | Value | validto             |
+----------+---------------------------------+--------------+----+-------+---------------------+
| 12131722 | HOST/de7018tc.ww901.siemens.net | Idle-Timeout | += | 12345 | 2006-10-13 00:00:00 |
+----------+---------------------------------+--------------+----+-------+---------------------+
1 row in set (0.00 sec)
mysql> select * from radreply;
+----+---------------------------------+-------------------+----+---------+------------+--------------+---------+
| id | UserName                        | Attribute         | op | Value   | ra_nasname | ra_GroupName | validto |
+----+---------------------------------+-------------------+----+---------+------------+--------------+---------+
| 32 | host/de7018tc.ww901.siemens.net | Auth-Type         | := | Reject  | 4711       | NULL         | NULL    |
| 33 | host/de7018tc.ww901.siemens.net | Framed-IP-Address | =  | 1.2.3.4 | 0815       | NULL         | NULL    |
+----+---------------------------------+-------------------+----+---------+------------+--------------+---------+
2 rows in set (0.00 sec)
The complete logfile can be found at
http://www.wegener-net.de/fr/
What do I have to change to make that work?
Thanks
Norbert Wegener
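Added example, not part of the original post and not an answer from the list: in FreeRADIUS, Auth-Type is a check item, not a reply item. rlm_sql loads radcheck rows into the request's check list (where Auth-Type is acted on) and radreply rows into the reply list (attributes that are sent back to the NAS). An Auth-Type row in radreply therefore never influences the accept/reject decision, whichever operator it carries. The statements below move the row to radcheck; they assume the stock FreeRADIUS 1.x column names (UserName, Attribute, op, Value) and leave out the site-specific columns shown above (validto, ra_nasname, ra_GroupName), which is an assumption about the schema.

```sql
-- Added example (not from the original post). Assumes the stock FreeRADIUS 1.x
-- radcheck/radreply columns: UserName, Attribute, op, Value.

-- 1. Drop the reply-side row: rlm_sql puts radreply rows into the reply list,
--    where Auth-Type has no effect on the authentication decision.
DELETE FROM radreply
 WHERE UserName  = 'host/de7018tc.ww901.siemens.net'
   AND Attribute = 'Auth-Type';

-- 2. Add the same item on the check side. ':=' sets or replaces Auth-Type in the
--    check list, so it wins over any Auth-Type another authorize module already set.
INSERT INTO radcheck (UserName, Attribute, op, Value)
VALUES ('host/de7018tc.ww901.siemens.net', 'Auth-Type', ':=', 'Reject');

-- 3. Verify with the same shape of query rlm_sql uses for check items.
SELECT id, UserName, Attribute, Value, op
  FROM radcheck
 WHERE UserName = 'host/de7018tc.ww901.siemens.net'
 ORDER BY id;
-- Expected: one row with Attribute = 'Auth-Type', op = ':=', Value = 'Reject'
-- (plus the existing Idle-Timeout row).
```

Two caveats for anyone reproducing this. First, with Auth-Type := Reject in the check list the request is rejected in the authorize stage, so the EAP conversation does not run to completion at all; a reject "after EAP succeeded" is not what this configuration produces. Second, the posted usergroup and radcheck rows spell the user as "HOST/..." while radreply and the Access-Request use "host/..."; that only matches because MySQL's default collation compares case-insensitively, and it will stop matching if the column is ever given a case-sensitive (binary) collation.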