Problem with MySQL + system auth
William
azander at netonecom.net
Wed Jan 23 18:44:01 CET 2008
Greetings,
In working to get my new radius server working I have run into a snag. I
need to authenticate using a SQL database or system password file depending
on where the request comes from, however the user may exist in both, with
different passwords. How do I tell it to use the MySQL username/password
pairs 'only' when it comes from a specific NAS?
I have tried specifying the "Auth-Type := LOCAL" in my SQL reply tables; I have
tried Autz-Type... I just don't seem to be able to get it working right.
Debug output from last try is below. Currently I am not specifying an
Auth-Type, but setting it to CHAP, PAP, or LOCAL doesn't work.
Suggestions, pointers to documentation I may have missed, etc. are gladly
welcomed.
---begin DEBUG---
rad_recv: Access-Request packet from host 192.168.1.64 port 32780, id=20,
length=59
User-Name = "azander"
User-Password = "test321"
NAS-IP-Address = 127.0.0.2
NAS-Port = 8
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = "azander", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[chap] returns noop
++[mschap] returns noop
++[unix] returns updated
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand: %{Stripped-User-Name:-%{User-Name}} -> azander
++[files] returns noop
expand: %{Stripped-User-Name} ->
expand: %{User-Name} -> azander
expand: %{%{Stripped-User-Name}:-%{User-Name}} -> azander
rlm_sql (sql): sql_set_user escaped user --> 'azander'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'azander' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'azander' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'azander' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'azander' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname
FROM radusergroup WHERE username = 'azander' ORDER BY
priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup
WHERE username = 'azander' ORDER BY priority
expand: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER
BY id -> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'staff' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'staff' ORDER BY id
rlm_sql (sql): User found in group staff
expand: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER
BY id -> SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = 'staff' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = 'staff' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "test321"
rlm_pap: Using CRYPT encryption.
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_pap: CRYPT password check failed): [azander/test321]
(from client flyer port 8)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> azander
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds