FreeRadius and MySql custom attributes
Aaron Seibert
aaron at awseibert.net
Wed Nov 5 20:58:23 CET 2008
Posting relevant sections along with an explanation -

I was doing some fiddling in between posting and responding here. Here
is the current setup, as I was trying to make it work:

dictionary.slipstream -

VENDOR Slipstream 7000
ATTRIBUTE Profile 1 string Slipstream

reply query in mssql.conf -

authorize_reply_query = "SELECT '',Username,'Profile',Profiles,':=' FROM
radius_auth WHERE Username = '%{SQL-User-Name}'"

Relevant output when running radiusd -X -

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_realm: Looking up realm "evenlink.com" for User-Name =
"aseibert at evenlink.com"
rlm_realm: No such realm "evenlink.com"
modcall[authorize]: module "suffix" returns noop for request 0
radius_xlat: 'aseibert at evenlink.com'
rlm_sql (sql): sql_set_user escaped user --> 'aseibert at evenlink.com'
radius_xlat: 'SELECT '',Username,'Cleartext-Password',Password,':='
FROM radius_auth WHERE Username = 'aseibert at evenlink.com''
rlm_sql (sql): Reserving sql socket id: 4
query: SELECT '',Username,'Cleartext-Password',Password,':=' FROM
radius_auth WHERE Username = 'aseibert at evenlink.com'
radius_xlat: ''
radius_xlat: 'SELECT '',Username,'Profile',Profiles,':=' FROM
radius_auth WHERE Username = 'aseibert at evenlink.com''
query: SELECT '',Username,'Profile',Profiles,':=' FROM radius_auth
WHERE Username = 'aseibert at evenlink.com'
radius_xlat: ''
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 46 to 206.174.130.217 port 40278
Profile := "Slip"
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 46 with timestamp 4911f770
Nothing to do. Sleeping until we see a request.

This doesn't allow the slip user to connect to the slip service.
However, if I change everything to the following:

dictionary.slipstream:

VENDOR Slipstream 7000
ATTRIBUTE Slipstream-Auth 1 string Slipstream

mssql query:

authorize_reply_query = "SELECT
'',Username,'Slipstream-Auth','true',':=' FROM radius_auth WHERE
Username = '%{SQL-User-Name}'"

Output:

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_realm: Looking up realm "evenlink.com" for User-Name =
"aseibert at evenlink.com"
rlm_realm: No such realm "evenlink.com"
modcall[authorize]: module "suffix" returns noop for request 0
radius_xlat: 'aseibert at evenlink.com'
rlm_sql (sql): sql_set_user escaped user --> 'aseibert at evenlink.com'
radius_xlat: 'SELECT '',Username,'Cleartext-Password',Password,':='
FROM radius_auth WHERE Username = 'aseibert at evenlink.com''
rlm_sql (sql): Reserving sql socket id: 4
query: SELECT '',Username,'Cleartext-Password',Password,':=' FROM
radius_auth WHERE Username = 'aseibert at evenlink.com'
radius_xlat: ''
radius_xlat: 'SELECT '',Username,'Slipstream-Auth','true',':=' FROM
radius_auth WHERE Username = 'aseibert at evenlink.com''
query: SELECT '',Username,'Slipstream-Auth','true',':=' FROM
radius_auth WHERE Username = 'aseibert at evenlink.com'
radius_xlat: ''
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 230 to 206.174.130.217 port 56427
Slipstream-Auth := "true"
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 230 with timestamp 4911fa44
Nothing to do. Sleeping until we see a request.

As you can see, what I need to do is basically say if the Profiles
column in the sql database has a value of Slip, then Slipstream-Auth =
"true" needs to be passed back in the reply query. I just can't figure
out how to do that...

On Wed, 2008-11-05 at 13:56 -0500, Stephen Bowman wrote:
>
>
> have created a dictionary.slipstream file with the following:
>
> VENDOR Slipstream 7000
> ATTRIBUTE SlipStream-Auth True string Slipstream
>
> However, that will not authenticate the slip client. If I "hardcode"
> the attribute into the auth_reply query, the client is then
> authenticated. (Query = authorize_reply_query = "SELECT
> '','Slipstream-Auth','true',':-' FROM radius_auth WHERE Username =
> '%{SQL-User-Name}'"
>
> Any ideas where to go to get this working correctly?
>
>
> Post the output of radiusd -X.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
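
One way to express the condition described in the message above, as an added example that is not part of the original post or of FreeRADIUS itself: keep the working Slipstream-Auth reply query and add `AND Profiles = 'Slip'`, so the reply row is returned only for users whose Profiles column is Slip. The sqlite3 database (standing in for the MSSQL backend), the sample users and the helper names `build_db` and `reply_pairs` are assumptions for illustration; the table, column and attribute names come from the post.

```python
import sqlite3

# Constructed sample rows; sqlite3 stands in for the MSSQL backend (assumption).
SAMPLE_USERS = [
    ("slipuser@example.test", "pw1", "Slip"),
    ("dialuser@example.test", "pw2", "Dialup"),
    ("noprofile@example.test", "pw3", None),
]

# Same column order as the post's authorize_reply_query
# (id, Username, Attribute, Value, op) plus one added condition.
# In the rlm_sql config the "?" placeholder would be '%{SQL-User-Name}',
# which the debug output shows rlm_sql escaping before use.
REPLY_QUERY = (
    "SELECT '', Username, 'Slipstream-Auth', 'true', ':=' "
    "FROM radius_auth WHERE Username = ? AND Profiles = 'Slip'"
)


def build_db(rows=SAMPLE_USERS):
    """Create an in-memory radius_auth table holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radius_auth "
        "(Username TEXT PRIMARY KEY, Password TEXT, Profiles TEXT)"
    )
    db.executemany("INSERT INTO radius_auth VALUES (?, ?, ?)", rows)
    return db


def reply_pairs(db, username):
    """Return the reply items for one user as (attribute, op, value) tuples."""
    # Bound parameter: the username is never spliced into the SQL text.
    cur = db.execute(REPLY_QUERY, (username,))
    return [(attr, op, value) for _id, _user, attr, value, op in cur]


if __name__ == "__main__":
    db = build_db()
    for user, _pw, _profile in SAMPLE_USERS:
        print(user, reply_pairs(db, user))
```

A user whose Profiles value is anything other than Slip, or is NULL, gets no row back and therefore no Slipstream-Auth reply item.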