Freeradius + mysql Auth-Type error...
Todd Bateman
wtab at comcast.net
Sat Dec 18 02:04:38 CET 2010
I changed the /etc/raddb/sites-available/default to the following and
changed Auth-Type to SQL in the radcheck table, and it still rejects the
user.
authorize {
    preprocess
    mschap
    sql
}
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
}
preacct {
    account_unique
}
accounting {
    radutmp
    sql
}
session {
    sql
}
post-auth {
    Post-Auth-Type REJECT {
        sql
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
}
> and add the information to clients.conf and sql.conf, and it seems to
> be working for I get database requests when I run radiusd -X and run
> radtest. My mysql tables look like the following:
>
> mysql> select * from radcheck;
> +----+----------+--------------+----+----------------------------------+
> | id | username | attribute | op | value |
> +----+----------+--------------+----+----------------------------------+
> | 1 | testuser | MD5-Password | := | 179ad45c6ce2cb97cf1029e212046e81 |
> +----+----------+--------------+----+----------------------------------+
> 1 row in set (0.00 sec)
>
> I have also tried this with Attribute set to Cleartext-Password and op
> set to == with the same result.
>
> mysql> select * from radgroupcheck;
> +----+-------------+-----------+----+---------+
> | id | groupname | attribute | op | value |
> +----+-------------+-----------+----+---------+
> | 1 | normalusers | Auth-Type | := | MS-CHAP |
> +----+-------------+-----------+----+---------+
> 1 row in set (0.00 sec)
>
Changed Auth-Type to SQL
> mysql> select * from radgroupreply;
> +----+-------------+--------------------+----+---------------------+
> | id | groupname | attribute | op | value |
> +----+-------------+--------------------+----+---------------------+
> | 1 | normalusers | Framed-Compression | = | Van-Jacobson-TCP-IP |
> +----+-------------+--------------------+----+---------------------+
> 1 row in set (0.00 sec)
>
> mysql> select * from radpostauth;
> +----+----------+--------------+---------------+---------------------+
> | id | username | pass | reply | authdate |
> +----+----------+--------------+---------------+---------------------+
> | 1 | testuser | testuserpass | Access-Reject | 2010-12-16 23:45:22 |
> | 2 | testuser | testuserpass | Access-Reject | 2010-12-16 23:52:18 |
> | 3 | testuser | testuserpass | Access-Reject | 2010-12-17 00:24:07 |
> | 4 | root | changed | Access-Accept | 2010-12-17 01:28:43 |
> | 5 | user1 | password1 | Access-Reject | 2010-12-17 01:29:01 |
> | 6 | root | changed | Access-Accept | 2010-12-17 01:38:59 |
> | 7 | todd | changed | Access-Accept | 2010-12-17 01:41:16 |
> | 8 | user1 | password1 | Access-Reject | 2010-12-17 02:06:47 |
> | 9 | user1 | password1 | Access-Reject | 2010-12-17 02:18:37 |
> | 10 | testuser | testpass | Access-Reject | 2010-12-17 05:05:05 |
> | 11 | testuser | testpass | Access-Reject | 2010-12-17 05:10:04 |
> | 12 | testuser | testpass | Access-Reject | 2010-12-17 05:24:06 |
> | 13 | testuser | testpass | Access-Reject | 2010-12-17 05:35:10 |
> | 14 | testuser | testpass | Access-Reject | 2010-12-17 06:09:40 |
> | 15 | testuser | testpass | Access-Reject | 2010-12-17 06:28:45 |
> | 16 | testuser | testpass | Access-Reject | 2010-12-17 06:43:24 |
> +----+----------+--------------+---------------+---------------------+
> 16 rows in set (0.00 sec)
>
> The Access-Accepts that I got here are from when I switched it to use the
> /etc/passwd file.
>
> mysql> select * from radreply;
> +----+----------+-------------------+----+-----------+
> | id | username | attribute | op | value |
> +----+----------+-------------------+----+-----------+
> | 1 | testuser | Framed-IP-Address | = | 127.0.0.1 |
> +----+----------+-------------------+----+-----------+
> 1 row in set (0.00 sec)
>
> mysql> select * from radusergroup;
> +----------+-------------+----------+
> | username | groupname | priority |
> +----------+-------------+----------+
> | testuser | normalusers | 1 |
> +----------+-------------+----------+
> 1 row in set (0.00 sec)
>
When I start radiusd in debug mode and test from another window I get
this output.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 58605, id=234,
length=60
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[sql] expand: %{Stripped-User-Name} ->
[sql] sql_set_user escaped user --> ''
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value,
op FROM radcheck WHERE username = '' ORDER
BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username =
'' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM
radusergroup WHERE username = '' ORDER BY priority
[sql] Checking profile DEFAULT
[sql] sql_set_user escaped user --> 'DEFAULT'
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username =
'DEFAULT' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM
radusergroup WHERE username = 'DEFAULT' ORDER BY
priority
rlm_sql (sql): Released sql socket id: 3
[sql] User not found
++[sql] returns notfound
ERROR: No authenticate method (Auth-Type) found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[sql] expand: %{Stripped-User-Name} ->
[sql] sql_set_user escaped user --> ''
[sql] expand: %{User-Password} -> testpass
[sql] expand: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
( '%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO
radpostauth (username, pass, reply,
authdate) VALUES (
'testuser',
'testpass', 'Access-Reject', '2010-12-17
20:03:34')
[sql] expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO
radpostauth (username, pass, reply,
authdate) VALUES (
'testuser',
'testpass', 'Access-Reject', '2010-12-17
20:03:34')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
( 'testuser',
'testpass', 'Access-Reject', '2010-12-17
20:03:34')
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
[attr_filter.access_reject] expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 234 to 127.0.0.1 port 58605
Waking up in 4.9 seconds.
Cleaning up request 0 ID 234 with timestamp +9
Ready to process requests.
> And in the window where I ran radtest I get an Access-Reject
>
root at krazy:/etc/raddb# radtest testuser testpass localhost 1812 testing123
Sending Access-Request of id 234 to 127.0.0.1 port 1812
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=234,
length=20
> radtest testuser testpass localhost 1812 testing123
> Sending Access-Request of id 90 to 127.0.0.1 port 1812
> User-Name = "testuser"
> User-Password = "testpass"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 1812
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=90,
> length=20
>
> I'm not sure how to fix this; I have been searching for days with no luck.
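
Added example, not part of the original post: a small Python check over `radiusd -X` output that flags the two conditions visible in the debug log above, namely the SQL lookup key expanding to an empty string while the request carries a User-Name, and the "No authenticate method" rejection that follows. The sample lines are constructed from the log in this message, and the function name `diagnose` is hypothetical.

```python
import re

# Constructed sample: lines abridged from the debug output quoted in this post.
SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 58605, id=234, length=60
    User-Name = "testuser"
[sql] expand: %{Stripped-User-Name} ->
[sql] sql_set_user escaped user --> ''
[sql] User not found
++[sql] returns notfound
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
"""

USER_NAME = re.compile(r'^\s*User-Name = "(.*)"')
EXPAND = re.compile(r"^\[sql\]\s+expand: (%\{[^ ]+\}) ->\s*(.*)$")
SQL_USER = re.compile(r"sql_set_user escaped user --> '(.*)'")

def diagnose(debug_text):
    """Return de-duplicated findings for one request's debug output."""
    findings = []
    request_user = None   # User-Name attribute received in the packet
    last_expand = None    # most recent "[sql] expand: %{...} -> value" pair

    def note(msg):
        if msg not in findings:
            findings.append(msg)

    for line in debug_text.splitlines():
        m = USER_NAME.match(line)
        if m:
            request_user = m.group(1)
            continue
        m = EXPAND.match(line)
        if m:
            last_expand = (m.group(1), m.group(2).strip())
            continue
        m = SQL_USER.search(line)
        if m and m.group(1) == "" and request_user:
            # The module is about to query radcheck with username = ''.
            src = last_expand[0] if last_expand else "unknown expansion"
            note(f"empty SQL lookup key: {src} expanded to '' "
                 f"but User-Name is {request_user!r}")
            continue
        if "No authenticate method (Auth-Type) found" in line:
            note("no Auth-Type was set during authorize")
    return findings
```

Running `diagnose()` over the full log in this post gives the same two findings, because the later `'DEFAULT'` profile lookup is not empty and the repeat in the REJECT section is de-duplicated.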