Freeradius is unable to read NAS table in mysql db

Tim Sylvester tim.sylvester at networkradius.com
Thu Jun 10 19:58:11 CEST 2010


>Hi.
>Sorry 'cause I'm late. Some troubles.
>Well, I worked as explained below to perform a test (the problem we talked
>about) but also to check whether the password would be passed encrypted
>over the internet.
>
>|--------------------|
>|NAS-USG100|( USGWAN -79.xxx.xxx.xxx )---(INTERNET)----(78.yyy.yyy.yyy) RADIUS
>|--------------------|
> ( USGLAN:172.16.68.253) 
>        |
> (WEB-HTTPS)
>       |    
>       |
>172.16.68.16
>
>I mirrored both WAN ports of the USG, say WAN1 and WAN2, and had something to
>give to wireshark :-)
>
>I opened the Web LogIN page of the USG and provided a fake user and password (not
>present on ActiveDirectory or local USBdb), say gigino / 12345678
>
>I obtain this (USG)
>
>79.xxx.xxx.xxx    78.yyy.yyy.yyy    RADIUS    Access-Request(1) ....
>AVP: l=8  t=User-Name(1): gigino
>AVP: l=18  t=User-Password(2): Encrypted            <-  Yippieeeee
>AVP: l=6  t=NAS-IP-Address(4): 172.16.68.10         <- (PDC of my internal domain)
>AVP: l=10  t=NAS-Identifier(32): weblogin
>AVP: l=6  t=NAS-Port(5): 20915
>AVP: l=6  t=NAS-Port-Type(61): Virtual(5)
>AVP: l=6  t=Service-Type(6): Authenticate-Only(8)
>AVP: l=14  t=Calling-Station-Id(31): 172.16.68.16
>
>. . . on the remote radius server I obtain
>
>Ready to process requests.
>rad_recv: Access-Request packet from host 79.xxx.xxx.xxx ...
>        User-Name = "gigino"
>        User-Password = "gigino"
>        NAS-IP-Address = 172.16.68.10
>        NAS-Identifier = "weblogin"
>        NAS-Port = 20915
>        NAS-Port-Type = Virtual
>        Service-Type = Authenticate-Only
>        Calling-Station-Id = "172.16.68.16"
>
>+- entering group authorize {...}
>++[preprocess] returns ok
>++[chap] returns noop
>++[mschap] returns noop
> [suffix] No '@' in User-Name = "gigino", looking up realm NULL
>[suffix] No such realm "NULL"
>++[suffix] returns noop
>[eap] No EAP-Message, not doing EAP
>++[eap] returns noop
>++[unix] returns notfound
>
>--------------------------------------------------------------
>
>I presumed NAS-IP-Address: 172.16.68.253 !!!!!!!!
>
>What do you think?
>

<tim> What do I think? The USG is sending the RADIUS request and is setting
the NAS-IP-Address attribute to the IP Address of the PDC. FreeRADIUS uses
the source IP address of the RADIUS packet to determine the IP address of
the NAS, not the NAS-IP-Address attribute. The IP addresses in the
clients.conf file and the nas table in MySQL are checked using the source IP
address of the RADIUS packet.

So, you can either ignore this or talk to Facetime about configuring the RADIUS
client.

Based on your messages, everything seems to work.

Congratulations!

Tim
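
Added example, not part of the original e-mail and not FreeRADIUS code: a sketch of the distinction described in the reply above, where the client is matched on the packet's source address and the NAS-IP-Address attribute is only reported alongside it. The client table, the function names and the 203.0.113.10 / 198.51.100.7 addresses are constructed placeholders (the real WAN address is masked in the thread).

```python
import ipaddress
import struct

# Constructed client table keyed by source network, standing in for
# clients.conf / the MySQL nas table (assumption, not FreeRADIUS's own format).
CLIENTS = {ipaddress.ip_network("203.0.113.10/32"): "usg100"}
NAS_IP_ADDRESS = 4  # attribute type 4, as shown in the capture

def build_access_request(attrs, ident=1):
    """Encode a minimal Access-Request (code 1) with a zero authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Return {type: value} for the AVPs, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad AVP length")
        t, l = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return attrs

def identify_client(src_ip, packet):
    """Match the client on the UDP source address only; report NAS-IP-Address separately."""
    src = ipaddress.ip_address(src_ip)
    name = next((n for net, n in CLIENTS.items() if src in net), None)
    raw = parse_attributes(packet).get(NAS_IP_ADDRESS)
    claimed = str(ipaddress.ip_address(raw)) if raw and len(raw) == 4 else None
    return {"client": name, "nas_ip_address": claimed,
            "mismatch": claimed is not None and claimed != str(src)}

# Constructed packet carrying the User-Name and NAS-IP-Address seen in the thread.
SAMPLE = build_access_request([
    (1, b"gigino"),
    (NAS_IP_ADDRESS, ipaddress.ip_address("172.16.68.10").packed),
])

if __name__ == "__main__":
    print(identify_client("203.0.113.10", SAMPLE))  # known source, attribute differs
    print(identify_client("198.51.100.7", SAMPLE))  # unknown source, same attribute
```

The second call shows that a request carrying the same NAS-IP-Address from an unlisted source address matches no client.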




