RE: again .. mac based auth + user/password for pppoe
Listas Angelo
angelo-listas at prolinx.com.br
Thu Feb 23 11:47:43 CET 2012
Hello,
I have an environment with this situation; here are my configs:
mysql> select * from radcheck WHERE `username` = 'joao';
+----+----------+--------------------+----+---------+-------------------+-------------+----------+--------+
| id | username | attribute          | op | value   | macaddress        | ip          | download | upload |
+----+----------+--------------------+----+---------+-------------------+-------------+----------+--------+
|  1 | joao     | Cleartext-Password | := | prolinx | 78:44:76:07:f7:47 | 172.16.0.31 |      600 |    600 |
+----+----------+--------------------+----+---------+-------------------+-------------+----------+--------+
1 row in set (0.00 sec)
mysql> select * from radreply WHERE `username` = 'joao';
+----+----------+-------------------+----+-------------+
| id | username | attribute         | op | value       |
+----+----------+-------------------+----+-------------+
|  1 | joao     | Framed-IP-Address | := | 172.16.0.31 |
+----+----------+-------------------+----+-------------+
1 row in set (0.00 sec)
/etc/raddb/sql/mysql/dialup.conf (specific check of the MAC):
authorize_check_query = "SELECT id, username, attribute, value, op \
FROM ${authcheck_table} \
WHERE username = '%{SQL-User-Name}' AND UPPER(macaddress) = UPPER('%{Calling-Station-Id}')\
ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op \
FROM ${authreply_table} \
WHERE username = '%{SQL-User-Name}' \
ORDER BY id"
-----Original Message-----
From: freeradius-users-bounces+angelo-listas=prolinx.com.br at lists.freeradius.org [mailto:freeradius-users-bounces+angelo-listas=prolinx.com.br at lists.freeradius.org] On behalf of S Adrian
Sent: Wednesday, 22 February 2012 18:57
To: freeradius-users at lists.freeradius.org
Subject: again .. mac based auth + user/password for pppoe
Hey again,
I've searched the list for my old conversation here but couldn't find
it... still, here it goes...
I have rp-pppoe started in kernel mode (the Calling-Station-Id gets
sent, as I can see it).
You'll notice that even though I added Calling-Station-Id in radcheck
to be 11:22:33:44:55:66, trying with radclient got me accepted (even
though I specified 11:22:33:44:55:77).
The idea is that I also want to do a MAC check (if the
Calling-Station-Id is present in SQL).
I don't want to bind the username/password combination to the MAC
address for all the users.
PPPoE ~ # cat dexter | radclient -x 127.0.0.1 auth r4d1usP4ssw0rd
Sending Access-Request of id 61 to 127.0.0.1 port 1812
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "dexter"
User-Password = "250896"
Calling-Station-Id = "11:22:33:44:55:77"
NAS-IP-Address = 127.0.0.1
NAS-Port = 242
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=61, length=50
Framed-Protocol = PPP
Service-Type = Framed-User
Framed-Compression = Van-Jacobson-TCP-IP
Framed-MTU = 1500
Framed-IP-Address = 10.10.0.82
mysql> select * from radcheck WHERE `username` = 'dexter';
+------+----------+--------------------+----+-------------------+
| id   | username | attribute          | op | value             |
+------+----------+--------------------+----+-------------------+
| 2298 | dexter   | Cleartext-Password | := | 250896            |
| 2299 | dexter   | Simultaneous-Use   | := | 1                 |
| 2300 | dexter   | Pool-Name          | := | main              |
| 2301 | dexter   | Calling-Station-Id | := | 11:22:33:44:55:66 |
+------+----------+--------------------+----+-------------------+
4 rows in set (0.01 sec)
mysql> select * from radreply WHERE `username` = 'dexter';
+------+----------+--------------------+----+---------------------+
| id   | username | attribute          | op | value               |
+------+----------+--------------------+----+---------------------+
| 4461 | dexter   | Framed-MTU         | := | 1500                |
| 4459 | dexter   | Service-Type       | := | Framed-User         |
| 4458 | dexter   | Framed-Protocol    | := | PPP                 |
| 4460 | dexter   | Framed-Compression | := | Van-Jacobsen-TCP-IP |
+------+----------+--------------------+----+---------------------+
radiusd -X reports this:
rad_recv: Access-Request packet from host 127.0.0.1 port 52468, id=61, length=89
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "dexter"
User-Password = "250896"
Calling-Station-Id = "11:22:33:44:55:77"
NAS-IP-Address = 127.0.0.1
NAS-Port = 242
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/127.0.0.1/auth-detail-20120222
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120222
[auth_log] expand: %t -> Wed Feb 22 22:36:07 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[sql] expand: %{User-Name} -> dexter
[sql] sql_set_user escaped user --> 'dexter'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'dexter' ORDER BY
id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'dexter' ORDER BY
id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username
= 'dexter' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname =
'dynamic' ORDER BY id
[sql] User found in group dynamic
[sql] expand: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname =
'dynamic' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
+- entering group session {...}
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> dexter
++[radutmp] returns ok
Login OK: [dexter/250896] (from client localhost port 242 cli 11:22:33:44:55:77)
+- entering group post-auth {...}
[reply_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d ->
/var/log/radius/radacct/127.0.0.1/reply-detail-20120222
[reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/reply-detail-20120222
[reply_log] expand: %t -> Wed Feb 22 22:36:07 2012
++[reply_log] returns ok
[sql] expand: %{User-Name} -> dexter
[sql] sql_set_user escaped user --> 'dexter'
[sql] expand: %{User-Password} -> 250896
[sql] expand: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
(username, pass, reply, authdate)
VALUES ( 'dexter',
'250896', 'Access-Accept', '2012-02-22
22:36:07')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(username, pass, reply, authdate)
VALUES ( 'dexter',
'250896', 'Access-Accept',
'2012-02-22 22:36:07')
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
[sql_log] Processing sql_log_postauth
[sql_log] expand: %{User-Name} -> dexter
[sql_log] expand: %{%{User-Name}:-DEFAULT} -> dexter
[sql_log] sql_set_user escaped user --> 'dexter'
[sql_log] WARNING: Deprecated conditional expansion ":-". See "man
unlang" for details
[sql_log] expand: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
('%{User-Name}', '%{User-Password:-Chap-Password}',
'%{reply:Packet-Type}', '%S'); -> INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
('dexter', '250896', 'Access-Accept', '2012-02-22
22:36:07');
[sql_log] expand: /var/log/radius/radacct/sql-relay ->
/var/log/radius/radacct/sql-relay
++[sql_log] returns ok
rlm_sql (sql): Reserving sql socket id: 0
[sqlippool] expand: %{User-Name} -> dexter
[sqlippool] sql_set_user escaped user --> 'dexter'
[sqlippool] expand: START TRANSACTION -> START TRANSACTION
[sqlippool] expand: UPDATE radippool SET nasipaddress = '',
pool_key = 0, callingstationid = '', username = '', expiry_time =
NULL WHERE expiry_time <= NOW() - INTERVAL 1 SECOND AND
nasipaddress = '%{Nas-IP-Address}' -> UPDATE radippool SET
nasipaddress = '', pool_key = 0, callingstationid = '', username =
'', expiry_time = NULL WHERE expiry_time <= NOW() - INTERVAL 1
SECOND AND nasipaddress = '127.0.0.1'
[sqlippool] expand: SELECT framedipaddress FROM radippool WHERE
pool_name = '%{control:Pool-Name}' AND expiry_time IS NULL ORDER
BY RAND() LIMIT 1 FOR UPDATE -> SELECT framedipaddress FROM
radippool WHERE pool_name = 'main' AND expiry_time IS NULL ORDER
BY RAND() LIMIT 1 FOR UPDATE
[sqlippool] expand: UPDATE radippool SET nasipaddress =
'%{NAS-IP-Address}', pool_key = '%{NAS-Port}', callingstationid =
'%{Calling-Station-Id}', username = '%{User-Name}', expiry_time =
NOW() + INTERVAL 604800 SECOND WHERE framedipaddress = '10.10.0.82'
AND expiry_time IS NULL -> UPDATE radippool SET nasipaddress =
'127.0.0.1', pool_key = '242', callingstationid =
'11:22:33:44:55:77', username = 'dexter', expiry_time = NOW() +
INTERVAL 604800 SECOND WHERE framedipaddress = '10.10.0.82' AND
expiry_time IS NULL
[sqlippool] Allocated IP 10.10.0.82 [780fe5bc]
[sqlippool] expand: COMMIT -> COMMIT
rlm_sql (sql): Released sql socket id: 0
[sqlippool] expand: Allocated IP: %{reply:Framed-IP-Address} from
%{control:Pool-Name} (did %{Called-Station-Id} cli
%{Calling-Station-Id} port %{NAS-Port} user %{User-Name}) -> Allocated
IP: 10.10.0.82 from main (did cli 11:22:33:44:55:77 port 242 user
dexter)
Allocated IP: 10.10.0.82 from main (did cli 11:22:33:44:55:77 port
242 user dexter)
++[sqlippool] returns ok
Sending Access-Accept of id 61 to 127.0.0.1 port 52468
Framed-Protocol := PPP
Service-Type := Framed-User
Framed-Compression := Van-Jacobson-TCP-IP
Framed-MTU := 1500
Framed-IP-Address = 10.10.0.82
Finished request 3.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
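Editor's note with an added example (not code from this thread and not FreeRADIUS code). The two messages above describe two different ways of tying a PPPoE login to a MAC: Angelo filters the rows returned by `authorize_check_query` on a `macaddress` column, while Adrian stores `Calling-Station-Id` as a radcheck row. The radcheck row in Adrian's table uses the `:=` operator, and in FreeRADIUS a check item with `:=` (or `=`, `+=`) is an assignment into the control list, never a comparison against the request; only `==` compares, which is consistent with the debug output showing an Access-Accept for the non-matching MAC. The Python below models both mechanisms side by side. The evaluator, the row tuples, the request dictionaries, the `optional` variant that also returns rows whose `macaddress` is NULL (what Adrian asked for, not what Angelo posted), and the upper-casing of both sides of the `==` comparison (mirroring Angelo's `UPPER()`; do not assume FreeRADIUS's own `==` does that) are all assumptions of the example.

```python
"""Model of FreeRADIUS radcheck evaluation for the MAC-binding question.

Added example, not FreeRADIUS code. Row data is constructed to mirror the
tables posted in the thread; the evaluator is a simplified re-implementation
of check-item semantics, not the server's.
"""
from typing import Dict, List, Optional, Tuple

# One radcheck row: (attribute, op, value, macaddress).
# `macaddress` is the extra column from Angelo's schema; None where the
# column is absent or NULL.
Row = Tuple[str, str, str, Optional[str]]

# Constructed to mirror Adrian's table: the MAC row uses ':=', an assignment.
RADCHECK_ADRIAN: List[Row] = [
    ("Cleartext-Password", ":=", "250896", None),
    ("Simultaneous-Use", ":=", "1", None),
    ("Pool-Name", ":=", "main", None),
    ("Calling-Station-Id", ":=", "11:22:33:44:55:66", None),
]

# Same rows, but the MAC row uses '==' so it is compared with the request.
RADCHECK_FIXED: List[Row] = [
    ("Cleartext-Password", ":=", "250896", None),
    ("Simultaneous-Use", ":=", "1", None),
    ("Pool-Name", ":=", "main", None),
    ("Calling-Station-Id", "==", "11:22:33:44:55:66", None),
]

# Constructed to mirror Angelo's schema: the MAC lives in a column.
RADCHECK_ANGELO: List[Row] = [
    ("Cleartext-Password", ":=", "prolinx", "78:44:76:07:f7:47"),
]

ASSIGN_OPS = {":=", "=", "+="}


def norm_mac(mac: str) -> str:
    """Case-fold a MAC the way Angelo's UPPER() does (an assumption here)."""
    return mac.upper()


def evaluate_check_items(rows: List[Row], request: Dict[str, str]):
    """Return (matched, control) for one user entry.

    Assignment operators copy the value into the control list without looking
    at the request. '==' compares the row value with the request attribute of
    the same name; a mismatch or a missing attribute fails the whole entry.
    """
    control: Dict[str, str] = {}
    for attr, op, value, _mac in rows:
        if op in ASSIGN_OPS:
            control[attr] = value
        elif op == "==":
            got = request.get(attr)
            if got is None:
                return False, {}
            if attr == "Calling-Station-Id":
                if norm_mac(got) != norm_mac(value):
                    return False, {}
            elif got != value:
                return False, {}
        else:
            raise ValueError(f"operator {op!r} not modelled")
    return True, control


def filter_rows_by_mac(rows: List[Row], calling_station_id: str,
                       optional: bool) -> List[Row]:
    """Model the WHERE clause of Angelo's authorize_check_query.

    optional=False is the query as posted: a row is returned only when
    UPPER(macaddress) = UPPER(Calling-Station-Id). optional=True is an
    assumed variant that also returns rows with a NULL macaddress, so only
    users who have a stored MAC are bound to one.
    """
    out = []
    for row in rows:
        mac = row[3]
        if mac is None:
            if optional:
                out.append(row)
        elif norm_mac(mac) == norm_mac(calling_station_id):
            out.append(row)
    return out


def authorize(rows: List[Row], request: Dict[str, str],
              optional_mac: bool = True):
    """Combine both mechanisms and fold in the PAP password check.

    Returns ("notfound", {}) when the SQL filter yields no rows (so no
    Cleartext-Password is known), ("reject", {}) when a '==' item or the
    password fails, or ("accept", control) otherwise.
    """
    rows = filter_rows_by_mac(rows, request.get("Calling-Station-Id", ""),
                              optional_mac)
    if not rows:
        return "notfound", {}
    ok, control = evaluate_check_items(rows, request)
    if not ok:
        return "reject", {}
    if control.get("Cleartext-Password") != request.get("User-Password"):
        return "reject", {}
    return "accept", control


# Constructed requests: Adrian's radclient test and a matching-MAC variant.
REQ_WRONG_MAC = {"User-Name": "dexter", "User-Password": "250896",
                 "Calling-Station-Id": "11:22:33:44:55:77"}
REQ_RIGHT_MAC = {"User-Name": "dexter", "User-Password": "250896",
                 "Calling-Station-Id": "11:22:33:44:55:66"}
REQ_JOAO = {"User-Name": "joao", "User-Password": "prolinx",
            "Calling-Station-Id": "78:44:76:07:F7:47"}

if __name__ == "__main__":
    print(authorize(RADCHECK_ADRIAN, REQ_WRONG_MAC)[0])   # accept, as on the list
    print(authorize(RADCHECK_FIXED, REQ_WRONG_MAC)[0])    # reject
    print(authorize(RADCHECK_ANGELO, REQ_JOAO, optional_mac=False)[0])  # accept
```

Running it reproduces the thread: with `:=` the wrong MAC is accepted; switching that one row to `==` rejects it; Angelo's column filter accepts joao regardless of MAC letter case and returns no rows at all for a foreign MAC, so the entry is not found and there is no password for PAP to check. Note that with `optional_mac=False` Angelo's query as posted also returns nothing for users whose `macaddress` is NULL, i.e. it binds everyone, whereas the `optional` variant leaves unbound users untouched.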