Accounting in MySQL - Password

P K getpkme at gmail.com
Mon Jan 13 13:25:24 CET 2014


Thanks Alan & Alan. That change seemed to work. I did some testing
today with the accounting on sql. Please could you explain this so
that I can understand the logging better?

My clients use TTLS/PAP and PEAP/MSCHAP.


+----+-----------------------+----------+---------------+---------------------+
| id | username              | pass     | reply         | authdate            |
+----+-----------------------+----------+---------------+---------------------+
| 15 | basil                 | _hidden_ | Access-Reject | 2014-01-13 10:57:20 |
| 18 | basil                 | _hidden_ | Access-Accept | 2014-01-13 11:13:58 |
| 19 | anonymous             | _hidden_ | Access-Accept | 2014-01-13 11:13:58 |
| 20 | basil                 | _hidden_ | Access-Accept | 2014-01-13 11:15:11 |
| 21 | basil                 | _hidden_ | Access-Accept | 2014-01-13 11:15:11 |
| 25 | anonymous             | _hidden_ | Access-Reject | 2014-01-13 11:22:52 |
| 27 | basil at moo.com      | _hidden_ | Access-Reject | 2014-01-13 11:51:03 |
| 28 | basil                 | _hidden_ | Access-Accept | 2014-01-13 11:55:28 |
| 29 | basil at moo.com      | _hidden_ | Access-Accept | 2014-01-13 11:55:28 |
+----+-----------------------+----------+---------------+---------------------+


15    - PEAP/MSCHAP (Invalid credentials)
18/19 - TTLS/PAP (Valid credentials with privacy on)
20/21 - TTLS/PAP (Valid credentials with privacy off)
25    - TTLS/PAP (Invalid credentials with privacy on)
27    - TTLS/PAP (Invalid credentials with privacy on and basil at moo.com as anonymous user)
28/29 - TTLS/PAP (Valid credentials with privacy on and basil at moo.com as anonymous user and basil as actual user)

Will "accept" always result in two entries? Is there anything I can do
to stop clients from using anonymous or changing anonymous id to
anything else like basil at moo.com in the test above? Is there anything
I can do to log the actual user that was rejected as in the case of
(25)?

Thanks.



On 10 January 2014 19:42,  <A.L.M.Buxey at lboro.ac.uk> wrote:
> Hi,
>
>> This may be a simple question but I was not able to find a setting for
>> this. Basically, I'm using freeradius with LDAP for my user base and
>> MySQL for accounting. I've loaded schema on MySQL, configured
>> freeradius and my two tables get populated properly (radacct and
>> radpostauth).
>
> the default config has this in the dialup.conf file (the configuration that
> mysql module uses)
>
>         postauth_query = "INSERT INTO ${postauth_table} \
>                           (username, pass, reply, authdate) \
>                           VALUES ( \
>                           '%{User-Name}', \
>                           '%{%{User-Password}:-%{Chap-Password}}', \
>                           '%{reply:Packet-Type}', '%S')"
>
> edit that appropriately - eg change it to
>
>         postauth_query = "INSERT INTO ${postauth_table} \
>                           (username, pass, reply, authdate) \
>                           VALUES ( \
>                           '%{User-Name}', \
>                           'PASSWORD', \
>                           '%{reply:Packet-Type}', '%S')"
>
> it's what I did years ago before putting the service into production....we moved to postgresql
> in the end for production - so made same change for the postgresql config.
>
> alan
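Rows written to radpostauth before the postauth_query edit quoted above still hold whatever '%{%{User-Password}:-%{Chap-Password}}' expanded to, including mistyped passwords on Access-Reject rows. The following is an added example, not part of the original thread or of FreeRADIUS: it counts and overwrites those leftovers. It assumes an in-memory SQLite stand-in for the MySQL table, constructed sample rows, and hypothetical helper names (make_sample_db, audit, scrub).

```python
import sqlite3

PLACEHOLDER = "PASSWORD"  # the literal used in the edited postauth_query above


def make_sample_db():
    """In-memory stand-in for radpostauth with constructed rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radpostauth (id INTEGER PRIMARY KEY, username TEXT,"
        " pass TEXT, reply TEXT, authdate TEXT)"
    )
    rows = [
        # Logged before the change: real and mistyped passwords in clear text.
        ("basil", "constructed-secret", "Access-Accept", "2014-01-10 09:00:01"),
        ("basil", "constructed-secrte", "Access-Reject", "2014-01-10 09:00:40"),
        # Row with no password attribute logged: empty string.
        ("anonymous", "", "Access-Accept", "2014-01-10 09:00:01"),
        # Logged after the change: already the placeholder.
        ("basil", PLACEHOLDER, "Access-Accept", "2014-01-13 11:13:58"),
    ]
    conn.executemany(
        "INSERT INTO radpostauth (username, pass, reply, authdate)"
        " VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def audit(conn, placeholder=PLACEHOLDER):
    """Count rows per reply type whose pass column still holds a real value."""
    cur = conn.execute(
        "SELECT reply, COUNT(*) FROM radpostauth"
        " WHERE pass IS NOT NULL AND pass <> '' AND pass <> ?"
        " GROUP BY reply ORDER BY reply", (placeholder,))
    return dict(cur.fetchall())


def scrub(conn, placeholder=PLACEHOLDER):
    """Overwrite leftover values in one transaction; return rows changed."""
    with conn:
        cur = conn.execute(
            "UPDATE radpostauth SET pass = ?"
            " WHERE pass IS NOT NULL AND pass <> '' AND pass <> ?",
            (placeholder, placeholder))
    return cur.rowcount


if __name__ == "__main__":
    db = make_sample_db()
    print("before:", audit(db), "scrubbed:", scrub(db), "after:", audit(db))
```

The WHERE clause is plain SQL and carries over to MySQL unchanged; backups and replicas taken before the scrub still contain the old values.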

