question about mac auth, vlans and mysql queries.

Nazzareno Taborgna nazzareno.taborgna at lngs.infn.it
Wed Nov 18 12:06:35 CET 2015


> Hi,
>     I have a LAN with several switches ( mostly hp procurve and 
> a-series ) and a freeradius server which  is performing mac 
> authentication. In case of successfully authentication, the freeradius 
> send back to the switch the VLAN to set on the switch port and this 
> works fine.
>
> My problem is:
> I would like to propagate to the switches all VLANs because there are 
> other things (i.e.: stp protocol configuration) that became easier to 
> manage, but I want that on a given switch some VLANs are not available.
>
> Unluckily, it seems that it is not possible to configure this 
> behaviour on the switch.
> If the unwanted VLAN is propagated from the uplink to the switch and 
> the radius tell that the VLAN should be that, the switch sets up the 
> unwanted VLAN on the port.
>
> So I performed a try on my:  FreeRADIUS Version 2.2.5, for host 
> x86_64-pc-linux-gnu (debian 8).
> Since it uses a local mysql database, I tried to modify:
>
> /etc/freeradius/sql/mysql/dialup.conf
>
> by changing authorize_check_query from:
>
>     authorize_check_query = "SELECT id, username, attribute, value, op \
>           FROM ${authcheck_table} \
>           WHERE username = '%{SQL-User-Name}'  \
>           ORDER BY id"
>
> to
>
> #       authorize_check_query = "SELECT radcheck.id, radcheck.username, \
> #    radcheck.attribute, radcheck.value, radcheck.op, \
> #    radusergroup.groupname,radgroupreply.value, ptrnas, nasname \
> #     FROM ${authcheck_table}  LEFT JOIN radusergroup ON 
> radcheck.username=radusergroup.username \
> #        LEFT JOIN radgroupreply on 
> radusergroup.groupname=radgroupreply.groupname \
> #             LEFT JOIN nasvlan  on radgroupreply.value=vlan \
> #             LEFT JOIN nas on nasvlan.ptrnas=nas.id         \
> #               WHERE radcheck.username='%{SQL-User-Name}'   \
> #                   AND 
> radgroupreply.attribute='Tunnel-Private-Group-ID' \
> #                           AND nasname = '%{NAS-IP-Address}' ORDER BY 
> radcheck.id"
>
> that now is commented out because the server deads for "unterminated 
> string", perhaps because the query is too big to fit inside 
> authorize_check_query.
> In the fields I had to put the table name to fix the fieldnames 
> ambiguities. After radcheck.op,  there are some other fields and I 
> don't know if this could cause other kind of problems.
> This query uses only the nasvlan additional table and works fine when 
> given at the interactive mysql command prompt:
>
> root at radiuslan4:~/import# more test.sql
> SELECT radcheck.id, radcheck.username, radcheck.attribute, 
> radcheck.value, radcheck.op, radusergroup.groupname,
>       radgroupreply.value, ptrnas, nasname   \
>           FROM radcheck  LEFT JOIN radusergroup ON 
> radcheck.username=radusergroup.username \
>                      LEFT JOIN radgroupreply on 
> radusergroup.groupname=radgroupreply.groupname \
>              LEFT JOIN nasvlan  on radgroupreply.value=vlan \
>              LEFT JOIN nas on nasvlan.ptrnas=nas.id         \
>                  WHERE radcheck.username='00d059cf752c' AND 
> radgroupreply.attribute='Tunnel-Private-Group-ID' \
>                       AND nasname='172.17.1.87';
>
> root at radiuslan4:~/import# mysql -u root -p radius < ./test.sql
> Enter password:
> id    username    attribute    value    op    groupname    value 
> ptrnas    nasname
> 11021    00d059cf752c    Cleartext-Password    00d059cf752c    := 
> mac-addr-008    8    71    172.17.1.87
>
> My questions are:
>
> Is there in freeradius an easier way to get the desired result? or, 
> should be possible in a next release to allow a larger
> authorize_check_query? 
Just by shortening the above query:

     authorize_check_query = "SELECT radcheck.id, radcheck.username, 
radcheck.attribute, radcheck.value, radcheck.op, \
     radusergroup.groupname,radgroupreply.value, ptrnas, nasname FROM 
${authcheck_table}  LEFT JOIN radusergroup ON 
radcheck.username=radusergroup.username LEFT JOIN radgroupreply on 
radusergroup.groupname=radgroupreply.groupname \
              LEFT JOIN nasvlan  on radgroupreply.value=vlan LEFT JOIN 
nas on nasvlan.ptrnas=nas.id         \
                WHERE radcheck.username='%{SQL-User-Name}' AND 
radgroupreply.attribute='Tunnel-Private-Group-ID' \
                            AND nasname = '%{NAS-IP-Address}' ORDER BY 
radcheck.id"

there are less backslashes breaking the string to the next line, now I 
got the freeradius working.

However,  I have a shorter query  by using the table aliases that works 
at the mysql command prompt:

root at radiuslan4:~/import# more ./test2.sql
SELECT r.id, r.username, r.attribute, r.value, r.op, rg.groupname,
           ry.value, ptrnas, nasname   \
           FROM radcheck r    LEFT JOIN radusergroup rg ON 
r.username=rg.username \
                          LEFT JOIN radgroupreply ry on 
rg.groupname=ry.groupname \
                          LEFT JOIN nasvlan  on ry.value=vlan \
                          LEFT JOIN nas on nasvlan.ptrnas=nas.id         \
                                 WHERE r.username='00d059cf752c' AND 
ry.attribute='Tunnel-Private-Group-ID' \
                                       AND nasname='172.17.1.87';

root at radiuslan4:~/import# mysql -u root -p radius < ./test2.sql
Enter password:
id    username    attribute    value    op    groupname    value 
ptrnas    nasname
11021    00d059cf752c    Cleartext-Password    00d059cf752c    := 
mac-addr-011    11    71    172.17.1.87

but when it is in the file dialup.conf:

#   authorize_check_query = "SELECT r.id, r.username, r.attribute, 
r.value, r.op, rg.groupname, ry.value, ptrnas, nasname   \
         FROM  radcheck r  LEFT JOIN radusergroup rg ON 
r.username=rg.username \
                 LEFT JOIN radgroupreply ry on rg.groupname=ry.groupname \
                 LEFT JOIN nasvlan  on ry.value=vlan \
                 LEFT JOIN nas on nasvlan.ptrnas=nas.id         \
                 WHERE r.username='%{NAS-IP-Address}' AND 
ry.attribute='Tunnel-Private-Group-ID' \
                                       AND nasname='%{NAS-IP-Address}' 
ORDER BY radcheck.id "
#
the freeradius deads:
/usr/sbin/freeradius -X
...
including configuration file /etc/freeradius/sql/mysql/dialup.conf
/etc/freeradius/sql/mysql/dialup.conf[130]: Expecting section start 
brace '{' after "FROM radcheck"
Errors reading or parsing /etc/freeradius/radiusd.conf

It seems that from the freeradius parser point of view, the above 
working sql is not good. Why?


More information about the Freeradius-Users mailing list