Radius and MYSQL
Alexandre Vilarinho
vilarinhomail-dev at yahoo.com.br
Tue Sep 8 18:18:03 CEST 2015
On Tuesday, 8 September 2015 12:24, Alan DeKok <aland at deployingradius.com> wrote:
On Sep 8, 2015, at 11:15 AM, Alexandre Vilarinho <vilarinhomail-dev at yahoo.com.br> wrote:
> I've read the documentation, but it is not clear to me.
> For example:
> in the Radacct database there is no configuration.
Because that table is populated by the server when it receives accounting packets.
> In the radcheck database I've added the following configuration:
> username - rafael
> attribute - Cleartext-Password
> op - :=
> value - teste
>
> I think that in this case I'm configuring a user and specifying the password, right?
Yes.
> In the radgroupcheck database I've added the following configuration:
> 1st row groupname - privilegio_15
> Attribute - Service-Type
> op - ==
> Value - Nas-Prompt-User
That's wrong. The "op" is the same field as "op" from radcheck. It should be "==" for comparisons.
The "value" should be set to NAS-Prompt-User. The "value" field has the same meaning as the value field for radcheck.
> 2nd row
> groupname - privilegio_15
> Attribute - Cisco_AVPair
> op - ==
> Value - shell:priv-lvl=15
You've made the same mistake here. See my previous comments.
And the "radgroupcheck" table has the same functionality as "radcheck". Only that it operates on groups, not users.
Are you SURE you want to check for "Service-Type == NAS-Prompt-User"? Or do you want to send this attribute in a reply?
Alex - I want to send this attribute as a reply. Since I want to send some information to the NAS, do I need to configure these parameters here?
> In the radgroupreply database there is no configuration
So... you don't want to REPLY to the NAS with any attributes?
Alex - I want to reply some user information to the NAS (Cisco router), so I have to add the following configuration lines to the radgroupreply database, right?
1st row
username - rafael
attribute - Service-Type
op - =
Value - NAS-Prompt-User
2nd row
username - rafael
attribute - Cisco-AVPair
op - =
Value - shell:priv-lvl=15
Should the value shell:priv-lvl=15 be configured between ""?
The users conf file has the following configuration, and it is sent to the Cisco router (NAS):
rafael Cleartext-Password := "teste"
	Service-type = NAS-Prompt-User,
	Cisco-AVPair = "shell:priv-lvl=15"
This information is sent to the NAS.
> in the radpostauth database there is no configuration
Because that table is populated by the server when it sends an Access-Accept.
> In the radreply database, 1st row
> username - rafael
> attribute - Fall-Through
> op - =
> Value - Yes
That looks good.
> In the radusergroup database
> username - rafael
> groupname - privilegio_15
> priority - 1
That looks good.
> In the radusergroup database there is no option to delete, edit or anything. Is this correct?
Yes. It just lists users, and the groups that user is a member of.
Alex - If I need to change a user's group, how can I do it if it's not possible to edit this database? Shouldn't it be editable?
> With this configuration added I tried to authenticate the RADIUS user.
> Follow the command and the reply:
> root at Radius-LDAP-Server:~# /etc/init.d/freeradius stop
>  * Stopping FreeRADIUS daemon freeradius
>  * /var/run/freeradius/freeradius.pid not found...   [ OK ]
> root at Radius-LDAP-Server:~# /etc/init.d/freeradius start
>  * Starting FreeRADIUS daemon freeradius   [ OK ]
<sigh> Formatting helps. Posting randomly formatted crap is annoying.
And run the server in debug mode as suggested in the FAQ, "man" page, web pages, and daily on this list. REALLY.
There is NO EXCUSE for failing to run the server in debugging mode.
> root at Radius-LDAP-Server:~# radtest rafael teste localhost 1812 testing123
> Sending Access-Request of id 190 to 127.0.0.1 port 1812
> 	User-Name = "rafael"
> 	User-Password = "teste"
> 	NAS-IP-Address = 127.0.1.1
> 	NAS-Port = 1812
> 	Message-Authenticator = 0x00000000000000000000000000000000
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=190, length=20
> root at Radius-LDAP-Server:~#
> The authentication failed. I presume there is something wrong with my configuration.
> Can you help me and explain what I'm doing wrong?
Fix your SQL tables, and *RUN THE SERVER IN DEBUGGING MODE*.
Alex - I used the following commands to start freeradius in debugging mode:
/etc/init.d/freeradius stop
freeradius -X
At the end it showed the following lines:
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radius at localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Read entry nasname=192.168.10.1,shortname=R1,secret=network
rlm_sql (sql): Adding client 192.168.10.1 (R1, server=<none>) to clients list
WARNING: Ignoring duplicate client 192.168.10.1
rlm_sql (sql): Released sql socket id: 4
 Module: Checking accounting {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 0
Failed binding to authentication address * port 1812: Address already in use
/etc/freeradius/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812
root at Radius-LDAP-Server:~# radtest rafael teste localhost 1812 testing123
Sending Access-Request of id 158 to 127.0.0.1 port 1812
	User-Name = "rafael"
	User-Password = "teste"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 1812
	Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=158, length=20
Regards
Alex
Alan DeKok.
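As an added example (not from the thread, and not code from the FreeRADIUS project), here are the SQL rows that express the users-file entry quoted above in the standard FreeRADIUS MySQL schema (radcheck, radreply, radusergroup, radgroupreply): the password check goes in radcheck with ":=", the attributes to send back to the NAS go in radgroupreply with "=" and no quotes around the value, and radgroupcheck stays empty because nothing is being compared. The final SELECT is an assumption of mine modelled on the shape of the default group reply query, to confirm what the server would add to the Access-Accept for rafael.

```sql
-- Check item: ':=' sets the password the server will compare against
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('rafael', 'Cleartext-Password', ':=', 'teste');

-- Per-user reply item, as in the radreply row shown in the thread
INSERT INTO radreply (username, attribute, op, value)
VALUES ('rafael', 'Fall-Through', '=', 'Yes');

-- Group membership: priority orders the groups if a user is in several
INSERT INTO radusergroup (username, groupname, priority)
VALUES ('rafael', 'privilegio_15', 1);

-- Reply items for the group. These are SENT to the NAS, so they belong
-- in radgroupreply with op '=', not in radgroupcheck with '=='.
-- The value column holds the bare string: the double quotes in the
-- users file are users-file syntax, not part of the value.
INSERT INTO radgroupreply (groupname, attribute, op, value)
VALUES ('privilegio_15', 'Service-Type', '=', 'NAS-Prompt-User'),
       ('privilegio_15', 'Cisco-AVPair', '=', 'shell:priv-lvl=15');

-- Sanity check (assumed query, modelled on the default group reply
-- query): the reply attributes rafael's groups would contribute.
SELECT g.groupname, g.attribute, g.op, g.value
FROM radgroupreply g
JOIN radusergroup u ON u.groupname = g.groupname
WHERE u.username = 'rafael'
ORDER BY u.priority, g.id;
```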
More information about the Freeradius-Users mailing list