Accept all Auth requests while replying individual parameters
Alan DeKok
aland at deployingradius.com
Sat Feb 20 19:33:04 CET 2016
On Feb 20, 2016, at 9:19 AM, Pavel Uhliar <pavel.uhliar at gmail.com> wrote:
> I am trying to modify existing FreeRADIUS setup (version 2.1.12) to accept
> all Auth requests, while responding to them with individual parameters
> (Framed-IP-Address and Framed-Route) based on Calling-Station-Id.
You should really upgrade.
> I am in a running environment, where until now login requests are
> authorized by User-Name/Password based on radcheck table and individual
> parameters are sent based on the User-Name from radreply table and combined
> with group parameters from radgroupreply table (all MySQL). Users are
> paired to groups by individual entries in usergroup table
OK...
> I would like to keep intact as much of the structure as possible, I just
> need to stop verifying User-Name/Password (because now whoever is able to
> access physical infrastructure is authorized to use it) and change the
> individual responses to be based on Calling-Station-Id instead of User-Name.
So put Calling-Station-Id into the "name" field in SQL, and update the SQL queries to use Calling-Station-Id instead of the User-Name
> First I thought the solution will be quite simple:
> 1) I change the SQL query selecting from radreply table to be based on
> Calling-Station-Id
Yes.
> 2) I add "DEFAULT Auth-Type := Accept" and "Fall-Through=Yes" in
> /etc/raddb/users file
Yes.
> Step 1 is OK, no problem (change in /etc/raddb/sql/mysql/dialup.conf)
>
> Problem is in Step 2. It does authorize all requests as expected (even
> those not matching User-Name/Password records in radcheck table), but when
> the User-Name/Password in request does not match User-Name/Password in
> radcheck, RADIUS skips querying the radreply table for additional
> parameters.
For one, you should NOT be putting User-Password into the radcheck table. It's been wrong for 10 years. We've recommended Cleartext-Password.
Two, if you're going to use Calling-Station-Id, then use it for *both* radcheck and radgroupicheck.
> This results in Auth response containing only parameters
> from radgroupreply table, but none from radreply. Requests containing
> User-Name/Password matching to those in radcheck get full responses
> (with radgroupreply and radreply)
Then use Calling-Station-Id everywhere.
>
> WARNING: Found User-Password == "...".
> WARNING: Are you sure you don't mean Cleartext-Password?
> WARNING: See "man rlm_pap" for more information.
That's a big hint.
> I was trying to find some solution, did try "query_on_not_found"
> configuration directive, did play with "Fall-Through", but nothing seems to
> work. I was not able to force RADIUS to do the radreply query for
> not-matched credentials.
You don't. If the radcheck doesn't match, then radreply isn't used. This is how the SQL module works.
> As other ways to solve the problem, I was trying to use policy to
> rewrite User-Name/Password in request to
> a Calling-Station-Id/<universal-password> to have all request authorized
> under my control, but this is not feasible as devices do not use only PAP,
> but also CHAP and MSCHAP, and password rewriting does not work for
> CHAP/MSCHAP requests.
Which is why you need to use Cleartext-Password in the database. So it can match for CHAP requests, when the packet doesn't contain User-Password.
The error message recommends reading "man rlm_pap". This all is explained there.
Alan DeKok.
More information about the Freeradius-Users
mailing list