User-Name Modification Assistance

Jeremy Lundquist pmudan01 at gmail.com
Fri May 11 22:26:02 CEST 2018


So I've gotten further with the investigation, but I'm still experiencing one
last issue.

This username/password works - 107b44c186e0/10-7b-44-c1-86-e0
This username/password fails - 107b44c186e0/107b44c186e0, and it's because
this password is also used as the MD5 Password in the request. So I'm
trying to see how I can use the first combination and have it pass.

It seems, per the DEBUG snippet below, that the issue is that the mysql query
returns the Cleartext-Password right before the failing EAP section, thus I
believe if I can override the returned value of the mysql query and return
it with dashes it should work. But therein lies my issue: where can I do
that without modifying the raw SQL queries?

The following will update the query return values:

        update control {
            Cleartext-Password := "%{sql:SELECT concat(left(value,2), \"-\", substring(value,3,2), \"-\", substring(value,5,2), \"-\", substring(value,7,2), \"-\", substring(value,9,2), \"-\", right(value,2)) FROM radcheck WHERE username='%{Stripped-User-Name}'}"
        }

But I don't know where to put it in order to override that below.
I cannot modify the raw SQL queries as I have other NASes that work fine and
cannot modify the SQL queries that work for them. Thus this will be an
unlang fix that is ultimately tied to a specific Called-Station-Id.

Any hints on where I could do this would be much appreciated.

Thxs
Jeremy

.
.
.
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "107b44c186e0", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 2 length 39
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
(1) sql:    --> 107b44c186e0
(1) sql: SQL-User-Name set to '107b44c186e0'
rlm_sql (sql): Reserved connection (3)
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql:    --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '107b44c186e0' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '107b44c186e0' ORDER BY id
(1) sql: User found in radcheck table
(1) sql: Conditional check items matched, merging assignment check items
(1) sql:   Cleartext-Password := "107b44c186e0"
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql:    --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = '107b44c186e0' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = '107b44c186e0' ORDER BY id
(1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(1) sql:    --> SELECT groupname FROM radusergroup WHERE username =
'107b44c186e0' ORDER BY priority
(1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
username = '107b44c186e0' ORDER BY priority
(1) sql: User found in the group table
(1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(1) sql:    --> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'saili_mdu_snjs_133_current' ORDER BY id
(1) sql: Executing select query: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'saili_mdu_snjs_133_current' ORDER BY
id
(1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(1) sql:    --> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'saili_mdu_tower2_current' ORDER BY id
(1) sql: Executing select query: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'saili_mdu_tower2_current' ORDER BY id
(1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(1) sql:    --> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'saili_mdu_tower3_current' ORDER BY id
(1) sql: Executing select query: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'saili_mdu_tower3_current' ORDER BY id
(1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(1) sql:    --> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'saili_mdu_tower1_current' ORDER BY id
(1) sql: Executing select query: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'saili_mdu_tower1_current' ORDER BY id
(1) sql: Group "saili_mdu_tower1_current": Conditional check items matched
(1) sql: Group "saili_mdu_tower1_current": Merging assignment check items
(1) sql: EXPAND SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(1) sql:    --> SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = 'saili_mdu_tower1_current' ORDER BY id
(1) sql: Executing select query: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = 'saili_mdu_tower1_current' ORDER BY id
(1) sql: Group "saili_mdu_tower1_current": Merging reply items
(1) sql:   Tunnel-Type := VLAN
(1) sql:   Tunnel-Medium-Type := IEEE-802
(1) sql:   Tunnel-Private-Group-Id := "90"
rlm_sql (sql): Released connection (3)
(1)     [sql] = ok
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: WARNING: Auth-Type already set.  Not setting to PAP
(1)     [pap] = noop
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x839da8a8839facfd
(1) eap: Finished EAP session with state 0x839da8a8839facfd
(1) eap: Previous EAP request found for state 0x839da8a8839facfd, released
from the list
(1) eap: Peer sent packet with method EAP MD5 (4)
(1) eap: Calling submodule eap_md5 to process data
(1) eap: Sending EAP Failure (code 4) ID 2 length 4
(1) eap: Freeing handler
(1)     [eap] = reject
(1)   } # authenticate = reject
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)   Post-Auth-Type REJECT {
(1) sql: EXPAND .query
.
.
.


On Fri, May 11, 2018 at 11:43 AM, Jeremy Lundquist <pmudan01 at gmail.com>
wrote:

> So I figured it out. The value of User-Name (MAC) in the Access-Request is
> also used as the EAP password (determined through trial-and-error testing).
> So, going back to my original reason for doing this work, I'd like to be
> able to have the username/password in my DB be the MAC of the new HW,
> without dashes. Currently I have the following working - the username (MAC)
> without dashes, but the password (MAC) still with dashes, as the EAP
> password is this value also. Thus I'm wondering, as the NAS passes over the
> EAP password with dashes, is there a way I can store the password in my
> RADIUS DB without dashes, but when EAP needs to query it for the hash
> comparison, have it insert the dashes before using it?
>
> It goes without saying that I'm also trying to work with the vendor to
> implement things differently on their end, but I need to get this working
> now as we are using them in the network.
>
> Thxs
> Jeremy
>
>
>
> On Fri, May 11, 2018 at 10:53 AM, Jeremy Lundquist <pmudan01 at gmail.com>
> wrote:
>
>> So by "you need to add to your SQL DB the value that the NAS is sending
>> in its EAP-MD5 auth request", I'll need to contact the NAS vendor and get
>> the value, as I believe in the auth request it's a hash value, correct?
>>
>> Jeremy
>>
>>
>> On Fri, May 11, 2018 at 10:36 AM, Alan Buxey <alan.buxey at gmail.com>
>> wrote:
>>
>>> There IS a password... it's not a plain PAP User-Password though - it's in
>>> that EAP-Message that you can see.
>>> So, you need to add to your SQL DB the value that the NAS is sending in
>>> its EAP-MD5 auth request.
>>>
>>> You cannot just Access-Accept an EAP request, there needs to be a full,
>>> correct response.
>>>
>>> alan
>>>
>>> On 11 May 2018 at 18:22, Jeremy Lundquist <pmudan01 at gmail.com> wrote:
>>>
>>> > Here is the username/password from the mysql DB - note no password (blank).
>>> >
>>> > MariaDB [radiusdb]> select * from radcheck where username='107b44c186e0';
>>> > +------+--------------+--------------------+----+-------+
>>> > | id   | username     | attribute          | op | value |
>>> > +------+--------------+--------------------+----+-------+
>>> > | 2308 | 107b44c186e0 | Cleartext-Password | := |       |
>>> > +------+--------------+--------------------+----+-------+
>>> > 1 row in set (0.00 sec)
>>> >
>>> >
>>> > So when I tested using radclient (sending just username, no password)
>>> > without adding the following to my authorize section in
>>> > sites-enabled/default, it failed (which I believe is expected?).
>>> >                 update control {
>>> >                         Auth-Type := Accept
>>> >                 }
>>> >
>>> > Debug snippet:
>>> > .
>>> > .
>>> > rlm_sql (sql): Released connection (2)
>>> > (0)     [sql] = ok
>>> > (0)     [expiration] = noop
>>> > (0)     [logintime] = noop
>>> > (0) pap: No User-Password attribute in the request.  Cannot do PAP
>>> > (0)     [pap] = noop
>>> > (0)   } # authorize = updated
>>> > (0) WARNING: Please update your configuration, and remove 'Auth-Type =
>>> > Local'
>>> > (0) WARNING: Use the PAP or CHAP modules instead
>>> > (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
>>> > Reject
>>> > (0) Failed to authenticate the user
>>> > (0) Using Post-Auth-Type Reject
>>> > (0) # Executing group from file /etc/raddb/sites-enabled/default
>>> > (0)   Post-Auth-Type REJECT {
>>> > (0) sql: EXPAND .query
>>> > .
>>> > .
>>> >
>>> > NOTE - I verified in my configs, I have not set "Auth-Type = Local"
>>> > anywhere.
>>> >
>>> > But when I added it, it passed (again, expected per one of your
>>> > instructions in previous email).
>>> >
>>> > Debug snippet:
>>> > .
>>> > .
>>> > (0)     [sql] = ok
>>> > (0)     [expiration] = noop
>>> > (0)     [logintime] = noop
>>> > (0) pap: WARNING: Auth-Type already set.  Not setting to PAP
>>> > (0)     [pap] = noop
>>> > (0)   } # authorize = updated
>>> > (0) Found Auth-Type = Accept
>>> > (0) Auth-Type = Accept, accepting the user
>>> > (0) # Executing section post-auth from file /etc/raddb/sites-enabled/
>>> > default
>>> > (0)   post-auth {
>>> > (0)     update {
>>> > (0)       No attributes updated
>>> > (0)     } # update = noop
>>> > .
>>> > .
>>> >
>>> > So going back to my using the test HW, you are saying even without a
>>> > password it should work as long as what's in the DB and what's passed via
>>> > the HW is the same. But there is no password passed in the Access-Request
>>> > and there is none in the DB, thus it should work, but it's not? That's where
>>> > I'm getting hung up. I'd expect it to work as both are the same (nothing),
>>> > but it's not, unless I'm not understanding properly what you are saying.
>>> >
>>> > Jeremy
>>> >
>>> >
>>> > On Fri, May 11, 2018 at 9:07 AM, Alan DeKok <aland at deployingradius.com> wrote:
>>> >
>>> > > On May 11, 2018, at 12:02 PM, Jeremy Lundquist <pmudan01 at gmail.com> wrote:
>>> > > >
>>> > > > Let me add an updated Debug output to be thorough:
>>> > >
>>> > >   Reading it, and my messages, would help.
>>> > >
>>> > >   The reason there's no User-Password in the request is because the NAS is doing EAP.
>>> > >
>>> > >   As I said before, it's doing EAP-MD5.  And EAP-MD5 is failing because the password is wrong.
>>> > >
>>> > >   Stop trying to create a User-Password.  It's not necessary.  Test PAP with radclient.  It should work.
>>> > >
>>> > >   EAP-MD5 is basically CHAP.  So if the user enters the same password as what's in the DB, it *will* work.
>>> > >
>>> > >   The only reason it won't work is that the passwords *are not the same*.
>>> > >
>>> > >   Alan DeKok.
>>> > >
>>> > >
>>> > > -
>>> > > List info/subscribe/unsubscribe? See http://www.freeradius.org/
>>> > > list/users.html
>>> > >
>>>
>>
>>
>
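Added illustration, not code from the thread or from FreeRADIUS, of why the undashed stored password fails: EAP-MD5 reuses the CHAP hash, so the server can only verify the NAS response if its stored Cleartext-Password is byte-for-byte the secret the NAS hashed. The challenge and identifier are constructed; the MAC and the dash-insertion transform are the ones from the thread, and the packet layout follows RFC 3748.

```python
import hashlib
import hmac
import struct

EAP_RESPONSE = 2   # EAP Code for a Response (RFC 3748)
EAP_TYPE_MD5 = 4   # EAP Type MD5-Challenge, the "EAP MD5 (4)" in the debug output

def dashed_mac(mac: str) -> str:
    """Same transform as the SQL concat() in the thread: '107b44c186e0' -> '10-7b-44-c1-86-e0'."""
    if len(mac) != 12:
        raise ValueError("expected a 12-character MAC without separators")
    return "-".join(mac[i:i + 2] for i in range(0, 12, 2))

def md5_challenge_hash(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP computation reused by EAP-MD5: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

def build_eap_md5_response(identifier: int, secret: str, challenge: bytes, name: str) -> bytes:
    """EAP-Response/MD5-Challenge: Code, Identifier, Length, Type, Value-Size, Value, Name."""
    value = md5_challenge_hash(identifier, secret, challenge)
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name.encode()
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(body)) + body

def verify_eap_md5_response(packet: bytes, stored_secret: str, challenge: bytes) -> bool:
    """Server side: recompute the hash from the stored secret and compare in constant time."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != EAP_RESPONSE or length != len(packet) or packet[4] != EAP_TYPE_MD5:
        return False
    received = packet[6:6 + packet[5]]
    expected = md5_challenge_hash(identifier, stored_secret, challenge)
    return hmac.compare_digest(received, expected)

# Constructed sample values: the challenge and identifier are made up; the MAC is the thread's.
MAC = "107b44c186e0"
CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
IDENTIFIER = 2

# The NAS in the thread hashes the dashed form of the MAC as its EAP-MD5 secret.
NAS_PACKET = build_eap_md5_response(IDENTIFIER, dashed_mac(MAC), CHALLENGE, dashed_mac(MAC))

def check_stored_forms() -> dict:
    # Only the stored password that matches what the NAS hashed verifies.
    return {
        "stored_without_dashes": verify_eap_md5_response(NAS_PACKET, MAC, CHALLENGE),
        "stored_with_dashes": verify_eap_md5_response(NAS_PACKET, dashed_mac(MAC), CHALLENGE),
        "packet_length": len(NAS_PACKET),  # 4 + 1 + 1 + 16 + 17 = 39
    }
```

With the dashed MAC as the Name field the packet comes to 39 bytes, the same as the "length 39" in the debug output above, which is a consistency check only, not proof of what the NAS puts in that field.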

