Multiple Password Auth

Miguel Barrera miguel.barrera at datawifi.co
Thu Jun 18 21:45:20 CEST 2020


Hi,

We have a captive portal integrated with freeradius for auth and
accounting, and I have a question: how can I handle multiple passwords (PAP
ClearText Password) with a single user? For auth, we use the sql module, so
the passwords are stored in a MySQL database.

There are some scenarios where we need to store two or three passwords for
the same user. Here is the log for one of these passwords and the radcheck
table registers of this user.

Ready to process requests
(8) Received Access-Request Id 4 from 186.154.58.197:41224 to
172.31.51.38:1812 length 345
(8)   User-Name = "a450460f6823"
(8)   User-Password = "a450460f6823"
(8)   Service-Type = Call-Check
(8)   NAS-IP-Address = 192.168.0.10
(8)   NAS-Identifier = "data-col-wifi"
(8)   Called-Station-Id = "dc085609e6d0:data-col-wifi1"
(8)   NAS-Port-Type = Wireless-802.11
(8)   NAS-Port = 4
(8)   NAS-Port-Id = "wifi-5G"
(8)   Calling-Station-Id = "a450460f6823"
(8)   Acct-Session-Id = "192.168.0.10_18/06/2020_11:49:11_a450460f6823"
(8)   Acct-Multi-Session-Id =
"192.168.0.10_18/06/2020_11:49:11_a450460f6823"
(8)   Framed-MTU = 1400
(8)   Xylan-Port-Desc = "data-col-wifi"
(8)   Xylan-Device-Name = "AP-Datawifi"
(8)   Xylan-Device-Location = "2c:fa:a2:99:d2:10"
(8)   Attr-26.800.154 = 0x41502d4441544157494649
(8)   Message-Authenticator = 0xc6c8ec4fc33b39e6f65e27b3f4a13605
(8) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(8)   authorize {
(8)     [chap] = noop
(8) sql: EXPAND %{User-Name}
(8) sql:    --> a450460f6823
(8) sql: SQL-User-Name set to 'a450460f6823'
rlm_sql (sql): Reserved connection (6)
(8) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(8) sql:    --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'a450460f6823' ORDER BY id
(8) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'a450460f6823' ORDER BY id
(8) sql: User found in radcheck table
(8) sql: WARNING: check items do not match.
rlm_sql (sql): Reserved connection (9)
rlm_sql (sql): Released connection (9)
Need 3 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (12), 1 of 24 pending slots
used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on
dbdatawifi.cluster-cvxa7jznn96c.us-east-1.rds.amazonaws.com via TCP/IP,
server version 5.7.12, protocol version 10
(8) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(8) sql:    --> SELECT groupname FROM radusergroup WHERE username =
'a450460f6823' ORDER BY priority
(8) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
username = 'a450460f6823' ORDER BY priority
(8) sql: User found in the group table
(8) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(8) sql:    --> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'google at monetizacion' ORDER BY id
(8) sql: Executing select query: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'google at monetizacion' ORDER BY id
(8) sql: Group "google at monetizacion": Conditional check items matched
(8) sql: Group "google at monetizacion": Merging assignment check items
(8) sql: EXPAND SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(8) sql:    --> SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = 'google at monetizacion' ORDER BY id
(8) sql: Executing select query: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = 'google at monetizacion' ORDER BY id
(8) sql: Group "google at monetizacion": Merging reply items
(8) sql:   Ruckus-Location = "https://www.google.com/"
(8) sql:   Session-Timeout = 600
(8) sql:   WISPr-Bandwidth-Max-Down = 3500000
(8) sql:   WISPr-Bandwidth-Max-Up = 3500000
(8) sql:   Maximum-Data-Rate-Downstream = 3500000
(8) sql:   Maximum-Data-Rate-Upstream = 3500000
rlm_sql (sql): Released connection (6)
(8)     [sql] = ok
(8)     [files] = noop
(8) pap: WARNING: No "known good" password found for the user.  Not setting
Auth-Type
(8) pap: WARNING: Authentication will fail unless a "known good" password
is available
(8)     [pap] = noop
(8)   } # authorize = ok
(8) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
(8) Failed to authenticate the user
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8)   REJECT { ... } # empty sub-section is ignored
(8) Login incorrect (No Auth-Type found: rejecting the user via
Post-Auth-Type = Reject): [a450460f6823/a450460f6823] (from client
private-network-1 port 4 cli a450460f6823)
(8) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.

[image: image.png]

Hope to hear from you soon, thank you very much.

Thanks, I look forward to your reply.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 27804 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20200618/0fa96394/attachment-0001.png>
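
The debug output in the message above can be reduced to its decision points. The following is an added example, not part of the original post or of FreeRADIUS: it groups `radiusd -X` lines by request number and collects module return codes, module warnings and ERROR lines in the order they were logged. The sample input is an excerpt of the log above with wrapped lines rejoined; the function names `triage` and `explain` are hypothetical.

```python
import re

# Excerpt of the debug output from the post, wrapped lines rejoined.
SAMPLE_LOG = """\
(8)   authorize {
(8)     [chap] = noop
(8) sql: User found in radcheck table
(8) sql: WARNING: check items do not match.
(8)     [sql] = ok
(8)     [files] = noop
(8) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(8)     [pap] = noop
(8)   } # authorize = ok
(8) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(8) Failed to authenticate the user
"""

LINE = re.compile(r"^\((\d+)\)\s+(.*)$")        # "(8) <message>"
MODULE_RC = re.compile(r"^\[(\w+)\] = (\w+)$")   # "[sql] = ok"
WARNING = re.compile(r"^(\w+): WARNING: (.*)$")  # "pap: WARNING: ..."


def triage(log_text):
    """Group lines by request number; collect module return codes,
    module warnings and ERROR lines for each request."""
    requests = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # server-wide lines carry no request number
        req = requests.setdefault(
            int(m.group(1)), {"modules": {}, "warnings": [], "errors": []})
        body = m.group(2).strip()
        rc = MODULE_RC.match(body)
        warn = WARNING.match(body)
        if rc:
            req["modules"][rc.group(1)] = rc.group(2)
        elif warn:
            req["warnings"].append((warn.group(1), warn.group(2)))
        elif body.startswith("ERROR: "):
            req["errors"].append(body[len("ERROR: "):])
    return requests


def explain(req):
    """Return warnings, then errors, as one readable list of steps."""
    steps = [f"{mod}: {msg}" for mod, msg in req["warnings"]]
    return steps + [f"reject: {err}" for err in req["errors"]]
```
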

