Calling-Station-Id Issue
Ammad Ali
ammad.ali at rapidcompute.com
Thu Mar 10 16:28:53 UTC 2022
Hi Guys,
We are currently using FR 3.0.4 on CentOS7 with an SQL backend. Now we are
planning to migrate it to 3.0.25 installed from
https://networkradius.com/packages/#:~:text=number%20of%20platforms-,UBUNTU,-Add%20the%20APT
Currently the authentication is failing with the logs below.
Thu Mar 10 13:47:43 2022 : Debug: rlm_sql (sql): Reserved connection (0)
Thu Mar 10 13:47:43 2022 : Debug: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id
Thu Mar 10 13:47:43 2022 : Debug: Parsed xlat tree:
Thu Mar 10 13:47:43 2022 : Debug: literal --> SELECT id, username,
attribute, value, op FROM radcheck WHERE username = BINARY '
Thu Mar 10 13:47:43 2022 : Debug: attribute --> SQL-User-Name
Thu Mar 10 13:47:43 2022 : Debug: literal --> ' ORDER BY id
Thu Mar 10 13:47:43 2022 : Debug: (0) sql: EXPAND SELECT id, username,
attribute, value, op FROM radcheck WHERE username = BINARY
'%{SQL-User-Name}' ORDER BY id
Thu Mar 10 13:47:43 2022 : Debug: (0) sql: --> SELECT id, username,
attribute, value, op FROM radcheck WHERE username = BINARY 'noctest' ORDER
BY id
Thu Mar 10 13:47:43 2022 : Debug: (0) sql: Executing select query: SELECT
id, username, attribute, value, op FROM radcheck WHERE username = BINARY
'noctest' ORDER BY id
Thu Mar 10 13:47:43 2022 : Debug: (0) sql: User found in radcheck table
Thu Mar 10 13:47:43 2022 : ERROR: (0) sql:
Thu Mar 10 13:47:43 2022 : ERROR: (0) sql: ^ Empty expression
Thu Mar 10 13:47:43 2022 : WARNING: (0) sql: check items do not match.
Thu Mar 10 13:47:43 2022 : Debug: (0) sql: ... falling-through to group
processing
Thu Mar 10 13:47:43 2022 : Debug: SELECT groupname FROM radusergroup WHERE
username = BINARY '%{SQL-User-Name}' ORDER BY priority
Thu Mar 10 13:47:43 2022 : Debug: Parsed xlat tree:
Thu Mar 10 13:47:43 2022 : Debug: literal --> SELECT groupname FROM
radusergroup WHERE username = BINARY '
...
Thu Mar 10 13:47:43 2022 : Debug: rlm_sql_mysql: Socket destructor called,
closing socket
Thu Mar 10 13:47:43 2022 : Debug: (0) modsingle[authorize]: returned
from sql (rlm_sql)
Thu Mar 10 13:47:43 2022 : Debug: (0) [sql] = ok
Thu Mar 10 13:47:43 2022 : Debug: (0) modsingle[authorize]: calling
expiration (rlm_expiration)
Thu Mar 10 13:47:43 2022 : Debug: (0) modsingle[authorize]: returned
from expiration (rlm_expiration)
Thu Mar 10 13:47:43 2022 : Debug: (0) [expiration] = noop
Thu Mar 10 13:47:43 2022 : Debug: (0) modsingle[authorize]: calling
logintime (rlm_logintime)
Thu Mar 10 13:47:43 2022 : Debug: (0) modsingle[authorize]: returned
from logintime (rlm_logintime)
Thu Mar 10 13:47:43 2022 : Debug: (0) [logintime] = noop
Thu Mar 10 13:47:43 2022 : Debug: (0) modsingle[authorize]: calling pap
(rlm_pap)
Thu Mar 10 13:47:43 2022 : WARNING: (0) pap: No "known good" password found
for the user. Not setting Auth-Type
Thu Mar 10 13:47:43 2022 : WARNING: (0) pap: Authentication will fail unless
a "known good" password is available
Thu Mar 10 13:47:43 2022 : Debug: (0) modsingle[authorize]: returned
from pap (rlm_pap)
Thu Mar 10 13:47:43 2022 : Debug: (0) [pap] = noop
Thu Mar 10 13:47:43 2022 : Debug: (0) } # authorize = ok
Thu Mar 10 13:47:43 2022 : ERROR: (0) No Auth-Type found: rejecting the user
via Post-Auth-Type = Reject
Thu Mar 10 13:47:43 2022 : Debug: (0) Failed to authenticate the user
The full logs are here.
https://pastebin.com/r1b2nZRc
I am using the values below in the radcheck table for the user. I am using
Calling-Station-Id to restrict the MAC as well.
mysql> SELECT id, username, attribute, value, op FROM radcheck WHERE
username = 'noctest' ORDER BY id
-> ;
+---------+----------+--------------------+---------+----+
| id      | username | attribute          | value   | op |
+---------+----------+--------------------+---------+----+
| 2882016 | noctest  | Cleartext-Password | noctest | := |
| 2882017 | noctest  | Calling-Station-Id |         | =~ |
+---------+----------+--------------------+---------+----+
I have tested by removing the Calling-Station-Id row from the radcheck table.
The authentication succeeds.
Thu Mar 10 18:04:04 2022 : Debug: Parsed xlat tree:
Thu Mar 10 18:04:04 2022 : Debug: literal --> SELECT id, username,
attribute, value, op FROM radcheck WHERE username = '
Thu Mar 10 18:04:04 2022 : Debug: attribute --> SQL-User-Name
Thu Mar 10 18:04:04 2022 : Debug: literal --> ' ORDER BY id
Thu Mar 10 18:04:04 2022 : Debug: (3) sql: EXPAND SELECT id, username,
attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER
BY id
Thu Mar 10 18:04:04 2022 : Debug: (3) sql: --> SELECT id, username,
attribute, value, op FROM radcheck WHERE username = 'noctest' ORDER BY id
Thu Mar 10 18:04:04 2022 : Debug: (3) sql: Executing select query: SELECT
id, username, attribute, value, op FROM radcheck WHERE username = 'noctest'
ORDER BY id
Thu Mar 10 18:04:04 2022 : Debug: (3) sql: User found in radcheck table
Thu Mar 10 18:04:04 2022 : Debug: (3) sql: Conditional check items matched,
merging assignment check items
Thu Mar 10 18:04:04 2022 : Debug: (3) sql: Cleartext-Password := "noctest"
Thu Mar 10 18:04:04 2022 : Debug: (3) sql: ::: FROM 1 TO 0 MAX 1
Thu Mar 10 18:04:04 2022 : Debug: (3) sql: ::: Examining Cleartext-Password
Thu Mar 10 18:04:04 2022 : Debug: (3) sql: ::: APPENDING Cleartext-Password
FROM 0 TO 0
Thu Mar 10 18:04:04 2022 : Debug: (3) sql: ::: TO in 0 out 0
Thu Mar 10 18:04:04 2022 : Debug: SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
Thu Mar 10 18:04:04 2022 : Debug: Parsed xlat tree:
..
Thu Mar 10 18:04:04 2022 : Debug: (3) modsingle[authorize]: returned
from sql (rlm_sql)
Thu Mar 10 18:04:04 2022 : Debug: (3) [sql] = ok
Thu Mar 10 18:04:04 2022 : Debug: (3) modsingle[authorize]: calling
expiration (rlm_expiration)
Thu Mar 10 18:04:04 2022 : Debug: (3) modsingle[authorize]: returned
from expiration (rlm_expiration)
Thu Mar 10 18:04:04 2022 : Debug: (3) [expiration] = noop
Thu Mar 10 18:04:04 2022 : Debug: (3) modsingle[authorize]: calling
logintime (rlm_logintime)
Thu Mar 10 18:04:04 2022 : Debug: (3) modsingle[authorize]: returned
from logintime (rlm_logintime)
Thu Mar 10 18:04:04 2022 : Debug: (3) [logintime] = noop
Thu Mar 10 18:04:04 2022 : Debug: (3) modsingle[authorize]: calling pap
(rlm_pap)
Thu Mar 10 18:04:04 2022 : Debug: (3) modsingle[authorize]: returned
from pap (rlm_pap)
Thu Mar 10 18:04:04 2022 : Debug: (3) [pap] = updated
Thu Mar 10 18:04:04 2022 : Debug: (3) } # authorize = updated
Thu Mar 10 18:04:04 2022 : Debug: (3) Found Auth-Type = PAP
Thu Mar 10 18:04:04 2022 : Debug: (3) # Executing group from file
/etc/freeradius/sites-enabled/default
Thu Mar 10 18:04:04 2022 : Debug: (3) Auth-Type PAP {
Thu Mar 10 18:04:04 2022 : Debug: (3) modsingle[authenticate]: calling
pap (rlm_pap)
Thu Mar 10 18:04:04 2022 : Debug: (3) pap: Login attempt with password
"noctest" (7)
Thu Mar 10 18:04:04 2022 : Debug: (3) pap: Comparing with "known good"
Cleartext-Password "noctest" (7)
Thu Mar 10 18:04:04 2022 : Debug: (3) pap: User authenticated successfully
Thu Mar 10 18:04:04 2022 : Debug: (3) modsingle[authenticate]: returned
from pap (rlm_pap)
Thu Mar 10 18:04:04 2022 : Debug: (3) [pap] = ok
Thu Mar 10 18:04:04 2022 : Debug: (3) } # Auth-Type PAP = ok
Thu Mar 10 18:04:04 2022 : Debug: (3) # Executing section session from file
/etc/freeradius/sites-enabled/default
Thu Mar 10 18:04:04 2022 : Debug: (3) session {
Full logs are here.
https://pastebin.com/7xvgukiq
With my current production setup I am using Calling-Station-Id to restrict
the MAC for authentication and I want to use the same with 3.0.25. How can I
achieve this?
Ammad
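
The failing request above logs "Empty expression" right after the radcheck lookup, and the table listing shows a Calling-Station-Id row with operator =~ and no value. As an added example (not part of the original post or of FreeRADIUS), this Python script parses mysql client table output and flags check items that pair a regex operator with an empty value; the third sample row, the function names and the REGEX_OPS set are assumptions made for illustration.

```python
"""Flag radcheck check items that pair a regex operator with an empty value."""

REGEX_OPS = {"=~", "!~"}  # FreeRADIUS regex match / non-match operators

# Aligned mysql client output. Rows 2882016 and 2882017 are the ones shown in
# the post; row 1 is constructed to show a pattern that contains '|'.
SAMPLE = """\
+---------+----------+--------------------+-------------------------+----+
| id      | username | attribute          | value                   | op |
+---------+----------+--------------------+-------------------------+----+
| 2882016 | noctest  | Cleartext-Password | noctest                 | := |
| 2882017 | noctest  | Calling-Station-Id |                         | =~ |
| 1       | example  | Calling-Station-Id | ^02:00:00:00:00:0(1|2)$ | =~ |
+---------+----------+--------------------+-------------------------+----+
"""


def parse_table(text):
    """Parse aligned mysql client table output into a list of dicts."""
    lines = [line.rstrip() for line in text.splitlines()]
    border = next(line for line in lines if line.startswith("+"))
    # Column edges come from the border line, so a '|' inside a regex
    # value does not split the cell.
    edges = [i for i, ch in enumerate(border) if ch == "+"]
    table = []
    for line in lines:
        if line.startswith("|"):
            cells = [line[a + 1:b].strip() for a, b in zip(edges, edges[1:])]
            table.append(cells)
    header, data = table[0], table[1:]
    return [dict(zip(header, cells)) for cells in data]


def find_empty_regex_checks(rows):
    """Return rows whose operator is a regex match but whose value is empty."""
    return [r for r in rows if r["op"] in REGEX_OPS and r["value"] == ""]


if __name__ == "__main__":
    for row in find_empty_regex_checks(parse_table(SAMPLE)):
        print("empty regex check item: id={id} user={username} "
              "{attribute} {op} ''".format(**row))
```

The parser relies on the column alignment that the mysql client prints, so paste the table with its original spacing intact.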