Actually, I don't use users files, all users' information is kept in MySQL, the serveur will send a Acess-reject if the user is not in the DataBase
Regards,
ro0ot wrote:
So, it will reject users that is not in the /etc/raddb/users file?
Regards, ro0ot
NGUYEN Tuan Anh wrote:
It works!! Thank you very much Artur!! Ciao Artur Hecker wrote:
hi
ok, that's a bit messy though. take a look at the mysql config and the queries mentioned in the sql.conf file. see also the default profile. play with it and its options and add an Auth-Type := Reject to the default profile.
thus, every unknown user will be added an Auth-Type := Reject line and will be rejected without any EAP module interacting.
the only problem you will be left is are certified users who will still can connect as some other certified users.
ciao artur
NGUYEN Tuan Anh wrote:
What do you mean "explicitly REJECT"? How can I do it? Thanks a lot!
Ciao Tuan anh
Artur Hecker wrote:
yes, that's normal since the authentication works for ALL validly certified clients.
you have to explicitly REJECT the users NOT in your data base.
ciao artur
NGUYEN Tuan Anh wrote:
Hi, I'm trying to install a system with FreeRADIUS and MySQL and EAP-TLS as authentication protocol. Everything works, but I have a problem (I think it's a problem of configuration) : If I have a client with a valid certificate, even though the sql module doesn't regcognize the client (user-name doesn't existe in check list, the eap module always accept that client so the authorize section always return Acess-Accept!! Here 's part of the debug :
rad_recv: Access-Request packet from host 134.214.78.43:6001, id=134, length=1256
User-Name = "LEPILLEUR Benjamin"
NAS-IP-Address = 134.214.78.43
Called-Station-Id = "00-08-02-76-8d-32"
Calling-Station-Id = "00-04-23-71-13-4c"
NAS-Identifier = "PTSGSF3"
State = 0xc89112eb62ee9f6f95ca9d43f018c9378ff6b54098811a92e7909de796d82c6ebc2dc2c1
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0205043d0d800000043316030104030b0002f30002f00002ed308202e930820252a00302010202020805300d06092a864886f70d01010505003045310b300906035504061302465231153013060355040a130c54454c45434f4d2d4c444150311f301d060355040313164944582d504b49204f7065726174696f6e616c204341301e170d3034303332323135343634345a170d3035303332323135343634345a3051310b3009060355040613024652310d300b060355040a1304494e534131163014060355040b130d54656c65636f6d202d20475346311b3019060355040313124c4550494c4c4555522042656e6a616d696e30819f300d06092a8648
EAP-Message = 0x86f70d010101050003818d0030818902818100b951865a184af898f572fe6c23e93fc536026799577ba60d5b81de327bc451a7ff1d6caac19770ff8a02e0f407263edd970ddd4e15249f664c1cbd1283fd24dead1267fb166db68dc2de9f1cf9af8c9c9d10029d73156bec314ca8e24687401757ac92da50e1fc43d042e509a63b528d24e48891251026e21a1a8a6a911be6eb0203010001a381db3081d8301d0603551d0e041604140a3e625d09037edccffca0b769f7036177330814301f0603551d230418301680146b8d4761901ff704c5d8b7dc07051d49447e30e930280603551d1f0421301f301da01ba0198617687474703a2f2f74632d706b
EAP-Message = 0x692f4f7043524c2e63726c302a0603551d1104233021811f62656e6a616d696e2e6c6570696c6c65757240696e73612d6c796f6e2e6672300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030406082b06010505070302301106096086480186f84201010404030205a0300d06092a864886f70d010105050003818100a891927dc519f6f67fec7ffa5d18d58a2715145d9107903b109bfc8b35bc9e554796f83daf95d20bdf00a5e914a84f34d1eeda29a9d7d5541db2b6e67d65479d892bc98a9ae342a6b17b54bf1f2218913dbbfeb6cc93514e02d703afa762df2d43ede10b2e23631b94673374fd8acf338a
EAP-Message = 0xde8fb4f97b3bb969e68e4ab80c73bc100000820080111d7cb9d30649cac83e726c7c0d3f2513824e554db91feb1cc0c6d9188c625dab13d21750a259d6e53f6375f1687e529d55ae80079b007e163bcff10a6eaac9832d3ec16341eecc335044436e40d9ae4c5011cb6b3fd6730283be164eb76e9c71d5776947acaebda2efef9f5f5712fb222bef84f2fa392505ab50523c04f40b0f0000820080904cb7af1212010b2d9377082c19aed35a83cdc9cc4a0f8d630c88d7996a86ec897f499caa6cb077b2d31d717211544d9c5e8e813c8b152d2d23f1de6b390873d62b33d2088eb3161acc5ed71c2d7df759c99d231f4af4e92671b30fbd545ebdde10
EAP-Message = 0x8121e1559fea1e3bffa3f781d173bc9147524762908effca4d1e6cb7d83914030100010116030100202e9086427690428d6a55f8e7e92f92a81884b32d074bb23725aca664aedbde6e
Message-Authenticator = 0xbd5a866d0c2167835c811f8122ff9ada
modcall: entering group authorize for request 3
radius_xlat: 'LEPILLEUR Benjamin'
rlm_sql (sql): sql_set_user escaped user --> 'LEPILLEUR Benjamin'
radius_xlat: 'SELECT id,UserName,Attribute,UserName,op FROM radcheck WHERE Username = 'LEPILLEUR Benjamin' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: query: SELECT id,UserName,Attribute,UserName,op FROM radcheck WHERE Username = 'LEPILLEUR Benjamin' ORDER BY id
rlm_sql (sql): User LEPILLEUR Benjamin not found in radcheck
radius_xlat: ''
radius_xlat: ''
rlm_sql (sql): Released sql socket id: 1
modcall[authorize]: module "sql" returns ok for request 3
radius_xlat: '/usr/local/var/log/radius/radacct//auth-detail-20040527'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct//auth-detail-20040527
modcall[authorize]: module "auth_log" returns ok for request 3
rlm_eap: EAP packet type notification id 5 length 1085
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 3
rlm_eap: EAP packet type notification id 5 length 1085
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: Length Included
rlm_eap_tls: <<< TLS 1.0 Handshake [length 02f7], Certificate
chain-depth=1,
error=0
--> User-Name = LEPILLEUR Benjamin
--> BUF-Name = IDX-PKI Operational CA
--> subject = /C=FR/O=TELECOM-LDAP/CN=IDX-PKI Operational CA
--> issuer = /C=FR/O=TELECOM-LDAP/CN=IDX-PKI Operational CA
--> verify return:1
chain-depth=0,
error=0
--> User-Name = LEPILLEUR Benjamin
--> BUF-Name = LEPILLEUR Benjamin
--> subject = /C=FR/O=INSA/OU=Telecom - GSF/CN=LEPILLEUR Benjamin
--> issuer = /C=FR/O=TELECOM-LDAP/CN=IDX-PKI Operational CA
--> verify return:1
TLS_accept: SSLv3 read client certificate A
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify
TLS_accept: SSLv3 read certificate verify A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
undefined: SSL negotiation finished successfully
rlm_eap_tls: SSL_read Error
Error code is ..... 2
SSL Error ..... 2
modcall[authenticate]: module "eap" returns ok for request 3
modcall: group authenticate returns ok for request 3
Sending Access-Challenge of id 134 to 134.214.78.43:6001
EAP-Message = 0x010600350d800000002b1403010001011603010020de594f0d8a3c4e890ebc851dd0606065d93bec85e288446adcfda0cde8b17aa5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3105876e2eed4cedf334d0a27cc1cbc18ff6b54082707c416cc0524e218148dbfa8e1ef9
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 134.214.78.43:6001, id=135, length=169
User-Name = "LEPILLEUR Benjamin"
NAS-IP-Address = 134.214.78.43
Called-Station-Id = "00-08-02-76-8d-32"
Calling-Station-Id = "00-04-23-71-13-4c"
NAS-Identifier = "PTSGSF3"
State = 0x3105876e2eed4cedf334d0a27cc1cbc18ff6b54082707c416cc0524e218148dbfa8e1ef9
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020600060d00
Message-Authenticator = 0xc56076023a86e56d0719b0ccf3288505
modcall: entering group authorize for request 4
radius_xlat: 'LEPILLEUR Benjamin'
rlm_sql (sql): sql_set_user escaped user --> 'LEPILLEUR Benjamin'
radius_xlat: 'SELECT id,UserName,Attribute,UserName,op FROM radcheck WHERE Username = 'LEPILLEUR Benjamin' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_mysql: query: SELECT id,UserName,Attribute,UserName,op FROM radcheck WHERE Username = 'LEPILLEUR Benjamin' ORDER BY id
rlm_sql (sql): User LEPILLEUR Benjamin not found in radcheck
radius_xlat: ''
radius_xlat: ''
rlm_sql (sql): Released sql socket id: 0
modcall[authorize]: module "sql" returns ok for request 4
radius_xlat: '/usr/local/var/log/radius/radacct//auth-detail-20040527'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct//auth-detail-20040527
modcall[authorize]: module "auth_log" returns ok for request 4
rlm_eap: EAP packet type notification id 6 length 6
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated for request 4
modcall: group authorize returns updated for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 4
rlm_eap: EAP packet type notification id 6 length 6
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 4
modcall: group authenticate returns ok for request 4
Sending Access-Accept of id 135 to 134.214.78.43:6001
MS-MPPE-Recv-Key = 0x0b8a9050cf92e7f27bd2b3c2f669d77a3d5aa6f4465d9e2d741eb74a93e921a6
MS-MPPE-Send-Key = 0x8cb2f6e450e16a84826a6ff22769c5fa9c576aae97a52a0f97899bab893ce9a5
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 4
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 131 with timestamp 40b5f68f
Cleaning up request 1 ID 132 with timestamp 40b5f68f
Cleaning up request 2 ID 133 with timestamp 40b5f68f
Cleaning up request 3 ID 134 with timestamp 40b5f68f
Cleaning up request 4 ID 135 with timestamp 40b5f68f
Nothing to do. Sleeping until we see a request.
What is the problem?? Can anybody help me? Thanks Tuan Anh
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
