Hi,

I have configured freeradius to check against a postgresql database and, when the user is valid, execute an external script (which works fine).
I have configured freeradius to store authentication results in a postgresql database, which works fine if the user is either accepted or when the user is invalid (not found or incorrect password from the database).
When the user is valid (correct username and password from the database), but the external script rejects the user, freeradius doesn't go through the post-auth section and doesn't store the info in the database.


Below you'll find debugging output and relevant configs:

rad_recv: Access-Request packet from host 127.0.0.1:1647, id=4, length=209
User-Name = "thor"
User-Password = "******"
NAS-IP-Address = 195.130.129.51
NAS-Port-Id = "195.130.135.101"
Called-Station-Id = "00:02:b3:a8:6a:8e"
Event-Timestamp = "Nov 29 2004 19:41:32 UTC"
Framed-IP-Address = 10.1.197.52
Service-Type = Login-User
Calling-Station-Id = "00:0C:29:E6:E2:71"
NAS-Identifier = "X"
NAS-Port-Type = Ethernet
Acct-Session-Id = "thor//1007c2fb606"
NAS-Port = 0
Proxy-State = 0x3833
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "thor", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
users: Matched DEFAULT at 216
users: Matched DEFAULT at 220
modcall[authorize]: module "files" returns ok for request 4
radius_xlat: 'thor'
rlm_sql (sql_auth): sql_set_user escaped user --> 'thor'
radius_xlat: 'SELECT 1,username,'User-Password',password,'==' FROM account WHERE username='thor''
rlm_sql (sql_auth): Reserving sql socket id: 0
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat: ''
radius_xlat: ''
radius_xlat: ''
rlm_sql (sql_auth): Released sql socket id: 0
modcall[authorize]: module "sql_auth" returns ok for request 4
modcall: group authorize returns ok for request 4
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
radius_xlat: '/opt/radhome/bin/auth.pl'
Exec-Program: /opt/radhome/bin/auth.pl
Exec-Program output: Reply-Message := "Service maintenance"
Exec-Program-Wait: value-pairs: Reply-Message := "Service maintenance"
Exec-Program: returned: 1
Login incorrect (external check failed): [thor] (from client proxy port 0 cli 00:0C:29:E6:E2:71)
Sending Access-Reject of id 4 to 127.0.0.1:1647
Reply-Message := "Service maintenance"
Proxy-State = 0x3833
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 4 with timestamp 41ab7b6c
Nothing to do. Sleeping until we see a request.


Here's the post-auth config:
post-auth {
       sql_accept
       Post-Auth-Type REJECT {
               sql_reject
       }
}

And here's the postgresql.conf:
sql sql_accept {
driver = "rlm_sql_postgresql"
server = "127.0.0.1"
login = "username"
password = "password"
radius_db = "radius"
postauth_table = "postauth"
deletestalesessions = yes
# sqltrace = yes
# sqltracefile = ${logdir}/sqltrace_accept.sql
num_sql_socks = 2
connect_failure_retry_delay = 60
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /,<>"
#######################################################################
# Query config: Username
#######################################################################
#sql_user_name = "%{Stripped-User-Name:-%{User-Name:-none}}"
sql_user_name = "%{User-Name}"
#######################################################################
# Authentication Logging Queries
#######################################################################
postauth_query = "INSERT into ${postauth_table} (username, result, \
callingstationid, calledstationid, nasipaddress, nasidentifier, \
replymessage, sessiontimeout) \
values ('%{User-Name}', '%{reply:Packet-Type}', \
'%{Calling-Station-Id}', '%{Called-Station-Id}', '%{Nas-Ip-Address}', '%{Nas-Identifier}', \
'%{reply:Reply-Message}', '%{reply:Session-Timeout}')"
}


sql sql_reject {
driver = "rlm_sql_postgresql"
server = "127.0.0.1"
login = "username"
password = "password"
radius_db = "radius"
postauth_table = "postauth"
deletestalesessions = yes
# sqltrace = yes
# sqltracefile = ${logdir}/sqltrace_reject.sql
num_sql_socks = 2
connect_failure_retry_delay = 60
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /,<>"
#######################################################################
# Query config: Username
#######################################################################
#sql_user_name = "%{Stripped-User-Name:-%{User-Name:-none}}"
sql_user_name = "%{User-Name}"
#######################################################################
# Authentication Logging Queries
#######################################################################
postauth_query = "INSERT into ${postauth_table} (username, password, result, \
callingstationid, calledstationid, nasipaddress, nasidentifier, \
replymessage, sessiontimeout, wisprsessionterminatetime) \
values ('%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', \
'%{Calling-Station-Id}', '%{Called-Station-Id}', '%{Nas-Ip-Address}', '%{Nas-Identifier}', \
'%{reply:Reply-Message}', '%{reply:Session-Timeout}', '%{reply:WISPR-Session-Terminate-Time}')"
}



-- Regards,

Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
Order your copy of Operationele verkoop (Walter Spruyt - Liesbeth Huysmans) now via www.salesguide.be
Discover the Telenet Hotspot service at www.telenet.be/hotspots
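
Added example (not part of the original post and not FreeRADIUS code): a Python check that scans debug output of the shape shown above and reports requests that were sent an Access-Reject without any post-auth group being entered, i.e. rejected logins that never reach the postauth table. The post-auth line pattern is an assumption modelled on the "entering group authorize" line, and request 5 in the sample is constructed.

```python
import re

# Line shapes from FreeRADIUS debug output. RECV, LOGIN_FAIL, REJECT and FINISHED
# appear in the log above; POST_AUTH is an assumption modelled on the
# "modcall: entering group authorize" line.
RECV = re.compile(r"^rad_recv: Access-Request packet")
LOGIN_FAIL = re.compile(r"^Login incorrect(?: \((?P<reason>[^)]*)\))?: \[(?P<user>[^\]]*)\]")
REJECT = re.compile(r"^Sending Access-Reject of id \d+")
POST_AUTH = re.compile(r"^modcall: entering group (?:post-auth|Post-Auth-Type)\b", re.I)
FINISHED = re.compile(r"^Finished request (?P<req>\d+)")

# Constructed sample: request 4 is abridged from the log above, request 5 is invented.
SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1:1647, id=4, length=209
modcall: entering group authorize for request 4
Exec-Program: returned: 1
Login incorrect (external check failed): [thor] (from client proxy port 0 cli 00:0C:29:E6:E2:71)
Sending Access-Reject of id 4 to 127.0.0.1:1647
Finished request 4
rad_recv: Access-Request packet from host 127.0.0.1:1647, id=5, length=209
modcall: entering group authorize for request 5
Login incorrect: [alice] (from client proxy port 0)
modcall: entering group Post-Auth-Type for request 5
Sending Access-Reject of id 5 to 127.0.0.1:1647
Finished request 5
"""


def find_unlogged_rejects(debug_text):
    """Return one dict per request that sent Access-Reject without entering post-auth."""
    findings, cur = [], None
    for raw in debug_text.splitlines():
        line = raw.strip()
        if RECV.match(line):  # a new request block starts here
            cur = {"user": None, "reason": None, "rejected": False, "post_auth": False}
        if cur is None:
            continue
        if (m := LOGIN_FAIL.match(line)):
            cur["user"], cur["reason"] = m["user"], m["reason"]
        elif POST_AUTH.match(line):
            cur["post_auth"] = True
        elif REJECT.match(line):  # assumes the reject is sent before "Finished request"
            cur["rejected"] = True
        elif (m := FINISHED.match(line)):
            if cur["rejected"] and not cur["post_auth"]:
                findings.append({"request": int(m["req"]), "user": cur["user"], "reason": cur["reason"]})
            cur = None
    return findings
```

Running `find_unlogged_rejects(SAMPLE)` flags request 4 (the external-check reject from the log above) and leaves request 5 alone.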


