Despite reading everything I can find, performing many different
experiments, turning the issue over to a UNIX hack with 20 years of
experience, and asking questions on lots of different forums, I cannot
figure out a problem I have with RADIUS. I am sure it is due to my
ignorance, and not a bug - in fact, I suspect that this is very easy to
solve, but that no one has thought to offer up such a basic piece of info.
Any help would be appreciated.
We are a WISP; we have FreeRADIUS running with MySQL. The NASs that
currently use RADIUS (SmartBridge XOs) transmit the CPE's MAC address as
both UserName and Password. We have new and better NASs (MikroTik) that
transmit the CPE's MAC address as the UserName, but with a "null" password.
What we want is "simple" - for both NASs to validate off of RADIUS. BUT
because of the difference in Passwords, the same entry in RadCheck won't do
it.
There is a lot of debug output below, bracketed by "------------------"s,
and divided into three different approaches: two entries in radcheck,
rewriting the password attribute in the request, and using different
operators under both "password = mac" and "password = null" conditions.
First Approach:
I have tried to have 2 entries in RadCheck with the same username (one where
password = username, one where password = <null>); however, that causes
neither NAS to be able to authenticate a request. I thought that perhaps
this was a function of "Fall Through" (mentioned as living in the Users
file); however, I haven't been able to find the MySQL version of "Fall
Through" and am not even sure that would do what I want.
Below I list Accepts and Rejects from both devices under two different
scenarios. After the fourth debug output, I continue describing other steps
I've tried.
This is an XO, getting an Accept, with only the one entry in radcheck:
-------------------------------
rad_recv: Access-Request packet from host 10.0.1.243:1812, id=15, length=52
User-Name = "00026f341586"
User-Password = "00026f341586"
rad_lowerpair: User-Name now '00026f341586'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 57787
modcall[authorize]: module "preprocess" returns ok for request 57787
radius_xlat: ':'
rlm_attr_rewrite: No match found for attribute User-Name with value
'00026f341586'
modcall[authorize]: module "mac_colons" returns ok for request 57787
modcall[authorize]: module "chap" returns noop for request 57787
modcall[authorize]: module "mschap" returns noop for request 57787
rlm_realm: No '@' in User-Name = "00026f341586", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 57787
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 57787
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 57787
radius_xlat: '00026f341586'
rlm_sql (sql): sql_set_user escaped user --> '00026f341586'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '00026f341586' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = '00026f341586' ORDER BY id
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '00026f341586' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '00026f341586' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = '00026f341586' ORDER BY id'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = '00026f341586' ORDER BY id
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '00026f341586' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '00026f341586' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 2
modcall[authorize]: module "sql" returns ok for request 57787
modcall: group authorize returns ok for request 57787
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 15 to 10.0.1.243:1812
Limit-Rate-Downlink = 5000
Limit-Rate-Uplink = 5000
Finished request 57787
-----------------------------
This is an XO, getting a reject, with two entries in radcheck - one with the
password filled with the actual password the XO is sending, and one with the
password as <null>:
------------------------------
rad_recv: Access-Request packet from host 10.0.0.243:1812, id=5, length=52
User-Name = "000d2f00f0e3"
User-Password = "000d2f00f0e3"
rad_lowerpair: User-Name now '000d2f00f0e3'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 58582
modcall[authorize]: module "preprocess" returns ok for request 58582
radius_xlat: ':'
rlm_attr_rewrite: No match found for attribute User-Name with value
'000d2f00f0e3'
modcall[authorize]: module "mac_colons" returns ok for request 58582
modcall[authorize]: module "chap" returns noop for request 58582
modcall[authorize]: module "mschap" returns noop for request 58582
rlm_realm: No '@' in User-Name = "000d2f00f0e3", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 58582
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 58582
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 58582
radius_xlat: '000d2f00f0e3'
rlm_sql (sql): sql_set_user escaped user --> '000d2f00f0e3'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '000d2f00f0e3' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = '000d2f00f0e3' ORDER BY id
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '000d2f00f0e3' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '000d2f00f0e3' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = '000d2f00f0e3' ORDER BY id'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = '000d2f00f0e3' ORDER BY id
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '000d2f00f0e3' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '000d2f00f0e3' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): No matching entry in the database for request from user
[000d2f00f0e3]
rlm_sql (sql): Released sql socket id: 2
modcall[authorize]: module "sql" returns notfound for request 58582
modcall: group authorize returns ok for request 58582
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 58582
modcall[authenticate]: module "unix" returns notfound for request 58582
modcall: group authenticate returns notfound for request 58582
auth: Failed to validate the user.
Sending Access-Reject of id 5 to 10.0.0.243:1812
----------------------
This is a MikroTik, getting an Accept, with only one entry (password =
null):
----------------------
rad_recv: Access-Request packet from host 10.35.0.30:1481, id=131, length=60
Service-Type = Framed-User
NAS-Port-Id = "wlan1"
User-Name = "00:0A:E9:06:29:07"
User-Password = ""
NAS-IP-Address = 10.35.0.30
rad_lowerpair: User-Name now '00:0a:e9:06:29:07'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 57452
modcall[authorize]: module "preprocess" returns ok for request 57452
radius_xlat: ':'
rlm_attr_rewrite: Changed value for attribute User-Name from
'00:0a:e9:06:29:07' to '000ae9062907'
modcall[authorize]: module "mac_colons" returns ok for request 57452
modcall[authorize]: module "chap" returns noop for request 57452
modcall[authorize]: module "mschap" returns noop for request 57452
rlm_realm: No '@' in User-Name = "000ae9062907", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 57452
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 57452
users: Matched DEFAULT at 152
users: Matched DEFAULT at 171
modcall[authorize]: module "files" returns ok for request 57452
radius_xlat: '000ae9062907'
rlm_sql (sql): sql_set_user escaped user --> '000ae9062907'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '000ae9062907' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = '000ae9062907' ORDER BY id
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '000ae9062907' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '000ae9062907' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = '000ae9062907' ORDER BY id'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = '000ae9062907' ORDER BY id
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '000ae9062907' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '000ae9062907' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 2
modcall[authorize]: module "sql" returns ok for request 57452
modcall: group authorize returns ok for request 57452
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 131 to 10.35.0.30:1481
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Limit-Rate-Downlink = 5000
Limit-Rate-Uplink = 5000
Recv-Limit = 5000
Xmit-Limit = 5000
--------------------------
This is a MikroTik, getting a reject, with two entries in radcheck:
---------------------------
rad_recv: Access-Request packet from host 10.35.0.30:1337, id=118, length=60
Service-Type = Framed-User
NAS-Port-Id = "wlan1"
User-Name = "00:0A:E9:06:29:07"
User-Password = ""
NAS-IP-Address = 10.35.0.30
rad_lowerpair: User-Name now '00:0a:e9:06:29:07'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 55957
modcall[authorize]: module "preprocess" returns ok for request 55957
radius_xlat: ':'
rlm_attr_rewrite: Changed value for attribute User-Name from
'00:0a:e9:06:29:07' to '000ae9062907'
modcall[authorize]: module "mac_colons" returns ok for request 55957
modcall[authorize]: module "chap" returns noop for request 55957
modcall[authorize]: module "mschap" returns noop for request 55957
rlm_realm: No '@' in User-Name = "000ae9062907", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 55957
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 55957
users: Matched DEFAULT at 152
users: Matched DEFAULT at 171
modcall[authorize]: module "files" returns ok for request 55957
radius_xlat: '000ae9062907'
rlm_sql (sql): sql_set_user escaped user --> '000ae9062907'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '000ae9062907' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = '000ae9062907' ORDER BY id
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '000ae9062907' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '000ae9062907' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = '000ae9062907' ORDER BY id'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = '000ae9062907' ORDER BY id
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '000ae9062907' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '000ae9062907' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): No matching entry in the database for request from user
[000ae9062907]
rlm_sql (sql): Released sql socket id: 2
modcall[authorize]: module "sql" returns notfound for request 55957
modcall: group authorize returns ok for request 55957
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 55957
modcall[authenticate]: module "unix" returns notfound for request 55957
modcall: group authenticate returns notfound for request 55957
auth: Failed to validate the user.
Delaying request 55957 for 1 seconds
Finished request 55957
Going to the next request
Sending Access-Reject of id 118 to 10.35.0.30:1337
-------------------------------
Second Approach:
We have tried to use attr_rewrite to write the MAC into the Auth Request's
Password attribute, but were unsuccessful. Seems like if it comes in as
anything BUT "null", it can be rewritten. The debug output when trying to
rewrite a null password is below:
"rlm_attr_rewrite: Attribute User-Password string value NULL or of zero
length"
" modcall[authorize]: module "blank_password"returns noop for request 10"
Don't see how it's possible to go the other way with this approach (strip
the XO's Password of everything so that it's null) because what would you
search for...?
Third Approach:
I read "man 5 users" and tried different operators. "Surely, I can just
tell it to accept if a password is in the request at all, whether it's
actually a string or not" - wrong.
I have tried different operators under two different scenarios - with the
Password populated, and with the Password blank - the results are below,
along with debug output.
Scenario 1: Password field has username in it
Password ==
MikroTik - Reject
XO - Accept (this is how we are set up right now)
-------------------------------------------------------
Password >=
MT - Reject
XO - Accept
Debug:
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 10.35.0.30:1482, id=133, length=60
Service-Type = Framed-User
NAS-Port-Id = "wlan1"
User-Name = "00:0A:E9:06:29:07"
User-Password = ""
NAS-IP-Address = 10.35.0.30
rad_lowerpair: User-Name now '00:0a:e9:06:29:07'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1324
modcall[authorize]: module "preprocess" returns ok for request 1324
radius_xlat: ':'
rlm_attr_rewrite: Changed value for attribute User-Name from
'00:0a:e9:06:29:07' to '000ae9062907'
modcall[authorize]: module "mac_colons" returns ok for request 1324
modcall[authorize]: module "chap" returns noop for request 1324
modcall[authorize]: module "mschap" returns noop for request 1324
rlm_realm: No '@' in User-Name = "000ae9062907", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1324
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 1324
users: Matched DEFAULT at 152
users: Matched DEFAULT at 174
modcall[authorize]: module "files" returns ok for request 1324
radius_xlat: '000ae9062907'
rlm_sql (sql): sql_set_user escaped user --> '000ae9062907'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '000ae9062907' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = '000ae9062907' ORDER BY id
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '000ae9062907' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '000ae9062907' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = '000ae9062907' ORDER BY id'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = '000ae9062907' ORDER BY id
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '000ae9062907' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '000ae9062907' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): No matching entry in the database for request from user
[000ae9062907]
rlm_sql (sql): Released sql socket id: 0
modcall[authorize]: module "sql" returns notfound for request 1324
modcall: group authorize returns ok for request 1324
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1324
modcall[authenticate]: module "unix" returns notfound for request 1324
modcall: group authenticate returns notfound for request 1324
auth: Failed to validate the user.
----------------------------------------------------------------------------
Password =*
MT - Accept
XO - Reject
Based on this from man 5 users:
"Attribute =* Value
As a check item, it matches if the request contains the named
attribute, no matter what the value is. Not allowed as a reply item."
I thought for SURE that this would work. But notice how the XOs reject
this, while the MTs accept (different than the other two expressions under
this condition)...here's the debug of an XO being rejected with this
operator:
rad_recv: Access-Request packet from host 10.0.0.243:1812, id=3, length=52
User-Name = "00301a04a7e0"
User-Password = "00301a04a7e0"
rad_lowerpair: User-Name now '00301a04a7e0'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1262
modcall[authorize]: module "preprocess" returns ok for request 1262
radius_xlat: ':'
rlm_attr_rewrite: No match found for attribute User-Name with value
'00301a04a7e0'
modcall[authorize]: module "mac_colons" returns ok for request 1262
modcall[authorize]: module "chap" returns noop for request 1262
modcall[authorize]: module "mschap" returns noop for request 1262
rlm_realm: No '@' in User-Name = "00301a04a7e0", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1262
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 1262
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 1262
radius_xlat: '00301a04a7e0'
rlm_sql (sql): sql_set_user escaped user --> '00301a04a7e0'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '00301a04a7e0' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = '00301a04a7e0' ORDER BY id
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '00301a04a7e0' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '00301a04a7e0' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = '00301a04a7e0' ORDER BY id'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = '00301a04a7e0' ORDER BY id
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '00301a04a7e0' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '00301a04a7e0' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 2
modcall[authorize]: module "sql" returns ok for request 1262
modcall: group authorize returns ok for request 1262
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
----------------------------------------------------------------------------
Password <=
MT - Reject
XO - Accept
rad_recv: Access-Request packet from host 10.35.0.30:1492, id=154, length=60
Service-Type = Framed-User
NAS-Port-Id = "wlan1"
User-Name = "00:0A:E9:06:29:07"
User-Password = ""
NAS-IP-Address = 10.35.0.30
rad_lowerpair: User-Name now '00:0a:e9:06:29:07'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 128
modcall[authorize]: module "preprocess" returns ok for request 128
radius_xlat: ':'
rlm_attr_rewrite: Changed value for attribute User-Name from
'00:0a:e9:06:29:07' to '000ae9062907'
modcall[authorize]: module "mac_colons" returns ok for request 128
modcall[authorize]: module "chap" returns noop for request 128
modcall[authorize]: module "mschap" returns noop for request 128
rlm_realm: No '@' in User-Name = "000ae9062907", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 128
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 128
users: Matched DEFAULT at 152
users: Matched DEFAULT at 174
modcall[authorize]: module "files" returns ok for request 128
radius_xlat: '000ae9062907'
rlm_sql (sql): sql_set_user escaped user --> '000ae9062907'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '000ae9062907' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = '000ae9062907' ORDER BY id
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '000ae9062907' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '000ae9062907' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = '000ae9062907' ORDER BY id'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = '000ae9062907' ORDER BY id
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '000ae9062907' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '000ae9062907' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 1
modcall[authorize]: module "sql" returns ok for request 128
modcall: group authorize returns ok for request 128
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Scenario 2: Password field is null
Password ==
MT - Accept
XO - Reject (this would be our config if we didn't have any XOs, and I
wouldn't have this issue)
--------------------------------------------------------------------
Password >=
MT - Accept
XO - Reject
rad_recv: Access-Request packet from host 10.0.0.243:1812, id=201, length=52
User-Name = "00301a04a7e0"
User-Password = "00301a04a7e0"
rad_lowerpair: User-Name now '00301a04a7e0'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 484
modcall[authorize]: module "preprocess" returns ok for request 484
radius_xlat: ':'
rlm_attr_rewrite: No match found for attribute User-Name with value
'00301a04a7e0'
modcall[authorize]: module "mac_colons" returns ok for request 484
modcall[authorize]: module "chap" returns noop for request 484
modcall[authorize]: module "mschap" returns noop for request 484
rlm_realm: No '@' in User-Name = "00301a04a7e0", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 484
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 484
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 484
radius_xlat: '00301a04a7e0'
rlm_sql (sql): sql_set_user escaped user --> '00301a04a7e0'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '00301a04a7e0' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = '00301a04a7e0' ORDER BY id
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '00301a04a7e0' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '00301a04a7e0' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = '00301a04a7e0' ORDER BY id'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = '00301a04a7e0' ORDER BY id
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '00301a04a7e0' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '00301a04a7e0' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 0
modcall[authorize]: module "sql" returns ok for request 484
modcall: group authorize returns ok for request 484
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
----------------------------------------------------------------------------
Password =*
MT - Accept
XO - Reject
rad_recv: Access-Request packet from host 10.0.0.243:1812, id=8, length=52
User-Name = "00301a04a7e0"
User-Password = "00301a04a7e0"
rad_lowerpair: User-Name now '00301a04a7e0'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 345
modcall[authorize]: module "preprocess" returns ok for request 345
radius_xlat: ':'
rlm_attr_rewrite: No match found for attribute User-Name with value
'00301a04a7e0'
modcall[authorize]: module "mac_colons" returns ok for request 345
modcall[authorize]: module "chap" returns noop for request 345
modcall[authorize]: module "mschap" returns noop for request 345
rlm_realm: No '@' in User-Name = "00301a04a7e0", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 345
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 345
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 345
radius_xlat: '00301a04a7e0'
rlm_sql (sql): sql_set_user escaped user --> '00301a04a7e0'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '00301a04a7e0' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = '00301a04a7e0' ORDER BY id
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '00301a04a7e0' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '00301a04a7e0' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = '00301a04a7e0' ORDER BY id'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = '00301a04a7e0' ORDER BY id
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '00301a04a7e0' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '00301a04a7e0' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 345
modcall: group authorize returns ok for request 345
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Delaying request 345 for 1 seconds
Finished request 345
Going to the next request
------------------------------------------------------------------------------------------
Password <=
MT - Accept
XO - there are two components in an XO that query RADIUS, a "Supervisor"
and a "Radio". With a null password, and the "<=" operator, the Supervisor
gets an Accept, but the Radio gets a Reject.
rad_recv: Access-Request packet from host 10.0.0.243:1812, id=226, length=52
User-Name = "00301a04a7e0"
User-Password = "00301a04a7e0"
rad_lowerpair: User-Name now '00301a04a7e0'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 18
modcall[authorize]: module "preprocess" returns ok for request 18
radius_xlat: ':'
rlm_attr_rewrite: No match found for attribute User-Name with value
'00301a04a7e0'
modcall[authorize]: module "mac_colons" returns ok for request 18
modcall[authorize]: module "chap" returns noop for request 18
modcall[authorize]: module "mschap" returns noop for request 18
rlm_realm: No '@' in User-Name = "00301a04a7e0", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 18
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 18
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 18
radius_xlat: '00301a04a7e0'
rlm_sql (sql): sql_set_user escaped user --> '00301a04a7e0'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '00301a04a7e0' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = '00301a04a7e0' ORDER BY id
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '00301a04a7e0' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '00301a04a7e0' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = '00301a04a7e0' ORDER BY id'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = '00301a04a7e0' ORDER BY id
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '00301a04a7e0' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '00301a04a7e0' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): No matching entry in the database for request from user
[00301a04a7e0]
rlm_sql (sql): Released sql socket id: 1
modcall[authorize]: module "sql" returns notfound for request 18
modcall: group authorize returns ok for request 18
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 18
modcall[authenticate]: module "unix" returns notfound for request 18
modcall: group authenticate returns notfound for request 18
auth: Failed to validate the user.
Delaying request 18 for 1 seconds
-------------------------------------------------
So...that's "it". I am a RADIUS novice but have got to assume that what I
want to do is possible...isn't it?
Brian Ammons
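An added example, not part of the original post: a small Python triage script that reduces debug output like the traces above to one record per Access-Request and names the stage at which it was rejected. The function names `summarize` and `diagnose` are hypothetical, and the sample input is constructed by abridging two of the post's own traces.

```python
import re

# Constructed sample: two rejected requests, abridged from the debug output above.
SAMPLE = '''\
rad_recv: Access-Request packet from host 10.0.0.243:1812, id=8, length=52
User-Name = "00301a04a7e0"
User-Password = "00301a04a7e0"
modcall[authorize]: module "sql" returns ok for request 345
rad_check_password: Found Auth-Type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
rad_recv: Access-Request packet from host 10.0.0.243:1812, id=226, length=52
User-Name = "00301a04a7e0"
User-Password = "00301a04a7e0"
modcall[authorize]: module "sql" returns notfound for request 18
rad_check_password: Found Auth-Type System
auth: Failed to validate the user.
'''

PATTERNS = {  # first capture group of each pattern becomes the field value
    "nas": re.compile(r'^rad_recv: Access-Request packet from host ([\d.]+):'),
    "user": re.compile(r'^\s*User-Name = "(.*)"'),
    "password": re.compile(r'^\s*User-Password = "(.*)"'),
    "sql": re.compile(r'module "sql" returns (\w+)'),
    "auth_type": re.compile(r'Found Auth-Type (\w+)'),
}

def summarize(debug_text):  # returns one dict per Access-Request
    requests = []
    for line in debug_text.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            requests.append({"failed": False, "mismatch": False})
        if not requests:
            continue  # skip anything logged before the first request
        cur = requests[-1]
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m and key not in cur:
                cur[key] = m.group(1)
        cur["mismatch"] |= "does NOT match local User-Password" in line
        cur["failed"] |= "Failed to validate the user" in line
    return requests

def diagnose(req):  # names the stage at which the request was rejected
    if req.get("sql") == "ok" and req["mismatch"]:
        return "radcheck matched; stored password differs from the one sent"
    if req.get("sql") == "notfound" and req["failed"]:
        return "no radcheck match; Auth-Type was " + req.get("auth_type", "?")
    return "failed for another reason" if req["failed"] else "no failure logged"
```

Comparing the `user` and `password` fields of each record also shows which NAS convention a request follows (password equal to the MAC, or empty).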