I changed the /etc/raddb/sites-available/default to the following and
changed Auth-Type to SQL in the radcheck table, and it still rejects the
user.
authorize {
        preprocess
        mschap
        sql
}
authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
}
preacct {
        acct_unique
}
accounting {
        radutmp
        sql
}
session {
        sql
}
post-auth {
        Post-Auth-Type REJECT {
                sql
                attr_filter.access_reject
        }
}
pre-proxy {
}
post-proxy {
}
and added the information to clients.conf and sql.conf, and it seems to
be working, for I get database requests when I run radiusd -X and run
radtest. My mysql tables look like the following:
mysql> select * from radcheck;
+----+----------+--------------+----+----------------------------------+
| id | username | attribute    | op | value                            |
+----+----------+--------------+----+----------------------------------+
|  1 | testuser | MD5-Password | := | 179ad45c6ce2cb97cf1029e212046e81 |
+----+----------+--------------+----+----------------------------------+
1 row in set (0.00 sec)
I have also tried this with Attribute set to Cleartext-Password and op
set to == with the same result.
mysql> select * from radgroupcheck;
+----+-------------+-----------+----+---------+
| id | groupname   | attribute | op | value   |
+----+-------------+-----------+----+---------+
|  1 | normalusers | Auth-Type | := | MS-CHAP |
+----+-------------+-----------+----+---------+
1 row in set (0.00 sec)
Changed Auth-Type to SQL
mysql> select * from radgroupreply;
+----+-------------+--------------------+----+---------------------+
| id | groupname   | attribute          | op | value               |
+----+-------------+--------------------+----+---------------------+
|  1 | normalusers | Framed-Compression | =  | Van-Jacobson-TCP-IP |
+----+-------------+--------------------+----+---------------------+
1 row in set (0.00 sec)
mysql> select * from radpostauth;
+----+----------+--------------+---------------+---------------------+
| id | username | pass         | reply         | authdate            |
+----+----------+--------------+---------------+---------------------+
|  1 | testuser | testuserpass | Access-Reject | 2010-12-16 23:45:22 |
|  2 | testuser | testuserpass | Access-Reject | 2010-12-16 23:52:18 |
|  3 | testuser | testuserpass | Access-Reject | 2010-12-17 00:24:07 |
|  4 | root     | changed      | Access-Accept | 2010-12-17 01:28:43 |
|  5 | user1    | password1    | Access-Reject | 2010-12-17 01:29:01 |
|  6 | root     | changed      | Access-Accept | 2010-12-17 01:38:59 |
|  7 | todd     | changed      | Access-Accept | 2010-12-17 01:41:16 |
|  8 | user1    | password1    | Access-Reject | 2010-12-17 02:06:47 |
|  9 | user1    | password1    | Access-Reject | 2010-12-17 02:18:37 |
| 10 | testuser | testpass     | Access-Reject | 2010-12-17 05:05:05 |
| 11 | testuser | testpass     | Access-Reject | 2010-12-17 05:10:04 |
| 12 | testuser | testpass     | Access-Reject | 2010-12-17 05:24:06 |
| 13 | testuser | testpass     | Access-Reject | 2010-12-17 05:35:10 |
| 14 | testuser | testpass     | Access-Reject | 2010-12-17 06:09:40 |
| 15 | testuser | testpass     | Access-Reject | 2010-12-17 06:28:45 |
| 16 | testuser | testpass     | Access-Reject | 2010-12-17 06:43:24 |
+----+----------+--------------+---------------+---------------------+
16 rows in set (0.00 sec)
The Access-Accepts that I got here are from when I switched it to use the
/etc/passwd file.
mysql> select * from radreply;
+----+----------+-------------------+----+-----------+
| id | username | attribute         | op | value     |
+----+----------+-------------------+----+-----------+
|  1 | testuser | Framed-IP-Address | =  | 127.0.0.1 |
+----+----------+-------------------+----+-----------+
1 row in set (0.00 sec)
mysql> select * from radusergroup;
+----------+-------------+----------+
| username | groupname   | priority |
+----------+-------------+----------+
| testuser | normalusers |        1 |
+----------+-------------+----------+
1 row in set (0.00 sec)
When I start radiusd in debug mode and test from another window I get
this output.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 58605, id=234,
length=60
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[sql] expand: %{Stripped-User-Name} ->
[sql] sql_set_user escaped user --> ''
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value,
op FROM radcheck WHERE username = '' ORDER
BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username =
'' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM
radusergroup WHERE username = '' ORDER BY priority
[sql] Checking profile DEFAULT
[sql] sql_set_user escaped user --> 'DEFAULT'
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username =
'DEFAULT' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM
radusergroup WHERE username = 'DEFAULT' ORDER BY
priority
rlm_sql (sql): Released sql socket id: 3
[sql] User not found
++[sql] returns notfound
ERROR: No authenticate method (Auth-Type) found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[sql] expand: %{Stripped-User-Name} ->
[sql] sql_set_user escaped user --> ''
[sql] expand: %{User-Password} -> testpass
[sql] expand: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
( '%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO
radpostauth (username, pass, reply,
authdate) VALUES (
'testuser',
'testpass', 'Access-Reject', '2010-12-17
20:03:34')
[sql] expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO
radpostauth (username, pass, reply,
authdate) VALUES (
'testuser',
'testpass', 'Access-Reject', '2010-12-17
20:03:34')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
( 'testuser',
'testpass', 'Access-Reject', '2010-12-17
20:03:34')
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
[attr_filter.access_reject] expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 234 to 127.0.0.1 port 58605
Waking up in 4.9 seconds.
Cleaning up request 0 ID 234 with timestamp +9
Ready to process requests.
And in the window where I ran radtest I get an Access-Reject:
r...@krazy:/etc/raddb# radtest testuser testpass localhost 1812 testing123
Sending Access-Request of id 234 to 127.0.0.1 port 1812
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=234,
length=20
radtest testuser testpass localhost 1812 testing123
Sending Access-Request of id 90 to 127.0.0.1 port 1812
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=90,
length=20
I'm not sure how to fix this; I've been searching for days with no luck.
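The debug output in the post already points at the cause: %{Stripped-User-Name} expands to nothing for a plain "testuser" login, so rlm_sql runs its radcheck and radusergroup queries with username = '', never loads the MD5-Password or the group's Auth-Type, and the server ends up with no authenticate method to run. The Python below is an added example, not code from the post or from FreeRADIUS: it models the 2.x %{...} expansion including the %{%{A}:-%{B}} fallback form seen in the quoted INSERT, compares the single-attribute sql_user_name the log shows with the fallback form the stock sql.conf uses, and walks a constructed excerpt of the quoted log; the xlat and diagnose names are the example's own.

```python
import re

# Constructed excerpt of the radiusd -X output quoted in the post (re-typed, not captured live).
DEBUG_LOG = """\
[sql] expand: %{Stripped-User-Name} ->
[sql] sql_set_user escaped user --> ''
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '' ORDER BY id
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = '' ORDER BY priority
[sql] User not found
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
"""

# Attributes of the radtest request in the post; Stripped-User-Name is absent because no realm was used.
REQUEST = {"User-Name": "testuser", "User-Password": "testpass"}

BROKEN_SQL_USER_NAME = "%{Stripped-User-Name}"  # the template the post's log shows being expanded
FIXED_SQL_USER_NAME = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"  # fallback form from stock sql.conf

_INNERMOST_REF = re.compile(r"%\{([^{}]*)\}")  # a %{...} reference with no nested braces inside


def xlat(template, attrs):
    """Model of FreeRADIUS 2.x expansion: %{Attr} becomes the attribute value, or '' when the
    attribute is absent; %{%{A}:-%{B}} yields A's expansion unless it is empty, then B's.
    Innermost references are resolved first, so nested fallbacks chain naturally."""
    while True:
        m = _INNERMOST_REF.search(template)
        if m is None:
            return template
        body = m.group(1)
        if ":-" in body:                      # fallback form; both operands are already expanded
            primary, fallback = body.split(":-", 1)
            value = primary if primary else fallback
        else:                                 # plain attribute reference
            value = attrs.get(body, "")
        template = template[:m.start()] + value + template[m.end():]


def diagnose(log):
    """Return the chain of findings, in cause order, that explains the Access-Reject:
    empty SQL-User-Name -> empty-username queries -> no Auth-Type for the request."""
    findings = []
    if "sql_set_user escaped user --> ''" in log:
        findings.append("sql_user_name expanded to '' (Stripped-User-Name is not set)")
    if re.search(r"FROM (radcheck|radusergroup) WHERE username = ''", log):
        findings.append("radcheck/radusergroup were queried for username '', so nothing matched")
    if "No authenticate method (Auth-Type) found" in log:
        findings.append("no Auth-Type was loaded, so no authenticate sub-section ran")
    return findings
```

Calling xlat(FIXED_SQL_USER_NAME, REQUEST) returns 'testuser' where the single-attribute template returns '', and diagnose(DEBUG_LOG) returns the three findings in cause order.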
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html