Re: MySQL Authentication Logging

2003-08-26 Thread Kostas Kalevras
On Mon, 18 Aug 2003, Adam Carmichael wrote:

> Hi All!
>
> I'm currently running FreeRADIUS 0.9.0 on several *BSD boxes with MySQL4 for logging 
> accounting and retrieving authentication information. I am interested in knowing how 
> to log authentication attempts and even possibly why an attempt failed.
>
> For example, if we have a customer who thinks their dialup account is being 
> exploited - they can change their password, and then see if any authentication 
> requests are being made. (Actually, just thinking about it, the user would not need 
> to change their password, they could just see the times at which their logons (or 
> attempted logons) occur).
>
> I have made some Google searches on the list already, and I saw a few posts in which 
> Alan DeKok said that it is possible to do this - however the rest of the replies 
> seemed to wander away from what I had hoped.

Check out dialup_admin/bin/log_badlogins. It will do a tail -f on radius.log and
log each failed login as a separate session in the radacct table.

>
>
>
>
> Thanks in advance
>
> Adam
>
>
> Adam Carmichael
> Network Operations Manager
> email: [EMAIL PROTECTED]
> web: http://www.no1.com.au
> icq: 2207644
> 
> #1 Computer Services, Empowerment Through Internet Communications.
> 

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MySQL Authentication Logging

2003-08-20 Thread Adam Carmichael
- Original Message - 
From: "Nicolas Baradakis" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 20, 2003 6:57 PM
Subject: Re: MySQL Authentication Logging


> Adam Carmichael wrote:
>
> > I was considering relearning C/C++ all over again so I could help
> > with this just because we need this feature quite badly. I'd love to
> > finally submit something back to an opensource product, but I don't
> > think my coding skills are quite up to scratch for this kind of
> > challenge yet. I'd be more than happy to provide feedback and help
> > with testing however, and I'll help patch what I can.
>
> Thanks for the offer of assistance but I can manage the coding part
> alone. Since the architecture of FR is really clean it's not a big
> problem. And of course it is much better if you do more tests on your
> side when it's done.
>
> > Users of this might need additional features, such as the ability to
> > log other kinds of errors (such as RADIUS clients not in
> > clients.conf (or the deprecated clients file) trying to
> > authenticate, or if for example a particular NAS / LNS is running an
> > old secret) so perhaps an auth_default_log() might also be required
> > to log anything that doesn't match one of the other authentication
> > types it could be logged into a kind of table that has a few BLOB or
> > TEXT fields and places the entire log entry into that field. Another
> > scenario is if you use ENCRYPT()'ed passwords within MySQL, and a
> > user tries to log in using CHAP.
>
> While writing the patch I gave up about the "auth_badpass_table" and
> the "auth_goodpass_table". Just one "authlog_table" is sufficient, and
> you choose what you put inside with the "authlog_query".
>
> > What do you think? (with regards to the above outlined mysql logging
> > scenarios). If you'd like to further development, then I'll
> > subscribe to freeradius-developers and help out where I can.
>
> I think indeed we should follow the discussion in the freeradius-devel
> mailing list.
>
> -- 
> Nicolas Baradakis

Indeed, I'll subscribe to the list now :)

--
Adam





Re: MySQL Authentication Logging

2003-08-20 Thread Nicolas Baradakis
Adam Carmichael wrote:

> I was considering relearning C/C++ all over again so I could help
> with this just because we need this feature quite badly. I'd love to
> finally submit something back to an opensource product, but I don't
> think my coding skills are quite up to scratch for this kind of
> challenge yet. I'd be more than happy to provide feedback and help
> with testing however, and I'll help patch what I can.

Thanks for the offer of assistance but I can manage the coding part
alone. Since the architecture of FR is really clean it's not a big
problem. And of course it is much better if you do more tests on your
side when it's done.

> Users of this might need additional features, such as the ability to
> log other kinds of errors (such as RADIUS clients not in
> clients.conf (or the deprecated clients file) trying to
> authenticate, or if for example a particular NAS / LNS is running an
> old secret) so perhaps an auth_default_log() might also be required
> to log anything that doesn't match one of the other authentication
> types it could be logged into a kind of table that has a few BLOB or
> TEXT fields and places the entire log entry into that field. Another
> scenario is if you use ENCRYPT()'ed passwords within MySQL, and a
> user tries to log in using CHAP.

While writing the patch I gave up about the "auth_badpass_table" and
the "auth_goodpass_table". Just one "authlog_table" is sufficient, and
you choose what you put inside with the "authlog_query".

> What do you think? (with regards to the above outlined mysql logging
> scenarios). If you'd like to further development, then I'll
> subscribe to freeradius-developers and help out where I can.

I think indeed we should follow the discussion in the freeradius-devel
mailing list.

-- 
Nicolas Baradakis



Re: MySQL Authentication Logging

2003-08-20 Thread Adam Carmichael
Nic,

I would love to help you test this!!!

Adam

- Original Message - 
From: "Nicolas Baradakis" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 20, 2003 6:16 PM
Subject: Re: MySQL Authentication Logging


> Alan DeKok wrote:
>
> > "Adam Carmichael" <[EMAIL PROTECTED]> wrote:
> >
> > > I'm currently running FreeRADIUS 0.9.0 on several *BSD boxes with MySQL4
> > > for logging accounting and retrieving authentication information. I am
> > > interested in knowing how to log authentication attempts and even
> > > possibly why an attempt failed.
> >
> >   See the 'detail' module in the latest CVS snapshot.  It will create
> > "detail" style files for authentication requests, responses, proxied
> > packets, and replies from a home server.
> >
> >   It won't log all of the information you see in debugging mode, but
> > it will log a fair amount of useful data.
>
> It's nice to get a lot of data in the detail files, but as I already
> said before :
>
> <<<<<
> When you have multiple freeradius servers, you want to store
> authentication attempts in a database rather than a flat file.
> >>>>>
>
> I'm doing a patch in rlm_sql to put information in a "authlog table"
> after authentication. In fact it's nearly finished, but I want to
> do more tests and add more commentaries in my source.
>
> -- 
> Nicolas Baradakis
>




Re: MySQL Authentication Logging

2003-08-20 Thread Nicolas Baradakis
Alan DeKok wrote:

> "Adam Carmichael" <[EMAIL PROTECTED]> wrote:
> 
> > I'm currently running FreeRADIUS 0.9.0 on several *BSD boxes with MySQL4
> > for logging accounting and retrieving authentication information. I am
> > interested in knowing how to log authentication attempts and even
> > possibly why an attempt failed.
> 
>   See the 'detail' module in the latest CVS snapshot.  It will create
> "detail" style files for authentication requests, responses, proxied
> packets, and replies from a home server.
> 
>   It won't log all of the information you see in debugging mode, but
> it will log a fair amount of useful data.

It's nice to get a lot of data in the detail files, but as I already
said before :

<<<<<
When you have multiple freeradius servers, you want to store
authentication attempts in a database rather than a flat file.
>>>>>

I'm doing a patch in rlm_sql to put information in a "authlog table"
after authentication. In fact it's nearly finished, but I want to
do more tests and add more commentaries in my source.

-- 
Nicolas Baradakis



Re: MySQL Authentication Logging

2003-08-19 Thread Alan DeKok
"Adam Carmichael" <[EMAIL PROTECTED]> wrote:
> I'm currently running FreeRADIUS 0.9.0 on several *BSD boxes with MySQL4
> for logging accounting and retrieving authentication information. I am
> interested in knowing how to log authentication attempts and even
> possibly why an attempt failed.

  See the 'detail' module in the latest CVS snapshot.  It will create
"detail" style files for authentication requests, responses, proxied
packets, and replies from a home server.

  It won't log all of the information you see in debugging mode, but
it will log a fair amount of useful data.

  Alan DeKok.



Re: MySQL Authentication Logging

2003-08-18 Thread Adam Carmichael
Hi Nicolas,

I was considering relearning C/C++ all over again so I could help with this
just because we need this feature quite badly. I'd love to finally submit
something back to an opensource product, but I don't think my coding skills
are quite up to scratch for this kind of challenge yet. I'd be more than
happy to provide feedback and help with testing however, and I'll help patch
what I can.

Users of this might need additional features, such as the ability to log
other kinds of errors (such as RADIUS clients not in clients.conf (or the
deprecated clients file) trying to authenticate, or if for example a
particular NAS / LNS is running an old secret) so perhaps an
auth_default_log() might also be required to log anything that doesn't match
one of the other authentication types it could be logged into a kind of
table that has a few BLOB or TEXT fields and places the entire log entry
into that field. Another scenario is if you use ENCRYPT()'ed passwords
within MySQL, and a user tries to log in using CHAP.

These are just two of the kinds of problems that have plagued the last week
of my work. In the end, I just left a whole bunch of users with the Password
attribute set, and another bunch with Crypt-Password. Not very good practise
I know, but all scripts (both online and Windows based VB applications)
update the attribute field when editing / inserting a password.

What do you think? (with regards to the above outlined mysql logging
scenarios). If you'd like to further development, then I'll subscribe to
freeradius-developers and help out where I can.

Adam.

- Original Message - 
From: "Nicolas Baradakis" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 18, 2003 10:05 PM
Subject: Re: MySQL Authentication Logging


> Chris van Meerendonk wrote:
>
> > On Mon, 2003-08-18 at 05:30, Adam Carmichael wrote:
> >
> > > I'm currently running FreeRADIUS 0.9.0 on several *BSD boxes with
> > > MySQL4 for logging accounting and retrieving authentication
> > > information. I am interested in knowing how to log authentication
> > > attempts and even possibly why an attempt failed.
> >
> > I'm using a simple script that reads radius.log and puts that in a
> > mysql table that can be accessed by our helpdesk by using a simple
> > php-interface to help people with their dialin problems. Maybe you
> > can do something with it.
>
> The situation isn't so easy when you have multiple freeradius servers,
> and in that case you want to store authentication attempts in a
> database rather than a flat file.
>
> For different reasons I need also logging connection requests and I
> already thought a little about it.
>
> I'm considering writing a patch for this problem, and I would like
> advice from the developers to do it efficiently. Please correct
> me if the following doesn't make sense.
>
> The extension should be made in module rlm_sql because here you have
> all you need to connect the database and make a request (and the
> administrator may store the authcheck_table, the acct_table and the
> authentication attempts in the same db).
>
> Then in sql.conf you should add four lines with auth_badpass_table,
> auth_goodpass_table, auth_badpass_query, auth_goodpass_query (or
> something like that).
>
> We know in authentication whether the password is valid, so you have
> to enter module rlm_sql at this time. It requires to add a function
> rlm_sql_authenticate() to manage it...
>
> If I get something working from this idea I'll submit the patch in the
> mailing list later.
>
> -- 
> Nicolas Baradakis
>




Re: MySQL Authentication Logging

2003-08-18 Thread Nicolas Baradakis
Chris van Meerendonk wrote:

> On Mon, 2003-08-18 at 05:30, Adam Carmichael wrote:
> 
> > I'm currently running FreeRADIUS 0.9.0 on several *BSD boxes with
> > MySQL4 for logging accounting and retrieving authentication
> > information. I am interested in knowing how to log authentication
> > attempts and even possibly why an attempt failed.
> 
> I'm using a simple script that reads radius.log and puts that in a
> mysql table that can be accessed by our helpdesk by using a simple
> php-interface to help people with their dialin problems. Maybe you
> can do something with it.

The situation isn't so easy when you have multiple freeradius servers,
and in that case you want to store authentication attempts in a
database rather than a flat file.

For different reasons I need also logging connection requests and I
already thought a little about it.

I'm considering writing a patch for this problem, and I would like
advice from the developers to do it efficiently. Please correct
me if the following doesn't make sense.

The extension should be made in module rlm_sql because here you have
all you need to connect the database and make a request (and the
administrator may store the authcheck_table, the acct_table and the
authentication attempts in the same db).

Then in sql.conf you should add four lines with auth_badpass_table,
auth_goodpass_table, auth_badpass_query, auth_goodpass_query (or
something like that).

We know in authentication whether the password is valid, so you have
to enter module rlm_sql at this time. It requires to add a function
rlm_sql_authenticate() to manage it...

If I get something working from this idea I'll submit the patch in the
mailing list later.

-- 
Nicolas Baradakis



Re: MySQL Authentication Logging

2003-08-18 Thread Chris van Meerendonk
On Mon, 2003-08-18 at 05:30, Adam Carmichael wrote:
> Hi All!
>  
> I'm currently running FreeRADIUS 0.9.0 on several *BSD boxes with
> MySQL4 for logging accounting and retrieving authentication
> information. I am interested in knowing how to log authentication
> attempts and even possibly why an attempt failed.

I'm using a simple script that reads radius.log and puts that in a mysql
table that can be accessed by our helpdesk by using a simple
php-interface to help people with their dialin problems. Maybe you can
do something with it. 

Good luck, Chris

The db struct of radproblems is:

mysql> describe radproblems;
+------------------+--------------+------+-----+-----------------+----------------+
| Field            | Type         | Null | Key | Default         | Extra          |
+------------------+--------------+------+-----+-----------------+----------------+
| RadProblemId     | bigint(21)   |      | PRI | NULL            | auto_increment |
| UserName         | varchar(255) |      | MUL |                 |                |
| Password         | varchar(255) |      |     |                 |                |
| AuthTime         | datetime     |      |     | -00-00 00:00:00 |                |
| Realm            | varchar(64)  | YES  |     |                 |                |
| NASIPAddress     | varchar(15)  |      |     |                 |                |
| CalledStationId  | varchar(30)  |      |     |                 |                |
| CallingStationId | varchar(30)  |      | MUL |                 |                |
| TerminateCause   | varchar(64)  |      |     |                 |                |
+------------------+--------------+------+-----+-----------------+----------------+
9 rows in set (0.00 sec)

The import script:

cat /usr/local/bin/parse-radiuslog.sh 
#!/bin/sh

# Input format:
# Mon Mar 10 11:07:06 2003 : Auth: Login incorrect (rlm_ldap: Bind as user failed): [user/password] (from client nas port 16578 cli 012345678)

INFILE="/var/log/freeradius/radius.log"
TMPFILE="/var/log/freeradius/radius.tmp"
ADDTOFILE="/var/log/freeradius/radius.parsed"
SQLTMPFILE="/var/log/freeradius/radius.tmp.sql"

# Remove leftovers from a previous run
if [ -f "$TMPFILE" ]
then
    rm "$TMPFILE"
fi

if [ -f "$SQLTMPFILE" ]
then
    rm "$SQLTMPFILE"
fi

# Move the live log aside so each run only sees new entries
mv "$INFILE" "$TMPFILE"

check=`cat "${TMPFILE}" | grep 'Auth: Login incorrect'`
if [ -z "$check" ]
then echo " "; else
    cat "${TMPFILE}" | grep 'Auth: Login incorrect' | while read LINE; do
        # P1 = user name, P2 = password as typed (stored in clear text in
        # radproblems.Password); ' and " are replaced with # for the INSERT
        P1=`echo "${LINE}" | sed -e 's/^.*\[\([^/]*\).*$/\1/' -e s/\'/#/g -e s/\"/#/g`
        P2=`echo "${LINE}" | sed -e 's/^.*\(\[.*\]\).*$/\1/' -e 's/^.*\/\(.*\)]$/\1/' -e s/\'/#/g -e s/\"/#/g`
        # P1=`echo ${LINE} | sed 's/^.*\(\[.*\]\).*$/\1/'`
        # P3 = timestamp as "year-month-day time" with a numeric month (Sep is 9)
        P3=`echo "${LINE}" | awk '{print $5 "-" $2 "-" $3 " " $4}' | sed -e 's/Jan/1/' -e 's/Feb/2/' -e 's/Mar/3/' -e 's/Apr/4/' -e 's/May/5/' -e 's/Jun/6/' -e 's/Jul/7/' -e 's/Aug/8/' -e 's/Sep/9/' -e 's/Oct/10/' -e 's/Nov/11/' -e 's/Dec/12/'`
        # P4 = calling station id (the "cli" value), P5 = rlm_ldap failure reason
        P4=`echo "${LINE}" | grep ' cli ' | sed 's/^.*cli \b\([0-9]*\).*$/\1/'`
        P5=`echo "${LINE}" | grep 'rlm_ldap:' | sed 's/^.*rlm_ldap: \([A-Za-z0-9 ]*\).*$/\1/'`

        # Strip every backslash (not only the first) so none can escape a closing quote
        echo "INSERT INTO radproblems VALUES ('','${P1}','${P2}','${P3}','','','','${P4}','${P5}');" | sed 's/\\//g' >> "$SQLTMPFILE"
    done

    mysql -hyour.mysql.host -usqluser -ppassword database < "$SQLTMPFILE"

fi
# Keep the processed lines in the cumulative archive
cat "$TMPFILE" >> "$ADDTOFILE"


 
> For example, if we have a customer who thinks their dialup account is
> being exploited - they can change their password, and then see if any
> authentication requests are being made. (Actually, just thinking about
> it, the user would not need to change their password, they could just
> see the times at which their logons (or attempted logons) occur).
>  
> I have made some Google searches on the list already, and I saw a few
> posts in which Alan DeKok said that it is possible to do this -
> however the rest of the replies seemed to wander away from what I had
> hoped.
>  
>  
>  
>  
> Thanks in advance
>  
> Adam
>  
>  
> Adam Carmichael
> Network Operations Manager
> email: [EMAIL PROTECTED]
> web: http://www.no1.com.au
> icq: 2207644
> 
> #1 Computer Services, Empowerment Through Internet Communications.
> 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
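
Added example (not part of the original post, and not FreeRADIUS or dialup_admin code): the same radius.log import done with a parser and bound query parameters instead of sed and string-built SQL, so quotes in a user name cannot alter the INSERT, and with the attempted password discarded rather than stored. It assumes the log line format quoted in the script's comment above; sqlite3 stands in for MySQL so it runs offline, and the NASClient column, the function names and the sample lines are constructed for illustration.

```python
import re
import sqlite3

# Month names as they appear in radius.log timestamps, mapped to numbers.
MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Format assumed from the comment in the script above:
# Mon Mar 10 11:07:06 2003 : Auth: Login incorrect (reason): [user/password]
#   (from client nas port 16578 cli 012345678)
# The "(reason)" and "cli ..." parts are treated as optional.
LINE_RE = re.compile(
    r"^\w{3} (?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<year>\d{4}) : Auth: Login incorrect"
    r"(?: \((?P<reason>[^)]*)\))?"
    r": \[(?P<cred>.*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>[^)\s]+))?\)$"
)

# Simplified stand-in for the radproblems table; no Password column.
SCHEMA = """CREATE TABLE radproblems (
    RadProblemId     INTEGER PRIMARY KEY AUTOINCREMENT,
    UserName         TEXT NOT NULL,
    AuthTime         TEXT NOT NULL,
    NASClient        TEXT,
    CallingStationId TEXT,
    TerminateCause   TEXT)"""


def parse_line(line):
    """Return a dict for one failed-login line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None or m["mon"] not in MONTHS:
        return None
    # Split at the first "/"; the attempted password is deliberately dropped
    # so the help-desk table never holds near-miss passwords in clear text.
    user, _sep, _password = m["cred"].partition("/")
    return {
        "UserName": user,
        "AuthTime": "%s-%02d-%02d %s" % (
            m["year"], MONTHS[m["mon"]], int(m["day"]), m["time"]),
        "NASClient": m["client"],
        "CallingStationId": m["cli"] or "",
        "TerminateCause": m["reason"] or "",
    }


def load(conn, lines):
    """Insert every failed login found in lines; return how many were stored."""
    rows = [row for row in map(parse_line, lines) if row is not None]
    # Bound parameters: values are sent as data, never spliced into the SQL.
    # (MySQL drivers for Python use %(name)s / %s placeholders instead.)
    conn.executemany(
        "INSERT INTO radproblems "
        "(UserName, AuthTime, NASClient, CallingStationId, TerminateCause) "
        "VALUES (:UserName, :AuthTime, :NASClient, :CallingStationId, "
        ":TerminateCause)",
        rows,
    )
    conn.commit()
    return len(rows)


# Constructed sample input: one line in the documented format, one with SQL
# metacharacters in the credentials and no reason/cli, one unrelated line.
SAMPLE = [
    "Mon Mar 10 11:07:06 2003 : Auth: Login incorrect (rlm_ldap: Bind as user "
    "failed): [user/password] (from client nas port 16578 cli 012345678)",
    "Tue Sep  2 03:15:40 2003 : Auth: Login incorrect: [o'brien/x');--] "
    "(from client nas port 7)",
    "Tue Sep  2 03:15:41 2003 : Info: Ready to process requests.",
]

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    print(load(db, SAMPLE), "failed logins stored")
    for row in db.execute("SELECT * FROM radproblems"):
        print(row)
```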


MySQL Authentication Logging

2003-08-17 Thread Adam Carmichael



Hi All!
 
I'm currently running FreeRADIUS 0.9.0 on several 
*BSD boxes with MySQL4 for logging accounting and retrieving authentication 
information. I am interested in knowing how to log authentication attempts and 
even possibly why an attempt failed.
 
For example, if we have a customer who thinks 
their dialup account is being exploited - they can change their password, and 
then see if any authentication requests are being made. (Actually, just thinking 
about it, the user would not need to change their password, they could just 
see the times at which their logons (or attempted logons) occur).
 
I have made some Google searches on the list 
already, and I saw a few posts in which Alan DeKok said that it is possible to 
do this - however the rest of the replies seemed to wander away from what I had 
hoped.
 
 
 
 
Thanks in advance
 
Adam
 
 
Adam Carmichael
Network Operations Manager
email: [EMAIL PROTECTED]
web: http://www.no1.com.au
icq: 2207644

#1 Computer Services, Empowerment Through Internet Communications.


Mysql Authentication

2003-06-06 Thread Mauro
I'm trying to pass wins value via dhcp to a remote client using
mysql...every dhcp field seems to be passed fine (dns,IP.)except
wins ...during authentication on ras server I see the following
04:32:00: RADIUS: cisco AVPair ""ip:wins-servers=10.0.0.1"" not applied for ip

the field in the radgroupreply is

id  GroupName  Attribute     op  Value                        prio (???what is this ???)
1   adrtel     cisco-avpair  :=  "ip:wins-servers=10.0.0.1"   1    (just fill it out)

any help ?

Thanks





RE: MySQL Authentication

2003-03-24 Thread Mace . Scott
OK, it's working now.   Here is what I changed:

in sql.conf I changed from sql_user_name = "%{Stripped-User-Name}" to 
sql_user_name = "%{User-Name}"  Not sure there's a difference, but that's 
what I did...

in radius.conf in the authorize section commented out all but preprocess, 
chap, mschap, and sql.

in radius.conf in the authenticate section, commented out all but pap, 
chap, mschap, and unix.

In my radcheck table:

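mysql> select *from radcheck;
+----+----------+----------------+----+------------------------------------+
| id | UserName | Attribute      | op | Value                              |
+----+----------+----------------+----+------------------------------------+
|  4 | foo      | Crypt-Password | := | $1$HuWuTTVg$GqVJ5SOZfZqBn3F0gcAp// |
|  3 | scotty   | Password       | == | testing                            |
+----+----------+----------------+----+------------------------------------+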

Both of which work just fine.

Now off to figure out how to get this to work with our Cisco VPN 3000, and 
certificates...





Scott Mace
Network Administrator
TravelCenters of America
24601 Center Ridge Rd.
Westlake, OH 44145
440-808-4318




RE: MySQL Authentication

2003-03-24 Thread Scott Bartlett
Scott,

Hmmm Does your sqltrace file give any clues? That'll show the actual
SQL which is executing against the database... 

Scott.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] 
> Posted At: Monday, March 24, 2003 1:42 PM
> Posted To: FreeRadius
> Conversation: MySQL Authentication
> Subject: RE: MySQL Authentication
> 
> 
> Well, I used the Dialup Admin tool with the default setting
> of using crypt 
> passwords. 
> 
> Here's my DB info, thanks for your help!
> 

 
---
This message (and any associated files) is intended only for the 
use of the individual or entity to which it is addressed and may 
contain information that is confidential, subject to copyright or
constitutes a trade secret. If you are not the intended recipient 
you are hereby notified that any dissemination, copying or 
distribution of this message, or files associated with this message, 
is strictly prohibited. If you have received this message in error, 
please notify us immediately by replying to the message and deleting 
it from your computer. Messages sent to and from us may be monitored. 

Internet communications cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, destroyed, arrive 
late or incomplete, or contain viruses. Therefore, we do not accept 
responsibility for any errors or omissions that are present in this 
message, or any attachment, that have arisen as a result of e-mail 
transmission. If verification is required, please request a hard-copy 
version. Any views or opinions presented are solely those of the author 
and do not necessarily represent those of BTA Ltd.



RE: MySQL Authentication

2003-03-24 Thread Mace . Scott
Well, I used the Dialup Admin tool with the default setting of using crypt 
passwords. 

Here's my DB info, thanks for your help!

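mysql> select *from radcheck;
+----+----------+----------------+----+------------------------------------+
| id | UserName | Attribute      | op | Value                              |
+----+----------+----------------+----+------------------------------------+
|  3 | scotty   | Crypt-Password | := | $1$k.732Mhx$oNSh46n4YSq7NvAsGQnIu. |
+----+----------+----------------+----+------------------------------------+
1 row in set (0.00 sec)

mysql> select *from radreply;
+----+----------+-----------------+----+-------+
| id | UserName | Attribute       | op | Value |
+----+----------+-----------------+----+-------+
|  1 | scotty   | Framed-Protocol | =  | PPP   |
+----+----------+-----------------+----+-------+
1 row in set (0.01 sec)

mysql> select *from radgroupcheck;
+----+-----------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-------+
|  1 | test      | Auth-Type | := | Local |
+----+-----------+-----------+----+-------+
1 row in set (0.01 sec)

mysql> select *from usergroup;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  2 | scotty   | test      |
+----+----------+-----------+
1 row in set (0.00 sec)

mysql> select *from radgroupreply;
+----+-----------+--------------------+----+---------------------+------+
| id | GroupName | Attribute          | op | Value               | prio |
+----+-----------+--------------------+----+---------------------+------+
|  1 | test      | Framed-Compression | := | Van-Jacobsen-TCP-IP |    1 |
|  2 | test      | Framed-Protocol    | := | PPP                 |    1 |
|  3 | test      | Service-Type       | := | Framed-User         |    1 |
+----+-----------+--------------------+----+---------------------+------+
3 rows in set (0.00 sec)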


Scott Mace
Network Administrator
TravelCenters of America
24601 Center Ridge Rd.
Westlake, OH 44145
440-808-4318





"Scott Bartlett" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/22/2003 05:54 AM
Please respond to freeradius-users

 
To: <[EMAIL PROTECTED]>
    cc: 
    Subject:RE: MySQL Authentication


Scott,

Your debug notes you've got PAP encryption set - is this the issue?  I'd
try with it set to 'clear' first if I were you, then go from there once
that works...

Can you post examples of what you've got in the database? 

SB

Scott Bartlett
BTA Limited, 100 High Street Wandsworth, London SW18 4LA, United Kingdom
e: [EMAIL PROTECTED]v: +44 (0)20 8871 4240  f: +44 (0)20 8871 4584

Network Consultancy and Support for Windows, MacOS and Linux.
Internet connectivity, solutions, web/database development and business
services.<http://www.bta.com>.












Re: MySQL Authentication

2003-03-24 Thread Mace . Scott
Would it be possible to let me look at your config?  Maybe a sample user 
from your database?  (No user id's/passwords/ip addresses of course)








Scott Mace
Network Administrator
TravelCenters of America
24601 Center Ridge Rd.
Westlake, OH 44145
440-808-4318





Pablo Veliz <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/21/2003 07:29 PM
Please respond to freeradius-users

 
To: [EMAIL PROTECTED]
cc: 
Subject:    Re: MySQL Authentication


On Fri, 21 Mar 2003 17:31:16 -0500
[EMAIL PROTECTED] wrote:

> I've seen quite a few messages in the archives regarding different issues
> with MySQL authentication.  I can get nothing to work.  I tried this
> patch,
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg12306.html
> and this patch,
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg14684.html
> (which wouldn't apply properly, I'm no programmer) and I still can't get
> MySQL authentication to work.  I used the instructions here:
> http://www.frontios.com/freeradius.html and got authentication working
> just fine with using the users file.  I can get accounting info into my
> database, but the rlm_mysql doesn't seem to be connecting to the db at
> all, which indicates the port issue described in the second patch thread I
> listed.
>
 
I don't know how to help you, but I can tell you that I installed 
freeRadius 0.8.1 in Mandrake 9.0
and I have it working without problem right now. I use only mysql for auth 
and acct, maybe my radius.conf can give you a clue.
I must say that my "users" file is empty.



I'm planning to move this to a RH7.0 server or maybe a RH8.0

-- 
Pablo Veliz



Re: MySQL Authentication

2003-03-24 Thread Mace . Scott
Ok, tried that, no change.  Thanks anyway.  BTW, am I incorrect in 
assuming that these are tried in order until a) they all fail, or b) one 
is successful?








Scott Mace
Network Administrator
TravelCenters of America
24601 Center Ridge Rd.
Westlake, OH 44145
440-808-4318





"Ed H" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/21/2003 07:05 PM
Please respond to freeradius-users

 
To: [EMAIL PROTECTED]
cc: 
Subject:    Re: MySQL Authentication


Hello Scott:

It looks like you might be trying to use unix passwd/shadow authentication
and sql both.  Make sure your radiusd.conf file comments out all references
to unix, and file. Should look something similar to this (this is just an
example):

authenticate {
        authtype PAP {
                pap
        }
        authtype CHAP {
                chap
        }
#       pam
#       unix
#       authtype LDAP {
#               ldap
#       }
#       eap
}
preacct {
        preprocess
        suffix
#       files
}
accounting {
#       acct_unique
#       detail
#       counter
#       unix    # wtmp file
        sql
#       radutmp
#       sradutmp
}
session {
#       radutmp
        sql
}



Ed





RE: MySQL Authentication

2003-03-22 Thread Scott Bartlett
Scott,

Your debug notes you've got PAP encryption set - is this the issue?  I'd
try with it set to 'clear' first if I were you, then go from there once
that works...

Can you post examples of what you've got in the database? 

SB

Scott Bartlett
BTA Limited, 100 High Street Wandsworth, London SW18 4LA, United Kingdom
e: [EMAIL PROTECTED]v: +44 (0)20 8871 4240  f: +44 (0)20 8871 4584

Network Consultancy and Support for Windows, MacOS and Linux.
Internet connectivity, solutions, web/database development and business
services.<http://www.bta.com>.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
Posted At: 21 March 2003 22:31
Posted To: FreeRadius
Conversation: MySQL Authentication
Subject: MySQL Authentication

I've seen quite a few messages in the archives regarding different issues
with MySQL authentication.  I can get nothing to work.  I tried this
patch,
http://www.mail-archive.com/[EMAIL PROTECTED]/msg12306.html
and this patch,
http://www.mail-archive.com/[EMAIL PROTECTED]/msg14684.html
(which wouldn't apply properly, I'm no programmer) and I still can't get
MySQL authentication to work.  I used the instructions here:
http://www.frontios.com/freeradius.html and got authentication working
just fine with using the users file.  I can get accounting info into my
database, but the rlm_mysql doesn't seem to be connecting to the db at
all, which indicates the port issue described in the second patch thread I
listed.

I tried the CVS snapshot from the ftp site, and the 0.8.1 release, both
yield the exact results.  I now am using the 0.8.1 release

Other info:

Module: Loaded PAP
 pap: encryption_scheme = "crypt"

 


Re: MySQL Authentication

2003-03-21 Thread Pablo Veliz
On Fri, 21 Mar 2003 17:31:16 -0500
[EMAIL PROTECTED] wrote:

> I've seen quite a few messages in the archives regarding different issues 
> with MySQL authentication.  I can get nothing to work.  I tried this 
> patch, 
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg12306.html 
> and this patch, 
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg14684.html 
> (which wouldn't apply properly, I'm no programmer) and I still can't get 
> MySQL authentication to work.  I used the instructions here: 
> http://www.frontios.com/freeradius.html and got authentication working 
> just fine with using the users file.  I can get accounting info into my 
> database, but the rlm_mysql doesn't seem to be connecting to the db at 
> all, which indicates the port issue described in the second patch thread I 
> listed. 
> 

I don't know how to help you, but I can tell you that I installed freeRadius 0.8.1 in
Mandrake 9.0 and I have it working without problem right now. I use only mysql for
auth and acct, maybe my radius.conf can give you a clue.
I must say that my "users" file is empty.

--- radius.conf --- 
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = yes
lower_user = no
lower_pass = no
nospace_user = yes
nospace_pass = yes
checkrad = ${sbindir}/checkrad
security {
max_attributes = 1200
reject_delay = 1
status_server = no
}
proxy_requests  = no
$INCLUDE  ${confdir}/clients.conf
$INCLUDE  ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
realm suffix {
format = suffix
delimiter = "@"
}
realm realmslash {
format = prefix
delimiter = "/"
}
realm realmpercent {
format = suffix
delimiter = "%"
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
}
$INCLUDE  ${confdir}/sql.conf
radutmp {
filename = ${logdir}/radutmp
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter {
filename = ${raddbdir}/db.counter
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
}
instantiate {
expr
}
authorize {
preprocess
suffix
sql 
files
}
authenticate {
authtype PAP {
pap
}
}
preacct {
preprocess
suffix
files
}
accounting {
acct_unique

Re: MySQL Authentication

2003-03-21 Thread Ed H
Hello Scott:

It looks like you might be trying to use unix passwd/shadow authentication 
and sql both.  Make sure your radiusd.conf file comments out all references 
to unix, and file. Should look something similar to this (this is just an 
example):

authenticate {
   authtype PAP {
   pap
   }
   authtype CHAP {
   chap
   }
#   pam
#   unix
#   authtype LDAP {
#   ldap
#   }
#   eap
}
preacct {
   preprocess
   suffix
#   files
}
accounting {
#   acct_unique
#   detail
#   counter
#   unix# wtmp file
   sql
#   radutmp
#   sradutmp
}
session {
#   radutmp
   sql
}


Ed





From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: MySQL Authentication
Date: Fri, 21 Mar 2003 17:31:16 -0500
I've seen quite a few messages in the archives regarding different issues
with MySQL authentication.  I can get nothing to work.  I tried this
patch,
http://www.mail-archive.com/[EMAIL PROTECTED]/msg12306.html
and this patch,
http://www.mail-archive.com/[EMAIL PROTECTED]/msg14684.html
(which wouldn't apply properly, I'm no programmer) and I still can't get
MySQL authentication to work.  I used the instructions here:
http://www.frontios.com/freeradius.html and got authentication working
just fine with using the users file.  I can get accounting info into my
database, but the rlm_mysql doesn't seem to be connecting to the db at
all, which indicates the port issue described in the second patch thread I
listed.
I tried the CVS snapshot from the ftp site, and the 0.8.1 release, both
yield the exact results.  I now am using the 0.8.1 release.
Other info:
RedHat 8.0
MySQL related:
mod_auth_mysql-1.11-10
mysql-server-3.23.54a-4
mysql-devel-3.23.54a-4
libdbi-dbd-mysql-0.6.5-2
mysql-3.23.54a-4
php-mysql-4.2.2-8.0.7
Any ideas?

Initialization log

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: servers_per_realm = 15
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: ignore_password = no
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = yes
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/r

MySQL Authentication

2003-03-21 Thread Mace . Scott
I've seen quite a few messages in the archives regarding different issues 
with MySQL authentication.  I can get nothing to work.  I tried this 
patch, 
http://www.mail-archive.com/[EMAIL PROTECTED]/msg12306.html 
and this patch, 
http://www.mail-archive.com/[EMAIL PROTECTED]/msg14684.html 
(which wouldn't apply properly, I'm no programmer) and I still can't get 
MySQL authentication to work.  I used the instructions here: 
http://www.frontios.com/freeradius.html and got authentication working 
just fine with using the users file.  I can get accounting info into my 
database, but the rlm_mysql doesn't seem to be connecting to the db at 
all, which indicates the port issue described in the second patch thread I 
listed. 

I tried the CVS snapshot from the ftp site, and the 0.8.1 release, both 
yield the exact results.  I now am using the 0.8.1 release.

Other info:
RedHat 8.0

MySQL related:
mod_auth_mysql-1.11-10
mysql-server-3.23.54a-4
mysql-devel-3.23.54a-4
libdbi-dbd-mysql-0.6.5-2
mysql-3.23.54a-4
php-mysql-4.2.2-8.0.7


Any ideas?


Initialization log


Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: servers_per_realm = 15
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: ignore_password = no
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = yes
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded SQL
 sql: driver = "rlm_sql_mysql"
 sql: server = "lnxradius01.ta.com"
 sql: port = ""
 sql: login = "dialup_admin"
 sql: password = ""
 sql: radius_db = "radius"
 sql: acct_table = "radacct"
 sql: acct_table2 = "radacct"
 sql: authcheck_table = "radcheck"
 sql: authreply_table = "radreply"
 sql: groupcheck_table = "radgroupcheck"
 sql: groupreply_table = "radgroupreply"
 sql: usergroup_table = "usergroup"
 sql: nas_table = "nas"
 sql: dict_table = "dictionary"
 sql: sqltrace = yes
 sql: sqltracefile = "/var

Re: Mysql Authentication

2003-01-22 Thread Ossama Suleiman




Alan DeKok wrote:

> Ossama Suleiman <[EMAIL PROTECTED]> wrote:
> > i am using freeradius 0.8.1 with Redhat 8.0, i wanted to use mysql
> > authentication, the problem is that i want to authenticate users
> > depending on Calling-Station-Id, so i added an entry (blank username)
>
>   Why?  What's wrong with the DEFAULT configuration?

When using the DEFAULT entry with the users file there is no problem
at all, but when using it with mysql i got the error message mentioned
before below

> > -i got the following error message that the user-name can't be blank:
> > --
> > rlm_sql (sql): zero length username not permitted
>
>   Exactly.  Use DEFAULT.

i tried the DEFAULT value, my table looks like this:

+----+----------+----------------+--------+----+
| id | UserName | Attribute      | Value  | op |
+----+----------+----------------+--------+----+
|  1 | DEFAULT  | Auth-Type      | Accept | := |
|  2 | DEFAULT  | Huntgroup-Name | test   | == |
+----+----------+----------------+--------+----+

but as i said before, this configuration is not working and it still
complains about zero length username.

when i commented out that section in rlm_sql.c and replaced the default
entry with a blank entry it worked correctly.
my table looked like this in that case:

+----+----------+----------------+--------+----+
| id | UserName | Attribute      | Value  | op |
+----+----------+----------------+--------+----+
|  1 |          | Auth-Type      | Accept | := |
|  2 |          | Huntgroup-Name | test   | == |
+----+----------+----------------+--------+----+

this is working fine, and checking the calling-station-id listed in the
huntgroup file

> > could somebody correct me if this contains mistakes??
>
>   You're doing too much work, and ignoring the examples which tell you
> about the DEFAULT user.
>
>   Alan DeKok.

sorry for all the trouble, and resending it
Ossama




Re: Mysql Authentication

2003-01-20 Thread Ossama Suleiman






Alan DeKok wrote:

> Ossama Suleiman <[EMAIL PROTECTED]> wrote:
> > i am using freeradius 0.8.1 with Redhat 8.0, i wanted to use mysql
> > authentication, the problem is that i want to authenticate users
> > depending on Calling-Station-Id, so i added an entry (blank username)
>
>   Why?  What's wrong with the DEFAULT configuration?

When using the DEFAULT entry with the users file there is no
problem at all, but when using it with mysql i got the error message
mentioned before below

> > -i got the following error message that the user-name can't be blank:
> > --
> > rlm_sql (sql): zero length username not permitted
>
>   Exactly.  Use DEFAULT.

i tried the DEFAULT value, my table looks like this:

+----+----------+----------------+--------+----+
| id | UserName | Attribute      | Value  | op |
+----+----------+----------------+--------+----+
|  1 | DEFAULT  | Auth-Type      | Accept | := |
|  2 | DEFAULT  | Huntgroup-Name | test   | == |
+----+----------+----------------+--------+----+

but as i said before, this configuration is not working and it still
complains about zero length username.

when i commented out that section in rlm_sql.c and replaced the default
entry with a blank entry it worked correctly.
my table looked like this in that case:

+----+----------+----------------+--------+----+
| id | UserName | Attribute      | Value  | op |
+----+----------+----------------+--------+----+
|  1 |          | Auth-Type      | Accept | := |
|  2 |          | Huntgroup-Name | test   | == |
+----+----------+----------------+--------+----+

this is working fine, and checking the calling-station-id listed in the
huntgroup file

> > could somebody correct me if this contains mistakes??
>
>   You're doing too much work, and ignoring the examples which tell you
> about the DEFAULT user.
>
>   Alan DeKok.

sorry for all the trouble.
Ossama







Re: Mysql Authentication

2003-01-16 Thread Alan DeKok
Ossama Suleiman <[EMAIL PROTECTED]> wrote:
> i am using freeradius 0.8.1 with Redhat 8.0, i wanted to use mysql 
> authentication, the problem is that i want to authenticate users 
> depending on Calling-Station-Id, so i added an entry (blank username) 

  Why?  What's wrong with the DEFAULT configuration?

> -i got the following error message that the user-name can't be blank:
> --
> rlm_sql (sql): zero length username not permitted

  Exactly.  Use DEFAULT.

> could somebody correct me if this contains mistakes??

  You're doing too much work, and ignoring the examples which tell you
about the DEFAULT user.

  Alan DeKok.




Mysql Authentication

2003-01-16 Thread Ossama Suleiman
Hi,

   i am using freeradius 0.8.1 with Redhat 8.0, i wanted to use mysql 
authentication, the problem is that i want to authenticate users 
depending on Calling-Station-Id, so i added an entry (blank username) 
into the table radcheck with Auth-Type=Accept and added another 
attribute Calling-Station-Id=123456, and tried to authenticate that user 
using NTRadPing and Radius in debugging mode

-i got the following error message that the user-name can't be blank:
--
rlm_sql (sql): zero length username not permitted
 modcall[authorize]: module "sql" returns invalid
modcall: group authorize returns invalid
--

-so i edited src/modules/rlm_sql/rlm_sql.c and commented out the 
following lines so not to check for a zero username, lines: 468-472
-
465:/*
466:*They MUST have a username to do SQL authorization.
467:*/
468://if ((request->username == NULL) ||
469://(request->username->length == 0)) {
470://radlog(L_ERR, "rlm_sql (%s): zero length username not permitted\n", inst->config->xlat_name);
471://return RLM_MODULE_INVALID;
472://}


-the error message changed :
---
radius_xlat:  ''
 modcall[authorize]: module "sql" returns fail
modcall: group authorize returns fail
---

so i edited it once again and commented out lines: 483,484
--
483://   if (sql_set_user(inst, request, sqlusername, NULL) < 0)
484://   return RLM_MODULE_INVALID;


this seemed to be working correctly, everything else seems to be working too

could somebody correct me if this contains mistakes??

is it also please possible to add this as an option to the source code 
of freeradius, cause i always upgrade to the latest version of freeradius 
and don't want to edit the code everytime on a working environment

Thanks for your help
Best Regards
Ossama Suleiman




mysql authentication with multiple CLIs

2002-10-25 Thread Mark Terry
All,
i'm using freeradius with mysql to authenticate users based on username, 
password, and their calling station id.

but now i have some users that wish to dial up from two or more different 
CLIs.

I need a bit of help on setting up the database records in the radcheck 
table, this is what i am using at the moment, is this correct?

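+------+----------+--------------------+----------+------+
| id   | UserName | Attribute          | Value    | op   |
+------+----------+--------------------+----------+------+
|   35 | 102523   | User-Password      | password | NULL |
|   36 | 102523   | Calling-Station-Id | 123456   | NULL |
| 1152 | 102523   | Calling-Station-Id | 123457   | NULL |
+------+----------+--------------------+----------+------+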

or should it be like this, using two separate records:

+------+----------+--------------------+----------+------+
| id   | UserName | Attribute          | Value    | op   |
+------+----------+--------------------+----------+------+
|   35 | 102523   | User-Password      | password | NULL |
|   36 | 102523   | Calling-Station-Id | 123456   | NULL |
| 1151 | 102523   | User-Password      | password | NULL |
| 1152 | 102523   | Calling-Station-Id | 123457   | NULL |
+------+----------+--------------------+----------+------+

do i need a value in the last "op" field?

thanks in advance.

Mark

-- 

http://www.thedumbterminal.co.uk




Re: MySql authentication fails

2002-10-10 Thread Alan DeKok

"Valakos Yorgos" <[EMAIL PROTECTED]> wrote:
> I have a SuSe Linux 8.0 on Intel system and and 0.7.1 freeradius and
> latest version of MySql . When I try to authenticate a user against my
> passwd and shadow file it works but it doesn't when I try the same with
> users inserted in radius database (radcheck , etc) and auth type = sql

  Don't use Auth-Type := SQL, there's no such thing.

  See the mailing list archives for lots more information.

  Alan DeKok.




MySql authentication fails

2002-10-10 Thread Valakos Yorgos

Dear friends 


I am totally newbie -yet fascinated - in both the linux and Freeradius
stuff so I beg you to bear with me.

I have a SuSe Linux 8.0 on Intel system and 0.7.1 freeradius and
latest version of MySql. When I try to authenticate a user against my
passwd and shadow file it works but it doesn't when I try the same with
users inserted in radius database (radcheck, etc) and auth type = sql.
Below is the output of the debugging. Any help?


_


Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
read_config_files:  reading dictionary
read_config_files:  reading clients
read_config_files:  reading realms
read_config_files:  reading naslist
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_auth = no
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 main: debug_level = 0
read_config_files:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded System 
 unix: cache = yes
 unix: passwd = "/etc/passwd"
 unix: shadow = "/etc/shadow"
 unix: group = "/etc/group"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
Module: Instantiated unix (unix) 
Module: Loaded MS-CHAP 
 mschap: ignore_password = no
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap) 
Module: Loaded PAP 
 pap: encryption_scheme = "clear"
Module: Instantiated pap (pap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix) 
Module: Loaded files 
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: compat = "no"
Module: Instantiated files (files) 
Module: Loaded detail 
 detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail) 
Module: Loaded SQL 
 sql: driver = "rlm_sql_mysql"
 sql: server = "localhost"
 sql: port = ""
 sql: login = "root"
 sql: password = "myrootpasswd"
 sql: radius_db = "radius"
 sql: acct_table = "radacct"
 sql: acct_table2 = "radacct"
 sql: authcheck_table = "radcheck"
 sql: authreply_table = "radreply"
 sql: groupcheck_table = "radgroupcheck"
 sql: groupreply_table = "radgroupreply"
 sql: usergroup_table = "usergroup"
 sql: nas_table = "nas"
 sql: dict_table = "dictionary"
 sql: sqltrace = yes
 sql: sqltracefile = "/usr/local/var/log/radius/sqltrace.sql"
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = "%{User-Name}"
 sql: authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
 sql: authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
 sql: authorize_group_check_query = "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id"
 sql: authorize_group_reply_query = "SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id"
 sql: authenticate_query = "SELECT Value,Attribute FROM radcheck WHERE UserName = '%{

Re: Freeradius/MySQL Authentication Problem

2002-09-11 Thread NetNITCO Systems Administration

>
>   If you want it to look at the 'users' file, then, absolutely.
>

Since I didn't care for it to look at the 'users' file, then the entry of:

|  3 | DialUp| Auth-Type| PAP   | :=   |

in the 'radgroupcheck' table should have taken care of the Auth-Type issue, 
correct?  

The list of my MySQL tables can be seen in the post to this list with subject 
'freeradius/mysql unable to ascertain Auth-Type from mysql'

Thanks,

--Josh Snyder
NetNITCO Systems Administration




Re: Freeradius/MySQL Authentication Problem

2002-09-11 Thread Alan DeKok

NetNITCO Systems Administration <[EMAIL PROTECTED]> wrote:
> I was however under the impression that 'Auth-Type' would be
> retrieved from the 'radgroupcheck' table for the group my test user
> is associated with under MySQL rather than the users file.  Is that
> not the case?

  Yes.

>  Do I in fact need to add 'files' under the 'authorize' or
> 'authenticate' sections?

  If you want it to look at the 'users' file, then, absolutely.

  Alan DeKok.




Re: Freeradius/MySQL Authentication Problem

2002-09-11 Thread NetNITCO Systems Administration

>
>   I don't know.  Read the debugging output of the server.  Is it even
> looking at that line from 'users'?
>

I have killed and restarted radius with debugging and tried authenticating.  I 
have not seen any mention of the users file or the loading of any of the 
DEFAULT values specified in the users file.

Just for testing sake, I manually ran all of the sql queries that were 
displayed during the login and they all returned what I believe to be the 
appropriate data from the MySQL database so I do not believe that is the 
issue.  

In reading the comments in radiusd.conf, it appears that the users file is 
defined in the 'files' module and looking at the comments under 
'authenticate' in the 'authtype PAP' section, it states, "...extract user 
passwords...(LDAP,SQL, etc).  You should use the 'files' module to set 
'Auth-Type := PAP' for this to work."

I was however under the impression that 'Auth-Type' would be retrieved from 
the 'radgroupcheck' table for the group my test user is associated with under 
MySQL rather than the users file.  Is that not the case?  Do I in fact need 
to add 'files' under the 'authorize' or 'authenticate' sections?

Thanks,

--Josh Snyder
NetNITCO Systems Administration




Re: Freeradius/MySQL Authentication Problem

2002-09-11 Thread Alan DeKok

NetNITCO Systems Administration <[EMAIL PROTECTED]> wrote:
> Ok, that is what I have.  Do you have any ideas why radius appears
> to still be unable to determine an Auth-Type when trying to
> authenticate the user?

  I don't know.  Read the debugging output of the server.  Is it even
looking at that line from 'users'?

  Alan DeKok.




Re: Freeradius/MySQL Authentication Problem

2002-09-11 Thread NetNITCO Systems Administration

>
>   Yes.
>

Ok, that is what I have.  Do you have any ideas why radius appears to still be 
unable to determine an Auth-Type when trying to authenticate the user?

--Josh Snyder
NetNITCO Systems Administration




Re: Freeradius/MySQL Authentication Problem

2002-09-11 Thread Alan DeKok

NetNITCO Systems Administration <[EMAIL PROTECTED]> wrote:
> I currently have the following in the users file:
> 
> DEFAULT Auth-Type := PAP
> Fall-Through = 1
...
> Is this what you were talking about Alan?

  Yes.

  Alan DeKok.




Re: Freeradius/MySQL Authentication Problem

2002-09-11 Thread NetNITCO Systems Administration

>
>   Read the 'users' file that comes with the server.
>
>   The Auth-Type attribute tells the server HOW the user is to be
> authenticated.
>

I currently have the following in the users file:

DEFAULT Auth-Type := PAP
Fall-Through = 1

DEFAULT Service-Type == Framed-User
Framed-IP-Address = 255.255.255.254,
Framed-MTU = 1500,
Service-Type = Framed-User,
Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP


Is this what you were talking about Alan?

--Josh Snyder
NetNITCO Systems Administration




Re: Freeradius/MySQL Authentication Problem

2002-09-11 Thread Alan DeKok

>  Alright, everything seems to be working fine now from my previous
> post regarding initial configuration of Freeradius 0.7 and MySQL,
> however, now I cannot authenticate a user.  I'm not sure what I'm
> supposed to set Auth-Type to or where I'm supposed to set it.

  Read the 'users' file that comes with the server.

  The Auth-Type attribute tells the server HOW the user is to be
authenticated.

  Alan DeKok.




Freeradius/MySQL Authentication Problem

2002-09-10 Thread NetNITCO Systems Administration

Alright, everything seems to be working fine now from my previous post 
regarding initial configuration of Freeradius 0.7 and MySQL, however, now I 
cannot authenticate a user.  I'm not sure what I'm supposed to set Auth-Type 
to or where I'm supposed to set it.  I want to just use PAP clear text 
authentication for testing and use unix crypt later.  I get the following 
when trying to authenticate a user:

rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1645, id=30, 
length=159
User-Name = "test1"
User-Password = 
"Z\224\356\032\221\344\016\004\235\\|\007\025\210\016\240"
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 14081
Acct-Session-Id = "test11"
USR-Interface-Index = 0
USR-Supports-Tags = 0
USR-Chassis-Call-Slot = 56
USR-Chassis-Call-Span = 1
USR-Chassis-Call-Channel = 1
USR-Connect-Speed = NONE
Calling-Station-Id = ""
Called-Station-Id = ""
NAS-Port-Type = Virtual
modcall: entering group authorize
   modcall[authorize]: module "preprocess" returns ok
  rlm_realm: Looking up realm NULL for User-Name = "test1"
  rlm_realm: No such realm NULL
   modcall[authorize]: module "suffix" returns noop
radius_xlat: 'test1'
sql_set_user: escaped user --> 'test1'
radius_xlat: 
radius_xlat: 
radius_xlat: 
radius_xlat: 
rlm_sql: Pairs do not match [test1]
rlm_sql: Released sql socket id: 4
  modcall[authorize]: module "sql" returns notfound
modcall: group authorize returns ok
auth: No authenticate method(Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.

I have set the following in radiusd.conf:

pap {
        encryption_scheme = clear
}
authorize {
        preprocess
        suffix
        sql
}
authenticate {
        authtype PAP {
                pap
        }
}
preacct {
        preprocess
        suffix
}
accounting {
        detail
        sql
        radutmp
}
session {
        sql
}

I have the following setup in users:

DEFAULT Auth-Type := PAP

I also have the following entry in the radgroupreply table for the group that 
my test accounts are associated with:

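+----+-----------+-----------+-------+------+------+
| id | GroupName | Attribute | Value | op   | prio |
+----+-----------+-----------+-------+------+------+
|  8 | DialUp    | Auth-Type | PAP   | NULL |    0 |
+----+-----------+-----------+-------+------+------+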

I'm not sure if any of this is correct.  Anybody have any ideas?  I apologize
if I included any unnecessary log information, but I wasn't sure what would be
of importance.

Thanks,

--Josh Snyder
NetNITCO Systems Administration





Re: mysql authentication

2002-07-25 Thread Chris Parker

At 02:07 AM 7/26/2002 +0800, Ador Dauz wrote:
>Thanks Chris...
>I have a question again. In the tables radcheck, radgroupcheck and
>radreply there's a field called "op". What's this for? Also, in
>radgroupreply there's a field called "prio". I don't know what I should put
>in those fields.

This field is for the operator.  See the 'users' man page for a description
of each operator.

Or check the list archives.

-Chris

--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Re: mysql authentication

2002-07-25 Thread Ador Dauz

Thanks Chris...
I have a question again. In the tables radcheck, radgroupcheck and
radreply there's a field called "op". What's this for? Also, in
radgroupreply there's a field called "prio". I don't know what I should put
in those fields.

Thanks again,
-ador


On Friday 26 July 2002 01:29, you wrote:
> At 01:24 AM 7/26/2002 +0800, Ador Dauz wrote:
> >Hello all,
> >Need help please, I can't make it my MySql configuration.
> >I got these messages when I run radiusd -x
> >
> >Module: Instantiated sql (sql)
> >radiusd.conf: "SQL" modules aren't allowed in 'authenticate' sections --
> > they have no such method.
>
> Yup, do what it says, and remove 'sql' from the 'authenticate' section
> of your radiusd.conf file.
>
> -Chris




Re: mysql authentication

2002-07-25 Thread Chris Parker

At 01:24 AM 7/26/2002 +0800, Ador Dauz wrote:
>Hello all,
>Need help please, I can't make it my MySql configuration.
>I got these messages when I run radiusd -x
>
>Module: Instantiated sql (sql)
>radiusd.conf: "SQL" modules aren't allowed in 'authenticate' sections -- they
>have no such method.

Yup, do what it says, and remove 'sql' from the 'authenticate' section
of your radiusd.conf file.

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






mysql authentication

2002-07-25 Thread Ador Dauz

Hello all,
Need help please, I can't make it my MySql configuration.
I got these messages when I run radiusd -x


Starting - reading configuration files ...
Module: Loaded System 
HASH:  Reinitializing hash structures and lists for caching...
HASH:  Stored 31 entries from /etc/passwd
HASH:  Stored 40 entries from /etc/group
Module: Instantiated unix (unix) 
Module: Loaded SQL 
rlm_sql: Driver rlm_sql_mysql loaded and linked
rlm_sql: Attempting to connect to root@localhost:/radius
rlm_sql:  Connected new DB handle, #0
rlm_sql:  Connected new DB handle, #1
rlm_sql:  Connected new DB handle, #2
rlm_sql:  Connected new DB handle, #3
rlm_sql:  Connected new DB handle, #4
Module: Instantiated sql (sql) 
radiusd.conf: "SQL" modules aren't allowed in 'authenticate' sections -- they 
have no such method.


Thanks a lot,
--ador




Re: Problems with MySQL authentication

2002-05-31 Thread Nick Davis

> > root@localhost# radtest radman2 testing localhost 10  2  hostname>
> > Sending Access-Request of id 128 to 127.0.0.1:1812
> > User-Name = "radman2"
> > User-Password = "\2529M\234\353,\006w\2657K\346m\301\022@"
> > NAS-IP-Address = 
> > NAS-Port-Id = "10"
> > Framed-Protocol = PPP
> > rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=128,
> > length=20 rad_decode: Received Access-Reject packet from 127.0.0.1 with
> > invalid signature!   
> > ^^^
>
>   ^
>
> > output from radiusd -X
>
> [...]
>
> >   WARNING: Unprintable characters in the password. ?  Double-check the
> > shared secret on the server and the NAS!
> >
> > 
> > This WARNING says check my secret, but I know that is correct for sure.
> > From
>
> Are you _really really_ sure you have your shared secret correct? Both
> the "invalid signature" error radtest gives and the warning from radiusd
> indicate that the shared secrets don't match.
> Could you paste the relevant section from raddb/clients.conf?

You were correct in saying that I used an incorrect secret. I looked at my 
clients.conf and I saw that there are different secrets for localhost, and my 
NAS's. I guess I didn't understand that I needed to use the secret for 
localhost; I was using the secret for my NAS. Once I used the secret for
localhost, everything works great!!

Thanks for the excellent support everyone!

Nick

-- 
Nick Davis 
Associate Systems Administrator 
[EMAIL PROTECTED] 
Internet Exposure, Inc. 
http://www.iexposure.com  

(612)676-1946 
Web Development-Web Marketing-ISP Services

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
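
The mismatch diagnosed in this thread, reproduced as an added example (not code from the thread or from FreeRADIUS): RFC 2865 hides User-Password with an MD5 keystream derived from the shared secret, and signs replies with the same secret, so a wrong secret produces both the garbage password seen by radiusd and the "invalid signature" seen by radtest. The secrets, the fixed Request Authenticator and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def _xor_block(block: bytes, secret: bytes, prev: bytes) -> bytes:
    """XOR one 16-byte block with MD5(secret + previous block)."""
    key = hashlib.md5(secret + prev).digest()
    return bytes(b ^ k for b, k in zip(block, key))

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad to 16-byte blocks, chain on ciphertext."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor_block(padded[i:i + 16], secret, prev)
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same scheme; trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("hidden password must be 16..128 bytes, multiple of 16")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor_block(block, secret, prev)
        prev = block
    return out.rstrip(b"\x00")

def build_reply(code: int, ident: int, request_auth: bytes, secret: bytes,
                attrs: bytes = b"") -> bytes:
    """Reply whose authenticator is MD5(code+id+len+RequestAuth+attrs+secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def reply_signature_ok(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check; failure is what radtest reports as an invalid signature."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def simulate(client_secret: bytes, server_secret: bytes,
             password: bytes = b"testing") -> dict:
    """One PAP exchange: client hides with its secret, server uses its own."""
    request_auth = bytes(range(16))  # constructed; a real client uses random bytes
    hidden = hide_password(password, client_secret, request_auth)
    seen = unhide_password(hidden, server_secret, request_auth)
    code = 2 if hmac.compare_digest(seen, password) else 3  # Accept / Reject
    reply = build_reply(code, 128, request_auth, server_secret)
    return {
        "server_sees": seen,
        "printable": all(32 <= b < 127 for b in seen),
        "reply_code": code,
        "client_accepts_signature": reply_signature_ok(reply, request_auth,
                                                       client_secret),
    }

if __name__ == "__main__":
    # Constructed secrets: the client uses the NAS entry, the server the localhost one.
    print(simulate(b"nas-secret", b"localhost-secret"))
    print(simulate(b"localhost-secret", b"localhost-secret"))
```
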



Re: Problems with MySQL authentication was Re: Problems with MySQL Auth-Type

2002-05-31 Thread Chris Parker

At 08:52 AM 5/31/2002 +0200, Simon wrote:
>On Thu, May 30, 2002 at 07:14:14PM -0500, Nick Davis wrote:
>
>[...]
>
> > root@localhost# radtest radman2 testing localhost 10  2  hostname>
> > Sending Access-Request of id 128 to 127.0.0.1:1812
> > User-Name = "radman2"
> > User-Password = "\2529M\234\353,\006w\2657K\346m\301\022@"
> > NAS-IP-Address = 
> > NAS-Port-Id = "10"
> > Framed-Protocol = PPP
> > rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=128, length=20
> > rad_decode: Received Access-Reject packet from 127.0.0.1 with invalid
> > signature!^^^
>   ^
>
>Are you _really really_ sure you have your shared secret correct? Both
>the "invalid signature" error radtest gives and the warning from radiusd
>indicate that the shared secrets don't match.
>Could you paste the relevant section from raddb/clients.conf?

It is most likely just really old code on the NAS.  Quite a few NAS
in older code revs didn't sign Accounting-Request packets properly.
Livingston Portmasters were one.  I'd highly recommend looking at
upgrading the NAS code as the suspect here.

Also, if this is an older Ascend box, Ascend didn't quite follow the RFC
method of encrypting PAP passwords when sending to the NAS ( they added
additional NULL pads ).  Newer Ascend/Lucent allow you to switch to an
RFC compliant mode.

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Re: Problems with MySQL authentication was Re: Problems with MySQL Auth-Type

2002-05-30 Thread Simon

On Thu, May 30, 2002 at 07:14:14PM -0500, Nick Davis wrote:

[...]

> root@localhost# radtest radman2 testing localhost 10  2 
> Sending Access-Request of id 128 to 127.0.0.1:1812
> User-Name = "radman2"
> User-Password = "\2529M\234\353,\006w\2657K\346m\301\022@"
> NAS-IP-Address = 
> NAS-Port-Id = "10"
> Framed-Protocol = PPP
> rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=128, length=20
> rad_decode: Received Access-Reject packet from 127.0.0.1 with invalid 
> signature!^^^
  ^

> output from radiusd -X

[...]

>   WARNING: Unprintable characters in the password. ?  Double-check the shared 
> secret on the server and the NAS!
> 
> 
> This WARNING says check my secret, but I know that is correct for sure. From 

Are you _really really_ sure you have your shared secret correct? Both
the "invalid signature" error radtest gives and the warning from radiusd
indicate that the shared secrets don't match.
Could you paste the relevant section from raddb/clients.conf?

-- 
Simon





Problems with MySQL authentication was Re: Problems with MySQL Auth-Type

2002-05-30 Thread Nick Davis

ok I think I am really close to getting this working (having everything in 
mysql db).

as a side note. i use a table called user instead of radcheck with different 
titles for the columns because this db is for other stuff too.. here are the 
tables:

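mysql> select * from user;
+----------+---------+---------+----------+--------------+---------------+----+
| useridnr | userid  | passwd  | clientid | maxmail_size | Attribute     | op |
+----------+---------+---------+----------+--------------+---------------+----+
|       30 | radman2 | testing |        0 |      2097152 | User-Password | := |
+----------+---------+---------+----------+--------------+---------------+----+

mysql> select * from usergroup;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  2 | radman2  | default   |
+----+----------+-----------+

mysql> select * from radgroupcheck;
+----+-----------+------------------+-------+----+
| id | GroupName | Attribute        | Value | op |
+----+-----------+------------------+-------+----+
| 10 | default   | Simultaneous-Use | 1     | := |
|  9 | default   | Auth-Type        | PAP   | := |
+----+-----------+------------------+-------+----+

mysql> select * from radgroupreply;
+----+-----------+-------------------+-------------+----+------+
| id | GroupName | Attribute         | Value       | op | prio |
+----+-----------+-------------------+-------------+----+------+
|  2 | default   | User-Service-Type | Framed-User | =  |    0 |
|  3 | default   | Framed-Protocol   | PPP         | =  |    0 |
|  4 | default   | Fall-Through      | Yes         | =  |    0 |
+----+-----------+-------------------+-------------+----+------+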

I have my radiusd.conf like this:

pap {
        encryption_scheme = clear
}
authorize {
        preprocess
        sql
}
authenticate {
        authtype PAP {
                pap
        }
}
preacct {
        preprocess
}
accounting {
        unix
        sql
        radutmp
}
session {
        radutmp
}

When I run 
radtest radman2 testing localhost 10  2 

radtest seems to always encrypt my password, since I am storing pwds in 
cleartext, the auth never works. Here is some output:

root@localhost# radtest radman2 testing localhost 10  2 
Sending Access-Request of id 128 to 127.0.0.1:1812
User-Name = "radman2"
User-Password = "\2529M\234\353,\006w\2657K\346m\301\022@"
NAS-IP-Address = 
NAS-Port-Id = "10"
Framed-Protocol = PPP
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=128, length=20
rad_decode: Received Access-Reject packet from 127.0.0.1 with invalid 
signature!

*
output from radiusd -X

rad_recv: Access-Request packet from host 127.0.0.1:1087, id=128, length=63
User-Name = "radman2"
User-Password = "\2529M\234\353,\006w\2657K\346m\301\022@"
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = "10"
Framed-Protocol = PPP
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
radius_xlat:  'radman2'
sql_escape in:  'radman2'
sql_escape out:  'radman2'
sql_set_user:  escaped user --> 'radman2'
radius_xlat:  'SELECT useridnr,userid,Attribute,passwd,op FROM user WHERE 
userid = 'radman2' ORDER BY useridnr'
rlm_sql: Reserving sql socket id: 4
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'radman2' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = 'radman2' ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  
FROM radgroupreply,usergroup WHERE usergroup.Username = 'radman2' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
radius_xlat:  'SELECT passwd,Attribute FROM user WHERE userid = 'radman2' AND 
( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute = 
'Crypt-Password' ) ORDER BY Attribute DESC'
rlm_sql: Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type PAP
auth: type "PAP"
modcall: entering group authtype
rlm_pap: login attempt by "radman2" with password à\z
rlm_pap: Using password testing for user radman2 authentication.
rlm_pap: Using clear text password.
rlm_pap: Passwords don't match
  modcall[authenticate]: module "pap" returns reject
modcall: group authtype returns reject
auth: Failed to validate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [radman2/\340\\z] 
(from client localhost port 0)
  WARNING: Unprintable characters in the password. ?  Double-check the shared 
secret on the server a

Re: checkrad don't work with freeradius-0.5 and mysql authentication

2002-04-24 Thread Dirk Tanneberger

Thank you, it works!

regards
Dirk Tanneberger

- Original Message - 
From: "Chris Parker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 24, 2002 5:02 PM
Subject: Re: checkrad don't work with freeradius-0.5 and mysql authentication


> At 04:59 PM 4/24/2002 +0200, Dirk Tanneberger wrote:
> >I have the following checkitems in radcheck-table:
> >-----------------------------------------------
> >id  UserName  Attribute         Value  op
> >1   test      password
> >13  test      Simultaneous-Use  2      ==
> >-----------------------------------------------
> 
> Simultaneous-Use needs to have the := operator, just like the examples
> in the 'users' file and documentation.
> 
> -Chris
> --
> \\\|||///  \  StarNet Inc.  \Chris Parker
> \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
> | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
> oOo---(_)---oOo--\--
>\ Wholesale Internet Services - http://www.megapop.net
> 
> 
> 





Re: checkrad don't work with freeradius-0.5 and mysql authentication

2002-04-24 Thread Chris Parker

At 04:59 PM 4/24/2002 +0200, Dirk Tanneberger wrote:
>I have the following checkitems in radcheck-table:
>-----------------------------------------------
>id  UserName  Attribute         Value  op
>1   test      password
>13  test      Simultaneous-Use  2      ==
>-----------------------------------------------

Simultaneous-Use needs to have the := operator, just like the examples
in the 'users' file and documentation.

-Chris
--
\\\|||///  \  StarNet Inc.  \Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






Re: checkrad don't work with freeradius-0.5 and mysql authentication

2002-04-24 Thread Dirk Tanneberger

I have the following checkitems in radcheck-table:
-----------------------------------------------
id  UserName  Attribute         Value  op
1   test      password
13  test      Simultaneous-Use  2      ==
-----------------------------------------------

regards
Dirk Tanneberger

- Original Message - 
From: "Chris Parker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 24, 2002 4:42 PM
Subject: Re: checkrad don't work with freeradius-0.5 and mysql authentication


> At 04:39 PM 4/24/2002 +0200, Dirk Tanneberger wrote:
> >Hello all,
> >
> >I use freeradius-0.5 with mysql authentication and accounting.
> >Normal authentication and accounting work fine, but
> >when I use "Simultaneous-Use", it doesn't work.
> >When I run FreeRADIUS in debug mode, I see no entry for a call to checkrad.
> >I set checkrad to debug as well, but there is no entry in the logfile.
> >Why doesn't checkrad work? Has anybody had the same problem, or can anybody help me?
> 
> Do you have the operator set correctly?  What do your checkitems look
> like?
> 
> -Chris
> --
> \\\|||///  \  StarNet Inc.  \Chris Parker
> \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
> | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
> oOo---(_)---oOo--\--
>\ Wholesale Internet Services - http://www.megapop.net
> 
> 
> 





Re: checkrad don't work with freeradius-0.5 and mysql authentication

2002-04-24 Thread Chris Parker

At 04:39 PM 4/24/2002 +0200, Dirk Tanneberger wrote:
>Hello all,
>
>I use freeradius-0.5 with mysql authentication and accounting.
>Normal authentication and accounting work fine, but
>when I use "Simultaneous-Use", it doesn't work.
>When I run FreeRADIUS in debug mode, I see no entry for a call to checkrad.
>I set checkrad to debug as well, but there is no entry in the logfile.
>Why doesn't checkrad work? Has anybody had the same problem, or can anybody help me?

Do you have the operator set correctly?  What do your checkitems look
like?

-Chris
--
\\\|||///  \  StarNet Inc.  \Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net






checkrad don't work with freeradius-0.5 and mysql authentication

2002-04-24 Thread Dirk Tanneberger

Hello all,

I use freeradius-0.5 with mysql authentication and accounting.
Normal authentication and accounting work fine, but
when I use "Simultaneous-Use", it doesn't work.
When I run FreeRADIUS in debug mode, I see no entry for a call to checkrad.
I set checkrad to debug as well, but there is no entry in the logfile.
Why doesn't checkrad work? Has anybody had the same problem, or can anybody help me?

Thanks

Dirk Tanneberger






Re: Debian - Freeradius MySQL Authentication

2002-01-12 Thread aland

"chrisv" <[EMAIL PROTECTED]> wrote:
> At this point, I restarted freeradius, so that the changes 
> to /etc/raddb/radiusd.conf would take effect.  All appears to go 
> well as the radiusd comes up without error.
> 
> Figuring that MySQL authentication was now configured, i issued 
> the following command:
> 
> 'radtest testuser testpass localhost localhost testing123'
> 
> and the system replies:

 ... with an access reject.

  Have you tried running the server in debugging mode, as described in
the FAQ and the README?  It produces voluminous output telling you
exactly what it's doing, which helps enormously in debugging these
problems.

  Alan DeKok.




Debian - Freeradius MySQL Authentication

2002-01-12 Thread chrisv

Hello all..

I've been attempting to install a radiusd on a debian box for 
quite some time now, but have run into several roadblocks.  So 
far, I've attempted to use both cistron and xtradius - both with 
minimal success.  After posting to the cistron mailing list, I was 
informed that freeradius is really the best radiusd for me to use 
considering my major concern is authenticating users from a MySQL 
database, rather than from a flat config file.

I've installed and configured the following debian packages via 
apt-get:

radiusd-freeradius  (version 0.4-1)
radiusd-freeradius-mysql  (version 0.4-1)

The machine i'm installing on is a debian (unstable) system

Linux terrapin 2.2.19pre17 #4 Tue Mar 13 22:37:59 EST 2001 i686 
unknown

Everything appears to have installed correctly, and the radiusd 
started up successfully

--- Begin Screen Output ---

root   234  0.0  3.0 13588 1852 ?        S    10:35   0:00 /usr/sbin/radiusd
root   236  0.0  3.0 13588 1852 ?        S    10:35   0:00 /usr/sbin/radiusd
root   237  0.0  3.0 13588 1852 ?        S    10:35   0:00 /usr/sbin/radiusd
root   238  0.0  3.0 13588 1852 ?        S    10:35   0:00 /usr/sbin/radiusd
root   239  0.0  3.0 13588 1852 ?        S    10:35   0:00 /usr/sbin/radiusd
root   240  0.0  3.0 13588 1852 ?        S    10:35   0:00 /usr/sbin/radiusd
root   241  0.0  3.0 13588 1852 ?        S    10:35   0:00 /usr/sbin/radiusd

--- End Screen Output ---

I then used radtest (authenticating from the /etc/passwd as is 
default) and everything worked fine.

At that point, I went ahead and made changes to the radiusd
config file (/etc/raddb/radiusd.conf) - I added 'sql' to 
the 'authorize {', 'authenticate {', and 'accounting {' sections.  
Additionally, i #commented out 'unix' from the 'authenticate {' 
section)

After saving radiusd.conf, i proceeded to edit sql.conf and 
specify the proper username and password for mysql (i am running
mysql  Ver 11.15 Distrib 3.23.47, for pc-linux-gnu (i686))
in /etc/raddb/sql.conf. I saved this file, and then went to work on
the MySql database.  Since i installed via apt-get, i did not have
the database schema .sql file (db_mysql.sql), so i downloaded the 
source and obtained db_mysql.sql.  I applied the schema, and then 
proceeded to add a test user.  I did so by logging into the radius 
database in MySQL, and running the following commands:

'INSERT INTO usergroup VALUES('0','testuser','testgroup');'
'INSERT INTO radcheck VALUES('0','testuser','Password','testpass');'
'INSERT INTO radreply VALUES('0','testuser','Framed-IP-Address','255.255.255.254');'

'FLUSH PRIVILEGES;'

The changes were successful, here are the results:

--- Begin Screen Output ---

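mysql> select * from usergroup;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  1 | testuser | testgroup |
+----+----------+-----------+
1 row in set (0.01 sec)

mysql> select * from radcheck;
+----+----------+-----------+----------+
| id | UserName | Attribute | Value    |
+----+----------+-----------+----------+
|  1 | testuser | Password  | testpass |
+----+----------+-----------+----------+
1 row in set (0.00 sec)

mysql> select * from radreply;
+----+----------+-------------------+-----------------+
| id | UserName | Attribute         | Value           |
+----+----------+-------------------+-----------------+
|  1 | testuser | Framed-IP-Address | 255.255.255.254 |
+----+----------+-------------------+-----------------+
1 row in set (0.00 sec)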

--- End Screen Output ---


At this point, I restarted freeradius, so that the changes 
to /etc/raddb/radiusd.conf would take effect.  All appears to go 
well as the radiusd comes up without error.

Figuring that MySQL authentication was now configured, i issued 
the following command:

'radtest testuser testpass localhost localhost testing123'

and the system replies:

--- Begin Screen Output ---

Sending Access-Request of id 101 to 127.0.0.1:1812
User-Name = "testuser"
Password = "$\312\367[\205\271\273L\316h\257\264\20\347
\365"
NAS-IP-Address = terrapin
NAS-Port-Id = "localhost"
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=101, 
length=20

--- End Screen Output ---

So it appears that the radiusd is up and running, but it is 
obviously not properly authenticating from the MySQL database.
Additionally, when i attempt to connect to the machine from 
elsewhere on the internal network with ntradping, it times out 
from a lack of server response.

--- Begin NTRadPing Output ---

'Sending authentication request to server 192.168.1.111:1812'
'Transmitting packet, code=1 id=0 length=49'
'no response from s