Re: MySQL Authentication Logging
On Mon, 18 Aug 2003, Adam Carmichael wrote:

> Hi All!
>
> I'm currently running FreeRADIUS 0.9.0 on several *BSD boxes with MySQL4 for logging
> accounting and retrieving authentication information. I am interested in knowing how
> to log authentication attempts and even possibly why an attempt failed.
>
> For example, if we have a customer who thinks their dialup account is being
> exploited - they can change their password, and then see if any authentication
> requests are being made. (Actually, just thinking about it, the user would not need
> to change their password, they could just see the times at which their logons (or
> attempted logons) occur).
>
> I have made some Google searches on the list already, and I saw a few posts in which
> Alan DeKok said that it is possible to do this - however the rest of the replies
> seemed to wander away from what I had hoped.

Check out dialup_admin/bin/log_badlogins. It will do a tail -f on radius.log and
log each failed login as a separate session in the radacct table.

> Thanks in advance
>
> Adam
>
> Adam Carmichael
> Network Operations Manager
> email: [EMAIL PROTECTED]
> web: http://www.no1.com.au
> icq: 2207644
>
> #1 Computer Services, Empowerment Through Internet Communications.

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MySQL Authentication Logging
----- Original Message -----
From: "Nicolas Baradakis" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 20, 2003 6:57 PM
Subject: Re: MySQL Authentication Logging

> Adam Carmichael wrote:
>
> > I was considering relearning C/C++ all over again so I could help
> > with this just because we need this feature quite badly. I'd love to
> > finally submit something back to an opensource product, but I don't
> > think my coding skills are quite up to scratch for this kind of
> > challenge yet. I'd be more than happy to provide feedback and help
> > with testing however, and I'll help patch what I can.
>
> Thanks for the offer of assistance but I can manage the coding part
> alone. Since the architecture of FR is really clean it's not a big
> problem. And of course it's much better if you do more tests on your
> side when it's done.
>
> > Users of this might need additional features, such as the ability to
> > log other kinds of errors (such as RADIUS clients not in
> > clients.conf (or the deprecated clients file) trying to
> > authenticate, or if for example a particular NAS / LNS is running an
> > old secret) so perhaps an auth_default_log() might also be required
> > to log anything that doesn't match one of the other authentication
> > types it could be logged into a kind of table that has a few BLOB or
> > TEXT fields and places the entire log entry into that field. Another
> > scenario is if you use ENCRYPT()'ed passwords within MySQL, and a
> > user tries to log in using CHAP.
>
> While writing the patch I gave up about the "auth_badpass_table" and
> the "auth_goodpass_table". Just one "authlog_table" is sufficient, and
> you choose what you put inside with the "authlog_query".
>
> > What do you think? (with regards to the above outlined mysql logging
> > scenarios). If you'd like to further development, then I'll
> > subscribe to freeradius-developers and help out where I can.
>
> I think indeed we should follow the discussion in the freeradius-devel
> mailing list.
>
> --
> Nicolas Baradakis

Indeed, I'll subscribe to the list now :)

--
Adam
Re: MySQL Authentication Logging
Adam Carmichael wrote:

> I was considering relearning C/C++ all over again so I could help
> with this just because we need this feature quite badly. I'd love to
> finally submit something back to an opensource product, but I don't
> think my coding skills are quite up to scratch for this kind of
> challenge yet. I'd be more than happy to provide feedback and help
> with testing however, and I'll help patch what I can.

Thanks for the offer of assistance but I can manage the coding part
alone. Since the architecture of FR is really clean it's not a big
problem. And of course it's much better if you do more tests on your
side when it's done.

> Users of this might need additional features, such as the ability to
> log other kinds of errors (such as RADIUS clients not in
> clients.conf (or the deprecated clients file) trying to
> authenticate, or if for example a particular NAS / LNS is running an
> old secret) so perhaps an auth_default_log() might also be required
> to log anything that doesn't match one of the other authentication
> types it could be logged into a kind of table that has a few BLOB or
> TEXT fields and places the entire log entry into that field. Another
> scenario is if you use ENCRYPT()'ed passwords within MySQL, and a
> user tries to log in using CHAP.

While writing the patch I gave up about the "auth_badpass_table" and
the "auth_goodpass_table". Just one "authlog_table" is sufficient, and
you choose what you put inside with the "authlog_query".

> What do you think? (with regards to the above outlined mysql logging
> scenarios). If you'd like to further development, then I'll
> subscribe to freeradius-developers and help out where I can.

I think indeed we should follow the discussion in the freeradius-devel
mailing list.

--
Nicolas Baradakis
Re: MySQL Authentication Logging
Nic,

I would love to help you test this!!!

Adam

----- Original Message -----
From: "Nicolas Baradakis" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 20, 2003 6:16 PM
Subject: Re: MySQL Authentication Logging

> Alan DeKok wrote:
>
> > "Adam Carmichael" <[EMAIL PROTECTED]> wrote:
> >
> > > I'm currently running FreeRADIUS 0.9.0 on several *BSD boxes with MySQL4
> > > for logging accounting and retrieving authentication information. I am
> > > interested in knowing how to log authentication attempts and even
> > > possibly why an attempt failed.
> >
> > See the 'detail' module in the latest CVS snapshot. It will create
> > "detail" style files for authentication requests, responses, proxied
> > packets, and replies from a home server.
> >
> > It won't log all of the information you see in debugging mode, but
> > it will log a fair amount of useful data.
>
> It's nice to get a lot of data in the detail files, but as I already
> said before :
>
> <<<<<
> When you have multiple freeradius servers, you want to store
> authentication attempts in a database rather than a flat file.
> >>>>>
>
> I'm doing a patch in rlm_sql to put information in an "authlog table"
> after authentication. In fact it's nearly finished, but I want to
> do more tests and add more commentaries in my source.
>
> --
> Nicolas Baradakis
Re: MySQL Authentication Logging
Alan DeKok wrote:

> "Adam Carmichael" <[EMAIL PROTECTED]> wrote:
>
> > I'm currently running FreeRADIUS 0.9.0 on several *BSD boxes with MySQL4
> > for logging accounting and retrieving authentication information. I am
> > interested in knowing how to log authentication attempts and even
> > possibly why an attempt failed.
>
> See the 'detail' module in the latest CVS snapshot. It will create
> "detail" style files for authentication requests, responses, proxied
> packets, and replies from a home server.
>
> It won't log all of the information you see in debugging mode, but
> it will log a fair amount of useful data.

It's nice to get a lot of data in the detail files, but as I already
said before :

<<<<<
When you have multiple freeradius servers, you want to store
authentication attempts in a database rather than a flat file.
>>>>>

I'm doing a patch in rlm_sql to put information in an "authlog table"
after authentication. In fact it's nearly finished, but I want to
do more tests and add more commentaries in my source.

--
Nicolas Baradakis
Re: MySQL Authentication Logging
"Adam Carmichael" <[EMAIL PROTECTED]> wrote:

> I'm currently running FreeRADIUS 0.9.0 on several *BSD boxes with MySQL4
> for logging accounting and retrieving authentication information. I am
> interested in knowing how to log authentication attempts and even
> possibly why an attempt failed.

See the 'detail' module in the latest CVS snapshot. It will create
"detail" style files for authentication requests, responses, proxied
packets, and replies from a home server.

It won't log all of the information you see in debugging mode, but
it will log a fair amount of useful data.

Alan DeKok.
Re: MySQL Authentication Logging
Hi Nicolas,

I was considering relearning C/C++ all over again so I could help with this just because we need this feature quite badly. I'd love to finally submit something back to an opensource product, but I don't think my coding skills are quite up to scratch for this kind of challenge yet. I'd be more than happy to provide feedback and help with testing however, and I'll help patch what I can.

Users of this might need additional features, such as the ability to log other kinds of errors (such as RADIUS clients not in clients.conf (or the deprecated clients file) trying to authenticate, or if for example a particular NAS / LNS is running an old secret) so perhaps an auth_default_log() might also be required to log anything that doesn't match one of the other authentication types it could be logged into a kind of table that has a few BLOB or TEXT fields and places the entire log entry into that field. Another scenario is if you use ENCRYPT()'ed passwords within MySQL, and a user tries to log in using CHAP.

These are just two of the kinds of problems that have plagued the last week of my work. In the end, I just left a whole bunch of users with the Password attribute set, and another bunch with Crypt-Password. Not very good practise I know, but all scripts (both online and Windows based VB applications) update the attribute field when editing / inserting a password.

What do you think? (with regards to the above outlined mysql logging scenarios). If you'd like to further development, then I'll subscribe to freeradius-developers and help out where I can.

Adam.

----- Original Message -----
From: "Nicolas Baradakis" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 18, 2003 10:05 PM
Subject: Re: MySQL Authentication Logging

> Chris van Meerendonk wrote:
>
> > On Mon, 2003-08-18 at 05:30, Adam Carmichael wrote:
> >
> > > I'm currently running FreeRADIUS 0.9.0 on several *BSD boxes with
> > > MySQL4 for logging accounting and retrieving authentication
> > > information. I am interested in knowing how to log authentication
> > > attempts and even possibly why an attempt failed.
> >
> > I'm using a simple script that reads radius.log and put that in a
> > mysql table that can be accessed by our helpdesk by using a simple
> > php-interface to help people with their dialin problems. Maybe you
> > can do something with it.
>
> The situation isn't so easy when you have multiple freeradius servers,
> and in that case you want to store authentication attempts in a
> database rather than a flat file.
>
> For different reasons I need also logging connection requests and I
> already thought a little about it.
>
> I'm considering writing a patch for this problem, and I would like
> advice from the developers to do it efficiently. Please correct
> me if the following doesn't make sense.
>
> The extension should be made in module rlm_sql because here you have
> all you need to connect the database and make a request (and the
> administrator may store the authcheck_table, the acct_table and the
> authentication attempts in the same db).
>
> Then in sql.conf you should add four lines with auth_badpass_table,
> auth_goodpass_table, auth_badpass_query, auth_goodpass_query (or
> something like that).
>
> We know in authentication whether the password is valid, so you have
> to enter module rlm_sql at this time. It requires to add a function
> rlm_sql_authenticate() to manage it...
>
> If I get something working from this idea I'll submit the patch in the
> mailing list later.
>
> --
> Nicolas Baradakis
Re: MySQL Authentication Logging
Chris van Meerendonk wrote:

> On Mon, 2003-08-18 at 05:30, Adam Carmichael wrote:
>
> > I'm currently running FreeRADIUS 0.9.0 on several *BSD boxes with
> > MySQL4 for logging accounting and retrieving authentication
> > information. I am interested in knowing how to log authentication
> > attempts and even possibly why an attempt failed.
>
> I'm using a simple script that reads radius.log and put that in a
> mysql table that can be accessed by our helpdesk by using a simple
> php-interface to help people with their dialin problems. Maybe you
> can do something with it.

The situation isn't so easy when you have multiple freeradius servers,
and in that case you want to store authentication attempts in a
database rather than a flat file.

For different reasons I need also logging connection requests and I
already thought a little about it.

I'm considering writing a patch for this problem, and I would like
advice from the developers to do it efficiently. Please correct
me if the following doesn't make sense.

The extension should be made in module rlm_sql because here you have
all you need to connect the database and make a request (and the
administrator may store the authcheck_table, the acct_table and the
authentication attempts in the same db).

Then in sql.conf you should add four lines with auth_badpass_table,
auth_goodpass_table, auth_badpass_query, auth_goodpass_query (or
something like that).

We know in authentication whether the password is valid, so you have
to enter module rlm_sql at this time. It requires to add a function
rlm_sql_authenticate() to manage it...

If I get something working from this idea I'll submit the patch in the
mailing list later.

--
Nicolas Baradakis
Re: MySQL Authentication Logging
On Mon, 2003-08-18 at 05:30, Adam Carmichael wrote:

> Hi All!
>
> I'm currently running FreeRADIUS 0.9.0 on several *BSD boxes with
> MySQL4 for logging accounting and retrieving authentication
> information. I am interested in knowing how to log authentication
> attempts and even possibly why an attempt failed.

I'm using a simple script that reads radius.log and put that in a mysql table that can be accessed by our helpdesk by using a simple php-interface to help people with their dialin problems. Maybe you can do something with it.

Good luck,
Chris

The db struct of radproblems is:

mysql> describe radproblems;
+------------------+--------------+------+-----+---------------------+----------------+
| Field            | Type         | Null | Key | Default             | Extra          |
+------------------+--------------+------+-----+---------------------+----------------+
| RadProblemId     | bigint(21)   |      | PRI | NULL                | auto_increment |
| UserName         | varchar(255) |      | MUL |                     |                |
| Password         | varchar(255) |      |     |                     |                |
| AuthTime         | datetime     |      |     | 0000-00-00 00:00:00 |                |
| Realm            | varchar(64)  | YES  |     |                     |                |
| NASIPAddress     | varchar(15)  |      |     |                     |                |
| CalledStationId  | varchar(30)  |      |     |                     |                |
| CallingStationId | varchar(30)  |      | MUL |                     |                |
| TerminateCause   | varchar(64)  |      |     |                     |                |
+------------------+--------------+------+-----+---------------------+----------------+
9 rows in set (0.00 sec)

The import script:

cat /usr/local/bin/parse-radiuslog.sh

#!/bin/sh
# Input format:
# Mon Mar 10 11:07:06 2003 : Auth: Login incorrect (rlm_ldap: Bind as user failed): [user/password] (from client nas port 16578 cli 012345678)

INFILE="/var/log/freeradius/radius.log"
TMPFILE="/var/log/freeradius/radius.tmp"
ADDTOFILE="/var/log/freeradius/radius.parsed"
SQLTMPFILE="/var/log/freeradius/radius.tmp.sql"

# Remove leftovers from a previous run
if [ -f $TMPFILE ]
then
    rm $TMPFILE
fi
if [ -f $SQLTMPFILE ]
then
    rm $SQLTMPFILE
fi

# Take the current log out of the way and work on the copy
mv $INFILE $TMPFILE

check=`cat "${TMPFILE}" | grep 'Auth: Login incorrect'`
if [ -z "$check" ]
then
    echo " ";
else
    cat "${TMPFILE}" | grep 'Auth: Login incorrect' | while read LINE; do
        # LINE is quoted so that "*" or "?" in a logged password is not glob-expanded
        # P1 = user name, P2 = attempted password; quotes are replaced by '#'
        P1=`echo "${LINE}" | sed -e 's/^.*\[\([^/]*\).*$/\1/' -e s/\'/#/g -e s/\"/#/g`
        P2=`echo "${LINE}" | sed -e 's/^.*\(\[.*\]\).*$/\1/' -e 's/^.*\/\(.*\)]$/\1/' -e s/\'/#/g -e s/\"/#/g`
        # P1=`echo ${LINE} | sed 's/^.*\(\[.*\]\).*$/\1/'`
        # P3 = timestamp as year-month-day time (Sep maps to 9)
        P3=`echo "${LINE}" | awk '{print $5 "-" $2 "-" $3 " " $4}' | sed -e 's/Jan/1/' -e 's/Feb/2/' -e 's/Mar/3/' -e 's/Apr/4/' -e 's/May/5/' -e 's/Jun/6/' -e 's/Jul/7/' -e 's/Aug/8/' -e 's/Sep/9/' -e 's/Oct/10/' -e 's/Nov/11/' -e 's/Dec/12/'`
        # P4 = calling station id, P5 = failure reason reported by rlm_ldap
        P4=`echo "${LINE}" | grep ' cli ' | sed 's/^.*cli \b\([0-9]*\).*$/\1/'`
        P5=`echo "${LINE}" | grep 'rlm_ldap:' | sed 's/^.*rlm_ldap: \([A-Za-z0-9 ]*\).*$/\1/'`
        echo "INSERT INTO radproblems VALUES ('','${P1}','${P2}','${P3}','','',' ','${P4}','${P5}');" | sed 's/\\//' >> $SQLTMPFILE
    done
    mysql -hyour.mysql.host -usqluser -ppassword database < $SQLTMPFILE
fi

# Keep the processed log lines
cat $TMPFILE >> $ADDTOFILE

> For example, if we have a customer who thinks their dialup account is
> being exploited - they can change their password, and then see if any
> authentication requests are being made. (Actually, just thinking about
> it, the user would not need to change their password, they could just
> see the times at which their logons (or attempted logons) occur).
>
> I have made some Google searches on the list already, and I saw a few
> posts in which Alan DeKok said that it is possible to do this -
> however the rest of the replies seemed to wander away from what I had
> hoped.
>
> Thanks in advance
>
> Adam
>
> Adam Carmichael
> Network Operations Manager
> email: [EMAIL PROTECTED]
> web: http://www.no1.com.au
> icq: 2207644
>
> #1 Computer Services, Empowerment Through Internet Communications.
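The log-to-database import described in the message above, reworked as an added example (not part of the thread and not FreeRADIUS code): it parses the same "Login incorrect" line format, binds every value as a query parameter instead of replacing quotes with '#', and stores no attempted password. The auth_failures table, the in-memory SQLite database standing in for MySQL, and the optional reason and cli fields are assumptions.

```python
import re
import sqlite3

# Constructed sample lines in the radius.log format from the script's
# "Input format" comment; user names, NAS names and numbers are made up.
SAMPLE_LOG = [
    "Mon Mar 10 11:07:06 2003 : Auth: Login incorrect (rlm_ldap: Bind as user failed): "
    "[alice/hunter2] (from client nas1 port 16578 cli 012345678)",
    "Mon Mar 10 11:09:41 2003 : Auth: Login incorrect (rlm_ldap: Bind as user failed): "
    "[alice/pass]word/2] (from client nas1 port 16579 cli 012345678)",
    "Tue Sep  9 02:14:00 2003 : Auth: Login incorrect: "
    "[o'neil/x] (from client nas2 port 3)",
    "Tue Sep  9 02:15:00 2003 : Info: Ready to process requests.",
]

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# The "(reason)" and "cli" parts are treated as optional (assumption).
# The attempted password is matched so the line parses, but never captured.
LINE_RE = re.compile(
    r"^\w{3} (?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<year>\d{4})"
    r" : Auth: Login incorrect(?: \((?P<reason>.*?)\))?: "
    r"\[(?P<user>[^/]*?)(?:/.*)?\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>[^\s)]+))?\)$"
)

# Hypothetical table: like radproblems in the message, minus the Password column.
SCHEMA = """
CREATE TABLE auth_failures (
    id               INTEGER PRIMARY KEY,
    UserName         TEXT NOT NULL,
    AuthTime         TEXT NOT NULL,
    NASClient        TEXT NOT NULL,
    NASPort          INTEGER NOT NULL,
    CallingStationId TEXT,
    Reason           TEXT
)
"""


def parse_line(line):
    """Return a dict for a 'Login incorrect' line, or None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None or m["mon"] not in MONTHS:
        return None
    auth_time = "%s-%02d-%02d %s" % (
        m["year"], MONTHS[m["mon"]], int(m["day"]), m["time"])
    return {
        "user": m["user"],
        "auth_time": auth_time,
        "client": m["client"],
        "port": int(m["port"]),
        "cli": m["cli"],        # None when the NAS sent no calling station id
        "reason": m["reason"],  # None when the log line gives no reason
    }


def make_db():
    """In-memory SQLite database standing in for the MySQL server."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def load(conn, lines):
    """Insert every failed login found in lines; return how many were stored."""
    rows = [row for row in map(parse_line, lines) if row is not None]
    # Bound parameters: a quote in a user name is stored as data, not parsed as SQL.
    conn.executemany(
        "INSERT INTO auth_failures"
        " (UserName, AuthTime, NASClient, NASPort, CallingStationId, Reason)"
        " VALUES (:user, :auth_time, :client, :port, :cli, :reason)",
        rows,
    )
    conn.commit()
    return len(rows)


def failures_for(conn, user):
    """Times, caller ids and reasons of failed logins for one account."""
    return conn.execute(
        "SELECT AuthTime, CallingStationId, Reason FROM auth_failures"
        " WHERE UserName = ? ORDER BY AuthTime",
        (user,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(load(db, SAMPLE_LOG), "failed logins stored")
    for row in failures_for(db, "alice"):
        print(row)
```

failures_for() answers the question that opened the thread: when, and from which calling number, were logins attempted against one account.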
MySQL Authentication Logging
Hi All!

I'm currently running FreeRADIUS 0.9.0 on several *BSD boxes with MySQL4 for logging accounting and retrieving authentication information. I am interested in knowing how to log authentication attempts and even possibly why an attempt failed.

For example, if we have a customer who thinks their dialup account is being exploited - they can change their password, and then see if any authentication requests are being made. (Actually, just thinking about it, the user would not need to change their password, they could just see the times at which their logons (or attempted logons) occur).

I have made some Google searches on the list already, and I saw a few posts in which Alan DeKok said that it is possible to do this - however the rest of the replies seemed to wander away from what I had hoped.

Thanks in advance

Adam

Adam Carmichael
Network Operations Manager
email: [EMAIL PROTECTED]
web: http://www.no1.com.au
icq: 2207644
#1 Computer Services, Empowerment Through Internet Communications.
Mysql Authentication
I'm trying to pass a WINS value via dhcp to a remote client using mysql... every dhcp field seems to be passed fine (dns, IP.) except wins... during authentication on the ras server I see the following:

04:32:00: RADIUS: cisco AVPair ""ip:wins-servers=10.0.0.1"" not applied for ip

The field in radgroupreply is:

id  GroupName  Attribute     op  Value                        prio (???what is this ???)
1   adrtel     cisco-avpair  :=  "ip:wins-servers=10.0.0.1"   1 (just fill it out)

Any help?

Thanks
RE: MySQL Authentication
OK, it's working now. Here is what I changed:

In sql.conf I changed from

sql_user_name = "%{Stripped-User-Name}"

to

sql_user_name = "%{User-Name}"

Not sure there's a difference, but that's what I did...

In radius.conf in the authorize section, commented out all but preprocess, chap, mschap, and sql.

In radius.conf in the authenticate section, commented out all but pap, chap, mschap, and unix.

In my radcheck table:

mysql> select *from radcheck;
+----+----------+----------------+----+------------------------------------+
| id | UserName | Attribute      | op | Value                              |
+----+----------+----------------+----+------------------------------------+
|  4 | foo      | Crypt-Password | := | $1$HuWuTTVg$GqVJ5SOZfZqBn3F0gcAp// |
|  3 | scotty   | Password       | == | testing                            |
+----+----------+----------------+----+------------------------------------+

Both of which work just fine. Now off to figure out how to get this to work with our Cisco VPN 3000, and certificates...

Scott Mace
Network Administrator
TravelCenters of America
24601 Center Ridge Rd.
Westlake, OH 44145
440-808-4318
RE: MySQL Authentication
Scott,

Hmmm

Does your sqltrace file give any clues? That'll show the actual SQL which is executing against the database...

Scott.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> Posted At: Monday, March 24, 2003 1:42 PM
> Posted To: FreeRadius
> Conversation: MySQL Authentication
> Subject: RE: MySQL Authentication
>
>
> Well, I used the Dialup Admin tool with the default setting
> of using crypt
> passwords.
>
> Here's my DB info, thanks for your help!
>

---
This message (and any associated files) is intended only for the use of the individual or entity to which it is addressed and may contain information that is confidential, subject to copyright or constitutes a trade secret. If you are not the intended recipient you are hereby notified that any dissemination, copying or distribution of this message, or files associated with this message, is strictly prohibited. If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer. Messages sent to and from us may be monitored. Internet communications cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Therefore, we do not accept responsibility for any errors or omissions that are present in this message, or any attachment, that have arisen as a result of e-mail transmission. If verification is required, please request a hard-copy version. Any views or opinions presented are solely those of the author and do not necessarily represent those of BTA Ltd.
RE: MySQL Authentication
Well, I used the Dialup Admin tool with the default setting of using crypt passwords.

Here's my DB info, thanks for your help!

mysql> select *from radcheck;
+----+----------+----------------+----+------------------------------------+
| id | UserName | Attribute      | op | Value                              |
+----+----------+----------------+----+------------------------------------+
|  3 | scotty   | Crypt-Password | := | $1$k.732Mhx$oNSh46n4YSq7NvAsGQnIu. |
+----+----------+----------------+----+------------------------------------+
1 row in set (0.00 sec)

mysql> select *from radreply;
+----+----------+-----------------+----+-------+
| id | UserName | Attribute       | op | Value |
+----+----------+-----------------+----+-------+
|  1 | scotty   | Framed-Protocol | =  | PPP   |
+----+----------+-----------------+----+-------+
1 row in set (0.01 sec)

mysql> select *from radgroupcheck;
+----+-----------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-------+
|  1 | test      | Auth-Type | := | Local |
+----+-----------+-----------+----+-------+
1 row in set (0.01 sec)

mysql> select *from usergroup;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  2 | scotty   | test      |
+----+----------+-----------+
1 row in set (0.00 sec)

mysql> select *from radgroupreply;
+----+-----------+--------------------+----+---------------------+------+
| id | GroupName | Attribute          | op | Value               | prio |
+----+-----------+--------------------+----+---------------------+------+
|  1 | test      | Framed-Compression | := | Van-Jacobsen-TCP-IP |    1 |
|  2 | test      | Framed-Protocol    | := | PPP                 |    1 |
|  3 | test      | Service-Type       | := | Framed-User         |    1 |
+----+-----------+--------------------+----+---------------------+------+
3 rows in set (0.00 sec)

Scott Mace
Network Administrator
TravelCenters of America
24601 Center Ridge Rd.
Westlake, OH 44145
440-808-4318

"Scott Bartlett" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/22/2003 05:54 AM
Please respond to freeradius-users
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: MySQL Authentication

Scott,

Your debug notes you've got PAP encryption set - is this the issue? I'd try with it set to 'clear' first if I were you, then go from there once that works...

Can you post examples of what you've got in the database?

SB

Scott Bartlett
BTA Limited, 100 High Street Wandsworth, London SW18 4LA, United Kingdom
e: [EMAIL PROTECTED]
v: +44 (0)20 8871 4240
f: +44 (0)20 8871 4584
Network Consultancy and Support for Windows, MacOS and Linux. Internet connectivity, solutions, web/database development and business services. <http://www.bta.com>.
Re: MySQL Authentication
Would it be possible to let me look at your config? Maybe a sample user from your database? (No user id's/passwords/ip addresses of course)

Scott Mace
Network Administrator
TravelCenters of America
24601 Center Ridge Rd.
Westlake, OH 44145
440-808-4318

Pablo Veliz <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/21/2003 07:29 PM
Please respond to freeradius-users
To: [EMAIL PROTECTED]
cc:
Subject: Re: MySQL Authentication

On Fri, 21 Mar 2003 17:31:16 -0500 [EMAIL PROTECTED] wrote:

> I've seen quite a few messages in the archives regarding different issues
> with MySQL authentication. I can get nothing to work. I tried this
> patch,
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg12306.html
> and this patch,
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg14684.html
> (which wouldn't apply properly, I'm no programmer) and I still can't get
> MySQL authentication to work. I used the instructions here:
> http://www.frontios.com/freeradius.html and got authentication working
> just fine with using the users file. I can get accounting info into my
> database, but the rlm_mysql doesn't seem to be connecting to the db at
> all, which indicates the port issue described in the second patch thread I
> listed.

I don't know how to help you, but I can tell you that I installed freeRadius 0.8.1 in Mandrake 9.0 and I have it working without problem right now. I use only mysql for auth and acct, maybe my radius.conf can give you a clue. I must say that my "users" file is empty.

I'm planning to move this to a RH7.0 server or maybe a RH8.0

--
Pablo Veliz
Re: MySQL Authentication
Ok, tried that, no change. Thanks anyway. BTW, am I incorrect in assuming that these are tried in order until a) they all fail, or b) one is successful?

Scott Mace
Network Administrator
TravelCenters of America
24601 Center Ridge Rd.
Westlake, OH 44145
440-808-4318

"Ed H" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/21/2003 07:05 PM
Please respond to freeradius-users
To: [EMAIL PROTECTED]
cc:
Subject: Re: MySQL Authentication

Hello Scott:

It looks like you might be trying to use unix passwd/shadow authentication and sql both. Make sure your radiusd.conf file comments out all references to unix, and file. Should look something similar to this (this is just an example):

authenticate {
    authtype PAP {
        pap
    }
    authtype CHAP {
        chap
    }
#   pam
#   unix
#   authtype LDAP {
#       ldap
#   }
#   eap
}

preacct {
    preprocess
    suffix
#   files
}

accounting {
#   acct_unique
#   detail
#   counter
#   unix    # wtmp file
    sql
#   radutmp
#   sradutmp
}

session {
#   radutmp
    sql
}

Ed
RE: MySQL Authentication
Scott,

Your debug notes you've got PAP encryption set - is this the issue? I'd try with it set to 'clear' first if I were you, then go from there once that works...

Can you post examples of what you've got in the database?

SB

Scott Bartlett
BTA Limited, 100 High Street Wandsworth, London SW18 4LA, United Kingdom
e: [EMAIL PROTECTED]
v: +44 (0)20 8871 4240
f: +44 (0)20 8871 4584
Network Consultancy and Support for Windows, MacOS and Linux. Internet connectivity, solutions, web/database development and business services. <http://www.bta.com>.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Posted At: 21 March 2003 22:31
Posted To: FreeRadius
Conversation: MySQL Authentication
Subject: MySQL Authentication

I've seen quite a few messages in the archives regarding different issues with MySQL authentication. I can get nothing to work. I tried this patch, http://www.mail-archive.com/[EMAIL PROTECTED]/msg12306.html and this patch, http://www.mail-archive.com/[EMAIL PROTECTED]/msg14684.html (which wouldn't apply properly, I'm no programmer) and I still can't get MySQL authentication to work. I used the instructions here: http://www.frontios.com/freeradius.html and got authentication working just fine with using the users file. I can get accounting info into my database, but the rlm_mysql doesn't seem to be connecting to the db at all, which indicates the port issue described in the second patch thread I listed.

I tried the CVS snapshot from the ftp site, and the 0.8.1 release, both yield the exact results. I now am using the 0.8.1 release.

Other info:

Module: Loaded PAP
pap: encryption_scheme = "crypt"
Re: MySQL Authentication
El Fri, 21 Mar 2003 17:31:16 -0500 [EMAIL PROTECTED] escribió: > I've seen quite a few messages in the archives regarding different issues > with MySQL authentication. I can get nothing to work. I tried this > patch, > http://www.mail-archive.com/[EMAIL PROTECTED]/msg12306.html > and this patch, > http://www.mail-archive.com/[EMAIL PROTECTED]/msg14684.html > (which wouldn't apply properly, I'm no programmer) and I still can't get > MySQL authentication to work. I used the instructions here: > http://www.frontios.com/freeradius.html and got authentication working > just fine with using the users file. I can get accounting info into my > database, but the rlm_mysql doesn't seem to be connecting to the db at > all, which indicates the port issue described in the second patch thread I > listed. > I don't know how to help you, but I can tell you that I installed freeRadius 0.8.1 in Mandrake 9.0 and I have it working without problem right now. I use only mysql for auth and acct, maybe my radius.conf can give you a clue. I must say that my "users" file is empty. 
--- radius.conf ---
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = yes
lower_user = no
lower_pass = no
nospace_user = yes
nospace_pass = yes
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 1200
    reject_delay = 1
    status_server = no
}
proxy_requests = no
$INCLUDE ${confdir}/clients.conf
$INCLUDE ${confdir}/snmp.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    realm suffix {
        format = suffix
        delimiter = "@"
    }
    realm realmslash {
        format = prefix
        delimiter = "/"
    }
    realm realmpercent {
        format = suffix
        delimiter = "%"
    }
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
    }
    $INCLUDE ${confdir}/sql.conf
    radutmp {
        filename = ${logdir}/radutmp
        perm = 0600
        callerid = "yes"
    }
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }
    attr_filter {
        attrsfile = ${confdir}/attrs
    }
    counter {
        filename = ${raddbdir}/db.counter
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }
    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }
    expr {
    }
}
instantiate {
    expr
}
authorize {
    preprocess
    suffix
    sql
    files
}
authenticate {
    authtype PAP {
        pap
    }
}
preacct {
    preprocess
    suffix
    files
}
accounting {
    acct_unique
Re: MySQL Authentication
Hello Scott:

It looks like you might be trying to use unix passwd/shadow authentication and sql both. Make sure your radiusd.conf file comments out all references to unix, and file. Should look something similar to this (this is just an example):

authenticate {
    authtype PAP {
        pap
    }
    authtype CHAP {
        chap
    }
#   pam
#   unix
#   authtype LDAP {
#       ldap
#   }
#   eap
}
preacct {
    preprocess
    suffix
#   files
}
accounting {
#   acct_unique
#   detail
#   counter
#   unix        # wtmp file
    sql
#   radutmp
#   sradutmp
}
session {
#   radutmp
    sql
}

Ed

From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: MySQL Authentication
Date: Fri, 21 Mar 2003 17:31:16 -0500

I've seen quite a few messages in the archives regarding different issues with MySQL authentication. I can get nothing to work. I tried this patch, http://www.mail-archive.com/[EMAIL PROTECTED]/msg12306.html and this patch, http://www.mail-archive.com/[EMAIL PROTECTED]/msg14684.html (which wouldn't apply properly, I'm no programmer) and I still can't get MySQL authentication to work. I used the instructions here: http://www.frontios.com/freeradius.html and got authentication working just fine with using the users file. I can get accounting info into my database, but the rlm_mysql doesn't seem to be connecting to the db at all, which indicates the port issue described in the second patch thread I listed.

I tried the CVS snapshot from the ftp site, and the 0.8.1 release, both yield the exact results. I now am using the 0.8.1 release.

Other info: RedHat 8.0

MySQL related:
mod_auth_mysql-1.11-10
mysql-server-3.23.54a-4
mysql-devel-3.23.54a-4
libdbi-dbd-mysql-0.6.5-2
mysql-3.23.54a-4
php-mysql-4.2.2-8.0.7

Any ideas?

Initialization log

Starting - reading configuration files ...
MySQL Authentication
I've seen quite a few messages in the archives regarding different issues with MySQL authentication. I can get nothing to work. I tried this patch, http://www.mail-archive.com/[EMAIL PROTECTED]/msg12306.html and this patch, http://www.mail-archive.com/[EMAIL PROTECTED]/msg14684.html (which wouldn't apply properly, I'm no programmer) and I still can't get MySQL authentication to work. I used the instructions here: http://www.frontios.com/freeradius.html and got authentication working just fine with using the users file. I can get accounting info into my database, but the rlm_mysql doesn't seem to be connecting to the db at all, which indicates the port issue described in the second patch thread I listed.

I tried the CVS snapshot from the ftp site, and the 0.8.1 release, both yield the exact results. I now am using the 0.8.1 release.

Other info: RedHat 8.0

MySQL related:
mod_auth_mysql-1.11-10
mysql-server-3.23.54a-4
mysql-devel-3.23.54a-4
libdbi-dbd-mysql-0.6.5-2
mysql-3.23.54a-4
php-mysql-4.2.2-8.0.7

Any ideas?

Initialization log

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: servers_per_realm = 15
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: ignore_password = no
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = yes
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded SQL
sql: driver = "rlm_sql_mysql"
sql: server = "lnxradius01.ta.com"
sql: port = ""
sql: login = "dialup_admin"
sql: password = ""
sql: radius_db = "radius"
sql: acct_table = "radacct"
sql: acct_table2 = "radacct"
sql: authcheck_table = "radcheck"
sql: authreply_table = "radreply"
sql: groupcheck_table = "radgroupcheck"
sql: groupreply_table = "radgroupreply"
sql: usergroup_table = "usergroup"
sql: nas_table = "nas"
sql: dict_table = "dictionary"
sql: sqltrace = yes
sql: sqltracefile = "/var
Re: Mysql Authentication
Alan DeKok wrote:

> Ossama Suleiman <[EMAIL PROTECTED]> wrote:
> > i am using freeradius 0.8.1 with Redhat 8.0, i wanted to use mysql
> > authentication, the problem is that i want to authenticate users
> > depending on Calling-Station-Id, so i added an entry (blank username)
>
> Why? What's wrong with the DEFAULT configuration?

When using the DEFAULT entry with the users file there is no problem at all, but when using it with mysql i got the error message mentioned before below

> > -i got the following error message that the user-name can't be blank:
> > --
> > rlm_sql (sql): zero length username not permitted
>
> Exactly. Use DEFAULT.

i tried the DEFAULT value, my table looks like this:

+----+----------+----------------+--------+----+
| id | UserName | Attribute      | Value  | op |
+----+----------+----------------+--------+----+
| 1  | DEFAULT  | Auth-Type      | Accept | := |
| 2  | DEFAULT  | Huntgroup-Name | test   | == |
+----+----------+----------------+--------+----+

but as i said before, this configuration is not working and it still complains about zero length username. when i commented out that section in rlm_sql.c and replaced the default entry with a blank entry it worked correctly. my table looked like this in that case:

+----+----------+----------------+--------+----+
| id | UserName | Attribute      | Value  | op |
+----+----------+----------------+--------+----+
| 1  |          | Auth-Type      | Accept | := |
| 2  |          | Huntgroup-Name | test   | == |
+----+----------+----------------+--------+----+

this is working fine, and checking the calling-station-id listed in the huntgroup file

> > could somebody correct me if this contains mistakes??
>
> You're doing too much work, and ignoring the examples which tell you
> about the DEFAULT user.
>
> Alan DeKok.

sorry for all the trouble, and resending it

Ossama
Re: Mysql Authentication
Ossama Suleiman <[EMAIL PROTECTED]> wrote:
> i am using freeradius 0.8.1 with Redhat 8.0, i wanted to use mysql
> authentication, the problem is that i want to authenticate users
> depending on Calling-Station-Id, so i added an entry (blank username)

  Why? What's wrong with the DEFAULT configuration?

> -i got the following error message that the user-name can't be blank:
> --
> rlm_sql (sql): zero length username not permitted

  Exactly. Use DEFAULT.

> could somebody correct me if this contains mistakes??

  You're doing too much work, and ignoring the examples which tell you about the DEFAULT user.

  Alan DeKok.
Mysql Authentication
Hi,

i am using freeradius 0.8.1 with Redhat 8.0, i wanted to use mysql authentication, the problem is that i want to authenticate users depending on Calling-Station-Id, so i added an entry (blank username) into the table radcheck with Auth-Type=Accept and added another attribute Calling-Station-Id=123456, and tried to authenticate that user using NTRadPing and Radius in debugging mode

- i got the following error message that the user-name can't be blank:
--
rlm_sql (sql): zero length username not permitted
modcall[authorize]: module "sql" returns invalid
modcall: group authorize returns invalid
--

- so i edited src/modules/rlm_sql/rlm_sql.c and commented out the following lines so not to check for a zero username, lines: 468-472

465: /*
466:  * They MUST have a username to do SQL authorization.
467:  */
468: // if ((request->username == NULL) ||
469: //     (request->username->length == 0)) {
470: //     radlog(L_ERR, "rlm_sql (%s): zero length username not permitted\n", inst->config->xlat_name);
471: //     return RLM_MODULE_INVALID;
472: // }

- the error message changed:
---
radius_xlat: ''
modcall[authorize]: module "sql" returns fail
modcall: group authorize returns fail
---

so i edited it once again and commented out lines: 483,484
--
483: // if (sql_set_user(inst, request, sqlusername, NULL) < 0)
484: //     return RLM_MODULE_INVALID

this seemed to be working correctly, everything else seems to be working too

could somebody correct me if this contains mistakes??

is it also please possible to add this as an option to the source code of freeradius, cause i always upgrade to the latest version of freeradius and don't want to edit the code every time on a working environment

Thanks for your help
Best Regards
Ossama Suleiman
mysql authentication with multiple CLIs
All,

i'm using freeradius with mysql to authenticate users based on username, password, and their calling station id. but now i have some users that wish to dial up from two or more different CLIs. I need a bit of help on setting up the database records in the radcheck table, this is what i am using at the moment, is this correct?

+------+----------+--------------------+----------+------+
| id   | UserName | Attribute          | Value    | op   |
+------+----------+--------------------+----------+------+
| 35   | 102523   | User-Password      | password | NULL |
| 36   | 102523   | Calling-Station-Id | 123456   | NULL |
| 1152 | 102523   | Calling-Station-Id | 123457   | NULL |
+------+----------+--------------------+----------+------+

or should it be like this, using two separate records:

+------+----------+--------------------+----------+------+
| id   | UserName | Attribute          | Value    | op   |
+------+----------+--------------------+----------+------+
| 35   | 102523   | User-Password      | password | NULL |
| 36   | 102523   | Calling-Station-Id | 123456   | NULL |
| 1151 | 102523   | User-Password      | password | NULL |
| 1152 | 102523   | Calling-Station-Id | 123457   | NULL |
+------+----------+--------------------+----------+------+

do i need a value in the last "op" field?

thanks in advance.

Mark
--
http://www.thedumbterminal.co.uk
Re: MySql authentication fails
"Valakos Yorgos" <[EMAIL PROTECTED]> wrote:
> I have a SuSe Linux 8.0 on Intel system and and 0.7.1 freeradius and
> latest version of MySql . When I try to authenticate a user against my
> passwd and shadow file it works but it doesn't when I try the same with
> users inserted in radius database (radcheck , etc) and auth type = sql

  Don't use Auth-Type := SQL, there's no such thing. See the mailing list archives for lots more information.

  Alan DeKok.
MySql authentication fails
Dear friends,

I am totally newbie - yet fascinated - in both the linux and Freeradius stuff so I beg you to bear with me. I have a SuSe Linux 8.0 on Intel system and 0.7.1 freeradius and latest version of MySql. When I try to authenticate a user against my passwd and shadow file it works but it doesn't when I try the same with users inserted in radius database (radcheck, etc) and auth type = sql. Below is the output of the debugging. Any help?

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
read_config_files: reading dictionary
read_config_files: reading clients
read_config_files: reading realms
read_config_files: reading naslist
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_auth = no
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
main: debug_level = 0
read_config_files: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded System
unix: cache = yes
unix: passwd = "/etc/passwd"
unix: shadow = "/etc/shadow"
unix: group = "/etc/group"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
Module: Instantiated unix (unix)
Module: Loaded MS-CHAP
mschap: ignore_password = no
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded PAP
pap: encryption_scheme = "clear"
Module: Instantiated pap (pap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded SQL
sql: driver = "rlm_sql_mysql"
sql: server = "localhost"
sql: port = ""
sql: login = "root"
sql: password = "myrootpasswd"
sql: radius_db = "radius"
sql: acct_table = "radacct"
sql: acct_table2 = "radacct"
sql: authcheck_table = "radcheck"
sql: authreply_table = "radreply"
sql: groupcheck_table = "radgroupcheck"
sql: groupreply_table = "radgroupreply"
sql: usergroup_table = "usergroup"
sql: nas_table = "nas"
sql: dict_table = "dictionary"
sql: sqltrace = yes
sql: sqltracefile = "/usr/local/var/log/radius/sqltrace.sql"
sql: deletestalesessions = yes
sql: num_sql_socks = 5
sql: sql_user_name = "%{User-Name}"
sql: authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
sql: authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
sql: authorize_group_check_query = "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id"
sql: authorize_group_reply_query = "SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id"
sql: authenticate_query = "SELECT Value,Attribute FROM radcheck WHERE UserName = '%{
Re: Freeradius/MySQL Authentication Problem
> If you want it to look at the 'users' file, then, absolutely.

Since I didn't care for it to look at the 'users' file, then the entry of:

| 3 | DialUp | Auth-Type | PAP | := |

in the 'radgroupcheck' table should have taken care of the Auth-Type issue, correct? The list of my MySQL tables can be seen in the post to this list with subject 'freeradius/mysql unable to ascertain Auth-Type from mysql'

Thanks,
--Josh Snyder
NetNITCO Systems Administration
Re: Freeradius/MySQL Authentication Problem
NetNITCO Systems Administration <[EMAIL PROTECTED]> wrote:
> I was however under the impression that 'Auth-Type' would be
> retrieved from the 'radgroupcheck' table for the group my test user
> is associated with under MySQL rather than the users file. Is that
> not the case?

  Yes.

> Do I in fact need to add 'files' under the 'authorize' or
> 'authenticate' sections?

  If you want it to look at the 'users' file, then, absolutely.

  Alan DeKok.
Re: Freeradius/MySQL Authentication Problem
> I don't know. Read the debugging output of the server. Is it even
> looking at that line from 'users'?

I have killed and restarted radius with debugging and tried authenticating. I have not seen any mention of the users file or the loading of any of the DEFAULT values specified in the users file. Just for testing sake, I manually ran all of the sql queries that were displayed during the login and they all returned what I believe to be the appropriate data from the MySQL database so I do not believe that is the issue.

In reading the comments in radiusd.conf, it appears that the users file is defined in the 'files' module and looking at the comments under 'authenticate' in the 'authtype PAP' section, it states, "...extract user passwords...(LDAP,SQL, etc). You should use the 'files' module to set 'Auth-Type := PAP' for this to work."

I was however under the impression that 'Auth-Type' would be retrieved from the 'radgroupcheck' table for the group my test user is associated with under MySQL rather than the users file. Is that not the case? Do I in fact need to add 'files' under the 'authorize' or 'authenticate' sections?

Thanks,
--Josh Snyder
NetNITCO Systems Administration
Re: Freeradius/MySQL Authentication Problem
NetNITCO Systems Administration <[EMAIL PROTECTED]> wrote:
> Ok, that is what I have. Do you have any ideas why radius appears
> to still be unable to determine an Auth-Type when trying to
> authenticate the user?

  I don't know. Read the debugging output of the server. Is it even looking at that line from 'users'?

  Alan DeKok.
Re: Freeradius/MySQL Authentication Problem
> Yes.

Ok, that is what I have. Do you have any ideas why radius appears to still be unable to determine an Auth-Type when trying to authenticate the user?

--Josh Snyder
NetNITCO Systems Administration
Re: Freeradius/MySQL Authentication Problem
NetNITCO Systems Administration <[EMAIL PROTECTED]> wrote:
> I currently have the following in the users file:
>
> DEFAULT Auth-Type := PAP
>         Fall-Through = 1
...
> Is this what you were talking about Alan?

  Yes.

  Alan DeKok.
Re: Freeradius/MySQL Authentication Problem
> Read the 'users' file that comes with the server.
>
> The Auth-Type attribute tells the server HOW the user is to be
> authenticated.

I currently have the following in the users file:

DEFAULT Auth-Type := PAP
        Fall-Through = 1

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 1500,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

Is this what you were talking about Alan?

--Josh Snyder
NetNITCO Systems Administration
Re: Freeradius/MySQL Authentication Problem
> Alright, everything seems to be working fine now from my previous
> post regarding initial configuration of Freeradius 0.7 and MySQL,
> however, now I cannot authenticate a user. I'm not sure what I'm
> supposed to set Auth-Type to or where I'm supposed to set it.

  Read the 'users' file that comes with the server.

  The Auth-Type attribute tells the server HOW the user is to be authenticated.

  Alan DeKok.
Freeradius/MySQL Authentication Problem
Alright, everything seems to be working fine now from my previous post regarding initial configuration of Freeradius 0.7 and MySQL, however, now I cannot authenticate a user. I'm not sure what I'm supposed to set Auth-Type to or where I'm supposed to set it. I want to just use PAP clear text authentication for testing and use unix crypt later. I get the following when trying to authenticate a user:

rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1645, id=30, length=159
        User-Name = "test1"
        User-Password = "Z\224\356\032\221\344\016\004\235\\|\007\025\210\016\240"
        NAS-IP-Address = xxx.xxx.xxx.xxx
        NAS-Port = 14081
        Acct-Session-Id = "test11"
        USR-Interface-Index = 0
        USR-Supports-Tags = 0
        USR-Chassis-Call-Slot = 56
        USR-Chassis-Call-Span = 1
        USR-Chassis-Call-Channel = 1
        USR-Connect-Speed = NONE
        Calling-Station-Id = ""
        Called-Station-Id = ""
        NAS-Port-Type = Virtual
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm NULL for User-Name = "test1"
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
radius_xlat: 'test1'
sql_set_user: escaped user --> 'test1'
radius_xlat:
radius_xlat:
radius_xlat:
radius_xlat:
rlm_sql: Pairs do not match [test1]
rlm_sql: Released sql socket id: 4
modcall[authorize]: module "sql" returns notfound
modcall: group authorize returns ok
auth: No authenticate method(Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.

I have set the following in radiusd.conf:

pap {
    encryption_scheme = clear
}
authorize {
    preprocess
    suffix
    sql
}
authenticate {
    authtype PAP {
        pap
    }
}
preacct {
    preprocess
    suffix
}
accounting {
    detail
    sql
    radutmp
}
session {
    sql
}

I have the following setup in users:

DEFAULT Auth-Type := PAP

I also have the following entry in the radgroupreply table for the group that my test accounts are associated with:

| id | GroupName | Attribute | Value | op   | prio |
+----+-----------+-----------+-------+------+------+
|  8 | DialUp    | Auth-Type | PAP   | NULL |    0 |

I'm not sure if any of this is correct. Anybody have any ideas? I apologize if I included any unnecessary log information, but I wasn't sure what would be of importance.

Thanks,
--Josh Snyder
NetNITCO Systems Administration
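The rejection in the debug output above can be read mechanically: the authorize chain ends without any module supplying Auth-Type. The Python sketch below is an added example, not part of the original thread or of FreeRADIUS; the function names and hint wording are assumptions, and the sample is the poster's debug output trimmed and re-broken into lines.

```python
import re

# Constructed sample: radiusd debug lines quoted in the message above,
# trimmed to the module calls and the final verdict, one entry per line.
SAMPLE_DEBUG = """\
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
rlm_sql: Pairs do not match [test1]
modcall[authorize]: module "sql" returns notfound
modcall: group authorize returns ok
auth: No authenticate method(Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
"""

MODCALL = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+)')

# (tag, pattern, hint). Each pattern is an error string quoted in these
# threads; each hint paraphrases the advice given in the replies.
SIGNATURES = [
    ("no-auth-type",
     re.compile(r"No authenticate method\s*\(Auth-Type\) configuration found"),
     "no authorize module set Auth-Type: list 'files' in authorize if the "
     "users file should supply it, or store it as a check item in radgroupcheck"),
    ("blank-username",
     re.compile(r"zero length username not permitted"),
     "rlm_sql refuses an empty User-Name: use a DEFAULT entry instead"),
    ("secret-mismatch",
     re.compile(r"invalid signature|Unprintable characters in the password"),
     "shared secret differs: check the clients.conf entry for this client"),
    ("sql-in-authenticate",
     re.compile(r"\"SQL\" modules aren't allowed in 'authenticate' sections"),
     "remove 'sql' from the authenticate section of radiusd.conf"),
]


def module_chain(text, section="authorize"):
    """Return [(module, rcode), ...] for one section, in call order."""
    return [(m.group(2), m.group(3))
            for m in MODCALL.finditer(text) if m.group(1) == section]


def triage(text):
    """Return one finding per known failure signature present in the log."""
    chain = module_chain(text)
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for tag, pattern, hint in SIGNATURES:
            if tag in seen or not pattern.search(line):
                continue
            seen.add(tag)
            finding = {"tag": tag, "line": lineno, "hint": hint}
            if tag == "no-auth-type":
                # Modules that ran but found nothing for this user.
                finding["did_not_match"] = [
                    name for name, rcode in chain
                    if rcode in ("noop", "notfound")]
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_DEBUG):
        print(item)
```
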
Re: mysql authentication
At 02:07 AM 7/26/2002 +0800, Ador Dauz wrote:
>thank's Chris...
>I have a question again, In the table of radcheck, radgroupcheck
>radreply thiers a field called "op" whats this for? and also in the
>radgroupreply a field called "prio" I don't know what should I put
>that fields.

This field is for the operator. See the 'users' man page for a description of each operator. Or check the list archives.

-Chris

--
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless! - http://www.starnetwx.net - (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Re: mysql authentication
thanks Chris...

I have a question again. In the tables radcheck, radgroupcheck and radreply there's a field called "op", what's this for? And also in radgroupreply a field called "prio". I don't know what I should put in those fields.

Thanks again,
-ador

On Friday 26 July 2002 01:29, you wrote:
> At 01:24 AM 7/26/2002 +0800, Ador Dauz wrote:
> >Hello all,
> >Need help please, I can't make it my MySql configuration.
> >I got this mesages when I run radiusd -x
> >
> >Module: Instantiated sql (sql)
> >radiusd.conf: "SQL" modules aren't allowed in 'authenticate' sections --
> > they have no such method.
>
> Yup, do what it says, and remove 'sql' from the 'authenticate' section
> of your radiusd.conf file.
>
> -Chris
Re: mysql authentication
At 01:24 AM 7/26/2002 +0800, Ador Dauz wrote:
>Hello all,
>Need help please, I can't get my MySql configuration working.
>I got these messages when I run radiusd -x
>
>Module: Instantiated sql (sql)
>radiusd.conf: "SQL" modules aren't allowed in 'authenticate' sections -- they
>have no such method.

Yup, do what it says, and remove 'sql' from the 'authenticate' section of your radiusd.conf file.

-Chris
--
   \\\|||///  \          StarNet Inc.      \         Chris Parker
   \ ~   ~ /   \       WX *is* Wireless!    \   Director, Engineering
   | @   @ |    \   http://www.starnetwx.net \      (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
                  \ Wholesale Internet Services - http://www.megapop.net
mysql authentication
Hello all,

Need help please, I can't get my MySql configuration working. I got these messages when I run radiusd -x

    Starting - reading configuration files ...
    Module: Loaded System
    HASH: Reinitializing hash structures and lists for caching...
    HASH: Stored 31 entries from /etc/passwd
    HASH: Stored 40 entries from /etc/group
    Module: Instantiated unix (unix)
    Module: Loaded SQL
    rlm_sql: Driver rlm_sql_mysql loaded and linked
    rlm_sql: Attempting to connect to root@localhost:/radius
    rlm_sql: Connected new DB handle, #0
    rlm_sql: Connected new DB handle, #1
    rlm_sql: Connected new DB handle, #2
    rlm_sql: Connected new DB handle, #3
    rlm_sql: Connected new DB handle, #4
    Module: Instantiated sql (sql)
    radiusd.conf: "SQL" modules aren't allowed in 'authenticate' sections -- they have no such method.

Thanks a lot,
--ador
Re: Problems with MySQL authentication
> > root@localhost# radtest radman2 testing localhost 10 2
> hostname> Sending Access-Request of id 128 to 127.0.0.1:1812
> >     User-Name = "radman2"
> >     User-Password = "\2529M\234\353,\006w\2657K\346m\301\022@"
> >     NAS-IP-Address =
> >     NAS-Port-Id = "10"
> >     Framed-Protocol = PPP
> > rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=128,
> > length=20 rad_decode: Received Access-Reject packet from 127.0.0.1 with
> > invalid signature!
> > ^^^
> > ^
>
> > output from radiusd -X
>
> [...]
>
> > WARNING: Unprintable characters in the password. ? Double-check the
> > shared secret on the server and the NAS!
> >
> >
> > This WARNING says check my secret, but I know that is correct for sure.
> > From
>
> Are you _really really_ sure you have your shared secret correct? Both
> the "invalid signature" error radtest gives and the warning from radiusd
> indicate that the shared secrets don't match.
> Could you paste the relevant section from raddb/clients.conf?

You were correct in saying that I used an incorrect secret. I looked at my clients.conf and I saw that there are different secrets for localhost and my NASes. I guess I didn't understand that I needed to use the secret for localhost; I was using the secret for my NAS. Once I used the secret for localhost, everything works great!!

Thanks for the excellent support everyone!

Nick
--
Nick Davis
Associate Systems Administrator
[EMAIL PROTECTED]
Internet Exposure, Inc.
http://www.iexposure.com
(612)676-1946
Web Development-Web Marketing-ISP Services
Re: Problems with MySQL authentication was Re: Problems with MySQL Auth-Type
At 08:52 AM 5/31/2002 +0200, Simon wrote:
>On Thu, May 30, 2002 at 07:14:14PM -0500, Nick Davis wrote:
>
>[...]
>
> > root@localhost# radtest radman2 testing localhost 10 2 hostname>
> > Sending Access-Request of id 128 to 127.0.0.1:1812
> >     User-Name = "radman2"
> >     User-Password = "\2529M\234\353,\006w\2657K\346m\301\022@"
> >     NAS-IP-Address =
> >     NAS-Port-Id = "10"
> >     Framed-Protocol = PPP
> > rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=128, length=20
> > rad_decode: Received Access-Reject packet from 127.0.0.1 with invalid
> > signature!^^^
>           ^
>
>Are you _really really_ sure you have your shared secret correct? Both
>the "invalid signature" error radtest gives and the warning from radiusd
>indicate that the shared secrets don't match.
>Could you paste the relevant section from raddb/clients.conf?

It is most likely just really old code on the NAS. Quite a few NAS in older code revs didn't sign Accounting-Request packets properly. Livingston Portmasters were one. I'd highly recommend looking at upgrading the NAS code as the suspect here.

Also, if this is an older Ascend box, Ascend didn't quite follow the RFC method of encrypting PAP passwords when sending to the NAS ( they added additional NULL pads ). Newer Ascend/Lucent allow you to switch to an RFC compliant mode.

-Chris
--
   \\\|||///  \          StarNet Inc.      \         Chris Parker
   \ ~   ~ /   \       WX *is* Wireless!    \   Director, Engineering
   | @   @ |    \   http://www.starnetwx.net \      (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
                  \ Wholesale Internet Services - http://www.megapop.net
Re: Problems with MySQL authentication was Re: Problems with MySQL Auth-Type
On Thu, May 30, 2002 at 07:14:14PM -0500, Nick Davis wrote:

[...]

> root@localhost# radtest radman2 testing localhost 10 2
> Sending Access-Request of id 128 to 127.0.0.1:1812
>     User-Name = "radman2"
>     User-Password = "\2529M\234\353,\006w\2657K\346m\301\022@"
>     NAS-IP-Address =
>     NAS-Port-Id = "10"
>     Framed-Protocol = PPP
> rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=128, length=20
> rad_decode: Received Access-Reject packet from 127.0.0.1 with invalid
> signature!^^^
          ^
> output from radiusd -X

[...]

> WARNING: Unprintable characters in the password. ? Double-check the shared
> secret on the server and the NAS!
>
>
> This WARNING says check my secret, but I know that is correct for sure. From

Are you _really really_ sure you have your shared secret correct? Both the "invalid signature" error radtest gives and the warning from radiusd indicate that the shared secrets don't match.

Could you paste the relevant section from raddb/clients.conf?

--
Simon
Problems with MySQL authentication was Re: Problems with MySQL Auth-Type
OK, I think I am really close to getting this working (having everything in the mysql db). As a side note, I use a table called user instead of radcheck, with different titles for the columns, because this db is for other stuff too. Here are the tables:

    mysql> select * from user;
    +----------+---------+---------+----------+--------------+---------------+----+
    | useridnr | userid  | passwd  | clientid | maxmail_size | Attribute     | op |
    +----------+---------+---------+----------+--------------+---------------+----+
    |       30 | radman2 | testing |        0 |      2097152 | User-Password | := |
    +----------+---------+---------+----------+--------------+---------------+----+

    mysql> select * from usergroup;
    +----+----------+-----------+
    | id | UserName | GroupName |
    +----+----------+-----------+
    |  2 | radman2  | default   |
    +----+----------+-----------+

    mysql> select * from radgroupcheck;
    +----+-----------+------------------+-------+----+
    | id | GroupName | Attribute        | Value | op |
    +----+-----------+------------------+-------+----+
    | 10 | default   | Simultaneous-Use | 1     | := |
    |  9 | default   | Auth-Type        | PAP   | := |
    +----+-----------+------------------+-------+----+

    mysql> select * from radgroupreply;
    +----+-----------+-------------------+-------------+----+------+
    | id | GroupName | Attribute         | Value       | op | prio |
    +----+-----------+-------------------+-------------+----+------+
    |  2 | default   | User-Service-Type | Framed-User | =  |    0 |
    |  3 | default   | Framed-Protocol   | PPP         | =  |    0 |
    |  4 | default   | Fall-Through      | Yes         | =  |    0 |
    +----+-----------+-------------------+-------------+----+------+

I have my radiusd.conf like this:

    pap {
        encryption_scheme = clear
    }
    authorize {
        preprocess
        sql
    }
    authenticate {
        authtype PAP {
            pap
        }
    }
    preacct {
        preprocess
    }
    accounting {
        unix
        sql
        radutmp
    }
    session {
        radutmp
    }

When I run radtest radman2 testing localhost 10 2, radtest seems to always encrypt my password; since I am storing pwds in cleartext, the auth never works. Here is some output:

    root@localhost# radtest radman2 testing localhost 10 2
    Sending Access-Request of id 128 to 127.0.0.1:1812
        User-Name = "radman2"
        User-Password = "\2529M\234\353,\006w\2657K\346m\301\022@"
        NAS-IP-Address =
        NAS-Port-Id = "10"
        Framed-Protocol = PPP
    rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=128, length=20
    rad_decode: Received Access-Reject packet from 127.0.0.1 with invalid signature!

* output from radiusd -X

    rad_recv: Access-Request packet from host 127.0.0.1:1087, id=128, length=63
        User-Name = "radman2"
        User-Password = "\2529M\234\353,\006w\2657K\346m\301\022@"
        NAS-IP-Address = 255.255.255.255
        NAS-Port-Id = "10"
        Framed-Protocol = PPP
    modcall: entering group authorize
    modcall[authorize]: module "preprocess" returns ok
    radius_xlat: 'radman2'
    sql_escape in: 'radman2'
    sql_escape out: 'radman2'
    sql_set_user: escaped user --> 'radman2'
    radius_xlat: 'SELECT useridnr,userid,Attribute,passwd,op FROM user WHERE userid = 'radman2' ORDER BY useridnr'
    rlm_sql: Reserving sql socket id: 4
    radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'radman2' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
    radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'radman2' ORDER BY id'
    radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'radman2' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
    radius_xlat: 'SELECT passwd,Attribute FROM user WHERE userid = 'radman2' AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC'
    rlm_sql: Released sql socket id: 4
    modcall[authorize]: module "sql" returns ok
    modcall: group authorize returns ok
    rad_check_password: Found Auth-Type PAP
    auth: type "PAP"
    modcall: entering group authtype
    rlm_pap: login attempt by "radman2" with password à\z
    rlm_pap: Using password testing for user radman2 authentication.
    rlm_pap: Using clear text password.
    rlm_pap: Passwords don't match
    modcall[authenticate]: module "pap" returns reject
    modcall: group authtype returns reject
    auth: Failed to validate the user.
    Login incorrect (rlm_pap: CLEAR TEXT password check failed): [radman2/\340\\z] (from client localhost port 0)
    WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server a
Re: checkrad don't work with freeradius-0.5 and mysql authentication
Thank you, it works!

regards
Dirk Tanneberger

----- Original Message -----
From: "Chris Parker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 24, 2002 5:02 PM
Subject: Re: checkrad don't work with freeradius-0.5 and mysql authentication

> At 04:59 PM 4/24/2002 +0200, Dirk Tanneberger wrote:
> >I have the following checkitems in radcheck-table:
> >---------------------------------------------------
> >id  UserName  Attribute         Value  op
> >1   test      password
> >13  test      Simultaneous-Use  2      ==
> >---------------------------------------------------
>
> Simultaneous-Use needs to have the := operator, just like the examples
> in the 'users' file and documentation.
>
> -Chris
> --
>    \\\|||///  \          StarNet Inc.      \         Chris Parker
>    \ ~   ~ /   \       WX *is* Wireless!    \   Director, Engineering
>    | @   @ |    \   http://www.starnetwx.net \      (847) 963-0116
> oOo---(_)---oOo--\------------------------------------------------------
>                   \ Wholesale Internet Services - http://www.megapop.net
Re: checkrad don't work with freeradius-0.5 and mysql authentication
At 04:59 PM 4/24/2002 +0200, Dirk Tanneberger wrote:
>I have the following checkitems in radcheck-table:
>---------------------------------------------------
>id  UserName  Attribute         Value  op
>1   test      password
>13  test      Simultaneous-Use  2      ==
>---------------------------------------------------

Simultaneous-Use needs to have the := operator, just like the examples in the 'users' file and documentation.

-Chris
--
   \\\|||///  \          StarNet Inc.      \         Chris Parker
   \ ~   ~ /   \       WX *is* Wireless!    \   Director, Engineering
   | @   @ |    \   http://www.starnetwx.net \      (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
                  \ Wholesale Internet Services - http://www.megapop.net
Re: checkrad don't work with freeradius-0.5 and mysql authentication
I have the following checkitems in radcheck-table:

    ---------------------------------------------------
    id  UserName  Attribute         Value  op
    1   test      password
    13  test      Simultaneous-Use  2      ==
    ---------------------------------------------------

regards
Dirk Tanneberger

----- Original Message -----
From: "Chris Parker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 24, 2002 4:42 PM
Subject: Re: checkrad don't work with freeradius-0.5 and mysql authentication

> At 04:39 PM 4/24/2002 +0200, Dirk Tanneberger wrote:
> >Hello all,
> >
> >I use freeradius-0.5 with mysql authentication and accounting.
> >Normal authentication and accounting works fine, but
> >when I use "Simutaneous-Use", it doesn't work.
> >When I run Freeradius in debug mode, I see no entry calling checkrad.
> >I set checkrad with debugging also, but there is no entry in the logfile.
> >Why doesn't checkrad work? Has anybody the same problem or can help me?
>
> Do you have the operator set correctly? What do your checkitems look
> like?
>
> -Chris
> --
>    \\\|||///  \          StarNet Inc.      \         Chris Parker
>    \ ~   ~ /   \       WX *is* Wireless!    \   Director, Engineering
>    | @   @ |    \   http://www.starnetwx.net \      (847) 963-0116
> oOo---(_)---oOo--\------------------------------------------------------
>                   \ Wholesale Internet Services - http://www.megapop.net
Re: checkrad don't work with freeradius-0.5 and mysql authentication
At 04:39 PM 4/24/2002 +0200, Dirk Tanneberger wrote:
>Hello all,
>
>I use freeradius-0.5 with mysql authentication and accounting.
>Normal authentication and accounting works fine, but
>when I use "Simutaneous-Use", it doesn't work.
>When I run Freeradius in debug mode, I see no entry calling checkrad.
>I set checkrad with debugging also, but there is no entry in the logfile.
>Why doesn't checkrad work? Has anybody the same problem or can help me?

Do you have the operator set correctly? What do your checkitems look like?

-Chris
--
   \\\|||///  \          StarNet Inc.      \         Chris Parker
   \ ~   ~ /   \       WX *is* Wireless!    \   Director, Engineering
   | @   @ |    \   http://www.starnetwx.net \      (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
                  \ Wholesale Internet Services - http://www.megapop.net
checkrad don't work with freeradius-0.5 and mysql authentication
Hello all,

I use freeradius-0.5 with mysql authentication and accounting. Normal authentication and accounting works fine, but when I use "Simutaneous-Use", it doesn't work. When I run Freeradius in debug mode, I see no entry calling checkrad. I set checkrad with debugging also, but there is no entry in the logfile. Why doesn't checkrad work? Has anybody the same problem or can help me?

Thanks
Dirk Tanneberger
Re: Debian - Freeradius MySQL Authentication
"chrisv" <[EMAIL PROTECTED]> wrote:
> At this point, I restarted freeradius, so that the changes
> to /etc/raddb/radiusd.conf would take effect. All appears to go
> well as the radiusd comes up without error.
>
> Figuring that MySQL authentication was now configured, i issued
> the following command:
>
> 'radtest testuser testpass localhost localhost testing123'
>
> and the system replies:

... with an access reject.

Have you tried running the server in debugging mode, as described in the FAQ and the README? It produces voluminous output telling you exactly what it's doing, which helps enormously in debugging these problems.

Alan DeKok.
Debian - Freeradius MySQL Authentication
Hello all..

I've been attempting to install a radiusd on a debian box for quite some time now, but have run into several roadblocks. So far, I've attempted to use both cistron and xtradius - both with minimal success. After posting to the cistron mailing list, I was informed that freeradius is really the best radiusd for me to use considering my major concern is authenticating users from a MySQL database, rather than from a flat config file.

I've installed and configured the following debian packages via apt-get:

    radiusd-freeradius (version 0.4-1)
    radiusd-freeradius-mysql (version 0.4-1)

The machine I'm installing on is a debian (unstable) system:

    Linux terrapin 2.2.19pre17 #4 Tue Mar 13 22:37:59 EST 2001 i686 unknown

Everything appears to have installed correctly, and the radiusd started up successfully.

--- Begin Screen Output ---
root 234 0.0 3.0 13588 1852 ? S 10:35 0:00 /usr/sbin/radiusd
root 236 0.0 3.0 13588 1852 ? S 10:35 0:00 /usr/sbin/radiusd
root 237 0.0 3.0 13588 1852 ? S 10:35 0:00 /usr/sbin/radiusd
root 238 0.0 3.0 13588 1852 ? S 10:35 0:00 /usr/sbin/radiusd
root 239 0.0 3.0 13588 1852 ? S 10:35 0:00 /usr/sbin/radiusd
root 240 0.0 3.0 13588 1852 ? S 10:35 0:00 /usr/sbin/radiusd
root 241 0.0 3.0 13588 1852 ? S 10:35 0:00 /usr/sbin/radiusd
--- End Screen Output ---

I then used radtest (authenticating from the /etc/passwd as is default) and everything worked fine.

At that point, I went ahead and made changes to the radiusd config file (/etc/raddb/radiusd.conf) - I added 'sql' to the 'authorize {', 'authenticate {', and 'accounting {' sections. Additionally, I #commented out 'unix' from the 'authenticate {' section.

After saving radiusd.conf, I proceeded to edit sql.conf and specify the proper username and password for mysql (I am running mysql Ver 11.15 Distrib 3.23.47, for pc-linux-gnu (i686)) in /etc/raddb/sql.conf. I saved this file, and then went to work on the MySql database.

Since I installed via apt-get, I did not have the database schema .sql file (db_mysql.sql), so I downloaded the source and obtained db_mysql.sql. I applied the schema, and then proceeded to add a test user. I did so by logging into the radius database in MySQL, and running the following commands:

    INSERT INTO usergroup VALUES('0','testuser','testgroup');
    INSERT INTO radcheck VALUES('0','testuser','Password','testpass');
    INSERT INTO radreply VALUES('0','testuser','Framed-IP-Address','255.255.255.254');
    FLUSH PRIVILEGES;

The changes were successful, here are the results:

--- Begin Screen Output ---
mysql> select * from usergroup;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  1 | testuser | testgroup |
+----+----------+-----------+
1 row in set (0.01 sec)

mysql> select * from radcheck;
+----+----------+-----------+----------+
| id | UserName | Attribute | Value    |
+----+----------+-----------+----------+
|  1 | testuser | Password  | testpass |
+----+----------+-----------+----------+
1 row in set (0.00 sec)

mysql> select * from radreply;
+----+----------+-------------------+-----------------+
| id | UserName | Attribute         | Value           |
+----+----------+-------------------+-----------------+
|  1 | testuser | Framed-IP-Address | 255.255.255.254 |
+----+----------+-------------------+-----------------+
1 row in set (0.00 sec)
--- End Screen Output ---

At this point, I restarted freeradius, so that the changes to /etc/raddb/radiusd.conf would take effect. All appears to go well as the radiusd comes up without error.

Figuring that MySQL authentication was now configured, I issued the following command:

    radtest testuser testpass localhost localhost testing123

and the system replies:

--- Begin Screen Output ---
Sending Access-Request of id 101 to 127.0.0.1:1812
    User-Name = "testuser"
    Password = "$\312\367[\205\271\273L\316h\257\264\20\347 \365"
    NAS-IP-Address = terrapin
    NAS-Port-Id = "localhost"
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=101, length=20
--- End Screen Output ---

So it appears that the radiusd is up and running, but it is obviously not properly authenticating from the MySQL database.

Additionally, when I attempt to connect to the machine from elsewhere on the internal network with ntradping, it times out from a lack of server response.

--- Begin NTRadPing Output ---
'Sending authentication request to server 192.168.1.111:1812'
'Transmitting packet, code=1 id=0 length=49'
'no response from s