Re: [Patch] SQL authentication logging
Paul Hampson wrote:

I think it'd be better to have a separate patch to fix sql_finish_query() usage everywhere and not only in rlm_sql_postauth()

Sounds good. Are you going to make it call it always? I expect such a function would be safe to call at any time... From memory, the mySQL provides such a function, but it's not implemented in rlm_sql_mysql at the moment. I'll also have to look into that sometime.

mySQL provides a mysql_free_result() that you're supposed to call after a mysql_store_result(). So I'm thinking that:

* sql_select_query() calls mysql_store_result() and therefore sql_finish_select_query() calls mysql_free_result()
* sql_query() doesn't allocate supplementary resources so sql_finish_query() does nothing and it's just fine.

Moreover (now that I read the entire source code) if you really want to call sql_finish_query() after a failed sql_query() I think the best place to do it is the function rlm_sql_query() in sql.c and not in a lot of different places in rlm_sql.c

Since this issue has nothing to do with rlm_sql_postauth() I think you could safely commit the patch now.

--
Nicolas Baradakis

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
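The cleanup rule argued over in this thread, as an added C example that is not FreeRADIUS code: a constructed driver model counts state left held after a failed query and finish calls made with nothing to release, first for the two call patterns reported in rlm_sql.c and then for the proposal above that the query wrapper itself finishes a failed query. model_sock, model_driver, wrapped_query and run_pattern are hypothetical names, and the "FAIL" marker is only a constructed way to make a query fail.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of one pooled SQL connection; every name is hypothetical. */
typedef struct {
    int pending;        /* 1 while a query's driver-side state is still held */
    int leaked;         /* queries started while earlier state was still held */
    int double_finish;  /* finish calls made with nothing to release */
} model_sock;

typedef struct {
    int  (*query)(model_sock *s, const char *sql);
    void (*finish_query)(model_sock *s);
} model_driver;

/* Driver side: a query holds state until finish_query runs, even if it failed. */
static int drv_query(model_sock *s, const char *sql)
{
    if (s->pending)
        s->leaked++;                      /* previous state was never released */
    s->pending = 1;
    return strstr(sql, "FAIL") ? -1 : 0;  /* constructed failure trigger */
}

static void drv_finish_query(model_sock *s)
{
    if (!s->pending)
        s->double_finish++;               /* safe only if the driver is idempotent */
    s->pending = 0;
}

static const model_driver model_drv = { drv_query, drv_finish_query };

enum pattern { RETURN_ON_FAIL, FINISH_TWICE, CENTRALISED };

/* Proposal from the thread: the wrapper cleans up after its own failures. */
static int wrapped_query(const model_driver *d, model_sock *s, const char *sql)
{
    int rc = d->query(s, sql);
    if (rc != 0)
        d->finish_query(s);
    return rc;
}

static int run_one(enum pattern p, const model_driver *d, model_sock *s,
                   const char *sql)
{
    switch (p) {
    case RETURN_ON_FAIL:      /* observation (i): early return, no finish */
        if (d->query(s, sql) != 0)
            return -1;
        d->finish_query(s);
        return 0;
    case FINISH_TWICE:        /* observation (ii), one constructed instance */
        if (d->query(s, sql) != 0) {
            d->finish_query(s);
            d->finish_query(s);
            return -1;
        }
        d->finish_query(s);
        return 0;
    case CENTRALISED:         /* callers finish only after a successful query */
        if (wrapped_query(d, s, sql) != 0)
            return -1;
        d->finish_query(s);
        return 0;
    }
    return -1;
}

/* Runs a fixed, constructed mix of good and failing queries on one socket. */
model_sock run_pattern(enum pattern p)
{
    static const char *const queries[] = {
        "INSERT ok", "INSERT FAIL", "INSERT ok", "INSERT FAIL"
    };
    model_sock s = { 0, 0, 0 };
    size_t i;

    for (i = 0; i < sizeof(queries) / sizeof(queries[0]); i++)
        (void)run_one(p, &model_drv, &s, queries[i]);
    return s;
}

int main(void)
{
    static const char *const names[] = {
        "return-on-fail", "finish-twice", "centralised"
    };
    int p;

    for (p = RETURN_ON_FAIL; p <= CENTRALISED; p++) {
        model_sock s = run_pattern((enum pattern)p);
        printf("%-15s leaked=%d double_finish=%d still_pending=%d\n",
               names[p], s.leaked, s.double_finish, s.pending);
    }
    return 0;
}
```

Only the centralised pattern ends with no held state and no redundant finish call, which is the property a driver that really allocates per-query resources depends on.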
RE: [Patch] SQL authentication logging
From: Nicolas Baradakis
Sent: Monday, 22 September 2003 11:48 PM

Paul Hampson wrote:

I think it'd be better to have a separate patch to fix sql_finish_query() usage everywhere and not only in rlm_sql_postauth()

Sounds good. Are you going to make it call it always? I expect such a function would be safe to call at any time... From memory, the mySQL provides such a function, but it's not implemented in rlm_sql_mysql at the moment. I'll also have to look into that sometime.

mySQL provides a mysql_free_result() that you're supposed to call after a mysql_store_result(). So I'm thinking that:

* sql_select_query() calls mysql_store_result() and therefore sql_finish_select_query() calls mysql_free_result()
* sql_query() doesn't allocate supplementary resources so sql_finish_query() does nothing and it's just fine.

Moreover (now that I read the entire source code) if you really want to call sql_finish_query() after a failed sql_query() I think the best place to do it is the function rlm_sql_query() in sql.c and not in a lot of different places in rlm_sql.c

Bah. More reading to do before I can buy fully into or out of that one. (It makes a tempting kind of sense... Do we want the callers of rlm_sql_query to only have to call sql_finish_query on successful queries? I suspect so.)

Since this issue has nothing to do with rlm_sql_postauth() I think you could safely commit the patch now.

Now that I go to do that, I find even the attached version has barfed. I hope this isn't pscp doing something whacky. :-(

Oh, turns out _something's_ doing something whacky... ASCII-mode ftp upload from Win32 to Linux fixed the patch...

Committed. At last. :-)

--
Paul TBBle Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State University someone wrote `Trust Jesus', and someone else wrote `But Cut the Cards'.

- Random signature generator 3.0 by Paul TBBle Hampson
RE: [Patch] SQL authentication logging
From: Nicolas Baradakis
Sent: Friday, 19 September 2003 6:28 PM

Paul Hampson wrote:

The following patch allows for SQL logging after authentication. It extends the rlm_sql module so now you can put one more query in your sql.conf file.

I'll commit this once either you tell me that it doesn't depend on Post-Auth-Type, or I commit the Post-Auth-Type patch. (Which I'm going to look at now.)

Well, the patch will apply without a problem but it is much less interesting because you can query the db only if the authentication step is successful.

True. That's not a dependency though. To me, a patch dependency means that it won't apply cleanly (or will work surprisingly) without the other patch.

With one minor change, to call (inst->module->sql_finish_query)(sqlsocket, inst->config); even for failed queries. (As is done in _some_ of the other sql_ functions in rlm_sql.c. And PostgreSQL's docs also do it... Only postgres and Sybase (off hand, Oracle too maybe) actually implement the function anyway.

I don't understand. There is a return RLM_MODULE_FAIL just above, so sql_finish_query() is not called on failed query.

That's my point. My reading says it _should_ be. This certainly needs to be cleaned up in other places too.

--
Paul TBBle Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State University someone wrote `Trust Jesus', and someone else wrote `But Cut the Cards'.

- Random signature generator 3.0 by Paul TBBle Hampson
RE: [Patch] SQL authentication logging
Paul Hampson wrote:

With one minor change, to call (inst->module->sql_finish_query)(sqlsocket, inst->config); even for failed queries. (As is done in _some_ of the other sql_ functions in rlm_sql.c. And PostgreSQL's docs also do it... Only postgres and Sybase (off hand, Oracle too maybe) actually implement the function anyway.

I don't understand. There is a return RLM_MODULE_FAIL just above, so sql_finish_query() is not called on failed query.

That's my point. My reading says it _should_ be. This certainly needs to be cleaned up in other places too.

I'm sorry, I've completely misunderstood your previous post. The fact is it's unclear when you should call sql_finish_query(). Looking more closely at rlm_sql.c I observed that:

(i) after a failed rlm_sql_query() there is no call to sql_finish_query() except in rlm_sql_accounting()
(ii) sql_finish_query() may sometimes be called 2 times (see lines 812 and 815 for example)

I think it'd be better to have a separate patch to fix sql_finish_query() usage everywhere and not only in rlm_sql_postauth()

--
Nicolas Baradakis
RE: [Patch] SQL authentication logging
From: Nicolas Baradakis
Sent: Monday, 22 September 2003 1:30 AM

Paul Hampson wrote:

With one minor change, to call (inst->module->sql_finish_query)(sqlsocket, inst->config); even for failed queries. (As is done in _some_ of the other sql_ functions in rlm_sql.c. And PostgreSQL's docs also do it... Only postgres and Sybase (off hand, Oracle too maybe) actually implement the function anyway.

I don't understand. There is a return RLM_MODULE_FAIL just above, so sql_finish_query() is not called on failed query.

That's my point. My reading says it _should_ be. This certainly needs to be cleaned up in other places too.

I'm sorry, I've completely misunderstood your previous post. The fact is it's unclear when you should call sql_finish_query(). Looking more closely at rlm_sql.c I observed that:

(i) after a failed rlm_sql_query() there is no call to sql_finish_query() except in rlm_sql_accounting()
(ii) sql_finish_query() may sometimes be called 2 times (see lines 812 and 815 for example)

I think it'd be better to have a separate patch to fix sql_finish_query() usage everywhere and not only in rlm_sql_postauth()

Sounds good. Are you going to make it call it always? I expect such a function would be safe to call at any time... From memory, the mySQL provides such a function, but it's not implemented in rlm_sql_mysql at the moment. I'll also have to look into that sometime.

--
Paul TBBle Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State University someone wrote `Trust Jesus', and someone else wrote `But Cut the Cards'.

- Random signature generator 3.0 by Paul TBBle Hampson
Re: [Patch] SQL authentication logging
Paul Hampson wrote:

The following patch allows for SQL logging after authentication. It extends the rlm_sql module so now you can put one more query in your sql.conf file.

I'll commit this once either you tell me that it doesn't depend on Post-Auth-Type, or I commit the Post-Auth-Type patch. (Which I'm going to look at now.)

Well, the patch will apply without a problem but it is much less interesting because you can query the db only if the authentication step is successful. For the hotline service for example (ie the bad guys who made me write this patch ^_^) it is much more useful to gather information about failed attempts.

With one minor change, to call (inst->module->sql_finish_query)(sqlsocket, inst->config); even for failed queries. (As is done in _some_ of the other sql_ functions in rlm_sql.c. And PostgreSQL's docs also do it... Only postgres and Sybase (off hand, Oracle too maybe) actually implement the function anyway.

I don't understand. There is a return RLM_MODULE_FAIL just above, so sql_finish_query() is not called on failed query.

Bugger. That patch got boned as well. Can you either attach it to an email for me, or put it up on a website so I can wget it?

It's troubling because I don't copy / paste from my terminal but I do a M-x insert-file in the message. Never mind, I'll send the attached file to you.

--
Nicolas Baradakis
RE: [Patch] SQL authentication logging
From: Nicolas Baradakis
Sent: Wednesday, 17 September 2003 11:35 PM

When you have multiple freeradius servers, you want to store authentication attempts in a database rather than a flat file.

The following patch allows for SQL logging after authentication. It extends the rlm_sql module so now you can put one more query in your sql.conf file.

The following patch depends on the patch Post-Auth-Type I posted earlier.

How?

I'll commit this once either you tell me that it doesn't depend on Post-Auth-Type, or I commit the Post-Auth-Type patch. (Which I'm going to look at now.)

With one minor change, to call (inst->module->sql_finish_query)(sqlsocket, inst->config); even for failed queries. (As is done in _some_ of the other sql_ functions in rlm_sql.c. And PostgreSQL's docs also do it... Only postgres and Sybase (off hand, Oracle too maybe) actually implement the function anyway.

--
Paul TBBle Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start sufficiently far to the left.
-- Cambridge University Math Department

- Random signature generator 3.0 by Paul TBBle Hampson
RE: [Patch] SQL authentication logging
From: Paul Hampson
Sent: Friday, 19 September 2003 1:47 AM

From: Nicolas Baradakis
Sent: Wednesday, 17 September 2003 11:35 PM

The following patch allows for SQL logging after authentication. It extends the rlm_sql module so now you can put one more query in your sql.conf file.

I'll commit this once either you tell me that it doesn't depend on Post-Auth-Type, or I commit the Post-Auth-Type patch. (Which I'm going to look at now.)

With one minor change, to call (inst->module->sql_finish_query)(sqlsocket, inst->config); even for failed queries. (As is done in _some_ of the other sql_ functions in rlm_sql.c. And PostgreSQL's docs also do it... Only postgres and Sybase (off hand, Oracle too maybe) actually implement the function anyway.

Bugger. That patch got boned as well. Can you either attach it to an email for me, or put it up on a website so I can wget it?

Preferably with the above change, but if you don't, I will.

--
Paul TBBle Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start sufficiently far to the left.
-- Cambridge University Math Department

- Random signature generator 3.0 by Paul TBBle Hampson
[Patch] SQL authentication logging
When you have multiple freeradius servers, you want to store authentication attempts in a database rather than a flat file. The following patch allow for SQL logging after authentication. It extends the rlm_sql module so now you can put one more query in your sql.conf file. The following patch depends on the the patch Post-Auth-Type I posted earlier. $ cvs diff -u raddb/sql.conf src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql src/modules/rlm_sql/conf.h src/modules/rlm_sql/rlm_sql.c Index: raddb/sql.conf === RCS file: /source/radiusd/raddb/sql.conf,v retrieving revision 1.28 diff -u -r1.28 sql.conf --- raddb/sql.conf 30 Jul 2003 22:15:30 - 1.28 +++ raddb/sql.conf 17 Sep 2003 13:09:43 - @@ -32,7 +32,10 @@ # and stop table in acct_table2 acct_table1 = radacct acct_table2 = radacct - + + # Allow for storing data after authentication + postauth_table = radpostauth + authcheck_table = radcheck authreply_table = radreply @@ -179,4 +182,13 @@ ### group_membership_query = SELECT GroupName FROM ${usergroup_table} WHERE UserName='%{SQL-User-Name}' + + ### + # Authentication Logging Queries + ### + # postauth_query- Insert some info after authentication + ### + + postauth_query = INSERT into ${postauth_table} (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password}', '%{reply:Packet-Type}', NOW()) + } Index: src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql === RCS file: /source/radiusd/src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql,v retrieving revision 1.11 diff -u -r1.11 db_mysql.sql --- src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql 16 Jul 2003 17:35:41 - 1.11 +++ src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql 17 Sep 2003 13:09:43 - 
@@ -117,6 +117,19 @@ KEY UserName (UserName(32)) ) ; +# +# Table structure for table 'radpostauth' +# + +CREATE TABLE radpostauth ( + id int(11) NOT NULL auto_increment, + user varchar(64) NOT NULL default '', + pass varchar(64) NOT NULL default '', + reply varchar(32) NOT NULL default '', + date timestamp(14) NOT NULL, + PRIMARY KEY (id) +) ; + ## # # The next two tables are commented out because they are not Index: src/modules/rlm_sql/conf.h === RCS file: /source/radiusd/src/modules/rlm_sql/conf.h,v retrieving revision 1.16 diff -u -r1.16 conf.h --- src/modules/rlm_sql/conf.h 7 Sep 2002 13:23:01 - 1.16 +++ src/modules/rlm_sql/conf.h 17 Sep 2003 13:09:43 - @@ -46,6 +46,8 @@ int num_sql_socks; int connect_failure_retry_delay; int query_on_not_found; + char *sql_postauth_table; + char *postauth_query; /* individual driver config */ void*localcfg; Index: src/modules/rlm_sql/rlm_sql.c === RCS file: /source/radiusd/src/modules/rlm_sql/rlm_sql.c,v retrieving revision 1.119 diff -u -r1.119 rlm_sql.c --- src/modules/rlm_sql/rlm_sql.c 6 Aug 2003 17:05:47 - 1.119 +++ src/modules/rlm_sql/rlm_sql.c 17 Sep 2003 13:09:44 - @@ -121,6 +121,10 @@ offsetof(SQL_CONFIG,simul_count_query), NULL, }, {simul_verify_query, PW_TYPE_STRING_PTR, offsetof(SQL_CONFIG,simul_verify_query), NULL, }, + {postauth_table, PW_TYPE_STRING_PTR, +offsetof(SQL_CONFIG,sql_postauth_table), NULL, radpostauth}, + {postauth_query, PW_TYPE_STRING_PTR, +offsetof(SQL_CONFIG,postauth_query), NULL, }, {NULL, -1, 0, NULL, NULL} }; 
@@ -1072,6 +1076,47 @@ } +/* + * Execute postauth_query after authentication + */ +static int rlm_sql_postauth(void *instance, REQUEST *request) { + SQLSOCK *sqlsocket = NULL; + SQL_INST*inst = instance; + charquerystr[MAX_QUERY_LEN]; + + DEBUG(rlm_sql (%s): Processing sql_postauth, inst-config-xlat_name); + + /* If postauth_query is not defined, we stop here */ + if (inst-config-postauth_query[0] == '\0') + return RLM_MODULE_NOOP; + + /* Expand variables in the query */ + memset(querystr, 0, MAX_QUERY_LEN); + radius_xlat(querystr, sizeof(querystr), inst-config-postauth_query, + request, sql_escape_func); + query_log(request, inst, querystr); +
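Review bot: the default postauth_query added at the end of raddb/sql.conf expands '%{User-Password}' into the pass column, so every logged request leaves the password the user typed, in cleartext, in radpostauth. Ship the default without the pass column, or commented out, and leave password capture as a documented opt-in. The same statement passes '' for id; listing only (user, pass, reply, date) lets auto_increment assign it without relying on MySQL converting an empty string to an integer.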
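Review bot: the radpostauth table is added to db_mysql.sql only, while postauth_table defaults to radpostauth for every driver, so the other drivers' schema files need the same table before the default query can work there. In the definition itself, user is varchar(64) although a User-Name attribute can be up to 253 octets, and there is no key on user or date, which is what a per-user lookup of failed attempts will filter on. A column named user is also a reserved word in PostgreSQL and Oracle; a name in the style of the existing UserName column would port more easily.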
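Review bot: in rlm_sql_postauth(), query_log() is called on the fully expanded querystr, so with the default postauth_query the cleartext User-Password is written to the SQL query log as well as to the database; either log the unexpanded template or document that the query log becomes sensitive once this query is enabled. The return value of radius_xlat() is ignored, so an empty or truncated expansion is still logged; check it and return RLM_MODULE_FAIL. The early-exit test reads postauth_query[0] without a NULL check, which is only safe while the CONF_PARSER default for postauth_query stays an empty string rather than NULL.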
Re[2]: Sql authentication
Hello, Andrew.

You wrote at 13.01.2003, :

AP okay. i'm puzzled as to why you're using := and not ==, but it should
AP still be a matching check item.

Changing this had no effect! But you are right: that was my error :(

AP that said, does authentication work if you attempt to use pap or
AP cleartext passwords in the mysql database? getting it working at all is
AP probably your first step, also, perhaps you could show us what other
AP check and reply attributes you're setting in the database...

I don't understand one thing: when I add a user to /etc/passwd, for example

test:x:1000:65532::/dev/null:/dev/null

all is going in order. Radius sends Access-Accept packet with AV pairs from radreply and radgroupreply. So I think, that the problem is in authentication. Here are these sections from radiusd.conf:

authorize {
    preprocess
    chap
    mschap
#   counter
#   attr_filter
#   eap
    suffix
    files
#   etc_smbpasswd
    sql
#   ldap
}

authenticate {
    authtype PAP {
        pap
    }
    authtype CHAP {
        chap
    }
    authtype MS-CHAP {
        mschap
    }
#   pam
    unix
#   authtype LDAP {
#       ldap
#   }
#   eap
}

If I commented 'unix' module nothing was working! But I can't add sql module to authenticate section (I have the 0.8 version of radius, so I've heard that it is not needed, thought...)

AP Andrew Pilley

--
Best regards,
CEBKA mailto:[EMAIL PROTECTED]
Re[2]: Sql authentication
Hello, Andrew.

You wrote at 12.01.2003, :

AP okay
AP rlm_chap: Could not find proper Chap-Password attribute in request
AP Here, it looks like it's attempting to do chap, but that the opposite
AP end isn't SENDING chap. make sure your authenticate section looks
AP something like
AP authenticate {
AP authtype CHAP {
AP chap
AP }
AP chap
AP }

It is done by default.

AP keep in mind that i'm using pap here at my site, so i deal with
AP Crypt-Password md5 hashes. Make sure that the dialup user is DEFINITELY
AP using chap.

Yes, I've done this already too. For example such packet has been sent with radclient:

User-Name = test
Chap-Password = testing

Radiusd wrote the next:

rad_recv: Access-Request packet from host 127.0.0.1:1025, id=162, length=46
    User-Name = steve
    CHAP-Password = 0xa293ea0804b2a9fbffa25456449b43d219
rlm_chap: Adding Auth-Type = CHAP
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'steve' ORDER BY id
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'steve' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'steve' ORDER BY id
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'steve' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
Login incorrect: [steve/CHAP-Password] (from client local port 0)
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=162, length=46
Sending Access-Reject of id 162 to 127.0.0.1:1025

But there is a record in mysql database in radcheck table:

ID  UserName  Attribute      Op  Value
1   test      Chap-Password  :=  testing

But authentication doesn't go right! I even don't see the process. But if I'm working with unix passwd all works good, so I think, that problem is in working with mysql database.

--
Best regards,
CEBKA mailto:[EMAIL PROTECTED]
Re: Sql authentication
On Sun, Jan 12, 2003 at 03:52:16PM +0300, CEBKA wrote:

Hello, Andrew.

But there is a record in mysql database in radcheck table:

ID  UserName  Attribute      Op  Value
1   test      Chap-Password  :=  testing

okay. i'm puzzled as to why you're using := and not ==, but it should still be a matching check item.

that said, does authentication work if you attempt to use pap or cleartext passwords in the mysql database? getting it working at all is probably your first step, also, perhaps you could show us what other check and reply attributes you're setting in the database...

other than that, i'm not sure what you're missing, unless it's part of the actual configuration file radiusd, but since it sounds like it's at least attempting rlm_sql, i'm not sure what you could be missing. have you tried running the queries manually, and seeing what they produce? make sure it's actually retrieving a useful set of attributes...

Andrew Pilley

--
Best regards,
CEBKA mailto:[EMAIL PROTECTED]
Re: Sql authentication
On Fri, Jan 10, 2003 at 07:50:35PM +0300, CEBKA wrote:

Hello

Sorry, if this question took place, but I want to know may rlm_mysql module make authentication. If I have a user in radcheck/radreply tables with correct AV values, when I use radtest with this username and password my server sends Access-Reject packet. This works well with local files. So can I do this without local authentication, using only MySQL database?

run your freeradius server using the command radius -x, to get debug output. you may also want to examine sql.conf, and set some extra settings there, and make mysql log in fairly verbose terms. That should show you where the problem is coming from.

i had to play with the exact name of the AV pairs for the password for a day or two to realise i wanted Crypt-Password for an md5/crypt hash password. make sure you set Auth-Type, and use the correct entry in the op field.

Andrew 'ashridah' Pilley

--
Best regards,
CEBKA mailto:[EMAIL PROTECTED]
SQL authentication
Dear all,

can I use the sql module for authentication?

Thanks.

Regards,
Tjenen
RE: SQL Authentication Failure
Hi,

Sorry if I am disturbing a lot. Now the following error occurred, after modifying the radiusd.conf with authenticate module (only PAP is enabled):

rlm_sql (sql): Pairs do not match for user [vreddy]
rlm_sql (sql): Released sql socket id: 2
modcall[authorize]: module "sql" returns notfound
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type PAP
auth: type "PAP"
modcall: entering group authtype
rlm_pap: empty password supplied
modcall[authenticate]: module "pap" returns invalid
modcall: group authtype returns invalid
auth: Failed to validate the user.

What should be the record in the radcheck table, so that the

radtest vreddy Password localhost 0 testing123

client program need to work?

Thanks in Advance

regards
Vijay reddy

-----Original Message-----
From: Novel S Sidabutar [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 29, 2002 11:49 AM
To: [EMAIL PROTECTED]
Subject: Re: SQL Authentication Failure

You can try configure again your rlm_sql free radius source on /free~/src/modules/rlm_sql/ and do configure again,

$./configure
$./make
$./make install

Hi,

I Installed FreeRadius and MySQL on Linux, I inserted the record in the radcheck using query into the server

Insert into radcheck(UserName,Attribute,Value) values ("vreddy","vreddy","test");

Now we started the Radius Server as radiusd -X, and when we started the test client with options as below

radtest vreddy test localhost 0 testing123

client is sending resending the Access-Request packets, but server is not responding, the following error occurred at Server Side

rad_recv: Access-Request packet from host 127.0.0.1:33380, id=72, length=58
    User-Name = "vreddy"
    User-Password = "vreddy"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 0
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "mschap" returns notfound
rlm_realm: No '@' in User-Name = "vreddy", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
radius_xlat: 'vreddy'
rlm_sql (sql): sql_set_user escaped user -- 'vreddy'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'vreddy' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'vreddy' ORDER BY id
rlm_sql: unknown attribute
rlm_sql (sql): Error getting data from database
rlm_sql (sql): SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns fail
modcall: group authorize returns fail
Finished request 0
Going to the next request

regards
Vijay Reddy
Re: SQL Authentication Failure
Vijay Reddy [EMAIL PROTECTED] wrote:

I Installed FreeRadius and MySQL on Linux ,I inserted the record in the radcheck using query into the server

Insert into radcheck(UserName,Attribute,Value) values ("vreddy","vreddy","test");

That won't work.

rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'vreddy' ORDER BY id
rlm_sql: unknown attribute

Upgrade to 0.8. It has a bit better error messages, and will tell you what you're doing wrong.

Alan DeKok.
RE: SQL Authentication Failure
Try

INSERT INTO radcheck (id, UserName, Attribute, op, Value) VALUES ('', 'vreddy', 'Password', '==', 'test');

That did the work for me at least. And I'm a newcomer in the gang ... :)
SQL Authentication Failure
Hi,

I Installed FreeRadius and MySQL on Linux, I inserted the record in the radcheck using query into the server

Insert into radcheck(UserName,Attribute,Value) values ("vreddy","vreddy","test");

Now we started the Radius Server as radiusd -X, and when we started the test client with options as below

radtest vreddy test localhost 0 testing123

client is sending resending the Access-Request packets, but server is not responding, the following error occurred at Server Side

rad_recv: Access-Request packet from host 127.0.0.1:33380, id=72, length=58
    User-Name = "vreddy"
    User-Password = "vreddy"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 0
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "mschap" returns notfound
rlm_realm: No '@' in User-Name = "vreddy", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
radius_xlat: 'vreddy'
rlm_sql (sql): sql_set_user escaped user -- 'vreddy'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'vreddy' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'vreddy' ORDER BY id
rlm_sql: unknown attribute
rlm_sql (sql): Error getting data from database
rlm_sql (sql): SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns fail
modcall: group authorize returns fail
Finished request 0
Going to the next request

regards
Vijay Reddy
Problems Enabling SQL Authentication
Hi,

I'm having some problems getting RADIUS authentication with MySQL working. I'm using:

FreeRADIUS Version 0.7.1
mysql-server-3.23.41
dialup_admin (latest) - slightly modified
RedHat Linux 7.3

I've read through the documentation and the mailing list archives, but I haven't seen an answer to this problem. I also checked the ./configure script for FreeRADIUS to verify that I didn't miss an important option, but I saw nothing appropriate.

When my radiusd.conf includes:

authenticate {
    unix
    sql
}

Radius won't start up, giving me:

radiusd.conf: SQL modules aren't allowed in 'authenticate' sections -- they have no such method.

Don't I need SQL to be in my authenticate section? How do I get it there?

When I remove sql from the authenticate section, radiusd will start, but my test user won't authenticate:

[root@rherrellnix root]# radtest testuser2 testuser2 127.0.0.1 1 IForgot
Sending Access-Request of id 123 to 127.0.0.1:1645
    User-Name = testuser2
    User-Password = \357\242k\354k%\027qV\207a\374\337\312Am
    NAS-IP-Address = rherrellnix
    NAS-Port-Id = 1
rad_recv: Access-Reject packet from host 127.0.0.1:1645, id=123, length=20

The related output of radiusd -X is:

Listening on IP address *, ports 1645/udp and 1646/udp, with proxy on 1647/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=123, length=58 User-Name = testuser2 User-Password = \357\242k\354k%\027qV\207a\374\337\312Am NAS-IP-Address = 255.255.255.255 NAS-Port-Id = 1 modcall: entering group authorize modcall[authorize]: module preprocess returns ok rlm_realm: Looking up realm NULL for User-Name = testuser2 rlm_realm: No such realm NULL modcall[authorize]: module suffix returns noop radius_xlat: 'testuser2' sql_set_user: escaped user -- 'testuser2' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'testuser2' ORDER BY id' rlm_sql: Reserving sql socket id: 4 query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'testuser2' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser2' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser2' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'testuser2' ORDER BY id' query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'testuser2' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser2' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser2' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id 
radius_xlat: 'SELECT Value,Attribute FROM radcheck WHERE UserName = 'testuser2' AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC' query: SELECT Value,Attribute FROM radcheck WHERE UserName = 'testuser2' AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC rlm_sql: Released sql socket id: 4 modcall[authorize]: module sql returns ok users: Matched DEFAULT at 152 modcall[authorize]: module files returns ok modcall: group authorize returns ok rad_check_password: Found Auth-Type System auth: type System modcall: entering group authenticate modcall[authenticate]: module unix returns notfound modcall: group authenticate returns notfound auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 123 to 127.0.0.1:1025 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 123 with timestamp 3dcad955 Nothing to do. Sleeping until we see a request. The results probably aren't too surprising, because sql isn't in my authenticate section. However, I have verified that my test user in my database: mysql select * from userinfo; ++---+--+--++---+---++ | id | UserName | Name | Mail | Department | WorkPhone | HomePhone | Mobile
FreeRADIUS how to support Oracle SQL authentication
I want FreeRADIUS to support Oracle SQL authentication. My FreeRADIUS is running on RedHat 7.2 and Oracle SQL server is running on Solaris7 for SPARC. How can I realize it? Thanks.
SQL authentication with Auth-Type
Hi all...

has anyone yet managed to set an Auth-Type as a check item in a MySQL database? For me no Auth-Type is working.

I read in some older posting that the 'users' file supports an Auth-Type of 'sql'. But whenever I set an Auth-Type in the 'radcheck' table used for authentication (e.g. 'Local' or 'System') I receive an Access-Reject for no reason. I can even set Auth-Type to Local and it won't work. Just removing the Auth-Type record it works (with the Password entry alone).

Is the 'users' file my destiny? Is the SQL authentication just not powerful enough to even support UNIX authentication? I'm sure there is a very simple solution. ;)

Christoph
Re: SQL authentication with Auth-Type
At 18:48 2001-10-17 +0200, you wrote:

Hi all...

has anyone yet managed to set an Auth-Type as a check item in a MySQL database? For me no Auth-Type is working.

I read in some older posting that the 'users' file supports an Auth-Type of 'sql'. But whenever I set an Auth-Type in the 'radcheck' table used for authentication (e.g. 'Local' or 'System') I receive an Access-Reject for no reason. I can even set Auth-Type to Local and it won't work. Just removing the Auth-Type record it works (with the Password entry alone).

Is the 'users' file my destiny? Is the SQL authentication just not powerful enough to even support UNIX authentication? I'm sure there is a very simple solution. ;)

i had to hack src/modules/rlm_sql/rlm_sql.c

in the end i changed to

module_t rlm_sql = { System,

and now it works with 'DEFAULT Auth-Type := System' in the users file.
Re: SQL authentication with Auth-Type
Fredrik Reite [EMAIL PROTECTED] wrote:

i had to hack src/modules/rlm_sql/rlm_sql.c

in the end i changed to

module_t rlm_sql = { System,

and now it works with 'DEFAULT Auth-Type := System' in the users file.

Uh, NO, that is NOT a solution. All you're doing is making 'System' authentication into SQL authentication. That's REALLY not what you want.

If you want to do SQL authentication, you should use 'Auth-Type := SQL' in the 'users' file. If you want to authenticate against /etc/passwd, THEN you use 'Auth-Type := System'.

Alan DeKok.
Re: SQL authentication with Auth-Type
Joe Modjeski [EMAIL PROTECTED] wrote:

From reading on the list I believe this to be a problem that will be solved when the SQL tables begin to support operators. Currently the tables only use the '==' operator and in that case you can only match attributes that are sent.

Yes, exactly.

Anyone want to offer corrections on my interpretation of the Authorize/Authentication process?

It looks good to me.

Alan DeKok.