Re: freeradius not reading Auth-Type from MySQL
I am still a little puzzled why, on mine, it will reject a user because no Auth-Type is designated, while others have the Auth-Type in radgroupreply and no Auth-Type in their users file, and everything is fine. Has something changed in the src between builds? I am currently running freeradius-0.8.1.

Alan DeKok wrote:
> Robert Canary <[EMAIL PROTECTED]> wrote:
> > Then there is a gross error in half of the documentation. Even the
> > O'Reilly Radius book is showing it in the radgroupreply, as well as the
> > infamous www.frontios.com/freeradius.html. But then again half of the
> > docs are spelling Jacobs*o*n, instead of Jacobs*e*n..
>
> From RFC 2865:
>
> [10] Jacobson, V., "Compressing TCP/IP headers for low-speed serial
> links", RFC 1144, February 1990.
>
> > What you're saying makes perfect sense, of course. You suggest it be put
> > in the radcheck, or the radgroupcheck?
>
> Either one, depending on your local config.
>
> Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius not reading Auth-Type from MySQL
Robert Canary <[EMAIL PROTECTED]> wrote:
> Then there is a gross error in half of the documentation. Even the
> O'Reilly Radius book is showing it in the radgroupreply, as well as the
> infamous www.frontios.com/freeradius.html. But then again half of the
> docs are spelling Jacobs*o*n, instead of Jacobs*e*n..

From RFC 2865:

[10] Jacobson, V., "Compressing TCP/IP headers for low-speed serial
links", RFC 1144, February 1990.

> What you're saying makes perfect sense, of course. You suggest it be put
> in the radcheck, or the radgroupcheck?

Either one, depending on your local config.

Alan DeKok.
Re: freeradius not reading Auth-Type from MySQL
"Scott Bartlett" <[EMAIL PROTECTED]> wrote: > My users file has nothing in it's DEFAULT section setting auth-type > (only some PPP parameters (?)). I have an 'auth-type=local' entry in > radgroupreply for each group we have. I removed the auth-type entry for > a test group from the database ... and a user in that group can still > log in just fine. Basically, there is now no auth-type set anywhere > explicitly for that user, their group, or DEFAULT, but it still seems to > work. Yes. See 'src/main/auth.c'. If you supply a User-Password from a back-end ('users' file, SQL, etc), and the request has a User-Password or CHAP-Password, then 'Auth-Type := Local' is assumed. I think it would be prudent to add a warning message about this misconfiguration, since it may change in the future. > Based on the feedback to this thread, I should probably adjust that web > page to indicate that the auth-type should go in rad(group)check and not > rad(group)reply, yes? (and I'm off to re-re-read the docs again... > Heh...) Yes. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius not reading Auth-Type from MySQL
On Thu, Feb 06, 2003 at 10:53:13AM -, Scott Bartlett wrote:
[...]
> Someone pls correct me if I'm wrong, but otherwise then if I'm guessing
> right then it seems that people *only* using MySQL can basically not
> worry about having auth-types set (at least until FR enforces checking
> one!).

If you want something other than 'local' authentication you need to set
the auth-type.

From src/main/files.c:

    /*
     *      Fixup a check line.
     *      If User-Password or Crypt-Password is set, but there is no
     *      Auth-Type, add one (kludge!).
     */
    static void auth_type_fixup(VALUE_PAIR **check)
    {
    [...]
            if (vp->attribute == PW_PASSWORD) {
                    c = vp;
                    n = PW_AUTHTYPE_LOCAL;
            }
            if (vp->attribute == PW_CRYPT_PASSWORD) {
                    c = vp;
                    n = PW_AUTHTYPE_CRYPT;
            }
    [...]

As the 'kludge' comment shows, not setting an auth-type is rather ugly.

> I'm sure if you're doing more complex stuff you'll need to set it
> appropriately... but I'm not, so I can't be sure...
>
> Based on the feedback to this thread, I should probably adjust that web
> page to indicate that the auth-type should go in rad(group)check and not
> rad(group)reply, yes? (and I'm off to re-re-read the docs again...
> Heh...)

Yes, probably.

Wouldn't it in fact in the long run be better to remove the 'local'
auth-type completely and force usage of PAP or CHAP instead? The PAP and
CHAP modules do everything and more that 'local' does, while keeping the
code in modules and not in the server core. I could be missing something
important done by 'local' though, I haven't really looked that hard.

--
Simon
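The authorize behaviour described in this message and in Alan DeKok's reply above, as an added example that is not code from the thread or from FreeRADIUS itself: a Python model of rlm_sql building check and reply items from radcheck, usergroup, radgroupcheck and radgroupreply, then applying the auth_type_fixup() kludge. The table layout, the 'Crypt-Local' value name for PW_AUTHTYPE_CRYPT, and all rows are assumptions or constructed sample data.

```python
"""Model of FreeRADIUS 0.8.x Auth-Type handling with an SQL back-end.

Added example, not code from the thread or from FreeRADIUS itself.  It
mimics how rlm_sql builds check and reply items from the stock radcheck /
usergroup / radgroupcheck / radgroupreply tables (that layout is an
assumption) and then applies the auth_type_fixup() kludge quoted from
src/main/files.c.  All rows below are constructed sample data.
"""
import copy

# Constructed sample tables; each row is (name, attribute, op, value).
TABLES = {
    "radcheck": [("alice", "User-Password", "==", "s3cret"),
                 ("bob", "Crypt-Password", "==", "$1$constructed$hash")],
    "usergroup": [("alice", "dialup"), ("bob", "dialup"), ("carol", "dialup")],
    "radgroupcheck": [("dialup", "Simultaneous-Use", ":=", "1")],
    # Auth-Type in the *reply* table: the misplacement discussed in the thread.
    "radgroupreply": [("dialup", "Auth-Type", ":=", "Local"),
                      ("dialup", "Service-Type", ":=", "Framed-User")],
}


def sql_authorize(user, tables):
    """Gather check items (radcheck, then radgroupcheck per group) and reply
    items (radgroupreply), as rlm_sql does in the authorize section."""
    groups = [g for u, g in tables["usergroup"] if u == user]
    check = {a: v for u, a, _op, v in tables["radcheck"] if u == user}
    reply = {}
    for g in groups:
        check.update({a: v for gn, a, _op, v in tables["radgroupcheck"] if gn == g})
        reply.update({a: v for gn, a, _op, v in tables["radgroupreply"] if gn == g})
    return check, reply


def auth_type_fixup(check):
    """The files.c kludge: only *check* items are inspected.  Returns the
    resulting Auth-Type (None if there is none) and whether it was guessed.
    'Crypt-Local' is the dictionary name assumed for PW_AUTHTYPE_CRYPT."""
    if "Auth-Type" in check:
        return check["Auth-Type"], False
    if "User-Password" in check:
        check["Auth-Type"] = "Local"
    elif "Crypt-Password" in check:
        check["Auth-Type"] = "Crypt-Local"
    return check.get("Auth-Type"), "Auth-Type" in check


def resolve(user, tables=TABLES):
    """Outcome of authorize for one user: explicit Auth-Type, guessed one,
    or the 'no authentication type found' reject seen in the thread."""
    check, reply = sql_authorize(user, tables)
    auth_type, guessed = auth_type_fixup(check)
    if auth_type is None:
        return {"result": "reject", "reason": "no authentication type found"}
    return {"result": "authorized", "auth_type": auth_type,
            "guessed": guessed, "reply": reply}


def move_auth_type_to_check(tables):
    """The fix recommended in the thread: Auth-Type belongs in a check table,
    so move any radgroupreply rows carrying it into radgroupcheck."""
    fixed = copy.deepcopy(tables)
    moved = [r for r in fixed["radgroupreply"] if r[1] == "Auth-Type"]
    fixed["radgroupreply"] = [r for r in fixed["radgroupreply"] if r[1] != "Auth-Type"]
    fixed["radgroupcheck"].extend(moved)
    return fixed


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, resolve(name))
    print("alice after the fix", resolve("alice", move_auth_type_to_check(TABLES)))
```

With the rows as posted, alice and bob only authenticate because the kludge guesses an Auth-Type from their password check item, carol (no password row) hits the "no authentication type found" reject, and the Auth-Type row in radgroupreply is never consulted for any of them.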
RE: freeradius not reading Auth-Type from MySQL
> > Then there is a gross error in half of the documentation. Even the
> > O'Reilly Radius book is showing it in the radgroupreply, as
> > well as the infamous www.frontios.com/freeradius.html

(I'm 'infamous'... Wow...!)

www.frontios.com/freeradius.html was written a long time ago, based purely on my own experiences and needs (i.e. learning, playing) getting FreeRadius and MySQL working. It may well have been wrong at the time (I was learning, still am), and as FreeRadius has progressed I'm sure that any errors it has have been magnified... I really must re-write it (or at least correct it when mistakes are known), but then there *is* a book now too... ;-)

Admittedly, my own need is very limited (simple user and group auth with MySQL holding all info, nothing else, no other fallback methods, no LDAP or system auth etc) and the whole auth-type thing hurts when I think about it... Heh...

Curious, I just did a quick test (FR 0.8.1):

My users file has nothing in its DEFAULT section setting auth-type (only some PPP parameters (?)). I have an 'auth-type=local' entry in radgroupreply for each group we have. I removed the auth-type entry for a test group from the database ... and a user in that group can still log in just fine. Basically, there is now no auth-type set anywhere explicitly for that user, their group, or DEFAULT, but it still seems to work.

I'm assuming that this is because, as it can't find one, FreeRadius is defaulting to using an auth-type of 'local' (?) and thus using the password returned by the only available authorisation module ('sql') for the user found (i.e. the password held in radcheck) (?)

Someone pls correct me if I'm wrong, but otherwise then if I'm guessing right then it seems that people *only* using MySQL can basically not worry about having auth-types set (at least until FR enforces checking one!). I'm sure if you're doing more complex stuff you'll need to set it appropriately... but I'm not, so I can't be sure...

Based on the feedback to this thread, I should probably adjust that web page to indicate that the auth-type should go in rad(group)check and not rad(group)reply, yes? (and I'm off to re-re-read the docs again... Heh...)

SB (scott at frontios dot com)
Re: freeradius not reading Auth-Type from MySQL
On Wed, Feb 05, 2003 at 05:59:41PM -0600, Robert Canary wrote:
> Then there is a gross error in half of the documentation. Even the
> O'Reilly Radius book is showing it in the radgroupreply, as well as the
> infamous www.frontios.com/freeradius.html. But then again half of the
> docs are spelling Jacobs*o*n, instead of Jacobs*e*n..
>
> What you're saying makes perfect sense, of course. You suggest it be put
> in the radcheck, or the radgroupcheck?

Either should work equally well; depending on how you order things,
putting it in radgroupcheck might help cut down on duplicate entries.

--
Simon
Re: freeradius not reading Auth-Type from MySQL
05-Feb-03 at 17:59, Robert Canary ([EMAIL PROTECTED]) wrote:
> Then there is a gross error in half of the documentation. Even the
> O'Reilly Radius book is showing it in the radgroupreply, as well as the
> infamous www.frontios.com/freeradius.html. But then again half of the
> docs are spelling Jacobs*o*n, instead of Jacobs*e*n..
>
> What you're saying makes perfect sense, of course. You suggest it be put
> in the radcheck, or the radgroupcheck?

Funny... it's in radgroupreply in my SQL table (and only there) and it
works here. So it must be luck that it works because

# The default Auth-Type is Local. That is, whatever is not included
# inside an authtype section will be called only if Auth-Type is set to
# Local

(from radiusd.conf)

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
Re: freeradius not reading Auth-Type from MySQL
Then there is a gross error in half of the documentation. Even the
O'Reilly Radius book is showing it in the radgroupreply, as well as the
infamous www.frontios.com/freeradius.html. But then again half of the
docs are spelling Jacobs*o*n, instead of Jacobs*e*n..

What you're saying makes perfect sense, of course. You suggest it be put
in the radcheck, or the radgroupcheck?

Alan DeKok wrote:
> Robert Canary <[EMAIL PROTECTED]> wrote:
> > Where do you have the Auth-Type := Local listed at; in the radgroupreply?
>
> You don't. It's not an attribute which goes into the reply to the
> NAS.
>
> There was a message yesterday on the list about this same issue.
>
> Put the Auth-Type into the check table. Read the 'users' file 'man'
> page. Look at the 'users' file examples. The SQL configuration
> attempts to mirror the same layout as the 'users' file.
>
> Alan DeKok.
Re: freeradius not reading Auth-Type from MySQL
Freeradius-0.8.1 on FreeBSD-4.7 with mysql 4.0.7 gamma-nt on NT. Have
not gone live with the NASes yet, but they are Redback, Nomadix, and a
box that is not released or in production yet. So far I have just been
testing with radtest and radclient.

On Wed, Feb 05, 2003 at 08:07:11AM -0600, [EMAIL PROTECTED] wrote:
> What version are you using, Mike?
>
> Michael Brininstool wrote:
> >
> > On Wed, Feb 05, 2003 at 01:51:43AM -0600, [EMAIL PROTECTED] wrote:
> > >
> > > Where do you have the Auth-Type := Local listed at; in the radgroupreply?
> > > It seems I can only make it work by designating it as local in the
> > > DEFAULT Auth-Type := Local.
> >
> > I don't. Here are the radiusd.conf & users files with comments and blank
> > lines stripped out:

[SNIP]

--
Michael P. Brininstool [EMAIL PROTECTED]
"We have a criminal jury system which is superior to any in the world,
and its efficiency is only marred by the difficulty of finding twelve men
every day who don't know anything and can't read." -- Mark Twain
Re: freeradius not reading Auth-Type from MySQL
Robert Canary <[EMAIL PROTECTED]> wrote:
> I finally commented out every instance of Auth-Type from the user.conf

There is no 'user.conf' file distributed with the server.

Alan DeKok.
Re: freeradius not reading Auth-Type from MySQL
Robert Canary <[EMAIL PROTECTED]> wrote:
> Where do you have the Auth-Type := Local listed at; in the radgroupreply?

You don't. It's not an attribute which goes into the reply to the
NAS.

There was a message yesterday on the list about this same issue.

Put the Auth-Type into the check table. Read the 'users' file 'man'
page. Look at the 'users' file examples. The SQL configuration
attempts to mirror the same layout as the 'users' file.

Alan DeKok.
Re: freeradius not reading Auth-Type from MySQL
What version are you using, Mike?

Michael Brininstool wrote:
>
> On Wed, Feb 05, 2003 at 01:51:43AM -0600, [EMAIL PROTECTED] wrote:
> >
> > Where do you have the Auth-Type := Local listed at; in the radgroupreply?
> > It seems I can only make it work by designating it as local in the
> > DEFAULT Auth-Type := Local.
>
> I don't. Here are the radiusd.conf & users files with comments and blank
> lines stripped out:
>
> ### radiusd.conf #
> prefix = /usr/local
> exec_prefix = ${prefix}
> sysconfdir = /etc
> localstatedir = /var
> sbindir = ${exec_prefix}/sbin
> logdir = ${localstatedir}/log/radius
> raddbdir = ${sysconfdir}/raddb
> radacctdir = ${logdir}/radacct
> confdir = ${raddbdir}
> run_dir = ${localstatedir}/run/radiusd
> log_file = ${logdir}/radius.log
> libdir = ${exec_prefix}/lib
> pidfile = ${run_dir}/radiusd.pid
> user = radius
> group = radius
> max_request_time = 8
> delete_blocked_requests = no
> cleanup_delay = 5
> max_requests = 1024
> bind_address = *
> port = 0
> hostname_lookups = no
> allow_core_dumps = no
> regular_expressions = yes
> extended_expressions = yes
> log_stripped_names = no
> log_auth = yes
> log_auth_badpass = no
> log_auth_goodpass = no
> usercollide = no
> lower_user = no
> lower_pass = no
> nospace_user = no
> nospace_pass = no
> checkrad = ${sbindir}/checkrad
> security {
>         max_attributes = 200
>         reject_delay = 1
>         status_server = no
> }
> proxy_requests = no
> $INCLUDE ${confdir}/clients.conf
> $INCLUDE ${confdir}/snmp.conf
> thread pool {
>         start_servers = 5
>         max_servers = 32
>         min_spare_servers = 3
>         max_spare_servers = 10
>         max_requests_per_server = 0
> }
> modules {
>         pap {
>                 encryption_scheme = clear
>                 authtype = PAP
>         }
>         realm suffix {
>                 format = suffix
>                 delimiter = "@"
>         }
>         realm realmslash {
>                 format = prefix
>                 delimiter = "/"
>         }
>         realm realmpercent {
>                 format = suffix
>                 delimiter = "%"
>         }
>         preprocess {
>                 huntgroups = ${confdir}/huntgroups
>                 hints = ${confdir}/hints
>                 with_ascend_hack = no
>                 ascend_channels_per_line = 23
>                 with_ntdomain_hack = no
>                 with_specialix_jetstream_hack = no
>                 with_cisco_vsa_hack = no
>         }
>         files {
>                 usersfile = ${confdir}/users
>                 acctusersfile = ${confdir}/acct_users
>                 compat = no
>         }
>         detail {
>                 detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
>                 detailperm = 0600
>         }
>         acct_unique {
>                 key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
>         }
>         $INCLUDE ${confdir}/sql.conf
>         radutmp {
>                 filename = ${logdir}/radutmp
>                 perm = 0600
>                 callerid = "yes"
>         }
>         radutmp sradutmp {
>                 filename = ${logdir}/sradutmp
>                 perm = 0644
>                 callerid = "no"
>         }
>         attr_filter {
>                 attrsfile = ${confdir}/attrs
>         }
>         counter {
>                 filename = ${raddbdir}/db.counter
>                 key = User-Name
>                 count-attribute = Acct-Session-Time
>                 reset = daily
>                 counter-name = Daily-Session-Time
>                 check-name = Max-Daily-Session
>                 allowed-servicetype = Framed-User
>                 cache-size = 5000
>         }
>         always fail {
>                 rcode = fail
>         }
>         always reject {
>                 rcode = reject
>         }
>         always ok {
>                 rcode = ok
>                 simulcount = 0
>                 mpp = no
>         }
>         expr {
>         }
> }
> instantiate {
>         expr
> }
> authorize {
>         preprocess
>         suffix
>         sql
>         files
> }
> authenticate {
>         authtype PAP {
>                 pap
>         }
> }
> preacct {
>         preprocess
>         suffix
>         files
> }
> accounting {
>         acct_unique
>         detail
>         sql
>         radutmp
> }
> session {
>         radutmp
>         sql
> }
> post-auth {
> }
> ### radiusd.conf #
>
> ### users #
> DEFAULT Password = ""
>         Service-Type = Outbound-User,
>         Context-Name = "eth_customers",
>         Rate_Limit_Rate = "3000",
>         Rate_Limit_Burst = "5",
>         Police_Rate = "128",
>         Police_Burst = "15000"
> ### users #
>
> --
> Michael P. Brini
Re: freeradius not reading Auth-Type from MySQL
On Wed, Feb 05, 2003 at 01:51:43AM -0600, [EMAIL PROTECTED] wrote:
>
> Where do you have the Auth-Type := Local listed at; in the radgroupreply?
> It seems I can only make it work by designating it as local in the
> DEFAULT Auth-Type := Local.

I don't. Here are the radiusd.conf & users files with comments and blank
lines stripped out:

### radiusd.conf #
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
user = radius
group = radius
max_request_time = 8
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
}
proxy_requests = no
$INCLUDE ${confdir}/clients.conf
$INCLUDE ${confdir}/snmp.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        pap {
                encryption_scheme = clear
                authtype = PAP
        }
        realm suffix {
                format = suffix
                delimiter = "@"
        }
        realm realmslash {
                format = prefix
                delimiter = "/"
        }
        realm realmpercent {
                format = suffix
                delimiter = "%"
        }
        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                compat = no
        }
        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
        }
        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
        }
        $INCLUDE ${confdir}/sql.conf
        radutmp {
                filename = ${logdir}/radutmp
                perm = 0600
                callerid = "yes"
        }
        radutmp sradutmp {
                filename = ${logdir}/sradutmp
                perm = 0644
                callerid = "no"
        }
        attr_filter {
                attrsfile = ${confdir}/attrs
        }
        counter {
                filename = ${raddbdir}/db.counter
                key = User-Name
                count-attribute = Acct-Session-Time
                reset = daily
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                allowed-servicetype = Framed-User
                cache-size = 5000
        }
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }
        expr {
        }
}
instantiate {
        expr
}
authorize {
        preprocess
        suffix
        sql
        files
}
authenticate {
        authtype PAP {
                pap
        }
}
preacct {
        preprocess
        suffix
        files
}
accounting {
        acct_unique
        detail
        sql
        radutmp
}
session {
        radutmp
        sql
}
post-auth {
}
### radiusd.conf #

### users #
DEFAULT Password = ""
        Service-Type = Outbound-User,
        Context-Name = "eth_customers",
        Rate_Limit_Rate = "3000",
        Rate_Limit_Burst = "5",
        Police_Rate = "128",
        Police_Burst = "15000"
### users #

--
Michael P. Brininstool [EMAIL PROTECTED]
Re: freeradius not reading Auth-Type from MySQL
Where do you have the Auth-Type := Local listed at; in the radgroupreply?
It seems I can only make it work by designating it as local in the
DEFAULT Auth-Type := Local.

Michael Brininstool wrote:
>
> On Wed, Feb 05, 2003 at 12:38:56AM -0600, [EMAIL PROTECTED] wrote:
> >
> > I finally figured out what was going on.
> >
> > Before I call this a bug, I'll recap and let the list hash it out.
> >
> > freeradius-2002-10-21 kept setting the Auth-Type to system causing the
> > radius to use the system authentication and not the password pair on the
> > mysql db.
> >
> > I finally commented out every instance of Auth-Type from the user.conf
> > in an effort to force it to stop falling through. I even added the
> > Attribute "Fall-Through" to the radgroupreply and set it to "0".
> > However, it ignored the Fall-Through (as I figured it would, because it
> > is rather a moot attribute to have there), now the radius was rejecting
> > authentication because "no authentication type found". Although it was
> > listed in the radgroupreply, as all the examples show.
> >
> > When I went back and uncommented-out the "DEFAULT Auth-Type := System"
> > and changed it from "System" to "Local" then it started
> > working authentication via the MySql DB.
> >
> > Do we have a bug, or am I still not configuring this correctly?
>
> I commented files out of radiusd.conf after someone pointed out that the
> DEFAULT entry in the users files was doing that.
> All is working fine for me now.
>
> --
> Michael P. Brininstool [EMAIL PROTECTED]
> "If everyone is thinking alike, then somebody isn't thinking"
> -- George S. Patton
Re: freeradius not reading Auth-Type from MySQL
On Wed, Feb 05, 2003 at 12:38:56AM -0600, [EMAIL PROTECTED] wrote:
>
> I finally figured out what was going on.
>
> Before I call this a bug, I'll recap and let the list hash it out.
>
> freeradius-2002-10-21 kept setting the Auth-Type to system causing the
> radius to use the system authentication and not the password pair on the
> mysql db.
>
> I finally commented out every instance of Auth-Type from the user.conf
> in an effort to force it to stop falling through. I even added the
> Attribute "Fall-Through" to the radgroupreply and set it to "0".
> However, it ignored the Fall-Through (as I figured it would, because it
> is rather a moot attribute to have there), now the radius was rejecting
> authentication because "no authentication type found". Although it was
> listed in the radgroupreply, as all the examples show.
>
> When I went back and uncommented-out the "DEFAULT Auth-Type := System"
> and changed it from "System" to "Local" then it started
> working authentication via the MySql DB.
>
> Do we have a bug, or am I still not configuring this correctly?

I commented files out of radiusd.conf after someone pointed out that the
DEFAULT entry in the users files was doing that.
All is working fine for me now.

--
Michael P. Brininstool [EMAIL PROTECTED]
"If everyone is thinking alike, then somebody isn't thinking"
-- George S. Patton
freeradius not reading Auth-Type from MySQL
I finally figured out what was going on.

Before I call this a bug, I'll recap and let the list hash it out.

freeradius-2002-10-21 kept setting the Auth-Type to system causing the
radius to use the system authentication and not the password pair on the
mysql db.

I finally commented out every instance of Auth-Type from the user.conf
in an effort to force it to stop falling through. I even added the
Attribute "Fall-Through" to the radgroupreply and set it to "0".
However, it ignored the Fall-Through (as I figured it would, because it
is rather a moot attribute to have there), now the radius was rejecting
authentication because "no authentication type found". Although it was
listed in the radgroupreply, as all the examples show.

When I went back and uncommented-out the "DEFAULT Auth-Type := System"
and changed it from "System" to "Local" then it started
working authentication via the MySql DB.

Do we have a bug, or am I still not configuring this correctly?

--
robert