postauth_query question

2007-05-24 Thread Christoffer Dahl Petersen
Hi

I'm trying to log authorization requests to a postgres db.
My postauth query:
postauth_query = INSERT INTO authlog (where, who, reply,authdate)
VALUES ('%{NAS-IP-Address}','%{User-Name}','%{reply:Packet-Type}',
NOW())


Could I use another attribute rather than NAS-IP-Address that would
translate NAS-IP-Address into the shortname given in clients.conf?

Some info:
radiusd -X
snip
rad_recv: Access-Request packet from host 192.168.250.20:6001, id=12,
length=69
User-Name = 00-15-00-15-23-3f
User-Password = 28652865
NAS-IP-Address = 192.168.250.20
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat:  '00-15-00-15-23-3f'
rlm_sql (sql): sql_set_user escaped user -- '00-15-00-15-23-3f'
snip


I have enabled log_auth = yes in radiusd.conf, and I get this in
radiusd.log:
Thu May 24 11:26:19 2007 : Auth: Login OK:
[00-15-00-15-23-3f/00-15-00-15-23-3f] (from client radiustest port 0)


I would like to log radiustest rather than 192.168.250.20 


Christoffer

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


PEAP and domain logon

2006-09-20 Thread Christoffer Dahl Petersen




Hi!

I have followed this excellent tutorial: http://homepages.lu/charlesschwartz/radius/freeRadius_AD_tutorial.pdf and it works perfectly!!
I have checked the option "automatically use my windows logon name and password..." on my XP clients, but only users who have been logged in before can log in again, because of their cached credentials. To me it is the chicken-or-the-egg dilemma; does anyone have a solution for this issue?

Thanks,

Christoffer



Trouble with Cisco Aironet 1130 and MAC authentication

2006-09-18 Thread Christoffer Dahl Petersen




Hi!

I'm trying to get a Cisco Aironet 1130 to do MAC authentication with freeradius and a pgsql as backend.
I have made my own table in the pgsql which looks like this:
radius=> select * from maskiner;
 mid |    mnavn     |     mmac     |  mpwd  |  mattr   | mop
-----+--------------+--------------+--------+----------+-----
   9 | 0016cf0157f8 | 0016cf0157f8 | radius | Password | ==

where mnavn is the name of the machine, mmac is the MAC of the machine, mpwd is a password field, mattr is the attribute field, mop is the operator.

I have tried with an Avaya AP, and it works fine.
Here is the authorize table:
authorize_check_query = SELECT mid, mmac, mattr, mpwd, mop \
 FROM maskiner WHERE LOWER(mmac) = LOWER('%{SQL-User-Name}') ORDER BY mid

Here is the authenticate table:
authenticate_query = select mpwd from maskiner where mmac = '%{User-Name}';

Here is the output from freeradius:
rad_recv: Access-Request packet from host 192.168.250.28:6001, id=3, length=112
 User-Name = 0016cf0157f8
 User-Password = radius
 NAS-IP-Address = 192.168.250.28
 Called-Station-Id = 00-20-a6-59-ce-93:GandrupII
 Calling-Station-Id = 00-16-cf-01-57-f8
 NAS-Port = 0
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_postgresql: query: SELECT mid, mmac, mattr, mpwd, mop FROM maskiner
 WHERE LOWER(mmac) = LOWER('0016cf0157f8') ORDER BY mid
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
rlm_sql (sql): Released sql socket id: 4
Login OK: [0016cf0157f8/radius] (from client Demo port 0 cli 00-16-cf-01-57-f8)
Sending Access-Accept of id 3 to 192.168.250.28:6001

Now, since the Cisco AP is sending the User-Name and User-Password in another format, we have changed the freeradius configuration.
Here is the authorize table:
authorize_check_query = SELECT mid, mmac, mattr, mmac, mop FROM maskiner \
 WHERE LOWER(mmac) = LOWER('%{SQL-User-Name}') ORDER BY mid

Here is the authenticate table:
authenticate_query = select mmac from maskiner where mmac = '%{User-Name}';

Here is the output from freeradius:
rad_recv: Access-Request packet from host 192.168.250.35:1645, id=148, length=115
 User-Name = 0016cf0157f8
 User-Password = 0016cf0157f8
 Called-Station-Id = 0017.0f84.8af0
 Calling-Station-Id = 0016.cf01.57f8
 Service-Type = Login-User
 NAS-Port-Type = Wireless-802.11
 NAS-Port = 531
 NAS-IP-Address = 192.168.250.35
 NAS-Identifier = AP-07
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_postgresql: query: SELECT mid, mmac, mattr, mmac, mop FROM maskiner
 WHERE LOWER(mmac) = LOWER('0016cf0157f8') ORDER BY mid
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
rlm_sql (sql): No matching entry in the database for request from user [0016cf0157f8]
rlm_sql (sql): Released sql socket id: 4
Login incorrect: [0016cf0157f8/0016cf0157f8] (from client Demo port 531 cli 0016.cf01.57f8)

Why won't it work with the Cisco, does it use another dictionary or 

Any help is appreciated!!

Thanks in advance,

Christoffer 
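
The two access points in the message above report the same client in different notations (Calling-Station-Id 00-16-cf-01-57-f8 from one, 0016.cf01.57f8 from the other, and a Called-Station-Id with an SSID suffix). The following is an added example, not part of the original post and not a diagnosis of the failure shown: it reduces every notation seen in the debug output to one canonical key before comparing against stored MACs. The function names are hypothetical.

```python
HEX = set("0123456789abcdef")
SEPARATORS = set("-.:")

def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if value is not a MAC."""
    text = value.strip().lower()
    digits, rest = [], ""
    for i, ch in enumerate(text):
        if len(digits) == 12:
            rest = text[i:]      # anything after the MAC, e.g. ":GandrupII"
            break
        if ch in HEX:
            digits.append(ch)
        elif ch not in SEPARATORS:
            return None          # non-hex, non-separator before 12 digits
    # Only a ":SSID" style suffix may follow the twelve digits.
    if len(digits) != 12 or (rest and not rest.startswith(":")):
        return None
    return "".join(digits)

def build_allowlist(stored_macs):
    """Canonicalise the MACs kept in the database; refuse malformed rows."""
    allow = set()
    for mac in stored_macs:
        key = normalize_mac(mac)
        if key is None:
            raise ValueError("stored value is not a MAC: %r" % mac)
        allow.add(key)
    return allow

def is_known_station(station_id, allowlist):
    """True if the reported station id maps to a stored MAC."""
    key = normalize_mac(station_id)
    return key is not None and key in allowlist

# Constructed sample: one stored MAC and the notations seen in the logs above.
STORED = ["0016cf0157f8"]
REPORTED = ["00-16-cf-01-57-f8", "0016.cf01.57f8", "0016cf0157f8",
            "00-20-a6-59-ce-93:GandrupII"]

if __name__ == "__main__":
    allow = build_allowlist(STORED)
    for station in REPORTED:
        print(station, "->", normalize_mac(station), is_known_station(station, allow))
```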






Re: Freeradius authentication against Domino

2006-03-30 Thread Christoffer Dahl Petersen




Thu, 30 03 2006 at 00:49 -0500, Alan DeKok wrote:



  If the domino server supplies a clear-text password, yes.

  Alan DeKok.




Hi Alan!
Thanks for the quick reply!!

Sorry for my ignorance, but how can I verify if the domino server supplies the passwords in clear-text?

Thanks

-CP



Freeradius authentication against Domino

2006-03-29 Thread Christoffer Dahl Petersen




Hi!

I have a Domino (6.5.4FP3) ldap which I would like to use as a backend for freeradius.
My clients (winxp) use eap-mschapv2; would it be possible for freeradius to match the password from the domino with the one supplied by the client?

If it ain't possible what would it take to achieve it?

I'm sorry if the question has been asked too many times, but I can't find an answer on the net or in this list.

Thanks 

-CP





Freeradius+Postgresql+MAC problem

2004-07-13 Thread Christoffer Dahl Petersen




Hi!

As I wrote earlier in this list, I'm trying to get Freeradius to authenticate my clients based on their NICs' MAC.
This works great as long as I use the users file:
DEFAULT Calling-Station-Id == CLIENT NIC, Auth-Type := Accept
 Filter-ID=profile="">

Now I'm trying to use a Postgresql as backend, but it won't work.
Here is my radiusd.conf (the entire conf file is at the bottom of the mail):

$INCLUDE ${confdir}/postgresql.conf

authorize {
 preprocess
 sql
}


Here is my postgresql.conf:
sql {
 driver = rlm_sql_postgresql
 server = localhost

 login = radius
 password = 123456

 radius_db = radius

 acct_table1 = radacct
 acct_table2 = radacct

 authcheck_table = radcheck
 authreply_table = radreply

 groupcheck_table = radgroupcheck
 groupreply_table = radgroupreply

 usergroup_table = usergroup

 deletestalesessions = yes

 sqltrace = yes
 sqltracefile = ${logdir}/sqltrace.sql

 num_sql_socks = 5

 sql_user_name = %{User-Name}
 SQL_User_Name = %{User-Name}

 authorize_check_query = SELECT id, UserName, Attribute, Value, Op \
FROM ${authcheck_table} WHERE username = '%{SQL-User-Name}' ORDER BY id

# authorize_reply_query = SELECT id, UserName, Attribute, Value, Op \
# FROM ${authreply_table} WHERE username = '%{SQL-User-Name}' ORDER BY id


# authenticate_query = SELECT Value,Attribute FROM ${authcheck_table} \
# WHERE UserName = '%{User-Name}' AND \
# ( Attribute = 'User-Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC

}


Here is a dump of my database:
[EMAIL PROTECTED] 172.16.0.10]# psql -U radius
radius=> select * from radcheck;
 id |     username      |   attribute   | op | value
----+-------------------+---------------+----+--------
  1 | 00-04-23-4d-c4-3d | User-Password | == | 123456
  2 | 00-20-e0-8d-05-94 | User-Password | == | 123456
(2 rows)


And here is what my log says:
Jul 12 14:39:02 linux radiusd: ^IUser-Name = 00-20-e0-8d-05-94
Jul 12 14:39:02 linux radiusd: ^IUser-Password = 123456
Jul 12 14:39:02 linux radiusd: ^INAS-IP-Address = 172.16.0.10
Jul 12 14:39:02 linux radiusd: ^INAS-Port = 0
Jul 12 14:39:02 linux radiusd: rlm_sql (sql): Reserving sql socket id: 3
Jul 12 14:39:02 linux radiusd: rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE username = '00-20-e0-8d-05-94' ORDER BY id
Jul 12 14:39:02 linux postgres[19980]: [5-1] LOG: 0: duration: 5.637 ms
Jul 12 14:39:02 linux postgres[19980]: [5-2] LOCATION: exec_simple_query, postgres.c:960
Jul 12 14:39:02 linux postgres[19980]: [6-1] LOG: 0: duration: 5.637 ms statement: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE username =
Jul 12 14:39:02 linux postgres[19980]: [6-2] '00-20-e0-8d-05-94' ORDER BY id
Jul 12 14:39:02 linux postgres[19980]: [6-3] LOCATION: exec_simple_query, postgres.c:974
Jul 12 14:39:02 linux radiusd: rlm_sql_postgresql: Status: PGRES_TUPLES_OK
Jul 12 14:39:02 linux radiusd: rlm_sql_postgresql: affected rows =
Jul 12 14:39:02 linux radiusd: rlm_sql (sql): No matching entry in the database for request from user [00-20-e0-8d-05-94]
Jul 12 14:39:02 linux radiusd: rlm_sql (sql): Released sql socket id: 3
Jul 12 14:39:02 linux radiusd: Login incorrect: [00-20-e0-8d-05-94/123456] (from client testap1 port 0)
Jul 12 14:39:05 linux radiusd: rad_recv: Access-Request packet from host 172.16.0.10:6001, id=63, length=69
Jul 12 14:39:05 linux radiusd: Sending Access-Reject of id 63 to 172.16.0.10:6001


I really don't know what I'm doing wrong - could anyone give me a hint?
If you need to see any other configuration files please let me know.

Thanks

Christoffer

My entire radiusd.conf:
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid

user = radiusd
group = radiusd

max_request_time = 30

delete_blocked_requests = no

cleanup_delay = 5

max_requests = 1024

bind_address = *

port = 0

hostname_lookups = no

allow_core_dumps = yes

regular_expressions = yes
extended_expressions = yes

log_stripped_names = no

log_auth = yes

log_auth_badpass = yes
log_auth_goodpass = yes

usercollide = no

lower_user = no
lower_pass = no

nospace_user = no
nospace_pass = no

checkrad = ${sbindir}/checkrad

security {
 max_attributes = 200
 reject_delay = 1
 status_server = no
}

proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf

$INCLUDE ${confdir}/clients.conf

thread pool {
 start_servers = 5
 max_servers = 32
 min_spare_servers = 3
 max_spare_servers = 10
 max_requests_per_server = 0
}

modules {
    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    unix {
        cache = no
        cache_reload = 600
        shadow = /etc/shadow
        radwtmp = ${logdir}/radwtmp
    }
    eap {
        default_eap_type = md5
        timer_expire = 60
        md5 {
        }
        leap {
        }
    }

    mschap {
 

Re: Freeradius+Postgresql+MAC problem

2004-07-13 Thread Christoffer Dahl Petersen




Hi again

1. It doesn't seem to be case sensitive.
2. I have tried to turn on the debug option on the pgsql, and I can see that the query is accepted and the db is returning a result set (with the information requested).

I'm not sure that I understand how the Freeradius works with a db as backend, could you (or anyone else) confirm that I'm on the right track:
As you can see in my earlier mail, I have commented out authorize_reply_query and authenticate_query, which only leaves the authorize_check_query. When this query is tried against the db, it should return a result set if the MAC is allowed to access my net.
So if result set != null Access-Accept

Is that right?

- Christoffer




Tue, 2004-07-13 at 12:46, Gary McKinney wrote:

 
Hmmm,

Looks like most everything is correct - from what you have sent here...

A couple of things:

1. Is postgresql case sensitive (I play with MySQL)??? If so, check the case (caps or lower case) of the record field names to make sure the schemas match for the database and queries.

2. Check the debug logs for the database to see exactly what is being done on the database side!

From what I see here it looks like the Freeradius is doing its job properly...

As an aside note: When you had the users file setup and the Auth-Type := Accept you were basically telling Freeradius to accept any default caller unconditionally - that is what the Accept means {grin}...


gm...





Is it possible to use the MAC as the key

2004-06-22 Thread Christoffer Dahl Petersen




Hi!

I was wondering if it is possible to tell the Freeradius to use the MAC addr. as a validating key?
I would like to store all my clients' MAC addr. in a db, and use it as a backend for Freeradius; then when a client starts, the AP sends the client's MAC addr. to Freeradius and the MAC addr. is used as a token for validating.

/ Christoffer