RE: MAC auth won't work with SQL

2009-04-01 Thread tnt
>Great, works now. Thanks!
>
>Is there a way to load the Database Value field with multiple MAC addresses,
>and freeradius check against them so I can specify multiple devices the
>user can use?
>

http://wiki.freeradius.org/SQL_Huntgroup_HOWTO

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: MAC auth won't work with SQL

2009-03-31 Thread Eric Geier
Great, works now. Thanks!

Is there a way to load the Database Value field with multiple MAC addresses,
and freeradius check against them so I can specify multiple devices the
user can use?

- Eric





Re: MAC auth won't work with SQL

2009-03-31 Thread tnt
>Hi, I've set up two different Linux machines with FR and still can't get MAC
>authentication working with Calling-Station-Id in the radchk table. I've
>checked the FAQ and have googled for hours. I've tried a hosted and local MySQL
>server.
>

If you only bothered looking at debug and configuration files for the
authentication method you are using. Outer request:

>rad_recv: Access-Request packet from host 192.168.0.1 port 41576, id=191,
>length=230
..
>Calling-Station-Id = "00-1C-B3-B1-3E-07"
..

has that attribute in it, and inner request (user is authenticated in
inner tunnel):

>Sending tunneled request
>
>EAP-Message =
>0x026c00491a026c00443177f318d460fc36f9cc77a41c0a4b365610538d
>55c2badfcc4a85b41f875a5521f978d255be29a7d20065676569657240736b796e657473
>
>FreeRADIUS-Proxied-To = 127.0.0.1
>
>User-Name = "ege...@skynets"
>
>State = 0x8433f2b7845fe8463016d60fe5b8c67e

.. doesn't! You have a setting copy_request_to_tunnel in peap section
of eap.conf. Enable it.

Ivan Kalik
Kalik Informatika ISP
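The mechanism behind Ivan's answer, modelled in Python as an added example (not FreeRADIUS code and not from the original thread): radcheck comparison items are evaluated against the request the inner-tunnel server actually sees, so a `Calling-Station-Id ==` row fails until `copy_request_to_tunnel` adds the outer attributes. The radcheck rows and the outer request are constructed from the values in the thread, the password is a placeholder, and the operator handling is a simplified model of FreeRADIUS check-item semantics.

```python
import re

# Constructed radcheck rows mirroring the thread's table: (username, attribute, op, value).
# The password value is a placeholder; the original post does not show it.
RADCHECK = [
    ("DEFAULT", "Fall-Through", "=", "yes"),
    ("ege...@skynets", "Cleartext-Password", ":=", "placeholder-password"),
    ("ege...@skynets", "Calling-Station-Id", "==", "00-1C-B3-B1-3E-07"),
]

# Operators that compare a check item with the incoming request; ":=", "=" and "+="
# set control or reply items instead and never reject a request by themselves.
COMPARE_OPS = {"==", "=~"}

def check_items_match(rows, username, request):
    """True when every comparison check item for `username` holds for `request`.
    A "==" item requires the attribute to be present with that exact value."""
    for user, attr, op, value in rows:
        if user != username or op not in COMPARE_OPS:
            continue
        actual = request.get(attr)  # None when the request lacks the attribute
        if op == "==" and actual != value:
            return False
        if op == "=~" and (actual is None or not re.fullmatch(value, actual)):
            return False
    return True

def inner_request(outer, copy_request_to_tunnel):
    """Request as seen by the inner-tunnel server for a PEAP conversation: only the
    tunneled identity by default; outer attributes are added when the flag is set."""
    inner = {"User-Name": outer["User-Name"], "FreeRADIUS-Proxied-To": "127.0.0.1"}
    if copy_request_to_tunnel:
        for attr, value in outer.items():
            inner.setdefault(attr, value)  # inner attributes win, outer ones fill in
    return inner

# Outer Access-Request as in the debug output (constructed dict with the same values).
# Calling-Station-Id is whatever the NAS reports, so it binds a device, not a secret.
OUTER = {
    "User-Name": "ege...@skynets",
    "NAS-IP-Address": "192.168.0.1",
    "NAS-Port-Type": "Wireless-802.11",
    "Calling-Station-Id": "00-1C-B3-B1-3E-07",
}

if __name__ == "__main__":
    for flag in (False, True):
        ok = check_items_match(RADCHECK, "ege...@skynets", inner_request(OUTER, flag))
        print("copy_request_to_tunnel =", "yes" if flag else "no", "->", "accept" if ok else "reject")
```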



MAC auth won't work with SQL

2009-03-31 Thread Eric Geier
Hi, I've set up two different Linux machines with FR and still can't get MAC
authentication working with Calling-Station-Id in the radchk table. I've
checked the FAQ and have googled for hours. I've tried a hosted and local MySQL
server.

Right now I'm using FR 2.1.1 on openSUSE. I didn't install freeradius-mysql
on this new Linux machine, because I can't find it. However, I can still do
802.1X/PEAP authentication against my MySQL DB if I don't have the
Calling-Station-Id entry in the radchk table.

I can't get SQL xlat to work in the Clients file either.

I appreciate your help! Thanks!

Associated entries in the radchk table (username, attribute, op, value):

DEFAULT          Fall-Through         =   yes
ege...@skynets   Cleartext-Password   :=
ege...@skynets   Calling-Station-Id   ==  00-1C-B3-B1-3E-07   (if I remove this entry, I can get authenticated)

Here's most of the debug:

[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> ege...@skynets
[sql] sql_set_user escaped user --> 'ege...@skynets'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = 'ege...@skynets'   ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op   FROM radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radreply   WHERE username = 'ege...@skynets'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup   WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   FROM radusergroup   WHERE username = 'ege...@skynets'   ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 190 to 192.168.0.1 port 41576
EAP-Message = 0x016600061920
Message-Authenticator = 0x
State = 0x887600b0881019123d77eed9ad3cef65
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.1 port 41576, id=191, length=230
User-Name = "ege...@skynets"
NAS-IP-Address = 192.168.0.1
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00-1C-B3-B1-3E-07"
State = 0x887600b0881019123d77eed9ad3cef65
EAP-Message = 0x0266007d19800073160301006e016a030149d245f8cc2cbd4fe33cdb07dc35b6c8
7acfcc21da980a70fa466c6e819bf49118002f00350005000ac009c00ac013c014003200
380013000401290013001101000e65676569657240736b796e657473000a00080006
001700180019000b00020100
Message-Authenticator = 0x15b99d469f497dd1de41e19b04d463d9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "skynets" for User-Name = "ege...@skynets"
[suffix] No such realm "skynets"
++[suffix] returns noop
[eap] EAP packet type response id 102 length 125
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 115
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 006e], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 191 to 192.168.0.1 port 41576
EAP-Message = 0x0167040019c0089b160301002a0226030149d245fcb6267b990aa260afc7ea5b36
69e5ee697512f85665761dad0e9b07762f00160301085e0b00085a0008570003a6308203
a2308202