In a previous post PAP what password encryption is used? I managed to get
authentication working with a msssql backend however I need to force
Auth-Type := PAP. I read it's bad practice to force the Auth-Type so I was
wondering what I could do to let freeradius figure the authentication
itself.
This is all done on freeradius 1.1.6 (OSS 10.3)
I've setup an sql module:
sql mssql {
driver = rlm_sql_unixodbc
# Connect info
server = test
login = Radius_User
password = blabla
radius_db = V2
# niet gebruikt wel geset!
acct_table1 = radacct
acct_table2 = radacct
authcheck_table = user
authreply_table = user
# niet gebruikt wel geset!
groupcheck_table = radgroupcheck
groupreply_table = radgroupreply
usergroup_table = usergroup
# Remove stale session if checkrad does not see a double login
deletestalesessions = yes
# Print all SQL statements when in debug mode (-x)
sqltrace = no
sqltracefile = ${logdir}/sqltrace.sql
# number of sql connections to make to server
num_sql_socks = 5
sql_user_name = %{Stripped-User-Name:-%{User-Name:-none}}
# Custom query die attributen klaar zet!
authorize_check_query = SELECT UserID,Usernaam,'SHA-Password' AS
Attribute, Wachtwoord, ':=' AS Op FROM ${authcheck_table} WHERE Usernaam =
'%{SQL-User-Name}' ORDER BY UserID
authorize_reply_query = SELECT UserID,Usernaam from {authreply_table}
WHERE Usernaam = '%{SQL-User-Name}' ORDER BY UserID
}
You can see I'm using a custom SQL query to get the right attributes. I can
only compare username and password in this database. I actually don't need
any groupcheck's etc.
I've setup its authorize entry:
Autz-Type mssql {
mssql
}
and finally in users file:
DEFAULT Realm == mssql.nl, Autz-Type := mssql
This setup doesn't work:
modcall: entering group authorize for request 1
modcall[authorize]: module preprocess returns ok for request 1
modcall[authorize]: module chap returns noop for request 1
modcall[authorize]: module mschap returns noop for request 1
rlm_realm: Looking up realm mssql.nl for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm DEFAULT
rlm_realm: Adding Stripped-User-Name = lsa
rlm_realm: Proxying request from user lsa to realm DEFAULT
rlm_realm: Adding Realm = DEFAULT
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module suffix returns noop for request 1
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 1
users: Matched entry DEFAULT at line 153
modcall[authorize]: module files returns ok for request 1
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
modcall[authorize]: module pap returns noop for request 1
modcall: leaving group authorize (returns ok) for request 1
Found Autz-Type mssql
Processing the authorize section of radiusd.conf
modcall: entering group mssql for request 1
radius_xlat: 'lsa'
rlm_sql (mssql): sql_set_user escaped user -- 'lsa'
radius_xlat: 'SELECT UserID,Usernaam,'SHA-Password' AS Attribute,
Wachtwoord, ':=' AS Op FROM bas_user WHERE Usernaam = 'lsa' ORDER BY UserID'
rlm_sql (mssql): Reserving sql socket id: 3
radius_xlat: ''
radius_xlat: 'SELECT UserID,Usernaam from {authreply_table} WHERE Usernaam
= 'lsa' ORDER BY UserID'
rlm_sql_getvpdata: database query error
radius_xlat: ''
rlm_sql (mssql): Released sql socket id: 3
modcall[authorize]: module mssql returns ok for request 1
modcall: leaving group mssql (returns ok) for request 1
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 223 to 127.0.0.1 port 32770
Waking up in 4 seconds...
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=223, length=20
If I add Auth-Type in users file it works:
DEFAULT Realm == mssql.nl, Autz-Type := mssql, Auth-Type := PAP
Rg,
Arnaud Loonstra
--
View this message in context:
http://www.nabble.com/Why-do-I-need-to-force-Auth-Type--tp18925418p18925418.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
