Title: RE: Problems with MySQL Auth-Type

MySQL is working on the accounting side when Radius requests are sent out.

I have another group on which is using the VPN concentrator's method of authentication (only supports 500 users however, and we require 1500 or entries), and set that group up to pass all accounting information out to the Radius server on port 1813. It's logging VPN connections, so the MySQL module has to be configured properly, I would think. I used the schema in /src/modules/rlm_sql/drivers/rlm_sql_mysql/ and it imported the correct tables. Is there a line that I'm missing in my sql.conf, or does it look like something is screwy in the radiusd.conf itself possibly?

I can copy paste the entire conf files but I figured I wouldn't start out with that for now to make this thread a bit smaller in case other people experience this.

Thanks,

Chris DeRamus
HQ VPN Administrator
Verizon
301-903-2093


-----Original Message-----
From: Simon [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 29, 2002 12:54 PM
To: [EMAIL PROTECTED]
Subject: Re: Problems with MySQL Auth-Type

On Wed, May 29, 2002 at 12:26:50PM -0400, Deramus, Chris wrote:
> I'm new to Free-Radius, I'll try to be as descriptive as possible. I have
> taken the advice of this board and read all documentation possible before
> asking this. I've searched on countless search engines for possible answers,
> and the only results I seem to come up with are pre Free Radius 0.5 answers.
>

> The current setup that we are running, is a Cisco 3030 Concentrator, which
> has dual-level authentication. First you have to authenticate with your
> group, and then you do individual level authentication. I set up my group
> table with a group name of TestRad and then setup a user TestUser which is
> affiliated to that group.

Not sure about this, but from what I've seen the group tables used in
sql with freeradius are only for easier 'grouping' of the users, to
be able to supply return attributes without setting them individually
etc. They're not used for any external types of groups.

> The big question is what do I put for an Auth-Type. On the net I have seen a
> lot of examples such as Auth-Type := Local however this is for Local
> authentication with the files such as clients, clients.conf, and users
> correct? I set the Auth-Type := sql and it is still doing the same thing. I
> tried setting the Authentication section of radiusd.conf to use the sql
> module, however, that was disabled in 0.5

SQL doesn't do authentication, only authorization.

> I have the rlm_sql_mysql module loaded correctly, it seems that it attempts
> to access my SQL database, but then returns an error message saying:

> Modcall: entering group authorize
> Radius_xlat: 'TestRad'
> Sql_escape in: 'TestRad'
> Sql_escape out: 'TestRad'
> Sql_set_user: escaped user --> 'TestRad'
> Radius_xlat: ''
> Rlm_sql Reserving sql socket id: 4
> MYSQL Error: Cannot get result
> MYSQL Error: Query was empty
> Rlm_sql_getvpndata: database query error
> Rlm_sql: Released sql socket id: 4
>             Modcall[authorize]: module "sql" returns noop
> Modcall: group authorize returns noop
> Auth: No Auth-Type configuration for the request, rejecting the user
> Auth: Failed to validate the user.
> Login incorrect: [TestRad]

Are you sure you have mysql setup correctly? The sql module doesn't seem
to be getting anything back from your mysql database, take a look at
the file src/modules/rlm_sql/drivers/rlm_sql_mysql from the radius
source, all the tables you need are there.

In the radcheck table, setting Attribute to Password, Value to a
plaintext password and Op to ':=' will use local authentication.
The same holds true for setting Attribute to Crypt-Password and doing a
'encrypt('password')' when you do an sql insert (so you don't have to
have plaintext passwords stored in the database).

You can also set a plaintext password then, for example, associate the
user with a group in the usergroup table and set an Auth-Type in the
radgroupcheck table, eg.:

mysql> select * from radgroupcheck;
+----+-----------+-----------+-------+------+
| id | GroupName | Attribute | Value | op   |
+----+-----------+-----------+-------+------+
|  1 | test2     | Auth-Type | PAP   | :=   |
+----+-----------+-----------+-------+------+

Would presumably work.


Taking a look at http://www.frontios.com/freeradius.html might help too.


Hope that helps.

--
Simon


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
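
Added example, not part of the original messages and not FreeRADIUS code: a simplified model of the table layout Simon describes, showing how a user's check items combine with the Auth-Type inherited from a group, and what a name with no rows ends up with. Assumptions: the radcheck and usergroup column names mirror the radgroupcheck table shown above, sqlite3 stands in for MySQL, the rows are constructed sample data, and the lookup functions are hypothetical.

```python
import sqlite3

# Constructed sample rows; column names for radcheck/usergroup are assumed to
# mirror the radgroupcheck table quoted in the thread. sqlite3 replaces MySQL.
SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, Value TEXT, op TEXT);
CREATE TABLE usergroup     (id INTEGER PRIMARY KEY, UserName TEXT, GroupName TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, Value TEXT, op TEXT);
INSERT INTO radcheck (UserName, Attribute, Value, op)
       VALUES ('TestUser', 'Password', 'example-only', ':=');
INSERT INTO usergroup (UserName, GroupName) VALUES ('TestUser', 'test2');
INSERT INTO radgroupcheck (GroupName, Attribute, Value, op)
       VALUES ('test2', 'Auth-Type', 'PAP', ':=');
"""

def open_db():
    """Build the three tables in memory with the sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def check_items(db, username):
    """Per-user check items first, then items inherited via usergroup."""
    # Bound parameters keep the User-Name value out of the SQL text.
    rows = db.execute(
        "SELECT Attribute, op, Value FROM radcheck "
        "WHERE UserName = ? ORDER BY id", (username,)).fetchall()
    rows += db.execute(
        "SELECT g.Attribute, g.op, g.Value FROM radgroupcheck g "
        "JOIN usergroup u ON u.GroupName = g.GroupName "
        "WHERE u.UserName = ? ORDER BY g.id", (username,)).fetchall()
    return rows

def auth_type_for(db, username):
    """Return the Auth-Type found for the user, or None if no row sets one."""
    values = [v for attr, _, v in check_items(db, username) if attr == "Auth-Type"]
    return values[-1] if values else None

if __name__ == "__main__":
    db = open_db()
    for name in ("TestUser", "TestRad"):
        # TestRad has no rows here, so no Auth-Type is found for it.
        print(name, check_items(db, name), auth_type_for(db, name))
```
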
