Title: RE: Problems with MySQL Auth-Type

Simon,

For the record you are the man :). I'm *almost* there and I do appreciate you being in a good mood today... it must be my lucky day.

I made the changes you suggested and I am now a step further. It does check the password file, it seems; however, it is almost like it's checking the radcheck table and not radgroupcheck. It seems that it's taking TestRad as the username, and not the group name. This could be the Cisco VPN client, or maybe I should switch up the query order in sql.conf? The VPN client first logs into the Group, and then prompts the user to enter their username and password into a popup dialogue box. It seems that this takes both entries at once; any way to change this?

Thanks again Simon, I owe ya =)!

        User-Name = "TestRad"
        User-Password = "\255\014\020e\345\377rG\305\014\000n\351\317\0349"
        NAS-Port = 0
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Tunnel-Client-Endpoint:0 = "63.188.96.2"
        Attr-201588758 = "\000\000\000\005"
        NAS-IP-Address = 172.16.0.2
        NAS-Port-Type = Virtual

modcall: entering group authorize
radius_xlat:  'TestRad'
sql_escape in:  'TestRad'
sql_escape out:  'TestRad'
sql_set_user:  escaped user --> 'TestRad'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE STRCMP(Username, 'TestRad') = 0 ORDER BY id'
rlm_sql: Reserving sql socket id: 9
SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE STRCMP(Username, 'TestRad') = 0 ORDER BY id
sql_escape in:  'DEFAULT'
sql_escape out:  'DEFAULT'
sql_set_user:  escaped user --> 'DEFAULT'
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'

SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id

radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'

SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id

rlm_sql: User DEFAULT not found and DEFAULT not found
rlm_sql: Released sql socket id: 9
  modcall[authorize]: module "sql" returns notfound
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
  modcall[authorize]: module "counter" returns noop
    users: Matched DEFAULT at 148
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type pap
auth: type "PAP"
modcall: entering group authenticate
rlm_pap: login attempt by "TestRad" with password TestRad
rlm_pap: Could not find password for user TestRad
  modcall[authenticate]: module "pap" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.

Chris DeRamus
HQ VPN Administrator
Verizon
301-903-2093


-----Original Message-----
From: Simon [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 29, 2002 3:07 PM
To: [EMAIL PROTECTED]
Subject: Re: Problems with MySQL Auth-Type

While I'm in a posting mood :)

On Wed, May 29, 2002 at 02:00:55PM -0400, Deramus, Chris wrote:
> Alan,
>
> Thanks for your quick response, I will definitely give this a try. I like
> this product and I think it'll work out great once I can finish the
> configuration but let me ask you this. I realize this isn't your problem but
> I just wanted to see what you might suggest. If I set the Auth-Type to
> Local, and then use let's say PAP for example to internally authenticate.

If you set Auth-Type to Local you won't be using PAP to authenticate;
set Auth-Type to PAP if you want PAP.
Local will (I think) only let you use cleartext passwords (and CHAP?) if
I'm reading the source correctly.

> We're trying to set up a web front, where all of this stuff can be changed
> without having to know any linux commands or mysql commands. I have the web
> front basically done, but tying it into FreeRadius would be nearly
> impossible from what I'm understanding. That means the password needs to
> also be stored in one of the configuration files correct? Such as
> clients.conf? Or is PAP just used to verify the password stored in the SQL
> database?

Nono, you can store the password in the (per default) radcheck table in
the sql database. PAP (for example) is, like you said, only used to
verify the password returned from the sql module. PAP can check
cleartext, crypt and md5 passwords at the moment.
clients.conf is used for the secrets etc. for communicating with other
'clients', NAS'es etc, and has nothing to do with the actual user
authentication; I think you meant the 'users' file above.

You can also set the Auth-Type attribute in the radgroupcheck table if
you want to avoid the users file altogether.

I.e. you never need to touch anything other than the sql database with
your web frontend.

--
Simon


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
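
The lookup seen in the debug output can be replayed offline. The following is an added example, not part of the thread and not FreeRADIUS code: it runs the two check queries from the log against an in-memory SQLite stand-in for the MySQL tables. The lookup order in `authorize()` is an assumption read off the log, and the user `alice`, the password value and all rows are constructed.

```python
import sqlite3

# The two check queries from the debug output, with ? in place of the escaped name.
CHECK_Q = ("SELECT id,UserName,Attribute,Value,op FROM radcheck "
           "WHERE STRCMP(Username, ?) = 0 ORDER BY id")
GROUP_Q = ("SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,"
           "radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup "
           "WHERE usergroup.Username = ? "
           "AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id")

SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, Value TEXT, op TEXT);
CREATE TABLE usergroup (Username TEXT, GroupName TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, Value TEXT, op TEXT);
"""

def make_db(radcheck=(), usergroup=(), radgroupcheck=()):
    """In-memory stand-in for the MySQL tables; all rows passed in are constructed."""
    db = sqlite3.connect(":memory:")
    # SQLite has no STRCMP(); this case-sensitive emulation lets the query run unchanged.
    db.create_function("STRCMP", 2, lambda a, b: (a > b) - (a < b))
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO radcheck (UserName,Attribute,Value,op) VALUES (?,?,?,?)", radcheck)
    db.executemany("INSERT INTO usergroup VALUES (?,?)", usergroup)
    db.executemany("INSERT INTO radgroupcheck (GroupName,Attribute,Value,op) VALUES (?,?,?,?)",
                   radgroupcheck)
    return db

def authorize(db, user):
    """Assumed lookup order, taken from the log: radcheck for the user, then group
    check items; with no radcheck row, only the DEFAULT user's groups are tried."""
    rows = db.execute(CHECK_Q, (user,)).fetchall()
    if rows:
        rows += db.execute(GROUP_Q, (user,)).fetchall()
    else:
        rows = db.execute(GROUP_Q, ("DEFAULT",)).fetchall()
    return ("ok" if rows else "notfound"), [(r[2], r[3]) for r in rows]

GROUP_ROW = [("TestRad", "Auth-Type", "PAP", ":=")]

# 1. Nothing matches TestRad or DEFAULT, as in the log.
empty = authorize(make_db(), "TestRad")
# 2. TestRad exists only as a group: still notfound, the join keys on usergroup.Username.
group_only = authorize(make_db(radgroupcheck=GROUP_ROW), "TestRad")
# 3. User row with a password plus a usergroup mapping: both check items come back.
full = authorize(make_db(radcheck=[("alice", "User-Password", "constructed-pw", ":=")],
                         usergroup=[("alice", "TestRad")],
                         radgroupcheck=GROUP_ROW), "alice")
```

The second case is the one in the thread: a name sent as User-Name is only ever compared with `radcheck.Username` and `usergroup.Username`, so a row keyed on `GroupName` alone is never reached.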
