Title: RE: Problems with MySQL Auth-Type

Simon,

I follow what you are saying. I changed a few tables per your suggestions, with no success. I'm going to copy and paste what I have; I apologize in advance for the length of this post.

mysql> select * from radcheck;
+----+----------+-----------+---------+------+
| id | UserName | Attribute | Value   | op   |
+----+----------+-----------+---------+------+
|  1 | TestRad  | Password  | TestRad | :=   |
|  2 | Radius   | Password  | TestRad | :=   |
+----+----------+-----------+---------+------+
2 rows in set (0.00 sec)

mysql> select * from radgroupcheck;
+----+-----------+-----------------+-------------+------+
| id | GroupName | Attribute       | Value       | op   |
+----+-----------+-----------------+-------------+------+
|  1 | Radius    | Password        | TestRad     | :=   |
|  2 | Radius    | Auth-Type       | PAP         | :=   |
|  3 | Radius    | Framed-Protocol | PPP         | ==   |
|  4 | Radius    | Service-Type    | Framed-User | ==   |
+----+-----------+-----------------+-------------+------+
4 rows in set (0.00 sec)

mysql> select * from radgroupreply;
+----+-----------+--------------------+-------------+------+------+
| id | GroupName | Attribute          | Value       | op   | prio |
+----+-----------+--------------------+-------------+------+------+
|  2 | Radius    | Framed-Protocol    | PPP         | ==   |    0 |
|  3 | Radius    | Service-Type       | Framed-User | ==   |    0 |
|  1 | Radius    | Auth-Type          | PAP         | :=   |    0 |
|  4 | Radius    | Framed-Compression | None        | ==   |    0 |
+----+-----------+--------------------+-------------+------+------+
4 rows in set (0.00 sec)

mysql> select * from radgroup
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  1 | TestRad  | Radius    |
|  2 | Radius   | Radius    |
+----+----------+-----------+
2 rows in set (0.00 sec)

I am trying to send out the first authorization/authentication request as part of the Radius group. Multiple users will have this group name and group password. Next I want the user TestRad to authenticate himself. After these two authentication requests pass through, everything *should* be okay.

Chris DeRamus
HQ VPN Administrator
Verizon
301-903-2093


-----Original Message-----
From: Simon [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 30, 2002 9:03 AM
To: [EMAIL PROTECTED]
Subject: Re: Problems with MySQL Auth-Type

On Thu, May 30, 2002 at 08:38:04AM -0400, Deramus, Chris wrote:
> Simon,
>
> I got Authentication to work with the method you described, but that's only
> the first level. I realize that I can't make username, the group name. I
> guess I am not wording it correctly, let me try better this time =).
>
> The Cisco VPN Dialer has a setup section where the user must enter their
> group name and group password. When they attempt to connect to our VPN, it
> passes the group name and group password to the concentrator. If that group
> name and pass is authenticated either via RADIUS or it's the VPN's internal
> database, it then prompts the user to enter their username and password for
> themselves (individual authorization/authentication). There's no real way to
> bypass this dual authentication, unless we used Digital Certificates which
> at this point we really can't. So my question is, can I somehow *trick*
> FreeRadius into realizing that the first authorization/authentication
> request is the Group Name and Pass, and then it will still listen for
> another request (Username/Pass)?

So the NAS is sending two auth requests to freeradius for every
connection? One for the groupname/grouppassword and one for the
username/password? Are the same groupnames/grouppasswords used by
multiple clients?
This doesn't look like it should really change anything, if the NAS
sends an "ordinary" auth request for the group authentication and
another auth request for the user authentication all you would need to
do is add an entry for the groupname/grouppassword in
radcheck/usergroup/radgroupcheck
and another entry in the same tables for the username/password.

It would be easier to answer your question if we knew what attributes
were sent in the auth requests for the group authentication and user
authentication respectively.

--
Simon

