Hi,
I'm having some problems getting RADIUS authentication with MySQL working. I'm
using:
FreeRADIUS Version 0.7.1
mysql-server-3.23.41
dialup_admin (latest) - slightly modified
RedHat Linux 7.3
I've read through the documentation and the mailing list archives, but I haven't seen an answer to this problem. I also checked the "./configure" script for FreeRADIUS to verify that I didn't miss an important option, but I saw nothing appropriate.
When my radiusd.conf includes:
authenticate {
        unix
        sql
}
Radius won't start up, giving me:
radiusd.conf: "SQL" modules aren't allowed in 'authenticate' sections -- they have no such method.
Don't I need SQL to be in my "authenticate" section? How do I get it there?
When I remove "sql" from the authenticate section, radiusd will start, but my test user won't authenticate:
[root@rherrellnix root]# radtest testuser2 testuser2 127.0.0.1 1 IForgot
Sending Access-Request of id 123 to 127.0.0.1:1645
        User-Name = "testuser2"
        User-Password = "\357\242k\354k%\027qV\207a\374\337\312Am"
        NAS-IP-Address = rherrellnix
        NAS-Port-Id = "1"
rad_recv: Access-Reject packet from host 127.0.0.1:1645, id=123, length=20
The related output of "radiusd -X" is:
Listening on IP address *, ports 1645/udp and 1646/udp, with proxy on 1647/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=123, length=58
        User-Name = "testuser2"
        User-Password = "\357\242k\354k%\027qV\207a\374\337\312Am"
        NAS-IP-Address = 255.255.255.255
        NAS-Port-Id = "1"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm NULL for User-Name = "testuser2"
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
radius_xlat: 'testuser2'
sql_set_user: escaped user --> 'testuser2'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'testuser2' ORDER BY id'
rlm_sql: Reserving sql socket id: 4
query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'testuser2' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser2' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser2' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'testuser2' ORDER BY id'
query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'testuser2' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser2' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser2' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
radius_xlat: 'SELECT Value,Attribute FROM radcheck WHERE UserName = 'testuser2' AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC'
query: SELECT Value,Attribute FROM radcheck WHERE UserName = 'testuser2' AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC
rlm_sql: Released sql socket id: 4
modcall[authorize]: module "sql" returns ok
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
modcall[authenticate]: module "unix" returns notfound
modcall: group authenticate returns notfound
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 123 to 127.0.0.1:1025
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 123 with timestamp 3dcad955
Nothing to do. Sleeping until we see a request.
The results probably aren't too surprising, because sql isn't in my authenticate section. However, I have verified that my test user is in my database:
mysql> select * from userinfo;
+----+-----------+------+------+------------+-----------+-----------+--------+
| id | UserName  | Name | Mail | Department | WorkPhone | HomePhone | Mobile |
+----+-----------+------+------+------------+-----------+-----------+--------+
|  1 | testuser2 | -    | -    | -          | -         | -         | -      |
+----+-----------+------+------+------------+-----------+-----------+--------+
1 row in set (0.00 sec)
mysql> select * from radcheck;
+----+-----------+---------------+------------------------------------+------+
| id | UserName  | Attribute     | Value                              | op   |
+----+-----------+---------------+------------------------------------+------+
|  1 | testuser  | User-Password | $1$8MarUKmw$Mq08/fAAo0s7fCOluHy.H1 | :=   |
|  2 | testuser2 | User-Password | $1$SetCnSFM$fcPuwCQ/fN85unIM6o70j/ | :=   |
+----+-----------+---------------+------------------------------------+------+
2 rows in set (0.01 sec)
Why can't I enable SQL authentication?
Regards,
Richard Herrell
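
Added example (not part of the original post, and not FreeRADIUS code): a small Python helper that reduces the "radiusd -X" output quoted above to the decision path for one request, that is, what each module returned per section, which users-file entry matched, the Auth-Type chosen, and the reply sent. The function and field names are illustrative, and the regular expressions assume the debug line formats shown in this post.

```python
import re

# Excerpt of the "radiusd -X" output quoted in the post above (one request).
DEBUG_LOG = """\
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "suffix" returns noop
modcall[authorize]: module "sql" returns ok
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
modcall[authenticate]: module "unix" returns notfound
modcall: group authenticate returns notfound
Sending Access-Reject of id 123 to 127.0.0.1:1025
"""

# Patterns assume the debug line formats shown in this post.
MODULE_RE = re.compile(r'^modcall\[(\w+)\]: module "([^"]+)" returns (\w+)$')
GROUP_RE = re.compile(r'^modcall: group (\w+) returns (\w+)$')
AUTHTYPE_RE = re.compile(r'^rad_check_password:\s+Found Auth-Type (\S+)$')
USERS_RE = re.compile(r'^users: Matched (\S+) at (\d+)$')
REPLY_RE = re.compile(r'^Sending (Access-\w+) of id \d+')

def trace_request(log_text):
    """Reduce one request's debug output to its decision path."""
    trace = {"modules": {}, "groups": {}, "auth_type": None,
             "users_match": None, "reply": None}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := MODULE_RE.match(line):
            trace["modules"].setdefault(m.group(1), []).append(m.group(2, 3))
        elif m := GROUP_RE.match(line):
            trace["groups"][m.group(1)] = m.group(2)
        elif m := AUTHTYPE_RE.match(line):
            trace["auth_type"] = m.group(1)
        elif m := USERS_RE.match(line):
            trace["users_match"] = (m.group(1), int(m.group(2)))
        elif m := REPLY_RE.match(line):
            trace["reply"] = m.group(1)
    return trace

def not_ok(trace, section):
    """Modules in a section whose return code was neither ok nor noop."""
    return [(mod, rc) for mod, rc in trace["modules"].get(section, [])
            if rc not in ("ok", "noop")]

if __name__ == "__main__":
    t = trace_request(DEBUG_LOG)
    print(t["users_match"], t["auth_type"], not_ok(t, "authenticate"), t["reply"])
```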