On Wed, May 29, 2002 at 02:49:26PM -0400, Deramus, Chris wrote:
> I reloaded the default sql.conf and made the necessary changes, in my
> previous sql.conf I forgot I was commenting out a few queries therefore it
> wasn't properly querying my database. With the default queries this is what
> I get. Instead of taking in TestRad as the groupname it takes it in as the
> user-name. I'm no sql expert but there are a few around the workplace, is
> this a problem with the query itself and the values just have to be toyed
> with?

Erm, I'm not sure I follow you here. The NAS sends the attribute
User-Name = "TestRad" and you want freeradius to use it as something other
than a username?

> The reason it says no password at the bottom is because I didn't want to
> specify a password in the users / clients.conf files. I was really hoping to
> figure out a way to have it authenticate through the radcheck /
> radgroupcheck tables to authenticate, however, as Alan and you have told me
> this isn't really possible. Was this possible in 0.4 or has it never been
> possible?

I said that? :)
I think you may have misinterpreted both of us somewhat.
The radcheck table is very happy to store passwords for you, in fact
that's pretty much the only thing it's good at.
I think you have the authorization/authentication somewhat mixed up, the
sql module is an authorization module, it checks for the existence of
a user, and also grabs any passwords that happen to be lying around in
its tables for that user on the way out the door. If the user exists,
it happily tells freeradius that authorization went ok, you can go ahead
and authenticate now. Another module is then needed to authenticate the
password (or lack thereof) returned from the sql module. Though things
get more complicated than this, that's basically what happens.

A general workflow would be something like:

* A request comes in.
* rlm_sql is called.
* rlm_sql checks for the existence of the username defined in the User-Name
  attribute in radcheck. It also picks up the password defined in the
  same table.
* rlm_sql checks if username exists in the usergroup table to see if
  username is in a group.
* If username is associated with a group, radgroupcheck is checked for
  attributes. This could be attributes that have to match what came in
  with the auth request, ex. Framed-Protocol == PPP, or it can set
  attributes used internally, ex. Auth-Type := PAP.

If the user existed, and a password was supplied in radcheck, this is
passed back. Again, things get more complicated than this, but that's a
general overview (somewhat) of what happens in the sql module.

When you use the sql module, you can completely remove the users section
from the authorize section of radiusd.conf if you want to.


> Ready to process requests.
> Thread 5 waiting to be assigned a request
> rad_recv: Access-Request packet from host 172.16.0.2:3241, id=101,
> length=102
> Thread 1 assigned request 0
> --- Walking the entire request list ---
> Threads: total/active/spare threads = 5/1/4
> Nothing to do.  Sleeping until we see a request.
> Thread 1 handling request 0, (1 handled so far)
>       User-Name = "TestRad"
>       User-Password = "U\352\221\231A\026A\202\231\227aG\221\204\312\254"
>       NAS-Port = 0
>       Service-Type = Framed-User
>       Framed-Protocol = PPP
>       Tunnel-Client-Endpoint:0 = "63.188.96.2"
>       Attr-201588758 = "\000\000\000\005"
>       NAS-IP-Address = 172.16.0.2
>       NAS-Port-Type = Virtual
> modcall: entering group authorize
> radius_xlat:  'TestRad'
> sql_escape in:  'TestRad'
> sql_escape out:  'TestRad'
> sql_set_user:  escaped user --> 'TestRad'
> radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
> STRCMP(Username, 'TestRad') = 0 ORDER BY id'
> rlm_sql: Reserving sql socket id: 9
> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE STRCMP(Username,
> 'TestRad') = 0 ORDER BY id
> sql_escape in:  'DEFAULT'
> sql_escape out:  'DEFAULT'
> sql_set_user:  escaped user --> 'DEFAULT'
> radius_xlat:  'SELECT
> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
> ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
> usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
> radgroupcheck.GroupName ORDER BY radgroupcheck.id'
> SELECT
> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
> ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
> usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
> radgroupcheck.GroupName ORDER BY radgroupcheck.id
> radius_xlat:  'SELECT
> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
> ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
> usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
> radgroupreply.GroupName ORDER BY radgroupreply.id'
> SELECT
> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
> ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
> usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
> radgroupreply.GroupName ORDER BY radgroupreply.id
> rlm_sql: User DEFAULT not found and DEFAULT not found
> rlm_sql: Released sql socket id: 9
>   modcall[authorize]: module "sql" returns notfound
> rlm_counter: Entering module authorize code
> rlm_counter: Could not find Check item value pair
>   modcall[authorize]: module "counter" returns noop
>     users: Matched DEFAULT at 148
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type Local
> auth: type Local
> auth: No password configured for the user

You need to add the user/password to radcheck, see my comments above.

Examples:

mysql> select * from radcheck;
+----+----------+----------------+----------------------------------+------+
| id | UserName | Attribute      | Value                            | op   |
+----+----------+----------------+----------------------------------+------+
|  2 | test2    | Password       | ad0234829205b9033196ba818f7a872b | :=   |
+----+----------+----------------+----------------------------------+------+

mysql> select * from usergroup;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  2 | test2    | bla       |
+----+----------+-----------+

mysql> select * from radgroupcheck;
+----+-----------+-----------------+-------------+------+
| id | GroupName | Attribute       | Value       | op   |
+----+-----------+-----------------+-------------+------+
|  1 | bla       | Auth-Type       | PAP         | :=   |
|  2 | bla       | Framed-Protocol | PPP         | ==   |
|  3 | bla       | Service-Type    | Framed-User | ==   |
+----+-----------+-----------------+-------------+------+

Hope that helps.

-- 
Simon


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
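As an added illustration of the workflow Simon describes (the radcheck / usergroup / radgroupcheck lookups, the fall-back to DEFAULT seen in the debug output, and the difference between `==` and `:=` items), here is a small stand-alone emulation of the sql module's authorize pass. It is not Simon's code and not FreeRADIUS's rlm_sql; it loads the three example tables from his reply into an in-memory sqlite database and runs the same two queries from the debug output (with `UserName = ?` in place of MySQL's `STRCMP(Username, '...') = 0`). The request dictionaries, the `authorize()` function and its `ok`/`notfound` return values are constructed for the example; real rlm_sql handles more operators and return codes than shown here.

```python
import sqlite3

# Constructed sample data: the three tables from Simon's reply, loaded
# into an in-memory sqlite database so the example runs offline.
SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, Value TEXT, op TEXT);
CREATE TABLE usergroup     (id INTEGER PRIMARY KEY, UserName TEXT, GroupName TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, Value TEXT, op TEXT);
INSERT INTO radcheck      VALUES (2, 'test2', 'Password', 'ad0234829205b9033196ba818f7a872b', ':=');
INSERT INTO usergroup     VALUES (2, 'test2', 'bla');
INSERT INTO radgroupcheck VALUES (1, 'bla', 'Auth-Type',       'PAP',         ':=');
INSERT INTO radgroupcheck VALUES (2, 'bla', 'Framed-Protocol', 'PPP',         '==');
INSERT INTO radgroupcheck VALUES (3, 'bla', 'Service-Type',    'Framed-User', '==');
"""

# The two lookups visible in the debug output, parameterised for sqlite.
AUTHORIZE_CHECK_QUERY = (
    "SELECT id,UserName,Attribute,Value,op FROM radcheck "
    "WHERE UserName = ? ORDER BY id"
)
AUTHORIZE_GROUP_CHECK_QUERY = (
    "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,"
    "radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup "
    "WHERE usergroup.UserName = ? AND usergroup.GroupName = radgroupcheck.GroupName "
    "ORDER BY radgroupcheck.id"
)


def open_sample_db():
    """Create the in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_items(conn, query, username):
    """Run one of the two lookups and return (Attribute, Value, op) triples."""
    return [(attr, value, op)
            for (_id, _name, attr, value, op) in conn.execute(query, (username,))]


def authorize(conn, request):
    """Simplified emulation of the sql module's authorize pass.

    `request` maps attribute names to the values the NAS sent.  Returns
    (status, control): status is "ok" or "notfound", control holds the
    items handed on for authentication (Password, Auth-Type, ...).
    Checking the password itself is another module's job, as in FreeRADIUS.
    """
    username = request["User-Name"]
    user_items = fetch_items(conn, AUTHORIZE_CHECK_QUERY, username)
    group_items = fetch_items(conn, AUTHORIZE_GROUP_CHECK_QUERY, username)
    if not user_items and not group_items:
        # Same fall-back the debug output shows: try the DEFAULT entry.
        user_items = fetch_items(conn, AUTHORIZE_CHECK_QUERY, "DEFAULT")
        group_items = fetch_items(conn, AUTHORIZE_GROUP_CHECK_QUERY, "DEFAULT")
        if not user_items and not group_items:
            return "notfound", {}

    control = {}
    for attr, value, op in user_items + group_items:
        if op == "==":
            # Must match what came in with the request, e.g. Framed-Protocol == PPP.
            if request.get(attr) != value:
                return "notfound", {}
        elif op == ":=":
            # Sets an item used internally, e.g. Auth-Type := PAP or the stored password.
            control[attr] = value
        else:
            raise ValueError("operator %r not handled in this simplified emulation" % op)
    return "ok", control


if __name__ == "__main__":
    db = open_sample_db()
    # test2 is in radcheck and in group bla, and the request matches the == items.
    print(authorize(db, {"User-Name": "test2", "Framed-Protocol": "PPP",
                         "Service-Type": "Framed-User"}))
    # TestRad is in neither table and there is no DEFAULT row: notfound,
    # which is what Chris's debug output shows for the sql module.
    print(authorize(db, {"User-Name": "TestRad", "Framed-Protocol": "PPP"}))
```

Running it shows the two outcomes side by side: a user present in radcheck gets `ok` with the stored Password and the group's `Auth-Type := PAP` handed on, while a User-Name that appears in neither radcheck nor usergroup (and has no DEFAULT row) comes back `notfound`, exactly the `module "sql" returns notfound` line in the debug output.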