Alan,
 
That’s what I thought, but the definition of Authorization and Authentication got me a little confused. New question now... 
 
I have the MySQL database set up with a test account (username test, password test). When I run “radiusd -xxp 1645” and try “radtest test test localhost:1645 0 testing”, it gives me a bunch of stuff, but the part that stands out is the following:
 
rad_recv: Access-Request packet from host 130.203.224.111:32769, id=167, length=56
Thread 2 assigned request 1
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 2 handling request 1, (1 handled so far)
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "mschap" returns notfound
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '' ORDER BY id
rlm_sql (sql): User  not found in radcheck
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): User  not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 2
  modcall[authorize]: module "sql" returns notfound
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
 
 
From what I can tell, it’s not passing the username (or password, for that matter) to the SQL database. Would that be a correct assumption? If so, do you have any suggestions on what to do to fix?
 
Thanks for your help!
 
Shannon
 
 
 
 
"Shannon Johnson" <[EMAIL PROTECTED]> wrote:
> I need this radius server to authenticate / authorize (still a
> little hazy on the difference) console and ssh access to 10
> workstations. The requests would come in to the workstation, get
> routed to the server via a pam module, hit the freeradius server,
> verify the username and password in the database, and let the person
> on if their info is correct. First question, is this possible?
 
  For username/password verification, yes.  They'll still have to get
uid/gid/shell from somewhere, though.
 
> I just got done reading about the differences between authorization
> and authentication, and from what I gather, freeradius can't do
> authentication to an SQL database. Is that correct?
 
  Yes.  It won't try to log users into an SQL database.
 
> Ideally, what I would like, is to have a database holding all the
> usernames and passwords (holding in clear text, but transmitting
> encrypted, if that matters). Can I do that with freeradius?
 
  Yes.  That's storing the username/password in SQL, and letting
FreeRADIUS use that information to authenticate them.
 
  Alan DeKok.
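
An added example, not part of the original thread: a small Python check that reads debug output in the format shown in the message above and reports any SQL query whose Username literal does not match the User-Name received in the request. The sample log, the function name and the field names are constructed for illustration.

```python
import re

# Constructed sample in the format of the debug output above (addresses are placeholders).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.10:32769, id=167, length=56
        User-Name = "test"
        User-Password = "test"
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '' ORDER BY id
rlm_sql (sql): User  not found in radcheck
rad_recv: Access-Request packet from host 192.0.2.10:32770, id=168, length=56
        User-Name = "alice"
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'alice' ORDER BY id
"""

REQ_RE = re.compile(r"^rad_recv: \S+ packet from host \S+, id=(\d+)")
USER_RE = re.compile(r'^\s+User-Name = "(.*)"\s*$')
QUERY_RE = re.compile(r"^rlm_sql_\w+: query:\s+(.*)$")
LITERAL_RE = re.compile(r"\bUsername\s*=\s*'([^']*)'", re.IGNORECASE)
TABLE_RE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)


def find_username_mismatches(log_text):
    """Report SQL queries whose Username literal differs from the request's User-Name.

    Assumes one request is logged at a time and that the user name contains
    no characters the SQL module would escape before building the query.
    """
    findings = []
    req_id = user = None
    for line in log_text.splitlines():
        if m := REQ_RE.match(line):
            req_id, user = int(m.group(1)), None   # new request: reset state
        elif m := USER_RE.match(line):
            user = m.group(1)
        elif (m := QUERY_RE.match(line)) and user is not None:
            query = m.group(1)
            table = TABLE_RE.search(query)
            for literal in LITERAL_RE.findall(query):
                if literal != user:
                    findings.append({
                        "id": req_id, "user_name": user, "query_username": literal,
                        "table": table.group(1) if table else None,
                    })
    return findings


if __name__ == "__main__":
    for f in find_username_mismatches(SAMPLE_LOG):
        print(f"request {f['id']}: User-Name={f['user_name']!r} but "
              f"{f['table']} query used Username={f['query_username']!r}")
```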

 
