I am attempting to set up an EAP-MD5 + rlm_sql system where the passwords have an expiry on them of only a few seconds.
The Expiration attribute seems to be the way to go, but my brief look at gettime() in valuepair.c seems to indicate that the attribute value only has a day of resolution. Is this correct? Can it be changed without modifying the code?
I tried to get around the limitation by rigging my password-returning SQL query to NOT return a password row when the current time exceeds the expiry time. This hack was thwarted by some apparent "caching" in FreeRADIUS; when I disconnected my wireless card after a successful authentication and went through another authentication a few seconds later, I get an Access-Reject even though the sql module did not return a password. Here is a relevant portion of the log:
<log>
XXXXXXXXXX sql found returned 0
rlm_sql (sql): User 15142629017 not found in radcheck
radius_xlat: ''
radius_xlat: ''
rlm_sql: check items
rlm_sql: reply items
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok
modcall: group append returns ok
modcall: group authorize returns updated
XXXXXXXXXXXXX checking expiration
XXXXXXXXXXXXXXXX config item attr: 1000
XXXXXXXXXXXXXXXX Expiration attr: 1010
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP packet type notification id 6 length 46
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - md5
rlm_eap: processing type md5
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Accept of id 3 to 163.188.170.16:1027
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 5
Going to the next request
Thread 1 waiting to be assigned a request
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/0/5
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 2 with timestamp 3f31595e
Cleaning up request 5 ID 3 with timestamp 3f31595e
Nothing to do. Sleeping until we see a request.
</log>
Notice that "rlm_sql: check items" does not mention a User-Password attribute, because there isn't any. The EAP authentication module should complain about this but does not. How can it send an Access-Accept if it has no password?
A few minutes later, I do another authentication, with the expected result:
<log>
XXXXXXXXXX sql found returned 0
rlm_sql (sql): User 15142629017 not found in radcheck
radius_xlat: ''
radius_xlat: ''
rlm_sql: check items
rlm_sql: reply items
rlm_sql (sql): Released sql socket id: 2
modcall[authorize]: module "sql" returns ok
modcall: group append returns ok
modcall: group authorize returns updated
XXXXXXXXXXXXX checking expiration
XXXXXXXXXXXXXXXX config item attr: 1000
XXXXXXXXXXXXXXXX Expiration attr: 1010
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP packet type notification id 9 length 46
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - md5
rlm_eap: processing type md5
rlm_eap_md5: No password configured for this user
modcall[authenticate]: module "eap" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
Thread 3 waiting to be assigned a request
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/0/5
Sending Access-Reject of id 5 to 163.188.170.16:1029
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 6 ID 4 with timestamp 3f315af7
Cleaning up request 7 ID 5 with timestamp 3f315af7
Nothing to do. Sleeping until we see a request.
</log>
Note the "rlm_eap_md5: No password configured for this user" line, which is to be expected, and which isn't present in the first log excerpt. We get the expected Access-Reject.
Any thoughts?
Thanks in advance!
Desmond
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
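Added example, not part of the post above and not FreeRADIUS code: a minimal model of the server-side EAP-MD5 check that enforces a password expiry at the moment the response is verified, with second resolution. It illustrates the two points raised in the thread: an expiry known only to the day lets a response through long after a seconds-level deadline, and a missing credential must always lead to a reject rather than an accept. The challenge, password and timestamps are constructed sample values; the `end_of_day` rule is an assumed model of a date-only expiry, not FreeRADIUS's own Expiration semantics.

```python
import hashlib
import hmac

DAY = 86400  # seconds


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response value (RFC 3748 section 5.4, CHAP-style):
    MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


def end_of_day(epoch: int) -> int:
    """Assumed model of a date-only expiry: the credential stays valid until
    23:59:59 UTC of the day the expiry falls on (not FreeRADIUS's own rule)."""
    return epoch - (epoch % DAY) + DAY - 1


def verify_md5_response(identifier, password, expires_at, challenge, response,
                        now, resolution="second"):
    """Accept only if a password is on file, it is still valid when the
    *response* is checked (not merely when the challenge was issued), and the
    response matches. Returns True for accept, False for reject."""
    if password is None:
        # No credential was returned for this user: never accept.
        return False
    deadline = expires_at if resolution == "second" else end_of_day(expires_at)
    if now > deadline:
        return False
    expected = eap_md5_response(identifier, password, challenge)
    # Constant-time comparison of the 16-byte digests.
    return hmac.compare_digest(expected, response)


# Constructed sample values.
CHALLENGE = bytes(range(16))
PASSWORD = b"otp-583921"
ISSUED_AT = 1_060_000_000      # epoch second the challenge was sent
EXPIRES_AT = ISSUED_AT + 5     # password is meant to live five seconds


def demo():
    """Run the verifier over the cases discussed in the thread."""
    resp = eap_md5_response(6, PASSWORD, CHALLENGE)
    return {
        # response arrives 2 s after the challenge: valid
        "fresh": verify_md5_response(6, PASSWORD, EXPIRES_AT, CHALLENGE, resp, ISSUED_AT + 2),
        # same response replayed 60 s later, seconds-level expiry: rejected
        "stale_seconds": verify_md5_response(6, PASSWORD, EXPIRES_AT, CHALLENGE, resp, ISSUED_AT + 60),
        # same replay but the expiry is only known to the day: wrongly accepted
        "stale_day_resolution": verify_md5_response(6, PASSWORD, EXPIRES_AT, CHALLENGE, resp,
                                                    ISSUED_AT + 60, resolution="day"),
        # the SQL lookup returned no password row: must be a reject
        "no_password": verify_md5_response(6, None, EXPIRES_AT, CHALLENGE, resp, ISSUED_AT + 2),
        # wrong credential on file: reject
        "wrong_password": verify_md5_response(6, b"other", EXPIRES_AT, CHALLENGE, resp, ISSUED_AT + 2),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:22s} -> {'Access-Accept' if accepted else 'Access-Reject'}")
```

The `stale_day_resolution` case is the one a seconds-level expiry scheme has to guard against: once the deadline is rounded to a date, a response that is already a minute old still verifies. The `no_password` case is the behaviour one would expect the authenticate step to show whenever the authorize step returned no credential.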
