What we would like to do is this:
Take this request:
User-Name = "[email protected]"
CHAP-Password = 0x59db2896a9629a7a1296e8e3dc7751da58
NAS-IP-Address = 10.130.2.1
CHAP-Challenge = 0x022074534be2e8405c867f676b46b432
3GPP2-Attr-60 = 0x00000001
3GPP2-Attr-61 = 0x0106000000010209a0000029275c41
Message-Authenticator = 0x01f9054690c3a469fa1bf824dfba3bbe
Proxy-State = 0x3136
Instead of using CHAP to authenticate the user, we take the 3GPP2-Attr-61,
convert it to the password we want, set it as the Cleartext-Password, and
have the sql module query the DB for that new password.
Here is the Perl code that we run prior to the pap module:
my $retattr = '';   # attribute list handed back to FreeRADIUS
$retattr .= "Cleartext-Password := $meid";
$retattr .= ", CHAP-Password :=\"\" , CHAP-Challenge :=\"\" ";
$retattr .= ", Auth-Type := PAP ";
print $retattr;     # the exec module reads the pairs from stdout
We return $retattr to FreeRADIUS.
Here is the output:
Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
[preprocess] expand: %{NAS-IP-Address} -> 10.130.2.1
[preprocess] expand: %{NAS-IP-Address} -> 10.130.2.1
++[preprocess] returns ok
[evdoesn] expand: %{User-Name} -> [email protected]
Exec-Program output: Cleartext-Password := 268435460102579521, CHAP-Password
:="" , CHAP-Challenge :="" , Auth-Type := PAP
Exec-Program-Wait: value-pairs: Cleartext-Password := 268435460102579521,
CHAP-Password :="" , CHAP-Challenge :="" , Auth-Type := PAP
Exec-Program: returned: 0
++[evdoesn] returns ok
[auth_log] expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/10.55.42.32/auth-detail-20130118
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/10.55.42.32/auth-detail-20130118
[auth_log] expand: %t -> Fri Jan 18 11:06:43 2013
++[auth_log] returns ok
[sql] expand: %{User-Name} -> [email protected]
[sql] sql_set_user escaped user --> '[email protected]'
rlm_sql (sql): Reserving sql socket id: 50
[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM
radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, UserName, Attribute, Value, Op FROM radcheck
WHERE Username = '[email protected]' ORDER BY id
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op
FROM radcheck WHERE Username = '[email protected]'
ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] User found in radcheck table
[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM
radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, UserName, Attribute, Value, Op FROM radreply
WHERE Username = '[email protected]' ORDER BY id
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op
FROM radreply WHERE Username = '[email protected]'
ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql] expand: SELECT GroupName FROM usergroup WHERE
UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE
UserName='[email protected]'
rlm_sql_postgresql: query: SELECT GroupName FROM usergroup WHERE
UserName='[email protected]'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
[sql] expand: SELECT radgroupcheck.id, radgroupcheck.GroupName,
radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM
radgroupcheck, usergroup WHERE usergroup.Username =
'%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName
ORDER BY radgroupcheck.id -> SELECT radgroupcheck.id,
radgroupcheck.GroupName, radgroupcheck.Attribute,
radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup
WHERE usergroup.Username = '[email protected]' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY
radgroupcheck.id
rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName,
radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op
FROM radgroupcheck, usergroup WHERE usergroup.Username =
'[email protected]' AND usergroup.GroupName = radgroupcheck.GroupName
ORDER BY radgroupcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql] User found in group evdo
[sql] expand: SELECT radgroupreply.id, radgroupreply.GroupName,
radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op
FROM radgroupreply,usergroup WHERE usergroup.Username =
'%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName
ORDER BY radgroupreply.id -> SELECT radgroupreply.id,
radgroupreply.GroupName, radgroupreply.Attribute,
radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup
WHERE usergroup.Username = '[email protected]' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY
radgroupreply.id
rlm_sql_postgresql: query: SELECT radgroupreply.id, radgroupreply.GroupName,
radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM
radgroupreply,usergroup WHERE usergroup.Username =
'[email protected]' AND usergroup.GroupName = radgroupreply.GroupName
ORDER BY radgroupreply.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
rlm_sql (sql): Released sql socket id: 50
++[sql] returns ok
[pap] No clear-text password in the request. Not performing PAP.
++[pap] returns noop
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
CHAP-Password is incorrect.
Failed to authenticate the user.
Login incorrect: [[email protected]/<CHAP-Password>] (from client
radius08 port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
--
regards, Joseph
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
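The following is an added example and is not code from Joseph's post or from FreeRADIUS. It walks the posted request through the steps the debug output shows, in Python 3: it parses the attribute dump, derives the decimal MEID from 3GPP2-Attr-61, and then models the two checks whose log lines appear above. The MEID derivation assumes that the 14-hex-digit MEID is the last seven bytes of the attribute; that assumption is mine, not something the page documents, but it reproduces the 268435460102579521 printed by the exec module (standard MEID decimal form: the 8-hex-digit manufacturer code becomes 10 decimal digits and the 6-hex-digit serial 8 decimal digits). The rlm_pap model returns noop when the request list carries no User-Password, which is what "No clear-text password in the request. Not performing PAP." means: PAP compares the user-supplied User-Password from the request with the known-good Cleartext-Password from the control list, so a Cleartext-Password alone gives it nothing to compare. The rlm_chap model implements RFC 2865 section 5.3 (CHAP-Password = Ident || MD5(Ident || secret || challenge)) and also shows that an attribute set to "" is still present, just empty. The function names, the dict-based request/control lists, and the sample inputs (copied from the post) are my own construction.

```python
import hashlib
import hmac
import re

# Constructed sample: the posted request as FreeRADIUS debug output prints it.
REQUEST_DUMP = """\
User-Name = "[email protected]"
CHAP-Password = 0x59db2896a9629a7a1296e8e3dc7751da58
NAS-IP-Address = 10.130.2.1
CHAP-Challenge = 0x022074534be2e8405c867f676b46b432
3GPP2-Attr-60 = 0x00000001
3GPP2-Attr-61 = 0x0106000000010209a0000029275c41
"""
# Constructed sample: the exec-module output line quoted in the post.
EXEC_OUTPUT = ('Cleartext-Password := 268435460102579521, CHAP-Password :="" , '
               'CHAP-Challenge :="" , Auth-Type := PAP')

_PAIR = re.compile(r'^\s*([\w\-.]+)\s*(:=|=)\s*(.*?)\s*$')

def _decode(raw: str):
    """0x.. -> bytes; "quoted" -> str without quotes; anything else -> bare text."""
    if raw.startswith('0x'):
        return bytes.fromhex(raw[2:])
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return raw

def _as_bytes(value) -> bytes:
    return value if isinstance(value, bytes) else str(value).encode()

def parse_dump(dump: str) -> dict:
    """One 'Name = value' attribute per line -> {name: value}."""
    return {m.group(1): _decode(m.group(3)) for m in map(_PAIR.match, dump.splitlines()) if m}

def parse_exec_output(output: str) -> dict:
    """Comma-separated 'Name := value' list as printed by an exec module.
    ':= ""' yields an attribute whose value is the empty string; it is still present."""
    return {m.group(1): _decode(m.group(3)) for m in map(_PAIR.match, output.split(',')) if m}

def meid_from_attr61(value: bytes) -> str:
    """ASSUMPTION (not documented on the page): the 14-hex-digit MEID is the last
    seven bytes of 3GPP2-Attr-61. This reproduces the value in the post's output."""
    return value[-7:].hex().upper()

def meid_hex_to_decimal(meid_hex: str) -> str:
    """MEID decimal form: 8 hex digits (manufacturer) -> 10 decimal digits,
    6 hex digits (serial) -> 8 decimal digits, both zero-padded, concatenated."""
    if len(meid_hex) != 14:
        raise ValueError('MEID must be 14 hex digits')
    return f'{int(meid_hex[:8], 16):010d}{int(meid_hex[8:], 16):08d}'

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 2865 s.5.3: CHAP-Password = Ident || MD5(Ident || secret || challenge)."""
    ident_byte = bytes([ident])
    return ident_byte + hashlib.md5(ident_byte + password + challenge).digest()

def chap_verify(request: dict, control: dict) -> bool:
    """rlm_chap's check: 17-byte CHAP-Password in the request, known-good
    Cleartext-Password in control. An emptied CHAP-Password fails the length check."""
    resp = request.get('CHAP-Password')
    known = control.get('Cleartext-Password')
    if not isinstance(resp, bytes) or len(resp) != 17 or known is None:
        return False
    # RFC 2865: without CHAP-Challenge the Request Authenticator is the challenge.
    challenge = request.get('CHAP-Challenge') or request.get('Request-Authenticator', b'')
    return hmac.compare_digest(resp, chap_response(resp[0], _as_bytes(known), _as_bytes(challenge)))

def pap_verify(request: dict, control: dict) -> str:
    """rlm_pap's check: no User-Password in the *request* -> 'noop' (the log's
    "No clear-text password in the request"); else compare with control's Cleartext-Password."""
    supplied = request.get('User-Password')
    if supplied is None:
        return 'noop'
    known = control.get('Cleartext-Password')
    if known is None:
        return 'reject'
    return 'ok' if hmac.compare_digest(_as_bytes(supplied), _as_bytes(known)) else 'reject'

def reproduce_post() -> dict:
    """Apply the exec output the way the post intends: Cleartext-Password and
    Auth-Type as control items, the CHAP-* pairs as edits to the request."""
    request = parse_dump(REQUEST_DUMP)
    meid = meid_hex_to_decimal(meid_from_attr61(request['3GPP2-Attr-61']))
    exec_pairs = parse_exec_output(EXEC_OUTPUT)
    control = {k: v for k, v in exec_pairs.items() if not k.startswith('CHAP-')}
    request.update({k: v for k, v in exec_pairs.items() if k.startswith('CHAP-')})
    return {
        'meid': meid,                                   # '268435460102579521'
        'meid_matches_exec_output': meid == exec_pairs['Cleartext-Password'],
        'chap_password_still_present': 'CHAP-Password' in request,
        'pap': pap_verify(request, control),            # 'noop': no User-Password in request
        'chap': chap_verify(request, control),          # False: CHAP-Password is now ""
    }
```

Calling reproduce_post() on the posted request yields the MEID 268435460102579521, a CHAP-Password that is present but empty, and a PAP result of noop because the request list never acquired a User-Password; pap_verify only returns ok when User-Password in the request equals the control list's Cleartext-Password, which the test below also exercises.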