I've been fighting through this more. Using Radiator 4.19. Here's a trace 4 capture (I'm using AuthByFREERADIUSSQL Mode). I have the password set correctly in the radcheck table but I get the following when I try to authenticate the SM against it. I've tried the := and == operators and get the same reply.

Tue Aug 4 08:32:27 2020: DEBUG: Query to 'dbi:mysql:hostname=localhost;database=radius_zt Connection id: 0-00000': 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username=? ORDER BY id': testuser
Tue Aug 4 08:32:27 2020: DEBUG: Got user check row: 4925 testuser ClearText-Password testpass :=
Tue Aug 4 08:32:27 2020: DEBUG: Query to 'dbi:mysql:hostname=localhost;database=radius_zt Connection id: 0-00000': 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = ? ORDER BY id': testuser
Tue Aug 4 08:32:27 2020: DEBUG: Got user reply row: 86289 testuser Framed-IP-Address 10.10.10.116 :=
Tue Aug 4 08:32:27 2020: DEBUG: Got user reply row: 86290 testuser Framed-IP-Netmask 255.255.255.240 :=
Tue Aug 4 08:32:27 2020: DEBUG: Got user reply row: 86291 testuser Cambium-Canopy-Gateway 10.10.10.113 :=
Tue Aug 4 08:32:27 2020: DEBUG: Got user reply row: 86292 testuser Cambium-Canopy-ULBR 3072 :=
Tue Aug 4 08:32:27 2020: DEBUG: Got user reply row: 86293 testuser Cambium-Canopy-ULMB 3072 :=
Tue Aug 4 08:32:27 2020: DEBUG: Got user reply row: 86294 testuser Cambium-Canopy-DLBR 5120 :=
Tue Aug 4 08:32:27 2020: DEBUG: Got user reply row: 86295 testuser Cambium-Canopy-DLMB 5120 :=
Tue Aug 4 08:32:27 2020: DEBUG: Got user reply row: 86296 testuser Cambium-Canopy-ULBL 128 :=
Tue Aug 4 08:32:27 2020: DEBUG: Got user reply row: 86297 testuser Cambium-Canopy-DLBL 128 :=
Tue Aug 4 08:32:27 2020: DEBUG: Got user reply row: 86298 testuser Cambium-Canopy-BCASTMIR 16 :=
Tue Aug 4 08:32:27 2020: DEBUG: Got user reply row: 86299 testuser Cambium-Canopy-ConfigFileImportUrl http://<URLRedacted> :=
Tue Aug 4 08:32:27 2020: DEBUG: Query to 'dbi:mysql:hostname=localhost;database=radius_zt Connection id: 0-00000': 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,radusergroup WHERE radusergroup.Username = ? AND radusergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id': testuser
Tue Aug 4 08:32:27 2020: DEBUG: Query to 'dbi:mysql:hostname=localhost;database=radius_zt Connection id: 0-00000': 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,radusergroup WHERE radusergroup.Username = ? AND radusergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id': testuser
Tue Aug 4 08:32:27 2020: DEBUG: Radius::AuthFREERADIUSSQL looks for match with testuser [testuser]
Tue Aug 4 08:32:27 2020: DEBUG: Radius::AuthFREERADIUSSQL REJECT: Check item ClearText-Password expression 'testpass' does not match '' in request: testuser [testuser]
Tue Aug 4 08:32:27 2020: DEBUG: AuthBy FREERADIUSSQL result: REJECT, Check item ClearText-Password expression 'testpass' does not match '' in request
Tue Aug 4 08:32:27 2020: INFO: Access rejected for testuser: Check item ClearText-Password expression 'testpass' does not match '' in request
Tue Aug 4 08:32:27 2020: DEBUG: Returned TTLS tunnelled Diameter Packet dump:

When I use the same values and switch to a flat file the authentication works. Any ideas on what I'm doing wrong? The radio is also not accepting any of the Cambium attributes but Cambium-Canopy-Gateway and Cambium-Canopy-ConfigFileImportURL even though I have the vendor attributes loaded up in my config file.

Thanks,

Brandon Shiers, RF Engineer
937 West Main Street
Riverton, WY 82501
307.857.6704 (o)
307.840.2366 (c)
307.856.1499 (f)
[email protected]

-----Original Message-----
From: Brandon Shiers
Sent: Monday, August 03, 2020 4:46 PM
To: 'Heikki Vatiainen' <[email protected]>; [email protected]
Subject: RE: [RADIATOR] AuthByFreeRaidusSQL and EAP authentication

Heikki,

Thank you for the reply! I did get the certificate issue sorted out. I am now having issues with getting reply attributes back to the radio. I am passing them back but the radio is only taking select options.
I think it's a firmware issue as we've had to roll out new firmware since we started this project and unfortunately I'm waiting for the vendor. The odd thing (and I have their dictionary loaded), it will accept one of their VSAs but not the rest. Standard things like Framed-IP-Address work just fine.

I am having an issue with the RADIUS DB for some reason over-writing the password when using the DB for the lookups; I haven't figured that one out yet.

Thanks,

Brandon Shiers, RF Engineer
937 West Main Street
Riverton, WY 82501
307.857.6704 (o)
307.840.2366 (c)
307.856.1499 (f)
[email protected]

-----Original Message-----
From: radiator On Behalf Of Heikki Vatiainen
Sent: Wednesday, July 29, 2020 6:34 AM
To: [email protected]
Subject: Re: [RADIATOR] AuthByFreeRaidusSQL and EAP authentication

On 27.7.2020 19.16, Brandon Shiers wrote:

> Will it support EAPTLS for authentication out in front of the actual
> database lookup for the username, password and reply attributes?

Is that EAP-TLS or EAP-TTLS? With EAP-TLS a password is not needed and SQL can optionally be used to check that the certificate subject is known. It can also fetch reply attributes. I'm not sure I have used it with Freeradius SQL but with AuthBy SQL it works.

With EAP-TTLS it should also work with SQL backend, but I don't think I've yet tried with the Freeradius specific module.

The certificate problems are not related to this because they happen before SQL access.

Thanks,
Heikki

--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory, EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
