Re: SQL Call-Check Authentication (again :( )

2005-12-05 Thread florian broder
Hi,

On 12/5/05, Lewis Bergman <[EMAIL PROTECTED]> wrote:
> sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"
>
> Did you really mean to put in a :- instead of a := ?

Yes. It's part of the standard sql.conf. Not edited by me!
I thought of commenting that part out, and recompiling it. But I think, without editing much deeper into the source code that won't work... :( But will try that, as soon as I get my VSys up and running. :)
Bye Flo
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: SQL Call-Check Authentication (again :( )

2005-12-05 Thread Lewis Bergman

florian broder wrote:
> -->>#Else use hard-coded string "DEFAULT" as the user name.<<--
> sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"
>
> So, it's really a limitation in sql, rather than a misconfiguration?
>
> Would be nice, if anyone can confirm this!

Did you really mean to put in a :- instead of a := ?


RE: SQL Call-Check Authentication (again :( )

2005-12-05 Thread Seferovic Edvin
Well - I am not a developer but it seems that is a restriction of the SQL
module. If you comment out that part of the code and recompile freeradius,
it should work as the file-based-auth ;)

Regards,

Edvin

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of florian broder
Sent: Monday, 05 December 2005 14:19
To: freeradius-users@lists.freeradius.org
Subject: SQL Call-Check Authentication (again :( )

Hi.

I'm still having a hard time implementing the Calling-Station-Id
Authentication. Basis is a Cisco Catalyst with
"Mac-Authentication-Bypass" turned on.

Alan DeKok told me, that I can use sql.conf:

#Use Stripped-User-Name, if it's there.
#Else use User-Name, if it's there,
-->>#Else use hard-coded string "DEFAULT" as the user name.<<--
sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"

To tell freeradius that there is no user-name.
OK, I've done that, but it gives me this error:

rad_recv: Access-Request packet from host 192.168.1.222:1038, id=13, length=45
        Service-Type = Call-Check
        Calling-Station-Id = "11-22-33-44-55-66"
-->> rlm_sql (sql): zero length username not permitted <<--

That's basically the same packet, the Cisco Switch sends as
Auth-Request. Notice, that there is NO user-name in here at all.

The fact is also mentioned in the sql Source-Code:

/*
 *  They MUST have a user name to do SQL authorization.
 */
if ((request->username == NULL) ||
    (request->username->length == 0)) {
        radlog(L_ERR, "rlm_sql (%s): zero length username not permitted\n",
               inst->config->xlat_name);
        return RLM_MODULE_INVALID;
}

Switching to "file-based-Authentication" (in radiusd.conf) it works
immediately:

rad_recv: Access-Request packet from host 192.168.1.222:1044, id=19, length=45
        Service-Type = Call-Check
        Calling-Station-Id = "11-22-33-44-55-66"
Sending Access-Accept of id 19 to 192.168.1.222:1044
        Reply-Message = "Hello"

So, it's really a limitation in sql, rather than a misconfiguration?

Would be nice, if anyone can confirm this!


Bye Flo

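
Added example, not part of the original posts and not FreeRADIUS code: a small C model of why the "DEFAULT" fallback in sql_user_name never takes effect for the Call-Check packet shown in this thread. The expander, the request struct, the MODEL_* codes and the assumption that the quoted guard runs before sql_user_name is expanded are constructs of this example.

```c
#include <stdio.h>
#include <string.h>

#define SQL_USER_NAME "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"
enum { MODEL_OK, MODEL_INVALID };  /* stand-ins for the RLM_MODULE_* codes */
struct request { const char *user_name, *stripped_user_name; };  /* constructed model */

static const char *lookup(const struct request *r, const char *name, size_t n) {
    if (n == 9 && !strncmp(name, "User-Name", 9)) return r->user_name;
    if (n == 18 && !strncmp(name, "Stripped-User-Name", 18)) return r->stripped_user_name;
    return NULL;
}

/* Append the expansion of p to out: literals, %{Attr} and nested
 * %{Attr:-alternate}. Returns the position where parsing stopped. */
static const char *expand(const struct request *r, const char *p,
                          char *out, size_t cap, int nested) {
    while (*p && !(nested && *p == '}')) {
        size_t len = strlen(out);
        if (p[0] == '%' && p[1] == '{') {
            char alt[128] = "";
            size_t n = strcspn(p + 2, ":}");
            const char *val = lookup(r, p + 2, n);
            p += 2 + n;
            if (p[0] == ':' && p[1] == '-') p = expand(r, p + 2, alt, sizeof alt, 1);
            if (*p == '}') p++;
            /* Model choice: an absent or empty attribute selects the alternate. */
            snprintf(out + len, cap - len, "%s", (val && *val) ? val : alt);
        } else {
            snprintf(out + len, cap - len, "%c", *p++);
        }
    }
    return p;
}

/* Guard from the post; assumption: expansion happens only after it passes. */
static int sql_authorize_model(const struct request *r, char *sqluser, size_t cap) {
    sqluser[0] = '\0';
    if (r->user_name == NULL || r->user_name[0] == '\0') return MODEL_INVALID;
    expand(r, SQL_USER_NAME, sqluser, cap, 0);
    return MODEL_OK;
}

int main(void) {
    struct request mab = { NULL, NULL };  /* constructed: Call-Check, no User-Name */
    char buf[64] = "", tmp[64];
    expand(&mab, SQL_USER_NAME, buf, sizeof buf, 0);
    printf("expansion alone: \"%s\", guard: %d\n", buf,
           sql_authorize_model(&mab, tmp, sizeof tmp));
    return 0;
}
```

In this model the format string on its own does yield "DEFAULT" for the packet without a User-Name, but the guard returns the invalid code first, which matches the "zero length username not permitted" line in the debug output above.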