Re: sql auth problems with 2.0.0-pre
Hi, got the cvs tree today. The read_groups configuration check is not included in rlm_sql.c for some reason. Adding:

    { "read_groups", PW_TYPE_BOOLEAN, offsetof(SQL_CONFIG,read_groups), NULL, "yes" },

into

    static const CONF_PARSER module_config[] = { .. }

helped a lot. Now my config from 1.1.6 is almost working. Thanks a lot.

--
Sincerely Yours,
Alexander

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
sql auth problems with 2.0.0-pre
Gurus, maybe I'm making some common mistake with my configuration being tested against the cvs snapshot, but no idea which one. I've an sql profile telling:

    some.dotted.user Cleartext-Password = cisco
                     NAS-IP-Address =~ xxx.xxx.97.(85|86)

authentication request:

    User-Name = some.dotted.user
    User-Password = cisco
    Calling-Station-Id = 000
    Framed-Protocol = PPP
    Service-Type = Framed-User
    NAS-IP-Address = xxx.xxx.97.85

gives the access-reject for an unknown (for me) reason:

    rlm_sql (sqlauth): sql_set_user escaped user -- 'some.dotted.user'
    rlm_sql (sqlauth): Reserving sql socket id: 3
    radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'some.dotted.user' ORDER BY id'
    SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'some.dotted.user' ORDER BY id
    ...
    rlm_sql (sqlauth): Released sql socket id: 3
    modcall[authorize]: module sqlauth returns ok for request 0
    modcall: group authorize returns ok for request 0
    rad_check_password: Found Auth-Type Local
    auth: type Local
    auth: No password configured for the user
    Login incorrect (No password configured for the user): [some.dotted.user/cisco] (from client localhost port 0 cli 00)
    auth: Failed to validate the user.

I've checked the authorization sql query shown in debug - it properly returns the profile configured.

--
Sincerely Yours,
Alexander
Re: sql auth problems with 2.0.0-pre
Alexander Serkin wrote:
> Gurus, maybe I'm making some common mistake with my configuration being tested against the cvs snapshot, but no idea which one. I've an sql profile telling:
>
>     some.dotted.user Cleartext-Password = cisco
>                      NAS-IP-Address =~ xxx.xxx.97.(85|86)

Hmm, I don't know how Cleartext-Password is mapped, always thought it was a legacy attribute. Try User-Password? Also it's == not = for check items.

> authentication request:
>
>     User-Name = some.dotted.user
>     User-Password = cisco
>     Calling-Station-Id = 000
>     Framed-Protocol = PPP
>     Service-Type = Framed-User
>     NAS-IP-Address = xxx.xxx.97.85
>
> gives the access-reject for an unknown (for me) reason:
>
>     rlm_sql (sqlauth): sql_set_user escaped user -- 'some.dotted.user'
>     rlm_sql (sqlauth): Reserving sql socket id: 3
>     radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'some.dotted.user' ORDER BY id'
>     SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'some.dotted.user' ORDER BY id
>     ...
>     rlm_sql (sqlauth): Released sql socket id: 3
>     modcall[authorize]: module sqlauth returns ok for request 0
>     modcall: group authorize returns ok for request 0
>     rad_check_password: Found Auth-Type Local
>     auth: type Local
>     auth: No password configured for the user
>     Login incorrect (No password configured for the user): [some.dotted.user/cisco] (from client localhost port 0 cli 00)
>     auth: Failed to validate the user.
>
> I've checked the authorization sql query shown in debug - it properly returns the profile configured.

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication Authorisation Accounting Officer
Infrastructure Services | ENG1 FF08 EXT:3900
Re: sql auth problems with 2.0.0-pre
Arran Cudbard-Bell wrote:
> Alexander Serkin wrote:
>> Gurus, maybe I'm making some common mistake with my configuration being tested against the cvs snapshot, but no idea which one. I've an sql profile telling:
>>
>>     some.dotted.user Cleartext-Password = cisco
>>                      NAS-IP-Address =~ xxx.xxx.97.(85|86)
>
> Hmm, I don't know how Cleartext-Password is mapped, always thought it was a legacy attribute. Try User-Password? Also it's == not = for check items.

Doesn't matter, Arran. Tried User-Password and '==' with the same result: module sqlauth returns ok but then:

    rad_check_password: Found Auth-Type Local
    auth: type Local
    auth: No password configured for the user

--
Sincerely Yours,
Alexander
Re: sql auth problems with 2.0.0-pre
Arran Cudbard-Bell wrote:
> Hmm, I don't know how Cleartext-Password is mapped, always thought it was a legacy attribute.

No. It's new in 1.1.4 and following. See man rlm_pap.

> Try User-Password? Also it's == not = for check items.

No. Use Cleartext-Password, and :=.

Also check that the pap module is listed last in the authorize section.

Alan DeKok.

--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: sql auth problems with 2.0.0-pre
Hi Alexander,

On Thu, Apr 12, 2007 at 02:52:49PM +0400, Alexander Serkin wrote:
> Doesn't matter, Arran. Tried User-Password and '==' with the same result: module sqlauth returns ok but then:
>
>     rad_check_password: Found Auth-Type Local
>     auth: type Local
>     auth: No password configured for the user

== post your radiusd.conf; you probably explicitly override the result of sqlauth by setting the Auth-Type to Local somewhere in your config...

Milan Holub
holub (at) thenet (dot) ch
--
TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch
http://wlan.thenet.ch
--
Re: sql auth problems with 2.0.0-pre
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> Hmm, I don't know how Cleartext-Password is mapped, always thought it was a legacy attribute.
>
> No. It's new in 1.1.4 and following. See man rlm_pap.
>
>> Try User-Password? Also it's == not = for check items.
>
> No. Use Cleartext-Password, and :=.

Oh, oops. What was Cleartext-Password introduced for? To support the output of the Auto header function in pap / ldap?

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Re: sql auth problems with 2.0.0-pre
Milan Holub wrote:
> Hi Alexander,
>
> On Thu, Apr 12, 2007 at 02:52:49PM +0400, Alexander Serkin wrote:
>> Doesn't matter, Arran. Tried User-Password and '==' with the same result: module sqlauth returns ok but then:
>>
>>     rad_check_password: Found Auth-Type Local
>>     auth: type Local
>>     auth: No password configured for the user
>
> == post your radiusd.conf; you probably explicitly override the result of sqlauth by setting the Auth-Type to Local somewhere in your config...

Yes, I did. In the users file:

    users: Matched entry DEFAULT at line 106:
    DEFAULT Huntgroup-Name == MSK, Realm == NULL, Auth-Type := Local

Changed the line to

    DEFAULT Huntgroup-Name == MSK, Realm == NULL

and added pap to the end of the authorize section. Now with a different negative result:

    modcall[authorize]: module sqlauth returns ok for request 0
    rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
    modcall[authorize]: module pap returns noop for request 0
    modcall: group authorize returns ok for request 0
    auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    auth: Failed to validate the user.

--
Sincerely Yours,
Alexander
Re: sql auth problems with 2.0.0-pre
Arran Cudbard-Bell wrote:
> What was Cleartext-Password introduced for?

Because putting User-Password in the users file was wrong. User-Password is an attribute that goes in an Access-Request. Cleartext-Password does not go in any packet. Instead, it is an internal server configuration that tells the server what the user's known good password is.

The server then uses Cleartext-Password to compare to User-Password for PAP. Or, it hashes Cleartext-Password for CHAP. Or, it hashes it a different way for MS-CHAP.

> To support the output of the Auto header function in pap / ldap?

Partially, yes.

Alan DeKok.
Re: sql auth problems with 2.0.0-pre
Alexander Serkin wrote:
> Yes, I did. In the users file:
>
>     users: Matched entry DEFAULT at line 106:
>     DEFAULT Huntgroup-Name == MSK, Realm == NULL, Auth-Type := Local

Don't set Auth-Type. It's wrong, and it's breaking the server. DO tell the server what the user's known good password is.

> Changed the line to
>
>     DEFAULT Huntgroup-Name == MSK, Realm == NULL
>
> and added pap to the end of the authorize section. Now with a different negative result:
>
>     modcall[authorize]: module sqlauth returns ok for request 0
>     rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
>     modcall[authorize]: module pap returns noop for request 0
>     modcall: group authorize returns ok for request 0
>     auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>     auth: Failed to validate the user.

This is because the server didn't find a Cleartext-Password for the request.

Alan DeKok.
Re: sql auth problems with 2.0.0-pre
Alexander Serkin wrote:
> Gurus, maybe I'm making some common mistake with my configuration being tested against the cvs snapshot, but no idea which one. I've an sql profile telling:
>
>     some.dotted.user Cleartext-Password = cisco
>                      NAS-IP-Address =~ xxx.xxx.97.(85|86)

The problem is that the regular expression check

    NAS-IP-Address =~ xxx.xxx.97.(85|86)

does not work. When I delete this check from sql it works; when I change the check to

    NAS-IP-Address == xxx.xxx.97.85

it works too. What has changed since 1.1.5? The construction NAS-IP-Address =~ xxx.xxx.97.(85|86) did work for me there. In radiusd.conf we have:

    regular_expressions = yes
    extended_expressions = yes

--
Sincerely Yours,
Alexander
Re: sql auth problems with 2.0.0-pre
Alexander Serkin wrote:
> The problem is that the regular expression check NAS-IP-Address =~ xxx.xxx.97.(85|86) does not work.

In the CVS head?

> What has changed since 1.1.5?

The CVS head is massively re-written.

Alan DeKok.
Re: sql auth problems with 2.0.0-pre
Alan DeKok wrote:
> Alexander Serkin wrote:
>> The problem is that the regular expression check NAS-IP-Address =~ xxx.xxx.97.(85|86) does not work.
>
> In the CVS head?

Yes, I played with the CVS head today. Checked a huge number of regexp variants - none worked.

--
Sincerely Yours,
Alexander
Re: sql auth problems with 2.0.0-pre
Alexander Serkin wrote:
> Alan DeKok wrote:
>> Alexander Serkin wrote:
>>> The problem is that the regular expression check NAS-IP-Address =~ xxx.xxx.97.(85|86) does not work.
>>
>> In the CVS head?
>
> Yes, I played with the CVS head today. Checked a huge number of regexp variants - none worked.

Yep, can confirm this. .* and .+ match though; .{4} also matches but .{5} doesn't... strange. H. Seems only to be broken for ipaddr attributes. Still works with string attributes.

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Re: sql auth problems with 2.0.0-pre
Arran Cudbard-Bell wrote:
> Seems only to be broken for ipaddr attributes. Still works with string attributes.

OK, that helps. I did some profiling a while ago, and noticed that the server was printing IP addresses to strings all the time... even when they weren't used. The result was a significant waste of CPU time. The fix was to push the printing to the places that need it, like the regex matches. Maybe I missed one spot, I'll go check.

Alan DeKok.
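Alan's diagnosis above is that an ipaddr attribute has to be printed to its dotted-quad text before a =~ check item can be matched against it. The C program below is an added example, not FreeRADIUS code: it evaluates a check item in the shape of the thread's NAS-IP-Address =~ ...97.(85|86) against a request attribute, printing the address with inet_ntop first. It also contains a reconstruction of the symptom Arran reports, clearly not the actual CVS-head code: when the regex is run over the four raw address bytes instead of the printed text, .{4} matches, .{5} does not, and the dotted pattern never matches. The vp_t struct, the 66.67.97.x network and all function names are constructed for this example.

```c
#include <arpa/inet.h>
#include <regex.h>
#include <stdio.h>
#include <string.h>

typedef enum { ATTR_STRING, ATTR_IPADDR } attr_type_t;

/* Minimal stand-in for a value-pair (constructed for this example, not the server's struct). */
typedef struct {
    const char *name;
    attr_type_t type;
    const char *str;     /* string value, or the regex of a =~ check item */
    struct in_addr ip;   /* ipaddr value, network byte order */
} vp_t;

vp_t vp_str(const char *name, const char *s) {
    vp_t vp = { name, ATTR_STRING, s, { 0 } };
    return vp;
}

vp_t vp_ip(const char *name, const char *dotted) {
    vp_t vp = { name, ATTR_IPADDR, NULL, { 0 } };
    inet_pton(AF_INET, dotted, &vp.ip);
    return vp;
}

/* Print an attribute as text. An ipaddr must go through inet_ntop here;
 * this is the "printing" step Alan describes pushing down to the regex match. */
static const char *vp_print(const vp_t *vp, char *buf, size_t len) {
    if (vp->type == ATTR_IPADDR) return inet_ntop(AF_INET, &vp->ip, buf, len);
    snprintf(buf, len, "%s", vp->str);
    return buf;
}

/* 1 on match, 0 on no match, -1 if the pattern does not compile (extended regex). */
static int regex_match(const char *pattern, const char *subject) {
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    int rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Evaluate `request-attribute <op> check-item` for the == and =~ operators. */
int check_match(const vp_t *req, const char *op, const vp_t *check) {
    char rbuf[INET_ADDRSTRLEN + 1], cbuf[64];
    if (strcmp(op, "==") == 0) {
        if (req->type == ATTR_IPADDR && check->type == ATTR_IPADDR)
            return req->ip.s_addr == check->ip.s_addr;   /* == needs no printing at all */
        return strcmp(vp_print(req, rbuf, sizeof rbuf), vp_print(check, cbuf, sizeof cbuf)) == 0;
    }
    if (strcmp(op, "=~") == 0)
        return regex_match(check->str, vp_print(req, rbuf, sizeof rbuf));   /* =~ does */
    return 0;
}

/* Reconstruction of the broken behaviour (assumption, for illustration only):
 * the regex is applied to the raw in_addr bytes, never to dotted-quad text. */
int check_match_raw_bytes(const vp_t *req, const char *pattern) {
    char raw[sizeof req->ip + 1];
    memcpy(raw, &req->ip, sizeof req->ip);
    raw[sizeof req->ip] = '\0';
    return regex_match(pattern, raw);
}

/* Constructed check item in the shape of the thread's: NAS-IP-Address =~ 66.67.97.(85|86) */
#define NAS_PATTERN "^66\\.67\\.97\\.(85|86)$"

int nas_allowed(const char *nas_ip) {
    vp_t req = vp_ip("NAS-IP-Address", nas_ip);
    vp_t check = vp_str("NAS-IP-Address", NAS_PATTERN);
    return check_match(&req, "=~", &check);
}

int nas_allowed_raw(const char *nas_ip, const char *pattern) {
    vp_t req = vp_ip("NAS-IP-Address", nas_ip);
    return check_match_raw_bytes(&req, pattern);
}

int main(void) {
    printf("printed, 66.67.97.85 : %d\n", nas_allowed("66.67.97.85"));
    printf("printed, 66.67.97.87 : %d\n", nas_allowed("66.67.97.87"));
    printf("raw, dotted pattern  : %d\n", nas_allowed_raw("66.67.97.85", NAS_PATTERN));
    printf("raw, ^.{4}$          : %d\n", nas_allowed_raw("66.67.97.85", "^.{4}$"));
    printf("raw, ^.{5}$          : %d\n", nas_allowed_raw("66.67.97.85", "^.{5}$"));
    return 0;
}
```

The address 66.67.97.85 was chosen so that its four raw bytes are the printable characters "BCaU", which makes the raw-bytes variant easy to reason about: any four-character pattern matches it, a five-character one cannot, and a pattern written for dotted-quad text has nothing to match.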