(RADIATOR) AuthBySQL - match something other than user/pass
Hugh Irvine
hugh at open.com.au
Wed Oct 19 21:28:09 CDT 2005
Hello Matt -
Thanks for sending the debug and so on.
The trace actually shows that the AuthBy MachineCache is actually
returning an ACCEPT.
However, as your AuthBy MachineCache is only checking the Calling-Station-Id, you should use NoEAP:
<AuthBy SQL>
    Identifier MachineCache
    NoEAP
    DBSource DBI:mysql:radiator:127.0.0.1
    DBUsername user
    DBAuth pass
    AuthSelect select CALLINGSTATIONID from MACHINECACHE where CALLINGSTATIONID = "%{Calling-Station-Id}"
    AuthColumnDef 0, Calling-Station-Id, check
</AuthBy>
hope that helps
regards
Hugh
On 19 Oct 2005, at 17:57, Matthew Alexander wrote:
> Does anyone know if there a way to get Radiator to authenticate
> against something besides the username? I want it to authenticate
> by looking for the calling-station-id in a database, but it keeps
> failing. From the log, it looks like Radiator is still trying to
> match the username. Or maybe something else is going on...
>
> Thanks,
> Matt
>
> Here is my AuthBySQL:
>
> <AuthBy SQL>
>
> Identifier MachineCache
> EAPType MSCHAP-V2
> DBSource DBI:mysql:radiator:127.0.0.1
> DBUsername user
> DBAuth pass
> AuthSelect select CALLINGSTATIONID from MACHINECACHE where CALLINGSTATIONID = "%{Calling-Station-Id}"
> AuthColumnDef 0, Calling-Station-Id, check
>
> </AuthBy>
>
>
>
> My database looks like this:
>
> +---------------------+-------------------+
> | TIMESTAMP           | CALLINGSTATIONID  |
> +---------------------+-------------------+
> | 2005-10-19 15:48:38 | 00-09-6B-90-49-C8 |
> | 2005-10-19 15:49:43 | 00-09-6B-90-49-C8 |
> | 2005-10-19 15:51:19 | 00-09-6B-90-49-C8 |
> +---------------------+-------------------+
>
>
> The trace:
>
> Wed Oct 19 15:54:26 2005: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1'
> Wed Oct 19 15:54:26 2005: DEBUG: Deleting session for HSCDOM\mra4d,
> 10.4.250.8, 50009
> Wed Oct 19 15:54:26 2005: DEBUG: Handling with Radius::AuthSQL
> Wed Oct 19 15:54:26 2005: DEBUG: Handling with Radius::AuthSQL:
> MachineCache
> Wed Oct 19 15:54:26 2005: DEBUG: Handling with EAP: code 2, 25, 67
> Wed Oct 19 15:54:26 2005: DEBUG: Response type 26
> Wed Oct 19 15:54:26 2005: DEBUG: Query is:
> 'select CALLINGSTATIONID from MACHINECACHE where CALLINGSTATIONID =
> "00-09-6B-90-49-C8"':
> Wed Oct 19 15:54:26 2005: DEBUG: Radius::AuthSQL looks for match
> with HSCDOM\mra4d [HSCDOM\mra4d]
> Wed Oct 19 15:54:26 2005: DEBUG: Radius::AuthSQL ACCEPT: : HSCDOM
> \mra4d [HSCDOM\mra4d]
> Wed Oct 19 15:54:26 2005: DEBUG: EAP result: 1, EAP MSCHAP-V2
> Authentication failure
> Wed Oct 19 15:54:26 2005: DEBUG: AuthBy SQL result: REJECT, EAP
> MSCHAP-V2 Authentication failure
> Wed Oct 19 15:54:26 2005: INFO: Access rejected for HSCDOM\mra4d:
> EAP MSCHAP-V2 Authentication failure
> Wed Oct 19 15:54:26 2005: DEBUG: Returned PEAP tunnelled packet dump:
> Code: Access-Reject
>
>
> My entire config file:
>
> LogDir /var/log/radius/
> DbDir /etc/radiator/
>
> Trace 4
>
> AuthPort 1645,1812
> AcctPort 1646,1813
>
>
> <Client DEFAULT>
> Secret asdf
> DupInterval 0
> </Client>
>
>
> <AuthBy NTLM>
>
> Identifier MachineAuth
> Domain HSCDOM
> EAPType MSCHAP-V2
>
> </AuthBy>
>
>
> <AuthBy NTLM>
>
> Identifier UserAuth
> Domain HSCDOM
> EAPType MSCHAP-V2
>
> </AuthBy>
>
>
> <AuthBy SQL>
>
> Identifier MachineCache
> EAPType MSCHAP-V2
> DBSource DBI:mysql:radiator:127.0.0.1
> DBUsername user
> DBAuth pass
> AuthSelect select CALLINGSTATIONID from MACHINECACHE where CALLINGSTATIONID = "%{Calling-Station-Id}"
> AuthColumnDef 0, Calling-Station-Id, check
>
> </AuthBy>
>
>
> <AuthBy FILE>
>
> Identifier PEAPOuterAuth
> EAPAnonymous %0
> Filename %D/users
> EAPType PEAP
> EAPTLS_CAFile %D/certificates/cacert.pem
> EAPTLS_CertificateFile %D/certificates/Lisa-cert.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/Lisa-key.pem
> EAPTLS_PrivateKeyPassword whatever
> AutoMPPEKeys
> SSLeayTrace 4
> EAPTLS_SessionResumptionLimit 0
> EAPTLS_PEAPVersion 0
>
> </AuthBy>
>
>
> <Handler TunnelledByPEAP=1,User-Name=/^host\//>
>
> AuthBy MachineAuth
> PostAuthHook file:"%D/writecache.pl"
>
> </Handler>
>
>
> <Handler TunnelledByPEAP=1>
>
> AuthByPolicy ContinueWhileAccept
> AuthBy MachineCache
> AuthBy UserAuth
>
> </Handler>
>
>
> <Handler>
>
> AuthBy PEAPOuterAuth
>
> </Handler>
>
>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
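As an added illustration of the handler logic discussed in this thread (this is not Radiator code and not from either poster), the following Python model reproduces Matt's <Handler TunnelledByPEAP=1>: a MachineCache lookup keyed only on Calling-Station-Id, followed by UserAuth under AuthByPolicy ContinueWhileAccept. It assumes an in-memory sqlite3 table in place of the MySQL MACHINECACHE, a toy password comparison in place of the NTLM/MSCHAP-V2 check, and constructed rows copied from the table shown above. The cache check is what a NoEAP AuthBy SQL amounts to: a match on the attribute, with no EAP password verification attempted, which is why the EAP failure in the trace disappears once NoEAP is set. The lookup binds the Calling-Station-Id as a query parameter rather than interpolating it into the SQL text, so a value containing quote characters simply fails to match.

```python
import sqlite3
from typing import Callable, Dict, List, Optional, Tuple

Request = Dict[str, str]
AuthBy = Callable[[Request], str]

# Constructed copy of the MACHINECACHE rows shown in the thread, loaded into an
# in-memory sqlite3 table as a stand-in for the MySQL database (assumption).
MACHINECACHE_ROWS = [
    ("2005-10-19 15:48:38", "00-09-6B-90-49-C8"),
    ("2005-10-19 15:49:43", "00-09-6B-90-49-C8"),
    ("2005-10-19 15:51:19", "00-09-6B-90-49-C8"),
]

# Constructed user table standing in for the NTLM domain check (assumption;
# the real UserAuth is EAP MSCHAP-V2 against the HSCDOM domain).
TOY_USERS = {"HSCDOM\\mra4d": "correct-horse"}


def build_cache_db() -> sqlite3.Connection:
    """Create the MACHINECACHE table and load the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE MACHINECACHE (TIMESTAMP TEXT, CALLINGSTATIONID TEXT)")
    db.executemany("INSERT INTO MACHINECACHE VALUES (?, ?)", MACHINECACHE_ROWS)
    return db


def make_machine_cache(db: sqlite3.Connection) -> AuthBy:
    """Model of the NoEAP <AuthBy SQL> MachineCache: the only check is whether
    the request's Calling-Station-Id is present in MACHINECACHE. The attribute
    is a bound parameter, so stray quote characters cannot alter the query."""
    def check(request: Request) -> str:
        csid = request.get("Calling-Station-Id")
        if not csid:
            return "REJECT"
        row = db.execute(
            "SELECT CALLINGSTATIONID FROM MACHINECACHE WHERE CALLINGSTATIONID = ?",
            (csid,),
        ).fetchone()
        return "ACCEPT" if row else "REJECT"
    return check


def user_auth(request: Request) -> str:
    """Toy stand-in for <AuthBy NTLM> UserAuth (assumption): a plain password
    comparison instead of the MSCHAP-V2 exchange."""
    expected = TOY_USERS.get(request.get("User-Name", ""))
    if expected is None or request.get("User-Password") != expected:
        return "REJECT"
    return "ACCEPT"


def continue_while_accept(authbys: List[AuthBy], request: Request) -> Tuple[str, List[str]]:
    """AuthByPolicy ContinueWhileAccept: consult each AuthBy in order, stop at
    the first one that does not ACCEPT, and return the last result together
    with the trail of results actually produced."""
    trail: List[str] = []
    result = "REJECT"
    for authby in authbys:
        result = authby(request)
        trail.append(result)
        if result != "ACCEPT":
            break
    return result, trail


def tunnelled_handler(request: Request, db: Optional[sqlite3.Connection] = None) -> Tuple[str, List[str]]:
    """The <Handler TunnelledByPEAP=1> from the thread: MachineCache, then UserAuth."""
    if db is None:
        db = build_cache_db()
    return continue_while_accept([make_machine_cache(db), user_auth], request)


if __name__ == "__main__":
    known = {"User-Name": "HSCDOM\\mra4d", "User-Password": "correct-horse",
             "Calling-Station-Id": "00-09-6B-90-49-C8"}
    unknown = dict(known, **{"Calling-Station-Id": "00-11-22-33-44-55"})
    print(tunnelled_handler(known))    # ('ACCEPT', ['ACCEPT', 'ACCEPT'])
    print(tunnelled_handler(unknown))  # ('REJECT', ['REJECT'])
```

The trail shows the policy's short-circuit: a machine whose MAC is not in the cache is rejected before UserAuth is ever consulted, and a cached machine with a bad user credential is rejected by UserAuth after the cache accepted it.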