(RADIATOR) AuthBySQL - match something other than user/pass

Frank Danielson fdanielson at csky.com
Wed Oct 19 21:53:14 CDT 2005


If you look at the log the SQL query is successful but the MSCHAP-V2 fails.

Wed Oct 19 15:54:26 2005: DEBUG: Radius::AuthSQL ACCEPT: : HSCDOM\mra4d
[HSCDOM\mra4d]
Wed Oct 19 15:54:26 2005: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication
failure
Wed Oct 19 15:54:26 2005: DEBUG: AuthBy SQL result: REJECT, EAP MSCHAP-V2
Authentication failure

If I am not mistaken a password is required to perform the MSCHAP-V2
authentication and your query does not return a password since you are
looking up machines and not users. I see that after the AuthBy SQL you're
doing an AuthBy NT which should be handling the user authentication.

In reading section 6.28.6 of the manual I found this gem:

"If the password (or encrypted password) column for a user is NULL in the
database, then any password will be accepted for that user."

So how about using this for your AuthBy SQL? It should accept any user whose
MAC address is in the MACHINECACHE table and reject those whose MAC address isn't. Of
course I could also be misunderstanding something, in which case it won't
work or someone else on the list will have a better idea.

<AuthBy SQL>

        Identifier MachineCache
        EAPType MSCHAP-V2
        DBSource        DBI:mysql:radiator:127.0.0.1
        DBUsername      user
        DBAuth          pass
        AuthSelect select null from MACHINECACHE where CALLINGSTATIONID = "%{Calling-Station-Id}"
        AuthColumnDef 0, User-Password, check

</AuthBy>


Frank Danielson
Infrastructure Architect

ClearSky Mobile Media
56 E. Pine St.
Orlando, FL 32801
USA

fdanielson at csky.com
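To make the symptom above easy to spot in a Trace 4 log, here is a small triage script (added here, not part of the thread or of Radiator itself). It parses the record format Radiator writes, pulls out the AuthBy identifier, the SQL query, the AuthSQL verdict, the EAP result and the final AuthBy result, and flags the "row matched but inner EAP failed" case; the sample log is the trace quoted in this thread, reflowed onto one line per record.

```python
import re

# Constructed sample input: the Trace 4 log quoted in this thread, with the e-mail
# line wrapping undone so that each Radiator record sits on one line.
SAMPLE_TRACE = r"""
Wed Oct 19 15:54:26 2005: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
Wed Oct 19 15:54:26 2005: DEBUG: Handling with Radius::AuthSQL: MachineCache
Wed Oct 19 15:54:26 2005: DEBUG: Query is: 'select CALLINGSTATIONID from MACHINECACHE where CALLINGSTATIONID = "00-09-6B-90-49-C8"':
Wed Oct 19 15:54:26 2005: DEBUG: Radius::AuthSQL looks for match with HSCDOM\mra4d [HSCDOM\mra4d]
Wed Oct 19 15:54:26 2005: DEBUG: Radius::AuthSQL ACCEPT: : HSCDOM\mra4d [HSCDOM\mra4d]
Wed Oct 19 15:54:26 2005: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Wed Oct 19 15:54:26 2005: DEBUG: AuthBy SQL result: REJECT, EAP MSCHAP-V2 Authentication failure
Wed Oct 19 15:54:26 2005: INFO: Access rejected for HSCDOM\mra4d: EAP MSCHAP-V2 Authentication failure
"""
# One Radiator record: "<timestamp>: <LEVEL>: <message>".
RECORD = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}: (?P<level>\w+): (?P<msg>.*)$")
AUTHBY = re.compile(r"^Handling with Radius::(?P<module>\w+): (?P<ident>\S+)$")
QUERY = re.compile(r"^Query is: '(?P<sql>.*)':?$")
SQL_VERDICT = re.compile(r"^Radius::AuthSQL (?P<verdict>ACCEPT|REJECT):")
EAP_RESULT = re.compile(r"^EAP result: (?P<code>\d+), (?P<detail>.*)$")
FINAL = re.compile(r"^AuthBy \w+ result: (?P<verdict>ACCEPT|REJECT)")

def parse_trace(text):
    """Collect the handful of fields the diagnosis needs from one request's trace."""
    f = {"authby": None, "sql": None, "sql_verdict": None, "eap_detail": None, "final": None}
    for raw in text.splitlines():
        rec = RECORD.match(raw.strip())
        if not rec:
            continue  # not a Radiator record (blank line, packet dump, ...)
        msg = rec.group("msg")
        if m := AUTHBY.match(msg):
            f["authby"] = m.group("ident")
        elif m := QUERY.match(msg):
            f["sql"] = m.group("sql")
        elif m := SQL_VERDICT.match(msg):
            f["sql_verdict"] = m.group("verdict")
        elif m := EAP_RESULT.match(msg):
            f["eap_detail"] = m.group("detail")
        elif m := FINAL.match(msg):
            f["final"] = m.group("verdict")
    return f

def diagnose(f):
    """Classify the outcome; the first branch is the symptom discussed in this thread."""
    eap_failed = bool(f["eap_detail"]) and "failure" in f["eap_detail"].lower()
    if f["sql_verdict"] == "ACCEPT" and eap_failed and f["final"] == "REJECT":
        return "sql-match-but-eap-failure"  # row matched, but inner MSCHAP-V2 had no password to check
    if f["sql_verdict"] == "REJECT":
        return "no-sql-match"  # AuthSelect returned no row for this Calling-Station-Id
    return "accepted" if f["final"] == "ACCEPT" else "unknown"
```

Feed it one request's worth of trace at a time; a "sql-match-but-eap-failure" result is the cue to look at what the AuthSelect hands back to the inner EAP method rather than at the MAC lookup.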

-----Original Message-----
From: Matthew Alexander [mailto:mra4d at virginia.edu]
Sent: Wednesday, October 19, 2005 8:57 PM
To: radiator at open.com.au
Subject: (RADIATOR) AuthBySQL - match something other than user/pass


Does anyone know if there a way to get Radiator to authenticate against
something besides the username?  I want it to authenticate by looking for
the calling-station-id in a database, but it keeps failing.  From the log,
it looks like Radiator is still trying to match the username.  Or maybe
something else is going on... 

Thanks,
Matt

Here is my AuthBySQL:

<AuthBy SQL>

        Identifier MachineCache
        EAPType MSCHAP-V2
        DBSource        DBI:mysql:radiator:127.0.0.1
        DBUsername      user
        DBAuth          pass
        AuthSelect select CALLINGSTATIONID from MACHINECACHE where CALLINGSTATIONID = "%{Calling-Station-Id}"
        AuthColumnDef 0, Calling-Station-Id, check

</AuthBy>



My database looks like this:

+---------------------+-------------------+
| TIMESTAMP           | CALLINGSTATIONID  |
+---------------------+-------------------+
| 2005-10-19 15:48:38 | 00-09-6B-90-49-C8 |
| 2005-10-19 15:49:43 | 00-09-6B-90-49-C8 |
| 2005-10-19 15:51:19 | 00-09-6B-90-49-C8 |
+---------------------+-------------------+


The trace:

Wed Oct 19 15:54:26 2005: DEBUG: Handling request with Handler
'TunnelledByPEAP=1'
Wed Oct 19 15:54:26 2005: DEBUG: Deleting session for HSCDOM\mra4d,
10.4.250.8, 50009
Wed Oct 19 15:54:26 2005: DEBUG: Handling with Radius::AuthSQL
Wed Oct 19 15:54:26 2005: DEBUG: Handling with Radius::AuthSQL: MachineCache
Wed Oct 19 15:54:26 2005: DEBUG: Handling with EAP: code 2, 25, 67
Wed Oct 19 15:54:26 2005: DEBUG: Response type 26
Wed Oct 19 15:54:26 2005: DEBUG: Query is: 
'select CALLINGSTATIONID from MACHINECACHE where CALLINGSTATIONID =
"00-09-6B-90-49-C8"': 
Wed Oct 19 15:54:26 2005: DEBUG: Radius::AuthSQL looks for match with
HSCDOM\mra4d [HSCDOM\mra4d]
Wed Oct 19 15:54:26 2005: DEBUG: Radius::AuthSQL ACCEPT: : HSCDOM\mra4d
[HSCDOM\mra4d]
Wed Oct 19 15:54:26 2005: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication
failure
Wed Oct 19 15:54:26 2005: DEBUG: AuthBy SQL result: REJECT, EAP MSCHAP-V2
Authentication failure
Wed Oct 19 15:54:26 2005: INFO: Access rejected for HSCDOM\mra4d: EAP
MSCHAP-V2 Authentication failure
Wed Oct 19 15:54:26 2005: DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Reject


My entire config file:

LogDir /var/log/radius/
DbDir /etc/radiator/

Trace           4

AuthPort 1645,1812
AcctPort 1646,1813


<Client DEFAULT>
        Secret  asdf
        DupInterval 0
</Client>


<AuthBy NTLM>

Identifier MachineAuth
Domain HSCDOM
EAPType MSCHAP-V2

</AuthBy>


<AuthBy NTLM>

Identifier UserAuth
Domain HSCDOM
EAPType MSCHAP-V2

</AuthBy>


<AuthBy SQL>

        Identifier MachineCache
        EAPType MSCHAP-V2
        DBSource        DBI:mysql:radiator:127.0.0.1
        DBUsername      user
        DBAuth          pass
        AuthSelect select CALLINGSTATIONID from MACHINECACHE where CALLINGSTATIONID = "%{Calling-Station-Id}"
        AuthColumnDef 0, Calling-Station-Id, check

</AuthBy>


<AuthBy FILE>

Identifier PEAPOuterAuth
EAPAnonymous %0
Filename %D/users
EAPType PEAP
EAPTLS_CAFile %D/certificates/cacert.pem
EAPTLS_CertificateFile %D/certificates/Lisa-cert.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/Lisa-key.pem
EAPTLS_PrivateKeyPassword whatever
AutoMPPEKeys
SSLeayTrace 4
EAPTLS_SessionResumptionLimit 0
EAPTLS_PEAPVersion 0

</AuthBy>


<Handler TunnelledByPEAP=1,User-Name=/^host\//>

AuthBy MachineAuth
PostAuthHook file:"%D/writecache.pl"

</Handler>


<Handler TunnelledByPEAP=1>

AuthByPolicy ContinueWhileAccept
AuthBy MachineCache
AuthBy UserAuth

</Handler>


<Handler>

AuthBy PEAPOuterAuth

</Handler>
