(RADIATOR) AuthBySQL - match something other than user/pass
Matthew Alexander
mra4d at virginia.edu
Thu Oct 20 08:32:06 CDT 2005
This is an interesting idea, but I could not get it to work. I would still
get EAP auth failure even though the password was null. Hugh Irvine got me
going by having me do NoEAP. All seems to be well now. Thanks for looking
into this though.
Matt
----- Original Message -----
From: "Frank Danielson" <fdanielson at csky.com>
To: "Matthew Alexander" <mra4d at virginia.edu>; <radiator at open.com.au>
Sent: Wednesday, October 19, 2005 10:53 PM
Subject: RE: (RADIATOR) AuthBySQL - match something other than user/pass
> If you look at the log the SQL query is successful but the MSCHAP-V2
> fails.
>
> Wed Oct 19 15:54:26 2005: DEBUG: Radius::AuthSQL ACCEPT: : HSCDOM\mra4d
> [HSCDOM\mra4d]
> Wed Oct 19 15:54:26 2005: DEBUG: EAP result: 1, EAP MSCHAP-V2
> Authentication
> failure
> Wed Oct 19 15:54:26 2005: DEBUG: AuthBy SQL result: REJECT, EAP MSCHAP-V2
> Authentication failure
>
> If I am not mistaken a password is required to perform the MSCHAP-V2
> authentication and your query does not return a password since you are
> looking up machines and not users. I see that after the AuthBy SQL you're
> doing an AuthBy NT which should be handling the user authentication.
>
> In reading section 6.28.6 of the manual I found this gem-
>
> "If the password (or encrypted password) column for a user is NULL in the
> database, then any password will be accepted for that user."
>
> So how about using this for your AuthBy SQL? It should accept any user
> whose
> MAC address is in the MACHINECACHE table and reject those that don't. Of
> course I could also be misunderstanding something in which case it won't
> work or someone else on the list will have a better idea.
>
> <AuthBy SQL>
>
> Identifier MachineCache
> EAPType MSCHAP-V2
> DBSource DBI:mysql:radiator:127.0.0.1
> DBUsername user
> DBAuth pass
> AuthSelect select null from MACHINECACHE where CALLINGSTATIONID =
> "%{Calling-Station-Id}"
> AuthColumnDef 0, User-Password, check
>
> </AuthBy>
>
>
> Frank Danielson
> Infrastructure Architect
>
> ClearSky Mobile Media
> 56 E. Pine St.
> Orlando, FL 32801
> USA
>
> fdanielson at csky.com
>
> -----Original Message-----
> From: Matthew Alexander [mailto:mra4d at virginia.edu]
> Sent: Wednesday, October 19, 2005 8:57 PM
> To: radiator at open.com.au
> Subject: (RADIATOR) AuthBySQL - match something other than user/pass
>
>
> Does anyone know if there a way to get Radiator to authenticate against
> something besides the username? I want it to authenticate by looking for
> the calling-station-id in a database, but it keeps failing. From the log,
> it looks like Radiator is still trying to match the username. Or maybe
> something else is going on...
>
> Thanks,
> Matt
>
> Here is my AuthBySQL:
>
> <AuthBy SQL>
>
> Identifier MachineCache
> EAPType MSCHAP-V2
> DBSource DBI:mysql:radiator:127.0.0.1
> DBUsername user
> DBAuth pass
> AuthSelect select CALLINGSTATIONID from MACHINECACHE where
> CALLINGSTATIONID = "%{Calling-Station-Id}"
> AuthColumnDef 0, Calling-Station-Id, check
>
> </AuthBy>
>
>
>
> My database looks like this:
>
> +---------------------+-------------------+
> | TIMESTAMP | CALLINGSTATIONID |
> +---------------------+-------------------+
> | 2005-10-19 15:48:38 | 00-09-6B-90-49-C8 |
> | 2005-10-19 15:49:43 | 00-09-6B-90-49-C8 |
> | 2005-10-19 15:51:19 | 00-09-6B-90-49-C8 |
> +---------------------+-------------------+
>
>
> The trace:
>
> Wed Oct 19 15:54:26 2005: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1'
> Wed Oct 19 15:54:26 2005: DEBUG: Deleting session for HSCDOM\mra4d,
> 10.4.250.8, 50009
> Wed Oct 19 15:54:26 2005: DEBUG: Handling with Radius::AuthSQL
> Wed Oct 19 15:54:26 2005: DEBUG: Handling with Radius::AuthSQL:
> MachineCache
> Wed Oct 19 15:54:26 2005: DEBUG: Handling with EAP: code 2, 25, 67
> Wed Oct 19 15:54:26 2005: DEBUG: Response type 26
> Wed Oct 19 15:54:26 2005: DEBUG: Query is:
> 'select CALLINGSTATIONID from MACHINECACHE where CALLINGSTATIONID =
> "00-09-6B-90-49-C8"':
> Wed Oct 19 15:54:26 2005: DEBUG: Radius::AuthSQL looks for match with
> HSCDOM\mra4d [HSCDOM\mra4d]
> Wed Oct 19 15:54:26 2005: DEBUG: Radius::AuthSQL ACCEPT: : HSCDOM\mra4d
> [HSCDOM\mra4d]
> Wed Oct 19 15:54:26 2005: DEBUG: EAP result: 1, EAP MSCHAP-V2
> Authentication
> failure
> Wed Oct 19 15:54:26 2005: DEBUG: AuthBy SQL result: REJECT, EAP MSCHAP-V2
> Authentication failure
> Wed Oct 19 15:54:26 2005: INFO: Access rejected for HSCDOM\mra4d: EAP
> MSCHAP-V2 Authentication failure
> Wed Oct 19 15:54:26 2005: DEBUG: Returned PEAP tunnelled packet dump:
> Code: Access-Reject
>
>
> My entire config file:
>
> LogDir /var/log/radius/
> DbDir /etc/radiator/
>
> Trace 4
>
> AuthPort 1645,1812
> AcctPort 1646,1813
>
>
> <Client DEFAULT>
> Secret asdf
> DupInterval 0
> </Client>
>
>
> <AuthBy NTLM>
>
> Identifier MachineAuth
> Domain HSCDOM
> EAPType MSCHAP-V2
>
> </AuthBy>
>
>
> <AuthBy NTLM>
>
> Identifier UserAuth
> Domain HSCDOM
> EAPType MSCHAP-V2
>
> </AuthBy>
>
>
> <AuthBy SQL>
>
> Identifier MachineCache
> EAPType MSCHAP-V2
> DBSource DBI:mysql:radiator:127.0.0.1
> DBUsername user
> DBAuth pass
> AuthSelect select CALLINGSTATIONID from MACHINECACHE where
> CALLINGSTATIONID = "%{Call
> ing-Station-Id}"
> AuthColumnDef 0, Calling-Station-Id, check
>
> </AuthBy>
>
>
> <AuthBy FILE>
>
> Identifier PEAPOuterAuth
> EAPAnonymous %0
> Filename %D/users
> EAPType PEAP
> EAPTLS_CAFile %D/certificates/cacert.pem
> EAPTLS_CertificateFile %D/certificates/Lisa-cert.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/Lisa-key.pem
> EAPTLS_PrivateKeyPassword whatever
> AutoMPPEKeys
> SSLeayTrace 4
> EAPTLS_SessionResumptionLimit 0
> EAPTLS_PEAPVersion 0
>
> </AuthBy>
>
>
> <Handler TunnelledByPEAP=1,User-Name=/^host\//>
>
> AuthBy MachineAuth
> PostAuthHook file:"%D/writecache.pl"
>
> </Handler>
>
>
> <Handler TunnelledByPEAP=1>
>
> AuthByPolicy ContinueWhileAccept
> AuthBy MachineCache
> AuthBy UserAuth
>
> </Handler>
>
>
> <Handler>
>
> AuthBy PEAPOuterAuth
>
> </Handler>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list