(RADIATOR) AuthBySQL - match something other than user/pass
Matthew Alexander
mra4d at virginia.edu
Thu Oct 20 08:27:25 CDT 2005
You guys seem to have a simple fix for everything. It works.
Thanks,
Matt
----- Original Message -----
From: "Hugh Irvine" <hugh at open.com.au>
To: "Matthew Alexander" <mra4d at virginia.edu>
Cc: <radiator at open.com.au>
Sent: Wednesday, October 19, 2005 10:28 PM
Subject: Re: (RADIATOR) AuthBySQL - match something other than user/pass
>
> Hello Matt -
>
> Thanks for sending the debug and so on.
>
> The trace actually shows that the AuthBy MachineCache is actually
> returning an ACCEPT.
>
> However as your AuthBy MachineCache is only checking the Calling-
> Station-Id, you should use NoEAP:
>
>
> <AuthBy SQL>
>
> Identifier MachineCache
> NoEAP
> DBSource DBI:mysql:radiator:127.0.0.1
> DBUsername user
> DBAuth pass
> AuthSelect select CALLINGSTATIONID from MACHINECACHE where
> CALLINGSTATIONID = "%{Calling-Station-Id}"
> AuthColumnDef 0, Calling-Station-Id, check
>
> </AuthBy>
>
>
> hope that helps
>
> regards
>
> Hugh
>
>
> On 19 Oct 2005, at 17:57, Matthew Alexander wrote:
>
>> Does anyone know if there a way to get Radiator to authenticate
>> against something besides the username? I want it to authenticate
>> by looking for the calling-station-id in a database, but it keeps
>> failing. From the log, it looks like Radiator is still trying to
>> match the username. Or maybe something else is going on...
>>
>> Thanks,
>> Matt
>>
>> Here is my AuthBySQL:
>>
>> <AuthBy SQL>
>>
>> Identifier MachineCache
>> EAPType MSCHAP-V2
>> DBSource DBI:mysql:radiator:127.0.0.1
>> DBUsername user
>> DBAuth pass
>> AuthSelect select CALLINGSTATIONID from MACHINECACHE where
>> CALLINGSTATIONID = "%{Calling-Station-Id}"
>> AuthColumnDef 0, Calling-Station-Id, check
>>
>> </AuthBy>
>>
>>
>>
>> My database looks like this:
>>
>> +---------------------+-------------------+
>> | TIMESTAMP | CALLINGSTATIONID |
>> +---------------------+-------------------+
>> | 2005-10-19 15:48:38 | 00-09-6B-90-49-C8 |
>> | 2005-10-19 15:49:43 | 00-09-6B-90-49-C8 |
>> | 2005-10-19 15:51:19 | 00-09-6B-90-49-C8 |
>> +---------------------+-------------------+
>>
>>
>> The trace:
>>
>> Wed Oct 19 15:54:26 2005: DEBUG: Handling request with Handler
>> 'TunnelledByPEAP=1'
>> Wed Oct 19 15:54:26 2005: DEBUG: Deleting session for HSCDOM\mra4d,
>> 10.4.250.8, 50009
>> Wed Oct 19 15:54:26 2005: DEBUG: Handling with Radius::AuthSQL
>> Wed Oct 19 15:54:26 2005: DEBUG: Handling with Radius::AuthSQL:
>> MachineCache
>> Wed Oct 19 15:54:26 2005: DEBUG: Handling with EAP: code 2, 25, 67
>> Wed Oct 19 15:54:26 2005: DEBUG: Response type 26
>> Wed Oct 19 15:54:26 2005: DEBUG: Query is:
>> 'select CALLINGSTATIONID from MACHINECACHE where CALLINGSTATIONID =
>> "00-09-6B-90-49-C8"':
>> Wed Oct 19 15:54:26 2005: DEBUG: Radius::AuthSQL looks for match
>> with HSCDOM\mra4d [HSCDOM\mra4d]
>> Wed Oct 19 15:54:26 2005: DEBUG: Radius::AuthSQL ACCEPT: : HSCDOM\mra4d [HSCDOM\mra4d]
>> Wed Oct 19 15:54:26 2005: DEBUG: EAP result: 1, EAP MSCHAP-V2
>> Authentication failure
>> Wed Oct 19 15:54:26 2005: DEBUG: AuthBy SQL result: REJECT, EAP
>> MSCHAP-V2 Authentication failure
>> Wed Oct 19 15:54:26 2005: INFO: Access rejected for HSCDOM\mra4d:
>> EAP MSCHAP-V2 Authentication failure
>> Wed Oct 19 15:54:26 2005: DEBUG: Returned PEAP tunnelled packet dump:
>> Code: Access-Reject
>>
>>
>> My entire config file:
>>
>> LogDir /var/log/radius/
>> DbDir /etc/radiator/
>>
>> Trace 4
>>
>> AuthPort 1645,1812
>> AcctPort 1646,1813
>>
>>
>> <Client DEFAULT>
>> Secret asdf
>> DupInterval 0
>> </Client>
>>
>>
>> <AuthBy NTLM>
>>
>> Identifier MachineAuth
>> Domain HSCDOM
>> EAPType MSCHAP-V2
>>
>> </AuthBy>
>>
>>
>> <AuthBy NTLM>
>>
>> Identifier UserAuth
>> Domain HSCDOM
>> EAPType MSCHAP-V2
>>
>> </AuthBy>
>>
>>
>> <AuthBy SQL>
>>
>> Identifier MachineCache
>> EAPType MSCHAP-V2
>> DBSource DBI:mysql:radiator:127.0.0.1
>> DBUsername user
>> DBAuth pass
>> AuthSelect select CALLINGSTATIONID from MACHINECACHE where
>> CALLINGSTATIONID = "%{Calling-Station-Id}"
>> AuthColumnDef 0, Calling-Station-Id, check
>>
>> </AuthBy>
>>
>>
>> <AuthBy FILE>
>>
>> Identifier PEAPOuterAuth
>> EAPAnonymous %0
>> Filename %D/users
>> EAPType PEAP
>> EAPTLS_CAFile %D/certificates/cacert.pem
>> EAPTLS_CertificateFile %D/certificates/Lisa-cert.pem
>> EAPTLS_CertificateType PEM
>> EAPTLS_PrivateKeyFile %D/certificates/Lisa-key.pem
>> EAPTLS_PrivateKeyPassword whatever
>> AutoMPPEKeys
>> SSLeayTrace 4
>> EAPTLS_SessionResumptionLimit 0
>> EAPTLS_PEAPVersion 0
>>
>> </AuthBy>
>>
>>
>> <Handler TunnelledByPEAP=1,User-Name=/^host\//>
>>
>> AuthBy MachineAuth
>> PostAuthHook file:"%D/writecache.pl"
>>
>> </Handler>
>>
>>
>> <Handler TunnelledByPEAP=1>
>>
>> AuthByPolicy ContinueWhileAccept
>> AuthBy MachineCache
>> AuthBy UserAuth
>>
>> </Handler>
>>
>>
>> <Handler>
>>
>> AuthBy PEAPOuterAuth
>>
>> </Handler>
>>
>>
>>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/
> radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
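The behaviour Hugh describes (check items match, but the inner EAP MSCHAP-V2 step still fails until NoEAP is set) and the ContinueWhileAccept chain from Matt's handler can be modelled as a small simulation. The following is an added example written for this archive page; it is not Radiator code. It keeps the post's table layout and sample rows in an in-memory SQLite database, stands in for AuthBy NTLM with a plain password compare (hypothetical user and password), and goes one step beyond the post's AuthSelect by optionally rejecting cache rows older than a given age, which the original query does not do.

```python
"""Simulation of the <Handler TunnelledByPEAP=1> chain from the post:
AuthBy SQL 'MachineCache' (keyed on Calling-Station-Id) followed by
'UserAuth', joined with AuthByPolicy ContinueWhileAccept.
Constructed example, not Radiator's implementation."""
import sqlite3
from datetime import datetime

ACCEPT, REJECT = "ACCEPT", "REJECT"
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows mirroring the MACHINECACHE table in the post.
SAMPLE_ROWS = [
    ("2005-10-19 15:48:38", "00-09-6B-90-49-C8"),
    ("2005-10-19 15:49:43", "00-09-6B-90-49-C8"),
    ("2005-10-19 15:51:19", "00-09-6B-90-49-C8"),
]

# Constructed stand-in for the domain user database (hypothetical password).
SAMPLE_USERS = {"HSCDOM\\mra4d": "example-password"}


def make_cache_db(rows=SAMPLE_ROWS):
    """In-memory SQLite copy of the MACHINECACHE table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE MACHINECACHE (TIMESTAMP TEXT, CALLINGSTATIONID TEXT)")
    db.executemany("INSERT INTO MACHINECACHE VALUES (?, ?)", rows)
    return db


def machine_cache(db, request, no_eap, max_age_seconds=None, now=None):
    """AuthBy SQL 'MachineCache'.

    The AuthSelect finds rows by Calling-Station-Id and AuthColumnDef makes
    that column a check item, so a matching row means the check items pass.
    Without NoEAP the AuthBy must also complete the inner EAP MSCHAP-V2
    exchange, which needs a password it never selected, so that step fails
    and the result is REJECT (as in the trace).  With NoEAP the check-item
    match alone decides.  max_age_seconds/now are an addition over the
    post's query: cache rows older than the window are ignored.
    """
    row = db.execute(
        "SELECT TIMESTAMP, CALLINGSTATIONID FROM MACHINECACHE "
        "WHERE CALLINGSTATIONID = ? ORDER BY TIMESTAMP DESC LIMIT 1",
        (request["Calling-Station-Id"],),
    ).fetchone()
    if row is None:
        return REJECT  # no row, so the Calling-Station-Id check item fails
    if max_age_seconds is not None:
        age = datetime.strptime(now, TS_FORMAT) - datetime.strptime(row[0], TS_FORMAT)
        if age.total_seconds() > max_age_seconds:
            return REJECT  # cache entry expired
    if not no_eap and request.get("EAP-Type") == "MSCHAP-V2":
        return REJECT  # EAP MSCHAP-V2 Authentication failure: nothing to verify against
    return ACCEPT


def user_auth(users, request):
    """Stand-in for AuthBy NTLM 'UserAuth' (plain password compare here)."""
    expected = users.get(request["User-Name"])
    if expected is None or expected != request["Password"]:
        return REJECT
    return ACCEPT


def continue_while_accept(authbys, request):
    """AuthByPolicy ContinueWhileAccept: run each AuthBy in order, stop at
    the first that does not ACCEPT, and return the last result."""
    result = REJECT
    for authby in authbys:
        result = authby(request)
        if result != ACCEPT:
            break
    return result


def tunnelled_handler(request, no_eap, db=None, users=SAMPLE_USERS,
                      max_age_seconds=None, now=None):
    """<Handler TunnelledByPEAP=1> from the post: MachineCache, then UserAuth."""
    if db is None:
        db = make_cache_db()
    chain = [
        lambda r: machine_cache(db, r, no_eap, max_age_seconds, now),
        lambda r: user_auth(users, r),
    ]
    return continue_while_accept(chain, request)


# Constructed inner request resembling the one in the trace.
INNER_REQUEST = {
    "User-Name": "HSCDOM\\mra4d",
    "Calling-Station-Id": "00-09-6B-90-49-C8",
    "EAP-Type": "MSCHAP-V2",
    "Password": "example-password",
}

if __name__ == "__main__":
    print("EAPType MSCHAP-V2 on MachineCache:", tunnelled_handler(INNER_REQUEST, no_eap=False))
    print("NoEAP on MachineCache:", tunnelled_handler(INNER_REQUEST, no_eap=True))
```

Run as-is, the first call reproduces the REJECT from Matt's trace and the second the ACCEPT that follows once the SQL AuthBy is marked NoEAP and UserAuth verifies the user. Two points worth noting when turning this into a real configuration: the example binds the Calling-Station-Id as a query parameter instead of interpolating `%{Calling-Station-Id}` into the SQL text, since that attribute arrives from the NAS and is not under the server's control; and the age check uses the TIMESTAMP column that the post's table already carries, so an entry written by the PostAuthHook does not remain valid indefinitely.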