[RADIATOR] MySQL Authentication

Adam Gerson agersonl at cgps.org
Wed Jun 2 09:36:47 CDT 2010


I have read the documentation for AuthBy SQL, AuthSelect, and AuthColumnDef.

AuthSelect says "This is an SQL select statement that will be used to 
find and fetch the password". My database does not contain passwords, 
only MACs. I know I can pass the MAC in as the username, but when it 
comes to interpreting the results, if I get a row back they are 
authorized, if results = 0 they are not. Can I do this with AuthColumnDef?

Is there a way to test if this cfg is working by just passing a MAC in 
with a specific command and get a YES or NO?

When I perform a test request from my network switch I get:

'User-Name' => '00:0a:95:de:a5:2a'
Failed authentication
Error: bad response authenticator

Nothing in the Radiator logs after:
Wed Jun  2 10:23:52 2010: NOTICE: Server started: Radiator 4.6 on sidekick.cgps.org (LOCKED)

Here is my current config:

# radius.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# a simple system. You can then add and change features.
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration as required.
#
# This example will authenticate from a standard users file in
# DbDir/users and log accounting to LogDir/detail.
#
# It will accept requests from any client and try to handle request
# for any realm.
#
# You should consider this file to be a starting point only
# $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $

#Foreground
#LogStdout
LogDir		/var/log/radius
DbDir		/etc/radiator
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace 		4

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
	Secret	******
	DupInterval 0
</Client>

<Realm DEFAULT>
     <AuthBy SQL>
	# Adjust DBSource, DBUsername, DBAuth to suit your DB
	
	DBSource	dbi:mysql:jamfsoftware
	DBUsername	jamfsoftware
	DBAuth		******

	# You can customise the SQL query used to get user details with the
	# AuthSelect parameter:
	AuthSelect SELECT computer_id FROM jamfsoftware.computers c WHERE mac_address = %0
	#AuthColumnDef 0, User-Password, check
     </AuthBy>
	# Log accounting to a detail file
	AcctLogFileName	%L/detail
</Realm>

On 6/1/10 2:19 PM, Andrew D. Clark wrote:
> You can handle this with <AuthBy SQL> in a pretty straightforward fashion.
> Rather than having the SQL query return the full list of MAC addresses, you
> can simply select for the MAC address in question.
>
> sql.cfg in the "goodies" directory makes a good starting point and just
> consider the MAC address to be the username.  You might want to ensure the MAC
> address has a consistent format with RewriteUsername (in case one vendor
> delimits it with colons, another with dotted quads, yet another with hyphens,
> not to mention issues of case-sensitivity).
>


