[RADIATOR] MySQL Authentication

Hugh Irvine hugh at open.com.au
Wed Jun 2 10:05:32 CDT 2010 

Hello Adam -

From what you show below, Radiator is not even seeing the RADIUS request(s), as there is nothing in the log.

This makes me think the switch is sending to a different IP address and/or port number.

In any case you should proceed as follows:


1. run radiusd from the command line with a simple configuration that just uses a flat file for authentication

	cd /your/Radiator/source/directory

	perl radiusd -foreground -log_stdout -trace 4 -config_file goodies/simple.cfg

	……

	in another terminal window check what is happening with radpwtst

	perl radpwtst …..

	…..

2. once you have a simple setup running with radpwtst you can set up an SQL configuration and test with radpwtst


	cd /your/Radiator/source/directory

	perl radiusd -foreground -log_stdout -trace 4 -config_file goodies/sql.cfg

	……

	in another terminal window check what is happening with radpwtst

	perl radpwtst …..

	…..

3. you can then modify the AuthBy SQL clause to suit what you are doing - rinse and repeat

	……


In answer to your question about AuthSelect and AuthColumnDef, you can do something like this:


	<AuthBy SQL>
		
		# check that the MAC address is present in the database

		…..

		AuthSelect select MACADDRESS from COMPUTERS where MACADDRESS = '%{Calling-Station-Id}"

		AuthColumnDef 0, %{Calling-Station-Id}, check

		…..
		
	</AuthBy>



hope that helps

regards

Hugh



On 2 Jun 2010, at 10:36, Adam Gerson wrote:

> I have read the documentation for AuthBy SQL, AuthSelect, and AuthColumnDef.
> 
> AuthSelect says "This is an SQL select statement that will be used to 
> find and fetch the password". My database does not contain passwords, 
> only MACs. I know I can pass the MAC in as the username, but when it 
> comes to interpretting the results, if I get a row back they are 
> authorized, if results = 0 they are not. Can I do this with AuthColumnDef?
> 
> Is there a way to test if this cfg is working by just passing a MAC in 
> with a specific command and get a YES or NO?
> 
> When I perform a test request from my network switch I get:
> 
> 'User-Name' => '00:0a:95:de:a5:2a'
> Failed authentication
> Error: bad response authenticator
> 
> Nothing in the raditor logs after:
> Wed Jun  2 10:23:52 2010: NOTICE: Server started: Radiator 4.6 on 
> sidekick.cgps.org (LOCKED)
> 
> Here is my current config:
> 
> # radius.cfg
> #
> # Example Radiator configuration file.
> # This very simple file will allow you to get started with
> # a simple system. You can then add and change features.
> # We suggest you start simple, prove to yourself that it
> # works and then develop a more complicated configuration as required.
> #
> # This example will authenticate from a standard users file in
> # DbDir/users and log accounting to LogDir/detail.
> #
> # It will accept requests from any client and try to handle request
> # for any realm.
> #
> # You should consider this file to be a starting point only
> # $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $
> 
> #Foreground
> #LogStdout
> LogDir		/var/log/radius
> DbDir		/etc/radiator
> # Use a low trace level in production systems. Increase
> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
> Trace 		4
> 
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
> 	Secret	******
> 	DupInterval 0
> </Client>
> 
> <Realm DEFAULT>
>     <AuthBy SQL>
> 	# Adjust DBSource, DBUsername, DBAuth to suit your DB
> 	
> 	DBSource	dbi:mysql:jamfsoftware
> 	DBUsername	jamfsoftware
> 	DBAuth		******
> 
> 	# You can customise the SQL query used to get user details with the
>         # AuthSelect parameter:
> 	AuthSelect SELECT computer_id FROM jamfsoftware.computers c WHERE 
> mac_address = %0
> 	#AuthColumnDef 0, User-Password, check
>     </AuthBy>
> 	# Log accounting to a detail file
> 	AcctLogFileName	%L/detail
> </Realm>
> 
> On 6/1/10 2:19 PM, Andrew D. Clark wrote:
>> You can handle this with<AuthBy SQL>  in a pretty straightforward fashion.
>> Rather than having the SQL query return the full list of MAC addresses, you
>> can simply select for the MAC address in question.
>> 
>> sql.cfg in the "goodies" directory makes a good starting point and just
>> consider the MAC address to be the username.  You might want to ensure the MAC
>> address has a consistent format with RewriteUsername (in case one vendor
>> delimits it with colons, another with dotted quads, yet another with hyphens,
>> not to mention issues of case-sensitivity).
>> 
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

More information about the radiator mailing list