[RADIATOR] FreeRadius Issue

Hugh Irvine hugh at open.com.au
Mon May 21 23:41:30 UTC 2018


Hello Brandon -

The incoming request has “User-Password” in it, not “Cleartext-Password”.

regards

Hugh


> On 22 May 2018, at 09:13, Brandon Shiers <brandon.shiers at wyoming.com> wrote:
> 
> I'm using the FreeRadius module and testing some PPPoE authentication.  I have my Mikrotik set up as a PPPoE server and it's forwarding the requests over to RADIATOR.  
> 
> I receive the request but the password it says is null if I'm reading the output right?  I verified in the device that it DOES have the correct password entered.  Here is what's in my radcheck table for the user I'm testing with: 
> 
> MariaDB [fiber]> select * from radcheck;
> +----+-------------------+--------------------+----+--------------+
> | id | username          | attribute          | op | value        |
> +----+-------------------+--------------------+----+--------------+
> |  1 | fibertest         | Cleartext-Password | := | testpassword |
> 
> Here's the radreply table:
>  12 | fibertest         | Mikrotik-Rate-Limit   | := | 25M/50M 0/0 0/0 0/0 8 |
> | 13 | fibertest         | Mikrotik-Address-List | := | permitted_users       |
> | 14 | fibertest         | Session-Timeout       | := | 60        
> 
> Here is the error I'm getting:
> 
> Mon May 21 17:07:03 2018: DEBUG: Packet dump:
> *** Received from 216.67.161.1 port 39338 ....
> Code:       Access-Request
> Identifier: 141
> Authentic:  <189><140><240>|Q9GI5<30><20><127>dR;<28>
> Attributes:
> 	Service-Type = Framed-User
> 	Framed-Protocol = PPP
> 	NAS-Port = 15734819
> 	NAS-Port-Type = Ethernet
> 	User-Name = "fibertest"
> 	Calling-Station-Id = "78:32:1B:10:78:85"
> 	Called-Station-Id = "GPONPPPOE"
> 	NAS-Port-Id = "VLAN4 - GPON"
> 	User-Password = <133>2.<187><131><16>,<242>i<159><193><216>t:<163><244>
> 	NAS-Identifier = "Riverton - Century CO MKT01"
> 	NAS-IP-Address = 216.67.161.1
> 
> Mon May 21 17:07:03 2018: DEBUG: Rewrote user name to fibertest
> Mon May 21 17:07:03 2018: DEBUG: Handling request with Handler 'Client-Identifier=Fast-Fiber', Identifier ''
> Mon May 21 17:07:03 2018: DEBUG: SDB-cluster Deleting session for fibertest, 216.67.161.1, 15734819
> Mon May 21 17:07:03 2018: DEBUG: do query to 'dbi:mysql:hostname=localhost;database=radius Connection id: 0-00000': 'DELETE FROM radonline WHERE username='fibertest' AND nasidentifier='216.67.161.1'':
> Mon May 21 17:07:03 2018: DEBUG: Handling with Radius::AuthFREERADIUSSQL: Fast-Fiber
> Mon May 21 17:07:03 2018: DEBUG: Handling with Radius::AuthFREERADIUSSQL: Fast-Fiber
> Mon May 21 17:07:03 2018: DEBUG: Query to 'dbi:mysql:hostname=localhost;database=fiber Connection id: 3-00000': 'SELECT id, UserName, Attribute, Value, op FROM  radcheck WHERE Username=? ORDER BY id': fibertest
> Mon May 21 17:07:03 2018: DEBUG: Got user check row: 1 fibertest Cleartext-Password testpassword :=
> Mon May 21 17:07:03 2018: DEBUG: Query to 'dbi:mysql:hostname=localhost;database=fiber Connection id: 3-00000': 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = ? ORDER BY id': fibertest
> Mon May 21 17:07:03 2018: DEBUG: Got user reply row: 12 fibertest Mikrotik-Rate-Limit 25M/50M 0/0 0/0 0/0 8 :=
> Mon May 21 17:07:03 2018: DEBUG: Got user reply row: 13 fibertest Mikrotik-Address-List permitted_users :=
> Mon May 21 17:07:03 2018: DEBUG: Got user reply row: 14 fibertest Session-Timeout 60 :=
> Mon May 21 17:07:03 2018: DEBUG: Query to 'dbi:mysql:hostname=localhost;database=fiber Connection id: 3-00000': 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,radusergroup WHERE radusergroup.Username = ? AND radusergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id': fibertest
> Mon May 21 17:07:03 2018: DEBUG: Query to 'dbi:mysql:hostname=localhost;database=fiber Connection id: 3-00000': 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,radusergroup WHERE radusergroup.Username = ? AND radusergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id': fibertest
> Mon May 21 17:07:03 2018: DEBUG: Radius::AuthFREERADIUSSQL looks for match with fibertest [fibertest]
> Mon May 21 17:07:03 2018: DEBUG: Radius::AuthFREERADIUSSQL REJECT: Check item Cleartext-Password expression 'testpassword' does not match '' in request: fibertest [fibertest]
> Mon May 21 17:07:03 2018: DEBUG: AuthBy FREERADIUSSQL result: REJECT, Check item Cleartext-Password expression 'testpassword' does not match '' in request
> Mon May 21 17:07:03 2018: INFO: Access rejected for fibertest: Check item Cleartext-Password expression 'testpassword' does not match '' in request
> Mon May 21 17:07:03 2018: DEBUG: Packet dump:
> *** Sending to 216.67.161.1 port 39338 ....
> Code:       Access-Reject
> Identifier: 141
> Authentic:  <139><233><17><215>6<31><183>d$d<138><135>T<242>~<234>
> Attributes:
> 	Reply-Message = "Request Denied"
> 
> I'm sure I'm missing something but I can't see it.  Is it since I have the op in front of value in the DB I need to do a custom SQL statement?  I'm using the default FreeRadius module stuff: 
> <Handler Client-Identifier=Fast-Fiber>
> <AuthBy FREERADIUSSQL>
>   Identifier Fast-Fiber
>   DBSource dbi:mysql:hostname=localhost;database=fiber
>   DBUsername foo
>   DBAuth bar
>   FailureBackoffTime 5
>   NoDefault
>   Timeout 10
> </AuthBy>
> </Handler>
> 
> This was working with a non-PPPoE setup (just using the MKT to authenticate DHCP requests when a MAC address was coming in as the username).  
> 
> I'd appreciate any feedback.  Like I said I'm sure it's something simple I'm missing :)


--

Hugh Irvine
hugh at open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc. 
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.


