[RADIATOR] AuthByFreeRaidusSQL and EAP authentication

Brandon Shiers brandon.shiers at cerento.com
Tue Aug 4 14:52:41 UTC 2020


I've been fighting through this more. Using Radiator 4.19. Here's a trace 4 capture (I'm using AuthByFREERADIUSSQL Mode). I have the password set correctly in the radcheck table but I get the following when I try to authenticate the SM against it. I've tried the := and == operators and get the same reply.


Tue Aug  4 08:32:27 2020: DEBUG: Query to 'dbi:mysql:hostname=localhost;database=radius_zt Connection id: 0-00000': 'SELECT id, UserName, Attribute, Value, op FROM  radcheck WHERE Username=? ORDER BY id': testuser
Tue Aug  4 08:32:27 2020: DEBUG: Got user check row: 4925 testuser ClearText-Password testpass :=
Tue Aug  4 08:32:27 2020: DEBUG: Query to 'dbi:mysql:hostname=localhost;database=radius_zt Connection id: 0-00000': 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = ? ORDER BY id': testuser
Tue Aug  4 08:32:27 2020: DEBUG: Got user reply row: 86289 testuser Framed-IP-Address 10.10.10.116 :=
Tue Aug  4 08:32:27 2020: DEBUG: Got user reply row: 86290 testuser Framed-IP-Netmask 255.255.255.240 :=
Tue Aug  4 08:32:27 2020: DEBUG: Got user reply row: 86291 testuser Cambium-Canopy-Gateway 10.10.10.113 :=
Tue Aug  4 08:32:27 2020: DEBUG: Got user reply row: 86292 testuser Cambium-Canopy-ULBR 3072 :=
Tue Aug  4 08:32:27 2020: DEBUG: Got user reply row: 86293 testuser Cambium-Canopy-ULMB 3072 :=
Tue Aug  4 08:32:27 2020: DEBUG: Got user reply row: 86294 testuser Cambium-Canopy-DLBR 5120 :=
Tue Aug  4 08:32:27 2020: DEBUG: Got user reply row: 86295 testuser Cambium-Canopy-DLMB 5120 :=
Tue Aug  4 08:32:27 2020: DEBUG: Got user reply row: 86296 testuser Cambium-Canopy-ULBL 128 :=
Tue Aug  4 08:32:27 2020: DEBUG: Got user reply row: 86297 testuser Cambium-Canopy-DLBL 128 :=
Tue Aug  4 08:32:27 2020: DEBUG: Got user reply row: 86298 testuser Cambium-Canopy-BCASTMIR 16 :=
Tue Aug  4 08:32:27 2020: DEBUG: Got user reply row: 86299 testuser Cambium-Canopy-ConfigFileImportUrl http://<URLRedacted> :=
Tue Aug  4 08:32:27 2020: DEBUG: Query to 'dbi:mysql:hostname=localhost;database=radius_zt Connection id: 0-00000': 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,radusergroup WHERE radusergroup.Username = ? AND radusergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id': testuser
Tue Aug  4 08:32:27 2020: DEBUG: Query to 'dbi:mysql:hostname=localhost;database=radius_zt Connection id: 0-00000': 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,radusergroup WHERE radusergroup.Username = ? AND radusergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id': testuser
Tue Aug  4 08:32:27 2020: DEBUG: Radius::AuthFREERADIUSSQL looks for match with testuser [testuser]
Tue Aug  4 08:32:27 2020: DEBUG: Radius::AuthFREERADIUSSQL REJECT: Check item ClearText-Password expression 'testpass' does not match '' in request: testuser [testuser]
Tue Aug  4 08:32:27 2020: DEBUG: AuthBy FREERADIUSSQL result: REJECT, Check item ClearText-Password expression 'testpass' does not match '' in request
Tue Aug  4 08:32:27 2020: INFO: Access rejected for testuser: Check item ClearText-Password expression 'testpass' does not match '' in request
Tue Aug  4 08:32:27 2020: DEBUG: Returned TTLS tunnelled Diameter Packet dump:

When I use the same values and switch to a flat file the authentication works.  Any ideas on what I'm doing wrong?  The radio is also not accepting any of the Cambium attributes but Cambium-Canopy-Gateway and Cambium-Canopy-ConfigFileImportURL even though I have the vendor attributes loaded up in my config file.  

Thanks,
Brandon Shiers, RF Engineer
937 West Main Street
Riverton, WY 82501
307.857.6704 (o)
307.840.2366 (c)
307.856.1499 (f)
brandon.shiers at cerento.com

-----Original Message-----
From: Brandon Shiers 
Sent: Monday, August 03, 2020 4:46 PM
To: 'Heikki Vatiainen' <hvn at open.com.au>; radiator at lists.open.com.au
Subject: RE: [RADIATOR] AuthByFreeRaidusSQL and EAP authentication

Heikki,

Thank you for the reply!  I did get the certificate issue sorted out.  I am now having issues with getting reply attributes back to the radio.  

I am passing them back but the radio is only taking select options. I think it's a firmware issue as we've had to roll out new firmware since we started this project and unfortunately I'm waiting for the vendor. The odd thing (and I have their dictionary loaded) is that it will accept one of their VSAs but not the rest. Standard things like Framed-IP-Address work just fine. I am having an issue with the RADIUS DB for some reason over-writing the password when using the DB for the lookups; I haven't figured that one out yet.

Thanks,
Brandon Shiers, RF Engineer

-----Original Message-----
From: radiator On Behalf Of Heikki Vatiainen
Sent: Wednesday, July 29, 2020 6:34 AM
To: radiator at lists.open.com.au
Subject: Re: [RADIATOR] AuthByFreeRaidusSQL and EAP authentication

On 27.7.2020 19.16, Brandon Shiers wrote:

> Will it support EAPTLS for authentication out in front of the actual 
> database lookup for the username, password and reply attributes?

Is that EAP-TLS or EAP-TTLS? With EAP-TLS a password is not needed and SQL can optionally be used to check that the certificate subject is known. It can also fetch reply attributes. I'm not sure I have used it with Freeradius SQL but with AuthBy SQL it works.

With EAP-TTLS it should also work with an SQL backend, but I don't think I've yet tried with the Freeradius specific module.

The certificate problems are not related to this because they happen before SQL access.

Thanks,
Heikki


--
Heikki Vatiainen <hvn at open.com.au>
