Upgrade From 1 to 2 - problem with authorize


Upgrade From 1 to 2 - problem with authorize

by Robert White-8

Hi,

I'm trying to upgrade my setup from freeradius 1 to freeradius 2.

I've been making little changes to the config as suggested in the doc and I managed to get my setup connecting to my mssql backend.  However, when I try and authorize with a user/pass, I get an error - actually more of a warning.  I've Googled about but although others have had this error I haven't really seen a good explanation of why it occurs let alone how to solve.

The warning is...

rad_recv: Access-Request packet from host 10.152.0.7 port 20001, id=16, length=168
        NAS-IP-Address = 10.152.0.7
        User-Name = "999999999"
        User-Password = "999999999"
        Service-Type = Login-User
        NAS-Port-Type = Async
        Calling-Station-Id = "1002"
        Quintum-h323-conf-id = "h323-conf-id=34616537 32353264 62350001 00080000"
        Quintum-AVPair = "h323-ivr-out=ACCESSCODE:990006"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "999999999", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> 999999999
[sql] sql_set_user escaped user --> '999999999'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT [id], UserName, Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('%{SQL-User-Name}') -> SELECT [id], UserName, Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('999999999')
query:  SELECT [id], UserName, Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('999999999')
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] User found in radcheck table
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group PAP {...}
[pap] login attempt with password "999999999"
[pap] Using clear text password "999999999"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [999999999] (from client 10.152.0.7 port 0 cli 1002)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 16 to 10.152.0.7 port 20001
Finished request 0.


Although the last line there says 'Sending Access-Accept', I do not get authorized at the NAS end.

Here's how things play out on my old version 1 setup....

rad_recv: Access-Request packet from host 10.152.0.7:20001, id=31, length=168
        NAS-IP-Address = 10.152.0.7
        User-Name = "999999999"
        User-Password = "999999999"
        Service-Type = Login-User
        NAS-Port-Type = Async
        Calling-Station-Id = "1002"
        Quintum-h323-conf-id = "h323-conf-id=34616537 32383034 62640001 00080000"
        Quintum-AVPair = "h323-ivr-out=ACCESSCODE:990006"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "999999999", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 0
radius_xlat:  '999999999'
rlm_sql (sql): sql_set_user escaped user --> '999999999'
radius_xlat:  'SELECT [id], UserName, Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('999999999')'
rlm_sql (sql): Reserving sql socket id: 49
query:  SELECT [id], UserName, Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('999999999')
radius_xlat:  'SELECT * FROM dbo.Rad_Group_Check('999999999')'
query:  SELECT * FROM dbo.Rad_Group_Check('999999999')
radius_xlat:  ''
radius_xlat:  'EXEC Rad_Authenticate @username = '999999999', @dialstring_from = '1002', @dialstring_to = '', @gw_session_id = '34616537 32383034 62640001 00080000', @ivr_out = 'h323-ivr-out=ACCESSCODE:990006', @gw_ip = '10.152.0.7', @call_origin = '', @gw_name = '' '
query:  EXEC Rad_Authenticate @username = '999999999', @dialstring_from = '1002', @dialstring_to = '', @gw_session_id = '34616537 32383034 62640001 00080000', @ivr_out = 'h323-ivr-out=ACCESSCODE:990006', @gw_ip = '10.152.0.7', @call_origin = '', @gw_name = ''
rlm_sql (sql): Released sql socket id: 49
  modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [999999999] (from client cms port 0 cli 1002)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
rlm_sql (sql): Processing sql_postauth
radius_xlat:  '999999999'
rlm_sql (sql): sql_set_user escaped user --> '999999999'
  modcall[post-auth]: module "sql" returns noop for request 0
modcall: leaving group post-auth (returns noop) for request 0
Sending Access-Accept of id 31 to 10.152.0.7 port 20001
        h323-return-code = "h323-return-code=0"
        h323-billing-model = "h323-billing-model=0"
        h323-credit-amount = "h323-credit-amount=76.15"
        h323-currency = "h323-currency=AUD"
Finished request 0


Thanks for any assistance,

Rob


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Upgrade From 1 to 2 - problem with authorize

by Alan Buxey

Hi,

> managed to get my setup connecting to my mssql backend.  However, when I try
> and authorize with a user/pass, I get an error - actually more of a warning.
>  I've Googled about but although others have had this error I haven't really
> seen a good explanation of why it occurs let alone how to solve.
>
> The warning is...

the warning is fairly self-explanatory - you are using

User-Password

in your SQL

you should be using Cleartext-Password (with the correct operator)

I'm with Alan on this one - I don't know HOW the message could be any clearer!?!


as for not authenticating - once again - look at your debug... here is your new server

> Login OK: [999999999] (from client 10.152.0.7 port 0 cli 1002)
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 16 to 10.152.0.7 port 20001
> Finished request 0.


and here is the old server

> Sending Access-Accept of id 31 to 10.152.0.7 port 20001
>         h323-return-code = "h323-return-code=0"
>         h323-billing-model = "h323-billing-model=0"
>         h323-credit-amount = "h323-credit-amount=76.15"
>         h323-currency = "h323-currency=AUD"
> Finished request 0


spot the difference?

alan

Re: Upgrade From 1 to 2 - problem with authorize

by Bjørn Mork

Robert White <rwhite@...> writes:

> I'm trying to upgrade my setup from freeradius 1 to freeradius 2.
>
> I've been making little changes to the config as suggested in the doc and I
> managed to get my setup connecting to my mssql backend.  However, when I try
> and authorize with a user/pass, I get an error - actually more of a warning.
>  I've Googled about but although others have had this error I haven't really
> seen a good explanation of why it occurs let alone how to solve.

I believe the rlm_pap(5) man page explains the different password
attributes and their usage pretty well.

The point the server is trying to make you aware of is that you can't
really do an equality check on the User-Password.  The attribute
received from the other end is encrypted:
  http://freeradius.org/rfc/rfc2865.html#User-Password

That's why

  luser   User-Password == "foo"

is wrong.  Don't do it.

When you configure a user account, you will instead *set* another server
configuration attribute which may be used by the authentication modules
to verify the received User-Password.  So you'll do

  luser   Cleartext-Password := "foo"

and the rlm_pap module will see both the Cleartext-Password you set and
the User-Password the NAS sent and do whatever it needs to verify that
they match.  This concept might be even clearer if you instead configure

 luser   Crypt-Password := "aaKNIEDOaueR6"

The rlm_pap will still be able to verify the received password.



> Sending Access-Accept of id 16 to 10.152.0.7 port 20001

Looks like your 2.x config doesn't have any reply attributes.

> Sending Access-Accept of id 31 to 10.152.0.7 port 20001
>         h323-return-code = "h323-return-code=0"
>         h323-billing-model = "h323-billing-model=0"
>         h323-credit-amount = "h323-credit-amount=76.15"
>         h323-currency = "h323-currency=AUD"

while the 1.x config sends a number of them.  Maybe that's why your NAS
doesn't do what you expect, even if it gets an accept in both cases?


Bjørn

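Bjørn's point about User-Password, shown in code as an added example (this is not from the thread and not FreeRADIUS code). RFC 2865 section 5.2 hides the password by NUL-padding it to 16-octet blocks and XORing each block with MD5(shared secret + previous block), the first block using the packet's Request Authenticator. The shared secret `testing123` and the two authenticators are constructed values; the password 999999999 is the one from the debug output above. The example shows that the wire value changes from request to request, so `User-Password == "..."` can never match, while a Cleartext-Password comparison done the way rlm_pap does it succeeds.

```python
"""RFC 2865 User-Password hiding, and why `User-Password == "foo"` cannot work.

Added example, not FreeRADIUS code. The secret, authenticators and password
used in demo() are constructed test values.
"""
import hashlib
import hmac

BLOCK = 16


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: obfuscate the cleartext password as in RFC 2865 section 5.2.

    The password is NUL-padded to a multiple of 16 octets; each block is XORed
    with MD5(secret + previous ciphertext block), the first block using the
    16-octet Request Authenticator in place of a previous block.
    """
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    pad = (-len(password)) % BLOCK
    if len(password) + pad == 0:
        pad = BLOCK  # an empty password still occupies one block
    padded = password + b"\x00" * pad
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + BLOCK], b))
        out += c
        prev = c
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding. Needs the shared secret and the Request
    Authenticator of the very packet the attribute arrived in."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + BLOCK], b))
        prev = hidden[i:i + BLOCK]
    # Padding is indistinguishable from trailing NULs in the real password;
    # that ambiguity is inherent to the RFC scheme.
    return bytes(out).rstrip(b"\x00")


def naive_check(hidden_on_wire: bytes, known_good: bytes) -> bool:
    """What `User-Password == "foo"` amounts to: compare the wire bytes with
    the configured string. Never true for a real NAS, even with the right
    password, because the wire bytes are the hidden form."""
    return hmac.compare_digest(hidden_on_wire, known_good)


def pap_check(hidden_on_wire: bytes, secret: bytes, authenticator: bytes,
              cleartext: bytes) -> bool:
    """What rlm_pap does with Cleartext-Password := "foo": recover what the NAS
    sent and compare it, in constant time, with the known-good value."""
    return hmac.compare_digest(
        reveal_password(hidden_on_wire, secret, authenticator), cleartext)


def demo() -> dict:
    secret = b"testing123"   # constructed shared secret
    password = b"999999999"  # password from the thread's debug output
    auth1 = bytes(range(16))       # constructed Request Authenticator, packet 1
    auth2 = bytes(range(16, 32))   # constructed Request Authenticator, packet 2
    wire1 = hide_password(password, secret, auth1)
    wire2 = hide_password(password, secret, auth2)
    return {
        "same_password_differs_per_request": wire1 != wire2,
        "naive_equality": naive_check(wire1, password),
        "pap_check": pap_check(wire1, secret, auth1, password),
        "pap_check_wrong_secret": pap_check(wire1, b"wrong", auth1, password),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last result is the other half of the story: a wrong shared secret yields garbage on decryption, so a "known good" Cleartext-Password only helps when the client entry's secret is right as well, which is why a mismatched secret also shows up as PAP failures rather than as a packet error.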

Re: Upgrade From 1 to 2 - problem with authorize

by Robert White-8

I altered my SQL to ClearText-Password with the ":=" operator and I now get authenticated.  Thanks guys - the warning message was clear about what it was referring to but I wasn't clear on what config I needed to change - whether it was with mssql or pap.

Anyway, I still have the problem that I'm not having attributes returned.  It's because my two stored procedures are not being run.

I have groupcheck_sp and groupreply_sp which used to get executed in my old 1.1.x setup in the authorize section but now that doesn't seem to happen.

I checked sql.conf and read_groups = yes.

Is there some change in 2.x I should be aware of?  I saw a message relating to something similar I think here http://readlist.com/lists/lists.freeradius.org/freeradius-users/4/24364.html but I couldn't figure out a resolution.

My output is similar to my earlier email but without the warning....

Ready to process requests.
rad_recv: Access-Request packet from host 10.152.0.7 port 20001, id=43, length=168
        NAS-IP-Address = 10.152.0.7
        User-Name = "9999999999"
        User-Password = "9999999999"
        Service-Type = Login-User
        NAS-Port-Type = Async
        Calling-Station-Id = "1002"
        Quintum-h323-conf-id = "h323-conf-id=34616632 66373463 31390038 00333300"
        Quintum-AVPair = "h323-ivr-out=ACCESSCODE:990006"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "9999999999", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> 9999999999
[sql] sql_set_user escaped user --> '9999999999'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT [id], UserName, Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('%{SQL-User-Name}') -> SELECT [id], UserName, Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('0498666931')
query:  SELECT [id], UserName, Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('9999999999')
[sql] User found in radcheck table
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "9999999999"
[pap] Using clear text password "9999999999"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [0498666931] (from client 10.152.0.7 port 0 cli 1002)
+- entering group post-auth {...}
[sql]   expand: %{User-Name} -> 9999999999
[sql] sql_set_user escaped user --> '9999999999'
++[sql] returns noop
++[exec] returns noop
Sending Access-Accept of id 43 to 10.152.0.7 port 20001
Finished request 0.

Thanks,

Rob

2009/10/27 Bjørn Mork <bjorn@...>



--
Rob White
Assistant IT Manager
Core Infrastructure & System Development
Global Gossip Group
Address: 14 Wentworth Avenue, Sydney NSW 2010
Telephone: +61 292 630 460
Fax: +61 292 630 404
Mobile: +61 410 700 733
Email: rwhite@...
Skype: robwhite83


Re: Upgrade From 1 to 2 - problem with authorize

by Bjørn Mork

Robert White <rwhite@...> writes:

> Anyway, I still have the problem that I'm not having attributes returned.
>  It's because my two stored procedures are not being run.
>
> I have groupcheck_sp and groupreply_sp which used to get executed in my old
> 1.1.x setup in the authorize section but now that doesn't seem to happen.
>
> I checked sql.conf and read_groups = yes.

My guess would be that you are missing some of the other group config in
sql.conf, but it would be easier to spot if we didn't have to guess...


Bjørn


Re: Upgrade From 1 to 2 - problem with authorize

by Ivan Kalik

> I altered my SQL to ClearText-Password with the ":=" operator and I now
> get
> authenticated.  Thanks guys - the warning message was clear about what it
> was referring to but I wasn't clear on what config i needed to change -
> whether it was with mssql or pap.
>
> Anyway, I still have the problem that I'm not having attributes returned.
>  It's because my two stored procedures are not being run.
>
> I have groupcheck_sp and groupreply_sp which used to get executed in my
> old
> 1.1.x setup in the authorize section but now that doesn't seem to happen.
>
> I checked sql.conf and read_groups = yes.
>
> Is there some change in 2.x I should be aware of?

Yes. You can't use 1.x group queries with 2.x. You need group_membership
query in order to look up radgroupcheck and radgroupreply.

Ivan Kalik
Kalik Informatika ISP


Re: Upgrade From 1 to 2 - problem with authorize

by Robert White-8

What's the difference?

Tbh, I don't even understand what group queries are.  Documentation seems to be kind of lacking.  Not your fault I know, but I don't want you to think I haven't tried finding this out for myself!

I've attached my sql.conf and dialup.conf files.

Thanks,

Rob

2009/11/5 Ivan Kalik <tnt@...>







[Attachment: dialup.conf (13K)]
[Attachment: sql.conf (4K)]

Re: Upgrade From 1 to 2 - problem with authorize

by Bjørn Mork

Robert White <rwhite@...> writes:

> What's the difference?
>
> Tbh, I don't even understand what group queries are.  Documentation
> seems to be kind of lacking.  Not your fault I know, but I don't want you to
> think I haven't tried finding this out for myself!
>
> I've attached my sql.conf and dialup.conf files.

I believe you need a group_membership_query as well in 2.x, although I
do notice that the mssql/dialup.conf example doesn't have one.  That
must be an error.  Feel free to fix it if you get this working.

rlm_sql_process_groups() will process the group list returned by
sql_get_grouplist() and that won't be any unless you configure a
group_membership_query:

        group_list_tmp = *group_list = NULL;

        if (!inst->config->groupmemb_query ||
            (inst->config->groupmemb_query[0] == 0))
                return 0;


The other dialup.conf examples will tell you how it is supposed to look.
It is a very simple query, so I assume you can convert this to mssql
easily:

        group_membership_query = "SELECT groupname \
          FROM ${usergroup_table} \
          WHERE username = '%{SQL-User-Name}' \
          ORDER BY priority"



Bjørn


Re: Upgrade From 1 to 2 - problem with authorize

by Ivan Kalik

> What's the difference?
>
> Tbh, I don't even understand what group queries are.  Documentation
> seems to be kind of lacking.  Not your fault I know, but I don't want you
> to
> think I haven't tried finding this out for myself!

It's not "kind of lacking"! You have overwritten the original dialup.conf and
replaced 2.x queries with those from 1.x. You have original dialup.conf in
downloaded source or you can find it on gitweb.

In 2.x you need to use group_membership query which places groups in
SQL-Group and uses that in group queries. If no sql groups are returned by
group_membership query - group queries are not used.

Ivan Kalik
Kalik Informatika ISP


Re: Upgrade From 1 to 2 - problem with authorize

by Bjørn Mork

tnt@... writes:

>> What's the difference?
>>
>> Tbh, I don't even understand the what group queries are.  Documentation
>> seems to be kind of lacking.  Not your fault I know, but I don't want you
>> to
>> think I haven't tried finding this out for myself!
>
> It's not "kind of lacking"! You have overwritten the original dialup.conf and
> replaced 2.x queries with those from 1.x. You have original dialup.conf in
> downloaded source or you can find it on gitweb.

No, he's correct given that he uses *mssql*.  That documentation is
lacking a bit:  The example mssql/dialup.conf is not 2.x compatible.
Note:

bjorn@canardo:/usr/local/src/git/freeradius$ grep -l group_memb raddb/sql/*/dialup.conf
raddb/sql/mysql/dialup.conf
raddb/sql/oracle/dialup.conf
raddb/sql/postgresql/dialup.conf
bjorn@canardo:/usr/local/src/git/freeradius$ ls -l raddb/sql/*/dialup.conf
-rw-r--r-- 2 bjorn src  7867 2008-09-05 15:55 raddb/sql/mssql/dialup.conf
-rw-r--r-- 2 bjorn src 14379 2008-09-05 15:55 raddb/sql/mysql/dialup.conf
-rw-r--r-- 2 bjorn src 12318 2008-09-05 15:55 raddb/sql/oracle/dialup.conf
-rw-r--r-- 2 bjorn src 13975 2008-09-05 15:55 raddb/sql/postgresql/dialup.conf

I guess this is just because no mssql user has taken the time to update
the example yet.


> In 2.x you need to use group_membership query which places groups in
> SQL-Group and uses that in group queries. If no sql groups are returned by
> group_membership query - group queries are not used.

Right.  So my suggestion is that he makes it work by looking at the
mysql or postgresql examples, and then sends a patch for the
mssql/dialup.conf example.



Bjørn

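The 2.x group mechanism that Ivan and Bjørn describe (group_membership_query fills the group list; group check and reply queries run only for groups on that list), as an added example that is not from the thread and not FreeRADIUS code. It models rlm_sql_process_groups() against an in-memory SQLite database with constructed rows in tables named after the stock 2.x schema (radusergroup, radgroupcheck, radgroupreply). The query strings follow the shape of the mysql/dialup.conf defaults with `?` bound by the driver in place of the `%{SQL-User-Name}` / `%{Sql-Group}` xlats. The group names, the check item and the reply rows are invented for the example; the model applies reply items from every group whose check items match and does not model the module's Fall-Through handling or the full set of check operators.

```python
"""Model of how rlm_sql in FreeRADIUS 2.x turns group tables into reply
attributes, and why an unset group_membership_query yields none.

Added example, not FreeRADIUS code. Tables, rows and group names below are
constructed for illustration.
"""
import sqlite3

# Same shape as the mysql/dialup.conf defaults; '?' stands in for the
# %{SQL-User-Name} / %{Sql-Group} xlats and is bound by the driver, not
# interpolated into the query text.
GROUP_MEMBERSHIP_QUERY = (
    "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority"
)
AUTHORIZE_GROUP_CHECK_QUERY = (
    "SELECT attribute, op, value FROM radgroupcheck WHERE groupname = ?"
)
AUTHORIZE_GROUP_REPLY_QUERY = (
    "SELECT attribute, op, value FROM radgroupreply WHERE groupname = ?"
)


def build_sample_db() -> sqlite3.Connection:
    """Constructed data: one user in two groups, ordered by priority."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE radusergroup(username TEXT, groupname TEXT, priority INTEGER);
        CREATE TABLE radgroupcheck(groupname TEXT, attribute TEXT, op TEXT, value TEXT);
        CREATE TABLE radgroupreply(groupname TEXT, attribute TEXT, op TEXT, value TEXT);
    """)
    conn.executemany("INSERT INTO radusergroup VALUES (?,?,?)", [
        ("999999999", "ivr-prepaid", 1),   # hypothetical group names
        ("999999999", "default", 2),
    ])
    conn.executemany("INSERT INTO radgroupcheck VALUES (?,?,?,?)", [
        ("ivr-prepaid", "Service-Type", "==", "Login-User"),
    ])
    conn.executemany("INSERT INTO radgroupreply VALUES (?,?,?,?)", [
        ("ivr-prepaid", "h323-return-code", ":=", "h323-return-code=0"),
        ("ivr-prepaid", "h323-currency", ":=", "h323-currency=AUD"),
        ("default", "Reply-Message", ":=", "no tariff found"),  # constructed
    ])
    conn.commit()
    return conn


def check_items_match(request: dict, items) -> bool:
    """Simplified check-item evaluation: every item must hold. Only '=='
    and '!=' on string equality are modelled here."""
    for attribute, op, value in items:
        present = attribute in request
        if op == "==":
            if not (present and request[attribute] == value):
                return False
        elif op == "!=":
            if present and request[attribute] == value:
                return False
        else:
            raise ValueError(f"operator {op!r} not modelled")
    return True


def process_groups(conn: sqlite3.Connection, username: str, request: dict,
                   group_membership_query: str) -> list:
    """Mirror of the rlm_sql_process_groups() early return quoted above:
    with an empty group_membership_query the group list is empty and the
    group check/reply queries never run, so no reply attributes appear."""
    if not group_membership_query:
        return []
    groups = [row[0] for row in conn.execute(group_membership_query, (username,))]
    reply = []
    for group in groups:
        checks = conn.execute(AUTHORIZE_GROUP_CHECK_QUERY, (group,)).fetchall()
        if not check_items_match(request, checks):
            continue  # this group does not apply to this request
        reply.extend(conn.execute(AUTHORIZE_GROUP_REPLY_QUERY, (group,)).fetchall())
    return reply


if __name__ == "__main__":
    db = build_sample_db()
    req = {"Service-Type": "Login-User"}
    print("no group_membership_query:", process_groups(db, "999999999", req, ""))
    print("with group_membership_query:",
          process_groups(db, "999999999", req, GROUP_MEMBERSHIP_QUERY))
```

The membership SELECT is plain enough that it runs unchanged under T-SQL once `${usergroup_table}` is resolved, which is all the mssql conversion Bjørn mentions amounts to.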