# [SOLVED] Freeradius and mysql problem

## belrpr

Hi,

I am writing a tutorial for the Dutch wiki (http://nl.gentoo-wiki.com/HOWTO_FreeRadius_and_MySQL#Freeradius) on how to make a FreeRADIUS server work with MySQL.

I based it on:

http://gentoo-wiki.com/HOWTO_WPA_Enterprise_with_MySQL

I did the following things:

I created the database radius, and the user radiususer who has all rights on the radius database. I configured the FreeRADIUS file /etc/raddb/sql.conf to use those login settings. I created a FreeRADIUS user in the database:

```
mysql> select * from radcheck
    -> ;
+----+---------------+-----------+----+---------------+
| id | UserName      | Attribute | op | Value         |
+----+---------------+-----------+----+---------------+
|  1 | mysqltestuser | Password  | == | mysqltestpass |
+----+---------------+-----------+----+---------------+
1 row in set (0.00 sec)
```

I configured /etc/raddb/radiusd.conf to use MySQL for the authorize and accounting sections.

Then I fired up my RADIUS server in a screen with:

```
radiusd -X
```

Then I CTRL ALT A and CTRL ALT D

and I test the RADIUS server with:

```
radtest mysqltestuser mysqltestpass skynet 1812 testing
```

This results in:

```
Sending Access-Request of id 249 to 127.0.0.1 port 1812
        User-Name = "mysqltestuser"
        User-Password = "mysqltestpass"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=249, length=20
```

Output of radiusd -X:

```
skynet ~ # radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded SQL
 sql: driver = "rlm_sql_mysql"
 sql: server = "localhost"
 sql: port = ""
 sql: login = "radiususer"
 sql: password = "radiuspass"
 sql: radius_db = "radius"
 sql: nas_table = "nas"
 sql: sqltrace = no
 sql: sqltracefile = "/var/log/radius/sqltrace.sql"
 sql: readclients = no
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = "%{User-Name}"
 sql: default_user_profile = ""
 sql: query_on_not_found = no
 sql: authorize_check_query = "SELECT id, UserName, Attribute, Value, op           FROM radcheck           WHERE Username = '%{SQL-User-Name}'           ORD$
 sql: authorize_reply_query = "SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = '%{SQL-User-Name}'           ORD$
 sql: authorize_group_check_query = "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radg$
 sql: authorize_group_reply_query = "SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radg$
 sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCau$
 sql: accounting_update_query = "UPDATE radacct           SET FramedIPAddress = '%{Framed-IP-Address}',           AcctSessionTime = '%{Acct-Session-Time}', $
 sql: accounting_update_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime,$
 sql: accounting_start_query = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, Acct$
 sql: accounting_start_query_alt = "UPDATE radacct SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WH$
 sql: accounting_stop_query = "UPDATE radacct SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', A$
 sql: accounting_stop_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, A$
 sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'"
 sql: connect_failure_retry_delay = 60
 sql: simul_count_query = ""
 sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radac$
 sql: postauth_query = "INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet$
 sql: safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radiususer@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32768, id=4, length=65
        User-Name = "mysqltestuser"
        User-Password = "mysqltestpass"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "mysqltestuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 0
   users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 0
radius_xlat:  'mysqltestuser'
rlm_sql (sql): sql_set_user escaped user --> 'mysqltestuser'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radcheck           WHERE Username = 'mysqltestuser'           ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WH$
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = 'mysqltestuser'           ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WH$
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 4 to 127.0.0.1 port 32768
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 4 with timestamp 45a27493
Nothing to do.  Sleeping until we see a request.
```

Last edited by belrpr on Tue Jan 09, 2007 10:26 am; edited 1 time in total

----------

## belrpr

I noticed that the auth type for the mysql users is System.

When I use:

```
test Auth-Type := Local, User-Password == "testpass"      
```

in /etc/raddb/users

the auth is Local and it works. If I change Local to System, I get exactly the same problem as with MySQL.

So how can I change the authtype for the mysql user?

----------

## belrpr

Found it:

I can change the default in:

/etc/raddb/users

```
#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#
#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
DEFAULT Auth-Type = System
```

If I change the default Auth-Type to Local, it works. But can anyone explain to me why this is, to prevent security leaks?

----------
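Added example (not from this thread and not FreeRADIUS code): a small Python model of what the radiusd -X output shows. In the authorize section the files module runs before sql, so the DEFAULT entry sets Auth-Type = System first; sql then adds the Password check item from radcheck but, as the users-file comment says, cannot override an existing pair, and the authenticate section hands the request to the unix module, which cannot find a MySQL-only user in /etc/passwd. The module functions, the SYSTEM_PASSWD table and the radcheck row are constructed stand-ins.

```python
# Constructed stand-in for /etc/passwd: the MySQL-only test user is not in it.
SYSTEM_PASSWD = {"root": "<hash not checked in this model>"}

# Constructed stand-in for the radcheck table: (UserName, Attribute, op, Value).
RADCHECK = [("mysqltestuser", "Password", "==", "mysqltestpass")]


def files_module(default_auth_type):
    """Model of the users-file DEFAULT entry: it always sets Auth-Type."""
    def run(request):
        return {"Auth-Type": default_auth_type}
    return run


def sql_module(request):
    """Model of rlm_sql authorize: check items for this User-Name from radcheck."""
    return {attr: value for user, attr, op, value in RADCHECK
            if user == request["User-Name"]}


def authorize(request, modules):
    """Run the authorize modules in order. A pair that already exists is never
    overridden by a later module (setdefault), which is the users-file rule."""
    check = {}
    for module in modules:
        for attr, value in module(request).items():
            check.setdefault(attr, value)
    return check


def authenticate(request, check):
    """Dispatch on Auth-Type the way the authenticate section does."""
    auth_type = check.get("Auth-Type")
    if auth_type == "System":
        # rlm_unix: the user must exist in /etc/passwd; otherwise notfound -> reject
        return request["User-Name"] in SYSTEM_PASSWD
    if auth_type == "Local":
        # Local: compare the Password check item with the cleartext User-Password
        return check.get("Password") == request["User-Password"]
    return False


def access_request(username, password, default_auth_type):
    """Full flow: files (DEFAULT entry) then sql in authorize, then authenticate."""
    request = {"User-Name": username, "User-Password": password}
    check = authorize(request, [files_module(default_auth_type), sql_module])
    return "Access-Accept" if authenticate(request, check) else "Access-Reject"
```

With default_auth_type "System" the model rejects mysqltestuser exactly as the debug log does; with "Local" the radcheck Password item is what gets compared and the request is accepted.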

