FreeRadius different authorization and authentication methods


FreeRadius different authorization and authentication methods

Jason Carr
Hello,

I'm attempting to use a FreeRadius server for authentication of wireless
 using 802.1x.  I would also like to use a SQL database for
authorization.  I've done some limited testing without success.  It
looks like the authorization method also is the authentication method,
for example if I use sql for the authorization and eap for the
authentication, the authentication request fails:

modcall[authorize]: module "sql" returns ok for request 1
modcall: group authorize returns ok for request 1
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.

Even though the config file states:

...
authorize {
        preprocess
        sql
}

authenticate {
        eap
}
...

Any assistance would be greatly appreciated.

--
Jason Carr
Carnegie Mellon University
Network Development
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius different authorization and authentication methods

Alan DeKok
Jason Carr <[hidden email]> wrote:
> I'm attempting to use a FreeRadius server for authentication of wireless
>  using 802.1x.  I would also like to use a SQL database for
> authorization.  I've done some limited testing without success.  It
> looks like the authorization method also is the authentication method,

  No, they're completely independent.

> for example if I use sql for the authorization and eap for the
> authentication, the authentication request fails:
>
> modcall[authorize]: module "sql" returns ok for request 1
> modcall: group authorize returns ok for request 1
> auth: type Local

  Don't set "Auth-Type := Local".

  The server doesn't do this by default, so it must be something in
your site's configuration.

  Alan DeKok.


Re: FreeRadius different authorization and authentication methods

Jason Carr
Alan DeKok wrote:

> Jason Carr <[hidden email]> wrote:
>
>>I'm attempting to use a FreeRadius server for authentication of wireless
>> using 802.1x.  I would also like to use a SQL database for
>>authorization.  I've done some limited testing without success.  It
>>looks like the authorization method also is the authentication method,
>
>
>   No, they're completely independent.
>
>
>>for example if I use sql for the authorization and eap for the
>>authentication, the authentication request fails:
>>
>>modcall[authorize]: module "sql" returns ok for request 1
>>modcall: group authorize returns ok for request 1
>>auth: type Local
>
>
>   Don't set "Auth-Type := Local".
>
>   The server doesn't do this by default, so it must be something in
> your site's configuration.
>
>   Alan DeKok.
>

I grepped for local in the raddb directory, and I'm not seeing anything
related to Auth-Type := Local in any config file.  I saw that I'm not
supposed to explicitly define Auth-Type := EAP, but perhaps this is what
I want?

--
Jason Carr
Carnegie Mellon University
Network Development

Re: FreeRadius different authorization and authentication methods

Alan DeKok
Jason Carr <[hidden email]> wrote:
> I grepped for local in the raddb directory, and I'm not seeing anything
> related to Auth-Type := Local in any config file.

  Did you set it in the SQL database?

> I saw that I'm not supposed to explicitly define Auth-Type := EAP,
> but perhaps this is what I want?

  No.  It's almost always wrong.

  Alan DeKok.

Re: FreeRadius different authorization and authentication methods

Jason Carr
Alan DeKok wrote:

> Jason Carr <[hidden email]> wrote:
>
>>I grepped for local in the raddb directory, and I'm not seeing anything
>>related to Auth-Type := Local in any config file.
>
>
>   Did you set it in the SQL database?
>
>
>>I saw that I'm not supposed to explicitly define Auth-Type := EAP,
>>but perhaps this is what I want?
>
>
>   No.  It's almost always wrong.
>
>   Alan DeKok.

I don't see anything in the SQL database that would indicate which
authentication method to use.

--
Jason Carr
Carnegie Mellon University
Network Development

Re: FreeRadius different authorization and authentication methods

Jason Carr
Alan DeKok wrote:

> Jason Carr <[hidden email]> wrote:
>
>>I grepped for local in the raddb directory, and I'm not seeing anything
>>related to Auth-Type := Local in any config file.
>
>
>   Did you set it in the SQL database?
>
>
>>I saw that I'm not supposed to explicitly define Auth-Type := EAP,
>>but perhaps this is what I want?
>
>
>   No.  It's almost always wrong.
>
>   Alan DeKok.


Against recommendations, I've added DEFAULT Auth-Type := EAP and the
server still says it's trying to use local authentication.  Does the
server fall back to local if it doesn't know which method to use or if
there's an error?

- Jason


--
Jason Carr
Carnegie Mellon University
Network Development

Re: FreeRadius different authorization and authentication methods

Alan DeKok
Jason Carr <[hidden email]> wrote:
> Against recommendations, I've added DEFAULT Auth-Type := EAP and the
> server still says it's trying to use local authentication.  Does the
> server fall back to local if it doesn't know which method to use or if
> there's an error?

  It uses Auth-Type = Local in one of two situations:

  a) There is a User-Password in the packet, AND there is a "known
     good" User-Password found in the configuration

  b) A configuration file tells it to use Auth-Type = Local.


  As I said in a previous message, the default configuration of the
server DOES NOT use Auth-Type = Local for EAP.  The ONLY reason it's
happening is that your local configuration is telling it to.

  This is doubly true, now that you've forced Auth-Type to EAP, and it
*still* doesn't work.  The server does not have magic code inside of
it to force Auth-Type = Local.  YOU are setting it somewhere in a
configuration.

  Go back, and read your configuration.  Odds are that one of the
things you put into SQL was Auth-Type = Local.

  If you still don't believe me, delete "sql" from the "authorize"
section, and add a user & password to the "users" file.  If you've
configured EAP, then EAP *will* work.

  Alan DeKok.
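
The check suggested in the reply above (looking for an Auth-Type entry stored in SQL), as an added example that is not part of the original thread or of FreeRADIUS itself. It assumes the table and column names of the stock FreeRADIUS SQL schema and uses an in-memory SQLite database with constructed rows as a stand-in for the real server database; the function names are hypothetical.

```python
import sqlite3

# Assumption: table/column names follow the stock FreeRADIUS SQL schema;
# adjust them to whatever your sql.conf queries actually read.
TABLES = {"radcheck": "username", "radreply": "username",
          "radgroupcheck": "groupname", "radgroupreply": "groupname"}

def audit_query():
    """One UNION ALL query listing every row that sets Auth-Type."""
    parts = [
        f"SELECT '{table}' AS tbl, {key} AS entry, op, value "
        f"FROM {table} WHERE LOWER(attribute) = 'auth-type'"
        for table, key in TABLES.items()
    ]
    return " UNION ALL ".join(parts) + " ORDER BY tbl, entry"

def find_auth_type_overrides(conn):
    """Return (table, user_or_group, op, value) for each Auth-Type row."""
    return [tuple(row) for row in conn.execute(audit_query())]

def build_sample_db():
    """In-memory SQLite stand-in with constructed rows (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    for table, key in TABLES.items():
        conn.execute(f"CREATE TABLE {table} (id INTEGER PRIMARY KEY, "
                     f"{key} TEXT, attribute TEXT, op TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?,?,?,?)",
        [("alice", "Cleartext-Password", ":=", "example-only"),
         ("alice", "Auth-Type", ":=", "Local"),   # forces Local, so EAP never runs
         ("bob", "Cleartext-Password", ":=", "example-only")])
    conn.executemany(
        "INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES (?,?,?,?)",
        [("wireless", "Auth-Type", ":=", "Local"),
         ("wireless", "Simultaneous-Use", ":=", "1")])
    return conn

if __name__ == "__main__":
    for row in find_auth_type_overrides(build_sample_db()):
        print("%s: %s has Auth-Type %s %s" % row)
```

The string returned by `audit_query()` can be pasted into the database client for the real server; any row it returns is a place where SQL, rather than the `authenticate` section, is choosing the authentication method.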