Multiple Password Auth


Multiple Password Auth

Miguel Barrera
Hi,

We have a captive portal integrated with freeradius for auth and
accounting, and I have a question: how can I handle multiple passwords (PAP
ClearText Password) for a single user? For auth we use the sql module, so
the passwords are stored in a MySQL database.

There are some scenarios where we need to store two or three passwords for
the same user. Here is the log for one of these passwords and the radcheck
table records for this user.

Ready to process requests
(8) Received Access-Request Id 4 from 186.154.58.197:41224 to 172.31.51.38:1812 length 345
(8)   User-Name = "a450460f6823"
(8)   User-Password = "a450460f6823"
(8)   Service-Type = Call-Check
(8)   NAS-IP-Address = 192.168.0.10
(8)   NAS-Identifier = "data-col-wifi"
(8)   Called-Station-Id = "dc085609e6d0:data-col-wifi1"
(8)   NAS-Port-Type = Wireless-802.11
(8)   NAS-Port = 4
(8)   NAS-Port-Id = "wifi-5G"
(8)   Calling-Station-Id = "a450460f6823"
(8)   Acct-Session-Id = "192.168.0.10_18/06/2020_11:49:11_a450460f6823"
(8)   Acct-Multi-Session-Id = "192.168.0.10_18/06/2020_11:49:11_a450460f6823"
(8)   Framed-MTU = 1400
(8)   Xylan-Port-Desc = "data-col-wifi"
(8)   Xylan-Device-Name = "AP-Datawifi"
(8)   Xylan-Device-Location = "2c:fa:a2:99:d2:10"
(8)   Attr-26.800.154 = 0x41502d4441544157494649
(8)   Message-Authenticator = 0xc6c8ec4fc33b39e6f65e27b3f4a13605
(8) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(8)   authorize {
(8)     [chap] = noop
(8) sql: EXPAND %{User-Name}
(8) sql:    --> a450460f6823
(8) sql: SQL-User-Name set to 'a450460f6823'
rlm_sql (sql): Reserved connection (6)
(8) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(8) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'a450460f6823' ORDER BY id
(8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'a450460f6823' ORDER BY id
(8) sql: User found in radcheck table
(8) sql: WARNING: check items do not match.
rlm_sql (sql): Reserved connection (9)
rlm_sql (sql): Released connection (9)
Need 3 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (12), 1 of 24 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on dbdatawifi.cluster-cvxa7jznn96c.us-east-1.rds.amazonaws.com via TCP/IP, server version 5.7.12, protocol version 10
(8) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(8) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'a450460f6823' ORDER BY priority
(8) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'a450460f6823' ORDER BY priority
(8) sql: User found in the group table
(8) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(8) sql:    --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'google@monetizacion' ORDER BY id
(8) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'google@monetizacion' ORDER BY id
(8) sql: Group "google@monetizacion": Conditional check items matched
(8) sql: Group "google@monetizacion": Merging assignment check items
(8) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(8) sql:    --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'google@monetizacion' ORDER BY id
(8) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'google@monetizacion' ORDER BY id
(8) sql: Group "google@monetizacion": Merging reply items
(8) sql:   Ruckus-Location = "https://www.google.com/"
(8) sql:   Session-Timeout = 600
(8) sql:   WISPr-Bandwidth-Max-Down = 3500000
(8) sql:   WISPr-Bandwidth-Max-Up = 3500000
(8) sql:   Maximum-Data-Rate-Downstream = 3500000
(8) sql:   Maximum-Data-Rate-Upstream = 3500000
rlm_sql (sql): Released connection (6)
(8)     [sql] = ok
(8)     [files] = noop
(8) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(8) pap: WARNING: Authentication will fail unless a "known good" password is available
(8)     [pap] = noop
(8)   } # authorize = ok
(8) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(8) Failed to authenticate the user
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8)   REJECT { ... } # empty sub-section is ignored
(8) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [a450460f6823/a450460f6823] (from client private-network-1 port 4 cli a450460f6823)
(8) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.

[image: image.png]

Hope to hear from you soon, thank you very much.

Thanks, I look forward to your reply.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Multiple Password Auth

Alan DeKok

On Jun 18, 2020, at 3:45 PM, Miguel Barrera <[hidden email]> wrote:
>
> We have a captive portal integrated with freeradius for auth and
> accounting, and I have a question: how can I handle multiple passwords (PAP
> ClearText Password) for a single user? For auth we use the sql module, so
> the passwords are stored in a MySQL database.
>
> There are some scenarios where we need to store two or three passwords for
> the same user. Here is the log for one of these passwords and the radcheck
> table records for this user.

  Do you mean that the one user has multiple passwords, and can log in with any of them?

  If so, it's possible.  But the default SQL queries aren't really set up to do that.

> Ready to process requests
> (8) Received Access-Request Id 4 from 186.154.58.197:41224 to 172.31.51.38:1812 length 345
> (8)   User-Name = "a450460f6823"
> (8)   User-Password = "a450460f6823"

  You're better off checking for that case specially, and allowing it.  And only putting the *other* password into SQL.

  i.e.

authorize {
        ...
        sql

        # user was found in SQL, but we don't use that password
        if (found && (&User-Name == &User-Password)) {
                accept
        }
        else {
                pap # check Cleartext-Password from SQL
        }
        ...

  Alan DeKok.
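To see why the stock `sql` then `pap` flow cannot express "any of these passwords is fine" and how the special case above changes the outcome, here is an added Python model of the decision logic. It is not FreeRADIUS code and not from anyone in this thread: the check-item semantics are a deliberate simplification (comparison ops such as `==` are tested against the request and a failure means "check items do not match"; `:=` replaces an earlier value in the control list; `=` sets only when absent), the function names are my own, and the radcheck rows and passwords are constructed sample data. Only the username `a450460f6823` and the `Call-Check` request shape come from the posted log.

```python
from typing import Dict, List, Tuple

Request = Dict[str, str]
Row = Tuple[str, str, str]        # (attribute, op, value), one radcheck row
Table = Dict[str, List[Row]]      # username -> rows in "ORDER BY id" order


def apply_check_items(request: Request, rows: List[Row]):
    """Simplified model (assumption) of how rlm_sql applies radcheck rows.

    Returns (found, control).  found is False when the user has no rows or
    when any comparison row fails, which the debug log reports as
    'WARNING: check items do not match'.
    """
    if not rows:
        return False, {}
    control: Dict[str, str] = {}
    for attribute, op, value in rows:
        if op == "==":                   # compared against the request; absent attr fails
            if request.get(attribute) != value:
                return False, {}
        elif op == "!=":
            if request.get(attribute) == value:
                return False, {}
        elif op == ":=":                 # assignment: replaces an earlier value
            control[attribute] = value
        elif op == "=":                  # assignment: only if not already set
            control.setdefault(attribute, value)
        else:
            raise ValueError(f"operator {op!r} is not modelled here")
    return True, control


def pap(request: Request, control: Dict[str, str]) -> str:
    """Model of rlm_pap: it needs one 'known good' Cleartext-Password."""
    known_good = control.get("Cleartext-Password")
    if known_good is None:
        # pap: No "known good" password found -> no Auth-Type -> Reject
        return "Reject"
    return "Accept" if request.get("User-Password") == known_good else "Reject"


def authorize_default(request: Request, table: Table) -> str:
    """Stock authorize section: sql, then pap."""
    _found, control = apply_check_items(request, table.get(request["User-Name"], []))
    return pap(request, control)


def authorize_special_case(request: Request, table: Table) -> str:
    """Alan DeKok's flow: accept User-Name == User-Password only for a user
    that SQL found, otherwise fall through to pap against the one stored
    password."""
    found, control = apply_check_items(request, table.get(request["User-Name"], []))
    if found and request["User-Name"] == request.get("User-Password"):
        return "Accept"
    return pap(request, control)


# Constructed sample data (hypothetical rows, not the poster's table).
USER = "a450460f6823"
TWO_ASSIGNMENTS: Table = {USER: [("Cleartext-Password", ":=", "first-secret"),
                                 ("Cleartext-Password", ":=", "second-secret")]}
TWO_COMPARISONS: Table = {USER: [("User-Password", "==", "first-secret"),
                                 ("User-Password", "==", "second-secret")]}
ONE_OTHER_PASSWORD: Table = {USER: [("Cleartext-Password", ":=", "second-secret")]}


def request_for(password: str) -> Request:
    """A Call-Check style request like the one in the posted log."""
    return {"User-Name": USER, "User-Password": password, "Service-Type": "Call-Check"}


if __name__ == "__main__":
    # Two := rows: the second replaces the first, so only one password works.
    print("two := rows, first-secret :", authorize_default(request_for("first-secret"), TWO_ASSIGNMENTS))
    print("two := rows, second-secret:", authorize_default(request_for("second-secret"), TWO_ASSIGNMENTS))
    # Two == rows: one of them always fails, so neither password works.
    print("two == rows, second-secret:", authorize_default(request_for("second-secret"), TWO_COMPARISONS))
    # Special case plus a single stored password: both paths succeed.
    print("special case, MAC as password:", authorize_special_case(request_for(USER), ONE_OTHER_PASSWORD))
    print("special case, other password :", authorize_special_case(request_for("second-secret"), ONE_OTHER_PASSWORD))
    print("special case, unknown user   :", authorize_special_case(request_for(USER), {}))
```

The last call is the reason the `found &&` guard matters in the snippet above: a request whose User-Name equals its User-Password is only accepted for a user that actually exists in SQL, so an arbitrary unknown name is still rejected.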
