Discussion:
Problem with using MySQL for radius clients
Mik J
2013-11-09 11:03:41 UTC
Hello,

I know that by default you configure your radius clients in the file /etc/raddb/clients.conf
However I would like them to be entered in MySQL

I have modified the file /etc/raddb/sites-enabled/default and I expect
the Freeradius server to check the clients in MySQL instead of
clients.conf
authorize {
sql
#files
}

And added an input into the nas table
INSERT INTO  nas VALUES (NULL ,  '192.168.0.1',  'myNAS',  'other', NULL ,  'mysecret', NULL , NULL ,  'RADIUS Client'
);

Unfortunately this doesn't work because
1) $ radtest testuser passsecret 127.0.0.1 1812 testing123 <= works and testing123 is what is specified in clients.conf
2) $ radtest testuser passsecret 127.0.0.1 1812 mysecret <= doesn't work and what's specified in the nas table

Since I have commented "files" I would also expect the freeradius server not to check clients.conf

Could someone point out my misunderstanding?
Thank you
Arran Cudbard-Bell
2013-11-09 11:45:02 UTC
Post by Mik J
Hello,
I know that by default you configure your radius clients in the file /etc/raddb/clients.conf
However I would like them to be entered in MySQL
I have modified the file /etc/raddb/sites-enabled/default and I expect the Freeradius server to check the clients in MySQL instead of clients.conf
authorize {
sql
#files
}
You have no basis for thinking that. None of the documentation states that; it's not even logical to query a database for client information on every request.

Look in the sql.conf file, the config option is pretty clearly marked in there. The server will then load all clients from your database ONCE on startup.

-Arran

Arran Cudbard-Bell <***@freeradius.org>
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
A***@lboro.ac.uk
2013-11-09 12:01:56 UTC
Hi,
Post by Mik J
I know that by default you configure your radius clients in the file
/etc/raddb/clients.conf
correct
Post by Mik J
However I would like them to be entered in MySQL
that's easy. add them to the NAS table in your MySQL DB and then simply read the
sql.conf file near the bottom and uncomment the readclients = yes line.
Post by Mik J
I have modified the file /etc/raddb/sites-enabled/default and I expect the
Freeradius server to check the clients in MySQL instead of clients.conf
authorize {
sql
#files
}
???? no. what you've done there is enable SQL in the authorise stage...so a
device attempting to use RADIUS will be checked against SQL. except that it won't
because the NAS trying to talk won't be allowed to talk (and commenting out
'files' means that the users file won't work anymore....that's what that option does!)

alan

Mik J
2013-11-09 13:28:12 UTC
Thank you both for your answers.
I had forgotten to specify in my first mail that I've restarted the radiusd numerous times and that my sql.conf file contains
readclients = yes
nas_table = "nas"

I've put a # in front of files because I wanted the radiusd to check the user's password only in MySQL.

Alan, sorry but I didn't understand what you wrote in your last sentence, about that.
And how to enable MySQL only without clients.conf?


So I still have the problem and I don't understand what's wrong
mysql> select * from nas;
+----+----------------+-----------+-------+-------+-----------+--------+-----------+-------------------+
| id | nasname        | shortname | type  | ports | secret    | server | community | description       |
+----+----------------+-----------+-------+-------+-----------+--------+-----------+-------------------+
|  1 | 192.168.0.1   | myNAS     | other |  NULL | mysecret  | NULL   | NULL      | RADIUS Client     |

When I start the server with the -X option
rlm_sql_mysql: query:  SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Read entry nasname=192.168.0.1,shortname=myNAS,secret=mysecret
rlm_sql (sql): Adding client 192.168.0.1 (myNAS, server=<none>) to clients list

A***@lboro.ac.uk
2013-11-09 14:23:31 UTC
Hi,
Post by Mik J
And how to enable MySQL only without clients.conf ?
you've already done it.
Post by Mik J
rlm_sql (sql): Read entry
nasname=192.168.0.1,shortname=myNAS,secret=mysecret
rlm_sql (sql): Adding client 192.168.0.1 (myNAS, server=<none>) to clients list
read the above. 192.168.0.1 is a valid client.


the trouble is, you seem to be running radtest with 127.0.0.1 - and THAT isn't
in your tables...so isn't a valid client - it's there by default in clients.conf
- so add it to your NAS table! beware, you cannot have duplicates.

alan
Mik J
2013-11-10 22:44:42 UTC
Hello Alan,

Test1

Where I do the command
$ radtest testuser passsecret 127.0.0.1 1812 testing1234
It works and testing1234 is what is configured in the clients.conf file. If I change the secret to testing12345 and restart the radiusd server it works with the command
$ radtest testuser passsecret 127.0.0.1 1812 testing12345

Also the radtest command output says
$ radtest testuser passsecret 127.0.0.1 1812 testing12345
Sending Access-Request of id 18 to 127.0.0.1 port 1812
        User-Name = "testuser"
        User-Password = "passsecret"
        NAS-IP-Address = x.x.x.x
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
With x.x.x.x a public IP address (mine), that's why I supposed I didn't need an entry for 127.0.0.1

Test 2

When I start the radiusd server after adding an entry for 127.0.0.1 it says
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): Failed to add client 127.0.0.1 (myNAS3x) to clients list.  Maybe there's a duplicate?
Failed to load clients from SQL.
/etc/raddb/sql.conf[22]: Instantiation failed for module "sql"
/etc/raddb/sites-enabled/default[177]: Failed to find "sql" in the "modules" section.
/etc/raddb/sites-enabled/default[69]: Errors parsing authorize section.


As a conclusion I think clients.conf is still used because of test 1) when I change the secret. And that's why it finds a duplicate for 127.0.0.1 in Test 2. If I delete the entry in the mysql table it starts normally.

I think commenting the files doesn't work
authorize {
sql
#files
}
and radiusd still reads clients.conf, that should explain test 1 & 2

....

As I was writing this email I found the solution.
I've put a comment on
#$INCLUDE ${confdir}/clients.conf
in radiusd.conf

And normalised the section
authorize {
sql
files
}

Now it behaves as expected.

Thank you for your answers

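The startup failure in Test 2 comes from the server loading the SQL clients in addition to the ones in clients.conf, so a NAS address present in both is rejected as a duplicate. The following added example (not code from the thread or from FreeRADIUS) models that merge over a constructed minimal clients.conf and constructed nas rows in the column order the -X log shows, so the clash can be found before restarting radiusd; the `ipaddr` key and the sample secrets are assumptions.

```python
import re

# Constructed sample: the default localhost client as clients.conf defines it.
CLIENTS_CONF = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    shortname = localhost
}
"""

# Constructed rows in the order the SQL query in the thread selects them:
# (id, nasname, shortname, type, secret, server)
NAS_ROWS = [
    (1, "192.168.0.1", "myNAS", "other", "mysecret", None),
    (2, "127.0.0.1", "myNAS3x", "other", "testing12345", None),
]

CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)  # skips '#' comment lines


def parse_clients_conf(text):
    """Return {ipaddr: (shortname, secret)} for every client block in text."""
    clients = {}
    for name, body in CLIENT_RE.findall(text):
        kv = dict(KV_RE.findall(body))
        clients[kv.get("ipaddr", name)] = (kv.get("shortname", name), kv.get("secret", ""))
    return clients


def merged_clients(conf_text, nas_rows):
    """Model startup: clients.conf entries first, then the nas table rows.

    Like rlm_sql with readclients = yes, a nas row whose address is already
    known is fatal rather than an override, so the clash is raised here.
    """
    clients = {ip: (name, secret, "clients.conf")
               for ip, (name, secret) in parse_clients_conf(conf_text).items()}
    for _id, nasname, shortname, _type, secret, _server in nas_rows:
        if nasname in clients:
            raise ValueError(f"Failed to add client {nasname} ({shortname}): "
                             f"already defined in {clients[nasname][2]}")
        clients[nasname] = (shortname, secret, "sql")
    return clients


def find_duplicates(conf_text, nas_rows):
    """Addresses present in both sources; non-empty means radiusd will not start."""
    return sorted(parse_clients_conf(conf_text).keys() & {row[1] for row in nas_rows})
```

Run `find_duplicates` before a restart: an empty list means the two sources are disjoint, and `merged_clients` then shows which source each client's secret came from.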