
freeradius + MySQL

Posted on 2009-04-26
Last Modified: 2013-12-06
Hi! I have the two Debian packages, freeradius and freeradius-mysql installed.

The MySQL database is populated with some data for testing, and the freeradiusd.conf and sql.conf are configured.

The following test on localhost works:
~# radtest johndoe abc123 localhost 1812 testing123

The RADIUS server is able to connect with the MySQL database, and I can authenticate users from it. I also have a remote RADIUS client configured that is working with my captive portal and RADIUS server, however, it only works when I have the client's IP address configured in /etc/freeradius/clients.conf. It does not work using the MySQL 'nas' table.

In other words, freeradius does not seem to be querying my nas table from the MySQL database.

In my /etc/freeradius/sql.conf file I have the following:

# Table to keep radius client info
nas_table = "nas"

# Set to 'yes' to read radius clients from the database ('nas' table)
readclients = yes

In my nas table I have the following:

id       nasname       shortname       type       ports       secret       community       description
1       xx.xx.xx.xx       NULL       other       NULL       testing123       NULL       RADIUS Client

... where xx.xx.xx.xx is the correct IP address of my RADIUS client.

When I try to log in via the captive portal, with freeradius running in debug mode, I get the following:

rad_recv: Access-Request packet from host xx.xx.xx.xx:2326, id=126, length=341
Ignoring request from unknown client xx.xx.xx.xx:2326
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.

Any help would be greatly appreciated!
Question by: Julian Matz

Accepted Solution

by: arnold
ID: 24240937
Put the IP in both the nasname and shortname to see whether a difference is seen.

Start freeradius in debug mode to see what configuration settings it loads.

I.e. does it load xx.xx.xx.xx as a client?

Author Comment

by: Julian Matz
ID: 24247370
Hi arnold,

That seems to have done the trick! Is that the normal/expected behaviour though?

Now that this seems to be working, do you know of an easy method to do this using dynamic client IPs?

If not, I'd probably have to write a bash script to update the IPs on my DNS servers periodically using cron...

Assisted Solution

by: arnold
ID: 24250204
I'm not sure whether the shortname or the nasname is the one that is read in as the IP.
The client list is only read in during startup of freeradius. If you have dynamic IPs, the restart of freeradius forced it to re-read the client list, so the change to shortname might not be what fixed it. I.e. if you remove the entry for shortname and restart freeradius, does it still work, or does it again report the NAS as not a valid client? This will answer whether the IP needs to be in the nasname or shortname column.
Why would you have dynamic IPs for the NAS?
You could setup static IP assignment in DHCP for the NAS.

Author Comment

by: Julian Matz
ID: 24251781
The client (a Linksys WRT54GL) will have a static private IP, e.g. 192.168.2.1. It will use an Internet connection from another gateway at 192.168.1.1, which in turn is connected to a DSL modem. The DSL provider that's providing the WAN connection assigns dynamic public IPs. It's the public IP that gets sent to the RADIUS server, and that's why I need to figure out how to use RADIUS authentication with dynamic IPs. There will be lots of WRT54GL routers in different remote locations, and they will all have dynamic IPs assigned to them by the ISP. Basically, this is for a hotspot service.

Assisted Solution

by: arnold
ID: 24251975
In this case you have two options. One: set up freeradius to treat any incoming packet as a valid client, i.e. set up the nasname as 0.0.0.0/0, meaning all possible IPs are acceptable as clients.

Alternatively, get the possible segments for each location and set each up:
xx.xx.xx.xx/range
Then set up a process that monitors the log file for not-a-valid-client reports and adds those into mysql's nas table, and reload/restart radiusd if a change was seen (not sure whether the reload forces the refresh of the valid clients).

Any reason why the WRT54GL is not the first one? Putting it first will protect the LAN behind the currently primary router from hotspot-connected devices/systems.

Author Comment

by: Julian Matz
ID: 24342443
I decided to use a local cron job and a remote PHP script to periodically update the dynamic IP address with my nameservers. This way I was able to use a hostname instead of an IP.

Apparently the FQDN goes into nasname (e.g. some.name.example.com), and the shortname would then be "some.name". Not really sure why it's set up like that, but it seems to work.

Thanks for the help!
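The three findings of this thread (a nas row with a NULL shortname was not loaded as a client; the client list is read only at startup; a hostname or a 0.0.0.0/0 block can stand in nasname) can be checked mechanically. The script below is an added example, not code from the thread, from FreeRADIUS or from either poster. It takes nas rows in the shape of the table quoted in the question, pulls the "Ignoring request from unknown client" lines out of a debug-log excerpt, and explains each unknown source address in terms of the table. It assumes, as the accepted answer's result suggests, that a row whose shortname or secret is NULL never becomes a client; the row values, the log lines and the hostname hotspot1.example.com are constructed for the example. It also flags a 0.0.0.0/0 nasname as a catch-all, which is the caveat to arnold's first option: once every source address is accepted, the shared secret is the only thing left that distinguishes a NAS from any other host.

```python
import ipaddress
import re

# Constructed sample rows in the shape of the thread's nas table (id,
# nasname, shortname, secret).  Row 1 is the question's original row with
# a NULL shortname; row 2 is the same NAS after the accepted answer's
# change; row 4 follows the closing comment, with a hostname in nasname.
NAS_ROWS = [
    {"id": 1, "nasname": "203.0.113.10", "shortname": None, "secret": "testing123"},
    {"id": 2, "nasname": "203.0.113.10", "shortname": "203.0.113.10", "secret": "testing123"},
    {"id": 3, "nasname": "198.51.100.0/24", "shortname": "branch-a", "secret": "s3cret"},
    {"id": 4, "nasname": "hotspot1.example.com", "shortname": "hotspot1", "secret": "s3cret"},
]
# The 0.0.0.0/0 catch-all suggested in the thread, kept separate so its
# effect on the audit can be compared with and without it.
CATCH_ALL_ROW = {"id": 5, "nasname": "0.0.0.0/0", "shortname": "any", "secret": "testing123"}

# Constructed debug-log excerpt in the format quoted in the question.
DEBUG_LOG = """\
rad_recv: Access-Request packet from host 203.0.113.10:2326, id=126, length=341
Ignoring request from unknown client 203.0.113.10:2326
rad_recv: Access-Request packet from host 192.0.2.5:1812, id=7, length=200
Ignoring request from unknown client 192.0.2.5:1812
rad_recv: Access-Request packet from host 203.0.113.10:2327, id=127, length=341
Ignoring request from unknown client 203.0.113.10:2327
"""

UNKNOWN_RE = re.compile(r"Ignoring request from unknown client (\d+\.\d+\.\d+\.\d+):\d+")


def parse_nasname(nasname):
    """An IP or CIDR nasname becomes an ip_network; a hostname returns None,
    because it cannot match a source address until DNS resolves it."""
    try:
        return ipaddress.ip_network(nasname, strict=False)
    except ValueError:
        return None


def will_load(row):
    """Assumption matching the accepted answer: a row whose shortname or
    secret is NULL never becomes a client, whatever nasname says."""
    return row.get("shortname") is not None and bool(row.get("secret"))


def is_catch_all(row):
    """True for a 0.0.0.0/0 row: every source address matches, so the shared
    secret is the only check left on who may talk to the server."""
    net = parse_nasname(row["nasname"])
    return net is not None and net.prefixlen == 0


def unknown_clients(log_text):
    """Distinct source addresses FreeRADIUS reported as unknown clients."""
    seen = []
    for match in UNKNOWN_RE.finditer(log_text):
        if match.group(1) not in seen:
            seen.append(match.group(1))
    return seen


def audit(rows, log_text):
    """Map each unknown-client address to (status, loadable_ids, dead_ids).

    'loaded-after-restart': a loadable row covers the address; the client
    list is read only at startup, so radiusd has simply not re-read it.
    'row-will-not-load': only rows with NULL columns cover the address.
    'no-matching-row': nothing in the table covers it.
    """
    report = {}
    for addr in unknown_clients(log_text):
        ip = ipaddress.ip_address(addr)
        covering = []
        for row in rows:
            net = parse_nasname(row["nasname"])
            if net is not None and ip in net:
                covering.append(row)
        live = [r["id"] for r in covering if will_load(r)]
        dead = [r["id"] for r in covering if not will_load(r)]
        if live:
            status = "loaded-after-restart"
        elif dead:
            status = "row-will-not-load"
        else:
            status = "no-matching-row"
        report[addr] = (status, live, dead)
    return report


if __name__ == "__main__":
    for addr, (status, live, dead) in audit(NAS_ROWS, DEBUG_LOG).items():
        print(f"{addr}: {status}  loadable rows={live}  non-loading rows={dead}")
    print("catch-all rows:", [r["id"] for r in NAS_ROWS + [CATCH_ALL_ROW] if is_catch_all(r)])
```

A "loaded-after-restart" verdict means the table is already right and only a restart is missing; a "row-will-not-load" verdict points at the NULL columns rather than at the address. Used as the log monitor arnold describes, this reports the unknown addresses instead of inserting them into the nas table, so an unexpected source shows up as something to look at rather than silently becoming a trusted client.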