FreeRADIUS Builds

Kwame — Tue, 02 Feb 2010 00:57:49 +0000

Have been helping people out with their FreeRADIUS deployments (usually for hotspots). As a result, I’ve started a little collection of Freeradius packages that I’ve built for Ubuntu. FreeRadius is available from the repositories but what you get sometimes is not the latest and greatest. I’m putting my builds up for download so that someone else doesn’t have to go through the stress of compiling.

These were compiled using version 2.1.6 of Freeradius.

Hardy amd64

freeradius-dbg_2.1.6-0_amd64.deb

freeradius-dialupadmin_2.1.6-0_all.deb

freeradius-iodbc_2.1.6-0_amd64.deb

freeradius-krb5_2.1.6-0_amd64.deb

freeradius-ldap_2.1.6-0_amd64.deb

freeradius-mysql_2.1.6-0_amd64.deb

freeradius-postgresql_2.1.6-0_amd64.deb

freeradius_2.1.6-0_amd64.deb

I’m getting really sleepy so I’ll add some more builds tomorrow. Coming soon, instructions on how to build your own packages.

Update: i386 builds for Hardy are also up. i386 builds for Karmic
will follow shortly.

Does your RADIUS server think "user" = "USER"?

Kwame — Tue, 20 Oct 2009 12:45:23 +0000

If you happen to manage a hotspot that uses Freeradius with the sql module for authentication, you might want to pay attention. The default queries used by Freeradius sql module are case-insensitive. So if user “kwame” is successfully authenticated, another user “Kwame” can also successfully autheticate. And so can “KWAME”, “kwamE”, “KwaMe” and so on for that matter. I guess you can see where I’m going with this: if any of your users should catch on to this… And to think, this hadn’t crossed my mind till a friend who runs a wireless isp pointed out some strange activity he had noticed in his logs.

You shouldn’t forget to make a small change to the /etc/freeradius/sql/mysql/dialup.conf(or /etc/freeradius/sql.conf) file. Somewhere around line 82 lies the following:

#######################################################################
        # Use these for case sensitive usernames.
#        authorize_check_query = "SELECT id, username, attribute, value, op \
#         FROM ${authcheck_table} \
#         WHERE username = BINARY '%{SQL-User-Name}' \
#         ORDER BY id"
#        authorize_reply_query = "SELECT id, username, attribute, value, op \
#         FROM ${authreply_table} \
#         WHERE username = BINARY '%{SQL-User-Name}' \
#         ORDER BY id"

        # The default queries are case insensitive. (for compatibility with
        # older versions of FreeRADIUS)
       authorize_check_query = "SELECT id, username, attribute, value, op \
          FROM ${authcheck_table} \
          WHERE username = '%{SQL-User-Name}' \
          ORDER BY id"
       authorize_reply_query = "SELECT id, username, attribute, value, op \
          FROM ${authreply_table} \
          WHERE username = '%{SQL-User-Name}' \
          ORDER BY id"

This should be:

#######################################################################
        # Use these for case sensitive usernames.
        authorize_check_query = "SELECT id, username, attribute, value, op \
         FROM ${authcheck_table} \
         WHERE username = BINARY '%{SQL-User-Name}' \
         ORDER BY id"
        authorize_reply_query = "SELECT id, username, attribute, value, op \
         FROM ${authreply_table} \
         WHERE username = BINARY '%{SQL-User-Name}' \
         ORDER BY id"

        # The default queries are case insensitive. (for compatibility with
        # older versions of FreeRADIUS)
#       authorize_check_query = "SELECT id, username, attribute, value, op \
#          FROM ${authcheck_table} \
#          WHERE username = '%{SQL-User-Name}' \
#          ORDER BY id"
#       authorize_reply_query = "SELECT id, username, attribute, value, op \
#          FROM ${authreply_table} \
#          WHERE username = '%{SQL-User-Name}' \
#          ORDER BY id"

And if you apply your attributes per group instead of per user, like I do, then this:

        # Use these for case sensitive usernames.
#        group_membership_query = "SELECT groupname \
#        FROM ${usergroup_table} \
#         WHERE username = BINARY '%{SQL-User-Name}' \
#        ORDER BY priority"

       group_membership_query = "SELECT groupname \
          FROM ${usergroup_table} \
          WHERE username = '%{SQL-User-Name}' \
          ORDER BY priority"

should become:

        # Use these for case sensitive usernames.
        group_membership_query = "SELECT groupname \
        FROM ${usergroup_table} \
         WHERE username = BINARY '%{SQL-User-Name}' \
        ORDER BY priority"

#       group_membership_query = "SELECT groupname \
#          FROM ${usergroup_table} \
#          WHERE username = '%{SQL-User-Name}' \
#          ORDER BY priority"

Reload the freeradius server and your usernames should be case sensitive. Now, go and buy yourself a beer in celebration of your valiant victory against the dark forces of computer insecurity.

HauntedShell » freeradius

FreeRADIUS Builds

Does your RADIUS server think "user" = "USER"?