Checking Service-Type with checkval and mysql

Guilhem MORE-CAUSSE guilhem.mc at wanadoo.fr
Wed Aug 30 12:32:05 CEST 2006


Hello

I am currently trying to have my FreeRadius server check the "Service-Type" values, and reject Login attempts from a user that should be used for service-type Outbound only.

My client equipment always sends the "Service-Type" attribute in its requests. This attribute is defined in the check databases, but debug mode says:

>>Debug: rlm_checkval: Could not find attribute named Service-Type in check pairs

I really do not see what is wrong and why value checking is not done properly. It should find the attribute in the database, and reject the request. Can you help me out?

Below is my radcheck table, relevant parts of my radiusd.config and the debug output. 

mysql> select * from radcheck;
+----+----------+--------------+----+----------+
| id | UserName | Attribute    | op | Value    |
+----+----------+--------------+----+----------+
|  3 | admin    | Password     | == | cisco    |
|  5 | admin    | Service-Type | == | Outbound |
+----+----------+--------------+----+----------+


        checkval {
                item-name = Service-Type
                check-name = Service-Type
                data-type = string
                notfound-reject = yes
        }
//...
authorize {
        preprocess
        chap
        suffix
        eap
        #files
        sql
        checkval
}
authenticate {
        Auth-Type PAP {
          pap
        }
        Auth-Type CHAP {
          chap
        }
        eap
}




rad_recv: Access-Request packet from host 10.10.107.68:1645, id=6, length=86
        NAS-IP-Address = 10.10.107.68
        NAS-Port = 500
        NAS-Port-Type = Virtual
        User-Name = "admin"
        Calling-Station-Id = "XXX.XXX.XXX.XXX"
        User-Password = "cisco"
        Service-Type = Login-User
Wed Aug 30 11:30:13 2006 : Debug:   Processing the authorize section of radiusd.conf
Wed Aug 30 11:30:13 2006 : Debug: modcall: entering group authorize for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modcall[authorize]: module "preprocess" returns ok for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: calling chap (rlm_chap) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: returned from chap (rlm_chap) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modcall[authorize]: module "chap" returns noop for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 1
Wed Aug 30 11:30:13 2006 : Debug:     rlm_realm: No '@' in User-Name = "admin", looking up realm NULL
Wed Aug 30 11:30:13 2006 : Debug:     rlm_realm: No such realm "NULL"
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: returned from suffix (rlm_realm) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modcall[authorize]: module "suffix" returns noop for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modcall[authorize]: module "eap" returns noop for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: calling sql (rlm_sql) for request 1
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat:  'admin'
Wed Aug 30 11:30:13 2006 : Debug: rlm_sql (sql): sql_set_user escaped user --> 'admin'
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'admin' ORDER BY id'
Wed Aug 30 11:30:13 2006 : Debug: rlm_sql (sql): Reserving sql socket id: 3
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'admin' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'admin' ORDER BY id'
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'admin' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
Wed Aug 30 11:30:13 2006 : Debug: rlm_sql (sql): Released sql socket id: 3
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: returned from sql (rlm_sql) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modcall[authorize]: module "sql" returns ok for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: calling checkval (rlm_checkval) for request 1
Wed Aug 30 11:30:13 2006 : Debug: rlm_checkval: Item Name: Service-Type, Value: Login-User
Wed Aug 30 11:30:13 2006 : Debug: rlm_checkval: Could not find attribute named Service-Type in check pairs
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: returned from checkval (rlm_checkval) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modcall[authorize]: module "checkval" returns notfound for request 1
Wed Aug 30 11:30:13 2006 : Debug: modcall: group authorize returns ok for request 1
Wed Aug 30 11:30:13 2006 : Debug: auth: type Local
Wed Aug 30 11:30:13 2006 : Debug: auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 6 to 10.10.107.68:1645
        Cisco-AVPair += "ipsec:tunnel-password=admin123"
        Cisco-AVPair == "ipsec:addr-pool=admin"
        Cisco-AVPair == "ipsec:inacl=admin"
        Service-Type == Outbound-User
        Cisco-AVPair += "shell:priv-lvl=0"
        Cisco-AVPair += "ipsec:key-exchange=ike"
        Cisco-AVPair += "ipsec:key-exchange=preshared-key"
        Tunnel-Type:0 == ESP
Wed Aug 30 11:30:13 2006 : Debug: Finished request 1
Wed Aug 30 11:30:13 2006 : Debug: Going to the next request



Thanks for your help!

G.
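
An added example (not part of the original post and not FreeRADIUS code): a small Python check over debug output in the format shown above that flags requests answered with Access-Accept although the `checkval` module did not pass in the authorize section. The function name `audit`, the set of return codes treated as "not passed", and the abridged sample log are assumptions constructed for illustration.

```python
import re

# Constructed sample, abridged from the debug output format shown in the post.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.10.107.68:1645, id=6, length=86
        User-Name = "admin"
        Service-Type = Login-User
Wed Aug 30 11:30:13 2006 : Debug:   modcall[authorize]: module "sql" returns ok for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modcall[authorize]: module "checkval" returns notfound for request 1
Wed Aug 30 11:30:13 2006 : Debug: modcall: group authorize returns ok for request 1
Sending Access-Accept of id 6 to 10.10.107.68:1645
        Service-Type == Outbound-User
Wed Aug 30 11:30:13 2006 : Debug: Finished request 1
"""

RECV = re.compile(r"^rad_recv: Access-Request packet from host (\S+), id=(\d+)")
ATTR = re.compile(r'^\s+([\w-]+) = "?([^"]*)"?$')      # request attributes only
MODRET = re.compile(r'modcall\[authorize\]: module "([^"]+)" returns (\w+)')
SEND = re.compile(r"^Sending (Access-\w+) of id (\d+)")
# Assumption: module return codes treated here as "policy check did not pass".
NOT_PASSED = {"notfound", "reject", "fail", "invalid", "userlock"}

def audit(log_text, policy_module="checkval"):
    """Return accepted requests for which policy_module did not pass."""
    findings, cur = [], None
    for line in log_text.splitlines():
        if (m := RECV.match(line)):
            cur = {"nas": m.group(1), "id": m.group(2), "attrs": {}, "mods": {}}
        elif cur is None:
            continue                      # outside a request (e.g. reply attributes)
        elif (m := ATTR.match(line)):
            cur["attrs"][m.group(1)] = m.group(2)
        elif (m := MODRET.search(line)):
            cur["mods"][m.group(1)] = m.group(2)
        elif (m := SEND.match(line)) and m.group(2) == cur["id"]:
            result = cur["mods"].get(policy_module)
            if m.group(1) == "Access-Accept" and result in NOT_PASSED:
                findings.append({"nas": cur["nas"],
                                 "user": cur["attrs"].get("User-Name"),
                                 "service_type": cur["attrs"].get("Service-Type"),
                                 "result": result})
            cur = None                    # request finished; wait for next rad_recv
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```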



