Problem with NULL realm..

Mark J Elkins mje at posix.co.za
Mon Jul 9 16:01:20 CEST 2007


Phil Mayers wrote:
>> ... Username='%{Stripped-User-Name}' AND realm='%{Realm:-pop.co.za}' AND
>> ....
>>
>> ie - if the REALM is missing - it should default to 'pop.co.za'...
>>
>> Anyway - still getting incorrect logins....
>>
>> A radiusd -X shows me that   .."WHERE Username='mje' AND realm='NULL'
>> AND"...
>>     
>
> That's how it works. You'll need to refactor your SQL query e.g.
>
>   
grumble.... if people wanted the string 'NULL' - they should use
"%{Realm:-NULL}"
(user hides below the keyboard :-)
> select foo from bar where Username='%{Stripped-User-Name}' and realm=(
>  case
>   when '%{Realm}'='NULL' then 'pop.co.za'
>   else '%{Realm}'
>  end)
>
> The other and slightly easier alternative is to set "ignore_null = yes"
> on your realm module so that users without a realm won't match the
> module, and then use:
>
> select foo from bar where
>   Username='%{Stripped-User-Name:-%{User-Name}}'
> and
>   realm='${Realm:-pop.co.za}'
>
>   
Being lazy - I'm starting here. (Also - less impact on existing users)
Changed 'ignore_null' to yes..
Smiled - and tried to dial-in

rad_recv: Access-Request packet from host 160.124.0.97:1645, id=81, length=106
    NAS-IP-Address = 160.124.0.97
    NAS-Port = 70
    Cisco-NAS-Port = "Async70"
    NAS-Port-Type = Async
    User-Name = "mje"
    Called-Station-Id = "0800"
    User-Password = "verysecret"
    Service-Type = Framed-User
    Framed-Protocol = PPP
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "chap" returns noop for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
    rlm_realm: No '@' in User-Name = "mje", skipping NULL due to config.
*** Line above suggests the 'ignore_null' worked ***
  modcall[authorize]: module "suffix" returns noop for request 7
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 7
radius_xlat:  'mje'
rlm_sql (sql): sql_set_user escaped user --> 'mje'
radius_xlat:  'SELECT userid as id,UserName,'Password' as
Attribute,password as Value,'==' as op FROM useracct WHERE Username=''
AND realm='pop.co.za' AND .....

Something stole my username ???

I'm not too sure of the logic here.
I've left the NULL realm in "proxy.conf" uncommented - so it's 'live'.
It seems that the 'NULL' realm matched... then skipped (?) - so I got a
null username and a null realm (all the other info got through!)

Looks like the SQL logic works though...
I just hate complicating the SQL queries even more than I already have!

I guess FreeRadius 2.xx will make things easier?
>   
>> ie - If there is no realm - it's set to the string of four characters
>> 'NULL' rather than the string '\0' ..
>> not what I was hoping for...
>>
>> If the realm is missing - it can only refer to a user in the 'pop.co.za'
>> realm - and no other.
>>
>> Suggestions?
>>
>> ie - the equivalent of ...  if( ${Realm} == "NULL") Realm="pop.co.za"
>> ..put somewhere.
>>
>>
>> ps. It would be very useful if one could run radiusd in '-X' mode based
>> on some criteria - such as the Realm or the Nas,
>> especially on a busy server - just for matching packets.
>>
>> (in proxy.conf .. syntax of
>> realm myrealm.com {
>>     type        = radius
>>     authhost    = LOCAL
>>     accthost    = LOCAL
>>     debug       = yes
>> }
>>
>> or in clients.conf
>> client  access.pop.co.za {
>>     secret      = very
>>     shortname   = access
>>     nastype     = cisco
>>     debug       =  yes
>> }
>> )


-- 
  .  .     ___. .__      Posix Systems - Sth Africa
 /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, SCO ACE, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
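The behaviour argued over in this thread, as an added example that is not part of the original post or of FreeRADIUS itself. It models, in Python with an in-memory SQLite table, what the two suggested queries do once the xlat has been expanded: with the NULL realm live (ignore_null = no) rlm_realm sets Realm to the literal string "NULL", so the %{Realm:-pop.co.za} default never fires and the CASE rewrite is what rescues the lookup; with ignore_null = yes neither Realm nor Stripped-User-Name is added, which is why the debug output shows Username='' and why the second query has to fall back to %{User-Name}. The request_after_realm() model, the xlat() helper, the table contents and the second "mje" account are assumptions made for the illustration; real rlm_sql interpolates escaped strings into the query text, whereas here the same values are bound as parameters.

```python
import sqlite3

# Constructed sample data (not from the post): two accounts for the same
# login in different realms, so a lookup that picks the wrong realm is visible.
SAMPLE_ROWS = [
    (1, "mje", "pop.co.za", "verysecret"),
    (2, "mje", "other.example", "otherpass"),
]


def make_db():
    """In-memory stand-in for the useracct table named in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE useracct (userid INTEGER, UserName TEXT, realm TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO useracct VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def xlat(request, attr, default=""):
    """Emulate %{Attr:-default}: the default is used only when Attr is absent.
    An attribute that is present but holds the string 'NULL' is returned as is."""
    return request.get(attr, default)


def request_after_realm(user_name, ignore_null):
    """Hypothetical model of the request after rlm_realm has run.
    user@realm: Stripped-User-Name and Realm are set from the split name.
    Bare name, ignore_null = no: the NULL realm matches, Stripped-User-Name is
    the whole name and Realm is the literal string 'NULL'.
    Bare name, ignore_null = yes: the module is skipped, nothing is added."""
    req = {"User-Name": user_name}
    if "@" in user_name:
        user, realm = user_name.split("@", 1)
        req["Stripped-User-Name"] = user
        req["Realm"] = realm
    elif not ignore_null:
        req["Stripped-User-Name"] = user_name
        req["Realm"] = "NULL"
    return req


def lookup_naive(conn, req):
    """The original query: Username='%{Stripped-User-Name}' AND realm='%{Realm:-pop.co.za}'.
    Returns the matched userid, or None (the 'incorrect login' case)."""
    row = conn.execute(
        "SELECT userid FROM useracct WHERE UserName=? AND realm=?",
        (xlat(req, "Stripped-User-Name"), xlat(req, "Realm", "pop.co.za")),
    ).fetchone()
    return row[0] if row else None


def lookup_case(conn, req):
    """First suggested fix: map the literal 'NULL' to the default realm inside SQL."""
    realm = xlat(req, "Realm")
    row = conn.execute(
        "SELECT userid FROM useracct WHERE UserName=? AND realm=("
        " CASE WHEN ?='NULL' THEN 'pop.co.za' ELSE ? END)",
        (xlat(req, "Stripped-User-Name"), realm, realm),
    ).fetchone()
    return row[0] if row else None


def lookup_ignore_null(conn, req):
    """Second suggested fix, meant for ignore_null = yes: fall back to User-Name
    when Stripped-User-Name is missing and let the :- default supply the realm."""
    user = xlat(req, "Stripped-User-Name", xlat(req, "User-Name"))
    row = conn.execute(
        "SELECT userid FROM useracct WHERE UserName=? AND realm=?",
        (user, xlat(req, "Realm", "pop.co.za")),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for ign in (False, True):
        r = request_after_realm("mje", ignore_null=ign)
        print("ignore_null =", ign, "->", r,
              "naive:", lookup_naive(db, r),
              "case:", lookup_case(db, r),
              "ignore_null query:", lookup_ignore_null(db, r))
```

Each query succeeds only with the rlm_realm configuration it was written for: the CASE form needs Realm to actually arrive as "NULL", and the %{Stripped-User-Name:-%{User-Name}} form needs the NULL realm to be skipped; pairing them the other way round reproduces the empty-username query from the debug output above.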