radgroupreply do not read (read_groups directive)

tnt at kalik.co.yu tnt at kalik.co.yu
Wed Jan 16 02:50:04 CET 2008


There is a typo in usergroup table. Group is set as teste-pap, while
other tables have group test-pap.

Ivan Kalik
Kalik Informatika ISP


On 15/1/2008, "Arlinelson Fernandes dos Santos" <cytron at pop.com.br>
wrote:

>Don't take your ball, not good. ;) Here's the information:
>
>## radcheck
>+----+----------+--------------------+----+-------+
>| id | UserName | Attribute          | op | Value |
>+----+----------+--------------------+----+-------+
>| 3  | test-pap | Cleartext-Password | := | pw123 |
>+----+----------+--------------------+----+-------+
>
>## radreply
>+----+----------+------------------+----+-------+
>| id | UserName | Attribute        | op | Value |
>+----+----------+------------------+----+-------+
>| 6  | test-pap | Upstream-Speed   | =  | 800   |
>| 7  | test-pap | Downstream-Speed | =  | 800   |
>+----+----------+------------------+----+-------+
>
>## radgroupcheck
>+----+--------------+------------------+----+-------+
>| id | GroupName    | Attribute        | op | Value |
>+----+--------------+------------------+----+-------+
>| 5  | f_pppoe_250k | Auth-Type        | =  | PAP   |
>| 6  | f_pppoe_250k | Simultaneous-Use | =  | 1     |
>+----+--------------+------------------+----+-------+
>
>## radgroupreply
>+----+--------------+--------------------+----+---------------------+
>| id | GroupName    | Attribute          | op | Value               |
>+----+--------------+--------------------+----+---------------------+
>| 13 | f_pppoe_250k | Framed-Protocol    | =  | PPP                 |
>| 14 | f_pppoe_250k | Framed-MTU         | =  | 1492                |
>| 15 | f_pppoe_250k | Framed-Compression | =  | Van-Jacobsen-TCP-IP |
>| 16 | f_pppoe_250k | Service-Type       | =  | Framed-User         |
>+----+--------------+--------------------+----+---------------------+
>
>## radusergroup (same usergroup table in 1.3 version freeradius, I have both
>tables)
>+-----------+--------------+----------+
>| UserName  | GroupName    | priority |
>+-----------+--------------+----------+
>| teste-pap | f_pppoe_250k | 1        |
>+-----------+--------------+----------+
>
>## radiusd -X
>rad_recv: Access-Request packet from host 7.7.7.1 port 32790, id=163, length=73
>        Service-Type = Framed-User
>        Framed-Protocol = PPP
>        User-Name = "test-pap"
>        User-Password = "pw123"
>        NAS-IP-Address =
>        NAS-Port = 0
>  Processing the authorize section of radiusd.conf
>+- entering group authorize
>++[preprocess] returns ok
>++[chap] returns noop
>++[mschap] returns noop
>  rlm_eap: No EAP-Message, not doing EAP
>++[eap] returns noop
>radius_xlat:  'test-pap'
>rlm_sql (sql): sql_set_user escaped user --> 'test-pap'
>rlm_sql (sql): Reserving sql socket id: 3
>radius_xlat:  'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test-pap' ORDER BY id'
>######## loading radcheck table ##########
>rlm_sql (sql): User found in radcheck table
>radius_xlat:  'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test-pap' ORDER BY id'
>####### loading radreply table ##########
>rlm_sql (sql): Released sql socket id: 3
>#### if found "Fall-Through = Yes" attribute, radgroupcheck is loaded, but not radgroupreply #########
>++[sql] returns ok
>++[expiration] returns noop
>++[logintime] returns noop
>++[pap] returns updated
>+- group authorize returns updated
>  rad_check_password:  Found Auth-Type
>auth: type "PAP"
>  Processing the authenticate section of radiusd.conf
>+- entering group PAP
>rlm_pap: login attempt with password ngc0bqi
>rlm_pap: Using clear text password.
>rlm_pap: User authenticated successfully
>++[pap] returns ok
>+- group PAP returns ok
>  Processing the post-auth section of radiusd.conf
>+- entering group post-auth
>rlm_sql (sql): Processing sql_postauth
>rlm_sql (sql): sql_set_user escaped user --> 'test-pap'
>radius_xlat:  'INSERT into radpostauth (id, user, pass, reply, date) values ('', 'test-pap', 'ngc0bqi', 'Access-Accept', '2008-01-15 20:33:58')'
>rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'test-pap', 'pw123', 'Access-Accept', '2008-01-15 20:33:58')
>rlm_sql (sql): Reserving sql socket id: 2
>rlm_sql (sql): Released sql socket id: 2
>++[sql] returns ok
>+- group post-auth returns ok
>Sending Access-Accept of id 163 to 7.7.7.1 port 32790
>############# Here is when radius server send "items reply" to radiusclient #################
>        Upstream-Speed = 800      ######## attribute in radreply ########
>        Downstream-Speed = 800    ###### attribute in radreply ########
>Finished request 0 state 5
>Going to the next request
>rad_recv: Accounting-Request packet from host 7.7.7.1 port 32790, id=164, length=101
>        Acct-Session-Id = "478D34D61E1F00"
>        User-Name = "test-pap"
>        Acct-Status-Type = Start
>        Service-Type = Framed-User
>        Framed-Protocol = PPP
>        Acct-Authentic = RADIUS
>        NAS-Port-Type = Virtual
>        Framed-IP-Address = 7.7.7.123
>        NAS-IP-Address = 7.7.7.1
>        NAS-Port = 0
>        Acct-Delay-Time = 0
>  Processing the preacct section of radiusd.conf
>+- entering group preacct
>++[preprocess] returns ok
>rlm_acct_unique: Hashing 'NAS-Port = 0,Framed-IP-Address = 7.7.7.123,NAS-IP-Address = 7.7.7.1,Acct-Session-Id = "478D34D61E1F00",User-Name = "test-pap"'
>rlm_acct_unique: Acct-Unique-Session-ID = "a5e052f9f07c2f6f".
>++[acct_unique] returns ok
>+- group preacct returns ok
>  Processing the accounting section of radiusd.conf
>+- entering group accounting
>radius_xlat:  '/usr/local/var/log/radius/radacct/7.7.7.1/detail-20080115'
>rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/7.7.7.1/detail-20080115
>radius_xlat:  'Tue Jan 15 20:33:58 2008'
>++[detail] returns ok
>radius_xlat:  '/usr/local/var/log/radius/radutmp'
>radius_xlat:  'test-pap'
>++[radutmp] returns ok
>radius_xlat:  'test-pap'
>rlm_sql (sql): sql_set_user escaped user --> 'test-pap'
>radius_xlat:  'INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('478D34D61E1F00', 'a5e052f9f07c2f6f', 'test-pap', '', '7.7.7.1', '0', 'Virtual', '2008-01-15 20:33:58', '0', '0', 'RADIUS', '', '', '0', '0', '', '', '', 'Framed-User', 'PPP', '7.7.7.123', '0', '0')'
>rlm_sql (sql): Reserving sql socket id: 1
>rlm_sql (sql): Released sql socket id: 1
>++[sql] returns ok
>radius_xlat:  'test-pap'
> attr_filter: Matched entry DEFAULT at line 12
>++[attr_filter.accounting_response] returns updated
>+- group accounting returns updated
>Sending Accounting-Response of id 164 to 7.7.7.1 port 32790
>Finished request 1 state 6
>Going to the next request
>Cleaning up request 1 ID 164 with timestamp +15
>Waking up in 4 seconds...
>Cleaning up request 0 ID 163 with timestamp +15
>Nothing to do.  Sleeping until we see a request.
>################################
>The freeradius documentation says (http://wiki.freeradius.org/Rlm_sql):
>
>Search the radcheck table for any check attributes specific to the user
>
>If check attributes are found, and there's a match, pull the reply items
>from the radreply table for this user and add them to the reply
>
>Group processing then begins if any of the following conditions are met:
>
>- The user IS NOT found in radcheck
>- The user IS found in radcheck, but the check items don't match
>- The user IS found in radcheck, the check items DO match AND
>  Fall-Through is set in the radreply table
>- The user IS found in radcheck, the check items DO match AND the
>  read_groups directive is set to 'yes'
>
>If groups are to be processed for this user, the first thing that is done
>is the list of groups this user is a member of is pulled from the usergroup
>table ordered by the priority field. The priority field of the usergroup
>table allows us to control the order in which groups are processed, so that
>we can emulate the ordering in the users file.
>###################
>My case matches the last condition: the user is found in radcheck, the
>check items DO match AND the read_groups directive is set to 'yes'. But...
>I've tested read_groups and it doesn't work. I made an invalid directive
>and it is ignored by radiusd; it doesn't appear in the debug log.
>read_groups doesn't either. I have tested Fall-Through in radreply and it
>works, but it doesn't load the radgroupreply table. I need this table,
>because its attributes are replied to the radiusclient, and my scripts on
>the NAS side can work with it. Note: freeradius 1.3 doesn't have the
>read_groups directive, but all tables are loaded.
>--------------------------------------------------------------------------------
>OK, can we see database entries for a user (and group he belongs to) and
>the debug of the access request? Or should I get my crystal ball back from
>the polisher?
>
>Ivan Kalik
>Kalik Informatika ISP
>
>On 15/1/2008, "Arlinelson Fernandes dos Santos" wrote:
>
> >Yes! I did. And I put attributes into all tables check and reply.
>--------------------------------------------------------------------------------
>Did you put something in usergroup table to link users and groups?

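The username mismatch pointed out at the top of this message can be found mechanically. The following is an added example, not part of the original post or of FreeRADIUS: it loads the rows quoted above into an in-memory SQLite database and checks radusergroup against radcheck. The function names are hypothetical, and the join is a simplified stand-in for rlm_sql's configurable group queries.

```python
import sqlite3
from difflib import get_close_matches

# Rows copied from the tables quoted in the thread.
RADCHECK = [(3, "test-pap", "Cleartext-Password", ":=", "pw123")]
RADUSERGROUP = [("teste-pap", "f_pppoe_250k", 1)]
RADGROUPREPLY = [
    (13, "f_pppoe_250k", "Framed-Protocol", "=", "PPP"),
    (14, "f_pppoe_250k", "Framed-MTU", "=", "1492"),
    (15, "f_pppoe_250k", "Framed-Compression", "=", "Van-Jacobsen-TCP-IP"),
    (16, "f_pppoe_250k", "Service-Type", "=", "Framed-User"),
]

def build_db():
    """In-memory stand-in for the RADIUS SQL schema (assumed column types)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radcheck (id INTEGER, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
        CREATE TABLE radusergroup (UserName TEXT, GroupName TEXT, priority INTEGER);
        CREATE TABLE radgroupreply (id INTEGER, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
    """)
    db.executemany("INSERT INTO radcheck VALUES (?,?,?,?,?)", RADCHECK)
    db.executemany("INSERT INTO radusergroup VALUES (?,?,?)", RADUSERGROUP)
    db.executemany("INSERT INTO radgroupreply VALUES (?,?,?,?,?)", RADGROUPREPLY)
    return db

def group_reply_for(db, user):
    """Reply attributes the user inherits through radusergroup, in priority order."""
    return db.execute(
        "SELECT r.Attribute, r.Value FROM radusergroup u "
        "JOIN radgroupreply r ON r.GroupName = u.GroupName "
        "WHERE u.UserName = ? ORDER BY u.priority, r.id", (user,)).fetchall()

def orphaned_memberships(db):
    """radusergroup rows with no matching radcheck user, plus the closest known name."""
    known = [row[0] for row in db.execute("SELECT DISTINCT UserName FROM radcheck")]
    rows = db.execute(
        "SELECT u.UserName, u.GroupName FROM radusergroup u "
        "LEFT JOIN radcheck c ON c.UserName = u.UserName "
        "WHERE c.UserName IS NULL").fetchall()
    return [(user, group, get_close_matches(user, known, n=1, cutoff=0.8))
            for user, group in rows]

if __name__ == "__main__":
    db = build_db()
    print("group reply for test-pap:", group_reply_for(db, "test-pap"))
    print("orphaned memberships:", orphaned_memberships(db))
```

A membership row without a radcheck entry is not always an error, since users can be authorized through groups alone; the near-match suggestion is what separates a likely typo from an intentional group-only user.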



More information about the Freeradius-Users mailing list