Checking NAS-Identifier in the radgroupcheck table
super_tomtom
super_tomtom at hotmail.com
Thu Oct 2 10:36:29 CEST 2008
Ok... so, here is my DB structure :
Table radgroupcheck :
+----+-----------+----------------+----+-------+
| id | groupname | attribute | op | value |
+----+-----------+----------------+----+-------+
| 4 | hotel1 | Auth-Type | := | Local |
| 5 | hotel1 | NAS-Identifier | == | LMS1 |
+----+-----------+----------------+----+-------+
Table radusergroup :
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| user1 | hotel1 | 1 |
+----------+-----------+----------+
Table radcheck:
+----+----------+--------------------+----+----------------------------------+
| id | username | attribute | op | value
|
+----+----------+--------------------+----+----------------------------------+
| 33 | user1 | Cleartext-Password | := | 5f4dcc3b5aa765d61d8327deb882cf99
|
+----+----------+--------------------+----+----------------------------------+
Now when I log in with user1 from a NAS identified by "LMS2", here is the
radius output :
rad_recv: Access-Request packet from host 127.0.0.1 port 32782, id=37,
length=225
Vendor-14559-Attr-8 = 0x312e302e3132
User-Name = "user1"
CHAP-Challenge = 0xdb7c1d07effaa75dc2a70e21957a6c16
CHAP-Password = 0x003d1437701d38d34412b7379d215605df
NAS-IP-Address = 10.101.0.1
Service-Type = Login-User
Framed-IP-Address = 10.101.101.1
Calling-Station-Id = "00-1D-09-50-17-B2"
Called-Station-Id = "00-1E-4F-DF-E2-58"
NAS-Identifier = "LMS2"
Acct-Session-Id = "48e484ab00000002"
NAS-Port-Type = Wireless-802.11
NAS-Port = 2
WISPr-Logoff-URL = "http://10.101.0.1:3990/logoff"
Message-Authenticator = 0x88ff270956703c81baa051c0bc3965fc
+- entering group authorize
++[preprocess] returns ok
rlm_chap: Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> user1
rlm_sql (sql): sql_set_user escaped user --> 'user1'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'user1' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'user1' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username = 'user1'
ORDER BY priority
expand: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'hotel1' ORDER BY
id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type CHAP
auth: type "CHAP"
+- entering group CHAP
rlm_chap: login attempt by "user1" with CHAP password
rlm_chap: Using clear text password "5f4dcc3b5aa765d61d8327deb882cf99" for
user user1 authentication.
rlm_chap: chap user user1 authenticated succesfully
++[chap] returns ok
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 37 to 127.0.0.1 port 32782
Now as you can see, the radgroupcheck parameter NAS-Identifier == LMS1 did
not mismatch... why ?
super_tomtom wrote:
>
> Hi !
> I am actually setting up a freeradius server that will manage
> authentication from different places (hotels actually).
> I am just a beginner toward that technology, and i have one problem :
> I need to create some accounts that can be enabled at different places:
> for example you have an account in a hotel in London, then you could use
> the same account in another hotel of the same chain in ... Madrid for
> example.
> But, you could not not use this account in another hotel using the same
> solution (all my hotels will talk to the same freeradius server).
> ... I hope you understand my English, sorry about that...
> So here is the point: I need to check for each account in the radcheck
> table where does the Access-Request comes from. As some of the NAS will
> get their IP dynamically from their ISP, I cannot use the NAS-IP-Address
> parameter, so I would like to use the NAS-Identifier.
> As some of my accounts could be active for requests coming from several
> NAS, I thought I could use the radgroupcheck table, in a way like that :
>
> radgroupcheck table :
> groupname | attribute | op | value
> myGroup | NAS-Identifier | == | myNASName
>
> This parameter works in the radcheck tables, if the request comes from a
> wrong NAS Identifier freeradius sends a Access-Reject, but in the
> radgroupcheck table, nothing happens ...
>
> Does anyone have an idea about that ?
> Thanks !
>
>
>
--
View this message in context: http://www.nabble.com/Checking-NAS-Identifier-in-the-radgroupcheck-table-tp19763949p19775361.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
More information about the Freeradius-Users
mailing list