Checkval

Vik21 vik.antunes at gmail.com
Thu Jun 4 15:26:47 CEST 2009


Hello!

I am trying to get checkval to work with radgroupcheck, however without
success. My problem is that in radcheck, if Calling-Station-Id is not met,
it rejects the user (just like I want it to), but in radgroupcheck, if
the Calling-Station-Id is not met, freeradius sends an Access-Accept anyway (I
want it to reject).

My checkval:

checkval {
        # The attribute to look for in the request
        item-name = Calling-Station-Id

        # The attribute to look for in check items. Can be multi valued
        check-name = Calling-Station-Id

        # The data type. Can be
        # string,integer,ipaddr,date,abinary,octets
        data-type = string

        # If set to yes and we don't find the item-name attribute in the
        # request then we send back a reject
        # DEFAULT is no
        notfound-reject = yes
}

Part of my radius log:

rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-21-00-33-B1-88
rlm_checkval: Could not find attribute named Calling-Station-Id in check
pairs
++[checkval] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
	expand: %{User-Name} -> vitor33
[sql] sql_set_user escaped user --> 'vitor33'
	expand: %{User-Password} -> 
	expand: INSERT INTO radpostauth (username, pass, reply, authdate)   VALUES
('%{User-Name}', '%{%{User-Password}:-Chap-Password}',
'%{reply:Packet-Type}', NOW()) -> INSERT INTO radpostauth (username, pass,
reply, authdate)   VALUES ('vitor33', 'Chap-Password', 'Access-Accept',
NOW())
	expand: /var/log/freeradius/sqltrace.sql ->
/var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username,
pass, reply, authdate)   VALUES ('vitor33', 'Chap-Password',
'Access-Accept', NOW())
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_postgresql: query: INSERT INTO radpostauth (username, pass, reply,
authdate)   VALUES ('vitor33', 'Chap-Password', 'Access-Accept', NOW())
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
} # server inner-tunnel
[ttls] Got tunneled reply code 2
	EAP-Message = 0x03010004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "vitor33"
[ttls] Got tunneled Access-Accept
[eap] Freeing handler
rlm_eap_ttls: Freeing handler for user vitor33
++[eap] returns ok
+- entering group post-auth {...}
	expand: %{User-Name} -> vitor33
[sql] sql_set_user escaped user --> 'vitor33'
	expand: %{User-Password} -> 
	expand: INSERT INTO radpostauth (username, pass, reply, authdate)   VALUES
('%{User-Name}', '%{%{User-Password}:-Chap-Password}',
'%{reply:Packet-Type}', NOW()) -> INSERT INTO radpostauth (username, pass,
reply, authdate)   VALUES ('vitor33', 'Chap-Password', 'Access-Accept',
NOW())
	expand: /var/log/freeradius/sqltrace.sql ->
/var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username,
pass, reply, authdate)   VALUES ('vitor33', 'Chap-Password',
'Access-Accept', NOW())
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_postgresql: query: INSERT INTO radpostauth (username, pass, reply,
authdate)   VALUES ('vitor33', 'Chap-Password', 'Access-Accept', NOW())
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 19 to 192.168.100.2 port 32773
	MS-MPPE-Recv-Key =
0x5b81c8ead986cb6408398bc0a2e3bef7457500dd6b8504be9d63a097679ee0d8
	MS-MPPE-Send-Key =
0x4da2d778e0ffa8bddaf4e989a5b34e69e29266ff830134df8c2f03ca8d21bbe7
	EAP-Message = 0x03070004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "vitor33"
Finished request 7.

My radgroupcheck table:
4;"testgroup";"Simultaneous-Use";":=";"1"
7;"testgroup";"Calling-Station-Id";"==";"00-00-00-00-00-11"

My radusergroup table:
"admin";"testgroup";0
"vitor33";"testgroup";0


Can anyone help me?

Thanks in advance.

edit: If I add the line "Auth-Type := Reject" for the same group in
radgroupcheck, freeradius keeps sending Access-Accept when it should send
Access-Reject, right?
-- 
View this message in context: http://www.nabble.com/Checkval-tp23867006p23867006.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
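
Added example, not part of the original post or of FreeRADIUS: a Python check that scans FreeRADIUS debug output for requests where the checkval instance returned "notfound" and the server still sent Access-Accept, which is the pattern visible in the trace above. The sample log is constructed, and the function name find_fail_open and the instance name "checkval" are assumptions.

```python
import re

# Constructed sample in the shape of the debug trace in the post (values made up).
SAMPLE_LOG = """\
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-21-00-33-B1-88
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
++[pap] returns noop
Sending Access-Accept of id 19 to 192.0.2.10 port 32773
Finished request 7.
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-00-00-00-00-11
++[checkval] returns ok
Sending Access-Accept of id 20 to 192.0.2.10 port 32773
Finished request 8.
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-21-00-33-B1-99
++[checkval] returns notfound
Sending Access-Reject of id 21 to 192.0.2.10 port 32773
Finished request 9.
"""

ITEM_RE = re.compile(r"^rlm_checkval: Item Name: (\S+), Value: (\S+)")
RET_RE = re.compile(r"^\++\[([\w.-]+)\] returns (\w+)")
SEND_RE = re.compile(r"^Sending (Access-\w+) of id \d+")
DONE_RE = re.compile(r"^Finished request (\d+)\.")


def find_fail_open(log_text, module="checkval"):
    """Return requests where `module` returned notfound yet Access-Accept was sent."""
    findings, cur = [], {"rcodes": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := ITEM_RE.match(line):
            # Attribute and value taken from the request by rlm_checkval.
            cur["attr"], cur["value"] = m.groups()
        elif (m := RET_RE.match(line)) and m.group(1) == module:
            # Keep every return code: inner-tunnel and outer passes may both run it.
            cur["rcodes"].append(m.group(2))
        elif m := SEND_RE.match(line):
            cur["reply"] = m.group(1)
        elif m := DONE_RE.match(line):
            if "notfound" in cur["rcodes"] and cur.get("reply") == "Access-Accept":
                findings.append({"request": int(m.group(1)), **cur})
            cur = {"rcodes": []}  # reset state for the next request
    return findings


if __name__ == "__main__":
    for f in find_fail_open(SAMPLE_LOG):
        print(f"request {f['request']}: {f.get('attr')}={f.get('value')} "
              f"not checked, reply {f['reply']}")
```
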



