Default behavior for users not in any group
Maxim S. Denisov
kbessmertniy at gmail.com
Tue Oct 12 15:19:25 CEST 2010
Hello.
On 12.10.2010, at 13:54, Alan Buxey wrote:
>> I have freeradius 2.1.6 with rlm_sql_oracle. There are plenty of users in the radcheck table and several of them are members of a group. As stated in the comments in dialup.conf, all other users are members of the group DEFAULT, if I understood it right. I put the fields DEFAULT Auth-Type := Reject in the radgroupcheck table, but it seems that radius doesn't process the group checks if there is no explicit group record for the user in the radusergroup table, even if I set read_groups. The radius accepts the requests if the username and password match.
>> How can I reject users not stated in the group without explicitly assigning them to the DEFAULT group in radusergroup?
>
> if you run briefly in full debug mode - ie 'radiusd -X' and then spend some time
> with a coffee or herbal tea or Jolt..or whatever - you can read exactly what the
> server is doing...you can watch and dissect its logic and see exactly why
> it's not doing what you want. then you can change it :-)
I have already checked the debug output and saw that radiusd doesn't check the radgroupcheck table if the username is not associated with any group in radusergroup. I have the record DEFAULT Auth-Type := Reject in the radgroupreply table, and if I explicitly associate the user with the DEFAULT group I am getting the reject. This is the output of radiusd -X -f:
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{Stripped-User-Name} ->
[sql] expand: %{User-Name} -> 1001
[sql] expand: %{%{User-Name}:-DEFAULT} -> 1001
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> 1001
[sql] sql_set_user escaped user --> '1001'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '1001' ORDER BY id
SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '1001' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '1001' ORDER BY id
SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '1001' ORDER BY id
[sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM radusergroup WHERE UserName='1001'
SELECT GroupName FROM radusergroup WHERE UserName='1001'
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "temp"
[pap] Using clear text password "temp"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 62 to 10.0.0.1 port 1025
How can I reject the users not listed in any group?
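The lookup sequence in the debug output above, as an added example that is not part of this thread or of FreeRADIUS itself: a Python/sqlite3 model of the radcheck, radusergroup and radgroupcheck tables with constructed sample rows (user 1001 as in the debug output, plus a user 1002 that does have a group row). It runs the same group membership query that appears in the debug output, with the DB-API `?` placeholder standing in for `%{SQL-User-Name}`, and shows why an empty group list means the DEFAULT group's Auth-Type := Reject is never consulted. The second membership query, which appends DEFAULT when the user has no radusergroup row, is an assumption of this example for illustration, not something taken from the thread or from the stock dialup.conf.

```python
import sqlite3

# Constructed sample data (not from the thread): a subset of the FreeRADIUS SQL schema
# as used by the queries in the debug output. User 1001 has no radusergroup row,
# user 1002 is in group "staff"; only the DEFAULT group carries Auth-Type := Reject.
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radusergroup (UserName TEXT, GroupName TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
INSERT INTO radcheck VALUES (1, '1001', 'Cleartext-Password', ':=', 'temp');
INSERT INTO radcheck VALUES (2, '1002', 'Cleartext-Password', ':=', 'secret');
INSERT INTO radusergroup VALUES ('1002', 'staff', 1);
INSERT INTO radgroupcheck VALUES (1, 'DEFAULT', 'Auth-Type', ':=', 'Reject');
"""

# The group membership query as it appears in the debug output, with the DB-API
# placeholder standing in for %{SQL-User-Name}. It returns no rows for 1001.
STOCK_MEMBERSHIP_QUERY = "SELECT GroupName FROM radusergroup WHERE UserName = ?"

# Assumed alternative (illustration only, not from the thread or from dialup.conf):
# a membership query that yields DEFAULT whenever the user has no radusergroup row.
FALLBACK_MEMBERSHIP_QUERY = """
SELECT GroupName FROM radusergroup WHERE UserName = ?
UNION ALL
SELECT 'DEFAULT' WHERE NOT EXISTS (SELECT 1 FROM radusergroup WHERE UserName = ?)
"""


def open_sample_db():
    """Create an in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def groups_for(conn, username, membership_query):
    """Run the membership query; the same user name fills every placeholder."""
    params = (username,) * membership_query.count("?")
    return [row[0] for row in conn.execute(membership_query, params)]


def authorize(conn, username, password, membership_query):
    """Model of the decision path seen in the debug output: radcheck lookup, then
    per-group radgroupcheck items (skipped entirely when no group is returned),
    then a PAP-style cleartext password comparison."""
    radcheck = conn.execute(
        "SELECT Attribute, op, Value FROM radcheck WHERE UserName = ? ORDER BY id",
        (username,),
    ).fetchall()
    if not radcheck:
        return "Access-Reject (user not found in radcheck)"
    check_items = {attr: value for attr, _op, value in radcheck}

    # With the stock query this list is empty for 1001, so the loop body never runs
    # and the DEFAULT group's Auth-Type := Reject is never consulted.
    for group in groups_for(conn, username, membership_query):
        group_items = conn.execute(
            "SELECT Attribute, op, Value FROM radgroupcheck WHERE GroupName = ? ORDER BY id",
            (group,),
        ).fetchall()
        for attr, _op, value in group_items:
            if attr == "Auth-Type" and value == "Reject":
                return "Access-Reject (Auth-Type := Reject from group %s)" % group

    if check_items.get("Cleartext-Password") == password:
        return "Access-Accept"
    return "Access-Reject (password mismatch)"


if __name__ == "__main__":
    db = open_sample_db()
    for query_name, query in (("stock", STOCK_MEMBERSHIP_QUERY),
                              ("fallback", FALLBACK_MEMBERSHIP_QUERY)):
        for user, pw in (("1001", "temp"), ("1002", "secret")):
            print("%-8s %s -> %s" % (query_name, user, authorize(db, user, pw, query)))
```

With the stock query, 1001/temp ends in Access-Accept exactly as the debug output shows, because the group loop has nothing to iterate; with the fallback query the same user lands in DEFAULT and is rejected, while 1002 keeps its own group and is unaffected. The bare `SELECT 'DEFAULT' WHERE NOT EXISTS (...)` is SQLite syntax; on Oracle the same idea needs `FROM DUAL`, and whether such a query is an acceptable replacement for the membership query in a given FreeRADIUS version is something to confirm against that version's dialup.conf rather than assume from this model.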