RADIUS does not send reply for all groups the user is a member of
Det Det
det.explorer at yahoo.com
Tue Aug 23 08:53:30 CEST 2011
Hi there,
here are the SQL and debug logs from radius.
mysql> select * from radusergroup;
+---------------------------+-----------+----------+
| username | groupname | priority |
+---------------------------+-----------+----------+
| user1 at mydomain.com | defgroup | 1 |
| user1 at mydomain.com | dynamic | 1 |
+---------------------------+-----------+----------+
mysql> select * from radcheck;
+-------+---------------------------+----------------+----+------------------------------------+
| id | username | attribute | op | value |
+-------+---------------------------+----------------+----+------------------------------------+
| 72766 | user1 at mydomain.com | Crypt-Password | := | $1$7l.zLR5h$8ahKvbTht98HuOHOXWI7v0 |
+-------+---------------------------+----------------+----+------------------------------------+
mysql> select * from radreply;
Empty set (0.00 sec)
mysql> select * from radgroupcheck;
Empty set (0.00 sec)
mysql> select * from radgroupreply;
+----+-----------+-------------------+----+-----------------+
| id | groupname | attribute | op | value |
+----+-----------+-------------------+----+-----------------+
| 1 | defgroup | Framed-MTU | = | 1500 |
| 2 | defgroup | Service-Type | = | Framed-User |
| 3 | defgroup | Port-Limit | = | 1 |
| 7 | dynamic | Framed-IP-Netmask | = | 255.255.255.255 |
| 6 | dynamic | Framed-IP-Address | = | 255.255.255.254 |
+----+-----------+-------------------+----+-----------------+
rad_recv: Access-Request packet from host 127.0.0.1 port 60675, id=90, length=76
User-Name = "user1 at mydomain.com"
User-Password = "xxx"
NAS-IP-Address = 10.10.11.95
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "mydomain.com" for User-Name = "user1 at mydomain.com"
[suffix] No such realm "mydomain.com"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{User-Name} -> user1 at mydomain.com
[sql] sql_set_user escaped user --> 'user1 at mydomain.com'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user1 at mydomain.com' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user1 at mydomain.com' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'user1 at mydomain.com' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'user1 at mydomain.com' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'user1 at mydomain.com' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'user1 at mydomain.com' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'defgroup' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'defgroup' ORDER BY id
[sql] User found in group defgroup
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'defgroup' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'defgroup' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "xxx"
[pap] Using CRYPT encryption.
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 90 to 127.0.0.1 port 60675
Framed-MTU = 1500
Service-Type = Framed-User
Port-Limit = 1
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 90 with timestamp +12
Ready to process requests.
And also what does this line for item 5 in rlm_sql mean? What match is it referring to?
If there is a match, the reply items for this group are pulled from the radgroupreply table and applied.
thanks,
det
________________________________
From: Fajar A. Nugraha <list at fajar.net>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Tuesday, August 23, 2011 1:35 PM
Subject: Re: RADIUS does not send reply for all groups the user is a member of
On Tue, Aug 23, 2011 at 12:23 PM, Det Det <det.explorer at yahoo.com> wrote:
> Hi,
> user1 is a member of group1 and group2. both group1 and group2 have replies
> in radgroupreply table.
> when freeradius queries radusergroup, it will only get the first group the
> user is a member of and will proceed to get the reply attributes for that
> group as below.
> query1: SELECT groupname FROM radusergroup WHERE
> username = 'user1 at domain.com' ORDER BY priority
> query2: SELECT id, groupname, attribute, value, op FROM
> radgroupreply WHERE groupname = 'group1' ORDER BY id
> from the debug, it does not do this query
> query3: SELECT id, groupname, attribute, value, op FROM
> radgroupreply WHERE groupname = 'group2' ORDER BY id
> any idea why?
> I am very sure that query 1 returns more than one value (that is 2 groups,
> group1 and group2)
If you want more help, you need to provide more output from debug log,
and (possibly) what's in the radusergroup/radgroupcheck/radgroupreply.
In the meantime, see doc/rlm_sql. A snippet from that file:
5. For each group this user is a member of, the corresponding check items
are pulled from radgroupcheck table and compared with the request. If
there is a match, the reply items for this group are pulled from the
radgroupreply table and applied.
6. Processing continues to the next group IF:
a. There was not a match for the last group's check items OR
b. Fall-Through was set in the last group's reply items
(The above is exactly the same as in the users file)
--
Fajar
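A small model of the group walk that the quoted doc/rlm_sql steps 5 and 6 describe, written as an added example for this thread and not taken from FreeRADIUS itself: it replays the radusergroup/radgroupcheck/radgroupreply rows from det's SQL output and shows why only defgroup's reply items reach the Access-Accept, and how a Fall-Through reply item in defgroup would make the dynamic group's items apply as well. It assumes check items compare by plain equality and that Fall-Through is stored as an ordinary radgroupreply row, both simplifications of the real module.

```python
# Model of the rlm_sql group walk (added example, not FreeRADIUS code).
# Tables below are constructed from the SQL output quoted in this thread;
# "user1 at mydomain.com" is written as a real address here.

# radusergroup: (username, groupname, priority)
RADUSERGROUP = [
    ("user1@mydomain.com", "defgroup", 1),
    ("user1@mydomain.com", "dynamic", 1),
]
# radgroupreply: (groupname, attribute, op, value)
RADGROUPREPLY = [
    ("defgroup", "Framed-MTU", "=", "1500"),
    ("defgroup", "Service-Type", "=", "Framed-User"),
    ("defgroup", "Port-Limit", "=", "1"),
    ("dynamic", "Framed-IP-Netmask", "=", "255.255.255.255"),
    ("dynamic", "Framed-IP-Address", "=", "255.255.255.254"),
]
# radgroupcheck is empty in the thread: (groupname, attribute, value)
RADGROUPCHECK = []


def check_items_match(group, request, groupcheck):
    """Step 5: compare the group's check items with the request.
    Assumption: plain equality; a group with no check items always matches."""
    items = [(a, v) for g, a, v in groupcheck if g == group]
    return all(request.get(a) == v for a, v in items)


def group_replies(user, request, usergroup=RADUSERGROUP,
                  groupcheck=RADGROUPCHECK, groupreply=RADGROUPREPLY):
    """Walk the user's groups in priority order; return (reply attrs, groups visited)."""
    groups = [g for u, g, _ in sorted(usergroup, key=lambda r: r[2]) if u == user]
    reply, visited = {}, []
    for group in groups:
        visited.append(group)
        matched = check_items_match(group, request, groupcheck)
        fall_through = False
        if matched:  # apply this group's radgroupreply rows
            for g, attr, _op, value in groupreply:
                if g != group:
                    continue
                if attr == "Fall-Through":  # modelled as a reply row, value Yes/No
                    fall_through = value.lower() == "yes"
                else:
                    reply[attr] = value
        # Step 6: go on to the next group only on no-match or Fall-Through
        if matched and not fall_through:
            break
    return reply, visited
```

With the thread's tables as they stand, defgroup has no check items, so it matches, its three attributes are applied, and the walk stops before dynamic, which is exactly what the debug output shows.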