rlm_checkval and Hint attribute

Tony Peña emperor.cu at gmail.com
Fri Mar 22 18:48:50 CET 2013

Hi again...
I'm starting to get some confused ideas about this...

I use 3 checkvals.

1 for Calling-Station-Id
2 for Called-Station-Id
and 3 for Hints

and in the hints file I set up my hint domains and filters so that the
correct ACL / IP pool can be applied for the suffix.

I also have radiusHints and radiusFilterId in my OpenLDAP db.

Now, my question is: why, if Hint is not found in the RADIUS query, does it
continue checking the rest of the values, while with checkvals 1 or 2 it
works fine??

So if some user uses another hint, RADIUS sends an Access-Accept, and not the
reject it sends for Calling/Called-Station-Id, which work fine with that.

Simple debug:

[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=gtm478)
[ldap]  expand: ou=institute,ou=users,dc=sld,dc=cu ->
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=institute,ou=users,dc=domain,dc=com, with
filter (uid=gtm478)
  [ldap] performing search in
cn=users.ppp,ou=profiles,ou=radius,ou=services,dc=domain,dc=com, with
filter (objectclass=radiusprofile)
  [ldap] radiusCalledStationId -> Called-Station-Id == "999999"
  [ldap] radiusCalledStationId -> Called-Station-Id == "888888"
  [ldap] radiusCalledStationId -> Called-Station-Id == "111111"
  [ldap] extracted attribute Max-Monthly-Session from generic item
Max-Monthly-Session := 90000
  [ldap] radiusIdleTimeout -> Idle-Timeout = 300
  [ldap] radiusSessionTimeout -> Session-Timeout = 7200
  [ldap] radiusFramedCompression -> Framed-Compression = Van-Jacobson-TCP-IP
  [ldap] radiusFramedMTU -> Framed-MTU = 576
  [ldap] radiusFilterId -> Filter-Id = "general.in"
  [ldap] radiusFramedProtocol -> Framed-Protocol = PPP
  [ldap] radiusServiceType -> Service-Type = Framed-User
[ldap] Added User-Password = {CRYPT}$1$passwordcrypted in check items
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "{CRYPT}$1$cryptedpassword"
  [ldap] radiusCallingStationId -> Calling-Station-Id == "111111"
[ldap] looking for reply items in directory...
[ldap] user gtm478 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
rlm_checkval: Item Name: Calling-Station-Id, Value: 111111
rlm_checkval: Value Name: Calling-Station-Id, Value: 111111
++[checkval1] returns ok
rlm_checkval: Item Name: Called-Station-Id, Value: 88888
rlm_checkval: Value Name: Called-Station-Id, Value: 999999
rlm_checkval: Value Name: Called-Station-Id, Value: 88888
++[checkval2] returns ok
rlm_checkval: Item Name: Hint, Value: userdefault
*rlm_checkval: Could not find attribute named Hint in check pairs*
*++[checkval3] returns notfound*

*I need to stop here and reject the user.*

++? if (User-Name =~ /^(.+)@institute.domain.com/)
? Evaluating (User-Name =~ /^(.+)@institute.domain.com/) -> TRUE
++? if (User-Name =~ /^(.+)@institute.domain.com/) -> TRUE
++- entering if (User-Name =~ /^(.+)@institute.domain.com/) {...}
rlm_sqlcounter: Entering module authorize code

*It should NOT continue.*

The users log on OK (with bad hints).
With hints it works fine.

Thanks in advance (I'll keep searching and trying while I wait).
Sorry for my bad English. O:-)

Antonio Peña
Secure email with PGP 0x8B021001 available at http://pgp.mit.edu
Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001
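The behaviour in the debug above is rlm_checkval's documented one: when the attribute it is told to compare against is absent from the check items, it returns "notfound", not "reject" or "fail", and an authorize section simply carries on to the next module, so a user whose LDAP entry lacks radiusHints is effectively exempt from the hint check (the check fails open). The unlang below is an added example of how to make it fail closed; it is not part of the original post nor of the FreeRADIUS project's default configuration. It assumes the three instance names used in the post (checkval1, checkval2, checkval3), that rlm_preprocess has already applied the hints file so Hint is present as a request attribute, and that the LDAP module has populated the check items before the checkval instances run.

```unlang
# Added example (not from the original post or the FreeRADIUS project).
# Assumed instance names: checkval1 = Calling-Station-Id,
# checkval2 = Called-Station-Id, checkval3 = Hint.
authorize {
    # preprocess applies the hints file, which is what sets Hint on the
    # request (the "Item Name: Hint, Value: userdefault" line in the debug).
    preprocess
    suffix

    # ldap copies radiusCallingStationId / radiusCalledStationId / radiusHints
    # from the user entry and profile into the check items.
    ldap

    checkval1
    if (notfound) {
        # No radiusCallingStationId in the directory for this user:
        # without this block the request would keep going.
        reject
    }

    checkval2
    if (notfound) {
        reject
    }

    checkval3
    if (notfound) {
        # This is the case from the debug: "Could not find attribute named
        # Hint in check pairs" returns notfound, and the request used to
        # fall through to sqlcounter and end in Access-Accept. Treating
        # notfound as reject closes that gap.
        reject
    }

    # Remaining authorize logic (sqlcounter etc.) only runs once all three
    # checkval instances have both found and matched their attributes.
    sqlcounter
}
```

With this layout every user entry must carry radiusCallingStationId, radiusCalledStationId and radiusHints, because a missing attribute is now a rejection rather than a pass; that is the intended trade-off of failing closed. The `if (notfound)` condition tests the return code of the module listed immediately before it, so each guard has to sit directly after its checkval instance.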
