SV: Make sense of SQL Huntgroup HOWTO?

Michael Hartwick hcc.lists at gmail.com
Fri Dec 18 22:26:32 CET 2015



On 2015-12-18 15:55, Joel Bergmark wrote:
> I copy pasted the rules as you wrote them but they didn't work it allows a user defined as 2ndline to log on to equipment that’s 3rdline. I'm not enjoying to not be as clear as I would normally be, I work with networks, not so much freeradius or coding.
>
> This is what I ran:
>
>          update request {
>                  Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
>          }
>          if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) {
>                  reject
>          }
>
>
> Debuginfo:
>
> rad_recv: Access-Request packet from host 46.23X.XX.170 port 1645, id=118, length=66
>          User-Name = "bl"
>          User-Password = "asdfasdf"
>          NAS-Port = 1
>          NAS-Port-Id = "tty1"
>          NAS-Port-Type = Virtual
>          NAS-IP-Address = 46.23X.XX.170
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> sql_xlat
>          expand: %{User-Name} -> bl
> sql_set_user escaped user --> 'bl'
>          expand: SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}' -> SELECT groupname FROM radhuntgroup WHERE nasipaddress='46.23X.XX.170'
> rlm_sql (sql): Reserving sql socket id: 3
> sql_xlat finished
> rlm_sql (sql): Released sql socket id: 3
>          expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} -> Noc
> ++[request] returns notfound
> ++? if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline"))
> ?? Evaluating (Huntgroup-Name == "2ndline") -> FALSE

Huntgroup-Name != 2ndline so the whole condition is false. The debug 
information shows you this. From the 20 seconds I looked at this I 
suspect the SQL is returning nothing.
> ?? Skipping (SQL-Group != "2ndline")
> ++? if ((Huntgroup-Name == "2ndline") && (SQL-Group != "2ndline")) -> FALSE
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "bl", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [sql]   expand: %{User-Name} -> bl
> [sql] sql_set_user escaped user --> 'bl'
> rlm_sql (sql): Reserving sql socket id: 2
> [sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'bl'           ORDER BY id
> [sql] User found in radcheck table
> [sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'bl'           ORDER BY id
> [sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'bl'           ORDER BY priority
> [sql]   expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '2ndline'           ORDER BY id
> rlm_sql (sql): Released sql socket id: 2
> ++[sql] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns updated
> Found Auth-Type = PAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group PAP {...}
> [pap] login attempt with password "asdfasdf"
> [pap] Using clear text password "asdfasdf"
> [pap] User authenticated successfully
> ++[pap] returns ok
>
> I expected to get reject on this login, but thats not happening, so I clearly don't understand all elements in this.
>
> I just want this to work, http://wiki.freeradius.org/guide/SQL%20Huntgroup%20HOWTO
> "Suppose you want to only allow the group site_a_admins to be used when logging into a NAS' at site_a . Assuming example_user was already a member of site_a_admins, you would follow the steps below."
>
> Or even better to allow 3rdline users to login to everything and 2ndline users to login to some equipment.
>
> Regards, Joel
>
> -----Ursprungligt meddelande-----
> Från: Freeradius-Users [mailto:freeradius-users-bounces+joel.bergmark=t3.se at lists.freeradius.org] För Alan DeKok
> Skickat: den 18 december 2015 21:43
> Till: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Ämne: Re: Make sense of SQL Huntgroup HOWTO?
>
> On Dec 18, 2015, at 3:38 PM, Joel Bergmark <joel.bergmark at t3.se> wrote:
>> I'm not sure I have been clear enough.
>>
>> If conditions below is achieved ie, it's determined that user is 2ndline and nas is 3rdline then it's supposed to be rejected? If so then its not working since the radius allows access.
>    The server does not have these rules by default.  If the rules you created don't do what you want, it's because the rules are wrong.
>
>> If not, then I probably haven’t made myself understood, if user is recognized as 2ndline attempting to login to something belonging to 3rdline it should be rejected.
>    Sure.
>
>> Perhaps something more like this would work as described?
>>
>>         update request {
>>                 Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
>>         }
>>                 if ((Huntgroup-Name == "2ndline" || SQL-Group != "2ndline")) {
>>                 reject
>>         }
>    No.  That does NOT do what you want.
>
>    Why not use the rules I put in my previous message?  Are you changing them... just because?  Do you understand what they did?  Do you understand the difference between what I posted, and what you posted here?
>
>    Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



More information about the Freeradius-Users mailing list