using huntgroups to restrict users in particular groups

Root, Paul T Paul.Root at CenturyLink.com
Tue Jun 2 00:02:45 CEST 2020


Thanks for the help Alan!

It came down to attention to detail and thinking it through. Like you suggested, write it in English and convert.

Details below.

Paul.

-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+paul.root=centurylink.com at lists.freeradius.org> On Behalf Of Alan DeKok
Sent: Friday, May 29, 2020 4:13 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: using huntgroups to restrict users in particular groups

On May 29, 2020, at 2:53 PM, Root, Paul T via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>                I'm new to FreeRadius.   I've built a test server  with freeradius  3.0.13, mariadb 10.1.45, and daloradius 1.1-3 beta on CentOS 7.

  OK.

>                We are just starting into radius authentication. We just want it for logging into routers and switches for administration work.   What I need is to define multiple groups of devices - in huntgroups. And multiple groups of users. There may be a base group of users that should be allowed to any huntgroup. But mostly, one user group is to be specific to one hunt group.

   That should be possible.

>                I'm following the how-to for SQL-Huntgroups. https://wiki.freeradius.org/guide/SQL-Huntgroup-HOWTO
>
> MariaDB [radius]> select * from radhuntgroup;
> +----+-----------+-----------------+-----------+
> | id | groupname | nasipaddress    | nasportid |
> +----+-----------+-----------------+-----------+
> |  1 | group1    | 10.161.161.0/24 | 0         |
> |  2 | group2    | 10.139.63.0/24  | 0         |
> +----+-----------+-----------------+-----------+

  Netmasks really won't work there.  There's a reason the field is called "IP address".


Yeah I see that now. I was thinking of a 1 to 1 mapping of NAS to groups.


MariaDB [radius]> select * from radhuntgroup;
+----+-----------+-----------------+-----------+
| id | groupname | nasipaddress    | nasportid |
+----+-----------+-----------------+-----------+
|  1 | group1    | 10.161.161.0/24 | 0         |
|  2 | group2    | 10.139.63.0/24  | 0         |
|  3 | group1    | 10.161.169.154  | 0         |
|  4 | group2    | 10.139.63.13    | 0         |
|  5 | group2    | 127.0.0.1       | 0         |
+----+-----------+-----------------+-----------+
5 rows in set (0.00 sec)


Need to clean out the netmask entries.

Interestingly, I have my PC with NTRadPing for one test NAS, and then another Linux machine for another using radtest.
But the Linux machine matches localhost instead of its IP address. Must be something to do with radtest.

> MariaDB [radius]> select * from radusergroup;
> +----------+------------+----------+
> | username | groupname  | priority |
> +----------+------------+----------+
> | paul     | usergroup1 |        0 |
> | ptr      | usergroup2 |        0 |
> +----------+------------+----------+

I changed the groupnames to match the huntgroup names. I was trying to cheat with an if (SQL-Group == Huntgroup-Name). That's not allowed. That's fine.


> MariaDB [radius]> select * from radgroupcheck;
> +----+---------------------------+----------------+----+--------+
> | id | groupname                 | attribute      | op | value  |
> +----+---------------------------+----------------+----+--------+
> |  1 | daloRADIUS-Disabled-Users | Auth-Type      | := | Reject |
> |  2 | daloRADIUS-Disabled-Users | Auth-Type      | := | Reject |
> |  3 | usergroup1                | Huntgroup-Name | == | group1 |
> |  4 | usergroup2                | Huntgroup-Name | == | group2 |
> +----+---------------------------+----------------+----+--------+

  See the Wiki for how the SQL module works:  https://wiki.freeradius.org/modules/Rlm_sql

  That configuration just says "match user group 1 if hunt group name is group2".  It doesn't *do* anything with that result.

> However, both users can connect to either huntgroup.
>
> I must be missing something here. My impression is that this would be all that's needed. Maybe there is a configuration variable I missed?

  By default, FreeRADIUS authenticates all valid users, and allows them network access.  If you want something else, you have to write those policies.  So this isn't just "match group X", it's

        if user in group X
        and user is coming from hunt group Y
        then
                allow
        else
                reject

  i.e. write your policies as English first.  It should then be reasonably simple to convert them to "unlang".

> I also tried the update request to allow users groups/profiles to access a different has but if I edit sites-enables/defaults, I get an error trying to start radius.
>
>        update request {
>                Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress=='%{NAS-IP-Address}'}"
>
>                # only allow usergroup1 to group1
>                if (SQL-Group == "usergroup1") {
>                        if (Huntgroup-Name != "group1") {
>                                reject
>                        }
>                }
>        }
>
> /etc/raddb/sites-enabled/default[307]: Entry is not in "attribute = value" format

  That is the line with the "if" statement.

Found this, read it 50 times, and eventually you read what is there instead of what you think is there.

> That's simplified but pretty much straight out of the how-to.

  You've edited it to rearrange the braces.  The braces are important.


Yeah, I just read that wrong. I thought the if statement was supposed to be inside the update. Just read it wrong.

This is the working config:

        update request {
                Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
        }

        # only allow user in group1 to huntgroup group1
        if (SQL-Group == "group1" && Huntgroup-Name == "group1") {
                accept
        # only allow user in group2 to huntgroup group2
        } elsif (SQL-Group == "group2" && Huntgroup-Name == "group2") {
                accept
        # Other groups here, add as needed (template: quotes matched, and == so that
        # groupN users are accepted only on huntgroup groupN, as the comment above says)
#       } elsif (SQL-Group == "groupN" && Huntgroup-Name == "groupN") {
#               accept
        } else {
                reject
        }



  The "update" statement just contains "attribute = value".  It doesn't contain "if" or any other keyword.

  Rewrite that and post the debug output.

  Alan DeKok.

Here is success (user in proper group):
(4) Received Access-Request Id 30 from 10.161.169.154:58330 to 10.139.63.174:1812 length 45
(4)   User-Name = "paul"
(4)   CHAP-Password = 0x91b8679b702a5682c0d116d266ee8344a5
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4) sql: EXPAND %{User-Name}
(4) sql:    --> paul
(4) sql: SQL-User-Name set to 'paul'
rlm_sql (sql): Reserved connection (2)
(4) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(4) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'paul' ORDER BY id
(4) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'paul' ORDER BY id
(4) sql: User found in radcheck table
(4) sql: Conditional check items matched, merging assignment check items
(4) sql:   Cleartext-Password := "anotherPwd"
(4) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(4) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'paul' ORDER BY id
(4) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'paul' ORDER BY id
(4) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(4) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'paul' ORDER BY priority
(4) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'paul' ORDER BY priority
(4) sql: User found in the group table
(4) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(4) sql:    --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'group1' ORDER BY id
(4) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'group1' ORDER BY id
rlm_sql (sql): Released connection (2)
Need 1 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (9), 1 of 23 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.45-MariaDB, protocol version 10
(4)     [sql] = ok
(4)     update request {
(4)       EXPAND %{User-Name}
(4)          --> paul
(4)       SQL-User-Name set to 'paul'
rlm_sql (sql): Reserved connection (3)
(4)       EXPAND /var/log/radius/sqllog.sql
(4)          --> /var/log/radius/sqllog.sql
(4)       Executing select query: SELECT groupname FROM radhuntgroup WHERE nasipaddress='10.161.169.154'
rlm_sql (sql): Released connection (3)
(4)       EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}
(4)          --> group1
(4)       Huntgroup-Name := group1
(4)     } # update request = noop
(4)     if (SQL-Group == "group1" && Huntgroup-Name == "group1") {
(4)     sql_groupcmp
(4)     EXPAND %{User-Name}
(4)        --> paul
(4)     SQL-User-Name set to 'paul'
rlm_sql (sql): Reserved connection (4)
(4)     EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(4)        --> SELECT groupname FROM radusergroup WHERE username = 'paul' ORDER BY priority
(4)     Executing select query: SELECT groupname FROM radusergroup WHERE username = 'paul' ORDER BY priority
(4)     sql_groupcmp finished: User is a member of group group1
rlm_sql (sql): Released connection (4)
(4)     if (SQL-Group == "group1" && Huntgroup-Name == "group1")  -> TRUE
(4)     if (SQL-Group == "group1" && Huntgroup-Name == "group1")  {
(4)       policy accept {
(4)         update control {
(4)           &Response-Packet-Type = Access-Accept
(4)         } # update control = noop
(4)         [handled] = handled
(4)       } # policy accept = handled
(4)     } # if (SQL-Group == "group1" && Huntgroup-Name == "group1")  = handled
(4)   } # authorize = handled
(4) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(4)   post-auth {
(4)     update {
(4)       No attributes updated
(4)     } # update = noop
(4) sql: EXPAND .query
(4) sql:    --> .query
(4) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (0)
(4) sql: EXPAND %{User-Name}
(4) sql:    --> paul
(4) sql: SQL-User-Name set to 'paul'
(4) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(4) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'paul', '0x91b8679b702a5682c0d116d266ee8344a5', 'Access-Accept', '2020-06-01 16:54:24.568323')
(4) sql: EXPAND /var/log/radius/sqllog.sql
(4) sql:    --> /var/log/radius/sqllog.sql
(4) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'paul', '0x91b8679b702a5682c0d116d266ee8344a5', 'Access-Accept', '2020-06-01 16:54:24.568323')
(4) sql: SQL query returned: success
(4) sql: 1 record(s) updated
rlm_sql (sql): Released connection (0)
(4)     [sql] = ok
(4)     [exec] = noop
(4)     policy remove_reply_message_if_eap {
(4)       if (&reply:EAP-Message && &reply:Reply-Message) {
(4)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(4)       else {
(4)         [noop] = noop
(4)       } # else = noop
(4)     } # policy remove_reply_message_if_eap = noop
(4)   } # post-auth = ok
(4) Sent Access-Accept Id 30 from 10.139.63.174:1812 to 10.161.169.154:58330 length 0
(4) Finished request




And failure (user not in proper group):
(5) Received Access-Request Id 31 from 10.161.169.154:49856 to 10.139.63.174:1812 length 44
(5)   User-Name = "ptr"
(5)   CHAP-Password = 0xeead451ce5929e48c7e757ecf3322248fb
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5) sql: EXPAND %{User-Name}
(5) sql:    --> ptr
(5) sql: SQL-User-Name set to 'ptr'
rlm_sql (sql): Closing connection (7): Hit idle_timeout, was idle for 61 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (8): Hit idle_timeout, was idle for 61 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 61 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 61 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (6): Hit idle_timeout, was idle for 61 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Reserved connection (2)
(5) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(5) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'ptr' ORDER BY id
(5) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'ptr' ORDER BY id
(5) sql: User found in radcheck table
(5) sql: Conditional check items matched, merging assignment check items
(5) sql:   Cleartext-Password := "Strongpassword"
(5) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(5) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'ptr' ORDER BY id
(5) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'ptr' ORDER BY id
(5) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(5) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'ptr' ORDER BY priority
(5) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'ptr' ORDER BY priority
(5) sql: User found in the group table
(5) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(5) sql:    --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'group2' ORDER BY id
(5) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'group2' ORDER BY id
rlm_sql (sql): Released connection (2)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (10), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.45-MariaDB, protocol version 10
(5)     [sql] = ok
(5)     update request {
(5)       EXPAND %{User-Name}
(5)          --> ptr
(5)       SQL-User-Name set to 'ptr'
rlm_sql (sql): Reserved connection (9)
(5)       EXPAND /var/log/radius/sqllog.sql
(5)          --> /var/log/radius/sqllog.sql
(5)       Executing select query: SELECT groupname FROM radhuntgroup WHERE nasipaddress='10.161.169.154'
rlm_sql (sql): Released connection (9)
(5)       EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}
(5)          --> group1
(5)       Huntgroup-Name := group1
(5)     } # update request = noop
(5)     if (SQL-Group == "group1" && Huntgroup-Name == "group1") {
(5)     sql_groupcmp
(5)     EXPAND %{User-Name}
(5)        --> ptr
(5)     SQL-User-Name set to 'ptr'
rlm_sql (sql): Reserved connection (3)
(5)     EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(5)        --> SELECT groupname FROM radusergroup WHERE username = 'ptr' ORDER BY priority
(5)     Executing select query: SELECT groupname FROM radusergroup WHERE username = 'ptr' ORDER BY priority
rlm_sql (sql): Released connection (3)
(5)     sql_groupcmp finished: User is NOT a member of group group1
(5)     if (SQL-Group == "group1" && Huntgroup-Name == "group1")  -> FALSE
(5)     elsif (SQL-Group == "group2" && Huntgroup-Name == "group2") {
(5)     sql_groupcmp
(5)     EXPAND %{User-Name}
(5)        --> ptr
(5)     SQL-User-Name set to 'ptr'
rlm_sql (sql): Reserved connection (4)
(5)     EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(5)        --> SELECT groupname FROM radusergroup WHERE username = 'ptr' ORDER BY priority
(5)     Executing select query: SELECT groupname FROM radusergroup WHERE username = 'ptr' ORDER BY priority
(5)     sql_groupcmp finished: User is a member of group group2
rlm_sql (sql): Released connection (4)
(5)     elsif (SQL-Group == "group2" && Huntgroup-Name == "group2")  -> FALSE
(5)     else {
(5)       [reject] = reject
(5)     } # else = reject
(5)   } # authorize = reject
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5)   Post-Auth-Type REJECT {
(5) sql: EXPAND .query
(5) sql:    --> .query
(5) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (0)
(5) sql: EXPAND %{User-Name}
(5) sql:    --> ptr
(5) sql: SQL-User-Name set to 'ptr'
(5) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(5) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'ptr', '0xeead451ce5929e48c7e757ecf3322248fb', 'Access-Reject', '2020-06-01 16:55:18.676906')
(5) sql: EXPAND /var/log/radius/sqllog.sql
(5) sql:    --> /var/log/radius/sqllog.sql
(5) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'ptr', '0xeead451ce5929e48c7e757ecf3322248fb', 'Access-Reject', '2020-06-01 16:55:18.676906')
(5) sql: SQL query returned: success
(5) sql: 1 record(s) updated
rlm_sql (sql): Released connection (0)
(5)     [sql] = ok
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject:    --> ptr
(5) attr_filter.access_reject: Matched entry DEFAULT at line 11
(5)     [attr_filter.access_reject] = updated
(5)     [eap] = noop
(5)     policy remove_reply_message_if_eap {
(5)       if (&reply:EAP-Message && &reply:Reply-Message) {
(5)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(5)       else {
(5)         [noop] = noop
(5)       } # else = noop
(5)     } # policy remove_reply_message_if_eap = noop
(5)   } # Post-Auth-Type REJECT = updated
(5) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(5) Sending delayed response
(5) Sent Access-Reject Id 31 from 10.139.63.174:1812 to 10.161.169.154:49856 length 20
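To check the policy logic outside the server, here is an added example (my own code, not from FreeRADIUS, daloRADIUS or this thread) that rebuilds the radhuntgroup and radusergroup tables shown above in an in-memory SQLite database, runs the same lookups the debug output shows, and applies the accept/reject rule from the working config as a data-driven allow list rather than an elsif chain. It also goes one step beyond the thread: a "*" huntgroup entry in the allow list stands for the base group that may reach any huntgroup (the thread asks for such a group but never defines it), and a helper lists radhuntgroup rows written with a netmask, which the exact-match lookup can never hit. The sample rows, the ALLOWED table and the "*" convention are all assumptions of this example.

```python
"""Model of the huntgroup/usergroup authorize policy from the thread.

Added example, not FreeRADIUS code.  sqlite3 stands in for MariaDB; the
table layout and the SELECT statements follow the debug output in the thread.
"""
import sqlite3

SCHEMA = """
CREATE TABLE radhuntgroup (id INTEGER PRIMARY KEY, groupname TEXT,
                           nasipaddress TEXT, nasportid TEXT);
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
"""

# Constructed sample rows mirroring the tables pasted in the thread
# (including the two netmask rows the poster still needs to clean out).
SAMPLE_ROWS = """
INSERT INTO radhuntgroup VALUES (1, 'group1', '10.161.161.0/24', '0');
INSERT INTO radhuntgroup VALUES (2, 'group2', '10.139.63.0/24',  '0');
INSERT INTO radhuntgroup VALUES (3, 'group1', '10.161.169.154',  '0');
INSERT INTO radhuntgroup VALUES (4, 'group2', '10.139.63.13',    '0');
INSERT INTO radhuntgroup VALUES (5, 'group2', '127.0.0.1',       '0');
INSERT INTO radusergroup VALUES ('paul', 'group1', 0);
INSERT INTO radusergroup VALUES ('ptr',  'group2', 0);
"""

# Policy in English: accept if one of the user's groups is paired with the
# NAS's huntgroup, otherwise reject.  (usergroup, huntgroup) pairs; a "*"
# huntgroup means "any huntgroup" (assumption: base/admin group).
ALLOWED = {
    ("group1", "group1"),
    ("group2", "group2"),
}


def open_db():
    """Build the in-memory database with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + SAMPLE_ROWS)
    return db


def huntgroup_for_nas(db, nas_ip):
    """Same lookup as the unlang update block: exact equality on nasipaddress.

    %{sql:...} takes the first row only, so a NAS listed twice gets the
    lowest id; a row holding '10.161.161.0/24' never equals a real address.
    Returns "" when the NAS is unknown (Huntgroup-Name stays empty).
    """
    row = db.execute(
        "SELECT groupname FROM radhuntgroup WHERE nasipaddress=? ORDER BY id",
        (nas_ip,),
    ).fetchone()
    return row[0] if row else ""


def groups_for_user(db, username):
    """The query sql_groupcmp runs: every group the user belongs to."""
    rows = db.execute(
        "SELECT groupname FROM radusergroup WHERE username=? ORDER BY priority",
        (username,),
    ).fetchall()
    return [r[0] for r in rows]


def authorize(db, username, nas_ip, allowed=ALLOWED):
    """Return 'accept' or 'reject'.  Anything not explicitly allowed is rejected,
    which is the point Alan makes: the default is to let valid users in."""
    huntgroup = huntgroup_for_nas(db, nas_ip)
    if not huntgroup:
        return "reject"  # NAS not in radhuntgroup: default deny
    for group in groups_for_user(db, username):
        if (group, huntgroup) in allowed or (group, "*") in allowed:
            return "accept"
    return "reject"


def dead_huntgroup_rows(db):
    """ids of radhuntgroup rows written as a netmask; they can never match."""
    rows = db.execute(
        "SELECT id FROM radhuntgroup WHERE nasipaddress LIKE '%/%' ORDER BY id"
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = open_db()
    # The two cases from the debug output: paul from the group1 NAS, ptr from the same NAS.
    for user in ("paul", "ptr"):
        print(user, "from 10.161.169.154 ->", authorize(db, user, "10.161.169.154"))
    print("netmask rows to delete:", dead_huntgroup_rows(db))
```

Run as a script it reproduces the thread's two outcomes (paul accepted, ptr rejected on the group1 NAS) and lists rows 1 and 2 as the netmask entries to delete. Keeping the allowed pairs in a table rather than an elsif chain means adding a device group is a data change, and the final "reject" stays the only path for anything unlisted.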







List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html