Hi! Experts


Sorry for disturbing, I want to use radgroupreply attribute “Auth-Type:=Reject” to disable some users, but found this attribute is override by others procedure and it is not works.


For example, from the mysql database, you could see user “lichan” is in “disabled” group:


mysql> select * from radusergroup;

+-----+--------------+-------------+----------+

| id  | username     | groupname   | priority |

+-----+--------------+-------------+----------+

|  42 | james        | microshield |        1 |

| 126 | lichan       | disabled    |        1 |

+-----+--------------+-------------+----------+

2 rows in set (0.00 sec)


and in radgroupreply, there is a Auth-type:=Reject attribute:


mysql> select * from radgroupreply;

+----+-------------+-------------------------+----+-------------+

| id | groupname   | attribute               | op | value       |

+----+-------------+-------------------------+----+-------------+

|  1 | microshield | Service-Type            | =  | Framed-User |

| 12 | disabled    | Auth-Type               |:=  | Reject      |

+----+-------------+-------------------------+----+-------------+

2 rows in set (0.00 sec)


Then I use radtest to do the test:


[root@centos-1 ~]# radtest lichan lab123 127.0.0.1 1812 lab123

Sending Access-Request of id 65 to 127.0.0.1 port 1812

        User-Name = "lichan"

        User-Password = "lab123"

        NAS-IP-Address = 127.0.0.1

        NAS-Port = 1812

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=65, length=20


From the "radiusd -X” console, we could see

# Executing section authorize from file /etc/raddb/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "lichan", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] No EAP-Message, not doing EAP

++[eap] returns noop

++[files] returns noop

[sql]   expand: %{User-Name} -> lichan

[sql] sql_set_user escaped user --> 'lichan'

rlm_sql (sql): Reserving sql socket id: 3

[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'lichan'           ORDER BY id

[sql] User found in radcheck table

[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'lichan'           ORDER BY id

[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'lichan'           ORDER BY priority

[sql]   expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'disabled'           ORDER BY id

[sql] User found in group disabled

[sql]   expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'disabled'           ORDER BY id

rlm_sql (sql): Released sql socket id: 3

++[sql] returns ok

++[expiration] returns noop

++[logintime] returns noop

++[pap] returns updated

Found Auth-Type = PAP

# Executing group from file /etc/raddb/sites-enabled/default

+- entering group PAP {...}

[pap] login attempt with password "lab123"

[pap] Using clear text password "lab123"

[pap] User authenticated successfully

++[pap] returns ok

# Executing section session from file /etc/raddb/sites-enabled/default

+- entering group session {...}

[radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp

[radutmp]       expand: %{User-Name} -> lichan

++[radutmp] returns ok

# Executing section post-auth from file /etc/raddb/sites-enabled/default

+- entering group post-auth {...}

[sql]   expand: %{User-Name} -> lichan

[sql] sql_set_user escaped user --> 'lichan'

[sql]   expand: %{User-Password} -> lab123

[sql]   expand: INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'lichan',                           'lab123',                           'Access-Accept', '2014-11-13 00:45:43')

rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'lichan',                           'lab123',                           'Access-Accept', '2014-11-13 00:45:43')

rlm_sql (sql): Reserving sql socket id: 2

rlm_sql (sql): Released sql socket id: 2

++[sql] returns ok

++[exec] returns noop

Sending Access-Accept of id 65 to 127.0.0.1 port 49529

Finished request 0.

Going to the next request

Waking up in 4.9 seconds.

Cleaning up request 0 ID 65 with timestamp +8

Ready to process requests.


Is there any light you could shed on this? thanks for your help!

BR!

Chen Jiang