Sorry forget about priority i thought higher was first..Which it wasn’t.. Still is it possible to get replies from multiple groups an account belongs to?

 

Cheers

Alex

 

Från: freeradius-users-bounces+alexander.silverohrt=itux.se@lists.freeradius.org [mailto:freeradius-users-bounces+alexander.silverohrt=itux.se@lists.freeradius.org] För Alexander Silveröhrt
Skickat: den 12 april 2013 09:33
Till: freeradius-users@lists.freeradius.org
Ämne: Group questions..several group memberships to one account. FreeRADIUS Version 2.1.10

 

Hello,

 

Never played around with groups using rlm_sql and the default schema..
I am reading what i assume is saying that it should be possible to have several groups to a account and each group should be able to supply that specific groups radgroupreply attributes..

Number 4 below sure sounds like it should get all the accounts groups first and then process them according to priority? Below test shows it only reads the first group? And no matter what priority..
Is that how it should work or what am i missing here?

1.Search the radcheck table for any check attributes specific to the user

2.If check attributes are found, and there's a match, pull the reply items from the radreply table for this user and add them to the reply

3.Group processing then begins if any of the following conditions are met:

The user IS NOT found in radcheck

The user IS found in radcheck, but the check items don't match

The user IS found in radcheck, the check items DO match AND Fall-Through is set in the radreply table

The user IS found in radcheck, the check items DO match AND the read_groups directive is set to 'yes'

4.If groups are to be processed for this user, the first thing that is done is the list of groups this user is a member of is pulled from the usergroup table ordered by the priority field. The priority field of the usergroup table allows us to control the order in which groups are processed, so that we can emulate the ordering in the users file. This can be important in many cases.

5.For each group this user is a member of, the corresponding check items are pulled from radgroupcheck table and compared with the request. If there is a match, the reply items for this group are pulled from the radgroupreply table and applied.

6.Processing continues to the next group IF:

There was not a match for the last group's check items OR

Fall-Through was set in the last group's reply items (The above is exactly the same as in the users file)

7.Finally, if the user has a User-Profile attribute set or the Default Profile option is set in the sql.conf, then steps 4-6 are repeated for the groups that the profile is a member of.

To test it i added som data to

 

mysql> select * from radcheck;

+----+----------+-----------+----+-------+

| id | username | attribute | op | value |

+----+----------+-----------+----+-------+

|  8 | alex     | Password  | := | test  |

+----+----------+-----------+----+-------+


mysql> select * from radusergroup;

+----------+------------------+----------+

| username | groupname        | priority |

+----------+------------------+----------+

| alex     | mega-admin-group |        0 |

| alex     | cisco_admin      |        1 |

+----------+------------------+----------+


mysql> select * from radgroupreply;

+----+------------------+----------------+----+----------------------------------+

| id | groupname        | attribute      | op | value                            |

+----+------------------+----------------+----+----------------------------------+

|  1 | mega-admin-group | Reply-Message  | =  | test-mega-admin-reply-attribute  |

|  2 | mega-admin-group | NAS-Identifier | =  | test-NAS                             |

|  3 | cisco_admin      | Service-Type   | =  | NAS-Prompt-User                     |

|  4 | cisco_admin      | cisco-avpair   | =  | shell:priv-lvl=15                           |

+----+------------------+----------------+----+----------------------------------+

5 rows in set (0.00 sec)

root@noc1:/etc/freeradius# radtest -x alex test localhost 1812 testing123

Sending Access-Request of id 69 to 127.0.0.1 port 1812

        User-Name = "alex"

        User-Password = "test"

        NAS-IP-Address = 10.173.2.10

        NAS-Port = 1812

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=69, length=63

        Reply-Message = "test-mega-admin-reply-attribute"

        NAS-Identifier = "test-NAS"                     < -- Only replies from group mega-admin-group

And freeradius debug is showing it only checked replies from the first group..

rad_recv: Access-Request packet from host 127.0.0.1 port 49061, id=3, length=56

        User-Name = "alex"

        User-Password = "test"

        NAS-IP-Address = 10.173.2.10

        NAS-Port = 1812

# Executing section authorize from file /etc/freeradius/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

rlm_perl: rlm_perl::Itux DEBUG::Inside authorize Function.

rlm_perl: Added pair User-Name = alex

rlm_perl: Added pair User-Password = test

rlm_perl: Added pair NAS-Port = 1812

rlm_perl: Added pair NAS-IP-Address = 10.173.2.10

++[perl] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "alex", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[sql]   expand: %{User-Name} -> alex

[sql] sql_set_user escaped user --> 'alex'

rlm_sql (sql): Reserving sql socket id: 3

[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'alex'           ORDER BY id

[sql] User found in radcheck table

[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'alex'           ORDER BY id

[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'alex'           ORDER BY priority

[sql]   expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'mega-admin-group'           ORDER BY id

[sql] User found in group mega-admin-group

[sql]   expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'mega-admin-group'           ORDER BY id

rlm_sql (sql): Released sql socket id: 3

++[sql] returns ok

++[expiration] returns noop

++[logintime] returns noop

++[pap] returns updated

Found Auth-Type = PAP

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!    Replacing User-Password in config items with Cleartext-Password.     !!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!! Please update your configuration so that the "known good"               !!!

!!! clear text password is in Cleartext-Password, and not in User-Password. !!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

# Executing group from file /etc/freeradius/sites-enabled/default

+- entering group PAP {...}

[pap] login attempt with password "test"

[pap] Using clear text password "test"

[pap] User authenticated successfully

++[pap] returns ok

Login OK: [alex] (from client localhost port 1812)

# Executing section post-auth from file /etc/freeradius/sites-enabled/default

+- entering group post-auth {...}

++[exec] returns noop

Sending Access-Accept of id 3 to 127.0.0.1 port 49061

        Reply-Message = "test-mega-admin-reply-attribute"

Finished request 10.

Going to the next request

Waking up in 4.9 seconds.

Cleaning up request 10 ID 3 with timestamp +7141

Ready to process requests.

 

Thx

Alex

 

 

********* DISCLAIMER *********

This message and any attachment are confidential and may be privileged or otherwise protected from disclosure and may include proprietary information. If you are not the intended recipient, please telephone or email the sender and delete this message and any attachment from your system. If you are not the intended recipient you must not copy this message or attachment or disclose the contents to any other person


********* DISCLAIMER *********

This message and any attachment are confidential and may be privileged or otherwise protected from disclosure and may include proprietary information. If you are not the intended recipient, please telephone or email the sender and delete this message and any attachment from your system. If you are not the intended recipient you must not copy this message or attachment or disclose the contents to any other person