I have a freeradius, and I need "Calling-Station-Id" for authorization. This is the one attribute, which I select in the radiusd.conf checkval { # The attribute to look for in the request item-name = Calling-Station-Id # The attribute to look for in check items. Can be multi valued check-name = Calling-Station-Id # The data type. Can be # string,integer,ipaddr,date,abinary,octets data-type = string # If set to yes and we dont find the item-name attribute in the # request then we send back a reject # DEFAULT is no notfound-reject = yes } (But in fact, I do not use this) Why, when freeradius rescieve the access-request packet, and "username" field is empty, then we got access-denied? I use SQL authorization module. In the database (I use it as a blacklist, id Calling-Station-Id exist in the list, then access denied.): +----+------------+-----------+----+--------+ | id | UserName | Attribute | op | Value | +----+------------+-----------+----+--------+ | 2 | 3339222222 | Auth-Type | == | Reject | | 1 | all_users_not_in_black_list | Auth-Type | == | Accept | +----+------------+-----------+----+--------+
From sql.conf: authorize_check_query = "SELECT id, UserName, Attribute, Value, op \ FROM ${authcheck_table} \ WHERE Username = IF(Username='%{SQL-User-Name}','%{SQL-User-Name}','all_users_not_in_black_list') \ LIMIT 1" authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \ FROM ${authreply_table} \ WHERE Username = 'all_users_not_in_black_list' \ ORDER BY id"
So, info from radiusd in debug mode: rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX:1812, id=182, length=113 NAS-Identifier = "ggsn2" User-Name = "" User-Password = "" NAS-IP-Address = XXX.XXX.XXX.XXX NAS-Port-Type = Virtual Called-Station-Id = "1000" Calling-Station-Id = "3339222225" Acct-Session-Id = "d45d6126057478b1" Acct-Multi-Session-Id = "d45d61260000b77a" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 radius_xlat: '/usr/local/var/log/radius/radacct/auth-detail.log' rlm_detail: /usr/local/var/log/radius/radacct/auth-detail.log expands to /usr/local/var/log/radius/radacct/auth-detail.log modcall[authorize]: module "auth_log" returns ok for request 0 rlm_sql (sql): zero length username not permitted modcall[authorize]: module "sql" returns invalid for request 0 modcall: leaving group authorize (returns invalid) for request 0 Invalid user: [/] (from client ggsn2 port 0 cli 3719248521) Sending Access-Reject of id 182 to XXX.XXX.XXX.XXX port 1812 I don't care, what kind of username do we have! How I can avoid this problem? :-( Can someone help me with this quesion? Here is the part of my radiusd.conf file: <...skipped...> modules { checkval { # The attribute to look for in the request item-name = Calling-Station-Id # The attribute to look for in check items. Can be multi valued check-name = Calling-Station-Id # The data type. Can be # string,integer,ipaddr,date,abinary,octets data-type = string # If set to yes and we dont find the item-name attribute in the # request then we send back a reject # DEFAULT is no notfound-reject = yes } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } # Livingston-style 'users' file # files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users # If you want to use the old Cistron 'users' file # with FreeRADIUS, you should change the next line # to 'compat = cistron'. You can the copy your 'users' # file from Cistron. compat = no } # Write a detailed log of all accounting records received. # detail { detailfile = ${radacctdir}/acct-detail.log detailperm = 0600 } detail auth_log { detailfile = ${radacctdir}/auth-detail.log detailperm = 0600 } detail reply_log { detailfile = ${radacctdir}/reply-detail.log detailperm = 0600 } $INCLUDE ${confdir}/sql.conf radutmp { filename = ${logdir}/radutmp username = %{Calling-Station-Id} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } } instantiate { } authorize { auth_log # See "Authorization Queries" in sql.conf sql } authenticate { } accounting { detail radutmp } session { radutmp } # Post-Authentication post-auth { reply_log } ------------------------------------------------------------------------------- http://www.one.lv - Tavs mobilais e-pasts! Tagad lasi savu e-pastu ar mobilo telefonu - wap.one.lv!