Hi to all, I've configured freeradius with mysql anche checkval and all works as expected when I try to authenticate users with Calling-Station-ID and := operators in radgroupcheck but I cannot use it with != operator. To sum up I want some accounts to login only on some machines and I don't want other accounts to login on the above machines. Can I use checkval also with != operator? ...if not, is there another way? thank you, Christian
Il 20/06/2010 20:02, Christian Zoffoli ha scritto:
Hi to all, I've configured freeradius with mysql anche checkval and all works as expected when I try to authenticate users with Calling-Station-ID and := operators in radgroupcheck but I cannot use it with != operator. [cut]
I've tryed also adding these lines to the authorize section if (Calling-Station-Id == "%{sql: SELECT value FROM radgroupcheck WHERE groupname='%{Sql-Group}' AND op='!=' }") { reject } but the variable Sql-Group is not expanded. Changing the lines above in: if (Calling-Station-Id == "%{sql: SELECT value FROM radgroupcheck WHERE groupname='wireless' AND op='!=' }") { reject } allo works as expected but now I have to hardcode all the group with the != operator. Is there a way to rightly expand the %{Sql-Group} variable? Best regards, Christian
Christian Zoffoli wrote:
I've configured freeradius with mysql anche checkval and all works as expected when I try to authenticate users with Calling-Station-ID and := operators in radgroupcheck but I cannot use it with != operator.
I don't see why. It works as documented, and the != operator works.
To sum up I want some accounts to login only on some machines and I don't want other accounts to login on the above machines.
Yes... many people do that.
Can I use checkval also with != operator? ...if not, is there another way?
Yes. *Please* explain what you tried, and what happened. Right now, your message is little more than "I tried stuff and it didn't work." Alan DeKok.
Il 21/06/2010 08:30, Alan DeKok ha scritto:
Christian Zoffoli wrote:
I've configured freeradius with mysql anche checkval and all works as expected when I try to authenticate users with Calling-Station-ID and := operators in radgroupcheck but I cannot use it with != operator.
I don't see why. It works as documented, and the != operator works.
mysql> SELECT * FROM radcheck WHERE username='bumlwdgx'; +-------+----------+--------------------+----+----------------------+ | id | username | attribute | op | value | +-------+----------+--------------------+----+----------------------+ | 20716 | bumlwdgx | Expiration | := | 18 Dec 2010 11:06:03 | | 20715 | bumlwdgx | Cleartext-Password | := | 88209211 | +-------+----------+--------------------+----+----------------------+ mysql> SELECT * FROM radusergroup WHERE username='bumlwdgx'; +-------+----------+-----------+----------+ | ID | username | groupname | priority | +-------+----------+-----------+----------+ | 10114 | bumlwdgx | wireless | 1 | +-------+----------+-----------+----------+ 1 row in set (0.00 sec) SELECT * FROM radgroupcheck WHERE groupname='wireless'; +----+-----------+--------------------+----+-------------------+ | id | groupname | attribute | op | value | +----+-----------+--------------------+----+-------------------+ | 18 | wireless | Calling-Station-Id | != | 00-22-15-16-35-B0 | | 9 | wireless | Access-Period | := | 604800 | | 11 | wireless | Max-All-Session | := | 86400 | +----+-----------+--------------------+----+-------------------+ 3 rows in set (0.00 sec) here is the output of the radius auth --- rad_recv: Access-Request packet from host 127.0.0.1 port 34220, id=1, length=298 ChilliSpot-Version = "1.2.2" User-Name = "bumlwdgx" CHAP-Challenge = 0x777d7fc0c28a480f750e1f5506c3ccd7 CHAP-Password = 0x008617e203333f1fc66b2cacc4cbbe2255 NAS-IP-Address = 192.168.182.1 Service-Type = Login-User Framed-IP-Address = 192.168.182.2 Calling-Station-Id = "00-22-15-16-35-B0" Called-Station-Id = "00-0D-B9-15-F4-C9" NAS-Identifier = "localhost" Acct-Session-Id = "4c1f2f3e00000001" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 WISPr-Location-ID = "isocc=,cc=,ac=,network=XTekLABS," WISPr-Location-Name = "HotSpot_Service" WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff" Message-Authenticator = 0x2fea143af618652c950abd1fe0ad8cce +- entering group authorize ++[preprocess] returns ok rlm_realm: No '@' in User-Name = "bumlwdgx", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop expand: %{Stripped-User-Name} -> expand: %{User-Name} -> bumlwdgx expand: %{%{User-Name}:-DEFAULT} -> bumlwdgx expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> bumlwdgx rlm_sql (sql): sql_set_user escaped user --> 'bumlwdgx' rlm_sql (sql): Reserving sql socket id: 0 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bumlwdgx' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'bumlwdgx' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'bumlwdgx' ORDER BY priority expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wireless' ORDER BY id rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok rlm_checkval: Item Name: Calling-Station-Id, Value: 00-22-15-16-35-B0 rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] returns notfound rlm_expiration: Checking Expiration time: '18 Dec 2010 11:06:03' ++[expiration] returns ok rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[noresetcounter] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[accessperiod] returns noop auth: type Local auth: user supplied CHAP-Password matches local User-Password Login OK: [bumlwdgx/<CHAP-Password>] (from client localhost port 1 cli 00-22-15-16-35-B0) +- entering group post-auth rlm_sql (sql): Processing sql_postauth expand: %{Stripped-User-Name} -> expand: %{User-Name} -> bumlwdgx expand: %{%{User-Name}:-DEFAULT} -> bumlwdgx expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> bumlwdgx rlm_sql (sql): sql_set_user escaped user --> 'bumlwdgx' expand: %{User-Password} -> expand: %{Chap-Password} -> 0x008617e203333f1fc66b2cacc4cbbe2255 expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'bumlwdgx', '0x008617e203333f1fc66b2cacc4cbbe2255', 'Access-Accept', '2010-06-21 11:22:37') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'bumlwdgx', '0x008617e203333f1fc66b2cacc4cbbe2255', 'Access-Accept', '2010-06-21 11:22:37') rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 1 to 127.0.0.1 port 34220 Session-Timeout = 15554606 Finished request 10. Going to the next request Waking up in 4.9 seconds. rad_recv: Accounting-Request packet from host 127.0.0.1 port 60147, id=8, length=225 ChilliSpot-Version = "1.2.2" ChilliSpot-Attr-10 = 0x00000002 Acct-Status-Type = Start User-Name = "bumlwdgx" Calling-Station-Id = "00-22-15-16-35-B0" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 NAS-Port-Id = "00000001" Framed-IP-Address = 192.168.182.2 Acct-Session-Id = "4c1f2f3e00000001" NAS-IP-Address = 192.168.182.1 Called-Station-Id = "00-0D-B9-15-F4-C9" NAS-Identifier = "localhost" WISPr-Location-ID = "isocc=,cc=,ac=,network=XTekLABS," WISPr-Location-Name = "HotSpot_Service" +- entering group preacct ++[preprocess] returns ok rlm_acct_unique: Hashing 'NAS-Port = 1,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 192.168.182.1,Acct-Session-Id = "4c1f2f3e00000001",User-Name = "bumlwdgx"' rlm_acct_unique: Acct-Unique-Session-ID = "18a263802bd4fe7e". ++[acct_unique] returns ok rlm_realm: No '@' in User-Name = "bumlwdgx", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[files] returns noop +- entering group accounting expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/detail-20100621 rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/detail-20100621 expand: %t -> Mon Jun 21 11:22:37 2010 ++[detail] returns ok expand: %{Stripped-User-Name} -> expand: %{User-Name} -> bumlwdgx expand: %{%{User-Name}:-DEFAULT} -> bumlwdgx expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> bumlwdgx rlm_sql (sql): sql_set_user escaped user --> 'bumlwdgx' expand: %{Acct-Delay-Time} -> expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}') -> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('4c1f2f3e00000001', '18a263802bd4fe7e', 'bumlwdgx', '', '192.168.182.1', '1', 'Wireless-802.11', '2010-06-21 11:22:37', NULL, '0', '', '', '', '0', '0', '00-0D-B9-15-F4-C9', '00-22-15-16-35-B0', '', '', '', '192.168.182.2', '0', '0', '') rlm_sql (sql): Reserving sql socket id: 3 rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok expand: %{User-Name} -> bumlwdgx attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 8 to 127.0.0.1 port 60147 Finished request 11. Cleaning up request 11 ID 8 with timestamp +779 Going to the next request Waking up in 4.9 seconds. --- in radiusd.conf I have: checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } Best regards, Christian
Christian Zoffoli wrote:
mysql> SELECT * FROM radcheck WHERE username='bumlwdgx'; ... mysql> SELECT * FROM radusergroup WHERE username='bumlwdgx';
<sigh> You asked about radgroupcheck. Why post this?
SELECT * FROM radgroupcheck WHERE groupname='wireless'; +----+-----------+--------------------+----+-------------------+ | id | groupname | attribute | op | value | +----+-----------+--------------------+----+-------------------+ | 18 | wireless | Calling-Station-Id | != | 00-22-15-16-35-B0 |
Which is OK, and should work.
rad_recv: Access-Request packet from host 127.0.0.1 port 34220, id=1, length=298 ChilliSpot-Version = "1.2.2" User-Name = "bumlwdgx" CHAP-Challenge = 0x777d7fc0c28a480f750e1f5506c3ccd7 CHAP-Password = 0x008617e203333f1fc66b2cacc4cbbe2255 NAS-IP-Address = 192.168.182.1 Service-Type = Login-User Framed-IP-Address = 192.168.182.2 Calling-Station-Id = "00-22-15-16-35-B0"
Which shouldn't match the entry in radgroupcheck.
expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wireless' ORDER BY id rlm_sql (sql): Released sql socket id: 0
Which doesn't match, as expected.
++[sql] returns ok rlm_checkval: Item Name: Calling-Station-Id, Value: 00-22-15-16-35-B0 rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
Of *course* this doesn't work. You didn't add a Calling-Station-Id to the check pairs. I told you that the behavior of rlm_sql was documented. Go read that documentation. *Nothing* in it suggests that using "!=" as a check operator will result in the Calling-Station-Id attribute being added to the check pairs.
in radiusd.conf I have:
checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string }
Why? What possible use is this? What do you expect it to do? Alan DeKok.
Il 21/06/2010 13:50, Alan DeKok ha scritto: [cut]
Why? What possible use is this? What do you expect it to do?
there is something strange IMHO if I try a different user in the wired group and this radgroupcheck: mysql> SELECT * FROM radgroupcheck WHERE groupname='wired'; +----+-----------+--------------------+----+-------------------+ | id | groupname | attribute | op | value | +----+-----------+--------------------+----+-------------------+ | 6 | wired | Calling-Station-Id | := | 00-22-15-16-35-B0 | | 7 | wired | Simultaneous-Use | := | 1 | | 10 | wired | Max-All-Session | := | 3600 | | 12 | wired | Access-Period | := | 604800 | +----+-----------+--------------------+----+-------------------+ 4 rows in set (0.00 sec) All works as expected. The software is the same, the machine is the same but now rlm_checkval works --- rad_recv: Access-Request packet from host 127.0.0.1 port 51146, id=1, length=298 ChilliSpot-Version = "1.2.2" User-Name = "m7dby5cc" CHAP-Challenge = 0x0c8e9cdfd1f76caa475d8120e0af8660 CHAP-Password = 0x00d4c0245b2a9b2a0429c5c3401da5439e NAS-IP-Address = 192.168.182.1 Service-Type = Login-User Framed-IP-Address = 192.168.182.2 Calling-Station-Id = "00-22-15-16-35-B0" Called-Station-Id = "00-0D-B9-15-F4-C9" NAS-Identifier = "localhost" Acct-Session-Id = "4c1f311000000001" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 WISPr-Location-ID = "isocc=,cc=,ac=,network=XTekLABS," WISPr-Location-Name = "HotSpot_Service" WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff" Message-Authenticator = 0x7d095fb7ce6c28a7459e053a4074bf17 +- entering group authorize ++[preprocess] returns ok rlm_realm: No '@' in User-Name = "m7dby5cc", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop expand: %{Stripped-User-Name} -> expand: %{User-Name} -> m7dby5cc expand: %{%{User-Name}:-DEFAULT} -> m7dby5cc expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> m7dby5cc rlm_sql (sql): sql_set_user escaped user --> 'm7dby5cc' rlm_sql (sql): Reserving sql socket id: 0 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'm7dby5cc' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'm7dby5cc' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'm7dby5cc' ORDER BY priority expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wired' ORDER BY id rlm_sql (sql): User found in group wired expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wired' ORDER BY id rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok rlm_checkval: Item Name: Calling-Station-Id, Value: 00-22-15-16-35-B0 rlm_checkval: Value Name: Calling-Station-Id, Value: 00-22-15-16-35-B0 ++[checkval] returns ok rlm_expiration: Checking Expiration time: '18 Dec 2010 11:06:25' ++[expiration] returns ok rlm_sqlcounter: Entering module authorize code sqlcounter_expand: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}'' expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='m7dby5cc' sqlcounter_expand: '%{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='m7dby5cc'}' rlm_sql (sql): - sql_xlat expand: %{Stripped-User-Name} -> expand: %{User-Name} -> m7dby5cc expand: %{%{User-Name}:-DEFAULT} -> m7dby5cc expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> m7dby5cc rlm_sql (sql): sql_set_user escaped user --> 'm7dby5cc' expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='m7dby5cc' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='m7dby5cc' rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): row[0] returned NULL rlm_sql (sql): Released sql socket id: 4 expand: %{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='m7dby5cc'} -> rlm_sqlcounter: No integer found in string "" ++[noresetcounter] returns noop rlm_sqlcounter: Entering module authorize code sqlcounter_expand: 'SELECT UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName = '%{User-Name}' ORDER BY AcctStartTime LIMIT 1' expand: SELECT UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName = '%{User-Name}' ORDER BY AcctStartTime LIMIT 1 -> SELECT UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName = 'm7dby5cc' ORDER BY AcctStartTime LIMIT 1 sqlcounter_expand: '%{sql:SELECT UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName = 'm7dby5cc' ORDER BY AcctStartTime LIMIT 1}' rlm_sql (sql): - sql_xlat expand: %{Stripped-User-Name} -> expand: %{User-Name} -> m7dby5cc expand: %{%{User-Name}:-DEFAULT} -> m7dby5cc expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> m7dby5cc rlm_sql (sql): sql_set_user escaped user --> 'm7dby5cc' expand: SELECT UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName = 'm7dby5cc' ORDER BY AcctStartTime LIMIT 1 -> SELECT UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName = 'm7dby5cc' ORDER BY AcctStartTime LIMIT 1 rlm_sql (sql): Reserving sql socket id: 3 rlm_sql (sql): SQL query did not return any results rlm_sql (sql): Released sql socket id: 3 expand: %{sql:SELECT UNIX_TIMESTAMP() - UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName = 'm7dby5cc' ORDER BY AcctStartTime LIMIT 1} -> rlm_sqlcounter: No integer found in string "" ++[accessperiod] returns noop auth: type Local auth: user supplied CHAP-Password matches local User-Password +- entering group session expand: %{Stripped-User-Name} -> expand: %{User-Name} -> m7dby5cc expand: %{%{User-Name}:-DEFAULT} -> m7dby5cc expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> m7dby5cc rlm_sql (sql): sql_set_user escaped user --> 'm7dby5cc' expand: SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime is NULL -> SELECT COUNT(*) FROM radacct WHERE username = 'm7dby5cc' AND acctstoptime is NULL rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok Login OK: [m7dby5cc/<CHAP-Password>] (from client localhost port 1 cli 00-22-15-16-35-B0) +- entering group post-auth rlm_sql (sql): Processing sql_postauth expand: %{Stripped-User-Name} -> expand: %{User-Name} -> m7dby5cc expand: %{%{User-Name}:-DEFAULT} -> m7dby5cc expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> m7dby5cc rlm_sql (sql): sql_set_user escaped user --> 'm7dby5cc' expand: %{User-Password} -> expand: %{Chap-Password} -> 0x00d4c0245b2a9b2a0429c5c3401da5439e expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'm7dby5cc', '0x00d4c0245b2a9b2a0429c5c3401da5439e', 'Access-Accept', '2010-06-21 14:36:34') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'm7dby5cc', '0x00d4c0245b2a9b2a0429c5c3401da5439e', 'Access-Accept', '2010-06-21 14:36:34') rlm_sql (sql): Reserving sql socket id: 1 rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 1 to 127.0.0.1 port 51146 Acct-Interim-Interval := 600 Session-Timeout = 15542991 Finished request 14. Going to the next request Waking up in 4.9 seconds. rad_recv: Accounting-Request packet from host 127.0.0.1 port 60147, id=11, length=225 ChilliSpot-Version = "1.2.2" ChilliSpot-Attr-10 = 0x00000002 Acct-Status-Type = Start User-Name = "m7dby5cc" Calling-Station-Id = "00-22-15-16-35-B0" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 NAS-Port-Id = "00000001" Framed-IP-Address = 192.168.182.2 Acct-Session-Id = "4c1f311000000001" NAS-IP-Address = 192.168.182.1 Called-Station-Id = "00-0D-B9-15-F4-C9" NAS-Identifier = "localhost" WISPr-Location-ID = "isocc=,cc=,ac=,network=XTekLABS," WISPr-Location-Name = "HotSpot_Service" +- entering group preacct ++[preprocess] returns ok rlm_acct_unique: Hashing 'NAS-Port = 1,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 192.168.182.1,Acct-Session-Id = "4c1f311000000001",User-Name = "m7dby5cc"' rlm_acct_unique: Acct-Unique-Session-ID = "ddca1f9d2efffb89". ++[acct_unique] returns ok rlm_realm: No '@' in User-Name = "m7dby5cc", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[files] returns noop +- entering group accounting expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/detail-20100621 rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/detail-20100621 expand: %t -> Mon Jun 21 14:36:35 2010 ++[detail] returns ok expand: %{Stripped-User-Name} -> expand: %{User-Name} -> m7dby5cc expand: %{%{User-Name}:-DEFAULT} -> m7dby5cc expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> m7dby5cc rlm_sql (sql): sql_set_user escaped user --> 'm7dby5cc' expand: %{Acct-Delay-Time} -> expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}') -> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('4c1f311000000001', 'ddca1f9d2efffb89', 'm7dby5cc', '', '192.168.182.1', '1', 'Wireless-802.11', '2010-06-21 14:36:35', NULL, '0', '', '', '', '0', '0', '00-0D-B9-15-F4-C9', '00-22-15-16-35-B0', '', '', '', '192.168.182.2', '0', '0', '') rlm_sql (sql): Reserving sql socket id: 0 rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok expand: %{User-Name} -> m7dby5cc attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 11 to 127.0.0.1 port 60147 Finished request 15. Cleaning up request 15 ID 11 with timestamp +12417 Going to the next request Waking up in 4.9 seconds. --- Best regards, Christian
Christian Zoffoli wrote:
Il 21/06/2010 13:50, Alan DeKok ha scritto: [cut]
Why? What possible use is this? What do you expect it to do?
there is something strange IMHO
Only if you haven't bothered reading the documentation.
if I try a different user in the wired group and this radgroupcheck:
mysql> SELECT * FROM radgroupcheck WHERE groupname='wired'; +----+-----------+--------------------+----+-------------------+ | id | groupname | attribute | op | value | +----+-----------+--------------------+----+-------------------+ | 6 | wired | Calling-Station-Id | := | 00-22-15-16-35-B0 | ... All works as expected. The software is the same, the machine is the same but now rlm_checkval works
Yes. The server works as documented. Since you haven't read the documentation, you don't understand what it's doing. Weird, isn't it? Alan DeKok.
Il 21/06/2010 14:57, Alan DeKok ha scritto: [cut]
The server works as documented. Since you haven't read the documentation, you don't understand what it's doing.
Weird, isn't it?
probably you are right, probably I've read all the docs, some useless guides, many threads on the mailing list and I've not understood the right way probably your answers doesn't help much probably there is not so much doc and probably there are not enought examples and the last book is 8 years old and doesn't cover what I need. Best regards, Christian
Christian Zoffoli wrote:
probably you are right, probably I've read all the docs, some useless guides, many threads on the mailing list and I've not understood the right way
probably your answers doesn't help much
Have you read the documentation as I suggested? No, not really. That's why my answers don't help.
probably there is not so much doc and probably there are not enought examples and the last book is 8 years old and doesn't cover what I need.
The documentation for the SQL module is on the Wiki and in the doc/ directory. It documents *exactly* how the module works, include the "!=" and ":=" operator. I'm sorry you feel like I'm not helping you. But this *is* documented, and it is *not* rude to ask you to read the documentation. *All* of your questions and confusion would be addressed by reading the documentation. Please read it. If you have any questions about it, ask. Alan DeKok.
Il 21/06/2010 20:26, Alan DeKok ha scritto:
Christian Zoffoli wrote: [many] Have you read the documentation as I suggested?
No, not really. That's why my answers don't help.
probably I don't know many things to find my mistakes now I've fixed my problem in this way --- update control { Tmp-String-0 = "%{sql: SELECT groupname FROM radusergroup WHERE username='%{request:User-Name}'}" } if ( "%{control:Tmp-String-0}" != "" ) { update control { Tmp-String-1 = "%{sql: SELECT value FROM radgroupcheck WHERE groupname='%{control:Tmp-String-0}' AND op='!=' AND value='%{request:Calling-Station-Id}' }" } if ( "%{control:Tmp-String-1}" != "" ) { if ( "%{request:Calling-Station-Id}" == "%{control:Tmp-String-1}" ) { reject } } update control { Tmp-String-2 = "%{sql: SELECT value FROM radgroupcheck WHERE groupname='%{control:Tmp-String-0}' AND op=':=' AND value='%{request:Calling-Station-Id}' }" } if ( "%{control:Tmp-String-2}" != "" ) { if ( "%{request:Calling-Station-Id}" != "%{control:Tmp-String-2}" ) { reject } } } --- surely is not the right way ...but I don't know a better one. rlm_sql already do the query I use to populate Tmp-String-0 is there a way to re-use such value ? ...I've not find an answer Best regards, Christian
Christian Zoffoli wrote:
now I've fixed my problem in this way
I'm not sure why. In all of this, you haven't explained what you want to do. You've asked about the SQL and checkval modules. But you haven't given a *problem* you would like to solve.
surely is not the right way ...but I don't know a better one.
Neither do I, until you explain *what* you want to do. I'm not prepared to guess, either. Alan DeKok.
Il 22/06/2010 08:08, Alan DeKok ha scritto:
Christian Zoffoli wrote:
now I've fixed my problem in this way
I'm not sure why.
In all of this, you haven't explained what you want to do. You've asked about the SQL and checkval modules. But you haven't given a *problem* you would like to solve.
I want the users in some groups to login only on the machine with a given mac address and I want the users in the group wireless to use all the machines with the exception of the previous mac address. raggroupcheck +----+-----------+--------------------+----+-------------------+ | id | groupname | attribute | op | value | +----+-----------+--------------------+----+-------------------+ | 6 | wired | Calling-Station-Id | == | 00-22-15-16-35-B0 | | 22 | wireless | Calling-Station-Id | != | 00-22-15-16-35-B1 | +----+-----------+--------------------+----+-------------------+ I've just made a minor change on the ulang script and the DB (op := to ==) Best regards, Christian
participants (2)
-
Alan DeKok -
Christian Zoffoli