Huntgroups, Realms, MySQL
Sorry if this has already been addressed. I has been searching all day and haven't found the solution to my problem. I am attempting to setup multiple huntgroups to limit the types of connections that clients can make. Along with this I have a list of realms that are authenticated locally and others that are directed to remote radius servers. All of the user and group information is stored in a mysql db. I am having problems authenticating users with realms that are not passed to a remote server. Below is an example of a test without a realm: radtest test blah123 127.0.0.1 0 testing123Sending Access-Request of id 215 to 127.0.0.1:1812 User-Name = "test" User-Password = "blah123" NAS-IP-Address = localhost.localdomain NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=215, length=272 Framed-Protocol = PPP Framed-Routing = Broadcast Framed-Compression = None Framed-MTU = 1500 Idle-Timeout = 0 Cisco-AVPair = "lcp:interface-config=rate-limit input 256000 32000 32000 conform-action transmit exceed-action drop" Cisco-AVPair = "lcp:interface-config=rate-limit output 4500000 32000 32000 conform-action transmit exceed-action drop" Service-Type = Framed-User With a realm: radtest test@dls.net blah123 127.0.0.1 0 testing123 Sending Access-Request of id 223 to 127.0.0.1:1812 User-Name = "test@dls.net" User-Password = "blah123" NAS-IP-Address = localhost.localdomain NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=223, length=20 Output from the server: rad_recv: Access-Request packet from host 127.0.0.1:32770, id=223, length=77 User-Name = "test@dls.net" User-Password = "blah123" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 rlm_sql (sql): - sql_groupcmp radius_xlat: 'test@dls.net' rlm_sql (sql): sql_set_user escaped user --> 'test@dls.net' radius_xlat: 'SELECT GroupName FROM usergroup WHERE UserName='test@dls.net'' rlm_sql (sql): Reserving sql socket id: 0 rlm_sql (sql): Released sql socket id: 0 rlm_sql (sql): - sql_groupcmp finished: User does not belong in group 3072BY256 No huntgroup access: [test@dls.net] (from client localhost port 0) modcall[authorize]: module "preprocess" returns reject for request 2 modcall: group authorize returns reject for request 2 If I removed the huntgroups out of the picture, is works fine. The problem seems to be that the realm is not being stripped off of the username when it checks it against the usergroup table. If more information is needed, please let me know. I would really like to get this working. Thanks! - Brad
Brad McAllister wrote:
If I removed the huntgroups out of the picture, is works fine. The problem seems to be that the realm is not being stripped off of the username when it checks it against the usergroup table. If more information is needed, please let me know. I would really like to get this working.
Thanks!
- Brad
Have a look at the realm { } instances and attr_rewrite in http://wiki.freeradius.org/Radiusd.conf. If that doesn't sort you out, could you post (with private info obscured, of course) relevant excerpts from your radgroupcheck table and huntgroups file? Cheers, -- James Wakefield, Unix Administrator, Information Technology Services Division Deakin University, Geelong, Victoria 3217 Australia. Phone: 03 5227 8690 International: +61 3 5227 8690 Fax: 03 5227 8866 International: +61 3 5227 8866 E-mail: james.wakefield@deakin.edu.au Website: http://www.deakin.edu.au
G'day mate, thanks for the quick reply. I already have this in my radiusd.conf: realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } The huntgroups file looks like this: wireless NAS-IP-Address == 127.0.0.1 wireless NAS-IP-Address == localhost.localdomain SQL-Group == 3072BY256 radgroupcheck table: | 8 | netmaster | Huntgroup-Name | == | netmaster | | 6 | 3072BY256 | Huntgroup-Name | == | wireless | | 7 | 3072BY256 | Auth-Type | += | local | | 9 | netmaster | Auth-Type | += | local | All of this is still in a test environment so I am able to change whatever is needed. -- Brad McAllister bmcallister@noc.dls.net On Oct 5, 2006, at 6:13 PM, James Wakefield wrote:
Brad McAllister wrote:
If I removed the huntgroups out of the picture, is works fine. The problem seems to be that the realm is not being stripped off of the username when it checks it against the usergroup table. If more information is needed, please let me know. I would really like to get this working. Thanks! - Brad
Have a look at the realm { } instances and attr_rewrite in http:// wiki.freeradius.org/Radiusd.conf.
If that doesn't sort you out, could you post (with private info obscured, of course) relevant excerpts from your radgroupcheck table and huntgroups file?
Cheers, -- James Wakefield, Unix Administrator, Information Technology Services Division Deakin University, Geelong, Victoria 3217 Australia.
Phone: 03 5227 8690 International: +61 3 5227 8690 Fax: 03 5227 8866 International: +61 3 5227 8866 E-mail: james.wakefield@deakin.edu.au Website: http://www.deakin.edu.au - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Brad McAllister wrote:
G'day mate, thanks for the quick reply. I already have this in my radiusd.conf:
realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no }
Have you got suffix in your authorize { } section?
The huntgroups file looks like this:
wireless NAS-IP-Address == 127.0.0.1 wireless NAS-IP-Address == localhost.localdomain SQL-Group == 3072BY256
radgroupcheck table:
| 8 | netmaster | Huntgroup-Name | == | netmaster | | 6 | 3072BY256 | Huntgroup-Name | == | wireless | | 7 | 3072BY256 | Auth-Type | += | local | | 9 | netmaster | Auth-Type | += | local |
Any reason you're setting values for Auth-Type? -- James Wakefield, Unix Administrator, Information Technology Services Division Deakin University, Geelong, Victoria 3217 Australia. Phone: 03 5227 8690 International: +61 3 5227 8690 Fax: 03 5227 8866 International: +61 3 5227 8866 E-mail: james.wakefield@deakin.edu.au Website: http://www.deakin.edu.au
Yes, the suffix is in the authorize { } section as well. I was just following the examples with the Auth-Type, I removed them from the DB, but end up with the same results. -- Brad McAllister DLS Internet Services p. 847.854.4799 x.232 bmcallister@noc.dls.net On Oct 9, 2006, at 5:26 AM, James Wakefield wrote:
Brad McAllister wrote:
G'day mate, thanks for the quick reply. I already have this in my radiusd.conf: realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no }
Have you got suffix in your authorize { } section?
The huntgroups file looks like this: wireless NAS-IP-Address == 127.0.0.1 wireless NAS-IP-Address == localhost.localdomain SQL-Group == 3072BY256 radgroupcheck table: | 8 | netmaster | Huntgroup-Name | == | netmaster | | 6 | 3072BY256 | Huntgroup-Name | == | wireless | | 7 | 3072BY256 | Auth-Type | += | local | | 9 | netmaster | Auth-Type | += | local |
Any reason you're setting values for Auth-Type?
-- James Wakefield, Unix Administrator, Information Technology Services Division Deakin University, Geelong, Victoria 3217 Australia.
Phone: 03 5227 8690 International: +61 3 5227 8690 Fax: 03 5227 8866 International: +61 3 5227 8866 E-mail: james.wakefield@deakin.edu.au Website: http://www.deakin.edu.au - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
I got it working! I had to put suffix before preprocess in the authorize { } section -- Brad McAllister DLS Internet Services p. 847.854.4799 x.232 bmcallister@noc.dls.net On Oct 9, 2006, at 9:18 AM, Brad McAllister wrote:
Yes, the suffix is in the authorize { } section as well. I was just following the examples with the Auth-Type, I removed them from the DB, but end up with the same results.
-- Brad McAllister DLS Internet Services p. 847.854.4799 x.232 bmcallister@noc.dls.net
On Oct 9, 2006, at 5:26 AM, James Wakefield wrote:
Brad McAllister wrote:
G'day mate, thanks for the quick reply. I already have this in my radiusd.conf: realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no }
Have you got suffix in your authorize { } section?
The huntgroups file looks like this: wireless NAS-IP-Address == 127.0.0.1 wireless NAS-IP-Address == localhost.localdomain SQL-Group == 3072BY256 radgroupcheck table: | 8 | netmaster | Huntgroup-Name | == | netmaster | | 6 | 3072BY256 | Huntgroup-Name | == | wireless | | 7 | 3072BY256 | Auth-Type | += | local | | 9 | netmaster | Auth-Type | += | local |
Any reason you're setting values for Auth-Type?
-- James Wakefield, Unix Administrator, Information Technology Services Division Deakin University, Geelong, Victoria 3217 Australia.
Phone: 03 5227 8690 International: +61 3 5227 8690 Fax: 03 5227 8866 International: +61 3 5227 8866 E-mail: james.wakefield@deakin.edu.au Website: http://www.deakin.edu.au - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
participants (2)
-
Brad McAllister -
James Wakefield