I have a user called "test150" that belongs to group "testgroup123". Bellow you can see what I have in my database related to "test150" user and "testgroup123" group: select * from radcheck where username = 'test150'; id | username | attribute |op | value --------------+---------------+-----------------------------+----+--------- 1523812 | test150 | Cleartext-Password | := | test150 select * from radgroupcheck where groupname = 'testgroup123'; id | groupname | attribute | op | value ----+--------------------+----------------------------------------+----+---------- 11 | testgroup123 | NAS-IP-Address | := | 10.3.1.1 15 | testgroup123 | CarboSolutions-Max-Users | < | 5 CarboSolutions-Max-Users is an attribute declared of myself. select * from radusergroup where username = 'test150'; username | groupname | priority ---------------+--------------------+---------- test150 | testgroup123 | 0 select * from radgroupreply where groupname = 'testgroup123'; id | groupname | attribute | op | value -----+--------------------+------------------------------------------+----+-------- 14 | testgroup123 | WISPr-Bandwidth-Max-Down | := | 256000 *The problem:* * * When I try to log in with "test150" and CarboSolutions-Max-Users attribute is < 5, the bandwidth limitation is working (in debug output I can see that FR sends WISPr-Bandwidth-Max-Down attribute in reply - and it applies). But when CarboSolutions-Max-Users check isn't fulfilled (I mean is greater or equal to 5) WISPr-Bandwidth-Max-Down attribute isn't shown in FR debug output as reply attrtibute - and not working bandwidth limitation. *N.B.1 *I set the CarboSolutions-Max-Users attribute in default site's file in authorize section. Looks like this: update request { CarboSolutions-Max-Users="%{sql:SELECT COUNT(DISTINCT radacct.UserName) FROM radacct INNER JOIN radusergroup ON radusergroup.UserName = radacct.UserName WHERE radusergroup.GroupName = (SELECT GroupName FROM radusergroup ...}" } I understand that when group's check conditions aren't meet, I can login neglecting the group's attributes. Can anybody tell me how to avoid that behavior? I think that if a user belongs to a group and the checks for the group aren't meet, the user shoudn't be able to be authenticated. Am I wrong? If not, what's the problem to my issue? *N.B.2 *The output from running FR with -XXX switch is (when it is not working well): rad_recv: Access-Request packet from host 127.0.0.1 port 34173, id=225, length=276 ChilliSpot-Version = "1.2.9" User-Name = "test150" User-Password = "test150" Service-Type = Login-User Acct-Session-Id = "501a75b300000001" Framed-IP-Address = 10.3.1.3 NAS-Port-Type = Wireless-802.11 NAS-Port = 1 NAS-Port-Id = "00000001" Calling-Station-Id = "00-25-22-83-95-C5" Called-Station-Id = "F8-D1-11-05-93-01" NAS-IP-Address = 10.3.1.1 NAS-Identifier = "nas-1" WISPr-Location-ID = "isocc=,cc=,ac=,network=netNFork," WISPr-Location-Name = "netNFork_LAN" WISPr-Logoff-URL = "http://10.3.1.1:3001/logoff" Message-Authenticator = 0x0c4075cf2f111445caff3fb367ddd776 Thu Aug 2 15:43:44 2012 : Info: # Executing section authorize from file /netnfork/radius//etc/raddb/sites-enabled/default Thu Aug 2 15:43:44 2012 : Info: +- entering group authorize {...} Thu Aug 2 15:43:44 2012 : Info: expand: %S -> 2012-08-02 15:43:44 Thu Aug 2 15:43:44 2012 : Info: sql_xlat Thu Aug 2 15:43:44 2012 : Info: expand: %{User-Name} -> test150 Thu Aug 2 15:43:44 2012 : Info: sql_set_user escaped user --> 'test150' Thu Aug 2 15:43:44 2012 : Info: expand: SELECT COUNT(DISTINCT CallingStationId) FROM radacct WHERE UserName='%{User-Name}' AND CallingStationId != '%{Calling-Station-Id}' -> SELECT COUNT(DISTINCT CallingStationId) FROM radacct WHERE UserName='test150' AND CallingStationId != '00-25-22-83-95-C5' Thu Aug 2 15:43:44 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 30 Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: Status: PGRES_TUPLES_OK Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: query affected rows = 1 , fields = 1 Thu Aug 2 15:43:45 2012 : Info: sql_xlat finished Thu Aug 2 15:43:45 2012 : Debug: rlm_sql (sql): Released sql socket id: 30 Thu Aug 2 15:43:45 2012 : Info: expand: %{sql:SELECT COUNT(DISTINCT CallingStationId) FROM radacct WHERE UserName='%{User-Name}' AND CallingStationId != '%{Calling-Station-Id}'} -> 0 Thu Aug 2 15:43:45 2012 : Info: sql_xlat Thu Aug 2 15:43:45 2012 : Info: expand: %{User-Name} -> test150 Thu Aug 2 15:43:45 2012 : Info: sql_set_user escaped user --> 'test150' //*** this interests (bellow)--> Thu Aug 2 15:43:45 2012 : Info: expand: SELECT COUNT(DISTINCT radacct.UserName) FROM radacct INNER JOIN radusergroup ON radusergroup.UserName = radacct.UserName WHERE radusergroup.GroupName = (SELECT GroupName FROM radusergroup WHERE UserName='%{User-Name}') AND AcctStopTime ISNULL -> SELECT COUNT(DISTINCT radacct.UserName) FROM radacct INNER JOIN radusergroup ON radusergroup.UserName = radacct.UserName WHERE radusergroup.GroupName = (SELECT GroupName FROM radusergroup WHERE UserName='test150') AND AcctStopTime ISNULL Thu Aug 2 15:43:45 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 29 Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: Status: PGRES_TUPLES_OK Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: query affected rows = 1 , fields = 1 Thu Aug 2 15:43:45 2012 : Info: sql_xlat finished Thu Aug 2 15:43:45 2012 : Debug: rlm_sql (sql): Released sql socket id: 29 Thu Aug 2 15:43:45 2012 : Info: expand: %{sql:SELECT COUNT(DISTINCT radacct.UserName) FROM radacct INNER JOIN radusergroup ON radusergroup.UserName = radacct.UserName WHERE radusergroup.GroupName = (SELECT GroupName FROM radusergroup WHERE UserName='%{User-Name}') AND AcctStopTime ISNULL} -> 1 Thu Aug 2 15:43:45 2012 : Info: ++[request] returns notfound Thu Aug 2 15:43:45 2012 : Info: [sql] expand: %{User-Name} -> test150 Thu Aug 2 15:43:45 2012 : Info: [sql] sql_set_user escaped user --> 'test150' Thu Aug 2 15:43:45 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 28 Thu Aug 2 15:43:45 2012 : Info: [sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'test150' ORDER BY id Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: Status: PGRES_TUPLES_OK Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: query affected rows = 1 , fields = 5 Thu Aug 2 15:43:45 2012 : Info: [sql] User found in radcheck table Thu Aug 2 15:43:45 2012 : Info: [sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'test150' ORDER BY id Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: Status: PGRES_TUPLES_OK Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: query affected rows = 0 , fields = 5 Thu Aug 2 15:43:45 2012 : Info: [sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='test150' ORDER BY priority Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: Status: PGRES_TUPLES_OK Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: query affected rows = 1 , fields = 1 Thu Aug 2 15:43:45 2012 : Info: [sql] expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = 'testgroup123' ORDER BY id Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: Status: PGRES_TUPLES_OK Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: query affected rows = 2 , fields = 5 Thu Aug 2 15:43:45 2012 : Debug: rlm_sql (sql): Released sql socket id: 28 Thu Aug 2 15:43:45 2012 : Info: ++[sql] returns ok Thu Aug 2 15:43:45 2012 : Info: ++[expiration] returns noop Thu Aug 2 15:43:45 2012 : Info: ++[logintime] returns noop Thu Aug 2 15:43:45 2012 : Info: WARNING: Please update your configuration, and remove 'Auth-Type = Local' Thu Aug 2 15:43:45 2012 : Info: WARNING: Use the PAP or CHAP modules instead. Thu Aug 2 15:43:45 2012 : Info: User-Password in the request is correct. Thu Aug 2 15:43:45 2012 : Info: # Executing section post-auth from file /netnfork/radius//etc/raddb/sites-enabled/default Thu Aug 2 15:43:45 2012 : Info: +- entering group post-auth {...} Thu Aug 2 15:43:45 2012 : Info: ++[exec] returns noop Sending Access-Accept of id 225 to 127.0.0.1 port 34173 Thu Aug 2 15:43:45 2012 : Info: Finished request 14. Thu Aug 2 15:43:45 2012 : Debug: Going to the next request Thu Aug 2 15:43:45 2012 : Debug: Waking up in 2.9 seconds. //*** bellow is the accounting log, I think it shouldn't present interest rad_recv: Accounting-Request packet from host 127.0.0.1 port 41985, id=8, length=223 ChilliSpot-Version = "1.2.9" ChilliSpot-Attr-10 = 0x00000002 Event-Timestamp = "Aug 2 2012 15:43:44 EEST" User-Name = "test150" Acct-Status-Type = Start Acct-Session-Id = "501a75b300000001" Framed-IP-Address = 10.3.1.3 NAS-Port-Type = Wireless-802.11 NAS-Port = 1 NAS-Port-Id = "00000001" Calling-Station-Id = "00-25-22-83-95-C5" Called-Station-Id = "F8-D1-11-05-93-01" NAS-IP-Address = 10.3.1.1 NAS-Identifier = "nas-1" WISPr-Location-ID = "isocc=,cc=,ac=,network=netNFork," WISPr-Location-Name = "netNFork_LAN" Thu Aug 2 15:43:45 2012 : Info: # Executing section preacct from file /netnfork/radius//etc/raddb/sites-enabled/default Thu Aug 2 15:43:45 2012 : Info: +- entering group preacct {...} Thu Aug 2 15:43:45 2012 : Info: ++[preprocess] returns ok Thu Aug 2 15:43:45 2012 : Info: [acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 10.3.1.1,Acct-Session-Id = "501a75b300000001",User-Name = "test150"' Thu Aug 2 15:43:45 2012 : Info: [acct_unique] Acct-Unique-Session-ID = "84a01adb8bcce762". Thu Aug 2 15:43:45 2012 : Info: ++[acct_unique] returns ok Thu Aug 2 15:43:45 2012 : Info: [suffix] No '@' in User-Name = "test150", looking up realm NULL Thu Aug 2 15:43:45 2012 : Info: [suffix] No such realm "NULL" Thu Aug 2 15:43:45 2012 : Info: ++[suffix] returns noop Thu Aug 2 15:43:45 2012 : Info: # Executing section accounting from file /netnfork/radius//etc/raddb/sites-enabled/default Thu Aug 2 15:43:45 2012 : Info: +- entering group accounting {...} Thu Aug 2 15:43:45 2012 : Info: [detail] expand: %{Packet-Src-IP-Address} -> 127.0.0.1 Thu Aug 2 15:43:45 2012 : Info: [detail] expand: /netnfork/radius//var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /netnfork/radius//var/log/radius/radacct/127.0.0.1/detail-20120802 Thu Aug 2 15:43:45 2012 : Info: [detail] /netnfork/radius//var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /netnfork/radius//var/log/radius/radacct/ 127.0.0.1/detail-20120802 Thu Aug 2 15:43:45 2012 : Info: [detail] expand: %t -> Thu Aug 2 15:43:45 2012 Thu Aug 2 15:43:45 2012 : Info: ++[detail] returns ok Thu Aug 2 15:43:45 2012 : Info: [sql] expand: %{User-Name} -> test150 Thu Aug 2 15:43:45 2012 : Info: [sql] sql_set_user escaped user --> 'test150' Thu Aug 2 15:43:45 2012 : Info: [sql] expand: %{NAS-Port} -> 1 Thu Aug 2 15:43:45 2012 : Info: [sql] expand: %{Acct-Delay-Time} -> Thu Aug 2 15:43:45 2012 : Info: [sql] ... expanding second conditional Thu Aug 2 15:43:45 2012 : Info: [sql] expand: INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctAuthentic, ConnectInfo_start, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, XAscendSessionSvrKey) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{NAS-IP-Address}', %{%{NAS-Port}:-NULL}, '%{NAS-Port-Type}', ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), '%{Acct-Authentic}', '%{Connect-Info}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet, 0, '%{X-Ascend-Session-Svr-Key}') -> INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctAuthentic, ConnectInfo_start, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, Thu Aug 2 15:43:45 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 27 Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: Status: PGRES_COMMAND_OK Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: query affected rows = 1 Thu Aug 2 15:43:45 2012 : Debug: rlm_sql (sql): Released sql socket id: 27 Thu Aug 2 15:43:45 2012 : Info: ++[sql] returns ok Thu Aug 2 15:43:45 2012 : Info: [attr_filter.accounting_response] expand: %{User-Name} -> test150 Thu Aug 2 15:43:45 2012 : Debug: attr_filter: Matched entry DEFAULT at line 12 Thu Aug 2 15:43:45 2012 : Info: ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 8 to 127.0.0.1 port 41985 Thu Aug 2 15:43:45 2012 : Info: Finished request 15. Thu Aug 2 15:43:45 2012 : Info: Cleaning up request 15 ID 8 with timestamp +1230 Thu Aug 2 15:43:45 2012 : Debug: Going to the next request Thu Aug 2 15:43:45 2012 : Debug: Waking up in 2.9 seconds. Thu Aug 2 15:43:48 2012 : Info: Cleaning up request 14 ID 225 with timestamp +1229 Thu Aug 2 15:43:48 2012 : Info: Ready to process requests.
Andrei Petru Mura wrote:
I understand that when group's check conditions aren't meet, I can login neglecting the group's attributes. Can anybody tell me how to avoid that behavior? I think that if a user belongs to a group and the checks for the group aren't meet, the user shoudn't be able to be authenticated. Am I wrong? If not, what's the problem to my issue?
That's wrong. The group checks are useful, but not required. Users can be members of multiple groups. If you want users from only one group to authenticate, then check for that group membership, and reject anyone who isn't a member. Alan DeKok.
participants (2)
-
Alan DeKok -
Andrei Petru Mura