I have an old instance of icradius - which - when users had a static IP allocated - login would fail if there was a realm present but work just fine if the realm was missing. This was in the old, dark days - when everyone was in the same realm. Now - freeradius works just fine with a full realm based login and statc IP but I have a number of users both with and without static IP's who don't have their realm as part of their login ID.. ie rather than 'joe@pop.co.za' - they just use 'joe'. The easiest solution would be - if (REALM == NULL) - add on the default realm. There are about 10 different realms being used - as well as the 'default'. Anyway.. In proxy.conf - I have uncommented .. realm NULL { type = radius authhost = LOCAL accthost = LOCAL } (This is now the last 'realm' definition in this file - in case order matters. 'DEFAULT' is still commented) In my sql.conf - I have code that looks like... ... Username='%{Stripped-User-Name}' AND realm='%{Realm:-pop.co.za}' AND .... ie - if the REALM is missing - it should default to 'pop.co.za'... Anyway - still getting incorrect logins.... A radiusd -X shows me that .."WHERE Username='mje' AND realm='NULL' AND"... ie - If there is no realm - its set to the string of four characters 'NULL' rather than the string '\0' .. not what I was hoping for... If the realm is missing - it can only refer to a user in the 'pop.co.za' realm - and no other. Suggestions? ie - the equivalent of ... if( ${Realm} == "NULL") Realm="pop.co.za" ..put somewhere. ps. It would be very useful if one could run radiusd in '-X' mode based on some criteria - such as the Realm or the Nas, especially on a busy server - just for matching packets. (in proxy.conf .. syntax of realm myrealm.com { type = radius authhost = LOCAL accthost = LOCAL debug = yes } or in clients.conf client access.pop.co.za { secret = very shortname = access nastype = cisco debug = yes } ) -- . . ___. .__ Posix Systems - Sth Africa /| /| / /__ mje@posix.co.za - Mark J Elkins, SCO ACE, Cisco CCIE / |/ |ARK \_/ /__ LKINS Tel: +27 12 807 0590 Cell: +27 82 601 0496
... Username='%{Stripped-User-Name}' AND realm='%{Realm:-pop.co.za}' AND ....
ie - if the REALM is missing - it should default to 'pop.co.za'...
Anyway - still getting incorrect logins....
A radiusd -X shows me that .."WHERE Username='mje' AND realm='NULL' AND"...
That's how it works. You'll need to refactor your SQL query e.g. select foo from bar where Username='%{Stripped-User-Name}' and realm=( case when '%{Realm}'='NULL' then 'pop.co.za' else '%{Realm}' end) The other and slightly easier alternative is to set "ignore_null = yes" on your realm module so that users without a realm won't match the module, and then use: select foo from bar where Username='%{Stripped-User-Name:-%{User-Name}}' and realm='${Realm:-pop.co.za}'
ie - If there is no realm - its set to the string of four characters 'NULL' rather than the string '\0' .. not what I was hoping for...
If the realm is missing - it can only refer to a user in the 'pop.co.za' realm - and no other.
Suggestions?
ie - the equivalent of ... if( ${Realm} == "NULL") Realm="pop.co.za" ..put somewhere.
ps. It would be very useful if one could run radiusd in '-X' mode based on some criteria - such as the Realm or the Nas, especially on a busy server - just for matching packets.
(in proxy.conf .. syntax of realm myrealm.com { type = radius authhost = LOCAL accthost = LOCAL debug = yes }
or in clients.conf client access.pop.co.za { secret = very shortname = access nastype = cisco debug = yes } )
Phil Mayers wrote:
... Username='%{Stripped-User-Name}' AND realm='%{Realm:-pop.co.za}' AND ....
ie - if the REALM is missing - it should default to 'pop.co.za'...
Anyway - still getting incorrect logins....
A radiusd -X shows me that .."WHERE Username='mje' AND realm='NULL' AND"...
That's how it works. You'll need to refactor your SQL query e.g.
grumble.... if people wanted the string 'NULL' - they should use "%{Realm:-NULL}" (user hides below the keyboard :-)
select foo from bar where Username='%{Stripped-User-Name}' and realm=( case when '%{Realm}'='NULL' then 'pop.co.za' else '%{Realm}' end)
The other and slightly easier alternative is to set "ignore_null = yes" on your realm module so that users without a realm won't match the module, and then use:
select foo from bar where Username='%{Stripped-User-Name:-%{User-Name}}' and realm='${Realm:-pop.co.za}'
Being lazy - I'm starting here. (Also - less impact on existing users) Changed 'ignore_null' to yes.. Smiled - and tried to dial-in rad_recv: Access-Request packet from host 160.124.0.97:1645, id=81, length=106 NAS-IP-Address = 160.124.0.97 NAS-Port = 70 Cisco-NAS-Port = "Async70" NAS-Port-Type = Async User-Name = "mje" Called-Station-Id = "0800" User-Password = "verysecret" Service-Type = Framed-User Framed-Protocol = PPP Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "mje", skipping NULL due to config. *** Line above suggests the 'ignore_null' worked *** modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 7 radius_xlat: 'mje' rlm_sql (sql): sql_set_user escaped user --> 'mje' radius_xlat: 'SELECT userid as id,UserName,'Password' as Attribute,password as Value,'==' as op FROM useracct WHERE Username='' AND realm='pop.co.za' AND ..... Something stole my username ??? I'm not too sure of the logic here. I've left the NULL realm in "proxy.conf" uncommented - so its 'live'. It seems that the 'NULL' realm matched... then skipped (?) - so I got a null username and a null realm (all the other info got through!) Looks like the SQL logic works though... I just hate complicating the SQL queries even more than I already have! I guess FreeRadius 2.xx will make things easier?
ie - If there is no realm - its set to the string of four characters 'NULL' rather than the string '\0' .. not what I was hoping for...
If the realm is missing - it can only refer to a user in the 'pop.co.za' realm - and no other.
Suggestions?
ie - the equivalent of ... if( ${Realm} == "NULL") Realm="pop.co.za" ..put somewhere.
ps. It would be very useful if one could run radiusd in '-X' mode based on some criteria - such as the Realm or the Nas, especially on a busy server - just for matching packets.
(in proxy.conf .. syntax of realm myrealm.com { type = radius authhost = LOCAL accthost = LOCAL debug = yes }
or in clients.conf client access.pop.co.za { secret = very shortname = access nastype = cisco debug = yes } )
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- . . ___. .__ Posix Systems - Sth Africa /| /| / /__ mje@posix.co.za - Mark J Elkins, SCO ACE, Cisco CCIE / |/ |ARK \_/ /__ LKINS Tel: +27 12 807 0590 Cell: +27 82 601 0496
The other and slightly easier alternative is to set "ignore_null = yes" on your realm module so that users without a realm won't match the module, and then use:
select foo from bar where Username='%{Stripped-User-Name:-%{User-Name}}' and realm='${Realm:-pop.co.za}'
Being lazy - I'm starting here. (Also - less impact on existing users)
It's probably the most sensible thing to do
Changed 'ignore_null' to yes.. Smiled - and tried to dial-in
rad_recv: Access-Request packet from host 160.124.0.97:1645, id=81, length=106 NAS-IP-Address = 160.124.0.97 NAS-Port = 70 Cisco-NAS-Port = "Async70" NAS-Port-Type = Async User-Name = "mje" Called-Station-Id = "0800" User-Password = "verysecret" Service-Type = Framed-User Framed-Protocol = PPP Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "mje", skipping NULL due to config. *** Line above suggests the 'ignore_null' worked *** modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 7 radius_xlat: 'mje' rlm_sql (sql): sql_set_user escaped user --> 'mje' radius_xlat: 'SELECT userid as id,UserName,'Password' as Attribute,password as Value,'==' as op FROM useracct WHERE Username='' AND realm='pop.co.za' AND .....
Something stole my username ???
Well, something in your SQL query is wrong. The default queries use %{SQL-User-Name} which is set to %{Stripped-User-Name:-%{User-Name}} which will work with and without a realm match. If you've changed that e.g. to make the queries use %{Stripped-User-Name} directly then it'll fail because of course now the realm module isn't matching, so no Stripped-User-Name is being set.
I'm not too sure of the logic here. I've left the NULL realm in "proxy.conf" uncommented - so its 'live'.
Yes - but you've told the realm module to ignore_null, so it'll never match and a user will never be "in" that realm.
It seems that the 'NULL' realm matched... then skipped (?) - so I got a null username and a null realm (all the other info got through!)
You got a null *STRIPPED* user name. Use the conditional expansion as above and per the default configs.
Looks like the SQL logic works though... I just hate complicating the SQL queries even more than I already have!
I guess FreeRadius 2.xx will make things easier?
Well no - if you break the SQL queries then 2.x will fail too ;o)
participants (3)
-
Mark J Elkins -
Phil Mayers -
Santiago Balaguer García