Hi, I am using freeradius 2.0.5 with MySQL, I am very new to Radius and FreRadius so please pardon my ignorance I need to reject user if his NAS-IP-Address input attribute does not match check attributes defined for his group. For example radgroupcheck | 1 | GROUP1 | NAS-IP-Address | == | x.x.x.1 | 2 | GROUP1 | NAS-IP-Address | == | x.x.x.2 | 3 | GROUP1 | NAS-IP-Address | == | x.x.x.3 If user is coming from NAS-IP-Address x.x.x.1 or x.x.x.2 or x.x.x.3 the user should be accepted and reply attributes are sent back If however if user is coming from NAS-IP-Address y.y.y.1 he should be rejected (even in the case he provide a valid password and NAS y.y.y.1 is properly defined in NAS table with a valid shared key) Since I found that only one operator "==" for NAS-IP-Address check attrubute can be found, I changed authorize_group_check_query, but still I managed to get reply list as empty for invalid NAS-IP and expected attributes from valid NAS (which is part of check attributes) but user is accepted in both cases. Is there a way to check if "reply" list is empty in unlang (does not contain ANY attributes)? I tried this, but it does not work. if (!reply:[0]) { # reply list is empty reject } Do you have any suggestions? Thanks you very much for your reply. -- View this message in context: http://www.nabble.com/authorization%3A-unlang-NAS-IP-Address-tp18609937p1860... Sent from the FreeRadius - User mailing list archive at Nabble.com.
leopold wrote:
If user is coming from NAS-IP-Address x.x.x.1 or x.x.x.2 or x.x.x.3 the user should be accepted and reply attributes are sent back If however if user is coming from NAS-IP-Address y.y.y.1 he should be rejected (even in the case he provide a valid password and NAS y.y.y.1 is properly defined in NAS table with a valid shared key)
It's a little difficult to do that with just the SQL module.
Since I found that only one operator "==" for NAS-IP-Address check attrubute can be found, I changed authorize_group_check_query, but still I managed to get reply list as empty for invalid NAS-IP and expected attributes from valid NAS (which is part of check attributes) but user is accepted in both cases.
Is there a way to check if "reply" list is empty in unlang (does not contain ANY attributes)?
No. However, see the return code from SQL. If it doesn't find the user, it should return "notfound", or "noop". Read the debug output to see more. You can then do: if (notfound) { reject } Which is what you want. Alan DeKok.
The problem is that all the users are valid and SQL module returns OK replyattribute list is empty, so I need somehow reject the user I did some dirty workaround if (!reply:Service-Type) { # reply list does not contain Service-Type reject } See in debug output a valid user with valid password comes from wrong NAS-IP-Address which does not belong to check attributes of the user's group ++[sql] returns ok ++? if (!reply:Service-Type) ? Evaluating !(reply:Service-Type) -> FALSE ++? if (!reply:Service-Type) -> TRUE ++- entering if (!reply:Service-Type) +++[reject] returns reject ++- if (!reply:Service-Type) returns reject Found Post-Auth-Type Reject +- entering group REJECT The problem is that I do not want to rely that reply list always contains Service-Type reply:Service-Type The SQL module returns OK even if there are no reply attributes Thanks again -- View this message in context: http://www.nabble.com/authorization%3A-unlang-NAS-IP-Address-tp18609937p1861... Sent from the FreeRadius - User mailing list archive at Nabble.com.
See in debug output a valid user with valid password comes from wrong NAS-IP-Address which does not belong to check attributes of the user's group
++[sql] returns ok
That is wrong. If group check fails sql should return notfound. Check your sql entries again. Have you altered default sql queries in some way (you have left them out of the debug)? Ivan Kalik Kalik Informatika ISP
Ivan, Even with default SQL query it returns OK, because user is defined properly, it is just check attributes of group do not match I went to the code and I saw that rlm_sql_process_groups function causes the whole module to return OK even though NAS-IP-Address attribute does not match Note it does not return attributes, it just return OK /* * rows == 0. This is like having the username on a line * in the user's file with no check vp's. As such, we treat * it as found and add the reply attributes, so that we * match expected behavior */ found = 1; DEBUG2("rlm_sql (%s): User found in group %s", inst->config->xlat_name, group_list_tmp->groupname); User-Name = "validuser" User-Password = "validpasswd" NAS-IP-Address = y.y.y.1 rlm_sql (sql): Reserving sql socket id: 6 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'validuser' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'validuser' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'validuser' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'validuser' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'validuser' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'validuser' ORDER BY priority expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'GROUP1' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'GROUP1' ORDER BY id rlm_sql (sql): Released sql socket id: 6 ++[sql] returns ok Should this module return FAIL if group check fails? Ivan Kalik wrote:
See in debug output a valid user with valid password comes from wrong NAS-IP-Address which does not belong to check attributes of the user's
group
++[sql] returns ok
That is wrong. If group check fails sql should return notfound. Check your sql entries again. Have you altered default sql queries in some way (you have left them out of the debug)?
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/authorization%3A-unlang-NAS-IP-Address-tp18609937p1861... Sent from the FreeRadius - User mailing list archive at Nabble.com.
No, it should return notfound. I can confirm this. If check is put in radcheck table user will be rejected but if check (that should fail) is put in radgroupcheck table user is authenticated. That is not how things should work. It should return notfound if there is no match in radgroupcheck too. Ivan Kalik Kalik Informatika ISP Dana 23/7/2008, "leopold" <vova_b@yahoo.com> piše:
Ivan, Even with default SQL query it returns OK, because user is defined properly, it is just check attributes of group do not match
I went to the code and I saw that rlm_sql_process_groups function causes the whole module to return OK even though NAS-IP-Address attribute does not match Note it does not return attributes, it just return OK
/* * rows == 0. This is like having the username on a line * in the user's file with no check vp's. As such, we treat * it as found and add the reply attributes, so that we * match expected behavior */ found = 1; DEBUG2("rlm_sql (%s): User found in group %s", inst->config->xlat_name, group_list_tmp->groupname);
User-Name = "validuser" User-Password = "validpasswd" NAS-IP-Address = y.y.y.1
rlm_sql (sql): Reserving sql socket id: 6 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'validuser' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'validuser' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'validuser' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'validuser' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'validuser' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'validuser' ORDER BY priority expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'GROUP1' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'GROUP1' ORDER BY id rlm_sql (sql): Released sql socket id: 6 ++[sql] returns ok
Should this module return FAIL if group check fails?
Ivan Kalik wrote:
See in debug output a valid user with valid password comes from wrong NAS-IP-Address which does not belong to check attributes of the user's
group
++[sql] returns ok
That is wrong. If group check fails sql should return notfound. Check your sql entries again. Have you altered default sql queries in some way (you have left them out of the debug)?
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/authorization%3A-unlang-NAS-IP-Address-tp18609937p1861... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
It seems that rlm_sql_process_groups in rlm_sql.c does not handle this situation 1. If paircompare fails in rlm_sql_process_groups it should not return found=1 2. rlm_sql_authorize should handle return code of rlm_sql_process_groups so that if it is not found it should actually return not found and not "OK" diff ./src/modules/rlm_sql/rlm_sql.c.ORIG ./src/modules/rlm_sql/rlm_sql.c 676a677,682
else { found = 0; DEBUG2("rlm_sql (%s): User not found in group %s", inst->config->xlat_name, group_list_tmp->groupname); }
1004a1011,1015
else { /* rows == 0 here */ found = 0; }
1048a1060,1064
else { /* rows == 0 here */ found = 0;
Comments? -- View this message in context: http://www.nabble.com/authorization%3A-unlang-NAS-IP-Address-tp18609937p1861... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (3)
-
Alan DeKok -
Ivan Kalik -
leopold