what would cause sql to return reject response?
i have the below in authorize sql { notfound = 1 reject = 2 } if (notfound) { update reply { Reply-Message := "Incorrect Username or Password" } reject } if (reject) { update reply { Reply-Message := "Your account is disabled, contact admin" } reject } expiration { userlock = 1 } if (userlock) { update reply { Reply-Message := "Your account has expired, contact admin" } reject } logintime pap but the reject response is never generated from the sql module, if the username doesnt match it generates the notfound and if password doesnt match the pap module rejects the request and sql responds ok but what i want is the sql module to generate the reject response. can anyone guide me under what circumstances does the sql module generate a reject response coz i tried setting Auth-Type attribute to reject but still sql doesnt generate reject
On Feb 11, 2019, at 10:23 AM, Bipin Patel via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
i have the below in authorize
sql { notfound = 1 reject = 2 }
...
but the reject response is never generated from the sql module,
Because the SQL module does not authenticate a user. SQL is a database. FreeRADIUS just looks the user up in the database. The answer is either "yes, the user is there" or "no such user in the database".
if the username doesnt match it generates the notfound and if password doesnt match the pap module rejects the request and sql responds ok but what i want is the sql module to generate the reject response.
Why? This is the typical issue of you have a solution in mind, and you're wondering how to implement it. And, why the server doesn't behave the way you expect. You should instead discuss the *problem* you're having. Why is it important for "sql" to reject the user, instead of "pap" ?
can anyone guide me under what circumstances does the sql module generate a reject response coz i tried setting Auth-Type attribute to reject but still sql doesnt generate reject
The SQL module never rejects a user. You might have 4 different databases for users. It is *wrong* for the SQL module to reject a user. Alan DeKok.
basically i have developed a full web gui for mikrotik routers and freeradius to work as a hotspot where the web gui talks to the sql db directly and the user can create plans which would be the radius groups and associated check and reply attributes. I have created a disable client account option which deactivates the account and what i saw in daloradius was it used to create a disabled group with priority 0 and sets the Auth-Type attribute to Reject, i know the docs mention not the set the auth-type directly but i dont see a way to do it directly in FR so i followed the same method and the reason i was assuming the sql module would reject seeing the auth-type to reject using the reject response but later noticed it would never respond with reject. I searched all docs and the book but no place it mentions under what cases sql module would respond with reject and i wanted to sql module to reject so i can reply with "account disabled" and not have the rest of the authorize section to execute coz later down the section i have a call to a php script and im trying to reduce calls to it unless the account is enabled and id/pass match On 11-02-2019 19:37, Alan DeKok wrote:
On Feb 11, 2019, at 10:23 AM, Bipin Patel via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
i have the below in authorize
sql { notfound = 1 reject = 2 } ...
but the reject response is never generated from the sql module,
Because the SQL module does not authenticate a user. SQL is a database. FreeRADIUS just looks the user up in the database. The answer is either "yes, the user is there" or "no such user in the database".
if the username doesnt match it generates the notfound and if password doesnt match the pap module rejects the request and sql responds ok but what i want is the sql module to generate the reject response.
Why?
This is the typical issue of you have a solution in mind, and you're wondering how to implement it. And, why the server doesn't behave the way you expect.
You should instead discuss the *problem* you're having. Why is it important for "sql" to reject the user, instead of "pap" ?
can anyone guide me under what circumstances does the sql module generate a reject response coz i tried setting Auth-Type attribute to reject but still sql doesnt generate reject
The SQL module never rejects a user.
You might have 4 different databases for users. It is *wrong* for the SQL module to reject a user.
Alan DeKok.
On Feb 11, 2019, at 11:33 AM, Bipin Patel via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
basically i have developed a full web gui for mikrotik routers and freeradius to work as a hotspot where the web gui talks to the sql db directly and the user can create plans which would be the radius groups and associated check and reply attributes.
Ok...
I have created a disable client account option which deactivates the account and what i saw in daloradius was it used to create a disabled group with priority 0 and sets the Auth-Type attribute to Reject, i know the docs mention not the set the auth-type directly but i dont see a way to do it directly in FR
That should work. If it doesn't, read the debug output as suggest in the "man" page, web pages, and the message you get when joining this list. No amount of randomly changing things will fix it. You need to understand what it's doing.
so i followed the same method and the reason i was assuming the sql module would reject seeing the auth-type to reject using the reject response but later noticed it would never respond with reject. I searched all docs and the book but no place it mentions under what cases sql module would respond with reject and i wanted to sql module to reject
It doesn't. You want the group to match.
so i can reply with "account disabled" and not have the rest of the authorize section to execute coz later down the section i have a call to a php script and im trying to reduce calls to it unless the account is enabled and id/pass match
If you want to skip parts of the "authorize" section, you will need to check for that and write the policy. Something like: authorize { ... sql if (SQL-Group == "disabled") { reject } ... } Alan DeKok.
The part about checking the SQL-group for disabled didn't click to me so let me try that, hopefully it should work help me skip calling the php script which basically just sets the bandwidth which I don't need to call if account is part of disabled group. Setting auth-type to reject works like daloradius does but the call to php script would still run which I'm trying to avoid coz no point setting bandwidth from the group with priority 1 when the group with priority 0 says auth-type reject. Earlier I used to think SQL module would respond with reject which clearly doesn't and thanks for the clarification, coz most docs say it has possible response of reject also and I was wondering why isn't it responding with that and went on a quest to figure out what situation would cause it to respond with that. Btw the hotspot is mostly ready to use and once I add even more features I shall be releasing it as open source if it helps others. Mikrotik router based hotspot with FR running on raspberry pi for very small setups but it can run on any normal Debian machine too. On February 11, 2019 9:07:50 PM Alan DeKok <aland@deployingradius.com> wrote:
On Feb 11, 2019, at 11:33 AM, Bipin Patel via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
basically i have developed a full web gui for mikrotik routers and freeradius to work as a hotspot where the web gui talks to the sql db directly and the user can create plans which would be the radius groups and associated check and reply attributes.
Ok...
I have created a disable client account option which deactivates the account and what i saw in daloradius was it used to create a disabled group with priority 0 and sets the Auth-Type attribute to Reject, i know the docs mention not the set the auth-type directly but i dont see a way to do it directly in FR
That should work. If it doesn't, read the debug output as suggest in the "man" page, web pages, and the message you get when joining this list.
No amount of randomly changing things will fix it. You need to understand what it's doing.
so i followed the same method and the reason i was assuming the sql module would reject seeing the auth-type to reject using the reject response but later noticed it would never respond with reject. I searched all docs and the book but no place it mentions under what cases sql module would respond with reject and i wanted to sql module to reject
It doesn't. You want the group to match.
so i can reply with "account disabled" and not have the rest of the authorize section to execute coz later down the section i have a call to a php script and im trying to reduce calls to it unless the account is enabled and id/pass match
If you want to skip parts of the "authorize" section, you will need to check for that and write the policy. Something like:
authorize { ... sql if (SQL-Group == "disabled") { reject } ... }
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Bipin Patel