mysql radgroupcheck, deny access
I had some older Debian 4.0 (etch) servers, with freeradius v1.1.3 installed from packages. I then upgraded to Debian 5.0 (lenny), which comes with freeradius v2.0.4 After upgrading I ran into some problems with my radgroupcheck rules. In radgroupcheck, I have some rules to restrict which NAS users are allowed to connect to. Here's an example : mysql> select * from radcheck where username = 'mbowe-test'; +------+------------+----------------+----+--------------------------------- ---+ | id | username | attribute | op | value | +------+------------+----------------+----+--------------------------------- ---+ | 708 | mbowe-test | Crypt-Password | := | <SNIPPED> | +------+------------+----------------+----+--------------------------------- ---+ mysql> select * from radreply where username = 'mbowe-test'; Empty set (0.00 sec) mysql> select * from radusergroup where username = 'mbowe-test'; +------------+----------------+----------+ | username | groupname | priority | +------------+----------------+----------+ | mbowe-test | dialup-freedom | 1 | +------------+----------------+----------+ mysql> select * from radgroupcheck where groupname = 'dialup-freedom'; +----+----------------+------------------+----+----------------------------- + | id | groupname | attribute | op | value | +----+----------------+------------------+----+----------------------------- + | 3 | dialup-freedom | NAS-IP-Address | !~ | ^111.222.333.(1|2|3|4|5|6)$ | | 4 | dialup-freedom | Simultaneous-Use | := | 1 | +----+----------------+------------------+----+----------------------------- + mysql> select * from radgroupreply where groupname = 'dialup-freedom'; +----+----------------+--------------------+----+---------------------+ | id | groupname | attribute | op | value | +----+----------------+--------------------+----+---------------------+ | 9 | dialup-freedom | Service-Type | := | Framed-User | | 10 | dialup-freedom | Framed-Protocol | := | PPP | | 11 | dialup-freedom | Framed-IP-Address | = | 255.255.255.254 | | 12 | dialup-freedom | Framed-IP-Netmask | := | 255.255.255.255 | | 13 | dialup-freedom | Framed-Compression | := | Van-Jacobson-TCP-IP | | 14 | dialup-freedom | Idle-Timeout | := | 1800 | | 15 | dialup-freedom | Session-Timeout | := | 14400 | | 16 | dialup-freedom | Port-Limit | := | 1 | +----+----------------+--------------------+----+---------------------+ Under the older freeradius, if the mbowe-test user tried to connect to a NAS with IP 111.222.333.1|2|3|4|5|6 then their access would be rejected. However under the newer freeradius, the user can now get online OK. (The group doesn't match so the 'dialup-freedom' attributes are not returned) In my sql.conf I have read_groups = yes I tried installing the freeradius 2.1.7 from source, and it gives the same result as the 2.0.4 from packages (user can get online). Am I doing something wrong? Let me know if you would like me to paste some debugs. Michael.
I had some older Debian 4.0 (etch) servers, with freeradius v1.1.3 installed from packages.
I then upgraded to Debian 5.0 (lenny), which comes with freeradius v2.0.4
After upgrading I ran into some problems with my radgroupcheck rules.
In radgroupcheck, I have some rules to restrict which NAS users are allowed to connect to.
Here's an example :
mysql> select * from radcheck where username = 'mbowe-test'; +------+------------+----------------+----+--------------------------------- ---+ | id | username | attribute | op | value | +------+------------+----------------+----+--------------------------------- ---+ | 708 | mbowe-test | Crypt-Password | := | <SNIPPED> | +------+------------+----------------+----+--------------------------------- ---+
mysql> select * from radreply where username = 'mbowe-test'; Empty set (0.00 sec)
mysql> select * from radusergroup where username = 'mbowe-test'; +------------+----------------+----------+ | username | groupname | priority | +------------+----------------+----------+ | mbowe-test | dialup-freedom | 1 | +------------+----------------+----------+
mysql> select * from radgroupcheck where groupname = 'dialup-freedom'; +----+----------------+------------------+----+----------------------------- + | id | groupname | attribute | op | value | +----+----------------+------------------+----+----------------------------- + | 3 | dialup-freedom | NAS-IP-Address | !~ | ^111.222.333.(1|2|3|4|5|6)$ | | 4 | dialup-freedom | Simultaneous-Use | := | 1 | +----+----------------+------------------+----+----------------------------- +
mysql> select * from radgroupreply where groupname = 'dialup-freedom'; +----+----------------+--------------------+----+---------------------+ | id | groupname | attribute | op | value | +----+----------------+--------------------+----+---------------------+ | 9 | dialup-freedom | Service-Type | := | Framed-User | | 10 | dialup-freedom | Framed-Protocol | := | PPP | | 11 | dialup-freedom | Framed-IP-Address | = | 255.255.255.254 | | 12 | dialup-freedom | Framed-IP-Netmask | := | 255.255.255.255 | | 13 | dialup-freedom | Framed-Compression | := | Van-Jacobson-TCP-IP | | 14 | dialup-freedom | Idle-Timeout | := | 1800 | | 15 | dialup-freedom | Session-Timeout | := | 14400 | | 16 | dialup-freedom | Port-Limit | := | 1 | +----+----------------+--------------------+----+---------------------+
Under the older freeradius, if the mbowe-test user tried to connect to a NAS with IP 111.222.333.1|2|3|4|5|6 then their access would be rejected.
However under the newer freeradius, the user can now get online OK. (The group doesn't match so the 'dialup-freedom' attributes are not returned)
In my sql.conf I have read_groups = yes
I tried installing the freeradius 2.1.7 from source, and it gives the same result as the 2.0.4 from packages (user can get online).
Am I doing something wrong?
No. That is the correct behaviour. Groups emulate DEFAULT entries in users file. If check doesn't match reply is ignored but user is not rejected. If you want to reject the user not matching NAS-IP-Address for this group you need to add: if(SQL-Group == "dialup-freedom") { if(NAS-IP-Address !~ "^111.222.333.(1|2|3|4|5|6)$") { ok } else { reject } } Ivan Kalik Kalik Informatika ISP
participants (2)
-
Ivan Kalik -
Michael Bowe