using huntgroups to restrict users in particular groups
Hi, I'm new to FreeRadius. I've built a test server with freeradius 3.0.13, mariadb 10.1.45, and daloradius 1.1-3 beta on CentOS 7. We are just starting into radius authentication. We just want it for logging into routers and switches for administration work. What I need is to define multiple groups of devices - in huntgroups. And multiple groups of users. There may be a base group of users that should be allowed to any huntgroup. But mostly, one user group is to be specific to one hunt group. I'm following the how-to for SQL-Huntgroups. https://wiki.freeradius.org/guide/SQL-Huntgroup-HOWTO MariaDB [radius]> select * from radhuntgroup; +----+-----------------+----------------------+--------------+ | id | groupname | nasipaddress | nasportid | +----+----------------+-----------------------+--------------+ | 1 | group1 | 10.161.161.0/24 | 0 | | 2 | group2 | 10.139.63.0/24 | 0 | +----+---------------+------------------------+-------------+ MariaDB [radius]> select * from radusergroup; +---------------+-----------------+-----------+ | username | groupname | priority | +---------------+-----------------+-----------+ | paul | usergroup1 | 0 | | ptr | usergroup2 | 0 | +---------------+-----------------+-----------+ MariaDB [radius]> select * from radgroupcheck; +----+--------------------------------------+-------------------+-----+-----------+ | id | groupname | attribute | op | value | +----+--------------------------------------+-------------------+-----+-----------+ | 1 | daloRADIUS-Disabled-Users | Auth-Type | := | Reject | | 2 | daloRADIUS-Disabled-Users | Auth-Type | := | Reject | | 3 | usergroup1 | Huntgroup-Name | == | group1 | | 4 | usergroup2 | Huntgroup-Name | == | group2 | +----+--------------------------------------+-------------------+-----+-----------+ However, both users can connect to either huntgroup. I must be missing something here. My impression is that this would be all that's needed. Maybe there is a configuration variable I missed? I also tried the update request to allow users groups/profiles to access a different has but if I edit sites-enables/defaults, I get an error trying to start radius. update request { Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress=='%{NAS-IP-Address}'}" # only allow usergroup1 to group1 if (SQL-Group == "usergroup1") { if (Huntgroup-Name != "group1") { reject } } } /etc/raddb/sites-enabled/default[307]: Entry is not in "attribute = value" format That's simplified but pretty much straight out of the how-to. I'm not stuck on the idea of daloradius or even SQL. But the user space will be managing, and they want a web admin. I could write my own simple one, as all we need to manage is users and huntgroups. Any ideas here? Thanks, Paul. Paul Root Lead Operations Engineer - IT Managed Services 390 Commerce Dr Woodbury, Mn 55125 651-312-5207 paul.root@centurylink.com This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
On May 29, 2020, at 2:53 PM, Root, Paul T via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm new to FreeRadius. I've built a test server with freeradius 3.0.13, mariadb 10.1.45, and daloradius 1.1-3 beta on CentOS 7.
OK.
We are just starting into radius authentication. We just want it for logging into routers and switches for administration work. What I need is to define multiple groups of devices - in huntgroups. And multiple groups of users. There may be a base group of users that should be allowed to any huntgroup. But mostly, one user group is to be specific to one hunt group.
That should be possible.
I'm following the how-to for SQL-Huntgroups. https://wiki.freeradius.org/guide/SQL-Huntgroup-HOWTO
MariaDB [radius]> select * from radhuntgroup; +----+-----------------+----------------------+--------------+ | id | groupname | nasipaddress | nasportid | +----+----------------+-----------------------+--------------+ | 1 | group1 | 10.161.161.0/24 | 0 | | 2 | group2 | 10.139.63.0/24 | 0 | +----+---------------+------------------------+-------------+
Netmasks really won't work there. There's a reason the field is called "IP address".
MariaDB [radius]> select * from radusergroup; +---------------+-----------------+-----------+ | username | groupname | priority | +---------------+-----------------+-----------+ | paul | usergroup1 | 0 | | ptr | usergroup2 | 0 | +---------------+-----------------+-----------+
MariaDB [radius]> select * from radgroupcheck; +----+--------------------------------------+-------------------+-----+-----------+ | id | groupname | attribute | op | value | +----+--------------------------------------+-------------------+-----+-----------+ | 1 | daloRADIUS-Disabled-Users | Auth-Type | := | Reject | | 2 | daloRADIUS-Disabled-Users | Auth-Type | := | Reject | | 3 | usergroup1 | Huntgroup-Name | == | group1 | | 4 | usergroup2 | Huntgroup-Name | == | group2 | +----+--------------------------------------+-------------------+-----+-----------+
See the Wiki for how the SQL module works: https://wiki.freeradius.org/modules/Rlm_sql That configuration just says "match user group 1 if hunt group name is group2". It doesn't *do* anything with that result.
However, both users can connect to either huntgroup.
I must be missing something here. My impression is that this would be all that's needed. Maybe there is a configuration variable I missed?
By default, FreeRADIUS authenticates all valid users, and allows them network access. If you want something else, you have to write those policies. So this isn't just "match group X", it's if user in group X and user is coming from hunt group Y then allow else reject i.e. write your policies as English first. It should then be reasonably simple to convert them to "unlang".
I also tried the update request to allow users groups/profiles to access a different has but if I edit sites-enables/defaults, I get an error trying to start radius.
update request { Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress=='%{NAS-IP-Address}'}"
# only allow usergroup1 to group1 if (SQL-Group == "usergroup1") { if (Huntgroup-Name != "group1") { reject } } }
/etc/raddb/sites-enabled/default[307]: Entry is not in "attribute = value" format
That is the line with the "if" statement.
That's simplified but pretty much straight out of the how-to.
You've edited it to rearrange the braces. The braces are important. The "update" statement just contains "attribute = value". It doesn't contain "if" or any other keyword. Rewrite that and post the debug output. Alan DeKok.
Thanks for the help Alan! I came down to attention to detail and thinking it through. Like you suggested, write in English and convert. Details below. Paul. -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+paul.root=centurylink.com@lists.freeradius.org> On Behalf Of Alan DeKok Sent: Friday, May 29, 2020 4:13 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: using huntgroups to restrict users in particular groups On May 29, 2020, at 2:53 PM, Root, Paul T via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm new to FreeRadius. I've built a test server with freeradius 3.0.13, mariadb 10.1.45, and daloradius 1.1-3 beta on CentOS 7.
OK.
We are just starting into radius authentication. We just want it for logging into routers and switches for administration work. What I need is to define multiple groups of devices - in huntgroups. And multiple groups of users. There may be a base group of users that should be allowed to any huntgroup. But mostly, one user group is to be specific to one hunt group.
That should be possible.
I'm following the how-to for SQL-Huntgroups. https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f...
MariaDB [radius]> select * from radhuntgroup; +----+-----------------+----------------------+--------------+ | id | groupname | nasipaddress | nasportid | +----+----------------+-----------------------+--------------+ | 1 | group1 | 10.161.161.0/24 | 0 | | 2 | group2 | 10.139.63.0/24 | 0 | +----+---------------+------------------------+-------------+
Netmasks really won't work there. There's a reason the field is called "IP address". Yeah I see that now. I was thinking of a 1 to 1 mapping of NAS to groups. MariaDB [radius]> select * from radhuntgroup; +----+-----------+-----------------+-----------+ | id | groupname | nasipaddress | nasportid | +----+-----------+-----------------+-----------+ | 1 | group1 | 10.161.161.0/24 | 0 | | 2 | group2 | 10.139.63.0/24 | 0 | | 3 | group1 | 10.161.169.154 | 0 | | 4 | group2 | 10.139.63.13 | 0 | | 5 | group2 | 127.0.0.1 | 0 | +----+-----------+-----------------+-----------+ 5 rows in set (0.00 sec) Need to clean out the netmask entries. Interestingly, I have my PC with NTRadPing for one test NAS, and then another linux machine for another using radtest . But the linux machine, matches localhost instead of ip address. Must be something to do with radtest
MariaDB [radius]> select * from radusergroup; +---------------+-----------------+-----------+ | username | groupname | priority | +---------------+-----------------+-----------+ | paul | usergroup1 | 0 | | ptr | usergroup2 | 0 | +---------------+-----------------+-----------+
I changed the groupnames to match the huntgroup names. Trying to cheat with a if (SQL-Group == Huntrgroup-Name). That's not allowed. That's fine.
MariaDB [radius]> select * from radgroupcheck; +----+--------------------------------------+-------------------+-----+-----------+ | id | groupname | attribute | op | value | +----+--------------------------------------+-------------------+-----+-----------+ | 1 | daloRADIUS-Disabled-Users | Auth-Type | := | Reject | | 2 | daloRADIUS-Disabled-Users | Auth-Type | := | Reject | | 3 | usergroup1 | Huntgroup-Name | == | group1 | | 4 | usergroup2 | Huntgroup-Name | == | group2 | +----+--------------------------------------+-------------------+-----+-----------+
See the Wiki for how the SQL module works: https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f... That configuration just says "match user group 1 if hunt group name is group2". It doesn't *do* anything with that result.
However, both users can connect to either huntgroup.
I must be missing something here. My impression is that this would be all that's needed. Maybe there is a configuration variable I missed?
By default, FreeRADIUS authenticates all valid users, and allows them network access. If you want something else, you have to write those policies. So this isn't just "match group X", it's if user in group X and user is coming from hunt group Y then allow else reject i.e. write your policies as English first. It should then be reasonably simple to convert them to "unlang".
I also tried the update request to allow users groups/profiles to access a different has but if I edit sites-enables/defaults, I get an error trying to start radius.
update request { Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress=='%{NAS-IP-Address}'}"
# only allow usergroup1 to group1 if (SQL-Group == "usergroup1") { if (Huntgroup-Name != "group1") { reject } } }
/etc/raddb/sites-enabled/default[307]: Entry is not in "attribute = value" format
That is the line with the "if" statement. Found this, read it 50 times and eventually you read what is there instead of what you think is there.
That's simplified but pretty much straight out of the how-to.
You've edited it to rearrange the braces. The braces are important. Yeah, I just read that wrong, I thought the if statements was supposed to be in the update. Just read it wrong. This is the working config: update request { Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}" } # only allow user in group1 to huntgroup group1 if (SQL-Group == "group1" && Huntgroup-Name == "group1") { accept # only allow user in group2 to huntgroup group2 } elsif (SQL-Group == "group2" && Huntgroup-Name == "group2") { accept # Other groups here add as needed # } elsif (SQL-Group == 'groupN" && Huntgroup-Name != "groupN") { # accept } else { reject } The "update" statement just contains "attribute = value". It doesn't contain "if" or any other keyword. Rewrite that and post the debug output. Alan DeKok. Here is success (user in proper group): (4) Received Access-Request Id 30 from 10.161.169.154:58330 to 10.139.63.174:1812 length 45 (4) User-Name = "paul" (4) CHAP-Password = 0x91b8679b702a5682c0d116d266ee8344a5 (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) sql: EXPAND %{User-Name} (4) sql: --> paul (4) sql: SQL-User-Name set to 'paul' rlm_sql (sql): Reserved connection (2) (4) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (4) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'paul' ORDER BY id (4) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'paul' ORDER BY id (4) sql: User found in radcheck table (4) sql: Conditional check items matched, merging assignment check items (4) sql: Cleartext-Password := "anotherPwd" (4) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (4) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'paul' ORDER BY id (4) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'paul' ORDER BY id (4) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (4) sql: --> SELECT groupname FROM radusergroup WHERE username = 'paul' ORDER BY priority (4) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'paul' ORDER BY priority (4) sql: User found in the group table (4) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (4) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'group1' ORDER BY id (4) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'group1' ORDER BY id rlm_sql (sql): Released connection (2) Need 1 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (9), 1 of 23 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.45-MariaDB, protocol version 10 (4) [sql] = ok (4) update request { (4) EXPAND %{User-Name} (4) --> paul (4) SQL-User-Name set to 'paul' rlm_sql (sql): Reserved connection (3) (4) EXPAND /var/log/radius/sqllog.sql (4) --> /var/log/radius/sqllog.sql (4) Executing select query: SELECT groupname FROM radhuntgroup WHERE nasipaddress='10.161.169.154' rlm_sql (sql): Released connection (3) (4) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} (4) --> group1 (4) Huntgroup-Name := group1 (4) } # update request = noop (4) if (SQL-Group == "group1" && Huntgroup-Name == "group1") { (4) sql_groupcmp (4) EXPAND %{User-Name} (4) --> paul (4) SQL-User-Name set to 'paul' rlm_sql (sql): Reserved connection (4) (4) EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (4) --> SELECT groupname FROM radusergroup WHERE username = 'paul' ORDER BY priority (4) Executing select query: SELECT groupname FROM radusergroup WHERE username = 'paul' ORDER BY priority (4) sql_groupcmp finished: User is a member of group group1 rlm_sql (sql): Released connection (4) (4) if (SQL-Group == "group1" && Huntgroup-Name == "group1") -> TRUE (4) if (SQL-Group == "group1" && Huntgroup-Name == "group1") { (4) policy accept { (4) update control { (4) &Response-Packet-Type = Access-Accept (4) } # update control = noop (4) [handled] = handled (4) } # policy accept = handled (4) } # if (SQL-Group == "group1" && Huntgroup-Name == "group1") = handled (4) } # authorize = handled (4) # Executing section post-auth from file /etc/raddb/sites-enabled/default (4) post-auth { (4) update { (4) No attributes updated (4) } # update = noop (4) sql: EXPAND .query (4) sql: --> .query (4) sql: Using query template 'query' rlm_sql (sql): Reserved connection (0) (4) sql: EXPAND %{User-Name} (4) sql: --> paul (4) sql: SQL-User-Name set to 'paul' (4) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (4) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'paul', '0x91b8679b702a5682c0d116d266ee8344a5', 'Access-Accept', '2020-06-01 16:54:24.568323') (4) sql: EXPAND /var/log/radius/sqllog.sql (4) sql: --> /var/log/radius/sqllog.sql (4) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'paul', '0x91b8679b702a5682c0d116d266ee8344a5', 'Access-Accept', '2020-06-01 16:54:24.568323') (4) sql: SQL query returned: success (4) sql: 1 record(s) updated rlm_sql (sql): Released connection (0) (4) [sql] = ok (4) [exec] = noop (4) policy remove_reply_message_if_eap { (4) if (&reply:EAP-Message && &reply:Reply-Message) { (4) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (4) else { (4) [noop] = noop (4) } # else = noop (4) } # policy remove_reply_message_if_eap = noop (4) } # post-auth = ok (4) Sent Access-Accept Id 30 from 10.139.63.174:1812 to 10.161.169.154:58330 length 0 (4) Finished request And failure (user not in proper group): (4) Received Access-Request Id 30 from 10.161.169.154:58330 to 10.139.63.174:1812 length 45 (4) User-Name = "paul" (4) CHAP-Password = 0x91b8679b702a5682c0d116d266ee8344a5 (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) sql: EXPAND %{User-Name} (4) sql: --> paul (4) sql: SQL-User-Name set to 'paul' rlm_sql (sql): Reserved connection (2) (4) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (4) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'paul' ORDER BY id (4) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'paul' ORDER BY id (4) sql: User found in radcheck table (4) sql: Conditional check items matched, merging assignment check items (4) sql: Cleartext-Password := "anotherPwd" (4) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (4) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'paul' ORDER BY id (4) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'paul' ORDER BY id (4) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (4) sql: --> SELECT groupname FROM radusergroup WHERE username = 'paul' ORDER BY priority (4) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'paul' ORDER BY priority (4) sql: User found in the group table (4) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (4) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'group1' ORDER BY id (4) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'group1' ORDER BY id rlm_sql (sql): Released connection (2) Need 1 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (9), 1 of 23 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.45-MariaDB, protocol version 10 (4) [sql] = ok (4) update request { (4) EXPAND %{User-Name} (4) --> paul (4) SQL-User-Name set to 'paul' rlm_sql (sql): Reserved connection (3) (4) EXPAND /var/log/radius/sqllog.sql (4) --> /var/log/radius/sqllog.sql (4) Executing select query: SELECT groupname FROM radhuntgroup WHERE nasipaddress='10.161.169.154' rlm_sql (sql): Released connection (3) (4) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} (4) --> group1 (4) Huntgroup-Name := group1 (4) } # update request = noop (4) if (SQL-Group == "group1" && Huntgroup-Name == "group1") { (4) sql_groupcmp (4) EXPAND %{User-Name} (4) --> paul (4) SQL-User-Name set to 'paul' rlm_sql (sql): Reserved connection (4) (4) EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (4) --> SELECT groupname FROM radusergroup WHERE username = 'paul' ORDER BY priority (4) Executing select query: SELECT groupname FROM radusergroup WHERE username = 'paul' ORDER BY priority (4) sql_groupcmp finished: User is a member of group group1 rlm_sql (sql): Released connection (4) (4) if (SQL-Group == "group1" && Huntgroup-Name == "group1") -> TRUE (4) if (SQL-Group == "group1" && Huntgroup-Name == "group1") { (4) policy accept { (4) update control { (4) &Response-Packet-Type = Access-Accept (4) } # update control = noop (4) [handled] = handled (4) } # policy accept = handled (4) } # if (SQL-Group == "group1" && Huntgroup-Name == "group1") = handled (4) } # authorize = handled (4) # Executing section post-auth from file /etc/raddb/sites-enabled/default (4) post-auth { (4) update { (4) No attributes updated (4) } # update = noop (4) sql: EXPAND .query (4) sql: --> .query (4) sql: Using query template 'query' rlm_sql (sql): Reserved connection (0) (4) sql: EXPAND %{User-Name} (4) sql: --> paul (4) sql: SQL-User-Name set to 'paul' (4) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (4) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'paul', '0x91b8679b702a5682c0d116d266ee8344a5', 'Access-Accept', '2020-06-01 16:54:24.568323') (4) sql: EXPAND /var/log/radius/sqllog.sql (4) sql: --> /var/log/radius/sqllog.sql (4) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'paul', '0x91b8679b702a5682c0d116d266ee8344a5', 'Access-Accept', '2020-06-01 16:54:24.568323') (4) sql: SQL query returned: success (4) sql: 1 record(s) updated rlm_sql (sql): Released connection (0) (4) [sql] = ok (4) [exec] = noop (4) policy remove_reply_message_if_eap { (4) if (&reply:EAP-Message && &reply:Reply-Message) { (4) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (4) else { (4) [noop] = noop (4) } # else = noop (4) } # policy remove_reply_message_if_eap = noop (4) } # post-auth = ok (4) Sent Access-Accept Id 30 from 10.139.63.174:1812 to 10.161.169.154:58330 length 0 (4) Finished request Waking up in 4.9 seconds. (4) Cleaning up request packet ID 30 with timestamp +29 Ready to process requests (5) Received Access-Request Id 31 from 10.161.169.154:49856 to 10.139.63.174:1812 length 44 (5) User-Name = "ptr" (5) CHAP-Password = 0xeead451ce5929e48c7e757ecf3322248fb (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) sql: EXPAND %{User-Name} (5) sql: --> ptr (5) sql: SQL-User-Name set to 'ptr' rlm_sql (sql): Closing connection (7): Hit idle_timeout, was idle for 61 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (8): Hit idle_timeout, was idle for 61 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 61 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 61 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (6): Hit idle_timeout, was idle for 61 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Reserved connection (2) (5) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (5) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'ptr' ORDER BY id (5) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'ptr' ORDER BY id (5) sql: User found in radcheck table (5) sql: Conditional check items matched, merging assignment check items (5) sql: Cleartext-Password := "Strongpassword" (5) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (5) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'ptr' ORDER BY id (5) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'ptr' ORDER BY id (5) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (5) sql: --> SELECT groupname FROM radusergroup WHERE username = 'ptr' ORDER BY priority (5) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'ptr' ORDER BY priority (5) sql: User found in the group table (5) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (5) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'group2' ORDER BY id (5) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'group2' ORDER BY id rlm_sql (sql): Released connection (2) Need 5 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (10), 1 of 27 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.45-MariaDB, protocol version 10 (5) [sql] = ok (5) update request { (5) EXPAND %{User-Name} (5) --> ptr (5) SQL-User-Name set to 'ptr' rlm_sql (sql): Reserved connection (9) (5) EXPAND /var/log/radius/sqllog.sql (5) --> /var/log/radius/sqllog.sql (5) Executing select query: SELECT groupname FROM radhuntgroup WHERE nasipaddress='10.161.169.154' rlm_sql (sql): Released connection (9) (5) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} (5) --> group1 (5) Huntgroup-Name := group1 (5) } # update request = noop (5) if (SQL-Group == "group1" && Huntgroup-Name == "group1") { (5) sql_groupcmp (5) EXPAND %{User-Name} (5) --> ptr (5) SQL-User-Name set to 'ptr' rlm_sql (sql): Reserved connection (3) (5) EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (5) --> SELECT groupname FROM radusergroup WHERE username = 'ptr' ORDER BY priority (5) Executing select query: SELECT groupname FROM radusergroup WHERE username = 'ptr' ORDER BY priority rlm_sql (sql): Released connection (3) (5) sql_groupcmp finished: User is NOT a member of group group1 (5) if (SQL-Group == "group1" && Huntgroup-Name == "group1") -> FALSE (5) elsif (SQL-Group == "group2" && Huntgroup-Name == "group2") { (5) sql_groupcmp (5) EXPAND %{User-Name} (5) --> ptr (5) SQL-User-Name set to 'ptr' rlm_sql (sql): Reserved connection (4) (5) EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (5) --> SELECT groupname FROM radusergroup WHERE username = 'ptr' ORDER BY priority (5) Executing select query: SELECT groupname FROM radusergroup WHERE username = 'ptr' ORDER BY priority (5) sql_groupcmp finished: User is a member of group group2 rlm_sql (sql): Released connection (4) (5) elsif (SQL-Group == "group2" && Huntgroup-Name == "group2") -> FALSE (5) else { (5) [reject] = reject (5) } # else = reject (5) } # authorize = reject (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/raddb/sites-enabled/default (5) Post-Auth-Type REJECT { (5) sql: EXPAND .query (5) sql: --> .query (5) sql: Using query template 'query' rlm_sql (sql): Reserved connection (0) (5) sql: EXPAND %{User-Name} (5) sql: --> ptr (5) sql: SQL-User-Name set to 'ptr' (5) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (5) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'ptr', '0xeead451ce5929e48c7e757ecf3322248fb', 'Access-Reject', '2020-06-01 16:55:18.676906') (5) sql: EXPAND /var/log/radius/sqllog.sql (5) sql: --> /var/log/radius/sqllog.sql (5) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'ptr', '0xeead451ce5929e48c7e757ecf3322248fb', 'Access-Reject', '2020-06-01 16:55:18.676906') (5) sql: SQL query returned: success (5) sql: 1 record(s) updated rlm_sql (sql): Released connection (0) (5) [sql] = ok (5) attr_filter.access_reject: EXPAND %{User-Name} (5) attr_filter.access_reject: --> ptr (5) attr_filter.access_reject: Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) [eap] = noop (5) policy remove_reply_message_if_eap { (5) if (&reply:EAP-Message && &reply:Reply-Message) { (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (5) else { (5) [noop] = noop (5) } # else = noop (5) } # policy remove_reply_message_if_eap = noop (5) } # Post-Auth-Type REJECT = updated (5) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (5) Sending delayed response (5) Sent Access-Reject Id 31 from 10.139.63.174:1812 to 10.161.169.154:49856 length 20 - List info/subscribe/unsubscribe? See https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=http%3a%2f%... This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
participants (2)
-
Alan DeKok -
Root, Paul T