Re: HuntGroup check in radgroupcheck
Post the debug output, as suggested in the FAQ, "man" page, web pages, and daily on this list.
I posted the freeradius -X output into the linked file... Aren't you referring to that?
Given the following properties: radcheck: F000001 MD5-Password := somemd5hash radusergroup F000001 HuntGroup01 radgroupcheck F000001 Huntgroup-Name =~ nas04|nas05
the user is always authenticated, even if the connection comes from a nas which is not nas04 or nas05.
I think you're confused about huntgroups. NASes are placed into huntgroups via the "huntgroups" file. Not SQL. When you check group membership, you check for the huntgroup name, not the NAS name.
According to [1] huntgroups can be checked via SQL as well...
From the debug output i posted here [2] you can see the huntgroup is correctly identified from SQL...
[1] http://wiki.freeradius.org/guide/SQL_Huntgroup_HOWTO [2] https://dl.dropbox.com/u/706934/check01.gz
You're using Huntgroup-Name to check the *nas* name. It won't work.
I omitted to say that in my radhuntgroup table I defined HG with the same names as nases in the nas table. Can this be a problem? thanks -- Lorenzo Milesi - lorenzo.milesi@yetopen.it GPG/PGP Key-Id: 0xE704E230 - http://keyserver.linux.it
Lorenzo Milesi wrote:
Post the debug output, as suggested in the FAQ, "man" page, web pages, and daily on this list.
I posted the freeradius -X output into the linked file... Aren't you referring to that?
The debug output should be posted here. There's no reason put a zipped version on a separate web site.
According to [1] huntgroups can be checked via SQL as well... From the debug output i posted here [2] you can see the huntgroup is correctly identified from SQL...
That works, too.
Please post the relevant bits here. If you make it hard for me to help you, I'll just ignore your messages.
I omitted to say that in my radhuntgroup table I defined HG with the same names as nases in the nas table. Can this be a problem?
No. It helps to state *accurately* what you're doing. Alan DeKok.
The debug output should be posted here. There's no reason put a zipped version on a separate web site.
I just wanted to write a more "clean" email. Here it is... Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 50056, id=46, length=66 User-Name = "F0000001" User-Password = "002784226600" NAS-IP-Address = 109.70.200.xxx NAS-Port = 0 Framed-Protocol = PPP # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok sql_xlat expand: %{User-Name} -> F0000001 sql_set_user escaped user --> 'F0000001' expand: SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}' -> SELECT groupname FROM radhuntgroup WHERE nasipaddress='109.70.200.xxx' rlm_sql (sql): Reserving sql socket id: 3 sql_xlat finished rlm_sql (sql): Released sql socket id: 3 expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} -> nas04 ++[request] returns ok ++? if (Huntgroup-Name == '') ? Evaluating (Huntgroup-Name == '') -> FALSE ++? if (Huntgroup-Name == '') -> FALSE ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "F0000001", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok [sql] expand: %{User-Name} -> F0000001 [sql] sql_set_user escaped user --> 'F0000001' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'F0000001' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'F0000001' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'F0000001' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' OR groupname = '%{Huntgroup-Name}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'huntgroup01' OR groupname = 'nas04' ORDER BY id [sql] expand: %{Huntgroup-Name} -> nas04 rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing MD5-Password from hex encoding ++[pap] returns updated rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[noresetcounter] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[dailycounter] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[monthlycounter] returns noop Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "002784226600" [pap] Using MD5 encryption. [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} [sql] expand: %{User-Name} -> F0000001 [sql] sql_set_user escaped user --> 'F0000001' [sql] expand: %{User-Password} -> 002784226600 [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'F0000001', '002784226600', 'Access-Accept', '2013-02-21 17:14:56') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'F0000001', '002784226600', 'Access-Accept', '2013-02-21 17:14:56') rlm_sql (sql): Reserving sql socket id: 1 rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 46 to 127.0.0.1 port 50056 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP Finished request 0. Going to the next request Waking up in 4.9 seconds. -- Lorenzo Milesi - lorenzo.milesi@yetopen.it GPG/PGP Key-Id: 0xE704E230 - http://keyserver.linux.it
Summarizing: Nas: 4 109.70.200.x yop101 other NULL SECRET NULL NULL YetOpen NAS 01 TEST 5 109.69.131.x ufficyo01 other NULL SECRET NULL NULL RADIUS Client 6 1.2.3.4 hg01 other NULL yetopen-radsecret NULL NULL RADIUS Client 7 1.2.3.5 hg02 other NULL yetopen-radsecret NULL NULL RADIUS Client RadHuntgroup: 1 ufficyohg 109.69.131.x NULL 2 maxxerhg 109.70.200.x NULL 3 hg01 1.2.3.4 NULL 4 hg02 1.2.3.5 NULL Radgroupcheck: 10 federazione Huntgroup-Name =~ ufficyohg|maxxerhg 11 federazione2 Huntgroup-Name =~ hg02|hg01 Radusergroup: 34 F0073404 federazione2 10 full debug of a test login from 1.2.3.5 and a second from 109.70.200.x, they are both accepted :( FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 11 2012 at 17:06:46 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/sql.conf including configuration file /etc/freeradius/sql/mysql/dialup.conf including configuration file /etc/freeradius/sql/mysql/counter.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "yetopen-radsecret" shortname = "localhost" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = no } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_always Module: Instantiating module "reject" from file /etc/freeradius/modules/always always reject { rcode = "reject" simulcount = 0 mpp = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Linked to module rlm_sql Module: Instantiating module "sql" from file /etc/freeradius/sql.conf sql { driver = "rlm_sql_mysql" server = "localhost" port = "" login = "radius" password = "password" radius_db = "radius" read_groups = yes sqltrace = no sqltracefile = "/var/log/freeradius/sqltrace.sql" readclients = yes deletestalesessions = yes num_sql_socks = 5 lifetime = 0 max_queries = 0 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' # OR groupname = '%{Huntgroup-Name}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' # OR groupname = '%{Huntgroup-Name}' ORDER BY id" accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" connect_failure_retry_delay = 60 simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to radius@localhost:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): Read entry nasname=109.70.200.x,shortname=yop101,secret=yetopen-radsecret rlm_sql (sql): Adding client 109.70.200.x (yop101, server=<none>) to clients list rlm_sql (sql): Read entry nasname=109.69.131.x,shortname=ufficyo01,secret=yetopen-radsecret rlm_sql (sql): Adding client 109.69.131.x (ufficyo01, server=<none>) to clients list rlm_sql (sql): Read entry nasname=1.2.3.4,shortname=hg01,secret=yetopen-radsecret rlm_sql (sql): Adding client 1.2.3.4 (hg01, server=<none>) to clients list rlm_sql (sql): Read entry nasname=1.2.3.5,shortname=hg02,secret=yetopen-radsecret rlm_sql (sql): Adding client 1.2.3.5 (hg02, server=<none>) to clients list rlm_sql (sql): Released sql socket id: 4 Module: Linked to module rlm_sqlcounter Module: Instantiating module "noresetcounter" from file /etc/freeradius/sql/mysql/counter.conf sqlcounter noresetcounter { counter-name = "Max-All-Session-Time" check-name = "Max-All-Session" key = "User-Name" sqlmod-inst = "sql" query = "SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{%k}'" reset = "never" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sqlcounter: Reply attribute set to Session-Timeout. rlm_sqlcounter: Counter attribute Max-All-Session-Time is number 11273 rlm_sqlcounter: Check attribute Max-All-Session is number 11274 rlm_sqlcounter: Current Time: 1361869554 [2013-02-26 10:05:54], Next reset 0 [2013-02-26 10:00:00] rlm_sqlcounter: Current Time: 1361869554 [2013-02-26 10:05:54], Prev reset 0 [2013-02-26 10:00:00] Module: Instantiating module "dailycounter" from file /etc/freeradius/sql/mysql/counter.conf sqlcounter dailycounter { counter-name = "Daily-Session-Time" check-name = "Max-Daily-Session" reply-name = "Session-Timeout" key = "User-Name" sqlmod-inst = "sql" query = "SELECT SUM(acctsessiontime - GREATEST((%b - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = '%{%k}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'" reset = "daily" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sqlcounter: Reply attribute Session-Timeout is number 27 rlm_sqlcounter: Counter attribute Daily-Session-Time is number 11275 rlm_sqlcounter: Check attribute Max-Daily-Session is number 11276 rlm_sqlcounter: Current Time: 1361869554 [2013-02-26 10:05:54], Next reset 1361919600 [2013-02-27 00:00:00] rlm_sqlcounter: Current Time: 1361869554 [2013-02-26 10:05:54], Prev reset 1361833200 [2013-02-26 00:00:00] Module: Instantiating module "monthlycounter" from file /etc/freeradius/sql/mysql/counter.conf sqlcounter monthlycounter { counter-name = "Monthly-Session-Time" check-name = "Max-Monthly-Session" reply-name = "Session-Timeout" key = "User-Name" sqlmod-inst = "sql" query = "SELECT SUM(acctsessiontime - GREATEST((%b - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username='%{%k}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'" reset = "monthly" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sqlcounter: Reply attribute Session-Timeout is number 27 rlm_sqlcounter: Counter attribute Monthly-Session-Time is number 11277 rlm_sqlcounter: Check attribute Max-Monthly-Session is number 11278 rlm_sqlcounter: Current Time: 1361869554 [2013-02-26 10:05:54], Next reset 1362092400 [2013-03-01 00:00:00] rlm_sqlcounter: Current Time: 1361869554 [2013-02-26 10:05:54], Prev reset 1359673200 [2013-02-01 00:00:00] Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 37591, id=81, length=66 User-Name = "F0073404" User-Password = "002784226600" NAS-IP-Address = 1.2.3.5 NAS-Port = 0 Framed-Protocol = PPP # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok sql_xlat expand: %{User-Name} -> F0073404 sql_set_user escaped user --> 'F0073404' expand: SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}' -> SELECT groupname FROM radhuntgroup WHERE nasipaddress='1.2.3.5' rlm_sql (sql): Reserving sql socket id: 3 sql_xlat finished rlm_sql (sql): Released sql socket id: 3 expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} -> hg02 ++[request] returns ok ++? if (Huntgroup-Name == '') ? Evaluating (Huntgroup-Name == '') -> FALSE ++? if (Huntgroup-Name == '') -> FALSE ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "F0073404", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok [sql] expand: %{User-Name} -> F0073404 [sql] sql_set_user escaped user --> 'F0073404' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'F0073404' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'F0073404' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'F0073404' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' # OR groupname = '%{Huntgroup-Name}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'federazione2' # OR groupname = 'hg02' ORDER BY id [sql] expand: %{Huntgroup-Name} -> hg02 [sql] User found in group federazione2 [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' # OR groupname = '%{Huntgroup-Name}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'federazione2' # OR groupname = 'hg02' ORDER BY id rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing MD5-Password from hex encoding ++[pap] returns updated rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[noresetcounter] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[dailycounter] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[monthlycounter] returns noop Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "002784226600" [pap] Using MD5 encryption. [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} [sql] expand: %{User-Name} -> F0073404 [sql] sql_set_user escaped user --> 'F0073404' [sql] expand: %{User-Password} -> 002784226600 [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'F0073404', '002784226600', 'Access-Accept', '2013-02-26 10:06:18') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'F0073404', '002784226600', 'Access-Accept', '2013-02-26 10:06:18') rlm_sql (sql): Reserving sql socket id: 1 rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 81 to 127.0.0.1 port 37591 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 81 with timestamp +24 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 42133, id=131, length=66 User-Name = "F0073404" User-Password = "002784226600" NAS-IP-Address = 109.70.200.x NAS-Port = 0 Framed-Protocol = PPP # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok sql_xlat expand: %{User-Name} -> F0073404 sql_set_user escaped user --> 'F0073404' expand: SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}' -> SELECT groupname FROM radhuntgroup WHERE nasipaddress='109.70.200.x' rlm_sql (sql): Reserving sql socket id: 0 sql_xlat finished rlm_sql (sql): Released sql socket id: 0 expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} -> maxxerhg ++[request] returns ok ++? if (Huntgroup-Name == '') ? Evaluating (Huntgroup-Name == '') -> FALSE ++? if (Huntgroup-Name == '') -> FALSE ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "F0073404", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok [sql] expand: %{User-Name} -> F0073404 [sql] sql_set_user escaped user --> 'F0073404' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'F0073404' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'F0073404' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'F0073404' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' # OR groupname = '%{Huntgroup-Name}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'federazione2' # OR groupname = 'maxxerhg' ORDER BY id [sql] expand: %{Huntgroup-Name} -> maxxerhg rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing MD5-Password from hex encoding ++[pap] returns updated rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[noresetcounter] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[dailycounter] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[monthlycounter] returns noop Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "002784226600" [pap] Using MD5 encryption. [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} [sql] expand: %{User-Name} -> F0073404 [sql] sql_set_user escaped user --> 'F0073404' [sql] expand: %{User-Password} -> 002784226600 [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'F0073404', '002784226600', 'Access-Accept', '2013-02-26 10:10:32') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'F0073404', '002784226600', 'Access-Accept', '2013-02-26 10:10:32') rlm_sql (sql): Reserving sql socket id: 3 rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 131 to 127.0.0.1 port 42133 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP Finished request 1. Going to the next request Waking up in 4.9 seconds. -- Lorenzo Milesi - lorenzo.milesi@yetopen.it YetOpen S.r.l. - http://www.yetopen.it/
participants (2)
-
Alan DeKok -
Lorenzo Milesi