radgroupcheck v1.x and v2.x difference ?
upgraded freeradius from 1.x to 2.x version and some parts of radgroupcheck are now refusing to work as they did in first version. 1. i have user 'evdo@evdo.lattelecom' in usergroup it has 'LTK' group. 2. in radgroupcheck group 'LTK' has been given the attribute 'Calling-Station-Id' so the look is LTK|Calling-Station-Id|=~|14703371 The meaning of this(how i understend it) is that if calling-station-id in radgroupcheck differs from incoming calling-station-id it would give reject. But it doesnt. How can i limit one pool of Calling-Station-Ids from using different logins ? ------------------ Debug of how entered wrong calling-station-id(LTK|Calling-Station-Id|=~|14703371) to radgroupcheck, and it still returned ok --- rad_recv: Access-Request packet from host 192.168.145.1 port 1812, id=74, length=180 3GPP2-Correlation-Id = "36267509" 3GPP2-Service-Option = 59 User-Name = "evdo@evdo.lattelecom" CHAP-Challenge = 0x66853bea6d3cb9565a0fcdfcf212ac37 CHAP-Password = 0x01c9f14ad379679686d83e343590d84910 NAS-Port-Type = Virtual Calling-Station-Id = "247033715800852" Service-Type = Framed-User Framed-Protocol = PPP NAS-IP-Address = 192.168.145.1 Framed-IP-Address = 0.0.0.0 Framed-IP-Netmask = 0.0.0.0 Event-Timestamp = "Jan 19 2009 10:12:58 EET" 3GPP2-Prepaid-acct-Capability = 0x010600000003 +- entering group authorize {...} [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop [suffix] Looking up realm "evdo.lattelecom" for User-Name = "evdo@evdo.lattelecom" [suffix] No such realm "evdo.lattelecom" ++[suffix] returns noop [sql] expand: %{User-Name} -> evdo@evdo.lattelecom [sql] sql_set_user escaped user --> 'evdo@evdo.lattelecom' rlm_sql (sql): Reserving sql socket id: 18 [sql] expand: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'evdo@evdo.lattelecom' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' union SELECT id, UserName, Attribute, Value, op FROM station_id WHERE Username = '%{Calling-Station-Id}' ORDER BY id -> SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'evdo@evdo.lattelecom' union SELECT id, UserName, Attribute, Value, op FROM station_id WHERE Username = '247033715800852' ORDER BY id [sql] expand: SELECT GroupName FROM usergroup WHERE UserName = '%{SQL-User-Name}' ORDER BY id -> SELECT GroupName FROM usergroup WHERE UserName = 'evdo@evdo.lattelecom' ORDER BY id [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'LTK' ORDER BY id [sql] expand: %{Calling-Station-Id} -> 247033715800852 [sql] User found in group LTK [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'LTK' ORDER BY id rlm_sql (sql): Released sql socket id: 18 ++[sql] returns ok [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = CHAP ---------------------- queries are: -------------- nas_query = "SELECT id,nasname,shortname,type,secret FROM nas" authorize_check_query = "SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' union SELECT id, UserName, Attribute, Value, op FROM station_id WHERE Username = '%{Calling-Station-Id}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id" accounting_onoff_query = "" accounting_update_query = "" accounting_update_query_alt = "" accounting_start_query = "" accounting_start_query_alt = "" accounting_stop_query = "" accounting_stop_query_alt = "" group_membership_query = "SELECT GroupName FROM usergroup WHERE UserName = '%{SQL-User-Name}' ORDER BY id" -- View this message in context: http://www.nabble.com/radgroupcheck-v1.x-and-v2.x-difference---tp21538835p21... Sent from the FreeRadius - User mailing list archive at Nabble.com.
lamersons wrote:
upgraded freeradius from 1.x to 2.x version and some parts of radgroupcheck are now refusing to work as they did in first version.
Read doc/rlm_sql for a detailed explanation as to how the queries work in 2.x.
1. i have user 'evdo@evdo.lattelecom' in usergroup it has 'LTK' group. 2. in radgroupcheck group 'LTK' has been given the attribute 'Calling-Station-Id' so the look is LTK|Calling-Station-Id|=~|14703371
The meaning of this(how i understend it) is that if calling-station-id in radgroupcheck differs from incoming calling-station-id it would give reject.
No. It means that the check would not match. It is up to you to tell the server to reject the user if it doesn't match.
But it doesnt. How can i limit one pool of Calling-Station-Ids from using different logins ?
I don't know what that means. Alan DeKok.
Ok ill try to explain. I have some clients, they all have different calling-station-ids, like phone numbers. a. 24703137.. b. 24703237.. c. 24703337.. and i have different usernames that clients use to login to network a. triatel@triatel.lv b. evdo@evdo.lattelecom c. triatel@evdo.triatel.lv i need to make clients with calling-station-id(a.) could use only username(a.), but if client(a.) tryes to use username(b.) it would get rejected. Is it more clear or you need some additional info ? aland wrote:
lamersons wrote:
upgraded freeradius from 1.x to 2.x version and some parts of radgroupcheck are now refusing to work as they did in first version.
Read doc/rlm_sql for a detailed explanation as to how the queries work in 2.x.
1. i have user 'evdo@evdo.lattelecom' in usergroup it has 'LTK' group. 2. in radgroupcheck group 'LTK' has been given the attribute 'Calling-Station-Id' so the look is LTK|Calling-Station-Id|=~|14703371
The meaning of this(how i understend it) is that if calling-station-id in radgroupcheck differs from incoming calling-station-id it would give reject.
No. It means that the check would not match. It is up to you to tell the server to reject the user if it doesn't match.
But it doesnt. How can i limit one pool of Calling-Station-Ids from using different logins ?
I don't know what that means.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/radgroupcheck-v1.x-and-v2.x-difference---tp21538835p21... Sent from the FreeRadius - User mailing list archive at Nabble.com.
lamersons wrote:
Ok ill try to explain. I have some clients, they all have different calling-station-ids, like phone numbers. a. 24703137.. b. 24703237.. c. 24703337..
and i have different usernames that clients use to login to network a. triatel@triatel.lv b. evdo@evdo.lattelecom c. triatel@evdo.triatel.lv
i need to make clients with calling-station-id(a.) could use only username(a.), but if client(a.) tryes to use username(b.) it would get rejected.
So configure an SQL table to contain that information, and write an SQL query: table: user name (key) | calling-station-id configuration, "authorize" sub-section: ... update control { Tmp-String-0 = "{%sql: SELECT ... from ... where username = '%{USer-Name}'" } if ((Tmp-String-0 != "") && (Calling-Station-Id != "%{Tmp-String-0}")) { reject } ... i.e. if they don't match... reject. This is what you want. Trying to use huntgroup functionality is not necessary. Alan DeKok.
participants (2)
-
Alan DeKok -
lamersons