Huntgroups and SQL not being enforced
Hello. I need some help to debug my configuration of Huntgroups in SQL and why they are not being enforced. Probably missing something obvious here. I´ve been staring myself blind with this problem. User gets Access-Accept although NAS-IP-Address is not a match. Here is the setup: Freeradius 2.1.6, MySQL. Tables in MySQL: RADCHECK mysql> select * from radcheck; +----+--------------+--------------------+----+----------+ | id | username | attribute | op | value | +----+--------------+--------------------+----+----------+ | 33 | testuser | Cleartext-Password | := | testuser | +----+--------------+--------------------+----+----------+ USERGROUP: mysql> select * from usergroup; +--------------+-----------+----------+ | UserName | GroupName | priority | +--------------+-----------+----------+ | testuser | VPN-AUTH | 0 | +--------------+-----------+----------+ RADGROUPCHECK: mysql> select * from radgroupcheck; +----+-----------+----------------+----+-------------+ | id | groupname | attribute | op | value | +----+-----------+----------------+----+-------------+ | 8 | VPN-AUTH | Huntgroup-Name | == | VPN-Service | +----+-----------+----------------+----+-------------+ RADHUNTGROUP: mysql> select * from radhuntgroup; +----+-------------+--------------+-----------+ | id | groupname | nasipaddress | nasportid | +----+-------------+--------------+-----------+ | 6 | VPN-Service | 10.10.10.10 | NULL | +----+-------------+--------------+-----------+ sites-enabled/default: authorize # SQL query huntgroups update request { Huntgroup-Name := "%{sql:select groupname from radhuntgroup where nasipaddress=\"%{NAS-IP-Address}\"}" } Debug with correct NAS-IP-Address: rad_recv: Access-Request packet from host x.x.x.x port 1812, id=20, length=54 User-Name = "testuser" User-Password = "testuser" NAS-IP-Address = 10.10.10.10 +- entering group authorize {...} ++[preprocess] returns ok sql_xlat expand: %{User-Name} -> testuser sql_set_user escaped user --> 'testuser' expand: select groupname from radhuntgroup where nasipaddress="%{NAS-IP-Address}" -> select groupname from radhuntgroup where nasipaddress="10.10.10.10" rlm_sql (sql): Reserving sql socket id: 3 sql_xlat finished rlm_sql (sql): Released sql socket id: 3 expand: %{sql:select groupname from radhuntgroup where nasipaddress="%{NAS-IP-Address}"} -> VPN-Service ++[request] returns ok sql_xlat expand: %{User-Name} -> testuser sql_set_user escaped user --> 'testuser' expand: select authserver from authmethod where username ="%{User-Name}" -> select authserver from authmethod where username ="testuser" rlm_sql (sql): Reserving sql socket id: 2 sql_xlat finished rlm_sql (sql): Released sql socket id: 2 expand: %{sql:select authserver from authmethod where username ="%{User-Name}"} -> LOCAL ++[control] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop [sql] expand: %{User-Name} -> testuser [sql] sql_set_user escaped user --> 'testuser' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser' ORDER BY id [sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = 'testuser' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'VPN-AUTH' ORDER BY id [sql] User found in group VPN-AUTH [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'VPN-AUTH' ORDER BY id rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "testuser" [pap] Using clear text password "testuser" [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} [sql] expand: %{User-Name} -> testuser [sql] sql_set_user escaped user --> 'testuser' [sql] expand: %{User-Password} -> testuser [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser', 'testuser', 'Access-Accept', '2009-08-17 16:15:17') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser', 'testuser', 'Access-Accept', '2009-08-17 16:15:17') rlm_sql (sql): Reserving sql socket id: 0 rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 20 to x.x.x.x port 1812 Finished request 0. Debug from Wrong NAS-IP-Address: rad_recv: Access-Request packet from host x.x.x.x port 1812, id=26, length=54 User-Name = "testuser" User-Password = "testuser" NAS-IP-Address = 10.10.10.11 +- entering group authorize {...} ++[preprocess] returns ok sql_xlat expand: %{User-Name} -> testuser sql_set_user escaped user --> 'testuser' expand: select groupname from radhuntgroup where nasipaddress="%{NAS-IP-Address}" -> select groupname from radhuntgroup where nasipaddress="10.10.10.11" rlm_sql (sql): Reserving sql socket id: 3 SQL query did not return any results rlm_sql (sql): Released sql socket id: 3 expand: %{sql:select groupname from radhuntgroup where nasipaddress="%{NAS-IP-Address}"} -> ++[request] returns ok sql_xlat expand: %{User-Name} -> testuser sql_set_user escaped user --> 'testuser' expand: select authserver from authmethod where username ="%{User-Name}" -> select authserver from authmethod where username ="testuser" rlm_sql (sql): Reserving sql socket id: 2 sql_xlat finished rlm_sql (sql): Released sql socket id: 2 expand: %{sql:select authserver from authmethod where username ="%{User-Name}"} -> LOCAL ++[control] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop [sql] expand: %{User-Name} -> testuser [sql] sql_set_user escaped user --> 'testuser' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser' ORDER BY id [sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = 'testuser' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'VPN-AUTH' ORDER BY id rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "testuser" [pap] Using clear text password "testuser" [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} [sql] expand: %{User-Name} -> testuser [sql] sql_set_user escaped user --> 'testuser' [sql] expand: %{User-Password} -> testuser [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser', 'testuser', 'Access-Accept', '2009-08-17 16:18:58') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser', 'testuser', 'Access-Accept', '2009-08-17 16:18:58') rlm_sql (sql): Reserving sql socket id: 0 rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 26 to x.x.x.x port 1812 Finished request 0. -- View this message in context: http://www.nabble.com/Huntgroups-and-SQL-not-being-enforced-tp25019815p25019... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi. For info, i followed the information in the below link for my Huntgroups, but without Auth-Type since it is not recommended. http://wiki.freeradius.org/SQL_Huntgroup_HOWTO I still can´t get huntgroups to be enforced properly. If i add Huntgroup-Name == VPN-Service to the radcheck table, it works for my local users (the ones with a Cleartext-Password in Freeradius), but not for my proxied users. Any hints? /M -- View this message in context: http://www.nabble.com/Huntgroups-and-SQL-not-being-enforced-tp25019815p25024... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (1)
-
mikoi