FreeRadius 2 w/ MySQL - Group check issue
I recently setup a freeradius 2 server with MySQL and I am having an issue where it doesn't appear to be doing group checks. If I have a user set to a group it doesn't appear to check the attributes set in that group: +----+----------+--------------+----+------------------------------------------+ | id | username | attribute | op | value | +----+----------+--------------+----+------------------------------------------+ | 15 | user1 | SHA-Password | := | 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 | +----+----------+--------------+----+------------------------------------------+ 1 row in set (0.00 sec) mysql> select * from radusergroup where username = 'user1'; +----------+-----------+----------+ | username | groupname | priority | +----------+-----------+----------+ | user1 | admin | 1 | +----------+-----------+----------+ 1 row in set (0.00 sec) mysql> select * from radgroupcheck where groupname = 'admin'; +----+-----------+----------------+----+--------+ | id | groupname | attribute | op | value | +----+-----------+----------------+----+--------+ | 3 | admin | NAS-Identifier | == | Adtran | +----+-----------+----------------+----+--------+ 1 row in set (0.00 sec) If I understand correctly the following request should be denied because the NAS-Identifier in the request doesn't match the one specified in the groupcheck table. However, it is replying with Accept-Accept. rad_recv: Access-Request packet from host 64.185.12.105 port 7458, id=61, length=56 User-Name = "user1" User-Password = "password" NAS-Identifier = "Zhone MxK" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "user1", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> user1 rlm_sql (sql): sql_set_user escaped user --> 'user1' rlm_sql (sql): Reserving sql socket id: 3 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user1' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user1' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'user1' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'user1' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'user1' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'user1' ORDER BY priority expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Normalizing SHA-Password from hex encoding ++[pap] returns updated rad_check_password: Found Auth-Type auth: type "PAP" +- entering group PAP rlm_pap: login attempt with password "password" rlm_pap: Using SHA1 encryption. rlm_pap: User authenticated successfully ++[pap] returns ok Login OK: [user1/password] (from client lab-mxk-1 port 0) +- entering group post-auth rlm_sql (sql): Processing sql_postauth expand: %{User-Name} -> user1 rlm_sql (sql): sql_set_user escaped user --> 'user1' expand: %{User-Password} -> password expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user1', 'password', 'Access-Accept', '2010-02-24 10:56:24') expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user1', 'password', 'Access-Accept', '2010-02-24 10:56:24') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql_mysql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user1', 'password', 'Access-Accept', '2010-02-24 10:56:24') rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 61 to 64.185.12.105 port 7458 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 61 with timestamp +9 Ready to process requests. Any help would be greatly appreciated. Thanks, Craig
Alan, Apparently I am misunderstood the rlm_sql docs. I see that it is running the mysql group check and reply queries. /doc/rlm_sql reads:
5. For each group this user is a member of, the corresponding check items are pulled from radgroupcheck table and compared with the request. If there is a match, the reply items for this group are pulled from the radgroupreply table and applied.
If no attributes in the radgroupcheck table are matched I have a group with a higher priority number to act as an implicit deny. One last question, is there a max priority for groups? The mysql field allows 11 characters, so the max priority I could store would be 99999999999, but I wasn't sure if there was anything that would limit it other than that character limit. Thanks, Craig On Sat, Feb 27, 2010 at 1:58 AM, Alan DeKok <aland@deployingradius.com>wrote:
Craig Schurr wrote:
If I understand correctly the following request should be denied because the NAS-Identifier in the request doesn't match the one specified in the groupcheck table.
No. Read doc/rlm_sql. The Wiki also has a copy of that page.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Craig Schurr wrote:
If no attributes in the radgroupcheck table are matched I have a group with a higher priority number to act as an implicit deny.
There is no "implicit deny". The documentations aays "if there is a match, the reply items are applied". It does NOT say "if there is no match, the user is rejected". If you want a user to be rejected, you have to configure that. Alan DeKok.
Alan, Initially, I made the assumption that there was an implicit deny. After re-reading the docs, I have created an "implicitdeny" group that I assign to all new users with a priority of 1000. The only attribute set in this group is Auth-Type = Reject. So, if there is a match for any other groups with a priority number less than 1000, the customer is accepted and those group rules are applied. I was just wondering if there was a maximum priority number, other than the character limit in my mysql field. Thanks again for all the help, Craig On Sat, Feb 27, 2010 at 1:05 PM, Alan DeKok <aland@deployingradius.com>wrote:
Craig Schurr wrote:
If no attributes in the radgroupcheck table are matched I have a group with a higher priority number to act as an implicit deny.
There is no "implicit deny". The documentations aays "if there is a match, the reply items are applied".
It does NOT say "if there is no match, the user is rejected".
If you want a user to be rejected, you have to configure that.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Craig Schurr