Hello. I have freeradius 2.1.6 with rlm_sql_oracle. There is a plenty of users in radcheck table and several of them are a members of a group. As stated in comments in the dialup.conf all other users are a members of the group DEFAULT if I understood it right. I put the fields DEFAULT Auth-Type := Reject in the radgroupcheck table but it seems that radius doesn't process the group checks if there is no explict group record for the user in radusergroup table even if I set read_groups. The radius accepts the requests if the username and password matches. How can I reject users not stated in the group without explictly assigning them to the DEFAULT group in radusergroup? Regards, Maxim S. Denisov
Hi,
I have freeradius 2.1.6 with rlm_sql_oracle. There is a plenty of users in radcheck table and several of them are a members of a group. As stated in comments in the dialup.conf all other users are a members of the group DEFAULT if I understood it right. I put the fields DEFAULT Auth-Type := Reject in the radgroupcheck table but it seems that radius doesn't process the group checks if there is no explict group record for the user in radusergroup table even if I set read_groups. The radius accepts the requests if the username and password matches. How can I reject users not stated in the group without explictly assigning them to the DEFAULT group in radusergroup?
if you run briefly in full debug mode - ie 'radiusd -X' and then spend some time with a coffee or herbal tea or Jolt..or whatever - you can read exactly what the server is doing...you can watch and disect its logic and see exactly why its not doing what you want. then you can change it :-) alan
Hello. 12.10.2010, в 13:54, Alan Buxey написал(а):
I have freeradius 2.1.6 with rlm_sql_oracle. There is a plenty of users in radcheck table and several of them are a members of a group. As stated in comments in the dialup.conf all other users are a members of the group DEFAULT if I understood it right. I put the fields DEFAULT Auth-Type := Reject in the radgroupcheck table but it seems that radius doesn't process the group checks if there is no explict group record for the user in radusergroup table even if I set read_groups. The radius accepts the requests if the username and password matches. How can I reject users not stated in the group without explictly assigning them to the DEFAULT group in radusergroup?
if you run briefly in full debug mode - ie 'radiusd -X' and then spend some time with a coffee or herbal tea or Jolt..or whatever - you can read exactly what the server is doing...you can watch and disect its logic and see exactly why its not doing what you want. then you can change it :-)
I have alredy checked the debug output and saw that radiusd doesn't check radgroupckeck table if the username is not associated with any group in radusergroup. I have the record DEFAULT Auth-Type := Reject in the radgroupreply table and if I explictly associate the user with the DEFAULT group i getting the reject. This is the output of the radiusd -X -f: ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{Stripped-User-Name} -> [sql] expand: %{User-Name} -> 1001 [sql] expand: %{%{User-Name}:-DEFAULT} -> 1001 [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> 1001 [sql] sql_set_user escaped user --> '1001' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '1001' ORDER BY id SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '1001' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '1001' ORDER BY id SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '1001' ORDER BY id [sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM radusergroup WHERE UserName='1001' SELECT GroupName FROM radusergroup WHERE UserName='1001' rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "temp" [pap] Using clear text password "temp" [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 62 to 10.0.0.1 port 1025 How can I reject the users not listed in any group?
participants (2)
-
Alan Buxey -
Maxim S. Denisov