Huntgroups issue - every user is accepted
Dear All, I am trying to implement huntgroups via MySQL according to http://wiki.freeradius.org/SQL_Huntgroup_HOWTO On difference is the assignment of huntgroups not according to NAS-IP, but to Called-Station-Id. The goal is to suppress roaming between hotspot routers, between groups of hotspots. For that purpose I have inserted the code ... update request { Huntgroup-Name := "%{sql02:select groupname from radhuntgroup where calledstationid = '%{Called-Station-Id}'}" } ... In lieu of the module 'preprocess' into group 'authorize', as advised in the HOWTO. I have maintained the following entries in SQL tables: `radhuntgroup` `id`, `groupname`, `calledstationid` 1, 'Test-Rejec', '00-1D-7E-E7-96-9F' `usergroup` `UserName`, `GroupName`, `priority` 'yubvef13', 'TestGroup', 1 `radgroupcheck` `id`, `GroupName`, `Attribute`, `op`, `Value` 1, 'TestGroup', 'Huntgroup-Name', ':=', 'Test' One would expect the user to be rejected if the user tries to log in to the router with the Called-Station-Id '00-1D-7E-E7-96-9F', However, the user is authenticated and not rejected. Here the relevant parts of the debug: ... Mon Jan 19 20:57:03 2009 : Info: sql_xlat Mon Jan 19 20:57:03 2009 : Debug: expand: %{User-Name} -> yubvef13 Mon Jan 19 20:57:03 2009 : Info: sql_set_user escaped user --> 'yubvef13' Mon Jan 19 20:57:03 2009 : Debug: expand: select groupname from radhuntgroup where calledstationid = '%{Called-Station-Id}' -> select groupname from radhuntgroup where calledstationid = '00-1D-7E-E7-96-9F' Mon Jan 19 20:57:03 2009 : Debug: expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql Mon Jan 19 20:57:03 2009 : Debug: rlm_sql (sql02): Reserving sql socket id: 3 Mon Jan 19 20:57:03 2009 : Debug: rlm_sql_mysql: query: select groupname from radhuntgroup where calledstationid = '00-1D-7E-E7-96-9F' Mon Jan 19 20:57:03 2009 : Info: sql_xlat finished Mon Jan 19 20:57:03 2009 : Debug: rlm_sql (sql02): Released sql socket id: 3 Mon Jan 19 20:57:03 2009 : Debug: expand: %{sql02:select groupname from radhuntgroup where calledstationid = '%{Called-Station-Id}'} -> Test-Rejec Mon Jan 19 20:57:03 2009 : Info: ++[request] returns notfound Mon Jan 19 20:57:03 2009 : Info: ++[chap] returns noop Mon Jan 19 20:57:03 2009 : Info: ++[mschap] returns noop Mon Jan 19 20:57:03 2009 : Info: [suffix] No '@' in User-Name = "yubvef13", looking up realm NULL Mon Jan 19 20:57:03 2009 : Info: [suffix] No such realm "NULL" Mon Jan 19 20:57:03 2009 : Info: ++[suffix] returns noop Mon Jan 19 20:57:03 2009 : Info: [eap] No EAP-Message, not doing EAP Mon Jan 19 20:57:03 2009 : Info: ++[eap] returns noop Mon Jan 19 20:57:03 2009 : Info: ++- entering redundant-load-balance group sql0203 {...} Mon Jan 19 20:57:03 2009 : Debug: expand: %{User-Name} -> yubvef13 Mon Jan 19 20:57:03 2009 : Info: [sql02] sql_set_user escaped user --> 'yubvef13' Mon Jan 19 20:57:03 2009 : Debug: rlm_sql (sql02): Reserving sql socket id: 2 Mon Jan 19 20:57:03 2009 : Debug: expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'yubvef13' ORDER BY id Mon Jan 19 20:57:03 2009 : Debug: rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'yubvef13' ORDER BY id Mon Jan 19 20:57:03 2009 : Info: [sql02] User found in radcheck table Mon Jan 19 20:57:03 2009 : Debug: expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = BINARY 'yubvef13' ORDER BY id Mon Jan 19 20:57:03 2009 : Debug: rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = BINARY 'yubvef13' ORDER BY id Mon Jan 19 20:57:03 2009 : Debug: expand: SELECT groupname FROM usergroup WHERE username = BINARY '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = BINARY 'yubvef13' ORDER BY priority Mon Jan 19 20:57:03 2009 : Debug: rlm_sql_mysql: query: SELECT groupname FROM usergroup WHERE username = BINARY 'yubvef13' ORDER BY priority Mon Jan 19 20:57:03 2009 : Debug: expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'TestGroup' ORDER BY id Mon Jan 19 20:57:03 2009 : Debug: rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'TestGroup' ORDER BY id Mon Jan 19 20:57:03 2009 : Info: [sql02] User found in group TestGroup Mon Jan 19 20:57:03 2009 : Debug: expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'TestGroup' ORDER BY id Mon Jan 19 20:57:03 2009 : Debug: rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'TestGroup' ORDER BY id Mon Jan 19 20:57:03 2009 : Debug: rlm_sql (sql02): Released sql socket id: 2 Mon Jan 19 20:57:03 2009 : Info: +++[sql02] returns ok ... One thing I don't get is, why is the rlm_sql_mysql module finding the Hungroup-Name 'Test-Rejec' correctly, but module 'request' returns not found? The user is found in radgroupchek for the correct usergroup 'TestGroup'. As the values in radgroupcheck and radgroupreplycheck do not match, the user should be rejected, but the user is accepted. What am I doing wrong?
Hanno Schupp wrote:
I am trying to implement huntgroups via MySQL according to http://wiki.freeradius.org/SQL_Huntgroup_HOWTO On difference is the assignment of huntgroups not according to NAS-IP, but to Called-Station-Id. The goal is to suppress roaming between hotspot routers, between groups of hotspots.
For that purpose I have inserted the code ... In lieu of the module ‘preprocess’ into group ‘authorize’, as advised in the HOWTO.
You also seen to be over-riding that in the SQL tables:
`radgroupcheck` `id`, `GroupName`, `Attribute`, `op`, `Value` 1, 'TestGroup', 'Huntgroup-Name', ':=', 'Test'
This sets the Huntgroup-Name to "Test".
One would expect the user to be rejected if the user tries to log in to the router with the Called-Station-Id '00-1D-7E-E7-96-9F’, However, the user is authenticated and not rejected.
You did not configure the server to reject the user if he logs in with that Called-Station-Id. You configured the server to put him in a huntgroup if he logs in with that Called-Station-Id. Did you configure the server to reject users in the "Test-Rejec" huntgroup? It looks like you didn't.
One thing I don’t get is, why is the rlm_sql_mysql module finding the Hungroup-Name ‘Test-Rejec’ correctly, but module ‘request’ returns not found?
There are explanations for that...
The user is found in radgroupchek for the correct usergroup ‘TestGroup’. As the values in radgroupcheck and radgroupreplycheck do not match, the user should be rejected, but the user is accepted.
No. If the values in radgroupcheck do not match.... it means they do not match. You have *other* configurations that let the server authenticate the request. You did *not* configure the server to reject the request if it's in the "Test-Rejec" huntgroup. Alan DeKok.
-----Original Message----- From: Alan DeKok [mailto:aland@deployingradius.com] Sent: Monday, 19 January 2009 10:29 p.m. To: FreeRadius users mailing list Subject: Re: Huntgroups issue - every user is accepted Hanno Schupp wrote:
I am trying to implement huntgroups via MySQL according to http://wiki.freeradius.org/SQL_Huntgroup_HOWTO On difference is the assignment of huntgroups not according to NAS-IP, but to Called-Station-Id. The goal is to suppress roaming between hotspot routers, between groups of hotspots.
For that purpose I have inserted the code ... In lieu of the module ‘preprocess’ into group ‘authorize’, as advised in the HOWTO.
You also seen to be over-riding that in the SQL tables:
`radgroupcheck` `id`, `GroupName`, `Attribute`, `op`, `Value` 1, 'TestGroup', 'Huntgroup-Name', ':=', 'Test'
This sets the Huntgroup-Name to "Test".
You are right, I checked the tutorial again, and the suggested operator in there is indeed == So now the entry reads: `radgroupcheck` `id`, `GroupName`, `Attribute`, `op`, `Value` 1, 'TestGroup', 'Huntgroup-Name', '==', 'Test' Unfortunately it does not make any difference.
One would expect the user to be rejected if the user tries to log in to the router with the Called-Station-Id '00-1D-7E-E7-96-9F’, However, the user is authenticated and not rejected.
You did not configure the server to reject the user if he logs in with that Called-Station-Id. You configured the server to put him in a huntgroup if he logs in with that Called-Station-Id.
Did you configure the server to reject users in the "Test-Rejec" huntgroup? It looks like you didn't.
I do not want the user to be rejected per se. I only want the user to be rejected if her own huntgroup as stored in radgroupcheck is different from the huntgroup of the Called-Station-Id in the radhuntgroup table. The goal is to prevent a user to login to a hotspot router, that does not belong to the huntgroup the user belongs to. I am sorry if I have left out any other configuration, but again, according to the howto in the freeradius wiki, what I have configured is all that is necessary. Or are you saying the instructions on http://wiki.freeradius.org/SQL_Huntgroup_HOWTO are incorrect?
One thing I don’t get is, why is the rlm_sql_mysql module finding the Hungroup-Name ‘Test-Rejec’ correctly, but module ‘request’ returns not found?
There are explanations for that...
Great. Can you please point out where, as neither rlm_sql not /etc/freeradius/sql/mysql/dialup.conf says anything about returned status.
The user is found in radgroupchek for the correct usergroup ‘TestGroup’. As the values in radgroupcheck and radgroupreplycheck do not match, the user should be rejected, but the user is accepted.
No. If the values in radgroupcheck do not match.... it means they do not match.
As per above, the howto on the freeradius wiki suggests something very different. If it is incorrect, that how to should be pulled.
You have *other* configurations that let the server authenticate the request. You did *not* configure the server to reject the request if it's in the "Test-Rejec" huntgroup.
Sure I do, but the wiki documentation suggests that the request would be rejected by the system on reading the radgroupcheck table and realising it has a different huntgroup table than the assigned to the NAS. So let me ask another way, if the documentation is indeed incorrect, how do I reject a request, where Huntgroup of user and NAS do not match?
The goal is to suppress roaming between hotspot routers, between groups of hotspots.
`radhuntgroup`
`id`, `groupname`, `calledstationid`
1, 'Test-Rejec', '00-1D-7E-E7-96-9F'
`usergroup`
`UserName`, `GroupName`, `priority`
'yubvef13', 'TestGroup', 1
This is OK.
`radgroupcheck`
`id`, `GroupName`, `Attribute`, `op`, `Value`
1, 'TestGroup', 'Huntgroup-Name', ':=', 'Test'
This doesn't check anything. It sets huntgroup to Test. As I understand it you want to reject huntgroups that are not Test. So make such a policy: Huntgroup-Name != "Test", Auth-Type := Reject Ivan Kalik Kalik Informatika ISP
-----Original Message----- From: tnt@kalik.net [mailto:tnt@kalik.net] Sent: Monday, 19 January 2009 10:52 p.m. To: FreeRadius users mailing list Subject: Re: Huntgroups issue - every user is accepted
The goal is to suppress roaming between hotspot routers, between groups of hotspots.
`radhuntgroup`
`id`, `groupname`, `calledstationid`
1, 'Test-Rejec', '00-1D-7E-E7-96-9F'
`usergroup`
`UserName`, `GroupName`, `priority`
'yubvef13', 'TestGroup', 1
This is OK.
`radgroupcheck`
`id`, `GroupName`, `Attribute`, `op`, `Value`
1, 'TestGroup', 'Huntgroup-Name', ':=', 'Test'
This doesn't check anything. It sets huntgroup to Test.
As I understand it you want to reject huntgroups that are not Test. So make such a policy:
Huntgroup-Name != "Test", Auth-Type := Reject
Thanks for your response. It overlapped time wise with one from Alan. However, the issue remains: I do not want the user to be rejected per se. I only want the user to be rejected if her own huntgroup as stored in radgroupcheck is different from the huntgroup of the Called-Station-Id in the radhuntgroup table. The goal is to prevent a user to login to a hotspot router, that does not belong to the huntgroup the user belongs to. I am sorry if I have left out any other configuration, but again, according to the howto in the freeradius wiki, what I have configured is all that is necessary. But the wiki seems to be incorrect, so what do I need to configure to have a request rejected, where a user's huntgroup and an NAS huntgroup do not match?
However, the issue remains: I do not want the user to be rejected per se. I only want the user to be rejected if her own huntgroup as stored in radgroupcheck is different from the huntgroup of the Called-Station-Id in the radhuntgroup table. The goal is to prevent a user to login to a hotspot router, that does not belong to the huntgroup the user belongs to.
Hm, and what do you think:
Huntgroup-Name != "Test", Auth-Type := Reject
that does? As a joke, put them in radgroupcheck and see if it does *exactly* what you have described. Ivan Kalik Kalik Informatika ISP
participants (3)
-
Alan DeKok -
Hanno Schupp -
tnt@kalik.net