users file ignored and still checks sql
Hi There, I have been looking at an issue we are having with out deployment and for the life of me cant see what is wrong. We have version 2.1.8 but I couldn't find any mention of a bug like this in releases since. The issue is I want to do a realm based auth for one realm and return some L2TP information. So in proxy.conf I have added the realm, in users I have added a user like this: realm and ip changed to protect the innocent DEFAULT Realm == "womble.co.nz", Auth-Type := Accept Tunnel-Type := L2TP, Tunnel-Medium-Type := IP, Tunnel-Server-Endpoint := 1.1.1.1, Alc-Tunnel-Idle-Timeout := 600, Tunnel-Assignment-Id := Tunnel1, Fall-Through = No In the default enabled site I have file and sql enabled for authorization. When I run freeradius -X I get the output as follows: again changed to protect [suffix] Looking up realm "wombles.co.nz" for User-Name = "wibble@womble.co.nz" [suffix] Found realm "womble.co.nz" [suffix] Adding Stripped-User-Name = "wibble" [suffix] Adding Realm = "womble.co.nz" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [files] users: Matched entry DEFAULT at line 87 ++[files] returns ok [sql] expand: %{Orcon-User-Name} -> [sql] sql_set_user escaped user --> '' rlm_sql (sql): Reserving sql socket id: 0 [sql] expand: CALL authorize_check_query(query) -> CALL authorize_check_query(query) rlm_sql_mysql: query: CALL authorize_check_query(query) rlm_sql_mysql: MYSQL check_error: 1054 received rlm_sql_getvpdata: database query error [sql] SQL query error; rejecting user rlm_sql (sql): Released sql socket id: 0 ++[sql] returns fail Invalid user: [wibble@womble.co.nz] (from client bng1 port 0 cli 103249698) Using Post-Auth-Type Reject I would have thought this configuration should result in the users file being scanned and then returning Auth-Type: Accept and not then processing the sql authorize module. Have I missed something simple, or does this config look right. Any clues appreciated. Paul
Paul Tinson wrote:
The issue is I want to do a realm based auth for one realm and return some L2TP information. So in proxy.conf I have added the realm, in users I have added a user like this: realm and ip changed to protect the innocent
DEFAULT Realm == "womble.co.nz", Auth-Type := Accept
That says "set Accept authentication during the authentication phase" ...
[files] users: Matched entry DEFAULT at line 87 ++[files] returns ok [sql] expand: %{Orcon-User-Name} ->
That's what's supposed to happen.
I would have thought this configuration should result in the users file being scanned and then returning Auth-Type: Accept and not then processing the sql authorize module.
No.
Have I missed something simple, or does this config look right.
The configuration is wrong. Setting "Auth-Type = Accept" doesn't mean "stop authorization". It means "use Accept authentication" If you want to avoid processing the SQL module, use module-failover, or "unlang". See "man unlang" authorize { ... files { ok = return } sql ... } Alan DeKok.
On 24/04/12 11:44 PM, "Alan DeKok" <aland@deployingradius.com> wrote:
Have I missed something simple, or does this config look right.
The configuration is wrong. Setting "Auth-Type = Accept" doesn't mean "stop authorization". It means "use Accept authentication"
OK that makes sense.
If you want to avoid processing the SQL module, use module-failover, or "unlang". See "man unlang"
authorize { ... files { ok = return } sql ... }
That works. If we have files and sql in authorize and the user is in the file and not in sql I thought it would use the details in the file to authorize the user? However it looks like the sql query for that user fails instead of returning no user data. Could that cause it to behave this way? Thanks for the quick help.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Paul Tinson wrote:
If we have files and sql in authorize and the user is in the file and not in sql I thought it would use the details in the file to authorize the user?
I explained this above. You said "that makes sense". I don't see why it isn't clear now.
However it looks like the sql query for that user fails instead of returning no user data. Could that cause it to behave this way?
Because the query isn't valid? Alan DeKok.
participants (2)
-
Alan DeKok -
Paul Tinson