Group checking - Radius AVP retrieval
lenirsantiago at yahoo.com
Fri Oct 14 18:15:15 CEST 2005
Hello list,
Radius authentication works fine.
The problem comes afterwards, when my radiusclient/application sends another RADIUS
Access-Request message, but without the User-Password field, and freeradius
complains that it requires it since we are using Digest.
What the radiusclient is trying to do is find out if a user (in this case
1000) belongs to a specific group.
In /etc/raddb/users file I have the following at line 152:
DEFAULT Auth-Type = System
	Fall-Through = 1
DEFAULT Service-Type == Group-Check, Auth-Type := None
DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
-----
These are mysql tables:
+----+----------+-----------+----+----------+
| id | UserName | Attribute | op | Value |
+----+----------+-----------+----+----------+
| 1 | Jhassell | Password | == | changeme |
| 2 | Rneis | Password | == | changeme |
| 3 | 1000 | Password | == | 1000 |
| 4 | 2000 | Password | == | 2000 |
| 5 | 3000 | Password | == | 3000 |
| 8 | 1000 | Auth-Type | := | Digest |
+----+----------+-----------+----+----------+
+----+-----------+-----------+----+--------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+--------+
| 6 | Dialin | Auth-Type | := | Accept |
+----+-----------+-----------+----+--------+
+----+-----------+---------------+----+----------------------------------+------+
| id | GroupName | Attribute | op | Value | prio |
+----+-----------+---------------+----+----------------------------------+------+
| 1 | Dialin | Reply-Message | = | "Authenticated by group Dialin" | 0 |
| 2 | Dialin2 | Reply-Message | = | "Authenticated by group Dialin2" | 0 |
+----+-----------+---------------+----+----------------------------------+------+
+----+----------+---------------+----+------------------+
| id | UserName | Attribute | op | Value |
+----+----------+---------------+----+------------------+
| 1 | 1000 | Reply-Message | = | "Authenticated" |
| 2 | 1000 | Sip-Group | = | Dialin |
| 3 | 1000 | SIP-AVP | = | Sip-Group:Dialin |
+----+----------+---------------+----+------------------+
+----+----------+------------+
| id | UserName | GroupName |
+----+----------+------------+
| 1 | Jhassell | Dialin |
| 2 | Rneis | Staticdial |
| 3 | 1000 | Dialin |
| 4 | 2000 | Dialin |
| 5 | 3000 | Dialin |
| 6 | 3000 | Dialin2 |
+----+----------+------------+
------
This is the debug I get from freeradius for the group check:
rad_recv: Access-Request packet from host xx.xx.xx.xx:33025, id=15, length=67
User-Name = "1000 at xx.xx.xx.xx"
Sip-Group = "Dialin2"
Service-Type = Group-Check
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 74
modcall[authorize]: module "preprocess" returns ok for request 74
modcall[authorize]: module "chap" returns noop for request 74
modcall[authorize]: module "mschap" returns noop for request 74
modcall[authorize]: module "digest" returns noop for request 74
rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name = "1000 at xx.xx.xx.xx"
rlm_realm: Found realm "xx.xx.xx.xx"
rlm_realm: Adding Stripped-User-Name = "1000"
rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
rlm_realm: Adding Realm = "xx.xx.xx.xx"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 74
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 74
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 158
modcall[authorize]: module "files" returns ok for request 74
radius_xlat: '1000'
rlm_sql (sql): sql_set_user escaped user --> '1000'
rlm_sql (sql): Released sql socket id: 0
modcall[authorize]: module "sql" returns ok for request 74
modcall: group authorize returns ok for request 74
rad_check_password: Found Auth-Type Digest
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 74
ERROR: No Digest-Nonce: Cannot perform Digest authentication
modcall[authenticate]: module "digest" returns invalid for request 74
modcall: group authenticate returns invalid for request 74
auth: Failed to validate the user.
Delaying request 74 for 1 seconds
Finished request 74
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 15 to xx.xx.xx.xx:33025
Reply-Message = "Authenticated"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 74 ID 15 with timestamp 434f1121
Nothing to do. Sleeping until we see a request.
Any help in this matter would be deeply appreciated,
thanks
Lenir
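
Added example, not part of the original post: a small Python helper that condenses radiusd debug output of the kind quoted above into the request attributes, the per-module return codes, the Auth-Type that was selected, any errors and the reply sent. The sample lines are constructed from the shape of the log above, the function names are hypothetical, and it assumes each log entry sits on a single line.

```python
import re

# Constructed sample, shaped like the radiusd debug output quoted in the post.
SAMPLE = """\
rad_recv: Access-Request packet from host xx.xx.xx.xx:33025, id=15, length=67
    Service-Type = Group-Check
modcall[authorize]: module "digest" returns noop for request 74
modcall[authorize]: module "files" returns ok for request 74
modcall[authorize]: module "sql" returns ok for request 74
rad_check_password: Found Auth-Type Digest
ERROR: No Digest-Nonce: Cannot perform Digest authentication
modcall[authenticate]: module "digest" returns invalid for request 74
Sending Access-Reject of id 15 to xx.xx.xx.xx:33025
"""

MODCALL = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+)')
AUTH_TYPE = re.compile(r'rad_check_password:\s+Found Auth-Type (\S+)')
SENDING = re.compile(r'Sending (Access-\w+) of id \d+')
ATTR = re.compile(r'^([\w-]+) = (.+)$')
FAILING = {"reject", "fail", "invalid", "userlock"}  # rcodes treated as failures here

def trace(debug_text):
    """Summarise one request: attributes, module rcodes, Auth-Type, errors, reply."""
    t = {"request": {}, "modules": [], "auth_type": None, "errors": [], "reply": None}
    in_packet = False
    for raw in debug_text.splitlines():
        line = raw.strip()
        if line.startswith("rad_recv:"):
            in_packet = True          # attribute lines follow the packet header
            continue
        if in_packet:
            m = ATTR.match(line)
            if m:
                t["request"][m.group(1)] = m.group(2).strip('"')
                continue
            in_packet = False         # first non-attribute line ends the packet dump
        m = MODCALL.search(line)
        if m:
            t["modules"].append(m.groups())
        elif AUTH_TYPE.search(line):
            t["auth_type"] = AUTH_TYPE.search(line).group(1)
        elif line.startswith("ERROR:"):
            t["errors"].append(line[len("ERROR:"):].strip())
        elif SENDING.search(line):
            t["reply"] = SENDING.search(line).group(1)
    return t

def failing_modules(t):
    """(section, module, rcode) for every module that returned a failing rcode."""
    return [m for m in t["modules"] if m[2] in FAILING]

if __name__ == "__main__":
    print(trace(SAMPLE))
```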