Repost: Properly using the := and = operators?
Mike
mike-freeradius at tiedyenetworks.com
Wed Dec 27 23:17:29 CET 2006
Kevin Bonner wrote:
>> | 5 | suspended | Framed-IP-Address | = | 10.10.0.2+ |
>>
> mysql> select * from radgroupreply ;
>
> The = operator here is incorrect, as you want to always override the
> Framed-IP-Address. Using := will replace any/all Framed-IP-Address
> attributes in the reply with the one listed above.
>
>
>
Yeah that's the problem. The documentation says that's what it does, but
in fact it doesn't. Any Framed-IP-Address in radreply, superceeds and
overrules any Framed-IP-Address from radgroupreply, and no operators
change or alter that. I can put in a Framed-IP-Address in radgroupreply
using = or :=, but it never ever overwrites Framed-IP-Address from
radreply, and I can prove that group processing is happening because if
I change it to +=, I then get both ip addresses in the reply. For example:
mysql> select * from radreply ;
+----+----------+-------------------+----+---------+
| id | UserName | Attribute | op | Value |
+----+----------+-------------------+----+---------+
| 4 | joe.user | Framed-IP-Address | := | 1.2.3.4 |
+----+----------+-------------------+----+---------+
mysql> select * from usergroup where GroupName = 'suspended';
+----------+-----------+----------+
| UserName | GroupName | priority |
+----------+-----------+----------+
| joe.user | suspended | 1 |
+----------+-----------+----------+
mysql> select * from radgroupreply where GroupName = 'suspended' ;
+----+-----------+-------------------+----+-----------------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-------------------+----+-----------------+
| 6 | suspended | Framed-Netmask | = | 255.255.255.255 |
| 5 | suspended | Framed-IP-Address | += | 10.10.0.2+ |
| 10 | suspended | Framed-Filter-Id | = | "natroutes" |
+----+-----------+-------------------+----+-----------------+
3 rows in set (0.00 sec)
radtest joe.user ididntpaymybill localhost 0 testing123 hello
Sending Access-Request of id 58 to 127.0.0.1 port 1812
User-Name = "joe.user"
User-Password = "ididntpaymybill"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=58, length=62
Framed-IP-Address = 1.2.3.4
Framed-IP-Address = 10.10.0.2
Framed-IP-Netmask = 255.255.255.255
Framed-Route = "40.0.0.0/16"
Filter-Id = "natroutes"
So you can see both Framed-IP-Address from above. I got two because +=
added the 10.10.0.2 to the reply.
And now I'll change it back to := for show:
mysql> select * from radgroupreply where GroupName = 'suspended' ;
+----+-----------+-------------------+----+-----------------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-------------------+----+-----------------+
| 6 | suspended | Framed-Netmask | = | 255.255.255.255 |
| 5 | suspended | Framed-IP-Address | := | 10.10.0.2+ |
| 10 | suspended | Framed-Filter-Id | = | "natroutes" |
+----+-----------+-------------------+----+-----------------+
3 rows in set (0.00 sec)
radtest joe.user ididntpaymybill localhost 0 testing123 hello
Sending Access-Request of id 166 to 127.0.0.1 port 1812
User-Name = "joe.user"
User-Password = "ididntpaymybill"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=166, length=56
Framed-IP-Address = 1.2.3.4
Framed-IP-Netmask = 255.255.255.255
Framed-Route = "40.0.0.0/16"
Filter-Id = "natroutes"
Now you can see the Framed-IP-Address is 1.2.3.4 - it was not
overwritten by the 10.10.0.2 from radgroupreply despite what the
documentation seems to suggest and what you have stated. Can you suggest
changes that will allow radgroupreply to set a Framed-IP-Address
attribute that overwrites any set from radreply?
--
> --
> Do not try to make the creditors stop calling, for that is impossibe.
> Instead, only try to realise the truth: THERE IS NO PHONE!
> <a href="http://speedtest.dslreports.com"><img border=0 src="http://www.dslreports.com/im/18224717/86472.png"></a>
>
>
More information about the Freeradius-Users
mailing list