freeradius authorization without "username"
???????, ?? ????????
const at one.lv
Mon Feb 27 15:36:56 CET 2006
I run FreeRADIUS, and I need to authorize on "Calling-Station-Id". This is the attribute I configured in radiusd.conf:
# rlm_checkval instance: compares the request's Calling-Station-Id against a
# Calling-Station-Id check item. NOTE(review): it is defined here but not
# listed in the authorize section shown further down (that section calls
# only auth_log and sql), so it never runs for these requests.
checkval {
# The attribute to look for in the request
item-name = Calling-Station-Id
# The attribute to look for in check items. Can be multi valued
check-name = Calling-Station-Id
# The data type. Can be
# string,integer,ipaddr,date,abinary,octets
data-type = string
# If set to yes and we dont find the item-name attribute in the
# request then we send back a reject
# DEFAULT is no
# Fail closed: a request that carries no Calling-Station-Id at all is
# rejected instead of silently passing the check.
notfound-reject = yes
}
(But in fact, I do not use this)
Why, when FreeRADIUS receives an Access-Request packet whose "User-Name" is empty, do we get an Access-Reject?
I use the SQL authorization module.
In the database (I use it as a blacklist: if the Calling-Station-Id exists in the list, access is denied):
+----+------------+-----------+----+--------+
| id | UserName | Attribute | op | Value |
+----+------------+-----------+----+--------+
| 2 | 3339222222 | Auth-Type | == | Reject |
| 1 | all_users_not_in_black_list | Auth-Type | == | Accept |
+----+------------+-----------+----+--------+
From sql.conf:
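# Check-item lookup. rlm_sql keys every lookup on the name it builds from its
# sql_user_name setting (by default the User-Name attribute); when that
# expands to an empty string the module returns "invalid" before this query
# ever runs ("zero length username not permitted" in the debug output above).
# NOTE(review): to key the blacklist on the calling number instead, point
# sql_user_name at %{Calling-Station-Id} in this file — confirm the option
# name against your sql.conf. Keep using %{SQL-User-Name} in the query:
# rlm_sql substitutes it with SQL-unsafe characters escaped, whereas a raw
# %{User-Name} or %{Calling-Station-Id} would be interpolated unescaped.
#
# Two rows can match: the caller's own (Reject) row and the catch-all
# (Accept) row. The previous query relied on LIMIT 1 with no ORDER BY, so
# which row came back was unspecified and a blacklisted number could be
# accepted. The ORDER BY puts an exact match first (MySQL evaluates the
# comparison to 1/0), so the caller's own row wins whenever it exists.
authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
FROM ${authcheck_table} \
WHERE Username IN ('%{SQL-User-Name}', 'all_users_not_in_black_list') \
ORDER BY (Username = '%{SQL-User-Name}') DESC \
LIMIT 1"
# Reply items are the same for every accepted caller.
authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
FROM ${authreply_table} \
WHERE Username = 'all_users_not_in_black_list' \
ORDER BY id"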
Here is the output from radiusd in debug mode:
rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX:1812, id=182, length=113
NAS-Identifier = "ggsn2"
User-Name = ""
User-Password = ""
NAS-IP-Address = XXX.XXX.XXX.XXX
NAS-Port-Type = Virtual
Called-Station-Id = "1000"
Calling-Station-Id = "3339222225"
Acct-Session-Id = "d45d6126057478b1"
Acct-Multi-Session-Id = "d45d61260000b77a"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
radius_xlat: '/usr/local/var/log/radius/radacct/auth-detail.log'
rlm_detail: /usr/local/var/log/radius/radacct/auth-detail.log expands to /usr/local/var/log/radius/radacct/auth-detail.log
modcall[authorize]: module "auth_log" returns ok for request 0
rlm_sql (sql): zero length username not permitted
modcall[authorize]: module "sql" returns invalid for request 0
modcall: leaving group authorize (returns invalid) for request 0
Invalid user: [/] (from client ggsn2 port 0 cli 3719248521)
Sending Access-Reject of id 182 to XXX.XXX.XXX.XXX port 1812
I don't care what the username is! How can I avoid this problem? :-( Can someone help me with this question?
Here is the relevant part of my radiusd.conf:
<...skipped...>
# Module instances. Only auth_log, sql, detail, radutmp and reply_log are
# referenced by the sections that follow; the rest are defined but unused.
modules {
# Defined but not called from authorize (see below), so it never runs.
checkval {
# The attribute to look for in the request
item-name = Calling-Station-Id
# The attribute to look for in check items. Can be multi valued
check-name = Calling-Station-Id
# The data type. Can be
# string,integer,ipaddr,date,abinary,octets
data-type = string
# If set to yes and we dont find the item-name attribute in the
# request then we send back a reject
# DEFAULT is no
# Fail closed: a request without Calling-Station-Id is rejected.
notfound-reject = yes
}
# Not called from authorize below, so hints/huntgroups have no effect here.
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
# Livingston-style 'users' file
#
# Not called from authorize below, so the 'users' file is not consulted.
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
# If you want to use the old Cistron 'users' file
# with FreeRADIUS, you should change the next line
# to 'compat = cistron'. You can the copy your 'users'
# file from Cistron.
compat = no
}
# Write a detailed log of all accounting records received.
#
detail {
detailfile = ${radacctdir}/acct-detail.log
detailperm = 0600
}
# Records the attributes of every incoming Access-Request (called first in
# authorize below). Keep the file owner-only: requests can carry passwords.
detail auth_log {
detailfile = ${radacctdir}/auth-detail.log
detailperm = 0600
}
# Records every reply (called from post-auth below).
detail reply_log {
detailfile = ${radacctdir}/reply-detail.log
detailperm = 0600
}
# rlm_sql configuration, including the authorize_* queries quoted above.
$INCLUDE ${confdir}/sql.conf
# Session table keyed on the calling number rather than User-Name,
# consistent with the Calling-Station-Id based policy.
radutmp {
filename = ${logdir}/radutmp
username = %{Calling-Station-Id}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
# NOTE(review): world-readable (0644) unlike the other log files above;
# consider 0600 if the session data is considered sensitive.
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
# Not referenced by any section below. NOTE(review): if it is ever called,
# %{User-Name} is NAS/user-supplied and is expanded into the command line
# as-is — confirm how this server version escapes exec arguments first.
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
}
# No modules are instantiated explicitly; each is loaded on first reference.
instantiate {
}
# Authorization policy. The whole decision comes from the SQL check items
# (Auth-Type Accept/Reject rows): the request in the debug output carries an
# empty User-Name and an empty User-Password, and no module here verifies a
# credential, so any number not in the blacklist is accepted purely on the
# strength of the NAS-reported Calling-Station-Id. That is only as trustworthy
# as the NAS itself and the client list / shared secret that restrict who may
# send requests to this server. Because sql fails with "invalid" when the
# name it keys on is empty, the request is rejected before the blacklist is
# consulted (the "Invalid user" line in the debug output).
authorize {
# Logs every incoming request before any decision is made.
auth_log
# See "Authorization Queries" in sql.conf
sql
}
# Empty: Auth-Type is set to Accept or Reject by the SQL check items, so no
# authentication module ever runs and User-Password is never checked.
authenticate {
}
# Accounting: write the detail log and update the session table.
accounting {
detail
radutmp
}
# Simultaneous-use checks consult the radutmp instance keyed on
# Calling-Station-Id (see the module definition above).
session {
radutmp
}
# Post-Authentication
# Log every reply sent back to the NAS.
post-auth {
reply_log
}