rlm_sql functionality

Nils Rønhovde nar at telenor.net
Tue Sep 5 13:47:31 CEST 2006


Hi,

I am trying to do something with rlm_sql (driver: mysql) that does not 
seem to work as stated in the documentation.

Consider this database:

mysql> select * from radcheck;
| id | UserName | Attribute | op | Value |
|  1 | nar2     | Password  | == | test  |

mysql> select * from radreply;
| id | UserName | Attribute    | op | Value |
|  1 | nar2     | Fall-Through | =  | Yes   |

mysql> select * from usergroup;
| id | UserName | GroupName | priority |
|  1 | nar2     | core-en   |        2 |
|  2 | nar2     | access-en |        1 |

mysql> select * from radgroupcheck;
| id | GroupName | Attribute      | op | Value    |
|  1 | core-en   | NAS-IP-Address | == | 10.1.1.1 |
|  2 | access-en | NAS-IP-Address | == | 10.2.1.1 |

mysql> select * from radgroupreply;
| id | GroupName | Attribute     | op | Value  | prio |
|  1 | core-en   | Reply-Message | =  | Core   |    1 |
|  2 | access-en | Reply-Message | =  | Access |    1 |


The sql.conf is unchanged from the default, except that the server 
connects to a database on a remote host.

The idea is that when nar2 tries to log in on the two different NAS'es, 
the authorization would become different.

What happens with this setup is that a request from 10.2.1.1 is rejected 
even if the user supplies the right password.

I then reversed the order of records in radgroupcheck. What happened 
was that the requests coming from 10.1.1.1 were rejected. (The 
NAS-IP-Address that matches the group with the lowest id was accepted, 
and the other rejected.)

Also, even if I did that, the reply-items from the group with the lowest 
id in radgroupreply were returned, as long as the user and group are 
coupled in usergroup.

I have been playing along with this for a while and I can't see that 
this makes sense in any way. I have also changed the ordering in 
radgroupreply and tried different priorities.

The questions remaining are:

1. Can I populate the database differently so that the server does what 
I want?

2. Is there a way to rewrite the queries in sql.conf so the server does 
what I want?

3. Am I completely missing the point of having groups in RADIUS?


What I want from rlm_sql is (this should probably be a bit refined):

1. check if user check-items match, add the reply-items.
2. if they match, check each usergroup coupling, if there are any.
3. a. if the check-items of the group match, add the reply-items from
       radgroupreply.
    b. if the check-items of the group do not match, skip to next group,
       but do not reject unless no groups match, or a group explicitly
       says so.
4. if no group matches then Reject.


-- 
best regards
Nils Rønhovde
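As an added illustration, not part of the original post and not the algorithm rlm_sql actually runs, the following Python model evaluates the four desired steps over the rows shown in the post. It assumes that groups are visited in ascending usergroup priority, that reply items from every matching group are merged, and that Fall-Through is carried along as an ordinary reply item.

```python
"""Model of the per-group evaluation the post asks for (added example;
this is NOT rlm_sql's real query logic). Rows are the constructed
contents of the tables quoted in the post."""

RADCHECK = [("nar2", "Password", "==", "test")]
RADREPLY = [("nar2", "Fall-Through", "=", "Yes")]
USERGROUP = [("nar2", "core-en", 2), ("nar2", "access-en", 1)]
RADGROUPCHECK = [("core-en", "NAS-IP-Address", "==", "10.1.1.1"),
                 ("access-en", "NAS-IP-Address", "==", "10.2.1.1")]
RADGROUPREPLY = [("core-en", "Reply-Message", "=", "Core"),
                 ("access-en", "Reply-Message", "=", "Access")]


def check_items_match(items, request):
    """Every check item must hold against the request; only '==' is modelled."""
    for attr, op, value in items:
        if op != "==":
            raise ValueError(f"unsupported op {op!r}")
        if request.get(attr) != value:
            return False
    return True


def authorize(user, request):
    """Return ('Accept', reply_dict) or ('Reject', None) following steps 1-4."""
    # Step 1: the user's own check items (radcheck) must match.
    user_checks = [(a, o, v) for u, a, o, v in RADCHECK if u == user]
    if not user_checks or not check_items_match(user_checks, request):
        return "Reject", None
    reply = {a: v for u, a, o, v in RADREPLY if u == user}
    # Step 2: walk the usergroup couplings, lowest priority value first
    # (assumption: the post does not say which direction priority sorts).
    groups = sorted((p, g) for u, g, p in USERGROUP if u == user)
    matched = False
    for _, group in groups:
        group_checks = [(a, o, v) for g, a, o, v in RADGROUPCHECK if g == group]
        if check_items_match(group_checks, request):   # Step 3a: add group replies
            matched = True
            reply.update({a: v for g, a, o, v in RADGROUPREPLY if g == group})
        # Step 3b: a non-matching group is simply skipped, never a reject.
    if groups and not matched:                         # Step 4: no group matched
        return "Reject", None
    return "Accept", reply
```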