FR not honoring AutzType
Phil Mayers
p.mayers at imperial.ac.uk
Thu Feb 1 02:11:52 CET 2007
Sam Schultz wrote:
> radiusd.conf, authorize block:
>
> Autz-Type SQL-BOGUS {
> sql-bogus
> }
>
>
>
> radiusd.conf, authenticate block:
>
> Auth-Type SQL-BOGUS {
> sql-bogus
> }
>
Both of these are incomplete.
The latter is almost certainly not valid - rlm_sql doesn't have an
"authenticate" handler, so can't sensibly run during the "authenticate"
block. You need to add config items e.g. User-Password to the request
and run a different module e.g. PAP, mschap to run the authentication.
>
>
> hints:
>
> DEFAULT Prefix == "BOGUS\", Strip-User-Name = Yes
> Hint = "MIE Login",
> Service-Type = Framed-User,
> Autz-Type := SQL-BOGUS,
> Auth-Type := SQL-BOGUS
Both wrong. Autz-Type and Auth-Type are config items and therefore
get set on the first line of a "users" entry. Since this is a "hints"
file you've added them to the request items here (which is meaningless).
You also shouldn't set Auth-Type (and anyway are setting it to a
meaningless value, see above).
>
>
>
> users:
>
> DEFAULT Realm == "bogus", Autz-Type := SQL-BOGUS
This should work, but you've removed "files" from your "authorize"
section so it's not running - hence it breaks.
>
>
>
> mysql bogus realms' radcheck table:
>
> +----+----------+---------------+----+----------+
> | id | UserName | Attribute | op | Value |
> +----+----------+---------------+----+----------+
> | 6 | user | User-Password | == | password |
> | 7 | user | Auth-Type | := | Local |
> +----+----------+---------------+----+----------+
Don't use "==" for User-Password. Use :=
>
>
>
> radiusd -X -A (snippet 1, module instantiation):
> rlm_sql (sql-bogus): Driver rlm_sql_mysql (module rlm_sql_mysql)
> loaded and linked
> rlm_sql (sql-bogus): Attempting to connect to root at localhost:/radius
> rlm_sql (sql-bogus): starting 0
> rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #0
> rlm_sql (sql-bogus): Connected new DB handle, #0
> rlm_sql (sql-bogus): starting 1
> rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #1
> rlm_sql (sql-bogus): Connected new DB handle, #1
> rlm_sql (sql-bogus): starting 2
> rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #2
> rlm_sql (sql-bogus): Connected new DB handle, #2
> rlm_sql (sql-bogus): starting 3
> rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #3
> rlm_sql (sql-bogus): Connected new DB handle, #3
> rlm_sql (sql-bogus): starting 4
> rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #4
> rlm_sql (sql-bogus): Connected new DB handle, #4
> Module: Instantiated sql (sql-bogus)
>
>
>
> radiusd -X -A (snippet 2, module *NOT* getting used):
>
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> rlm_realm: Looking up realm "bogus" for User-Name = "bogus\user"
> rlm_realm: Found realm "bogus"
> rlm_realm: Adding Stripped-User-Name = "user"
> rlm_realm: Proxying request from user user to realm bogus
> rlm_realm: Adding Realm = "bogus"
> rlm_realm: Authentication realm is LOCAL.
> modcall[authorize]: module "ntdomain" returns noop for request 0
> rlm_eap: EAP packet type response id 0 length 15
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> modcall: leaving group authorize (returns updated) for request 0
Note, no: module "files"
...hence your entry in the "users" file is not being processed and as
discussed your entry in the "hints" file is formatted wrong.
>
>
>
> NOTE: My module order, and the fact that radius found the "bogus"
> realm means that there should be SQL auth lines appearing
> immediately after the "mschap returns noop" line. They don't show
> up, which means FR either wasn't seeing Autz-Type at that point, or
> some other module changed it.
I disagree. I think you've broken your configuration. The details you've
posted above are clearly incomplete so I can only guess. Please post
your actual, full configs - not extracts - and your actual full debug
output - not extracts.
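
The check made by eye in the reply above (no `module "files"` line inside the authorize group of the debug output) can be scripted. This is an added example, not part of the original message or of FreeRADIUS; the function names are hypothetical, the request 0 lines are copied from the debug snippet quoted in the thread, and the request 1 lines are constructed for contrast.

```python
import re
from collections import defaultdict

# Matches debug lines of the form quoted in the thread, e.g.
#   modcall[authorize]: module "preprocess" returns ok for request 0
MODCALL = re.compile(
    r'modcall\[(?P<section>[^\]]+)\]: module "(?P<module>[^"]+)" '
    r'returns (?P<rcode>\w+) for request (?P<req>\d+)'
)

def modules_run(debug_text):
    """Map (request id, section) -> ordered list of (module, return code)."""
    seen = defaultdict(list)
    for line in debug_text.splitlines():
        m = MODCALL.search(line)  # search() tolerates "> " quoting prefixes
        if m:
            key = (int(m["req"]), m["section"])
            seen[key].append((m["module"], m["rcode"]))
    return dict(seen)

def missing_modules(debug_text, section, expected):
    """For each request that entered `section`, list expected modules that never ran."""
    report = {}
    for (req, sec), calls in modules_run(debug_text).items():
        if sec == section:
            ran = {name for name, _ in calls}
            report[req] = [name for name in expected if name not in ran]
    return report

# Request 0: lines from the thread's "snippet 2". Request 1: constructed.
SAMPLE = '''\
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "ntdomain" returns noop for request 0
> modcall[authorize]: module "eap" returns updated for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> modcall: leaving group authorize (returns updated) for request 0
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
'''

if __name__ == "__main__":
    # The "users" entry can only set Autz-Type if "files" ran in authorize.
    for req, absent in sorted(missing_modules(SAMPLE, "authorize", ["files"]).items()):
        status = "never ran: " + ", ".join(absent) if absent else "all expected modules ran"
        print(f"request {req}: {status}")
```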