FR not honoring AutzType
Sam Schultz
segfault90 at hushmail.com
Wed Jan 31 22:12:59 CET 2007
I've been trying to set up FR in a realm-based configuration using
only LOCAL realms that are passed to different MySQL tables via
different instances. This setup, like several previous questions
posted to this list for similar setups, requires conditional
branching. The solution as suggested in those posts was to use an
Autz-Type block within the authorize block, and an Auth-Type block
within the authenticate block to use appropriate module instances
for the given realm. The problem I am having is that no matter what
I set Autz-Type to, or where I set it, FR doesn't seem to honor it.
I've tried putting it in hints entries, user entries, and realm
entries; all suggestions that had been posted in response to
similar issues. Another problem that compounds this one is that
different posters refer to Autz-Type differently: autztype,
AutzType, & Autz-Type. Is the difference significant, or is this
one of those cases where they ALL are valid, but do exactly the
same thing?
I would have thought there would be some way to use the Realm
variable that rlm_realm strips from the User-Name attribute
directly within the authorize & authenticate blocks, but it appears
the most straightforward way of doing so, a block like 'realm bogus
{}', causes FR to mistake the block for another module instance
definition.
Any insights anyone may have on this would be appreciated.
Following are the relevant configuration & output segments:
radiusd.conf, authorize block:
    Autz-Type SQL-BOGUS {
        sql-bogus
    }
radiusd.conf, authenticate block:
    Auth-Type SQL-BOGUS {
        sql-bogus
    }
hints:
    DEFAULT Prefix == "BOGUS\", Strip-User-Name = Yes
            Hint = "MIE Login",
            Service-Type = Framed-User,
            Autz-Type := SQL-BOGUS,
            Auth-Type := SQL-BOGUS
users:
    DEFAULT Realm == "bogus", Autz-Type := SQL-BOGUS
mysql, the bogus realm's radcheck table:
+----+----------+---------------+----+----------+
| id | UserName | Attribute | op | Value |
+----+----------+---------------+----+----------+
| 6 | user | User-Password | == | password |
| 7 | user | Auth-Type | := | Local |
+----+----------+---------------+----+----------+
radiusd -X -A (snippet 1, module instantiation):
rlm_sql (sql-bogus): Driver rlm_sql_mysql (module rlm_sql_mysql)
loaded and linked
rlm_sql (sql-bogus): Attempting to connect to root at localhost:/radius
rlm_sql (sql-bogus): starting 0
rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #0
rlm_sql (sql-bogus): Connected new DB handle, #0
rlm_sql (sql-bogus): starting 1
rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #1
rlm_sql (sql-bogus): Connected new DB handle, #1
rlm_sql (sql-bogus): starting 2
rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #2
rlm_sql (sql-bogus): Connected new DB handle, #2
rlm_sql (sql-bogus): starting 3
rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #3
rlm_sql (sql-bogus): Connected new DB handle, #3
rlm_sql (sql-bogus): starting 4
rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #4
rlm_sql (sql-bogus): Connected new DB handle, #4
Module: Instantiated sql (sql-bogus)
radiusd -X -A (snippet 2, module *NOT* getting used):
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_realm: Looking up realm "bogus" for User-Name = "bogus\user"
rlm_realm: Found realm "bogus"
rlm_realm: Adding Stripped-User-Name = "user"
rlm_realm: Proxying request from user user to realm bogus
rlm_realm: Adding Realm = "bogus"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "ntdomain" returns noop for request 0
rlm_eap: EAP packet type response id 0 length 15
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
NOTE: My module order, and the fact that radius found the "bogus"
realm means that there should be SQL auth lines appearing
immediately after the "mschap returns noop" line. They don't show
up, which means FR either wasn't seeing Autz-Type at that point, or
some other module changed it.
Concerned about your privacy? Instantly send FREE secure email, no
account required
http://www.hushmail.com/send?l=480
Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485
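Added example (an editor's addition, not part of the post above and not the configuration shipped by the FreeRADIUS project): one way to wire the per-realm dispatch the post is after, written against FreeRADIUS 1.x. It rests on two assumptions about 1.x that the post does not state and that should be checked against the running version: first, that Autz-Type and Auth-Type only take effect as check items, i.e. when set on the first line of a matching users entry by the files module, which therefore has to be listed in authorize after the realm instance so that Realm already exists when the entry is evaluated (items on the indented reply lines of a hints entry are added to the request, not to the check items); second, that an Autz-Type NAME { } sub-section runs once the ordinary authorize modules have finished, not at the position where it appears in the list. The instance name sql-bogus and the realm bogus are the post's; the "other" realm, the sql-other instance, the database names, credentials and query strings are made up for illustration, and the rlm_sql keys shown are the minimum the writer believes rlm_sql 1.x needs for authorize (compare with the sql.conf of your version). The SQL instances only load check and reply items; with Auth-Type := Local coming from the realm's radcheck table, as in the post, the server compares User-Password itself, so no SQL instance is listed in authenticate.

```text
# radiusd.conf (FreeRADIUS 1.x) -- added example, not the post's config.
# preprocess, eap, chap, mschap and pap are defined as in the default
# radiusd.conf and are omitted here.
modules {
    # one rlm_sql instance per LOCAL realm, each on its own database
    sql sql-bogus {
        driver = "rlm_sql_mysql"
        server = "localhost"
        login = "radius"
        password = "changeme"
        radius_db = "radius_bogus"
        authcheck_table = "radcheck"
        authreply_table = "radreply"
        # rlm_realm has already stripped the "bogus\" prefix
        sql_user_name = "%{Stripped-User-Name:-%{User-Name}}"
        authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
            FROM ${authcheck_table} WHERE UserName = '%{SQL-User-Name}' \
            ORDER BY id"
        authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
            FROM ${authreply_table} WHERE UserName = '%{SQL-User-Name}' \
            ORDER BY id"
    }
    sql sql-other {
        driver = "rlm_sql_mysql"
        server = "localhost"
        login = "radius"
        password = "changeme"
        radius_db = "radius_other"
        authcheck_table = "radcheck"
        authreply_table = "radreply"
        sql_user_name = "%{Stripped-User-Name:-%{User-Name}}"
        authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
            FROM ${authcheck_table} WHERE UserName = '%{SQL-User-Name}' \
            ORDER BY id"
        authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
            FROM ${authreply_table} WHERE UserName = '%{SQL-User-Name}' \
            ORDER BY id"
    }
    # reads the users file; this is the module that sets Autz-Type
    files {
        usersfile = ${confdir}/users
    }
    # splits "bogus\user" into Realm = "bogus", Stripped-User-Name = "user"
    realm ntdomain {
        format = prefix
        delimiter = "\\"
    }
}

authorize {
    preprocess
    ntdomain
    # files must come after ntdomain: the Realm check below needs the
    # Realm attribute that ntdomain adds
    files
    eap
    chap
    mschap
    # selected by the Autz-Type check item that files sets; run after the
    # modules above have finished, not at this position in the list
    Autz-Type SQL-BOGUS {
        sql-bogus
    }
    Autz-Type SQL-OTHER {
        sql-other
    }
}

authenticate {
    # Auth-Type := Local from radcheck needs no section here; the
    # sections below cover the other authentication types in use
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}

# users -- one entry per LOCAL realm.  Autz-Type goes on the first line,
# next to the Realm check, not on an indented reply line.
DEFAULT Realm == "bogus", Autz-Type := SQL-BOGUS
DEFAULT Realm == "other", Autz-Type := SQL-OTHER

# proxy.conf -- both realms are LOCAL, so rlm_realm strips the prefix
# and tags the request instead of proxying it
realm bogus {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
}
realm other {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
}
```

With this layout a debug run (radiusd -X) should show the files module returning ok for a "bogus\user" login, followed, after the last module of the authorize list, by the sql-bogus query lines; if files returns noop, the Realm check did not match and the SQL instance will not be consulted at all.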