Restricting dialup users to certain client definitions only
Todd R.
tjrlist at lightwavetech.com
Tue Dec 23 07:18:39 CET 2008
>>>>>>>>>>>>>>>>>>>>>>>>>>
Subject: Re: Restricting dialup users to certain client definitions only
>Can't post now but, yes I do see the groups table being queried
Is there something else in the group entry that doesn't match?
Ivan Kalik
Kalik Informatika ISP
>>>>>>>>>>>>>>>>>>>>>>>>>>>
OK, took me a while but here is the SQL dump and the debug output. One thing
that's interesting is that I only seem to get my reply attributes from the
radgroupreply table when I am coming from the allowed Client-IP-Address;
when coming from any other IP I still get an Accept but I get no reply
attributes. So, FR seems to know the difference but I guess I am just not
sending the reject or something?
Thanks in advance!
Todd R.
Here is the MySQL output:
mysql> select * from radcheck;
+----+----------+--------------------+----+----------+
| id | username | attribute          | op | value    |
+----+----------+--------------------+----+----------+
|  9 | testuser | Cleartext-Password | := | testpass |
+----+----------+--------------------+----+----------+
mysql> select * from radgroupcheck;
+----+------------------+-------------------+----+----------------+
| id | groupname        | attribute         | op | value          |
+----+------------------+-------------------+----+----------------+
|  0 | dialusers        | Client-IP-Address | == | 66.221.123.122 |
|  3 | dialusers-suspnd | Auth-Type         | := | Reject         |
+----+------------------+-------------------+----+----------------+
mysql> select * from radusergroup;
+----------------+------------------+----------+
| username       | groupname        | priority |
+----------------+------------------+----------+
| blahsampleuser | dialusers-suspnd |        1 |
| testuser       | dialusers        |        1 |
+----------------+------------------+----------+
mysql> select * from radgroupreply;
+----+------------------+-----------------+----+--------------------------+
| id | groupname        | attribute       | op | value                    |
+----+------------------+-----------------+----+--------------------------+
|  1 | dialusers        | Framed-Protocol | =  | PPP                      |
|  9 | dialusers        | Idle-Timeout    | =  | 900                      |
| 10 | dialusers-suspnd | Reply-Message   | =  | Dialup account suspended |
+----+------------------+-----------------+----+--------------------------+
Here is the debug:
#######################################################
rad_recv: Access-Request packet from host 66.221.123.134 port 49794, id=2, length=60
User-Name = "testuser at myrealm.com"
User-Password = "testpass"
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] Looking up realm "myrealm.com" for User-Name = "testuser at myrealm.com"
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "testuser"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[sql] expand: %{Stripped-User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'testuser' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dialusers' ORDER BY id
[sql] expand: %{Client-IP-Address} -> 66.221.123.134
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "testpass"
[pap] Using clear text password "testpass"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [testuser at myrealm.com] (from client ToddHome port 0)
+- entering group post-auth {...}
[sql] expand: %{Stripped-User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
[sql] expand: %{User-Password} -> testpass
[sql] expand: INSERT INTO radpostauth (username, pass, reply, rejectreason, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%{Module-Failure-Message}-%{reply:Reply-Message}', '%S') -> INSERT INTO radpostauth (username, pass, reply, rejectreason, authdate) VALUES ( 'testuser at myrealm.com', 'testpass', 'Access-Accept', '-', '2008-12-23 00:01:00')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, rejectreason, authdate) VALUES ( 'testuser at myrealm.com', 'testpass', 'Access-Accept', '-', '2008-12-23 00:01:00')
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 2 to 66.221.123.134 port 49794
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 2 with timestamp +33
Ready to process requests.
###################################################################################
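The behaviour in the debug output (Access-Accept from 66.221.123.134, but no group reply attributes) follows from how rlm_sql treats check items: a comparison operator such as `==` in radgroupcheck decides whether the group applies to the request, and a mismatch only means the group is skipped; nothing in that step rejects the request. The following model, added here as an illustration and not code from this thread or from FreeRADIUS, replays the posted tables (copied as constructed in-memory rows) through that rule for the two client addresses and for the suspended user. The request fields, the `access_request()` helper and the packet-type strings are assumptions made for the model.

```python
"""Model of the rlm_sql group-check logic behind the debug output above.

Added example (not code from the thread or from FreeRADIUS): the posted SQL
tables are replayed as constructed in-memory rows under the documented
rlm_sql rules for check items, to show why a request from a non-matching
Client-IP-Address still gets an Access-Accept, just without the group's
reply attributes.
"""

# Constructed copies of the tables posted in the thread.
RADCHECK = [
    ("testuser", "Cleartext-Password", ":=", "testpass"),
]
RADUSERGROUP = [
    ("blahsampleuser", "dialusers-suspnd", 1),
    ("testuser", "dialusers", 1),
]
RADGROUPCHECK = [
    ("dialusers", "Client-IP-Address", "==", "66.221.123.122"),
    ("dialusers-suspnd", "Auth-Type", ":=", "Reject"),
]
RADGROUPREPLY = [
    ("dialusers", "Framed-Protocol", "=", "PPP"),
    ("dialusers", "Idle-Timeout", "=", "900"),
    ("dialusers-suspnd", "Reply-Message", "=", "Dialup account suspended"),
]


def apply_check_items(items, request, control):
    """Evaluate a list of (attribute, op, value) check items.

    Comparison operators (==, !=) are tested against the request; one failure
    means the whole list does not match and nothing from it is applied.
    Assignment operators (:=, =) never fail: they set "control" items that
    later stages (pap, the Auth-Type short-circuit) consume.
    Returns True when every comparison matched.
    """
    assignments = []
    for attr, op, value in items:
        if op == "==":
            if request.get(attr) != value:
                return False
        elif op == "!=":
            if request.get(attr) == value:
                return False
        elif op in (":=", "="):
            assignments.append((attr, op, value))
        else:
            raise ValueError(f"operator {op!r} not modelled")
    for attr, op, value in assignments:
        if op == ":=" or attr not in control:  # '=' only sets if absent
            control[attr] = value
    return True


def authorize(request):
    """Replay the authorize stage of rlm_sql for one Access-Request.

    Returns (control items, reply items, names of groups that applied).
    """
    user = request["Stripped-User-Name"]
    control, reply, matched = {}, {}, []
    # 1. radcheck: the user's own check items.
    own = [(a, o, v) for u, a, o, v in RADCHECK if u == user]
    apply_check_items(own, request, control)
    # 2. radusergroup in priority order; each group's radgroupcheck gate
    #    decides whether its radgroupreply rows are added.
    groups = sorted((p, g) for u, g, p in RADUSERGROUP if u == user)
    for _, group in groups:
        items = [(a, o, v) for g, a, o, v in RADGROUPCHECK if g == group]
        if not apply_check_items(items, request, control):
            continue  # group does not apply; the request is NOT rejected here
        matched.append(group)
        for g, a, _, v in RADGROUPREPLY:
            if g == group:
                reply[a] = v
    return control, reply, matched


def authenticate(request):
    """Authorize, then model pap and the Auth-Type := Reject short-circuit."""
    control, reply, matched = authorize(request)
    if control.get("Auth-Type") == "Reject":
        return "Access-Reject", reply, matched
    if request.get("User-Password") == control.get("Cleartext-Password"):
        return "Access-Accept", reply, matched
    return "Access-Reject", {}, matched


def access_request(user, password, client_ip):
    """Request list as it looks after the suffix module ran (assumed shape)."""
    return {"User-Name": f"{user}@myrealm.com", "Stripped-User-Name": user,
            "User-Password": password, "Client-IP-Address": client_ip}


if __name__ == "__main__":
    for ip in ("66.221.123.134", "66.221.123.122"):
        print(ip, authenticate(access_request("testuser", "testpass", ip)))
    print(authenticate(access_request("blahsampleuser", "x", "66.221.123.122")))
```

Run as-is, the first line reproduces the posted debug session: `Access-Accept` with an empty reply list and no group matched, because the `==` check on Client-IP-Address failed and the `dialusers` group was simply skipped. The second line shows the same user from the allowed address receiving `Framed-Protocol` and `Idle-Timeout`. The suspended user is rejected only because its group carries `Auth-Type := Reject` as an assignment; a failed comparison on its own never produces that outcome.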