Checking NAS-Identifier in the radgroupcheck table

super_tomtom super_tomtom at hotmail.com
Thu Oct 2 10:36:29 CEST 2008


Ok... so, here is my DB structure :

Table radgroupcheck :
+----+-----------+----------------+----+-------+
| id | groupname | attribute      | op | value |
+----+-----------+----------------+----+-------+
|  4 | hotel1    | Auth-Type      | := | Local | 
|  5 | hotel1    | NAS-Identifier | == | LMS1  | 
+----+-----------+----------------+----+-------+

Table radusergroup :
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| user1    | hotel1    |        1 | 
+----------+-----------+----------+

Table radcheck:
+----+----------+--------------------+----+----------------------------------+
| id | username | attribute          | op | value                            |
+----+----------+--------------------+----+----------------------------------+
| 33 | user1    | Cleartext-Password | := | 5f4dcc3b5aa765d61d8327deb882cf99 |
+----+----------+--------------------+----+----------------------------------+

Now when I log in with user1 from a NAS identified by "LMS2", here is the
radius output :

rad_recv: Access-Request packet from host 127.0.0.1 port 32782, id=37, length=225
        Vendor-14559-Attr-8 = 0x312e302e3132
        User-Name = "user1"
        CHAP-Challenge = 0xdb7c1d07effaa75dc2a70e21957a6c16
        CHAP-Password = 0x003d1437701d38d34412b7379d215605df
        NAS-IP-Address = 10.101.0.1
        Service-Type = Login-User
        Framed-IP-Address = 10.101.101.1
        Calling-Station-Id = "00-1D-09-50-17-B2"
        Called-Station-Id = "00-1E-4F-DF-E2-58"
        NAS-Identifier = "LMS2"
        Acct-Session-Id = "48e484ab00000002"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 2
        WISPr-Logoff-URL = "http://10.101.0.1:3990/logoff"
        Message-Authenticator = 0x88ff270956703c81baa051c0bc3965fc
+- entering group authorize
++[preprocess] returns ok
  rlm_chap: Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
        expand: %{User-Name} -> user1
rlm_sql (sql): sql_set_user escaped user --> 'user1'
rlm_sql (sql): Reserving sql socket id: 2
        expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'user1'           ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'user1'           ORDER BY id
        expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'user1'           ORDER BY priority
        expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'hotel1'           ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
+- entering group CHAP
  rlm_chap: login attempt by "user1" with CHAP password
  rlm_chap: Using clear text password "5f4dcc3b5aa765d61d8327deb882cf99" for user user1 authentication.
  rlm_chap: chap user user1 authenticated succesfully
++[chap] returns ok
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 37 to 127.0.0.1 port 32782

Now as you can see, the radgroupcheck parameter NAS-Identifier == LMS1 did
not mismatch... why ?


super_tomtom wrote:
> 
> Hi !
> I am actually setting up a freeradius server that will manage
> authentication from different places (hotels actually).
> I am just a beginner toward that technology, and I have one problem :
> I need to create some accounts that can be enabled at different places:
> for example you have an account in a hotel in London, then you could use
> the same account in another hotel of the same chain in ... Madrid for
> example.
> But, you could not use this account in another hotel using the same
> solution (all my hotels will talk to the same freeradius server).
> ... I hope you understand my English, sorry about that...
> So here is the point: I need to check for each account in the radcheck
> table where the Access-Request comes from. As some of the NAS will
> get their IP dynamically from their ISP, I cannot use the NAS-IP-Address
> parameter, so I would like to use the NAS-Identifier.
> As some of my accounts could be active for requests coming from several
> NAS, I thought I could use the radgroupcheck table, in a way like that :
> 
> radgroupcheck table :
> groupname | attribute      | op | value
> myGroup   | NAS-Identifier | == | myNASName
> 
> This parameter works in the radcheck tables, if the request comes from a
> wrong NAS Identifier freeradius sends an Access-Reject, but in the
> radgroupcheck table, nothing happens ...
> 
> Does anyone have an idea about that ?
> Thanks !
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Checking-NAS-Identifier-in-the-radgroupcheck-table-tp19763949p19775361.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
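
An audit check for the situation shown in this message, added here as an example (it is not code from the post or from the FreeRADIUS project): it cross-checks accepted requests in `radiusd -X` style debug output against the `NAS-Identifier ==` items in `radgroupcheck` for the user's groups. The table rows are the ones in the post; the second request (id=38) is constructed for contrast, and the function names are hypothetical.

```python
import re
import sqlite3

# SCHEMA rows are copied from the post. DEBUG_LOG is an excerpt of the post's
# debug output (id=37) plus one constructed request (id=38) for contrast.
SCHEMA = """
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (id INTEGER, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
INSERT INTO radusergroup VALUES ('user1', 'hotel1', 1);
INSERT INTO radgroupcheck VALUES (4, 'hotel1', 'Auth-Type', ':=', 'Local'),
                                 (5, 'hotel1', 'NAS-Identifier', '==', 'LMS1');
"""
DEBUG_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 32782, id=37, length=225
        User-Name = "user1"
        NAS-Identifier = "LMS2"
Sending Access-Accept of id 37 to 127.0.0.1 port 32782
rad_recv: Access-Request packet from host 127.0.0.1 port 32782, id=38, length=225
        User-Name = "user1"
        NAS-Identifier = "LMS1"
Sending Access-Accept of id 38 to 127.0.0.1 port 32782
"""

def accepted_requests(log):
    """Yield (id, username, nas_identifier) for every request that got an Access-Accept."""
    requests, current = {}, None
    for line in log.splitlines():
        if m := re.match(r"rad_recv: Access-Request .*\bid=(\d+),", line):
            current = requests.setdefault(m.group(1), {})
        elif (m := re.match(r'\s+([\w-]+) = "(.*)"$', line)) and current is not None:
            current[m.group(1)] = m.group(2)   # quoted string attributes only
        elif m := re.match(r"Sending Access-Accept of id (\d+) ", line):
            req = requests.get(m.group(1), {})
            yield m.group(1), req.get("User-Name"), req.get("NAS-Identifier")

def nas_mismatches(db, log):
    """Accepted requests whose NAS-Identifier is listed in none of the user's groups."""
    query = """SELECT c.value FROM radusergroup g JOIN radgroupcheck c ON c.groupname = g.groupname
               WHERE g.username = ? AND c.attribute = 'NAS-Identifier' AND c.op = '=='"""
    findings = []
    for req_id, user, nas in accepted_requests(log):
        allowed = {row[0] for row in db.execute(query, (user,))}
        if allowed and nas not in allowed:   # users without a group restriction are skipped
            findings.append((req_id, user, nas, sorted(allowed)))
    return findings

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return nas_mismatches(db, DEBUG_LOG)
```

Calling `demo()` reports request 37 (user1 accepted from "LMS2" while the group lists only "LMS1") and leaves request 38 alone.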



