Huntgroups and SQL not being enforced
mikoi
mika.koivisto at logica.com
Tue Aug 18 09:28:36 CEST 2009
Hello.
I need some help to debug my configuration of Huntgroups in SQL and why they
are not being enforced.
Probably missing something obvious here. I've been staring myself blind with
this problem.
User gets Access-Accept although NAS-IP-Address is not a match.
Here is the setup:
Freeradius 2.1.6, MySQL.
Tables in MySQL:
RADCHECK:
mysql> select * from radcheck;
+----+--------------+--------------------+----+----------+
| id | username     | attribute          | op | value    |
+----+--------------+--------------------+----+----------+
| 33 | testuser     | Cleartext-Password | := | testuser |
+----+--------------+--------------------+----+----------+
USERGROUP:
mysql> select * from usergroup;
+--------------+-----------+----------+
| UserName     | GroupName | priority |
+--------------+-----------+----------+
| testuser     | VPN-AUTH  |        0 |
+--------------+-----------+----------+
RADGROUPCHECK:
mysql> select * from radgroupcheck;
+----+-----------+----------------+----+-------------+
| id | groupname | attribute      | op | value       |
+----+-----------+----------------+----+-------------+
|  8 | VPN-AUTH  | Huntgroup-Name | == | VPN-Service |
+----+-----------+----------------+----+-------------+
RADHUNTGROUP:
mysql> select * from radhuntgroup;
+----+-------------+--------------+-----------+
| id | groupname   | nasipaddress | nasportid |
+----+-------------+--------------+-----------+
|  6 | VPN-Service | 10.10.10.10  |      NULL |
+----+-------------+--------------+-----------+
sites-enabled/default, in the authorize section:

	# SQL query huntgroups
	update request {
		Huntgroup-Name := "%{sql:select groupname from radhuntgroup where nasipaddress=\"%{NAS-IP-Address}\"}"
	}
Debug with correct NAS-IP-Address:
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=20,
length=54
User-Name = "testuser"
User-Password = "testuser"
NAS-IP-Address = 10.10.10.10
+- entering group authorize {...}
++[preprocess] returns ok
sql_xlat
expand: %{User-Name} -> testuser
sql_set_user escaped user --> 'testuser'
expand: select groupname from radhuntgroup where
nasipaddress="%{NAS-IP-Address}" -> select groupname from radhuntgroup where
nasipaddress="10.10.10.10"
rlm_sql (sql): Reserving sql socket id: 3
sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
expand: %{sql:select groupname from radhuntgroup where
nasipaddress="%{NAS-IP-Address}"} -> VPN-Service
++[request] returns ok
sql_xlat
expand: %{User-Name} -> testuser
sql_set_user escaped user --> 'testuser'
expand: select authserver from authmethod where username
="%{User-Name}" -> select authserver from authmethod where username
="testuser"
rlm_sql (sql): Reserving sql socket id: 2
sql_xlat finished
rlm_sql (sql): Released sql socket id: 2
expand: %{sql:select authserver from authmethod where username
="%{User-Name}"} -> LOCAL
++[control] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'testuser' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'testuser' ORDER BY id
[sql] expand: SELECT groupname FROM usergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM usergroup WHERE username = 'testuser'
ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'VPN-AUTH' ORDER BY
id
[sql] User found in group VPN-AUTH
[sql] expand: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = 'VPN-AUTH' ORDER BY
id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "testuser"
[pap] Using clear text password "testuser"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
[sql] expand: %{User-Password} -> testuser
[sql] expand: INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'testuser', 'testuser',
'Access-Accept', '2009-08-17 16:15:17')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'testuser', 'testuser',
'Access-Accept', '2009-08-17 16:15:17')
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 20 to x.x.x.x port 1812
Finished request 0.
Debug from Wrong NAS-IP-Address:
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=26,
length=54
User-Name = "testuser"
User-Password = "testuser"
NAS-IP-Address = 10.10.10.11
+- entering group authorize {...}
++[preprocess] returns ok
sql_xlat
expand: %{User-Name} -> testuser
sql_set_user escaped user --> 'testuser'
expand: select groupname from radhuntgroup where
nasipaddress="%{NAS-IP-Address}" -> select groupname from radhuntgroup where
nasipaddress="10.10.10.11"
rlm_sql (sql): Reserving sql socket id: 3
SQL query did not return any results
rlm_sql (sql): Released sql socket id: 3
expand: %{sql:select groupname from radhuntgroup where
nasipaddress="%{NAS-IP-Address}"} ->
++[request] returns ok
sql_xlat
expand: %{User-Name} -> testuser
sql_set_user escaped user --> 'testuser'
expand: select authserver from authmethod where username
="%{User-Name}" -> select authserver from authmethod where username
="testuser"
rlm_sql (sql): Reserving sql socket id: 2
sql_xlat finished
rlm_sql (sql): Released sql socket id: 2
expand: %{sql:select authserver from authmethod where username
="%{User-Name}"} -> LOCAL
++[control] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'testuser' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'testuser' ORDER BY id
[sql] expand: SELECT groupname FROM usergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM usergroup WHERE username = 'testuser'
ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'VPN-AUTH' ORDER BY
id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "testuser"
[pap] Using clear text password "testuser"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
[sql] expand: %{User-Password} -> testuser
[sql] expand: INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'testuser', 'testuser',
'Access-Accept', '2009-08-17 16:18:58')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'testuser', 'testuser',
'Access-Accept', '2009-08-17 16:18:58')
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 26 to x.x.x.x port 1812
Finished request 0.
--
View this message in context: http://www.nabble.com/Huntgroups-and-SQL-not-being-enforced-tp25019815p25019815.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
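Added example, not part of the original post. The two debug runs above differ in one line: with the right NAS-IP-Address rlm_sql logs "User found in group VPN-AUTH", with the wrong one it does not, yet "++[sql] returns ok" either way, because the user had already been found in radcheck and pap took Cleartext-Password from there. In FreeRADIUS 2.x a radgroupcheck row that fails to match only means that group's check and reply items are not applied; it never rejects on its own. One way to make the huntgroup an enforced condition is a fall-back group whose only check item is Auth-Type := Reject. The statements below keep the poster's table names (usergroup rather than the 2.x default radusergroup); the group name VPN-REJECT and the priority value 1 are this example's own choices.

```sql
-- Added example (not from the original post): enforce the huntgroup by making
-- the authorization outcome depend on the group match.  Assumes the stock
-- FreeRADIUS 2.x MySQL schema with the poster's table names (usergroup,
-- radgroupcheck, radhuntgroup).  VPN-REJECT and priority 1 are assumptions.

-- The existing VPN-AUTH group stays exactly as shown in the post:
--   radgroupcheck: VPN-AUTH  Huntgroup-Name == VPN-Service
--   usergroup:     testuser  VPN-AUTH  priority 0
-- rlm_sql applies a group only when every radgroupcheck row for it matches
-- the request; on a match the check items are moved to the control list.

-- Fall-back group with a higher priority number.  rlm_sql walks the user's
-- groups in ascending priority and stops after the first group whose check
-- items match (unless that group's reply items carry Fall-Through = Yes).
-- If VPN-AUTH matched, VPN-REJECT is never evaluated; if it did not, this
-- group is evaluated next.
INSERT INTO usergroup (UserName, GroupName, priority)
VALUES ('testuser', 'VPN-REJECT', 1);

-- Auth-Type is a "server" check item: paircompare never compares it against
-- the request, so a group whose only check row is Auth-Type := Reject always
-- matches, and Reject becomes the control Auth-Type.  The request is then
-- rejected even though radcheck still holds a usable Cleartext-Password.
INSERT INTO radgroupcheck (groupname, attribute, op, value)
VALUES ('VPN-REJECT', 'Auth-Type', ':=', 'Reject');

-- Check: the check items in the order rlm_sql will evaluate them for testuser.
SELECT ug.priority, ug.GroupName, gc.attribute, gc.op, gc.value
  FROM usergroup ug
  JOIN radgroupcheck gc ON gc.groupname = ug.GroupName
 WHERE ug.UserName = 'testuser'
 ORDER BY ug.priority, gc.id;
```

With these rows in place the wrong-NAS debug run should show "User found in group VPN-REJECT" instead of "User found in group VPN-AUTH", and the server should send an Access-Reject. Two caveats: the reject group must have the highest priority number of the user's groups, since it matches unconditionally once reached, and any radgroupreply row that sets Fall-Through = Yes on an earlier group will let processing continue into it. If per-user restriction is preferred over groups, the same comparison applies to radcheck: a row `Huntgroup-Name == VPN-Service` for testuser is compared against the request alongside Cleartext-Password, and "User found in radcheck table" is only logged when all of the user's check rows match.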