Huntgroups issue - every user is accepted
Hanno Schupp
hanno.schupp at gmail.com
Mon Jan 19 09:05:58 CET 2009
Dear All,
I am trying to implement huntgroups via MySQL according to
http://wiki.freeradius.org/SQL_Huntgroup_HOWTO. One difference is the
assignment of huntgroups not according to NAS-IP, but to Called-Station-Id.
The goal is to suppress roaming between hotspot routers, between groups of
hotspots.
For that purpose I have inserted the code
...
update request {
    Huntgroup-Name := "%{sql02:select groupname from radhuntgroup where calledstationid = '%{Called-Station-Id}'}"
}
...
in lieu of the module 'preprocess' into group 'authorize', as advised in the
HOWTO.
I have maintained the following entries in SQL tables:
`radhuntgroup`
`id`, `groupname`, `calledstationid`
1, 'Test-Rejec', '00-1D-7E-E7-96-9F'
`usergroup`
`UserName`, `GroupName`, `priority`
'yubvef13', 'TestGroup', 1
`radgroupcheck`
`id`, `GroupName`, `Attribute`, `op`, `Value`
1, 'TestGroup', 'Huntgroup-Name', ':=', 'Test'
One would expect the user to be rejected if the user tries to log in to the
router with the Called-Station-Id '00-1D-7E-E7-96-9F'. However, the user is
authenticated and not rejected.
Here are the relevant parts of the debug:
...
Mon Jan 19 20:57:03 2009 : Info: sql_xlat
Mon Jan 19 20:57:03 2009 : Debug: expand: %{User-Name} -> yubvef13
Mon Jan 19 20:57:03 2009 : Info: sql_set_user escaped user --> 'yubvef13'
Mon Jan 19 20:57:03 2009 : Debug: expand: select groupname from
radhuntgroup where calledstationid = '%{Called-Station-Id}' -> select
groupname from radhuntgroup where calledstationid = '00-1D-7E-E7-96-9F'
Mon Jan 19 20:57:03 2009 : Debug: expand:
/var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql
Mon Jan 19 20:57:03 2009 : Debug: rlm_sql (sql02): Reserving sql socket id:
3
Mon Jan 19 20:57:03 2009 : Debug: rlm_sql_mysql: query: select groupname
from radhuntgroup where calledstationid = '00-1D-7E-E7-96-9F'
Mon Jan 19 20:57:03 2009 : Info: sql_xlat finished
Mon Jan 19 20:57:03 2009 : Debug: rlm_sql (sql02): Released sql socket id: 3
Mon Jan 19 20:57:03 2009 : Debug: expand: %{sql02:select groupname
from radhuntgroup where calledstationid = '%{Called-Station-Id}'} ->
Test-Rejec
Mon Jan 19 20:57:03 2009 : Info: ++[request] returns notfound
Mon Jan 19 20:57:03 2009 : Info: ++[chap] returns noop
Mon Jan 19 20:57:03 2009 : Info: ++[mschap] returns noop
Mon Jan 19 20:57:03 2009 : Info: [suffix] No '@' in User-Name = "yubvef13",
looking up realm NULL
Mon Jan 19 20:57:03 2009 : Info: [suffix] No such realm "NULL"
Mon Jan 19 20:57:03 2009 : Info: ++[suffix] returns noop
Mon Jan 19 20:57:03 2009 : Info: [eap] No EAP-Message, not doing EAP
Mon Jan 19 20:57:03 2009 : Info: ++[eap] returns noop
Mon Jan 19 20:57:03 2009 : Info: ++- entering redundant-load-balance group
sql0203 {...}
Mon Jan 19 20:57:03 2009 : Debug: expand: %{User-Name} -> yubvef13
Mon Jan 19 20:57:03 2009 : Info: [sql02] sql_set_user escaped user -->
'yubvef13'
Mon Jan 19 20:57:03 2009 : Debug: rlm_sql (sql02): Reserving sql socket id:
2
Mon Jan 19 20:57:03 2009 : Debug: expand: SELECT id, username,
attribute, value, op FROM radcheck WHERE username =
BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
attribute, value, op FROM radcheck WHERE username =
BINARY 'yubvef13' ORDER BY id
Mon Jan 19 20:57:03 2009 : Debug: rlm_sql_mysql: query: SELECT id,
username, attribute, value, op FROM radcheck WHERE
username = BINARY 'yubvef13' ORDER BY id
Mon Jan 19 20:57:03 2009 : Info: [sql02] User found in radcheck table
Mon Jan 19 20:57:03 2009 : Debug: expand: SELECT id, username,
attribute, value, op FROM radreply WHERE username =
BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
attribute, value, op FROM radreply WHERE username =
BINARY 'yubvef13' ORDER BY id
Mon Jan 19 20:57:03 2009 : Debug: rlm_sql_mysql: query: SELECT id,
username, attribute, value, op FROM radreply WHERE
username = BINARY 'yubvef13' ORDER BY id
Mon Jan 19 20:57:03 2009 : Debug: expand: SELECT groupname
FROM usergroup WHERE username = BINARY '%{SQL-User-Name}'
ORDER BY priority -> SELECT groupname FROM usergroup
WHERE username = BINARY 'yubvef13' ORDER BY priority
Mon Jan 19 20:57:03 2009 : Debug: rlm_sql_mysql: query: SELECT groupname
FROM usergroup WHERE username = BINARY 'yubvef13' ORDER
BY priority
Mon Jan 19 20:57:03 2009 : Debug: expand: SELECT id, groupname,
attribute, Value, op FROM radgroupcheck WHERE
groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, Value, op FROM radgroupcheck WHERE
groupname = 'TestGroup' ORDER BY id
Mon Jan 19 20:57:03 2009 : Debug: rlm_sql_mysql: query: SELECT id,
groupname, attribute, Value, op FROM radgroupcheck
WHERE groupname = 'TestGroup' ORDER BY id
Mon Jan 19 20:57:03 2009 : Info: [sql02] User found in group TestGroup
Mon Jan 19 20:57:03 2009 : Debug: expand: SELECT id, groupname,
attribute, value, op FROM radgroupreply WHERE
groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, value, op FROM radgroupreply WHERE
groupname = 'TestGroup' ORDER BY id
Mon Jan 19 20:57:03 2009 : Debug: rlm_sql_mysql: query: SELECT id,
groupname, attribute, value, op FROM radgroupreply
WHERE groupname = 'TestGroup' ORDER BY id
Mon Jan 19 20:57:03 2009 : Debug: rlm_sql (sql02): Released sql socket id: 2
Mon Jan 19 20:57:03 2009 : Info: +++[sql02] returns ok
...
One thing I don't get is, why is the rlm_sql_mysql module finding the
Huntgroup-Name 'Test-Rejec' correctly, but module 'request' returns not
found? The user is found in radgroupcheck for the correct usergroup
'TestGroup'. As the values in radgroupcheck and radgroupreplycheck do not
match, the user should be rejected, but the user is accepted.
What am I doing wrong?
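
Added example (not part of the original post and not FreeRADIUS code): a simplified Python model of the documented check-item operator semantics, applied to the radgroupcheck row and the expanded Huntgroup-Name shown in the post. The function names and the row using '==' are constructed for illustration.

```python
import re

# Constructed from the post: the request after "update request" has run.
REQUEST = {
    "User-Name": "yubvef13",
    "Called-Station-Id": "00-1D-7E-E7-96-9F",
    "Huntgroup-Name": "Test-Rejec",
}
# radgroupcheck row as posted: (id, GroupName, Attribute, op, Value)
POSTED_ROWS = [(1, "TestGroup", "Huntgroup-Name", ":=", "Test")]
# Constructed variant: same row with a comparison operator instead.
COMPARE_ROWS = [(1, "TestGroup", "Huntgroup-Name", "==", "Test")]


def check_item_matches(request, attribute, op, value):
    """Evaluate one check item against the request attributes (simplified)."""
    if op in (":=", "+="):
        return True  # assignment operators always match as check items
    present = attribute in request
    if op == "=*":
        return present  # matches if the attribute exists, value ignored
    if op == "!*":
        return not present
    if not present:
        return False  # comparisons need the attribute in the request
    current = request[attribute]
    if op == "==":
        return current == value
    if op == "!=":
        return current != value
    if op == "=~":
        return re.search(value, current) is not None
    if op == "!~":
        return re.search(value, current) is None
    raise ValueError("operator not modelled: %r" % op)


def group_matches(request, rows, group):
    """A group applies only if every one of its check items matches."""
    items = [r for r in rows if r[1] == group]
    return all(check_item_matches(request, a, op, v) for _, _, a, op, v in items)


if __name__ == "__main__":
    print("as posted (:=):", group_matches(REQUEST, POSTED_ROWS, "TestGroup"))
    print("with ==       :", group_matches(REQUEST, COMPARE_ROWS, "TestGroup"))
```

With ':=' the group check item matches whatever Huntgroup-Name the request carries; only a comparison operator such as '==' makes the match depend on the value. Whether a non-matching group then leads to a reject depends on the rest of the policy.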