Huntgroups issue - every user is accepted
Alan DeKok
aland at deployingradius.com
Mon Jan 19 10:29:01 CET 2009
Hanno Schupp wrote:
> I am trying to implement huntgroups via MySQL according to
> http://wiki.freeradius.org/SQL_Huntgroup_HOWTO One difference is the
> assignment of huntgroups not according to NAS-IP, but to
> Called-Station-Id. The goal is to suppress roaming between hotspot
> routers, between groups of hotspots.
>
> For that purpose I have inserted the code
...
> In lieu of the module ‘preprocess’ into group ‘authorize’, as advised in
> the HOWTO.
You also seem to be over-riding that in the SQL tables:
> `radgroupcheck`
> `id`, `GroupName`, `Attribute`, `op`, `Value`
> 1, 'TestGroup', 'Huntgroup-Name', ':=', 'Test'
This sets the Huntgroup-Name to "Test".
> One would expect the user to be rejected if the user tries to log in to
> the router with the Called-Station-Id '00-1D-7E-E7-96-9F'. However, the
> user is authenticated and not rejected.
You did not configure the server to reject the user if he logs in with
that Called-Station-Id. You configured the server to put him in a
huntgroup if he logs in with that Called-Station-Id.
Did you configure the server to reject users in the "Test-Rejec"
huntgroup? It looks like you didn't.
> One thing I don’t get is, why is the rlm_sql_mysql module finding the
> Huntgroup-Name ‘Test-Rejec’ correctly, but module ‘request’ returns not
> found?
There are explanations for that...
> The user is found in radgroupcheck for the correct usergroup
> ‘TestGroup’. As the values in radgroupcheck and radgroupreplycheck do
> not match, the user should be rejected, but the user is accepted.
No. If the values in radgroupcheck do not match.... it means they do
not match.
You have *other* configurations that let the server authenticate the
request. You did *not* configure the server to reject the request if
it's in the "Test-Rejec" huntgroup.
Alan DeKok.
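
The distinction drawn in the reply above (a check item that assigns, a check item that compares, and a non-match that is not a reject), as an added example that is not part of the original message and is not FreeRADIUS code. It is a simplified Python model of the ':=' and '==' check-item operators; the user name, the "BlockedGroup" group and its Auth-Type := Reject row are assumptions constructed for illustration.

```python
# Simplified model of FreeRADIUS check-item operators; not FreeRADIUS source code.

def match_group(request, control, check_items):
    """Evaluate one group's check items, given as (attribute, op, value) tuples.

    '==' matches only if the request carries that attribute with that value.
    ':=' always matches and sets the attribute in the control list.
    Control items are applied only if every check item matched.
    """
    pending = {}
    for attr, op, value in check_items:
        if op == "==":
            if request.get(attr) != value:
                return False
        elif op == ":=":
            pending[attr] = value
        else:
            raise ValueError(f"operator {op!r} not modelled")
    control.update(pending)
    return True


def authorize(request, groups):
    """Walk the groups in order; reject only if a matching group says so."""
    control = {}
    matched = [name for name, items in groups if match_group(request, control, items)]
    verdict = "reject" if control.get("Auth-Type") == "Reject" else "continue"
    return verdict, matched, control


# Constructed request: the huntgroup value is the one quoted in the thread.
REQUEST = {"User-Name": "testuser", "Huntgroup-Name": "Test-Rejec"}

# Row from the thread: ':=' assigns, so it matches for any huntgroup.
AS_POSTED = [("TestGroup", [("Huntgroup-Name", ":=", "Test")])]
# Same row with '==': it no longer matches, but nothing rejects either.
COMPARED = [("TestGroup", [("Huntgroup-Name", "==", "Test")])]
# Assumed extra group (hypothetical name) carrying an explicit reject.
WITH_REJECT = COMPARED + [
    ("BlockedGroup", [("Huntgroup-Name", "==", "Test-Rejec"),
                      ("Auth-Type", ":=", "Reject")]),
]

if __name__ == "__main__":
    for label, groups in (("as posted", AS_POSTED), ("compared", COMPARED),
                          ("with reject", WITH_REJECT)):
        print(label, authorize(REQUEST, groups))
```
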