mysql radgroupcheck, deny access
Michael Bowe
mbowe at pipeline.com.au
Mon Oct 19 07:39:06 CEST 2009
I had some older Debian 4.0 (etch) servers, with freeradius v1.1.3 installed
from packages.
I then upgraded to Debian 5.0 (lenny), which comes with freeradius v2.0.4.
After upgrading I ran into some problems with my radgroupcheck rules.
In radgroupcheck, I have some rules to restrict which NAS users are allowed
to connect to.
Here's an example:
mysql> select * from radcheck where username = 'mbowe-test';
+-----+------------+----------------+----+-----------+
| id  | username   | attribute      | op | value     |
+-----+------------+----------------+----+-----------+
| 708 | mbowe-test | Crypt-Password | := | <SNIPPED> |
+-----+------------+----------------+----+-----------+
mysql> select * from radreply where username = 'mbowe-test';
Empty set (0.00 sec)
mysql> select * from radusergroup where username = 'mbowe-test';
+------------+----------------+----------+
| username   | groupname      | priority |
+------------+----------------+----------+
| mbowe-test | dialup-freedom |        1 |
+------------+----------------+----------+
mysql> select * from radgroupcheck where groupname = 'dialup-freedom';
+----+----------------+------------------+----+-----------------------------+
| id | groupname      | attribute        | op | value                       |
+----+----------------+------------------+----+-----------------------------+
|  3 | dialup-freedom | NAS-IP-Address   | !~ | ^111.222.333.(1|2|3|4|5|6)$ |
|  4 | dialup-freedom | Simultaneous-Use | := | 1                           |
+----+----------------+------------------+----+-----------------------------+
mysql> select * from radgroupreply where groupname = 'dialup-freedom';
+----+----------------+--------------------+----+---------------------+
| id | groupname      | attribute          | op | value               |
+----+----------------+--------------------+----+---------------------+
|  9 | dialup-freedom | Service-Type       | := | Framed-User         |
| 10 | dialup-freedom | Framed-Protocol    | := | PPP                 |
| 11 | dialup-freedom | Framed-IP-Address  | =  | 255.255.255.254     |
| 12 | dialup-freedom | Framed-IP-Netmask  | := | 255.255.255.255     |
| 13 | dialup-freedom | Framed-Compression | := | Van-Jacobson-TCP-IP |
| 14 | dialup-freedom | Idle-Timeout       | := | 1800                |
| 15 | dialup-freedom | Session-Timeout    | := | 14400               |
| 16 | dialup-freedom | Port-Limit         | := | 1                   |
+----+----------------+--------------------+----+---------------------+
Under the older freeradius, if the mbowe-test user tried to connect to a NAS
with IP 111.222.333.1|2|3|4|5|6 then their access would be rejected.
However under the newer freeradius, the user can now get online OK. (The
group doesn't match so the 'dialup-freedom' attributes are not returned)
In my sql.conf I have read_groups = yes
I tried installing the freeradius 2.1.7 from source, and it gives the same
result as the 2.0.4 from packages (user can get online).
Am I doing something wrong? Let me know if you would like me to paste some
debugs.
Michael.
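The following is an added illustration, not part of the original post and not FreeRADIUS or rlm_sql code: a small Python model of how the radgroupcheck rows above are evaluated as a group match. The data is copied from the tables in the post; the evaluator is a simplification (assignment operators such as `:=` are treated as control items that never fail a match, comparison operators such as `!~` and `=~` are tested against the request, groups are walked in priority order, and a `=` reply item only sets an attribute that nothing set earlier). It reproduces what the poster observes on 2.x: when the NAS-IP-Address check fails, the group simply does not match and none of its radgroupreply attributes are returned; nothing in these rows by itself produces a reject. It also shows a caveat of the pattern as written: the dots in `^111.222.333.(1|2|3|4|5|6)$` are unescaped and so match any character, while the `^`/`$` anchors still stop `111.222.333.16` from matching.

```python
import re

# Constructed sample data, copied from the radusergroup / radgroupcheck /
# radgroupreply tables shown in the post (not read from a live database).
RADUSERGROUP = [
    {"username": "mbowe-test", "groupname": "dialup-freedom", "priority": 1},
]
RADGROUPCHECK = [
    {"groupname": "dialup-freedom", "attribute": "NAS-IP-Address",
     "op": "!~", "value": r"^111.222.333.(1|2|3|4|5|6)$"},
    {"groupname": "dialup-freedom", "attribute": "Simultaneous-Use",
     "op": ":=", "value": "1"},
]
RADGROUPREPLY = [
    {"groupname": "dialup-freedom", "attribute": "Service-Type", "op": ":=", "value": "Framed-User"},
    {"groupname": "dialup-freedom", "attribute": "Framed-Protocol", "op": ":=", "value": "PPP"},
    {"groupname": "dialup-freedom", "attribute": "Framed-IP-Address", "op": "=", "value": "255.255.255.254"},
    {"groupname": "dialup-freedom", "attribute": "Framed-IP-Netmask", "op": ":=", "value": "255.255.255.255"},
    {"groupname": "dialup-freedom", "attribute": "Session-Timeout", "op": ":=", "value": "14400"},
]

# Comparison operators tested against the incoming request attribute.
COMPARISON_OPS = {
    "==": lambda actual, want: actual == want,
    "!=": lambda actual, want: actual != want,
    "=~": lambda actual, want: re.search(want, actual) is not None,
    "!~": lambda actual, want: re.search(want, actual) is None,
    "<":  lambda actual, want: int(actual) < int(want),
    "<=": lambda actual, want: int(actual) <= int(want),
    ">":  lambda actual, want: int(actual) > int(want),
    ">=": lambda actual, want: int(actual) >= int(want),
}


def check_item_matches(request, attribute, op, value):
    """Evaluate one radgroupcheck row against the request (simplified model).

    Assignment operators (:=, =, +=) describe control items such as
    Simultaneous-Use and never fail the match. Comparison operators test
    the request attribute; a request that lacks the attribute never matches.
    """
    if op in (":=", "=", "+="):
        return True
    if attribute not in request:
        return False
    return COMPARISON_OPS[op](request[attribute], value)


def group_matches(request, groupname):
    """A group matches only if every one of its check items matches."""
    checks = [c for c in RADGROUPCHECK if c["groupname"] == groupname]
    return all(check_item_matches(request, c["attribute"], c["op"], c["value"])
               for c in checks)


def apply_reply_items(reply, items):
    """Merge reply items: '=' keeps an existing value, ':=' overwrites it."""
    for item in items:
        if item["op"] == "=" and item["attribute"] in reply:
            continue
        reply[item["attribute"]] = item["value"]
    return reply


def authorize(request, username):
    """Walk the user's groups by priority; return (matched groups, reply attrs).

    A group whose checks fail contributes nothing; this model produces no
    reject on its own, which is the 2.x behaviour the poster describes.
    """
    matched, reply = [], {}
    groups = sorted((g for g in RADUSERGROUP if g["username"] == username),
                    key=lambda g: g["priority"])
    for g in groups:
        if group_matches(request, g["groupname"]):
            matched.append(g["groupname"])
            apply_reply_items(reply, [r for r in RADGROUPREPLY
                                      if r["groupname"] == g["groupname"]])
    return matched, reply


if __name__ == "__main__":
    # Constructed requests: one from a blocked NAS, one from an allowed NAS.
    for nas in ("111.222.333.3", "10.0.0.1"):
        groups, reply = authorize({"NAS-IP-Address": nas}, "mbowe-test")
        print(nas, "->", groups or "no group matched", reply)
```

Run it as a script to see the blocked NAS yield no matched group and an empty reply, while a NAS outside the pattern yields the full dialup-freedom reply set. Whether a non-matching group should lead to an Access-Reject is decided by the server configuration outside these tables, which the post does not show, so the model stops at the match result.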