mysql radgroupcheck, deny access

Ivan Kalik tnt at kalik.net
Mon Oct 19 11:15:50 CEST 2009


> I had some older Debian 4.0 (etch) servers, with freeradius v1.1.3
> installed from packages.
>
> I then upgraded to Debian 5.0 (lenny), which comes with freeradius v2.0.4
>
> After upgrading I ran into some problems with my radgroupcheck rules.
>
> In radgroupcheck, I have some rules to restrict which NAS users are
> allowed to connect to.
>
> Here's an example :
>
>
> mysql> select * from radcheck where username = 'mbowe-test';
> +------+------------+----------------+----+-----------+
> | id   | username   | attribute      | op | value     |
> +------+------------+----------------+----+-----------+
> |  708 | mbowe-test | Crypt-Password | := | <SNIPPED> |
> +------+------------+----------------+----+-----------+
>
>
> mysql> select * from radreply where username = 'mbowe-test';
> Empty set (0.00 sec)
>
>
> mysql> select * from radusergroup where username = 'mbowe-test';
> +------------+----------------+----------+
> | username   | groupname      | priority |
> +------------+----------------+----------+
> | mbowe-test | dialup-freedom |        1 |
> +------------+----------------+----------+
>
>
> mysql> select * from radgroupcheck where groupname = 'dialup-freedom';
> +----+----------------+------------------+----+-----------------------------+
> | id | groupname      | attribute        | op | value                       |
> +----+----------------+------------------+----+-----------------------------+
> |  3 | dialup-freedom | NAS-IP-Address   | !~ | ^111.222.333.(1|2|3|4|5|6)$ |
> |  4 | dialup-freedom | Simultaneous-Use | := | 1                           |
> +----+----------------+------------------+----+-----------------------------+
>
>
> mysql> select * from radgroupreply where groupname = 'dialup-freedom';
> +----+----------------+--------------------+----+---------------------+
> | id | groupname      | attribute          | op | value               |
> +----+----------------+--------------------+----+---------------------+
> |  9 | dialup-freedom | Service-Type       | := | Framed-User         |
> | 10 | dialup-freedom | Framed-Protocol    | := | PPP                 |
> | 11 | dialup-freedom | Framed-IP-Address  | =  | 255.255.255.254     |
> | 12 | dialup-freedom | Framed-IP-Netmask  | := | 255.255.255.255     |
> | 13 | dialup-freedom | Framed-Compression | := | Van-Jacobson-TCP-IP |
> | 14 | dialup-freedom | Idle-Timeout       | := | 1800                |
> | 15 | dialup-freedom | Session-Timeout    | := | 14400               |
> | 16 | dialup-freedom | Port-Limit         | := | 1                   |
> +----+----------------+--------------------+----+---------------------+
>
>
> Under the older freeradius, if the mbowe-test user tried to connect to a
> NAS with IP 111.222.333.1|2|3|4|5|6 then their access would be rejected.
>
> However under the newer freeradius, the user can now get online OK. (The
> group doesn't match so the 'dialup-freedom' attributes are not returned)
>
> In my sql.conf I have read_groups = yes
>
> I tried installing the freeradius 2.1.7 from source, and it gives the same
> result as the 2.0.4 from packages (user can get online).
>
> Am I doing something wrong?

No. That is the correct behaviour. Groups emulate DEFAULT entries in the users
file. If the check doesn't match, the reply is ignored but the user is not
rejected. If you want to reject the user not matching NAS-IP-Address for this
group you need to add:

# unlang: SQL-Group tests membership of the user in radusergroup; the regex
# lists the NAS addresses this group must not connect from
if (SQL-Group == "dialup-freedom") {
    if (NAS-IP-Address !~ "^111.222.333.(1|2|3|4|5|6)$") {
        ok
    }
    else {
        reject
    }
}

Ivan Kalik
Kalik Informatika ISP
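The difference between the two behaviours in this thread, as an added example that is not part of the original posts or of FreeRADIUS itself: a small Python model of how 2.x applies radgroupcheck (a non-matching group just contributes no reply rows) next to the unlang policy from the reply (a matching NAS address yields reject). The table rows are constructed from the ones quoted above; the treatment of attributes missing from the request and the short operator set are simplifying assumptions, not FreeRADIUS's full users-file semantics.

```python
import re

# Constructed rows mirroring the tables quoted in the thread (not a real DB).
RADUSERGROUP = {"mbowe-test": ["dialup-freedom"]}

RADGROUPCHECK = {
    "dialup-freedom": [
        ("NAS-IP-Address", "!~", r"^111.222.333.(1|2|3|4|5|6)$"),
        ("Simultaneous-Use", ":=", "1"),
    ],
}

RADGROUPREPLY = {
    "dialup-freedom": [
        ("Service-Type", ":=", "Framed-User"),
        ("Framed-Protocol", ":=", "PPP"),
        ("Session-Timeout", ":=", "14400"),
    ],
}

# Regex from the reply's unlang snippet.
DENIED_NAS = re.compile(r"^111.222.333.(1|2|3|4|5|6)$")


def check_item_matches(request, attribute, op, value):
    """One radgroupcheck row against the request, users-file style.

    ':=' and '=' assign control items and never fail; the comparison
    operators decide whether the group applies. Assumption: an attribute
    missing from the request fails every comparison (simplified model).
    """
    if op in (":=", "="):
        return True
    actual = request.get(attribute)
    if actual is None:
        return False
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "=~":
        return re.search(value, actual) is not None
    if op == "!~":
        return re.search(value, actual) is None
    raise ValueError("unsupported operator %r" % op)


def group_matches(request, groupname):
    """A group applies only if every one of its check rows matches (AND)."""
    return all(check_item_matches(request, attr, op, value)
               for attr, op, value in RADGROUPCHECK.get(groupname, []))


def sql_group_replies(request, username):
    """What read_groups = yes does in 2.x: for each group the user belongs
    to, apply the group's reply rows only when its check rows match. A
    non-matching group contributes nothing and does not reject the user."""
    reply = {}
    for groupname in RADUSERGROUP.get(username, []):
        if group_matches(request, groupname):
            for attribute, _op, value in RADGROUPREPLY.get(groupname, []):
                reply[attribute] = value
    return reply


def nas_policy(request, username):
    """The unlang from the reply as a function: SQL-Group tests membership
    in radusergroup, then the NAS-IP-Address regex decides ok vs reject."""
    if "dialup-freedom" not in RADUSERGROUP.get(username, []):
        return "noop"
    if DENIED_NAS.search(request.get("NAS-IP-Address", "")) is None:
        return "ok"
    return "reject"


def evaluate(username, nas_ip):
    """Run both models on one constructed Access-Request."""
    request = {"User-Name": username, "NAS-IP-Address": nas_ip}
    return {
        "group_matches": group_matches(request, "dialup-freedom"),
        "reply": sql_group_replies(request, username),
        "policy": nas_policy(request, username),
    }


if __name__ == "__main__":
    for ip in ("111.222.333.3", "10.1.2.3"):
        print(ip, evaluate("mbowe-test", ip))
```

For the denied NAS the group's reply is empty yet nothing in the group evaluation says "reject", which is exactly why the user still gets online once the password in radcheck is verified; only the unlang policy turns that case into a reject.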