radius does not check table radgroupcheck

Erick de A. Fabbio erickfabbio at gmail.com
Fri Aug 6 23:02:24 CEST 2010


Hi!

I'm having the following problem:
Any item that I put in radgroupcheck is not being considered by the radius
... the radius only checks the table radcheck ...

I'm using Radius 2 with a MySQL database.

nas
id: 200
idrevenda: 1
nasname: 192.168.0.10
shortname: rb45g
type: other
ports: 1812
secret: 123

radcheck
idrevenda: 1
username: "john"
attribute: "user-password"
op: "=="
value: "123456"

radgroupcheck
idrevenda: 1
groupname: "office"
attribute: "Calling-Station-Id"
op: "=="
value: "00:00:00:00:00:00"

radusergroup
idrevenda: 1
username: "john"
groupname: "office"
priority: 1

Suppose that John's MAC address is 00:a2:bf:66:dd:ff ... the radius
should not allow the access...

# radtest john 123456 192.168.0.10 10 123
Sending Access-Request of id 218 to 192.168.0.10 port 1812
        User-Name = "john"
        User-Password = "123456"
        NAS-IP-Address = 192.168.0.10
        NAS-Port = 10
rad_recv: Access-Accept packet from host 192.168.0.10 port 1812, id=218,
length=20


#radius -X
...
rad_recv: Access-Request packet from host 192.168.0.10 port 44307, id=218,
length=56
        User-Name = "john"
        User-Password = "123456"
        NAS-IP-Address = 192.168.0.10
        NAS-Port = 10
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[files] returns noop
[sql]   expand: %{User-Name} -> john
[sql] sql_set_user escaped user --> 'john'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT aut.id, aut.username, aut.attribute, aut.value,
aut.op           FROM radcheck  aut           WHERE aut.username =
'%{SQL-User-Name}' and aut.idrevenda = (SELECT distinct n.idrevenda FROM nas
n WHERE n.nasname = '%{NAS-IP-Address}' LIMIT 0,1)           ORDER BY
aut.id-> SELECT
aut.id, aut.username, aut.attribute, aut.value, aut.op           FROM
radcheck  aut           WHERE aut.username = 'john'           and
aut.idrevenda = (SELECT distinct n.idrevenda FROM nas n WHERE n.nasname =
'192.168.0.10' LIMIT 0,1)           ORDER BY aut.id
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] User found in radcheck table
[sql]   expand: SELECT rp.id, rp.username, rp.attribute, rp.value,
rp.op           FROM radreply rp           WHERE rp.username =
'%{SQL-User-Name}'        and rp.idrevenda = (SELECT distinct n.idrevenda
FROM nas n WHERE n.nasname = '%{NAS-IP-Address}' LIMIT 0,1)           ORDER
BY rp.id -> SELECT rp.id, rp.username, rp.attribute, rp.value,
rp.op           FROM radreply rp           WHERE rp.username =
'john'              and rp.idrevenda = (SELECT distinct n.idrevenda FROM nas
n WHERE n.nasname = '192.168.0.10' LIMIT 0,1)           ORDER BY rp.id
[sql]   expand: SELECT ug.groupname           FROM radusergroup ug
WHERE ug.username = '%{SQL-User-Name}'             and ug.idrevenda =
(SELECT distinct n.idrevenda FROM nas n WHERE n.nasname =
'%{NAS-IP-Address}' LIMIT 0,1)           ORDER BY ug.priority -> SELECT
ug.groupname           FROM radusergroup ug           WHERE ug.username =
'john'             and ug.idrevenda = (SELECT distinct n.idrevenda FROM nas
n WHERE n.nasname = '192.168.0.10' LIMIT 0,1)           ORDER BY ug.priority
[sql]   expand: SELECT gc.id, gc.groupname, gc.attribute,
gc.Value, gc.op           FROM radgroupcheck  gc           WHERE
gc.groupname = '%{Sql-Group}'           and gc.idrevenda = (SELECT distinct
n.idrevenda FROM nas n WHERE n.nasname = '%{NAS-IP-Address}' LIMIT
0,1)           ORDER BY gc.id -> SELECT gc.id, gc.groupname,
gc.attribute,           gc.Value, gc.op           FROM radgroupcheck
gc           WHERE gc.groupname = '27'             and gc.idrevenda =
(SELECT distinct n.idrevenda FROM nas n WHERE n.nasname = '192.168.0.10'
LIMIT 0,1)           ORDER BY gc.id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group PAP {...}
[pap] login attempt with password "123456"
[pap] Using clear text password "123456"
[pap] User authenticated successfully
++[pap] returns ok
        expand:  ->
Login OK: [john/123456] (from client radtest port 10)
+- entering group post-auth {...}
[sql]   expand: %{User-Name} -> john
[sql] sql_set_user escaped user --> 'john'
[sql]   expand: %{User-Password} -> 123456
[sql]   expand: INSERT INTO radpostauth                           (username,
pass, reply, authdate)                           VALUES
(                           '%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO
radpostauth                           (username, pass, reply,
authdate)                           VALUES (
'john',                           '123456',
'Access-Accept', '2010-08-06 17:30:29')
rlm_sql (sql) in sql_postauth: query is INSERT INTO
radpostauth                           (username, pass, reply,
authdate)                           VALUES (
'john',                           '123456',
'Access-Accept', '2010-08-06 17:30:29')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 218 to 192.168.0.10 port 44307
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 218 with timestamp +6
Ready to process requests.


dialup.conf:

    authorize_check_query = "SELECT aut.id, aut.username, aut.attribute, aut.value, aut.op \
          FROM ${authcheck_table} aut \
          WHERE aut.username = '%{SQL-User-Name}' \
          and aut.idrevenda = (SELECT distinct n.idrevenda FROM ${nas_table} n WHERE n.nasname = '%{NAS-IP-Address}' LIMIT 0,1) \
          ORDER BY aut.id"

    authorize_reply_query = "SELECT rp.id, rp.username, rp.attribute, rp.value, rp.op \
          FROM ${authreply_table} rp \
          WHERE rp.username = '%{SQL-User-Name}' \
          and rp.idrevenda = (SELECT distinct n.idrevenda FROM ${nas_table} n WHERE n.nasname = '%{NAS-IP-Address}' LIMIT 0,1) \
          ORDER BY rp.id"

    group_membership_query = "SELECT ug.groupname \
          FROM ${usergroup_table} ug \
          WHERE ug.username = '%{SQL-User-Name}' \
          and ug.idrevenda = (SELECT distinct n.idrevenda FROM ${nas_table} n WHERE n.nasname = '%{NAS-IP-Address}' LIMIT 0,1) \
          ORDER BY ug.priority"

    authorize_group_check_query = "SELECT gc.id, gc.groupname, gc.attribute, gc.Value, gc.op \
          FROM ${groupcheck_table} gc \
          WHERE gc.groupname = '%{Sql-Group}' \
          and gc.idrevenda = (SELECT distinct n.idrevenda FROM ${nas_table} n WHERE n.nasname = '%{NAS-IP-Address}' LIMIT 0,1) \
          ORDER BY gc.id"

    authorize_group_reply_query = "SELECT gr.id, gr.groupname, gr.attribute, gr.value, gr.op \
          FROM ${groupreply_table} gr \
          WHERE gr.groupname = '%{Sql-Group}' \
          and gr.idrevenda = (SELECT distinct n.idrevenda FROM ${nas_table} n WHERE n.nasname = '%{NAS-IP-Address}' LIMIT 0,1) \
          ORDER BY gr.id"

What can it be?

Thanks for your help!

-- 
Erick de A. Fabbio
MSN/GTalk: erickfabbio at gmail.com
Skype: erickfabbio
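Two things in the debug output above are worth checking before changing anything on the server: the group check query ran with gc.groupname = '27' rather than 'office', so the value that %{Sql-Group} takes from group_membership_query needs verifying, and the radtest request carries no Calling-Station-Id at all, so a Calling-Station-Id == check item has nothing to compare against. The script below is an added example (not the poster's code and not FreeRADIUS code): it loads constructed rows mirroring the nas, radcheck, radusergroup and radgroupcheck tables from the post into an in-memory SQLite database (standing in for MySQL), expands the %{...} placeholders in the post's dialup.conf queries by hand, and evaluates the returned check items against a request with a simplified model of the server's paircompare (==, !=, =*, !* only). The request dictionaries and the xlat and check_items_match helpers are assumptions of this example, as is the order in which the three queries are run.

```python
"""Offline re-run of the rlm_sql authorize queries from the post above.

Added example, not FreeRADIUS code. Constructed rows mirroring the tables
in the post are loaded into SQLite, the %{...} expansions are done by hand
and the resulting check items are compared against a request.
"""
import re
import sqlite3

SCHEMA = """
CREATE TABLE nas (id INTEGER, idrevenda INTEGER, nasname TEXT, shortname TEXT,
                  type TEXT, ports INTEGER, secret TEXT);
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, idrevenda INTEGER, username TEXT,
                       attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup (idrevenda INTEGER, username TEXT, groupname TEXT,
                           priority INTEGER);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, idrevenda INTEGER,
                            groupname TEXT, attribute TEXT, op TEXT, value TEXT);
"""

# Constructed rows, copied from the tables listed in the post.
ROWS = [
    "INSERT INTO nas VALUES (200, 1, '192.168.0.10', 'rb45g', 'other', 1812, '123')",
    "INSERT INTO radcheck (idrevenda, username, attribute, op, value)"
    " VALUES (1, 'john', 'User-Password', '==', '123456')",
    "INSERT INTO radusergroup VALUES (1, 'john', 'office', 1)",
    "INSERT INTO radgroupcheck (idrevenda, groupname, attribute, op, value)"
    " VALUES (1, 'office', 'Calling-Station-Id', '==', '00:00:00:00:00:00')",
]

# The dialup.conf queries from the post with the ${...} table names filled in.
NAS_SUBQ = ("(SELECT distinct n.idrevenda FROM nas n"
            " WHERE n.nasname = '%{NAS-IP-Address}' LIMIT 0,1)")
AUTHORIZE_CHECK_QUERY = (
    "SELECT aut.id, aut.username, aut.attribute, aut.value, aut.op"
    " FROM radcheck aut WHERE aut.username = '%{SQL-User-Name}'"
    " and aut.idrevenda = " + NAS_SUBQ + " ORDER BY aut.id")
GROUP_MEMBERSHIP_QUERY = (
    "SELECT ug.groupname FROM radusergroup ug"
    " WHERE ug.username = '%{SQL-User-Name}' and ug.idrevenda = " + NAS_SUBQ
    + " ORDER BY ug.priority")
AUTHORIZE_GROUP_CHECK_QUERY = (
    "SELECT gc.id, gc.groupname, gc.attribute, gc.Value, gc.op"
    " FROM radgroupcheck gc WHERE gc.groupname = '%{Sql-Group}'"
    " and gc.idrevenda = " + NAS_SUBQ + " ORDER BY gc.id")

# What the post's radtest run actually sent: no Calling-Station-Id at all.
REQUEST_FROM_RADTEST = {
    "User-Name": "john", "User-Password": "123456",
    "NAS-IP-Address": "192.168.0.10", "NAS-Port": "10",
}

XLAT = re.compile(r"%\{([A-Za-z0-9-]+)\}")


def build_db():
    """In-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for stmt in ROWS:
        conn.execute(stmt)
    return conn


def xlat(query, values):
    """Expand %{Name} as the server does for these queries (assumed model):
    unknown names expand to "" and single quotes are doubled, a simplified
    version of the escaping sql_set_user applies."""
    return XLAT.sub(lambda m: str(values.get(m.group(1), "")).replace("'", "''"), query)


def check_items_match(request, items):
    """Simplified paircompare: == and != require the attribute to be present
    in the request, =* tests presence, !* tests absence. Assignment operators
    (:=, =, +=) are not comparisons and are skipped. The real server hands a
    User-Password == row to rlm_pap instead of comparing it here."""
    for attribute, op, value in items:
        present = attribute in request
        if op == "==" and not (present and request[attribute] == value):
            return False
        if op == "!=" and not (present and request[attribute] != value):
            return False
        if op == "=*" and not present:
            return False
        if op == "!*" and present:
            return False
    return True


def authorize(conn, request):
    """Run the three queries in the order the debug output shows and report
    what each returned, so the %{Sql-Group} value and the group check rows can
    be inspected without touching the live server."""
    values = dict(request, **{"SQL-User-Name": request["User-Name"]})
    cur = conn.cursor()
    radcheck = cur.execute(xlat(AUTHORIZE_CHECK_QUERY, values)).fetchall()
    user_items = [(attr, op, val) for (_i, _u, attr, val, op) in radcheck]
    report = {
        "user_in_radcheck": bool(radcheck) and check_items_match(request, user_items),
        "groups": [],
    }
    for (groupname,) in cur.execute(xlat(GROUP_MEMBERSHIP_QUERY, values)).fetchall():
        values["Sql-Group"] = groupname  # this is what gc.groupname = '...' becomes
        rows = cur.execute(xlat(AUTHORIZE_GROUP_CHECK_QUERY, values)).fetchall()
        items = [(attr, op, val) for (_i, _g, attr, val, op) in rows]
        report["groups"].append({
            "groupname": groupname,
            "check_items": items,
            "matched": check_items_match(request, items) if items else None,
        })
    return report


if __name__ == "__main__":
    db = build_db()
    print(authorize(db, REQUEST_FROM_RADTEST))
    with_mac = dict(REQUEST_FROM_RADTEST, **{"Calling-Station-Id": "00:a2:bf:66:dd:ff"})
    print(authorize(db, with_mac))
```

With the post's rows the membership query returns 'office' and the group's single check item fails for the radtest request because Calling-Station-Id is absent; with a Calling-Station-Id of 00:00:00:00:00:00 it matches, and with 00:a2:bf:66:dd:ff it does not. Running the same harness against a copy of the real radusergroup rows shows directly where the '27' in the debug output comes from.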