FreeRadius 2 w/ MySQL - Group check issue

Craig Schurr craigschurr at gmail.com
Fri Feb 26 22:42:10 CET 2010


I recently setup a freeradius 2 server with MySQL and I am having an issue
where it doesn't appear to be doing group checks.

If I have a user set to a group it doesn't appear to check the attributes
set in that group:

+----+----------+--------------+----+------------------------------------------+
| id | username | attribute    | op | value                                    |
+----+----------+--------------+----+------------------------------------------+
| 15 | user1    | SHA-Password | := | 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 |
+----+----------+--------------+----+------------------------------------------+
1 row in set (0.00 sec)

mysql> select * from radusergroup where username = 'user1';
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| user1    | admin     |        1 |
+----------+-----------+----------+
1 row in set (0.00 sec)

mysql> select * from radgroupcheck where groupname = 'admin';
+----+-----------+----------------+----+--------+
| id | groupname | attribute      | op | value  |
+----+-----------+----------------+----+--------+
|  3 | admin     | NAS-Identifier | == | Adtran |
+----+-----------+----------------+----+--------+
1 row in set (0.00 sec)


If I understand correctly, the following request should be denied because the
NAS-Identifier in the request doesn't match the one specified in the
groupcheck table. However, it is replying with Access-Accept.



rad_recv: Access-Request packet from host 64.185.12.105 port 7458, id=61,
length=56
User-Name = "user1"
User-Password = "password"
NAS-Identifier = "Zhone MxK"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> user1
rlm_sql (sql): sql_set_user escaped user --> 'user1'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE
username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute,
value, op FROM radcheck WHERE username = 'user1' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'user1' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM radreply WHERE
username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute,
value, op FROM radreply WHERE username = 'user1' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'user1' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup
WHERE username = 'user1' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username =
'user1' ORDER BY priority
expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE
groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'admin' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing SHA-Password from hex encoding
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "password"
rlm_pap: Using SHA1 encryption.
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [user1/password] (from client lab-mxk-1 port 0)
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
expand: %{User-Name} -> user1
rlm_sql (sql): sql_set_user escaped user --> 'user1'
expand: %{User-Password} -> password
expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES (
'%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass,
reply, authdate) VALUES ( 'user1', 'password', 'Access-Accept', '2010-02-24
10:56:24')
expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql

rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES ( 'user1', 'password', 'Access-Accept',
'2010-02-24 10:56:24')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'user1', 'password', 'Access-Accept', '2010-02-24
10:56:24')
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 61 to 64.185.12.105 port 7458
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 61 with timestamp +9
Ready to process requests.


Any help would be greatly appreciated.

Thanks,
Craig
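Editor's note, with an added example that is not part of the original post. In FreeRADIUS 2.x rlm_sql, the rows in radgroupcheck are check items that decide whether a group applies to the request, not whether the user is accepted: a group whose check items do not match is simply skipped (note that the debug output above shows the radgroupcheck query running but no "User found in group admin" line after it). Because user1 was found in radcheck with a password, the sql module still returns ok and PAP authenticates the user. To turn a non-matching NAS into a rejection you need a group that does match in that case and sets Auth-Type := Reject. The statements below assume the stock 2.x MySQL schema (radusergroup, radgroupcheck) and the stock sql.conf group queries, and keep the existing admin row from the post; the group name deny-all is an assumption chosen for this example.

```sql
-- Added example, not from the original post or the FreeRADIUS project.
-- State assumed: radcheck already holds user1's SHA-Password (id 15 in the post)
-- and radgroupcheck already holds ('admin', 'NAS-Identifier', '==', 'Adtran').
-- '==' rows are comparisons: if they fail, the group is skipped, nothing rejects.

-- A catch-all group with no comparison items. ':=' rows are never compared,
-- so this group matches every request that reaches it; on match the item is
-- copied into the control list and Auth-Type := Reject denies the request
-- before any password check runs. Group name 'deny-all' is an assumption.
INSERT INTO radgroupcheck (groupname, attribute, op, value)
VALUES ('deny-all', 'Auth-Type', ':=', 'Reject');

-- rlm_sql walks a user's groups ORDER BY priority and stops at the first group
-- that matches (unless that group sets Fall-Through = Yes). 'admin' (priority 1,
-- already present) wins for NAS-Identifier == Adtran; everything else falls
-- through to 'deny-all' (priority 2), including requests with no NAS-Identifier.
INSERT INTO radusergroup (username, groupname, priority)
VALUES ('user1', 'deny-all', 2);

-- Verify the rows in the order rlm_sql will evaluate them for user1.
SELECT g.priority, g.groupname, c.attribute, c.op, c.value
FROM radusergroup g
LEFT JOIN radgroupcheck c ON c.groupname = g.groupname
WHERE g.username = 'user1'
ORDER BY g.priority, c.id;
```

Two caveats a practitioner will want. First, NAS-Identifier is a free-form string chosen by the NAS itself (the request above carries "Zhone MxK" from client lab-mxk-1), so any host holding the shared secret can send whatever value it likes; if the intent is "only from this device", compare against something the server knows, such as the source address of the request (FreeRADIUS supports Packet-Src-IP-Address as a check item) or the client definition, rather than a NAS-supplied attribute. Second, the sql_postauth query in the debug output writes the cleartext password into radpostauth ('user1', 'password', ...); consider dropping the pass column from that query unless you really need it.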