Problems with group cheking attributes

Andrei Petru Mura mapandrei at gmail.com
Thu Aug 2 14:58:21 CEST 2012


I have a user called "test150" that belongs to group "testgroup123". Bellow
you can see what I have in my database related to "test150" user and
"testgroup123" group:

select * from radcheck where username = 'test150';

   id         | username |     attribute              |op |  value
--------------+---------------+-----------------------------+----+---------
 1523812 | test150     | Cleartext-Password | := | test150


select * from radgroupcheck where groupname = 'testgroup123';

 id |  groupname    |        attribute                      | op |  value
----+--------------------+----------------------------------------+----+----------
 11 | testgroup123 | NAS-IP-Address                | := | 10.3.1.1
 15 | testgroup123 | CarboSolutions-Max-Users | <  | 5

 CarboSolutions-Max-Users is an attribute declared of myself.


select * from radusergroup where username = 'test150';

 username |  groupname   | priority
---------------+--------------------+----------
 test150    | testgroup123  |        0

select * from radgroupreply where groupname = 'testgroup123';

 id  |  groupname   |        attribute                        | op | value
-----+--------------------+------------------------------------------+----+--------
 14 | testgroup123 | WISPr-Bandwidth-Max-Down | := | 256000

*The problem:*
*
*
When I try to log in with "test150" and  CarboSolutions-Max-Users attribute
is < 5, the bandwidth limitation is working (in debug output I can see that
FR sends  WISPr-Bandwidth-Max-Down attribute in reply - and it applies).
But when CarboSolutions-Max-Users check isn't fulfilled (I mean is greater
or equal to 5)  WISPr-Bandwidth-Max-Down attribute isn't shown in FR debug
output as reply attrtibute - and not working bandwidth limitation.

*N.B.1 *I set the  CarboSolutions-Max-Users attribute in default site's
file in authorize section. Looks like this:

update request {

                CarboSolutions-Max-Users="%{sql:SELECT COUNT(DISTINCT
radacct.UserName) FROM radacct INNER JOIN radusergroup ON
radusergroup.UserName = radacct.UserName WHERE radusergroup.GroupName =
(SELECT GroupName FROM radusergroup ...}"

}

I understand that when group's check conditions aren't meet, I can login
neglecting the group's attributes. Can anybody tell me how to avoid that
behavior? I think that if a user belongs to a group and the checks for the
group aren't meet, the user shoudn't be able to be authenticated. Am I
wrong? If not, what's the problem to my issue?

*N.B.2 *The output from running FR with -XXX switch is (when it is not
working well):

rad_recv: Access-Request packet from host 127.0.0.1 port 34173, id=225,
length=276
ChilliSpot-Version = "1.2.9"
User-Name = "test150"
User-Password = "test150"
Service-Type = Login-User
Acct-Session-Id = "501a75b300000001"
Framed-IP-Address = 10.3.1.3
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
NAS-Port-Id = "00000001"
Calling-Station-Id = "00-25-22-83-95-C5"
Called-Station-Id = "F8-D1-11-05-93-01"
NAS-IP-Address = 10.3.1.1
NAS-Identifier = "nas-1"
WISPr-Location-ID = "isocc=,cc=,ac=,network=netNFork,"
WISPr-Location-Name = "netNFork_LAN"
WISPr-Logoff-URL = "http://10.3.1.1:3001/logoff"
Message-Authenticator = 0x0c4075cf2f111445caff3fb367ddd776
Thu Aug  2 15:43:44 2012 : Info: # Executing section authorize from file
/netnfork/radius//etc/raddb/sites-enabled/default
Thu Aug  2 15:43:44 2012 : Info: +- entering group authorize {...}
Thu Aug  2 15:43:44 2012 : Info: expand: %S -> 2012-08-02 15:43:44
Thu Aug  2 15:43:44 2012 : Info: sql_xlat
Thu Aug  2 15:43:44 2012 : Info: expand: %{User-Name} -> test150
Thu Aug  2 15:43:44 2012 : Info: sql_set_user escaped user --> 'test150'
Thu Aug  2 15:43:44 2012 : Info: expand: SELECT COUNT(DISTINCT
CallingStationId) FROM radacct WHERE UserName='%{User-Name}' AND
CallingStationId != '%{Calling-Station-Id}' -> SELECT COUNT(DISTINCT
CallingStationId) FROM radacct WHERE UserName='test150' AND
CallingStationId != '00-25-22-83-95-C5'
Thu Aug  2 15:43:44 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 30
Thu Aug  2 15:43:45 2012 : Debug: rlm_sql_postgresql: Status:
PGRES_TUPLES_OK
Thu Aug  2 15:43:45 2012 : Debug: rlm_sql_postgresql: query affected rows =
1 , fields = 1
Thu Aug  2 15:43:45 2012 : Info: sql_xlat finished
Thu Aug  2 15:43:45 2012 : Debug: rlm_sql (sql): Released sql socket id: 30
Thu Aug  2 15:43:45 2012 : Info: expand: %{sql:SELECT COUNT(DISTINCT
CallingStationId) FROM radacct WHERE UserName='%{User-Name}' AND
CallingStationId != '%{Calling-Station-Id}'} -> 0
Thu Aug  2 15:43:45 2012 : Info: sql_xlat
Thu Aug  2 15:43:45 2012 : Info: expand: %{User-Name} -> test150
Thu Aug  2 15:43:45 2012 : Info: sql_set_user escaped user --> 'test150'

//*** this interests (bellow)-->

Thu Aug  2 15:43:45 2012 : Info: expand: SELECT COUNT(DISTINCT
radacct.UserName) FROM radacct INNER JOIN radusergroup ON
radusergroup.UserName = radacct.UserName WHERE radusergroup.GroupName =
(SELECT GroupName FROM radusergroup WHERE UserName='%{User-Name}') AND
AcctStopTime ISNULL -> SELECT COUNT(DISTINCT radacct.UserName) FROM radacct
INNER JOIN radusergroup ON radusergroup.UserName = radacct.UserName WHERE
radusergroup.GroupName = (SELECT GroupName FROM radusergroup WHERE
UserName='test150') AND AcctStopTime ISNULL
Thu Aug  2 15:43:45 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 29
Thu Aug  2 15:43:45 2012 : Debug: rlm_sql_postgresql: Status:
PGRES_TUPLES_OK
Thu Aug  2 15:43:45 2012 : Debug: rlm_sql_postgresql: query affected rows =
1 , fields = 1
Thu Aug  2 15:43:45 2012 : Info: sql_xlat finished
Thu Aug  2 15:43:45 2012 : Debug: rlm_sql (sql): Released sql socket id: 29
Thu Aug  2 15:43:45 2012 : Info: expand: %{sql:SELECT COUNT(DISTINCT
radacct.UserName) FROM radacct INNER JOIN radusergroup ON
radusergroup.UserName = radacct.UserName WHERE radusergroup.GroupName =
(SELECT GroupName FROM radusergroup WHERE UserName='%{User-Name}') AND
AcctStopTime ISNULL} -> 1
Thu Aug  2 15:43:45 2012 : Info: ++[request] returns notfound
Thu Aug  2 15:43:45 2012 : Info: [sql] expand: %{User-Name} -> test150
Thu Aug  2 15:43:45 2012 : Info: [sql] sql_set_user escaped user -->
'test150'
Thu Aug  2 15:43:45 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 28
Thu Aug  2 15:43:45 2012 : Info: [sql] expand: SELECT id, UserName,
Attribute, Value, Op   FROM radcheck   WHERE Username = '%{SQL-User-Name}'
  ORDER BY id -> SELECT id, UserName, Attribute, Value, Op   FROM radcheck
  WHERE Username = 'test150'   ORDER BY id
Thu Aug  2 15:43:45 2012 : Debug: rlm_sql_postgresql: Status:
PGRES_TUPLES_OK
Thu Aug  2 15:43:45 2012 : Debug: rlm_sql_postgresql: query affected rows =
1 , fields = 5
Thu Aug  2 15:43:45 2012 : Info: [sql] User found in radcheck table
Thu Aug  2 15:43:45 2012 : Info: [sql] expand: SELECT id, UserName,
Attribute, Value, Op   FROM radreply   WHERE Username = '%{SQL-User-Name}'
  ORDER BY id -> SELECT id, UserName, Attribute, Value, Op   FROM radreply
  WHERE Username = 'test150'   ORDER BY id
Thu Aug  2 15:43:45 2012 : Debug: rlm_sql_postgresql: Status:
PGRES_TUPLES_OK
Thu Aug  2 15:43:45 2012 : Debug: rlm_sql_postgresql: query affected rows =
0 , fields = 5
Thu Aug  2 15:43:45 2012 : Info: [sql] expand: SELECT GroupName FROM
radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT
GroupName FROM radusergroup WHERE UserName='test150' ORDER BY priority
Thu Aug  2 15:43:45 2012 : Debug: rlm_sql_postgresql: Status:
PGRES_TUPLES_OK
Thu Aug  2 15:43:45 2012 : Debug: rlm_sql_postgresql: query affected rows =
1 , fields = 1
Thu Aug  2 15:43:45 2012 : Info: [sql] expand: SELECT id, GroupName,
Attribute, Value, op   FROM radgroupcheck   WHERE GroupName =
'%{Sql-Group}'   ORDER BY id -> SELECT id, GroupName, Attribute, Value, op
  FROM radgroupcheck   WHERE GroupName = 'testgroup123'   ORDER BY id
Thu Aug  2 15:43:45 2012 : Debug: rlm_sql_postgresql: Status:
PGRES_TUPLES_OK
Thu Aug  2 15:43:45 2012 : Debug: rlm_sql_postgresql: query affected rows =
2 , fields = 5
Thu Aug  2 15:43:45 2012 : Debug: rlm_sql (sql): Released sql socket id: 28
Thu Aug  2 15:43:45 2012 : Info: ++[sql] returns ok
Thu Aug  2 15:43:45 2012 : Info: ++[expiration] returns noop
Thu Aug  2 15:43:45 2012 : Info: ++[logintime] returns noop
Thu Aug  2 15:43:45 2012 : Info: WARNING: Please update your configuration,
and remove 'Auth-Type = Local'
Thu Aug  2 15:43:45 2012 : Info: WARNING: Use the PAP or CHAP modules
instead.
Thu Aug  2 15:43:45 2012 : Info: User-Password in the request is correct.
Thu Aug  2 15:43:45 2012 : Info: # Executing section post-auth from file
/netnfork/radius//etc/raddb/sites-enabled/default
Thu Aug  2 15:43:45 2012 : Info: +- entering group post-auth {...}
Thu Aug  2 15:43:45 2012 : Info: ++[exec] returns noop
Sending Access-Accept of id 225 to 127.0.0.1 port 34173
Thu Aug  2 15:43:45 2012 : Info: Finished request 14.
Thu Aug  2 15:43:45 2012 : Debug: Going to the next request
Thu Aug  2 15:43:45 2012 : Debug: Waking up in 2.9 seconds.

//*** bellow is the accounting log, I think it shouldn't present interest

rad_recv: Accounting-Request packet from host 127.0.0.1 port 41985, id=8,
length=223
ChilliSpot-Version = "1.2.9"
ChilliSpot-Attr-10 = 0x00000002
Event-Timestamp = "Aug  2 2012 15:43:44 EEST"
User-Name = "test150"
Acct-Status-Type = Start
Acct-Session-Id = "501a75b300000001"
Framed-IP-Address = 10.3.1.3
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
NAS-Port-Id = "00000001"
Calling-Station-Id = "00-25-22-83-95-C5"
Called-Station-Id = "F8-D1-11-05-93-01"
NAS-IP-Address = 10.3.1.1
NAS-Identifier = "nas-1"
WISPr-Location-ID = "isocc=,cc=,ac=,network=netNFork,"
WISPr-Location-Name = "netNFork_LAN"
Thu Aug  2 15:43:45 2012 : Info: # Executing section preacct from file
/netnfork/radius//etc/raddb/sites-enabled/default
Thu Aug  2 15:43:45 2012 : Info: +- entering group preacct {...}
Thu Aug  2 15:43:45 2012 : Info: ++[preprocess] returns ok
Thu Aug  2 15:43:45 2012 : Info: [acct_unique] Hashing 'NAS-Port =
1,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 10.3.1.1,Acct-Session-Id =
"501a75b300000001",User-Name = "test150"'
Thu Aug  2 15:43:45 2012 : Info: [acct_unique] Acct-Unique-Session-ID =
"84a01adb8bcce762".
Thu Aug  2 15:43:45 2012 : Info: ++[acct_unique] returns ok
Thu Aug  2 15:43:45 2012 : Info: [suffix] No '@' in User-Name = "test150",
looking up realm NULL
Thu Aug  2 15:43:45 2012 : Info: [suffix] No such realm "NULL"
Thu Aug  2 15:43:45 2012 : Info: ++[suffix] returns noop
Thu Aug  2 15:43:45 2012 : Info: # Executing section accounting from file
/netnfork/radius//etc/raddb/sites-enabled/default
Thu Aug  2 15:43:45 2012 : Info: +- entering group accounting {...}
Thu Aug  2 15:43:45 2012 : Info: [detail] expand: %{Packet-Src-IP-Address}
-> 127.0.0.1
Thu Aug  2 15:43:45 2012 : Info: [detail] expand:
/netnfork/radius//var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
-> /netnfork/radius//var/log/radius/radacct/127.0.0.1/detail-20120802
Thu Aug  2 15:43:45 2012 : Info: [detail]
/netnfork/radius//var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /netnfork/radius//var/log/radius/radacct/
127.0.0.1/detail-20120802
Thu Aug  2 15:43:45 2012 : Info: [detail] expand: %t -> Thu Aug  2 15:43:45
2012
Thu Aug  2 15:43:45 2012 : Info: ++[detail] returns ok
Thu Aug  2 15:43:45 2012 : Info: [sql] expand: %{User-Name} -> test150
Thu Aug  2 15:43:45 2012 : Info: [sql] sql_set_user escaped user -->
'test150'
Thu Aug  2 15:43:45 2012 : Info: [sql] expand: %{NAS-Port} -> 1
Thu Aug  2 15:43:45 2012 : Info: [sql] expand: %{Acct-Delay-Time} ->
Thu Aug  2 15:43:45 2012 : Info: [sql] ... expanding second conditional
Thu Aug  2 15:43:45 2012 : Info: [sql] expand: INSERT INTO radacct
(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress,    NASPortId,
NASPortType, AcctStartTime, AcctAuthentic,   ConnectInfo_start,
CalledStationId, CallingStationId, ServiceType,   FramedProtocol,
FramedIPAddress, AcctStartDelay, XAscendSessionSvrKey)
VALUES('%{Acct-Session-Id}',   '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}',   NULLIF('%{Realm}', ''),   '%{NAS-IP-Address}',
%{%{NAS-Port}:-NULL},   '%{NAS-Port-Type}',   ('%S'::timestamp -
'%{%{Acct-Delay-Time}:-0}'::interval),   '%{Acct-Authentic}',
'%{Connect-Info}',   '%{Called-Station-Id}',   '%{Calling-Station-Id}',
'%{Service-Type}',   '%{Framed-Protocol}',   NULLIF('%{Framed-IP-Address}',
'')::inet,   0,   '%{X-Ascend-Session-Svr-Key}') -> INSERT INTO radacct
(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress,    NASPortId,
NASPortType, AcctStartTime, AcctAuthentic,   ConnectInfo_start,
CalledStationId, CallingStationId, ServiceType,   FramedProtocol,
FramedIPAddress, AcctStartDelay,
Thu Aug  2 15:43:45 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 27
Thu Aug  2 15:43:45 2012 : Debug: rlm_sql_postgresql: Status:
PGRES_COMMAND_OK
Thu Aug  2 15:43:45 2012 : Debug: rlm_sql_postgresql: query affected rows =
1
Thu Aug  2 15:43:45 2012 : Debug: rlm_sql (sql): Released sql socket id: 27
Thu Aug  2 15:43:45 2012 : Info: ++[sql] returns ok
Thu Aug  2 15:43:45 2012 : Info: [attr_filter.accounting_response] expand:
%{User-Name} -> test150
Thu Aug  2 15:43:45 2012 : Debug: attr_filter: Matched entry DEFAULT at
line 12
Thu Aug  2 15:43:45 2012 : Info: ++[attr_filter.accounting_response]
returns updated
Sending Accounting-Response of id 8 to 127.0.0.1 port 41985
Thu Aug  2 15:43:45 2012 : Info: Finished request 15.
Thu Aug  2 15:43:45 2012 : Info: Cleaning up request 15 ID 8 with timestamp
+1230
Thu Aug  2 15:43:45 2012 : Debug: Going to the next request
Thu Aug  2 15:43:45 2012 : Debug: Waking up in 2.9 seconds.
Thu Aug  2 15:43:48 2012 : Info: Cleaning up request 14 ID 225 with
timestamp +1229
Thu Aug  2 15:43:48 2012 : Info: Ready to process requests.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120802/ef9609de/attachment-0001.html>


More information about the Freeradius-Users mailing list