Problems with group cheking attributes
Andrei Petru Mura
mapandrei at gmail.com
Thu Aug 2 14:58:21 CEST 2012
I have a user called "test150" that belongs to group "testgroup123". Bellow
you can see what I have in my database related to "test150" user and
"testgroup123" group:
select * from radcheck where username = 'test150';
id | username | attribute |op | value
--------------+---------------+-----------------------------+----+---------
1523812 | test150 | Cleartext-Password | := | test150
select * from radgroupcheck where groupname = 'testgroup123';
id | groupname | attribute | op | value
----+--------------------+----------------------------------------+----+----------
11 | testgroup123 | NAS-IP-Address | := | 10.3.1.1
15 | testgroup123 | CarboSolutions-Max-Users | < | 5
CarboSolutions-Max-Users is an attribute declared of myself.
select * from radusergroup where username = 'test150';
username | groupname | priority
---------------+--------------------+----------
test150 | testgroup123 | 0
select * from radgroupreply where groupname = 'testgroup123';
id | groupname | attribute | op | value
-----+--------------------+------------------------------------------+----+--------
14 | testgroup123 | WISPr-Bandwidth-Max-Down | := | 256000
*The problem:*
*
*
When I try to log in with "test150" and CarboSolutions-Max-Users attribute
is < 5, the bandwidth limitation is working (in debug output I can see that
FR sends WISPr-Bandwidth-Max-Down attribute in reply - and it applies).
But when CarboSolutions-Max-Users check isn't fulfilled (I mean is greater
or equal to 5) WISPr-Bandwidth-Max-Down attribute isn't shown in FR debug
output as reply attrtibute - and not working bandwidth limitation.
*N.B.1 *I set the CarboSolutions-Max-Users attribute in default site's
file in authorize section. Looks like this:
update request {
CarboSolutions-Max-Users="%{sql:SELECT COUNT(DISTINCT
radacct.UserName) FROM radacct INNER JOIN radusergroup ON
radusergroup.UserName = radacct.UserName WHERE radusergroup.GroupName =
(SELECT GroupName FROM radusergroup ...}"
}
I understand that when group's check conditions aren't meet, I can login
neglecting the group's attributes. Can anybody tell me how to avoid that
behavior? I think that if a user belongs to a group and the checks for the
group aren't meet, the user shoudn't be able to be authenticated. Am I
wrong? If not, what's the problem to my issue?
*N.B.2 *The output from running FR with -XXX switch is (when it is not
working well):
rad_recv: Access-Request packet from host 127.0.0.1 port 34173, id=225,
length=276
ChilliSpot-Version = "1.2.9"
User-Name = "test150"
User-Password = "test150"
Service-Type = Login-User
Acct-Session-Id = "501a75b300000001"
Framed-IP-Address = 10.3.1.3
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
NAS-Port-Id = "00000001"
Calling-Station-Id = "00-25-22-83-95-C5"
Called-Station-Id = "F8-D1-11-05-93-01"
NAS-IP-Address = 10.3.1.1
NAS-Identifier = "nas-1"
WISPr-Location-ID = "isocc=,cc=,ac=,network=netNFork,"
WISPr-Location-Name = "netNFork_LAN"
WISPr-Logoff-URL = "http://10.3.1.1:3001/logoff"
Message-Authenticator = 0x0c4075cf2f111445caff3fb367ddd776
Thu Aug 2 15:43:44 2012 : Info: # Executing section authorize from file
/netnfork/radius//etc/raddb/sites-enabled/default
Thu Aug 2 15:43:44 2012 : Info: +- entering group authorize {...}
Thu Aug 2 15:43:44 2012 : Info: expand: %S -> 2012-08-02 15:43:44
Thu Aug 2 15:43:44 2012 : Info: sql_xlat
Thu Aug 2 15:43:44 2012 : Info: expand: %{User-Name} -> test150
Thu Aug 2 15:43:44 2012 : Info: sql_set_user escaped user --> 'test150'
Thu Aug 2 15:43:44 2012 : Info: expand: SELECT COUNT(DISTINCT
CallingStationId) FROM radacct WHERE UserName='%{User-Name}' AND
CallingStationId != '%{Calling-Station-Id}' -> SELECT COUNT(DISTINCT
CallingStationId) FROM radacct WHERE UserName='test150' AND
CallingStationId != '00-25-22-83-95-C5'
Thu Aug 2 15:43:44 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 30
Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: Status:
PGRES_TUPLES_OK
Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: query affected rows =
1 , fields = 1
Thu Aug 2 15:43:45 2012 : Info: sql_xlat finished
Thu Aug 2 15:43:45 2012 : Debug: rlm_sql (sql): Released sql socket id: 30
Thu Aug 2 15:43:45 2012 : Info: expand: %{sql:SELECT COUNT(DISTINCT
CallingStationId) FROM radacct WHERE UserName='%{User-Name}' AND
CallingStationId != '%{Calling-Station-Id}'} -> 0
Thu Aug 2 15:43:45 2012 : Info: sql_xlat
Thu Aug 2 15:43:45 2012 : Info: expand: %{User-Name} -> test150
Thu Aug 2 15:43:45 2012 : Info: sql_set_user escaped user --> 'test150'
//*** this interests (bellow)-->
Thu Aug 2 15:43:45 2012 : Info: expand: SELECT COUNT(DISTINCT
radacct.UserName) FROM radacct INNER JOIN radusergroup ON
radusergroup.UserName = radacct.UserName WHERE radusergroup.GroupName =
(SELECT GroupName FROM radusergroup WHERE UserName='%{User-Name}') AND
AcctStopTime ISNULL -> SELECT COUNT(DISTINCT radacct.UserName) FROM radacct
INNER JOIN radusergroup ON radusergroup.UserName = radacct.UserName WHERE
radusergroup.GroupName = (SELECT GroupName FROM radusergroup WHERE
UserName='test150') AND AcctStopTime ISNULL
Thu Aug 2 15:43:45 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 29
Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: Status:
PGRES_TUPLES_OK
Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: query affected rows =
1 , fields = 1
Thu Aug 2 15:43:45 2012 : Info: sql_xlat finished
Thu Aug 2 15:43:45 2012 : Debug: rlm_sql (sql): Released sql socket id: 29
Thu Aug 2 15:43:45 2012 : Info: expand: %{sql:SELECT COUNT(DISTINCT
radacct.UserName) FROM radacct INNER JOIN radusergroup ON
radusergroup.UserName = radacct.UserName WHERE radusergroup.GroupName =
(SELECT GroupName FROM radusergroup WHERE UserName='%{User-Name}') AND
AcctStopTime ISNULL} -> 1
Thu Aug 2 15:43:45 2012 : Info: ++[request] returns notfound
Thu Aug 2 15:43:45 2012 : Info: [sql] expand: %{User-Name} -> test150
Thu Aug 2 15:43:45 2012 : Info: [sql] sql_set_user escaped user -->
'test150'
Thu Aug 2 15:43:45 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 28
Thu Aug 2 15:43:45 2012 : Info: [sql] expand: SELECT id, UserName,
Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck
WHERE Username = 'test150' ORDER BY id
Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: Status:
PGRES_TUPLES_OK
Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: query affected rows =
1 , fields = 5
Thu Aug 2 15:43:45 2012 : Info: [sql] User found in radcheck table
Thu Aug 2 15:43:45 2012 : Info: [sql] expand: SELECT id, UserName,
Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply
WHERE Username = 'test150' ORDER BY id
Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: Status:
PGRES_TUPLES_OK
Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: query affected rows =
0 , fields = 5
Thu Aug 2 15:43:45 2012 : Info: [sql] expand: SELECT GroupName FROM
radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT
GroupName FROM radusergroup WHERE UserName='test150' ORDER BY priority
Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: Status:
PGRES_TUPLES_OK
Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: query affected rows =
1 , fields = 1
Thu Aug 2 15:43:45 2012 : Info: [sql] expand: SELECT id, GroupName,
Attribute, Value, op FROM radgroupcheck WHERE GroupName =
'%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op
FROM radgroupcheck WHERE GroupName = 'testgroup123' ORDER BY id
Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: Status:
PGRES_TUPLES_OK
Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: query affected rows =
2 , fields = 5
Thu Aug 2 15:43:45 2012 : Debug: rlm_sql (sql): Released sql socket id: 28
Thu Aug 2 15:43:45 2012 : Info: ++[sql] returns ok
Thu Aug 2 15:43:45 2012 : Info: ++[expiration] returns noop
Thu Aug 2 15:43:45 2012 : Info: ++[logintime] returns noop
Thu Aug 2 15:43:45 2012 : Info: WARNING: Please update your configuration,
and remove 'Auth-Type = Local'
Thu Aug 2 15:43:45 2012 : Info: WARNING: Use the PAP or CHAP modules
instead.
Thu Aug 2 15:43:45 2012 : Info: User-Password in the request is correct.
Thu Aug 2 15:43:45 2012 : Info: # Executing section post-auth from file
/netnfork/radius//etc/raddb/sites-enabled/default
Thu Aug 2 15:43:45 2012 : Info: +- entering group post-auth {...}
Thu Aug 2 15:43:45 2012 : Info: ++[exec] returns noop
Sending Access-Accept of id 225 to 127.0.0.1 port 34173
Thu Aug 2 15:43:45 2012 : Info: Finished request 14.
Thu Aug 2 15:43:45 2012 : Debug: Going to the next request
Thu Aug 2 15:43:45 2012 : Debug: Waking up in 2.9 seconds.
//*** bellow is the accounting log, I think it shouldn't present interest
rad_recv: Accounting-Request packet from host 127.0.0.1 port 41985, id=8,
length=223
ChilliSpot-Version = "1.2.9"
ChilliSpot-Attr-10 = 0x00000002
Event-Timestamp = "Aug 2 2012 15:43:44 EEST"
User-Name = "test150"
Acct-Status-Type = Start
Acct-Session-Id = "501a75b300000001"
Framed-IP-Address = 10.3.1.3
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
NAS-Port-Id = "00000001"
Calling-Station-Id = "00-25-22-83-95-C5"
Called-Station-Id = "F8-D1-11-05-93-01"
NAS-IP-Address = 10.3.1.1
NAS-Identifier = "nas-1"
WISPr-Location-ID = "isocc=,cc=,ac=,network=netNFork,"
WISPr-Location-Name = "netNFork_LAN"
Thu Aug 2 15:43:45 2012 : Info: # Executing section preacct from file
/netnfork/radius//etc/raddb/sites-enabled/default
Thu Aug 2 15:43:45 2012 : Info: +- entering group preacct {...}
Thu Aug 2 15:43:45 2012 : Info: ++[preprocess] returns ok
Thu Aug 2 15:43:45 2012 : Info: [acct_unique] Hashing 'NAS-Port =
1,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 10.3.1.1,Acct-Session-Id =
"501a75b300000001",User-Name = "test150"'
Thu Aug 2 15:43:45 2012 : Info: [acct_unique] Acct-Unique-Session-ID =
"84a01adb8bcce762".
Thu Aug 2 15:43:45 2012 : Info: ++[acct_unique] returns ok
Thu Aug 2 15:43:45 2012 : Info: [suffix] No '@' in User-Name = "test150",
looking up realm NULL
Thu Aug 2 15:43:45 2012 : Info: [suffix] No such realm "NULL"
Thu Aug 2 15:43:45 2012 : Info: ++[suffix] returns noop
Thu Aug 2 15:43:45 2012 : Info: # Executing section accounting from file
/netnfork/radius//etc/raddb/sites-enabled/default
Thu Aug 2 15:43:45 2012 : Info: +- entering group accounting {...}
Thu Aug 2 15:43:45 2012 : Info: [detail] expand: %{Packet-Src-IP-Address}
-> 127.0.0.1
Thu Aug 2 15:43:45 2012 : Info: [detail] expand:
/netnfork/radius//var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
-> /netnfork/radius//var/log/radius/radacct/127.0.0.1/detail-20120802
Thu Aug 2 15:43:45 2012 : Info: [detail]
/netnfork/radius//var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /netnfork/radius//var/log/radius/radacct/
127.0.0.1/detail-20120802
Thu Aug 2 15:43:45 2012 : Info: [detail] expand: %t -> Thu Aug 2 15:43:45
2012
Thu Aug 2 15:43:45 2012 : Info: ++[detail] returns ok
Thu Aug 2 15:43:45 2012 : Info: [sql] expand: %{User-Name} -> test150
Thu Aug 2 15:43:45 2012 : Info: [sql] sql_set_user escaped user -->
'test150'
Thu Aug 2 15:43:45 2012 : Info: [sql] expand: %{NAS-Port} -> 1
Thu Aug 2 15:43:45 2012 : Info: [sql] expand: %{Acct-Delay-Time} ->
Thu Aug 2 15:43:45 2012 : Info: [sql] ... expanding second conditional
Thu Aug 2 15:43:45 2012 : Info: [sql] expand: INSERT INTO radacct
(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,
NASPortType, AcctStartTime, AcctAuthentic, ConnectInfo_start,
CalledStationId, CallingStationId, ServiceType, FramedProtocol,
FramedIPAddress, AcctStartDelay, XAscendSessionSvrKey)
VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{NAS-IP-Address}',
%{%{NAS-Port}:-NULL}, '%{NAS-Port-Type}', ('%S'::timestamp -
'%{%{Acct-Delay-Time}:-0}'::interval), '%{Acct-Authentic}',
'%{Connect-Info}', '%{Called-Station-Id}', '%{Calling-Station-Id}',
'%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}',
'')::inet, 0, '%{X-Ascend-Session-Svr-Key}') -> INSERT INTO radacct
(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,
NASPortType, AcctStartTime, AcctAuthentic, ConnectInfo_start,
CalledStationId, CallingStationId, ServiceType, FramedProtocol,
FramedIPAddress, AcctStartDelay,
Thu Aug 2 15:43:45 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 27
Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: Status:
PGRES_COMMAND_OK
Thu Aug 2 15:43:45 2012 : Debug: rlm_sql_postgresql: query affected rows =
1
Thu Aug 2 15:43:45 2012 : Debug: rlm_sql (sql): Released sql socket id: 27
Thu Aug 2 15:43:45 2012 : Info: ++[sql] returns ok
Thu Aug 2 15:43:45 2012 : Info: [attr_filter.accounting_response] expand:
%{User-Name} -> test150
Thu Aug 2 15:43:45 2012 : Debug: attr_filter: Matched entry DEFAULT at
line 12
Thu Aug 2 15:43:45 2012 : Info: ++[attr_filter.accounting_response]
returns updated
Sending Accounting-Response of id 8 to 127.0.0.1 port 41985
Thu Aug 2 15:43:45 2012 : Info: Finished request 15.
Thu Aug 2 15:43:45 2012 : Info: Cleaning up request 15 ID 8 with timestamp
+1230
Thu Aug 2 15:43:45 2012 : Debug: Going to the next request
Thu Aug 2 15:43:45 2012 : Debug: Waking up in 2.9 seconds.
Thu Aug 2 15:43:48 2012 : Info: Cleaning up request 14 ID 225 with
timestamp +1229
Thu Aug 2 15:43:48 2012 : Info: Ready to process requests.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120802/ef9609de/attachment-0001.html>
More information about the Freeradius-Users
mailing list