Send Access-Reject when user does not match any group?

Bogdan Enache enachebogdan at gmx.com
Mon Jan 14 14:03:41 CET 2013


Hello again,

> Hi,
>> Hi,
>> Is there a way to configure FreeRadius 2.1.10 to send Access-Reject
>> on users which don't match any of the defined groups?
>>
>> I tried with:
>> DEFAULT         Group-Name !* "", Auth-Type := Reject
>>                  Reply-Message = "Account rejected.",
>>                  Fall-Through = No
>>
>> and
>>
>> DEFAULT         Group !* "", Auth-Type := Reject
>>                  Reply-Message = "Account rejected.",
>>                  Fall-Through = No
>>
>> as the last and only rule in "users" but it isn't working,
>> freeradius still sends Access-Accept, even if the user does not
>> match any groups.
> if the ONLY thing falling through to the end is incorrect stuff (i.e. you have
> already dealt with group entries correctly above so they don't fall through) then
>
> DEFAULT         Auth-Type := Reject
>                  Reply-Message = "No group defined, Request rejected!"
>
> alan
>
I've done that now but it's still not working for me, I guess I'm doing 
something wrong (clearly!)...

Here is what I get from "freeradiusd -X" (the relevant parts):

rad_recv: Access-Request packet from host 10.0.100.108 port 40592, id=172, length=118
         Service-Type = Login-User
         User-Name = "bogdan.enache"
         CHAP-Challenge = 0x4a267011731eae5eda2de655b9b87f57
         CHAP-Password = 0x00da19b2696591ba3e8644585715c52c5f
         Calling-Station-Id = "172.16.108.30"
         NAS-Identifier = "MKI"
         NAS-IP-Address = 10.0.100.108
[..........]
[files] users: Matched entry DEFAULT at line 209
++[files] returns ok
[..........]
[sql]   expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'login' ORDER BY id
[sql] User found in group login
[sql]   expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'login' ORDER BY id
rlm_sql (sql): Released sql socket id: 5
++[sql] returns ok
[..........]
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user
Failed to authenticate the user.
Login incorrect: [bogdan.enache/<CHAP-Password>] (from client MKI port 0 cli 172.16.108.30)
Using Post-Auth-Type Reject
[..........]


As you can see, it matches the rule in "users" first, and then the group 
named "login" in MySQL. There is no other match.

Here is how I defined the group in MySQL:
mysql> select * from radgroupcheck where groupname = "login";
+----+-----------+--------------+----+------------+
| id | groupname | attribute    | op | value      |
+----+-----------+--------------+----+------------+
|  2 | login     | Service-Type | == | Login-User |
+----+-----------+--------------+----+------------+
1 row in set (0.00 sec)

mysql> select * from radgroupreply where groupname = "login";
+----+-----------+--------------+----+-------+
| id | groupname | attribute    | op | value |
+----+-----------+--------------+----+-------+
| 40 | login     | Fall-Through | =  | No    |
| 32 | login     | Idle-Timeout | := | 1800  |
+----+-----------+--------------+----+-------+
2 rows in set (0.01 sec)

The user itself has only a check for "Cleartext-Password", nothing else.

I'm not sure what I'm doing wrong here...

Thanks!
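The thread above turns on how the "users" file is evaluated: entries are tried top to bottom, the first entry whose check items all hold is used, and later entries (including a trailing DEFAULT) are only consulted when the matching entry sets Fall-Through = Yes. The following is an added simulation of that behaviour, not part of the original post and not FreeRADIUS's own code. The users text, the user names (alice, mallory), the password "secret" and the requests are constructed; only the operators ==, :=, =, !* and =* are modelled, and SQL group lookups are not modelled at all.

```python
"""Simulation of FreeRADIUS-style "users" file evaluation: first matching entry
wins, later entries are only consulted when Fall-Through = Yes is set.
Added illustration, not FreeRADIUS's own code; data below is constructed."""
import re
from typing import Dict, List, Tuple

Item = Tuple[str, str, str]  # (attribute, operator, value)
# One "Attribute op value" item; a quoted value may contain commas.
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|!\*|=\*|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]*)')


def parse_items(text: str) -> List[Item]:
    """Parse a comma-separated list of check or reply items."""
    leftover = ITEM_RE.sub("", text)
    if leftover.strip(" \t,"):
        raise ValueError(f"unparseable item text: {leftover.strip()!r}")
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_users(text: str) -> List[dict]:
    """Entries start in column 0 as 'name check-items'; indented lines hold reply items."""
    entries: List[dict] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            entries[-1]["reply"].extend(parse_items(line))
        else:
            parts = line.split(None, 1)
            check = parse_items(parts[1]) if len(parts) > 1 else []
            entries.append({"name": parts[0], "check": check, "reply": []})
    return entries


def entry_matches(entry: dict, request: Dict[str, str]) -> bool:
    """DEFAULT matches any User-Name; every comparison check item must hold."""
    if entry["name"] != "DEFAULT" and entry["name"] != request.get("User-Name"):
        return False
    for attr, op, value in entry["check"]:
        present = attr in request
        if op == "==" and (not present or request[attr] != value):
            return False
        if op == "!*" and present:      # attribute must be absent from the request
            return False
        if op == "=*" and not present:  # attribute must be present in the request
            return False
        # ':=' and '=' in a check list set control items; they never fail a match
    return True


def evaluate(entries: List[dict], request: Dict[str, str]):
    """Return (names of matched entries, control items, reply items)."""
    control: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    matched: List[str] = []
    for entry in entries:
        if not entry_matches(entry, request):
            continue
        matched.append(entry["name"])
        for attr, op, value in entry["check"]:
            if op == ":=" or (op == "=" and attr not in control):
                control[attr] = value
        fall_through = False
        for attr, op, value in entry["reply"]:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            elif op == ":=" or attr not in reply:  # ':=' overrides, '=' adds if missing
                reply[attr] = value
        if not fall_through:
            break  # first match wins unless the entry explicitly falls through
    return matched, control, reply


def authenticate(entries: List[dict], request: Dict[str, str]):
    """Decide Access-Accept/Access-Reject from the control items (PAP-style check)."""
    matched, control, reply = evaluate(entries, request)
    if control.get("Auth-Type") == "Reject":
        return "Access-Reject", matched, reply
    password = control.get("Cleartext-Password")
    if password is not None and request.get("User-Password") == password:
        return "Access-Accept", matched, reply
    return "Access-Reject", matched, reply


# Constructed users file: one known user, then a catch-all deny at the end.
USERS_TEXT = """\
alice   Cleartext-Password := "secret", Service-Type == Login-User
        Idle-Timeout := 1800,
        Fall-Through = {fall_through}

DEFAULT Auth-Type := Reject
        Reply-Message = "No group defined, Request rejected!"
"""


def run_demo() -> Dict[str, Tuple[str, List[str]]]:
    """Run constructed requests; returns the outcome and the entries that matched."""
    strict = parse_users(USERS_TEXT.format(fall_through="No"))
    leaky = parse_users(USERS_TEXT.format(fall_through="Yes"))
    alice = {"User-Name": "alice", "User-Password": "secret", "Service-Type": "Login-User"}
    alice_framed = dict(alice, **{"Service-Type": "Framed-User"})
    mallory = {"User-Name": "mallory", "User-Password": "x", "Service-Type": "Login-User"}
    cases = [("alice", strict, alice), ("alice-framed", strict, alice_framed),
             ("unknown", strict, mallory), ("alice-fallthrough", leaky, alice)]
    return {label: authenticate(entries, req)[:2] for label, entries, req in cases}


if __name__ == "__main__":
    for label, (code, matched) in run_demo().items():
        print(f"{label:18} -> {code:14} matched entries: {matched}")
```

Running it shows the two behaviours the thread is about: a user whose own entry matches and ends with Fall-Through = No never reaches the trailing DEFAULT and is accepted, while an unknown user, or a known user whose check items fail (here a different Service-Type), falls to DEFAULT and is rejected. The "leaky" variant shows why Fall-Through = Yes on an earlier entry is dangerous with a catch-all reject: the DEFAULT's Auth-Type := Reject overrides and every such user is rejected.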


More information about the Freeradius-Users mailing list