Send Access-Reject when user does not match any group?

Bogdan Enache enachebogdan at gmx.com
Tue Jan 15 10:47:52 CET 2013


Hi, I tried something else today.

I created in SQL a group named "disabled", with no check items, only a 
Reply-Message.
I put a user in that group.
I put a rule in the "users" file (commenting everything else out):

DEFAULT Group == "disabled", Auth-Type := Reject
         Reply-Message := "Your account has been disabled.",
         Fall-Through := No

But it isn't working, freeradius sends Access-Accept because it does not 
match the rule in the "users" file. The group in SQL is matched. 
Attaching related output:

rad_recv: Access-Request packet from host 10.0.100.108 port 50995, 
id=72, length=118
         Service-Type = Login-User
         User-Name = "bogdan.enache"
         CHAP-Challenge = 0x737b6524979d8782cb9615dab30a99d1
         CHAP-Password = 0x005eaa980bfb70736d8f9028506f462f11
         Calling-Station-Id = "172.16.108.30"
         NAS-Identifier = "MKI"
         NAS-IP-Address = 10.0.100.108
[..........]
[sql]   expand: %{User-Name} -> bogdan.enache
[sql] sql_set_user escaped user --> 'bogdan.enache'
rlm_sql (sql): Reserving sql socket id: 6
[..........]
[sql]   expand: SELECT id, groupname, attribute,           Value, 
op           FROM radgroupcheck           WHERE groupname = 
'%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, 
attribute,           Value, op           FROM radgroupcheck           
WHERE groupname = 'disabled' ORDER BY id
[sql] User found in group disabled
[sql]   expand: SELECT id, groupname, attribute,           value, 
op           FROM radgroupreply           WHERE groupname = 
'%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, 
attribute,           value, op           FROM radgroupreply           
WHERE groupname = 'disabled' ORDER BY id
rlm_sql (sql): Released sql socket id: 6
++[sql] returns ok
++[files] returns noop
[..........]
Login OK: [bogdan.enache/<CHAP-Password>] (from client MKI port 0 cli 
172.16.108.30)

And mind you, this is an example from the freeradius wiki: 
http://wiki.freeradius.org/guide/faq#How-do-I-deny-access-to-a-specific-user,-or-group-of-users?

What is wrong here?

Note: If I eliminate the Group check requirement the "files" module 
matches (and sends Access-Reject), so the file is processed. But clearly 
the Group check isn't working...

Thanks!


On 14.01.2013 15:43, Bogdan Enache wrote:
> Hi,
>
> On 14.01.2013 15:17, A.L.M.Buxey at lboro.ac.uk wrote:
>> Hi,
>>
>>> As you can see, it matches the rule in "users" first, and then the
>>> group named "login" in MySQL. There is no other match.
>> because that's the order that you have them run in.... how can the users
>> file know anything about the groups if you are doing the groups AFTER
>> the users file?  change the order or put some other configuration into
>> place - e.g. use unlang after the sql section to check for group and if 
>> one
>> doesn't exist then reject - man unlang
>>
>
> I already tried that, I put "sql" before "files" in "authorize" 
> section in both "default" and "inner-tunnel":
>
> [sql]   expand: %{User-Name} -> bogdan.enache
> [sql] sql_set_user escaped user --> 'bogdan.enache'
> rlm_sql (sql): Reserving sql socket id: 5
> [sql]   expand: SELECT id, username, attribute, value, op FROM 
> radcheck           WHERE username = '%{SQL-User-Name}' ORDER BY id -> 
> SELECT id, username, attribute, value, op           FROM 
> radcheck           WHERE username = 'bogdan.enache'           ORDER BY id
> [sql] User found in radcheck table
> [sql]   expand: SELECT id, username, attribute, value, op FROM 
> radreply           WHERE username = '%{SQL-User-Name}' ORDER BY id -> 
> SELECT id, username, attribute, value, op           FROM 
> radreply           WHERE username = 'bogdan.enache'           ORDER BY id
> [sql]   expand: SELECT groupname           FROM radusergroup           
> WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT 
> groupname           FROM radusergroup           WHERE username = 
> 'bogdan.enache' ORDER BY priority
> [sql]   expand: SELECT id, groupname, attribute,           Value, 
> op           FROM radgroupcheck           WHERE groupname = 
> '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, 
> attribute,           Value, op           FROM radgroupcheck           
> WHERE groupname = 'login'           ORDER BY id
> [sql] User found in group login
> [sql]   expand: SELECT id, groupname, attribute,           value, 
> op           FROM radgroupreply           WHERE groupname = 
> '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, 
> attribute,           value, op           FROM radgroupreply           
> WHERE groupname = 'login'           ORDER BY id
> rlm_sql (sql): Released sql socket id: 5
> ++[sql] returns ok
> [files] users: Matched entry DEFAULT at line 209
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING: Auth-Type already set.  Not setting to PAP
> ++[pap] returns noop
> Found Auth-Type = Reject
> Auth-Type = Reject, rejecting user
>
> Still rejecting.
>
> Thank you.
>
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
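For anyone triaging the same situation, here is a small parser for the "radiusd -X" lines quoted in this thread. It is an added example, not code from the thread or from the FreeRADIUS project. The two trace excerpts are constructed from the lines quoted above (the elided parts are left out), and the line formats it recognises ("User found in group", "Matched entry ... at line", "++[module] returns rcode", "Found Auth-Type", "Login OK:", "Auth-Type = Reject, rejecting user") are exactly the ones that appear in the thread. It reports which SQL group rlm_sql matched, whether rlm_files applied any users-file entry, each module's return code and the final decision. That is the distinction at issue here: in the first trace sql matched the group but files returned noop, so no entry from the "users" file (and therefore no Auth-Type := Reject) was ever applied, and the request was accepted.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample excerpts, modelled on the "radiusd -X" lines quoted in
# the thread; the "[..........]" sections are omitted.  Not real captures.
ACCEPT_TRACE = """\
[sql]   expand: %{User-Name} -> bogdan.enache
[sql] sql_set_user escaped user --> 'bogdan.enache'
[sql] User found in group disabled
++[sql] returns ok
++[files] returns noop
Login OK: [bogdan.enache/<CHAP-Password>] (from client MKI port 0 cli 172.16.108.30)
"""

REJECT_TRACE = """\
[sql]   expand: %{User-Name} -> bogdan.enache
[sql] User found in radcheck table
[sql] User found in group login
++[sql] returns ok
[files] users: Matched entry DEFAULT at line 209
++[files] returns ok
++[expiration] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user
"""

# Line shapes taken from the debug output in the thread.
USER_RE = re.compile(r"^\[sql\]\s+expand: %\{User-Name\} -> (\S+)")
GROUP_RE = re.compile(r"^\[sql\] User found in group (\S+)")
ENTRY_RE = re.compile(r"^\[files\] users: Matched entry (\S+) at line (\d+)")
RCODE_RE = re.compile(r"^\++\[([^\]]+)\] returns (\S+)")
AUTHTYPE_RE = re.compile(r"^Found Auth-Type = (\S+)")
LOGIN_OK_RE = re.compile(r"^Login OK: \[([^/\]]+)")
LOGIN_BAD_RE = re.compile(r"^(Auth-Type = Reject, rejecting user|Login incorrect)")


@dataclass
class AuthorizeTrace:
    user: Optional[str] = None
    sql_groups: List[str] = field(default_factory=list)          # groups rlm_sql matched
    users_entries: List[Tuple[str, int]] = field(default_factory=list)  # (entry, line) from rlm_files
    module_rcodes: Dict[str, str] = field(default_factory=dict)  # last rcode seen per module
    auth_type: Optional[str] = None
    outcome: Optional[str] = None   # "accept", "reject" or None if not seen


def parse_trace(text: str) -> AuthorizeTrace:
    """Pull out of a debug trace the facts that matter for this kind of question:
    the user, which SQL groups were matched, which users-file entries were applied,
    each module's return code, and the final decision."""
    t = AuthorizeTrace()
    for raw in text.splitlines():
        line = raw.strip()
        if m := USER_RE.match(line):
            t.user = m.group(1)
        elif m := GROUP_RE.match(line):
            t.sql_groups.append(m.group(1))
        elif m := ENTRY_RE.match(line):
            t.users_entries.append((m.group(1), int(m.group(2))))
        elif m := RCODE_RE.match(line):
            t.module_rcodes[m.group(1)] = m.group(2)
        elif m := AUTHTYPE_RE.match(line):
            t.auth_type = m.group(1)
        elif LOGIN_OK_RE.match(line):
            t.outcome = "accept"
        elif LOGIN_BAD_RE.match(line):
            t.outcome = "reject"
    return t


def diagnose(t: AuthorizeTrace) -> str:
    """Classify the trace.  The second case is the one in the thread: rlm_sql
    matched a group, but rlm_files returned noop, so no users-file entry was
    applied and the request went on to be accepted."""
    files_rc = t.module_rcodes.get("files")
    if t.users_entries and t.auth_type == "Reject":
        return "rejected by users-file entry"
    if t.sql_groups and files_rc == "noop" and t.outcome == "accept":
        return "sql group matched but no users-file entry applied"
    if t.outcome == "accept":
        return "accepted"
    if t.outcome == "reject":
        return "rejected"
    return "no decision in trace"


if __name__ == "__main__":
    for name, trace in (("accept", ACCEPT_TRACE), ("reject", REJECT_TRACE)):
        parsed = parse_trace(trace)
        print(name, parsed.user, parsed.sql_groups, parsed.users_entries,
              "files ->", parsed.module_rcodes.get("files"), "|", diagnose(parsed))
```

Run it against a saved "radiusd -X" transcript instead of the embedded samples to see, per request, whether the group match in sql ever turned into a matched entry in files; the "++[files] returns noop" line is the one to watch.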



More information about the Freeradius-Users mailing list