How to reject when user is not in the appropriate Huntgroup for site?
Jeroen Bosch
jeroen.bosch at netyce.com
Thu Sep 11 17:50:46 CEST 2014
Dear Alan,
Thank you for your response, I feel really bad bothering everybody on the
list with these basic questions but for some reason it just doesn't work
yet:
I do have the "sql" module listed in the "authorize" section, when I log in
with the test user (which is in the Huntgroup) I get the following response:
rad_recv: Access-Request packet from host 192.168.56.2 port 55666, id=170,
length=63
User-Name = "test"
User-Password = "radius"
NAS-Identifier = "TESTRN01701"
NAS-IP-Address = 192.168.56.2
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
sql_xlat
expand: %{User-Name} -> test
sql_set_user escaped user --> 'test'
expand: SELECT groupname FROM radhuntgroup WHERE
nasipaddress='%{NAS-IP-Address}' -> SELECT groupname FROM radhuntgroup
WHERE nasipaddress='192.168.56.2'
rlm_sql (sql): Reserving sql socket id: 0
sql_xlat finished
rlm_sql (sql): Released sql socket id: 0
expand: %{sql:SELECT groupname FROM radhuntgroup WHERE
nasipaddress='%{NAS-IP-Address}'} -> site_a
++[reply] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'test' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'test' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username = 'test'
ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'site_a_admins'
ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "radius"
[pap] Using clear text password "radius"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[reply_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d ->
/var/log/radius/radacct/192.168.56.2/reply-detail-20140911
[reply_log]
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to
/var/log/radius/radacct/192.168.56.2/reply-detail-20140911
[reply_log] expand: %t -> Thu Sep 11 02:27:31 2014
++[reply_log] returns ok
Sending Access-Accept of id 170 to 192.168.56.2 port 55666
Juniper-Local-User-Name := "super-users"
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 170 with timestamp +192
Ready to process requests.
When I try to log on with the test2 user (which is not in the Huntgroup) I
get the following:
rad_recv: Access-Request packet from host 192.168.56.2 port 59531, id=109,
length=64
User-Name = "test2"
User-Password = "radius"
NAS-Identifier = "TESTRN01701"
NAS-IP-Address = 192.168.56.2
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
sql_xlat
expand: %{User-Name} -> test2
sql_set_user escaped user --> 'test2'
expand: SELECT groupname FROM radhuntgroup WHERE
nasipaddress='%{NAS-IP-Address}' -> SELECT groupname FROM radhuntgroup
WHERE nasipaddress='192.168.56.2'
rlm_sql (sql): Reserving sql socket id: 3
sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
expand: %{sql:SELECT groupname FROM radhuntgroup WHERE
nasipaddress='%{NAS-IP-Address}'} -> site_a
++[reply] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] expand: %{User-Name} -> test2
[sql] sql_set_user escaped user --> 'test2'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'test2' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'test2' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username = 'test2'
ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "radius"
[pap] Using clear text password "radius"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[reply_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d ->
/var/log/radius/radacct/192.168.56.2/reply-detail-20140911
[reply_log]
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to
/var/log/radius/radacct/192.168.56.2/reply-detail-20140911
[reply_log] expand: %t -> Thu Sep 11 02:30:39 2014
++[reply_log] returns ok
Sending Access-Accept of id 109 to 192.168.56.2 port 59531
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 109 with timestamp +380
Ready to process requests.
Thanks in advance!
Kind regards,
Jeroen Bosch
Design Driven Networking - Smarter, better, controllable networks
Jeroen Bosch | Developer
Business Centre Leeuwenveldseweg 5n, 1382 LV Weesp, NL
m: +31 6 22768473 | t: +31 20 894 3412
jeroen.bosch at netyce.com | www.netyce.com
On Thu, Sep 11, 2014 at 5:39 PM, Alan DeKok <aland at deployingradius.com>
wrote:
> Jeroen Bosch wrote:
> > If I understand the guide correctly only the test user should be able to
> > logon to site_a, however I am also granted access using my test2 user
> > credentials: did I overlook something? Again, thanks in advance!
>
> You also need to list the "sql" module in the "authorize" section.
>
> And run the server in debugging mode to see what it's doing. Really.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
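Added example, not from this thread or from FreeRADIUS itself: a small Python audit over "radiusd -X" output that pairs each request's NAS huntgroup with the SQL groups rlm_sql matched for the user, and flags every Access-Accept where no group belongs to that site, which is exactly what separates the two runs above (test matched site_a_admins, test2 matched nothing). The site policy (a group grants a site when its name equals or is prefixed by the huntgroup name) is an assumption for illustration, and the debug excerpt is constructed from the lines quoted above.

```python
import re

# Constructed excerpt of the "radiusd -X" output quoted in this thread, cut down
# to the lines the audit reads; real output has one line per expansion.
DEBUG = """\
rad_recv: Access-Request packet from host 192.168.56.2 port 55666, id=170, length=63
        User-Name = "test"
expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} -> site_a
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'site_a_admins' ORDER BY id
Sending Access-Accept of id 170 to 192.168.56.2 port 55666
rad_recv: Access-Request packet from host 192.168.56.2 port 59531, id=109, length=64
        User-Name = "test2"
expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} -> site_a
Sending Access-Accept of id 109 to 192.168.56.2 port 59531
"""

RE_REQ = re.compile(r"^rad_recv: Access-Request .*\bid=(\d+)")
RE_USER = re.compile(r'^\s*User-Name = "([^"]*)"')
RE_HUNT = re.compile(r"radhuntgroup WHERE nasipaddress='[^']*'\} -> (\S+)$")
RE_GROUP = re.compile(r"radgroupcheck WHERE groupname = '([^'%]+)'")  # skips unexpanded %{Sql-Group}
RE_ACCEPT = re.compile(r"^Sending Access-Accept of id (\d+)")

def parse_requests(debug):
    """One record per Access-Request: user, NAS huntgroup, SQL groups matched, outcome."""
    reqs, cur = [], None
    for line in debug.splitlines():
        if m := RE_REQ.match(line):
            cur = {"id": int(m.group(1)), "user": None, "huntgroup": None, "groups": [], "accepted": False}
            reqs.append(cur)
        elif cur is None:
            continue
        elif m := RE_USER.match(line):
            cur["user"] = m.group(1)
        elif m := RE_HUNT.search(line):
            cur["huntgroup"] = m.group(1)          # huntgroup the NAS resolved to
        elif RE_ACCEPT.match(line):
            cur["accepted"] = True
        else:
            cur["groups"] += RE_GROUP.findall(line)  # radusergroup rows rlm_sql walked
    return reqs

def allowed_for_site(huntgroup, groups):
    """Assumed policy (not from the thread): a group grants the site when it equals the
    huntgroup ('site_a') or is prefixed by it ('site_a_admins'); no huntgroup means deny."""
    return bool(huntgroup) and any(g == huntgroup or g.startswith(huntgroup + "_") for g in groups)

def audit(debug):
    """(id, user, huntgroup) for each Access-Accept the site policy would have rejected."""
    return [(r["id"], r["user"], r["huntgroup"]) for r in parse_requests(debug)
            if r["accepted"] and not allowed_for_site(r["huntgroup"], r["groups"])]
```

Running audit(DEBUG) reports only request 109 (user test2, huntgroup site_a), the accept the thread is asking how to turn into a reject.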