Postgresql groupreply problem
Alan DeKok
aland at deployingradius.com
Mon Aug 31 14:30:54 CEST 2015
On Aug 31, 2015, at 4:15 AM, georg at wojti.de wrote:
> I want to change the user MAC-authentication with an HP-Switch from the users-file to postgresql. The first thing is that I have some lines which check whether it is a Call-Check or not. If not, then the radius has to reject this. But I think it's ok if I put this into the users-file. I have written the Cleartext-Password in this file, too, because I get a chap error (chap: ERROR: &control:Cleartext-Password is required for authentication) when I put this into the database.
The server doesn't care where it gets the Cleartext-Password from. It doesn't matter if it's in a database, or in the "users" file.
> At the moment my configuration looks like this:
>
> -------------- users file --------------
> DEFAULT Service-Type != Call-Check, Auth-Type := Reject
>         Fall-Through = Yes
You should delete that "Fall-Through". It does nothing useful.
> DEFAULT Cleartext-Password := "xxxXXXxxx"
>         Fall-Through = Yes
>
> DEFAULT
>         Egress-VLANID := 0x3200005C #<-- check in server.conf; reject if it's the same
Why is this entry here? It ALWAYS matches ALL incoming requests. So... you'll always reject all requests.
That doesn't make any sense.
> -------------- server.conf --------------
> ...
> authorize {
>         suffix
>         if (Realm != "NULL") {
>                 reject
>         }
>         chap
>         files.sw-hp-mac-v3
>         sql.sw-hp-mac-v3
>         if (reply:Egress-VLANID == "0x3200005C") {
>                 reject
>         }
> }
That should do something. Depending on what you want, it might do the right thing.
>
> -------------- Database --------------
> (Hope that the format is ok. The tables radreply and radgroupcheck are empty)
>
> +----------------------------------------------------------------------+
> | radcheck                                                             |
> +----+-------------------+--------------------+----+-------------------+
> | id | username          | attribute          | op | value             |
> +----+-------------------+--------------------+----+-------------------+
> | 0  | 00:11:22:33:44:55 | Calling-Station-Id | == | 00-11-22-33-44-55 |
> +----+-------------------+--------------------+----+-------------------+
Which does nothing other than check the Calling-Station-Id. It does NOT add a Cleartext-Password.
> +-----------------------------------------------+
> | radusergroup                                  |
> +----+-------------------+-----------+----------+
> | id | username          | groupname | priority |
> +----+-------------------+-----------+----------+
> | 0  | 00:11:22:33:44:55 | abc       | 0        |
> +----+-------------------+-----------+----------+
>
> +--------------------------------------------------+
> | radgroupreply                                    |
> +----+-----------+---------------+----+------------+
> | id | groupname | attribute     | op | value      |
> +----+-----------+---------------+----+------------+
> | 0  | abc       | Egress-VLANID | := | 0x320000E0 |
> +----+-----------+---------------+----+------------+
>
> The main problem is that FreeRADIUS does not insert the GroupName in the sql-commands and so there is no correct reply.
Because the radgroupcheck is empty.
If you want to know how the SQL module works, go to the wiki, and search for "rlm_sql". It has an entire page devoted to explaining exactly how the module works, including processing of radcheck / radreply, and radgroupcheck / radgroupreply.
i.e. this is documented. Read the documentation, and you will fix the problem.
Alan DeKok.
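The lookup order the reply points at (radcheck, then radusergroup, then radgroupcheck and radgroupreply per group) is easy to reason about once it is written down. The following is an added example, not FreeRADIUS code and not the module's queries.conf: it is a toy model of that walk over an in-memory SQLite copy of the tables as posted, with the SQL constructed here. It shows two things from the thread. First, the posted radcheck row only compares Calling-Station-Id, so the control list ends up with no Cleartext-Password, which is the state the chap module complains about. Second, with an empty radgroupcheck the group contributes nothing, so the Egress-VLANID reply never appears; the model treats "at least one matching radgroupcheck row" as the gate, which is a modelling assumption that matches the reply above and should be checked against the rlm_sql documentation for the version in use. The password value and the Service-Type check row are constructed placeholders.

```python
"""Toy model of the radcheck -> radusergroup -> radgroupcheck -> radgroupreply
lookup. Added example only: the queries below are constructed here and are
not rlm_sql's queries.conf. Table data is a constructed copy of the thread."""
import sqlite3

SCHEMA = """
CREATE TABLE radcheck      (id INTEGER, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup  (id INTEGER, username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (id INTEGER, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (id INTEGER, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
"""

MAC = "00:11:22:33:44:55"

# Constructed copy of the rows posted in the thread.
POSTED_ROWS = {
    "radcheck":      [(0, MAC, "Calling-Station-Id", "==", "00-11-22-33-44-55")],
    "radusergroup":  [(0, MAC, "abc", 0)],
    "radgroupcheck": [],
    "radgroupreply": [(0, "abc", "Egress-VLANID", ":=", "0x320000E0")],
}

# Same data plus the two rows the reply says are missing: a Cleartext-Password
# control item in radcheck, and a check item in radgroupcheck so the group is
# evaluated. Both values are constructed placeholders.
FIXED_ROWS = {
    "radcheck":      POSTED_ROWS["radcheck"] + [(1, MAC, "Cleartext-Password", ":=", "example-password")],
    "radusergroup":  POSTED_ROWS["radusergroup"],
    "radgroupcheck": [(0, "abc", "Service-Type", "==", "Call-Check")],
    "radgroupreply": POSTED_ROWS["radgroupreply"],
}

# Constructed MAC-authentication request, as a switch doing Call-Check sends it.
CALL_CHECK_REQUEST = {
    "User-Name": MAC,
    "Calling-Station-Id": "00-11-22-33-44-55",
    "Service-Type": "Call-Check",
}


def open_db(rows):
    """In-memory SQLite stand-in for the PostgreSQL tables."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for table, items in rows.items():
        for item in items:
            marks = ",".join("?" * len(item))
            db.execute(f"INSERT INTO {table} VALUES ({marks})", item)
    return db


def checks_pass(items, request):
    """'==' rows are comparisons against the request; ':=' rows set control items."""
    return all(request.get(attr) == value for attr, op, value in items if op == "==")


def resolve(rows, request):
    """Return the control and reply items the table walk produces for one request."""
    db = open_db(rows)
    user = request["User-Name"]
    control, reply = {}, {}

    user_checks = db.execute(
        "SELECT attribute, op, value FROM radcheck WHERE username = ? ORDER BY id", (user,)).fetchall()
    if user_checks and not checks_pass(user_checks, request):
        return {"found": False, "control": control, "reply": reply}
    control.update((attr, value) for attr, op, value in user_checks if op == ":=")
    found = bool(user_checks)

    groups = db.execute(
        "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority", (user,)).fetchall()
    for (group,) in groups:
        group_checks = db.execute(
            "SELECT attribute, op, value FROM radgroupcheck WHERE groupname = ? ORDER BY id", (group,)).fetchall()
        # Modelling assumption: a group contributes reply items only when it has at least
        # one radgroupcheck row and every '==' row matches the request. With radgroupcheck
        # empty the group is skipped, which is the behaviour the reply in the thread describes.
        if not group_checks or not checks_pass(group_checks, request):
            continue
        found = True
        control.update((attr, value) for attr, op, value in group_checks if op == ":=")
        for attr, op, value in db.execute(
                "SELECT attribute, op, value FROM radgroupreply WHERE groupname = ? ORDER BY id", (group,)):
            reply[attr] = value
    return {"found": found, "control": control, "reply": reply}


def has_password(result):
    """The question the chap module effectively asks: is Cleartext-Password in the control list?"""
    return "Cleartext-Password" in result["control"]


if __name__ == "__main__":
    for label, rows in (("posted", POSTED_ROWS), ("fixed", FIXED_ROWS)):
        print(label, resolve(rows, CALL_CHECK_REQUEST))
```

Running it with the posted rows gives an empty control list and an empty reply; with the two added rows the control list carries the password and the reply carries Egress-VLANID from radgroupreply. A request whose Service-Type is not Call-Check fails the group's check row and gets no VLAN, which is the same gate the users file enforces with its first DEFAULT entry.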