Mysql, Radreply attributes are not being merged.

Waqas Toor waqasnasirtoor at gmail.com
Thu Apr 27 21:02:11 CEST 2017


had a look - side by side diffs look pretty similar (barring a few SQL
> socket calls and the radreply (!) - so, do you have something else
> lurking in the config (e.g. in your sql dialup.conf/radgroup/radreply
> queries....or in that check_lease code ?
>
> So far I cant think of anything ... One observation is that I have Nas
type as cisco for my real scenario and Nas type as other for my radtest.
check_lease is my custom binary to do dhcp lease query and update input
paramters.

Right now clueless about it. DB inserts and reads are good.




> alan
>
> On 27 April 2017 at 18:56, Waqas Toor <waqasnasirtoor at gmail.com> wrote:
> > Any help? I am using the latest version.
> >
> >
> > ---------- Forwarded message ----------
> > From: "Waqas Toor" <waqasnasirtoor at gmail.com>
> > Date: Apr 27, 2017 11:12 AM
> > Subject: Mysql, Radreply attributes are not being merged.
> > To: "FreeRadius users mailing list" <freeradius-users at lists.
> freeradius.org>
> > Cc:
> >
> > Hello,
> > I have added attributes in radreply table against the user, but they are
> > not being merged in the Access-Accept Packet.
> > Same i do with radtest utility they are being added. I am unable to
> figure
> > out what is missing.
> >
> > actual Access-Request from NAS
> > ==========================================================
> > (0) Received Access-Request Id 92 from 10.0.0.11:1645 to
> 10.12.32.61:1812
> > length 179
> > (0)   User-Name = "10.48.136.46"
> > (0)   Framed-IP-Address = 10.48.136.46
> > (0)   Cisco-Account-Info = "S10.48.136.46"
> > (0)   User-Password = "cisco"
> > (0)   Calling-Station-Id = "0/0/0/103:00-00-00-00-00-00"
> > (0)   NAS-Port-Type = Virtual
> > (0)   NAS-Port = 0
> > (0)   NAS-Port-Id = "0/0/0/103"
> > (0)   Service-Type = Outbound-User
> > (0)   NAS-IP-Address = 10.0.0.11
> > (0)   NAS-Identifier = "IDC0100ISG02.nms.itcc.com.sa"
> > (0)   Event-Timestamp = "Apr 27 2017 02:05:39 EDT"
> > (0) # Executing section authorize from file /usr/local/etc/raddb/sites-
> > enabled/default
> > (0)   authorize {
> > (0)     policy filter_username {
> > (0)       if (&User-Name) {
> > (0)       if (&User-Name)  -> TRUE
> > (0)       if (&User-Name)  {
> > (0)         if (&User-Name =~ / /) {
> > (0)         if (&User-Name =~ / /)  -> FALSE
> > (0)         if (&User-Name =~ /@[^@]*@/ ) {
> > (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> > (0)         if (&User-Name =~ /\.\./ ) {
> > (0)         if (&User-Name =~ /\.\./ )  -> FALSE
> > (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> > (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>  ->
> > FALSE
> > (0)         if (&User-Name =~ /\.$/)  {
> > (0)         if (&User-Name =~ /\.$/)   -> FALSE
> > (0)         if (&User-Name =~ /@\./)  {
> > (0)         if (&User-Name =~ /@\./)   -> FALSE
> > (0)       } # if (&User-Name)  = notfound
> > (0)     } # policy filter_username = notfound
> > (0)     [preprocess] = ok
> > (0)     [chap] = noop
> > (0)     [mschap] = noop
> > (0)     [digest] = noop
> > (0) lease_check: Executing: /usr/local/bin/leasequery %{User-Name}:
> > (0) lease_check: EXPAND %{User-Name}
> > (0) lease_check:    --> 10.48.136.46
> > (0) lease_check: Program returned code (0) and output 'User-Name :=
> > 1/0A:D824BD511480'
> > (0) lease_check: Program executed successfully
> > (0)     [lease_check] = ok
> > (0) sql: EXPAND %{User-Name}
> > (0) sql:    --> 1/0A:D824BD511480
> > (0) sql: SQL-User-Name set to '1/0A:D824BD511480'
> > rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 264
> > seconds
> > rlm_sql_mysql: Socket destructor called, closing socket
> > rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 264
> > seconds
> > rlm_sql_mysql: Socket destructor called, closing socket
> > rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 264
> > seconds
> > rlm_sql (sql): You probably need to lower "min"
> > rlm_sql_mysql: Socket destructor called, closing socket
> > rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 264
> > seconds
> > rlm_sql (sql): You probably need to lower "min"
> > rlm_sql_mysql: Socket destructor called, closing socket
> > rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 264
> > seconds
> > rlm_sql (sql): You probably need to lower "min"
> > rlm_sql_mysql: Socket destructor called, closing socket
> > rlm_sql (sql): 0 of 0 connections in use.  You  may need to increase
> "spare"
> > rlm_sql (sql): Opening additional connection (5), 1 of 32 pending slots
> used
> > rlm_sql_mysql: Starting connect to MySQL server
> > rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX
> socket,
> > server version 5.5.52-MariaDB, protocol version 10
> > rlm_sql (sql): Reserved connection (5)
> > (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
> > WHERE username = '%{SQL-User-Name}' ORDER BY id
> > (0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck
> > WHERE username = '1/0A:D824BD511480' ORDER BY id
> > (0) sql: Executing select query: SELECT id, username, attribute, value,
> op
> > FROM radcheck WHERE username = '1/0A:D824BD511480' ORDER BY id
> > (0) sql: User found in radcheck table
> > (0) sql: Conditional check items matched, merging assignment check items
> > (0) sql:   Cleartext-Password := "cisco"
> > (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
> > WHERE username = '%{SQL-User-Name}' ORDER BY id
> > (0) sql:    --> SELECT id, username, attribute, value, op FROM radreply
> > WHERE username = '1/0A:D824BD511480' ORDER BY id
> > (0) sql: Executing select query: SELECT id, username, attribute, value,
> op
> > FROM radreply WHERE username = '1/0A:D824BD511480' ORDER BY id
> > (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
> > '%{SQL-User-Name}' ORDER BY priority
> > (0) sql:    --> SELECT groupname FROM radusergroup WHERE username =
> > '1/0A:D824BD511480' ORDER BY priority
> > (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
> > username = '1/0A:D824BD511480' ORDER BY priority
> > (0) sql: User not found in any groups
> > rlm_sql (sql): Released connection (5)
> > Need 2 more connections to reach min connections (3)
> > rlm_sql (sql): Opening additional connection (6), 1 of 31 pending slots
> used
> > rlm_sql_mysql: Starting connect to MySQL server
> > rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX
> socket,
> > server version 5.5.52-MariaDB, protocol version 10
> > (0)     [sql] = ok
> > (0)     [expiration] = noop
> > (0)     [logintime] = noop
> > (0)     [pap] = updated
> > (0)   } # authorize = updated
> > (0) Found Auth-Type = PAP
> > (0) # Executing group from file /usr/local/etc/raddb/sites-
> enabled/default
> > (0)   Auth-Type PAP {
> > (0) pap: Login attempt with password
> > (0) pap: Comparing with "known good" Cleartext-Password
> > (0) pap: User authenticated successfully
> > (0)     [pap] = ok
> > (0)   } # Auth-Type PAP = ok
> > (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-
> > enabled/default
> > (0)   post-auth {
> > (0)     update {
> > (0)       No attributes updated
> > (0)     } # update = noop
> > (0) sql: EXPAND .query
> > (0) sql:    --> .query
> > (0) sql: Using query template 'query'
> > rlm_sql (sql): Reserved connection (5)
> > (0) sql: EXPAND %{User-Name}
> > (0) sql:    --> 1/0A:D824BD511480
> > (0) sql: SQL-User-Name set to '1/0A:D824BD511480'
> > (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
> > VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
> > '%{reply:Packet-Type}', '%S')
> > (0) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate)
> > VALUES ( '1/0A:D824BD511480', 'cisco', 'Access-Accept', '2017-04-27
> > 02:05:39.425995')
> > (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
> > authdate) VALUES ( '1/0A:D824BD511480', 'cisco', 'Access-Accept',
> > '2017-04-27 02:05:39.425995')
> > (0) sql: SQL query returned: success
> > (0) sql: 1 record(s) updated
> > rlm_sql (sql): Released connection (5)
> > (0)     [sql] = ok
> > (0)     [exec] = noop
> > (0)     policy remove_reply_message_if_eap {
> > (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
> > (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> > (0)       else {
> > (0)         [noop] = noop
> > (0)       } # else = noop
> > (0)     } # policy remove_reply_message_if_eap = noop
> > (0)   } # post-auth = ok
> > (0) Sent Access-Accept Id 92 from 10.12.32.61:1812 to 10.0.0.11:1645
> length
> > 0
> > (0) Finished request
> > Waking up in 4.9 seconds.
> > (0) Cleaning up request packet ID 92 with timestamp +264
> > Ready to process requests
> > ===================================================================
> >
> >
> >
> > radtest snippet
> > ==============================================================
> > Received Access-Request Id 120 from 127.0.0.1:39450 to 127.0.0.1:1812
> > length 82
> > (2)   User-Name = "10.48.136.46"
> > (2)   User-Password = "cisco"
> > (2)   NAS-IP-Address = 10.12.32.61
> > (2)   NAS-Port = 0
> > (2)   Message-Authenticator = 0xbd6028760e9fe9fcd41666ca91f382af
> > (2) # Executing section authorize from file /usr/local/etc/raddb/sites-
> > enabled/default
> > (2)   authorize {
> > (2)     policy filter_username {
> > (2)       if (&User-Name) {
> > (2)       if (&User-Name)  -> TRUE
> > (2)       if (&User-Name)  {
> > (2)         if (&User-Name =~ / /) {
> > (2)         if (&User-Name =~ / /)  -> FALSE
> > (2)         if (&User-Name =~ /@[^@]*@/ ) {
> > (2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> > (2)         if (&User-Name =~ /\.\./ ) {
> > (2)         if (&User-Name =~ /\.\./ )  -> FALSE
> > (2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> > (2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>  ->
> > FALSE
> > (2)         if (&User-Name =~ /\.$/)  {
> > (2)         if (&User-Name =~ /\.$/)   -> FALSE
> > (2)         if (&User-Name =~ /@\./)  {
> > (2)         if (&User-Name =~ /@\./)   -> FALSE
> > (2)       } # if (&User-Name)  = notfound
> > (2)     } # policy filter_username = notfound
> > (2)     [preprocess] = ok
> > (2)     [chap] = noop
> > (2)     [mschap] = noop
> > (2)     [digest] = noop
> > (2) lease_check: Executing: /usr/local/bin/leasequery %{User-Name}:
> > (2) lease_check: EXPAND %{User-Name}
> > (2) lease_check:    --> 10.48.136.46
> > (2) lease_check: Program returned code (0) and output 'User-Name :=
> > 1/0A:D824BD511480'
> > (2) lease_check: Program executed successfully
> > (2)     [lease_check] = ok
> > (2) sql: EXPAND %{User-Name}
> > (2) sql:    --> 1/0A:D824BD511480
> > (2) sql: SQL-User-Name set to '1/0A:D824BD511480'
> > rlm_sql (sql): Closing connection (8): Hit idle_timeout, was idle for 95
> > seconds
> > rlm_sql (sql): You probably need to lower "min"
> > rlm_sql_mysql: Socket destructor called, closing socket
> > rlm_sql (sql): Closing connection (7): Hit idle_timeout, was idle for 95
> > seconds
> > rlm_sql (sql): You probably need to lower "min"
> > rlm_sql_mysql: Socket destructor called, closing socket
> > rlm_sql (sql): 0 of 0 connections in use.  You  may need to increase
> "spare"
> > rlm_sql (sql): Opening additional connection (9), 1 of 32 pending slots
> used
> > rlm_sql_mysql: Starting connect to MySQL server
> > rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX
> socket,
> > server version 5.5.52-MariaDB, protocol version 10
> > rlm_sql (sql): Reserved connection (9)
> > (2) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
> > WHERE username = '%{SQL-User-Name}' ORDER BY id
> > (2) sql:    --> SELECT id, username, attribute, value, op FROM radcheck
> > WHERE username = '1/0A:D824BD511480' ORDER BY id
> > (2) sql: Executing select query: SELECT id, username, attribute, value,
> op
> > FROM radcheck WHERE username = '1/0A:D824BD511480' ORDER BY id
> > (2) sql: User found in radcheck table
> > (2) sql: Conditional check items matched, merging assignment check items
> > (2) sql:   Cleartext-Password := "cisco"
> > (2) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
> > WHERE username = '%{SQL-User-Name}' ORDER BY id
> > (2) sql:    --> SELECT id, username, attribute, value, op FROM radreply
> > WHERE username = '1/0A:D824BD511480' ORDER BY id
> > (2) sql: Executing select query: SELECT id, username, attribute, value,
> op
> > FROM radreply WHERE username = '1/0A:D824BD511480' ORDER BY id
> > (2) sql: User found in radreply table, merging reply items
> > (2) sql:   Idle-Timeout := 600
> > (2) sql:   Session-Timeout := 3600
> > (2) sql:   Cisco-Account-Info := "ABB_business_basic_0_100_50"
> > (2) sql:   Cisco-AVPair := "accounting-list=ACCNT_LIST2"
> > (2) sql:   User-Name := "1/0A:D824BD511480"
> > (2) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
> > '%{SQL-User-Name}' ORDER BY priority
> > (2) sql:    --> SELECT groupname FROM radusergroup WHERE username =
> > '1/0A:D824BD511480' ORDER BY priority
> > (2) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
> > username = '1/0A:D824BD511480' ORDER BY priority
> > (2) sql: User not found in any groups
> > rlm_sql (sql): Released connection (9)
> > Need 2 more connections to reach min connections (3)
> > rlm_sql (sql): Opening additional connection (10), 1 of 31 pending slots
> > used
> > rlm_sql_mysql: Starting connect to MySQL server
> > rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX
> socket,
> > server version 5.5.52-MariaDB, protocol version 10
> > (2)     [sql] = ok
> > (2)     [expiration] = noop
> > (2)     [logintime] = noop
> > (2)     [pap] = updated
> > (2)   } # authorize = updated
> > (2) Found Auth-Type = PAP
> > (2) # Executing group from file /usr/local/etc/raddb/sites-
> enabled/default
> > (2)   Auth-Type PAP {
> > (2) pap: Login attempt with password
> > (2) pap: Comparing with "known good" Cleartext-Password
> > (2) pap: User authenticated successfully
> > (2)     [pap] = ok
> > (2)   } # Auth-Type PAP = ok
> > (2) # Executing section post-auth from file /usr/local/etc/raddb/sites-
> > enabled/default
> > (2)   post-auth {
> > (2)     update {
> > (2)       No attributes updated
> > (2)     } # update = noop
> > (2) sql: EXPAND .query
> > (2) sql:    --> .query
> > (2) sql: Using query template 'query'
> > rlm_sql (sql): Reserved connection (9)
> > (2) sql: EXPAND %{User-Name}
> > (2) sql:    --> 1/0A:D824BD511480
> > (2) sql: SQL-User-Name set to '1/0A:D824BD511480'
> > (2) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
> > VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
> > '%{reply:Packet-Type}', '%S')
> > (2) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate)
> > VALUES ( '1/0A:D824BD511480', 'cisco', 'Access-Accept', '2017-04-27
> > 03:24:06.492079')
> > (2) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
> > authdate) VALUES ( '1/0A:D824BD511480', 'cisco', 'Access-Accept',
> > '2017-04-27 03:24:06.492079')
> > (2) sql: SQL query returned: success
> > (2) sql: 1 record(s) updated
> > rlm_sql (sql): Released connection (9)
> > (2)     [sql] = ok
> > (2)     [exec] = noop
> > (2)     policy remove_reply_message_if_eap {
> > (2)       if (&reply:EAP-Message && &reply:Reply-Message) {
> > (2)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> > (2)       else {
> > (2)         [noop] = noop
> > (2)       } # else = noop
> > (2)     } # policy remove_reply_message_if_eap = noop
> > (2)   } # post-auth = ok
> > (2) Sent Access-Accept Id 120 from 127.0.0.1:1812 to 127.0.0.1:39450
> length
> > 0
> > (2)   Idle-Timeout = 600
> > (2)   Session-Timeout = 3600
> > (2)   Cisco-Account-Info = "ABB_business_basic_0_100_50"
> > (2)   Cisco-AVPair = "accounting-list=ACCNT_LIST2"
> > (2)   User-Name = "1/0A:D824BD511480"
> > (2) Finished request
> > Waking up in 4.9 seconds.
> > (2) Cleaning up request packet ID 120 with timestamp +4971
> > Ready to process request
> > ==========================================================
> >
> >
> >
> >
> > Waqas Toor
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html


More information about the Freeradius-Users mailing list