Authorize based on Calling-Station-ID | Auth-type issue

Koos Myburgh koos at rsaweb.co.za
Fri Jan 20 14:34:21 CET 2017



Hi, 

I want to authorize subscribers based on Calling-Station-Id, but I am not sure how to correctly set the Auth-Type. For this I have commented out the pap and chap sections. 

Do I need to write unlang in the post-auth section for this? 

I have seen guys add the post-auth type to the authorize section but don't think this is right. 

Below is my debug output, where you will see it passed all checks for the subscriber but fails on Auth-Type: 

Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel 
Listening on auth address * port 1812 bound to server default 
Listening on acct address * port 1813 bound to server default 
Listening on auth address :: port 1812 bound to server default 
Listening on acct address :: port 1813 bound to server default 
Listening on proxy address * port 36949 
Listening on proxy address :: port 60842 
Ready to process requests 
(0) Received Access-Request Id 4 from 127.0.0.1:51165 to 127.0.0.1:1812 length 353 
(0) Calling-Station-Id = "27842280395" 
(0) User-Name = "nouser" 
(0) NAS-IP-Address = 10.118.200.45 
(0) NAS-Identifier = "GGPS02" 
(0) Called-Station-Id = "privateapn" 
(0) Service-Type = Framed-User 
(0) Framed-Protocol = GPRS-PDP-Context 
(0) NAS-Port-Type = Wireless-Other 
(0) 3GPP-IMSI = "655018500837935" 
(0) 3GPP-IMSI-MCC-MNC = "65501" 
(0) 3GPP-NSAPI = "5" 
(0) 3GPP-Charging-ID = 1952431649 
(0) 3GPP-Charging-Characteristics = "0800" 
(0) 3GPP-SGSN-Address = 196.46.161.205 
(0) 3GPP-GGSN-Address = 196.46.161.229 
(0) 3GPP-RAT-Type = EUTRAN 
(0) 3GPP-IMEISV = "3581780428341713" 
(0) 3GPP-Location-Info = 0x8256f510501f56f510033fc30a 
(0) 3GPP-SGSN-MCC-MNC = "65501" 
(0) 3GPP-GGSN-MCC-MNC = "65501" 
(0) 3GPP-Selection-Mode = "0" 
(0) 3GPP-MS-Time-Zone = 0x8000 
(0) 3GPP-GPRS-Negotiated-QoS-profile = "08-0406000F4240000F4240" 
(0) 3GPP-PDP-Type = 0 
(0) 3GPP-Negotiated-DSCP = 0 
(0) NAS-Port = 1441328 
(0) User-Password = "nopassword" 
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default 
(0) authorize { 
(0) policy filter_username { 
(0) if (&User-Name) { 
(0) if (&User-Name) -> TRUE 
(0) if (&User-Name) { 
(0) if (&User-Name =~ / /) { 
(0) if (&User-Name =~ / /) -> FALSE 
(0) if (&User-Name =~ /@[^@]*@/ ) { 
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE 
(0) if (&User-Name =~ /\.\./ ) { 
(0) if (&User-Name =~ /\.\./ ) -> FALSE 
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { 
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE 
(0) if (&User-Name =~ /\.$/) { 
(0) if (&User-Name =~ /\.$/) -> FALSE 
(0) if (&User-Name =~ /@\./) { 
(0) if (&User-Name =~ /@\./) -> FALSE 
(0) } # if (&User-Name) = notfound 
(0) } # policy filter_username = notfound 
(0) [preprocess] = ok 
(0) [chap] = noop 
(0) [files] = noop 
(0) sql: EXPAND %{User-Name} 
(0) sql: --> nouser 
(0) sql: SQL-User-Name set to 'nouser' 
rlm_sql (sql): Reserved connection (0) 
(0) sql: EXPAND SELECT id, CallingStationId, attribute, value, op FROM radcheck WHERE CallingStationId = '%{Calling-Station-Id}' ORDER BY id 
(0) sql: --> SELECT id, CallingStationId, attribute, value, op FROM radcheck WHERE CallingStationId = '27842280395' ORDER BY id 
(0) sql: Executing select query: SELECT id, CallingStationId, attribute, value, op FROM radcheck WHERE CallingStationId = '27842280395' ORDER BY id 
(0) sql: User found in radcheck table 
(0) sql: Conditional check items matched, merging assignment check items 
(0) sql: Cleartext-Password := "testclear" 
(0) sql: EXPAND SELECT id, CallingStationId, attribute, value, op FROM radreply WHERE CallingStationId = '%{Calling-Station-Id}' ORDER BY id 
(0) sql: --> SELECT id, CallingStationId, attribute, value, op FROM radreply WHERE CallingStationId = '27842280395' ORDER BY id 
(0) sql: Executing select query: SELECT id, CallingStationId, attribute, value, op FROM radreply WHERE CallingStationId = '27842280395' ORDER BY id 
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{Calling-Station-Id}' ORDER BY priority 
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = '27842280395' ORDER BY priority 
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '27842280395' ORDER BY priority 
(0) sql: User found in the group table 
(0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id 
(0) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'privateapn' ORDER BY id 
(0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'privateapn' ORDER BY id 
(0) sql: Group "privateapn": Conditional check items matched 
(0) sql: Group "privateapn": Merging assignment check items 
(0) sql: Pool-Name := "main_pool" 
(0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id 
(0) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'privateapn' ORDER BY id 
(0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'privateapn' ORDER BY id 
(0) sql: Group "privateapn": Merging reply items 
(0) sql: Cisco-AVPair += "ip:dns-servers=41.215.234.106 41.223.34.154" 
(0) sql: Acct-Interim-Interval := 3600 
(0) sql: Session-Timeout := 86400 
rlm_sql (sql): Released connection (0) 
rlm_sql (sql): Need 5 more connections to reach 10 spares 
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used 
rlm_sql_mysql: Starting connect to MySQL server 
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.16-0ubuntu0.16.04.1, protocol version 10 
(0) [sql] = ok 
(0) [expiration] = noop 
(0) [logintime] = noop 
(0) } # authorize = ok 
(0) WARNING: Please update your configuration, and remove 'Auth-Type = Local' 
(0) WARNING: Use the PAP or CHAP modules instead 
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject 
(0) Failed to authenticate the user 
(0) Using Post-Auth-Type Reject 
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default 
(0) Post-Auth-Type REJECT { 
(0) sql: EXPAND .query 
(0) sql: --> .query 
(0) sql: Using query template 'query' 
rlm_sql (sql): Reserved connection (1) 
(0) sql: EXPAND %{User-Name} 
(0) sql: --> nouser 
(0) sql: SQL-User-Name set to 'nouser' 
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate, callingstationid, framedipaddress) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S', '%{Calling-Station-ID}', '%{Framed-IP-Address}') 
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate, callingstationid, framedipaddress) VALUES ( 'nouser', 'nopassword', 'Access-Reject', '2017-01-20 14:14:47', '27842280395', '') 
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate, callingstationid, framedipaddress) VALUES ( 'nouser', 'nopassword', 'Access-Reject', '2017-01-20 14:14:47', '27842280395', '') 
(0) sql: SQL query returned: success 
(0) sql: 1 record(s) updated 
rlm_sql (sql): Released connection (1) 
(0) [sql] = ok 
(0) } # Post-Auth-Type REJECT = ok 
(0) Delaying response for 1.000000 seconds 
Waking up in 0.3 seconds. 
Waking up in 0.6 seconds. 
(0) Sending delayed response 
(0) Sent Access-Reject Id 4 from 127.0.0.1:1812 to 127.0.0.1:51165 length 83 
(0) Cisco-AVPair = "ip:dns-servers=41.215.234.106 41.223.34.154" 
(0) Acct-Interim-Interval = 3600 
(0) Session-Timeout = 86400 
Waking up in 3.9 seconds. 
(0) Cleaning up request packet ID 4 with timestamp +4 
Ready to process requests 
(1) Received Status-Server Id 103 from 10.0.10.25:1814 to 10.0.10.28:1813 length 68 
(1) Message-Authenticator = 0x48eb832592f3e4b940669596ed2799b6 
(1) NAS-Identifier = "Status Check. Are you alive?" 
(1) Sent Accounting-Response Id 103 from 10.0.10.28:1813 to 10.0.10.25:1814 length 0 
(1) Finished request 
Waking up in 4.9 seconds. 
(1) Cleaning up request packet ID 103 with timestamp +20 
Ready to process requests 
(2) Received Status-Server Id 238 from 10.0.10.25:1814 to 10.0.10.28:1813 length 68 
(2) Message-Authenticator = 0xed96d2625dbc44dce37c2fa22af10a1f 
(2) NAS-Identifier = "Status Check. Are you alive?" 
(2) Sent Accounting-Response Id 238 from 10.0.10.28:1813 to 10.0.10.25:1814 length 0 
(2) Finished request 
Waking up in 4.9 seconds. 
(2) Cleaning up request packet ID 238 with timestamp +53 
Ready to process requests 
(3) Received Status-Server Id 119 from 10.0.10.25:1814 to 10.0.10.28:1813 length 68 
(3) Message-Authenticator = 0x920d1b597c9940cf8adcde1203614f21 
(3) NAS-Identifier = "Status Check. Are you alive?" 
(3) Sent Accounting-Response Id 119 from 10.0.10.28:1813 to 10.0.10.25:1814 length 0 
(3) Finished request 
Waking up in 4.9 seconds. 
(3) Cleaning up request packet ID 119 with timestamp +84 
Ready to process requests 
(4) Received Accounting-Request Id 42 from 10.0.10.25:1814 to 10.0.10.28:1813 length 401 
(4) NAS-IP-Address = 41.71.86.18 
(4) NAS-Identifier = "tbepg1" 
(4) Called-Station-Id = "acme.rsaweb.mobi" 
(4) Framed-Protocol = GPRS-PDP-Context 
(4) Service-Type = Framed-User 
(4) NAS-Port-Type = Virtual 
(4) NAS-Port = 776299053 
(4) Calling-Station-Id = "27827864678" 
(4) Acct-Status-Type = Interim-Update 
(4) Framed-IP-Address = 10.254.117.6 
(4) Acct-Session-Id = "29D03603F0BF2FEC" 
(4) User-Name = "void" 
(4) Acct-Session-Time = 1145 
(4) Acct-Input-Gigawords = 0 
(4) Acct-Input-Octets = 2548 
(4) Acct-Output-Gigawords = 0 
(4) Acct-Output-Octets = 1340 
(4) Acct-Input-Packets = 12 
(4) Acct-Output-Packets = 18 
(4) Event-Timestamp = "Jan 20 2017 14:16:47 SAST" 
(4) Acct-Authentic = RADIUS 
(4) Acct-Delay-Time = 0 
(4) 3GPP-IMSI = "655103032261356" 
(4) 3GPP-Charging-ID = 4039061484 
(4) 3GPP-PDP-Type = 0 
(4) 3GPP-Charging-Gateway-Address = 0.0.0.0 
(4) 3GPP-SGSN-Address = 41.208.54.246 
(4) 3GPP-GGSN-Address = 41.208.54.3 
(4) 3GPP-IMSI-MCC-MNC = "65510" 
(4) 3GPP-GGSN-MCC-MNC = "65510" 
(4) 3GPP-NSAPI = "6" 
(4) 3GPP-Selection-Mode = "0" 
(4) 3GPP-Charging-Characteristics = "0400" 
(4) 3GPP-SGSN-MCC-MNC = "65510" 
(4) 3GPP-IMEISV = "3592020767651207" 
(4) 3GPP-RAT-Type = UTRAN 
(4) 3GPP-Location-Info = 0x0156f5012b144a0d 
(4) 3GPP-MS-Time-Zone = 0x8000 
(4) Proxy-State = 0x313739 
(4) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default 
(4) preacct { 
(4) [preprocess] = ok 
(4) policy acct_unique { 
(4) update request { 
(4) Tmp-String-9 := "ai:" 
(4) } # update request = noop 
(4) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { 
(4) EXPAND %{hex:&Class} 
(4) --> 
(4) EXPAND ^%{hex:&Tmp-String-9} 
(4) --> ^61693a 
(4) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE 
(4) else { 
(4) update request { 
(4) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} 
(4) --> 6c48feca7d893fffd008865d6abc5548 
(4) &Acct-Unique-Session-Id := 6c48feca7d893fffd008865d6abc5548 
(4) } # update request = noop 
(4) } # else = noop 
(4) } # policy acct_unique = noop 
(4) suffix: Checking for suffix after "@" 
(4) suffix: No '@' in User-Name = "void", looking up realm NULL 
(4) suffix: No such realm "NULL" 
(4) [suffix] = noop 
(4) [files] = noop 
(4) } # preacct = ok 
(4) # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default 
(4) accounting { 
(4) detail: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d 
(4) detail: --> /usr/local/var/log/radius/radacct/10.0.10.25/detail-20170120 
(4) detail: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.0.10.25/detail-20170120 
(4) detail: EXPAND %t 
(4) detail: --> Fri Jan 20 14:16:47 2017 
(4) [detail] = ok 
(4) [unix] = noop 
rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 124 seconds 
rlm_sql_mysql: Socket destructor called, closing socket 
rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 124 seconds 
rlm_sql_mysql: Socket destructor called, closing socket 
rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 124 seconds 
rlm_sql_mysql: Socket destructor called, closing socket 
rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 120 seconds 
rlm_sql (sql): You probably need to lower "min" 
rlm_sql_mysql: Socket destructor called, closing socket 
rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 120 seconds 
rlm_sql (sql): You probably need to lower "min" 
rlm_sql_mysql: Socket destructor called, closing socket 
rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 120 seconds 
rlm_sql (sql): You probably need to lower "min" 
rlm_sql_mysql: Socket destructor called, closing socket 
rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" 
rlm_sql (sql): Opening additional connection (6), 1 of 32 pending slots used 
rlm_sql_mysql: Starting connect to MySQL server 
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.16-0ubuntu0.16.04.1, protocol version 10 
rlm_sql (sql): Reserved connection (6) 
(4) sqlippool: EXPAND %{User-Name} 
(4) sqlippool: --> void 
(4) sqlippool: SQL-User-Name set to 'void' 
(4) sqlippool: EXPAND START TRANSACTION 
(4) sqlippool: --> START TRANSACTION 
(4) sqlippool: Executing query: START TRANSACTION 
(4) sqlippool: EXPAND UPDATE radippool SET expiry_time = NOW() + INTERVAL 86400 SECOND WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{Calling-Station-Id}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}' 
(4) sqlippool: --> UPDATE radippool SET expiry_time = NOW() + INTERVAL 86400 SECOND WHERE nasipaddress = '41.71.86.18' AND pool_key = '27827864678' AND username = 'void' AND callingstationid = '27827864678' AND framedipaddress = '10.254.117.6' 
(4) sqlippool: Executing query: UPDATE radippool SET expiry_time = NOW() + INTERVAL 86400 SECOND WHERE nasipaddress = '41.71.86.18' AND pool_key = '27827864678' AND username = 'void' AND callingstationid = '27827864678' AND framedipaddress = '10.254.117.6' 
rlm_sql_mysql: Rows matched: 1 Changed: 1 Warnings: 0 
(4) sqlippool: EXPAND COMMIT 
(4) sqlippool: --> COMMIT 
(4) sqlippool: Executing query: COMMIT 
rlm_sql (sql): Released connection (6) 
rlm_sql (sql): Need 2 more connections to reach 10 spares 
rlm_sql (sql): Opening additional connection (7), 1 of 31 pending slots used 
rlm_sql_mysql: Starting connect to MySQL server 
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.16-0ubuntu0.16.04.1, protocol version 10 
(4) [sqlippool] = ok 
(4) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query} 
(4) sql: --> type.interim-update.query 
(4) sql: Using query template 'query' 
rlm_sql (sql): Reserved connection (6) 
(4) sql: EXPAND %{User-Name} 
(4) sql: --> void 
(4) sql: SQL-User-Name set to 'void' 
(4) sql: EXPAND UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' 
(4) sql: --> UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(1484914607), acctinterval = 1484914607 - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '10.254.117.6', acctsessiontime = 1145, acctinputoctets = '0' << 32 | '2548', acctoutputoctets = '0' << 32 | '1340' WHERE AcctUniqueId = '6c48feca7d893fffd008865d6abc5548' 
(4) sql: Executing query: UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(1484914607), acctinterval = 1484914607 - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '10.254.117.6', acctsessiontime = 1145, acctinputoctets = '0' << 32 | '2548', acctoutputoctets = '0' << 32 | '1340' WHERE AcctUniqueId = '6c48feca7d893fffd008865d6abc5548' 
rlm_sql_mysql: Rows matched: 1 Changed: 1 Warnings: 0 
(4) sql: SQL query returned: success 
(4) sql: 1 record(s) updated 
rlm_sql (sql): Released connection (6) 
(4) [sql] = ok 
(4) [exec] = noop 

Thanks in advance! 

Kind Regards
Koos Myburgh
Network Engineer
RSAWEB Internet Services

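What the debug above shows is that the rlm_sql lookup keyed on Calling-Station-Id succeeded and merged `Cleartext-Password := "testclear"` into the control list, but with `pap` commented out of `authorize` nothing turns that check item into an `Auth-Type`, so the request falls through to "No Auth-Type found" and is rejected in `Post-Auth-Type REJECT`. The following is an added example of how the `authorize` and `authenticate` sections of `sites-enabled/default` could be written for this case; it is not code from the original post or from the FreeRADIUS project. It assumes FreeRADIUS 3.0 unlang syntax and the customised radcheck/radreply queries keyed on `Calling-Station-Id` that appear in the debug; the module names and return codes (`ok`, `notfound`) are the stock ones.

```unlang
#  Added example (not from the original post): authorize/authenticate for a
#  FreeRADIUS 3.0 virtual server that admits subscribers on the
#  Calling-Station-Id returned by the customised rlm_sql queries.
authorize {
    filter_username
    preprocess
    chap

    #  rlm_sql runs the Calling-Station-Id keyed radcheck/radreply queries.
    #  It returns "ok" when a row matched and "notfound" when none did, so an
    #  unknown MSISDN is rejected here, before any Auth-Type decision.
    sql
    if (ok) {
        #  Option B (the situation in the post): User-Name / User-Password
        #  are placeholders ("nouser" / "nopassword"), so the only thing
        #  being checked is that the MSISDN exists in radcheck.
        #  Auth-Type := Accept short-circuits the authenticate section
        #  entirely.  It has to be set here, in authorize: post-auth runs
        #  after the accept/reject decision has already been made, which
        #  is why adding a Post-Auth-Type to authorize does not help.
        update control {
            &Auth-Type := Accept
        }
    }
    else {
        reject
    }

    #  Option A: if the NAS sends a real password, delete the "update
    #  control" above and re-enable pap instead.  pap sets Auth-Type := PAP
    #  when it sees both a Cleartext-Password in control and a
    #  User-Password in the request; the comparison then happens in
    #  authenticate below.
    #pap

    expiration
    logintime
}

authenticate {
    #  Needed only for Option A.
    Auth-Type PAP {
        pap
    }
}
```

Two caveats worth keeping in mind with Option B. First, `Auth-Type := Accept` means the `Cleartext-Password` row in radcheck is never compared against anything; the whole decision rests on the GGSN asserting the subscriber's MSISDN in `Calling-Station-Id`, so this is authorization by identifier rather than authentication, and `clients.conf` should be restricted to the GGSN addresses with a strong shared secret. Second, the stock post-auth query seen in the debug writes the `User-Password` value in clear into `radpostauth.pass`; once the password carries no meaning there is no reason to keep logging it.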

More information about the Freeradius-Users mailing list