Freeradius3 + SQL -> radusergroup check is not matched
Martin Bednar
mato.bednar at gmail.com
Mon May 15 16:17:01 CEST 2017
Hello Allan,
many thanks for the help. To be honest, I believe that for me it would be
easier to make it work with the tables and queries already in place, so if
you don't mind I'd just like to double-check what I am not
understanding well from the rlm_sql documentation.
-->Search the radcheck table for any check attributes specific to the user
-->If check attributes are found, and there's a match, pull the reply
items from the radreply table for this user and add them to the reply
In my case it is the password:
MariaDB [radius]> select * from radcheck where username = "miro";
+----+----------+--------------------+----+-------+
| id | username | attribute          | op | value |
+----+----------+--------------------+----+-------+
|  7 | miro     | Cleartext-Password | := | miro  |
+----+----------+--------------------+----+-------+
Nothing is in the radreply table:
MariaDB [radius]> select * from radreply;
Empty set (0.00 sec)
--> Group processing then begins if any of the following conditions are met:
The user IS NOT found in radcheck
The user IS found in radcheck, but the check items don't match
The user IS found in radcheck, the check items DO match AND
Fall-Through is set in the radreply table
The user IS found in radcheck, the check items DO match AND the
read_groups directive is set to 'yes'
I'm matching the last condition:
# grep read_clients /etc/raddb/mods-available/sql
read_clients = yes
--> If groups are to be processed for this user, the first thing that
is done is the list of groups this user is a member of is pulled from
the usergroup table ordered by the priority field.
MariaDB [radius]> select * from radusergroup where username = "miro" order by priority;
+----------+----------------+----------+
| username | groupname      | priority |
+----------+----------------+----------+
| miro     | SSID_EMPL-Test |        1 |
| miro     | Reject-Profile |        2 |
+----------+----------------+----------+
2 rows in set (0.00 sec)
So group SSID_EMPL-Test is the one which will be checked first:
MariaDB [radius]> select * from radgroupcheck where groupname = "SSID_EMPL-Test";
+----+----------------+------------------+----+-----------+
| id | groupname      | attribute        | op | value     |
+----+----------------+------------------+----+-----------+
|  6 | SSID_EMPL-Test | Aruba-Essid-Name | == | EMPL-Test |
+----+----------------+------------------+----+-----------+
1 row in set (0.00 sec)
--> If there is a match, the reply items for this group are pulled
from the radgroupreply table and applied.
MariaDB [radius]> select * from radgroupreply where groupname = "SSID_EMPL-Test";
+----+----------------+-----------+----+--------+
| id | groupname      | attribute | op | value  |
+----+----------------+-----------+----+--------+
|  6 | SSID_EMPL-Test | Auth-Type | := | Accept |
+----+----------------+-----------+----+--------+
1 row in set (0.00 sec)
--> Processing continues to the next group IF:
There was not a match for the last group's check items
So my understanding is that the check won't continue and the user will get
Accept. Clearly I'm missing something, but I don't know what. You're
saying that
" 6 | SSID_EMPL-Test | Aruba-Essid-Name | == | EMPL-Test
Which says that anyone in the SSID_EMPL-Test is rejected if they use
the EMPL-Test SSID."
If you could show me the right direction here, I'd really appreciate that.
How should I check whether Aruba-Essid-Name has the value EMPL-Test and, if so,
Accept the user?
Thanks for your time,
Martin
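
The group-processing steps quoted in the message above, modelled as an added example that is not part of the original post and is not FreeRADIUS code. The table rows are the ones shown in the message; the operator handling (`==` compares against the request, `:=` never fails, an empty check list matches) and the two sample requests are assumptions constructed for illustration.

```python
# Added illustration: models only the rlm_sql steps quoted in the message.
# Not FreeRADIUS code; the operator handling below is a simplifying assumption.

# Rows copied from the tables in the message. The page shows no rows for
# Reject-Profile, so none are modelled for it.
DB = {
    "radcheck": {"miro": [("Cleartext-Password", ":=", "miro")]},
    "radreply": {},
    "radusergroup": {"miro": [("SSID_EMPL-Test", 1), ("Reject-Profile", 2)]},
    "radgroupcheck": {"SSID_EMPL-Test": [("Aruba-Essid-Name", "==", "EMPL-Test")]},
    "radgroupreply": {"SSID_EMPL-Test": [("Auth-Type", ":=", "Accept")]},
}

def items_match(check_items, request):
    """'==' items must equal the request attribute; ':=' items are treated
    as assignments that never fail (assumption). No items counts as a match."""
    return all(request.get(attr) == value
               for attr, op, value in check_items if op == "==")

def authorize(user, request, db=DB, read_groups=True):
    """Return (reply_items, trace) in the order the quoted steps describe."""
    reply, trace = [], []
    check = db["radcheck"].get(user)
    user_ok = check is not None and items_match(check, request)
    if user_ok:
        reply += db["radreply"].get(user, [])
    fall_through = any(a == "Fall-Through" and v == "Yes" for a, _, v in reply)
    if user_ok and not (fall_through or read_groups):
        return reply, trace  # none of the four quoted conditions holds
    groups = sorted(db["radusergroup"].get(user, []), key=lambda g: g[1])
    for name, _priority in groups:
        matched = items_match(db["radgroupcheck"].get(name, []), request)
        trace.append((name, matched))
        if matched:
            reply += db["radgroupreply"].get(name, [])
            break  # quoted rule: continue only when the check items did not match
    return reply, trace

# Constructed requests: one carries the SSID attribute, one does not.
WITH_SSID = {"User-Name": "miro", "Aruba-Essid-Name": "EMPL-Test"}
WITHOUT_SSID = {"User-Name": "miro"}

if __name__ == "__main__":
    for req in (WITH_SSID, WITHOUT_SSID):
        print(authorize("miro", req))
```

In this model the outcome depends entirely on whether the request carries Aruba-Essid-Name with exactly the value stored in radgroupcheck; when it does not, processing moves on to the next group by priority.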