Load default profile if no profile matched
Daniel Finger
daniel.finger at ewetel.de
Tue Apr  9 10:39:12 CEST 2019

Hi!
I am trying to recreate the old behaviour I had with freeRADIUS 2:
If User has correct credentials and no group the user belongs to matches, 
read a default group, which rejects access.
We have no Fall-Through Attributes in the Database.
If I configure the sql module in freeRADIUS 3.0.18 like I had with FR2:
     read_groups = yes
     read_profiles = yes
     default_user_profile = "DEFAULT"
Do you have a suggestion for me how to change the configuration, so it 
behaves like the old Radius Server?
The default profile is always read, even if previous groups matched:
(7) sql: EXPAND %{User-Name}
(7) sql:    --> test_account_dsl
(7) sql: SQL-User-Name set to 'test_account_dsl'
rlm_sql (sql): Reserved connection (1)
(7) sql: EXPAND SELECT id, UserName, Attribute, Value, op FROM radcheck 
WHERE username = '%{SQL-User-Name}' AND Status = 1 ORDER BY id
(7) sql:    --> SELECT id, UserName, Attribute, Value, op FROM radcheck 
WHERE username = 'test_account_dsl' AND Status = 1 ORDER BY id
(7) sql: Executing select query: SELECT id, UserName, Attribute, Value, op 
FROM radcheck WHERE username = 'test_account_dsl' AND Status = 1 ORDER BY id
(7) sql: User found in radcheck table
(7) sql: Conditional check items matched, merging assignment check items
(7) sql:   Cleartext-Password := "test12"
(7) sql: EXPAND SELECT id,UserName,Attribute,Value, op FROM radreply WHERE 
username = '%{SQL-User-Name}' ORDER BY id
(7) sql:    --> SELECT id,UserName,Attribute,Value, op FROM radreply WHERE 
username = 'test_account_dsl' ORDER BY id
(7) sql: Executing select query: SELECT id,UserName,Attribute,Value, op FROM 
radreply WHERE username = 'test_account_dsl' ORDER BY id
rlm_sql (sql): Reserved connection (26)
rlm_sql (sql): Released connection (26)
(7) sql: EXPAND SELECT GroupName FROM usergroup WHERE Username = 
'%{SQL-User-Name}' ORDER BY priority
(7) sql:    --> SELECT GroupName FROM usergroup WHERE Username = 
'test_account_dsl' ORDER BY priority
(7) sql: Executing select query: SELECT GroupName FROM usergroup WHERE 
Username = 'test_account_dsl' ORDER BY priority
(7) sql: User found in the group table
(7) sql: EXPAND SELECT id,GroupName,Attribute,Value,op FROM radgroupcheck 
WHERE groupname = '%{sql-SQL-Group}' ORDER BY id
(7) sql:    --> SELECT id,GroupName,Attribute,Value,op FROM radgroupcheck 
WHERE groupname = 'dsl_192_2048_filter' ORDER BY id
(7) sql: Executing select query: SELECT id,GroupName,Attribute,Value,op FROM 
radgroupcheck WHERE groupname = 'dsl_192_2048_filter' ORDER BY id
(7) sql: Group "dsl_192_2048_filter": Conditional check items matched
(7) sql: Group "dsl_192_2048_filter": Merging assignment check items
(7) sql:   Simultaneous-Use := 2
(7) sql: EXPAND SELECT id,GroupName,Attribute,Value,op FROM radgroupreply 
WHERE groupname = '%{sql-SQL-Group}' ORDER BY id
(7) sql:    --> SELECT id,GroupName,Attribute,Value,op FROM radgroupreply 
WHERE groupname = 'dsl_192_2048_filter' ORDER BY id
(7) sql: Executing select query: SELECT id,GroupName,Attribute,Value,op FROM 
radgroupreply WHERE groupname = 'dsl_192_2048_filter' ORDER BY id
(7) sql: Group "dsl_192_2048_filter": Merging reply items
(7) sql:   ERX-Egress-Policy-Name = "ds_2048_filter"
(7) sql:   ERX-Ingress-Policy-Name = "us_192"
(7) sql:   Framed-Protocol = PPP
(7) sql:   Service-Type = Framed-User
(7) sql:   Session-Timeout = 86400
(7) sql: Checking profile DEFAULT
(7) sql: EXPAND DEFAULT
(7) sql:    --> DEFAULT
(7) sql: SQL-User-Name set to 'DEFAULT'
rlm_sql (sql): Reserved connection (2)
rlm_sql (sql): Released connection (2)
(7) sql: EXPAND SELECT GroupName FROM usergroup WHERE Username = 
'%{SQL-User-Name}' ORDER BY priority
(7) sql:    --> SELECT GroupName FROM usergroup WHERE Username = 'DEFAULT' 
ORDER BY priority
(7) sql: Executing select query: SELECT GroupName FROM usergroup WHERE 
Username = 'DEFAULT' ORDER BY priority
(7) sql: User found in the group table
(7) sql: EXPAND SELECT id,GroupName,Attribute,Value,op FROM radgroupcheck 
WHERE groupname = '%{sql-SQL-Group}' ORDER BY id
(7) sql:    --> SELECT id,GroupName,Attribute,Value,op FROM radgroupcheck 
WHERE groupname = 'DEFAULT' ORDER BY id
(7) sql: Executing select query: SELECT id,GroupName,Attribute,Value,op FROM 
radgroupcheck WHERE groupname = 'DEFAULT' ORDER BY id
(7) sql: Group "DEFAULT": Conditional check items matched
(7) sql: Group "DEFAULT": Merging assignment check items
(7) sql:   Auth-Type := Reject
(7) sql: EXPAND SELECT id,GroupName,Attribute,Value,op FROM radgroupreply 
WHERE groupname = '%{sql-SQL-Group}' ORDER BY id
(7) sql:    --> SELECT id,GroupName,Attribute,Value,op FROM radgroupreply 
WHERE groupname = 'DEFAULT' ORDER BY id
(7) sql: Executing select query: SELECT id,GroupName,Attribute,Value,op FROM 
radgroupreply WHERE groupname = 'DEFAULT' ORDER BY id
(7) sql: Group "DEFAULT": Merging reply items
rlm_sql (sql): Released connection (1)
(7)             [sql] = ok
The old behaviour:
[sql]     expand: %{User-Name} -> test_account_dsl
[sql] sql_set_user escaped user --> 'test_account_dsl'
rlm_sql (sql): Reserving sql socket id: 64
[sql]     expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = '%{SQL-User-Name}' AND Status = 1 ORDER BY id -> SELECT 
id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 
'test_account_dsl' AND Status = 1 ORDER BY id
[sql] User found in radcheck table
[sql]     expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = '%{SQL-User-Name}' ORDER BY id -> SELECT 
id,UserName,Attribute,Value,op FROM radreply WHERE Username = 
'test_account_dsl' ORDER BY id
[sql]     expand: SELECT GroupName FROM usergroup WHERE 
UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM 
usergroup WHERE UserName='test_account_dsl' ORDER BY priority
[sql]     expand: SELECT id,GroupName,Attribute,Value,op FROM radgroupcheck 
WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT 
id,GroupName,Attribute,Value,op FROM radgroupcheck WHERE GroupName = 
'dsl_192_2048_filter' ORDER BY id
[sql] User found in group dsl_192_2048_filter
[sql]     expand: SELECT id,GroupName,Attribute,Value,op FROM radgroupreply 
WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT 
id,GroupName,Attribute,Value,op FROM radgroupreply WHERE GroupName = 
'dsl_192_2048_filter' ORDER BY id
rlm_sql (sql): Released sql socket id: 64
++[sql] = ok
and if no check item matches:
[sql]     expand: %{User-Name} -> test_account_dsl
[sql] sql_set_user escaped user --> 'test_account_dsl'
rlm_sql (sql): Reserving sql socket id: 61
[sql]     expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = '%{SQL-User-Name}' AND Status = 1 ORDER BY id -> SELECT 
id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 
'test_account_dsl' AND Status = 1 ORDER BY id
[sql] User found in radcheck table
[sql]     expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = '%{SQL-User-Name}' ORDER BY id -> SELECT 
id,UserName,Attribute,Value,op FROM radreply WHERE Username = 
'test_account_dsl' ORDER BY id
[sql]     expand: SELECT GroupName FROM usergroup WHERE 
UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM 
usergroup WHERE UserName='test_account_dsl' ORDER BY priority
[sql]     expand: SELECT id,GroupName,Attribute,Value,op FROM radgroupcheck 
WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT 
id,GroupName,Attribute,Value,op FROM radgroupcheck WHERE GroupName = 
'dsl_192_2048_filter' ORDER BY id
[sql] Checking profile DEFAULT
[sql] sql_set_user escaped user --> 'DEFAULT'
[sql]     expand: SELECT GroupName FROM usergroup WHERE 
UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM 
usergroup WHERE UserName='DEFAULT' ORDER BY priority
[sql]     expand: SELECT id,GroupName,Attribute,Value,op FROM radgroupcheck 
WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT 
id,GroupName,Attribute,Value,op FROM radgroupcheck WHERE GroupName = 
'DEFAULT' ORDER BY id
[sql] User found in group DEFAULT
[sql]     expand: SELECT id,GroupName,Attribute,Value,op FROM radgroupreply 
WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT 
id,GroupName,Attribute,Value,op FROM radgroupreply WHERE GroupName = 
'DEFAULT' ORDER BY id
rlm_sql (sql): Released sql socket id: 61
++[sql] = ok
Greetings,
Daniel Finger
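
Added example, not part of the original post and not FreeRADIUS code: a small checker that scans sql-module debug output in the 3.0.18 format quoted above and reports every request in which a profile was processed although one of the user's own groups had already matched, together with the items that profile merged. The function name and the sample are assumptions; request 7 is abridged from the post and request 8 is constructed.

```python
import re

# Line shapes copied from the FreeRADIUS 3.0.18 debug output quoted in the post.
SQL_LINE = re.compile(r'^\((\d+)\) sql: (.*)$')
GROUP_OK = re.compile(r'^Group "([^"]+)": Conditional check items matched')
PROFILE = re.compile(r'^Checking profile (\S+)')
ITEM = re.compile(r'^\s+([A-Za-z][\w-]*) (:=|=) (.+)$')

# Constructed sample: request 7 is abridged from the post; request 8 is a
# made-up request in which the user's own group did not match.
SAMPLE = '''\
(7) sql: User found in the group table
(7) sql: Group "dsl_192_2048_filter": Conditional check items matched
(7) sql: Group "dsl_192_2048_filter": Merging assignment check items
(7) sql:   Simultaneous-Use := 2
(7) sql: Checking profile DEFAULT
(7) sql: Group "DEFAULT": Conditional check items matched
(7) sql: Group "DEFAULT": Merging assignment check items
(7) sql:   Auth-Type := Reject
(7)             [sql] = ok
(8) sql: User found in the group table
(8) sql: Checking profile DEFAULT
(8) sql: Group "DEFAULT": Conditional check items matched
(8) sql:   Auth-Type := Reject
'''

def profile_after_group_match(log_text):
    """Map request id -> details for every request where a profile was
    processed although one of the user's own groups had already matched."""
    reqs = {}
    for raw in log_text.splitlines():
        m = SQL_LINE.match(raw)
        if not m:
            continue  # wrapped SQL text and lines from other modules
        st = reqs.setdefault(int(m.group(1)),
                             {"groups": [], "profile": None, "profile_items": []})
        body = m.group(2)
        if (p := PROFILE.match(body)):
            st["profile"] = p.group(1)
        elif (g := GROUP_OK.match(body)) and st["profile"] is None:
            st["groups"].append(g.group(1))      # group matched before any profile
        elif (i := ITEM.match(body)) and st["profile"] is not None:
            st["profile_items"].append(i.groups())  # item merged by the profile
    return {rid: st for rid, st in reqs.items()
            if st["groups"] and st["profile"] is not None}

if __name__ == "__main__":
    for rid, st in profile_after_group_match(SAMPLE).items():
        print(rid, st["groups"], "->", st["profile"], st["profile_items"])
```
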