redis-ippool and multiple pools

Miguel Berniz mberniz at gibfibre.com
Mon Jan 29 20:16:49 UTC 2024 

Hi Nick,

Thanks for the feedback.

From: Freeradius-Users <freeradius-users-bounces+mberniz=gibfibre.com at lists.freeradius.org> on behalf of Nick Porter <nick at portercomputing.co.uk>
Date: Monday, 29 January 2024 at 10:12
To: freeradius-users at lists.freeradius.org <freeradius-users at lists.freeradius.org>
Subject: Re: redis-ippool and multiple pools
On 28/01/2024 19:00, Miguel Berniz wrote:
>>>> (0)        | %redis({hget}{radcheck:, test1}{IP-Pool.Name})
>>>> (0)        | --> Dyn_Internet
>>>> (0)        &control.IP-Pool.Name := "Dyn_Internet"
> (0)      } # update control (noop)
> Issue is this >>>(0)      ERROR: Failed to evaluate required module option pool_name = &control.IP-Pool.Name
> (0)    } # send Access-Accept (fail)
> (0)    default (ok)
> (0)  } # default (ok)
> (0)  Done request

I missed that part of your original post.

How recent is the build of FreeRADIUS v4 that you're using?

AC_RADIUSD_VERSION := 04007e67
AC_RADIUSD_VERSION_COMMIT := d561bdb5
AC_RADIUSD_VERSION_INCRM := 32359
AC_RADIUSD_VERSION_MAJOR := 4
AC_RADIUSD_VERSION_MINOR := 0

A couple of things I would suggest to get to the bottom of what is
happening:

1.  FreeRADIUS v4 does not need update sections any more - and it may be
something in the conversion of updates to the new edit sections which is
not behaving correctly.  That code is temporary and intended to aid
migration from v3 to v4.

Instead of

update control {
     &control.IP-Pool.Name := ...
}

just use

&control.IP-Pool.Name := ....

This is the new syntax for v4, and the code supporting "update" will be
removed at some point.


That made the trick. I had two issues there.
First, I was triggering that in the wrong section (recv Access-Request) instead of in send Access-Accept.
However, this one under recv Access-Request needs the update section and wont work out of it.
recv Access-Request {
        update control {
        &Password.cleartext := %redis(hget, radcheck:%{User-Name}, Cleartext-Password),
        }
It expands properly in the debug
(3)    recv Access-Request {
(3)      | %redis(hget, radcheck:%{User-Name}, Cleartext-Password)
(3)        | %{%redis(hget, radcheck:%{User-Name}, Cleartext-Password)}
(3)        | redis
(3)              | %{User-Name}
(3)              | --> test1
(3)          REDIS command arguments
(3)          Reserved connection (0)
(3)          [1] >>> Sending command(s) to 127.0.0.1:6379
(3)          Executing command: hget
(3)          With arguments
(3)            [1] radcheck:test1
(3)            [2] Cleartext-Password
(3)          [1] <<< Returned: success
(3)          Released connection (0)
(3)        | %redis({hget}{radcheck:, test1}{Cleartext-Password})
(3)        | --> test
(3)      &Password.cleartext := test
…but…
(3)      chap (noop)
(3)      digest (noop)
(3)      pap - Setting &control.Auth-Type = pap
(3)      pap (updated)
(3)    } # recv Access-Request (updated)
(3)    Running 'authenticate pap' from file /usr/local/etc/raddb/sites-enabled/default
(3)    authenticate pap {
(3)      pap - Login attempt with password
(3)      pap - ERROR: No "known good" password found for user
(3)      pap (fail)
(3)    } # authenticate pap (fail)
(3)    Failed to authenticate the user
(3)    Running 'send Access-Reject' from file /usr/local/etc/raddb/sites-enabled/default
Not a complain, obv, just letting you know
This message is intended only for the use of the individual to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the sender and deleting the original document.

More information about the Freeradius-Users mailing list