Sorry for starting a new thread; I had subscribed to digest instead of
individual e-mails.
> You should really upgrade to 1.0.2.
Completed.
radiusd: FreeRADIUS Version 1.0.2, for host , built on May 13 2005 at
09:43:36 (updated from 0.9.3)
Now I get the line I had not been seeing!
huntgroups: Matched wireless at 56
PROBLEMS:
1. Reply to a "wireless" NAS has the 'Dialup_Default' attributes/values
(specifically "Session-Timeout := 14400") instead of 'Wireless_Default'
attributes/values (specifically "Session-Timeout := 0") for a user who is
part of both the "Wireless_Default" and "Dialup_Default" groups.
2. Reply to a "dialup" NAS is "Accept" for a user who is a member of only
the "Wireless_Default" group. That should be "reject". The
"Wireless_Default" attribute/values (specifically "Session-Timeout := 0")
are returned.
> How do you define those customers?
select * from radgroupcheck;
+----+-------------------+------------------+----+----------+
| id | GroupName | Attribute | op | Value |
+----+-------------------+------------------+----+----------+
| 15 | DialUp_Default | Simultaneous-Use | := | 1 |
| 6 | EmailOnly_Default | Auth-Type | := | Reject |
| 7 | EmailOnly_Default | Simultaneous-Use | := | 0 |
| 8 | LockOut_Billing | Auth-Type | := | Reject |
| 9 | LockOut_Billing | Simultaneous-Use | := | 0 |
| 14 | Wireless_Default | Simultaneous-Use | := | 1 |
| 11 | Virus_Lockout | Auth-Type | := | Reject |
| 24 | Wireless_Default | Huntgroup-Name | == | wireless |
+----+-------------------+------------------+----+----------+
select * from radgroupreply;
+----+-------------------+--------------------+----+--------------------------------------------------------+------+
| id | GroupName | Attribute | op | Value | prio |
+----+-------------------+--------------------+----+--------------------------------------------------------+------+
| 16 | DialUp_Default | Session-Timeout | := | 14400 | 0 |
| 15 | DialUp_Default | Service-Type | := | Framed-User | 0 |
| 14 | DialUp_Default | Framed-Compression | := | Van-Jacobsen-TCP-IP | 0 |
| 13 | DialUp_Default | Framed-MTU | := | 1500 | 0 |
| 12 | DialUp_Default | Framed-IP-Address | := | 255.255.255.254 | 0 |
| 23 | EmailOnly_Default | Reply-Message | = | "Email only accounts may not dial up." | 0 |
| 11 | DialUp_Default | Framed-Protocol | := | PPP | 0 |
| 25 | LockOut_Billing | Reply-Message | = | This account has been suspended due to billing issues. | 0 |
| 27 | Virus_Lockout | Reply-Message | = | Account suspended for virus-spam complaints | 0 |
| 31 | Wireless_Default | Framed-Protocol | := | PPP | 0 |
| 32 | Wireless_Default | Framed-IP-Address | := | 255.255.255.254 | 0 |
| 33 | Wireless_Default | Framed-MTU | := | 1500 | 0 |
| 34 | Wireless_Default | Framed-Compression | := | Van-Jacobsen-TCP-IP | 0 |
| 35 | Wireless_Default | Service-Type | := | Framed-User | 0 |
| 36 | Wireless_Default | Session-Timeout | := | 0 | 0 |
| 37 | Wireless_Default | Port-Limit | := | 1 | 0 |
| 17 | DialUp_Default | Idle-Timeout | := | 1200 | 0 |
| 18 | DialUp_Default | Port-Limit | := | 1 | 0 |
+----+-------------------+--------------------+----+--------------------------------------------------------+------+
select * from usergroup where UserName='ME';
+------+----------+------------------+----------------+
| id | UserName | GroupName | LastMod |
+------+----------+------------------+----------------+
| 6522 | ME | DialUp_Default | 20050511100844 |
| 6523 | ME | Wireless_Default | 20050511100915 |
+------+----------+------------------+----------------+
> See the FAQ, you can do group checking via Unix groups. See also
> rlm_passwd in 1.0.2, for non-Unix group checks.
I am NOT using Linux passwd/shadow/groups for RADIUS purposes -- only
administrators have System accounts.
'huntgroups' includes:
dialup NAS-IP-Address == 1.2.3.4
wireless NAS-IP-Address == 1.3.5.7
FROM THE TEST CLIENT:
radtest ME SomeSillyPhrase 1.3.5.1 0 SecretPhrase 0 1.3.5.7
FROM THE RADIUS SERVER (using 'radius -X') (interrupted by the SQL data
being returned):
rad_recv: Access-Request packet from host 1.3.5.7:32873, id=205, length=66
User-Name = "ME"
User-Password = "SomeSillyPhrase"
NAS-IP-Address = 1.3.5.7
NAS-Port = 0
Framed-Protocol = PPP
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "ME", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
radius_xlat: 'ME'
rlm_sql (sql): sql_set_user escaped user --> 'ME'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'ME' ORDER BY id'
+------+----------+----------------+------------------------------------+----+
| id | UserName | Attribute | Value | op |
+------+----------+----------------+------------------------------------+----+
| 8195 | ME | Crypt-Password | d5Sd4DsAIl9$zfcfVsda13sYYt9HrdBsd0 | := |
+------+----------+----------------+------------------------------------+----+
rlm_sql (sql): Reserving sql socket id: 12
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'ME' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
+----+------------------+------------------+----------+----+
| id | GroupName | Attribute | Value | op |
+----+------------------+------------------+----------+----+
| 14 | Wireless_Default | Simultaneous-Use | 1 | := |
| 15 | DialUp_Default | Simultaneous-Use | 1 | := |
| 24 | Wireless_Default | Huntgroup-Name | wireless | == |
+----+------------------+------------------+----------+----+
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'ME' ORDER BY id'
Empty set (0.00 sec)
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'ME' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
+----+------------------+--------------------+---------------------+----+
| id | GroupName | Attribute | Value | op |
+----+------------------+--------------------+---------------------+----+
| 11 | DialUp_Default | Framed-Protocol | PPP | := |
| 12 | DialUp_Default | Framed-IP-Address | 255.255.255.254 | := |
| 13 | DialUp_Default | Framed-MTU | 1500 | := |
| 14 | DialUp_Default | Framed-Compression | Van-Jacobsen-TCP-IP | := |
| 15 | DialUp_Default | Service-Type | Framed-User | := |
| 16 | DialUp_Default | Session-Timeout | 14400 | := |
| 17 | DialUp_Default | Idle-Timeout | 1200 | := |
| 18 | DialUp_Default | Port-Limit | 1 | := |
| 31 | Wireless_Default | Framed-Protocol | PPP | := |
| 32 | Wireless_Default | Framed-IP-Address | 255.255.255.254 | := |
| 33 | Wireless_Default | Framed-MTU | 1500 | := |
| 34 | Wireless_Default | Framed-Compression | Van-Jacobsen-TCP-IP | := |
| 35 | Wireless_Default | Service-Type | Framed-User | := |
| 36 | Wireless_Default | Session-Timeout | 0 | := |
| 37 | Wireless_Default | Port-Limit | 1 | := |
+----+------------------+--------------------+---------------------+----+
huntgroups: Matched wireless at 56
rlm_sql (sql): Released sql socket id: 12
modcall[authorize]: module "sql" returns ok for request 1
modcall: group authorize returns ok for request 1
auth: type Crypt
Processing the session section of radiusd.conf
modcall: entering group session for request 1
radius_xlat: 'ME'
rlm_sql (sql): sql_set_user escaped user --> 'ME'
radius_xlat: 'SELECT COUNT(*) FROM radacct WHERE UserName='ME' AND
AcctStopTime = 0'
+----------+
| COUNT(*) |
+----------+
| 0 |
+----------+
rlm_sql (sql): Reserving sql socket id: 11
radius_xlat: 'SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress,
NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct
WHERE UserName='ME' AND AcctStopTime = 0'
Empty set (0.00 sec)
rlm_sql (sql): Released sql socket id: 11
modcall[session]: module "sql" returns ok for request 1
modcall: group session returns ok for request 1
Login OK: [ME] (from client MyClientName port 0)
Sending Access-Accept of id 205 to 1.3.5.7:32873
Framed-Protocol := PPP
Framed-IP-Address := 255.255.255.254
Framed-MTU := 1500
Framed-Compression := Van-Jacobson-TCP-IP
Service-Type := Framed-User
Session-Timeout := 14400
Idle-Timeout := 1200
Port-Limit := 1
Finished request 1
Going to the next request
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
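
Added example, not part of the original post and not FreeRADIUS code: a configuration audit over the radgroupcheck, radgroupreply and usergroup tables shown in the post, using a subset of the post's rows loaded into an in-memory SQLite database (an assumption; the post uses MySQL). It lists the reply attributes on which a user's groups disagree and the groups that carry no Huntgroup-Name check item; the function names are hypothetical.

```python
import sqlite3

# Subset of the rows printed in the post (columns the audit needs only).
GROUPCHECK = [
    ("DialUp_Default", "Simultaneous-Use", ":=", "1"),
    ("Wireless_Default", "Simultaneous-Use", ":=", "1"),
    ("Wireless_Default", "Huntgroup-Name", "==", "wireless"),
]
GROUPREPLY = [
    ("DialUp_Default", "Session-Timeout", ":=", "14400"),
    ("DialUp_Default", "Idle-Timeout", ":=", "1200"),
    ("DialUp_Default", "Port-Limit", ":=", "1"),
    ("Wireless_Default", "Session-Timeout", ":=", "0"),
    ("Wireless_Default", "Port-Limit", ":=", "1"),
]
USERGROUP = [("ME", "DialUp_Default"), ("ME", "Wireless_Default")]

def load():
    """Build an in-memory copy of the three tables (SQLite is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radgroupcheck (GroupName, Attribute, op, Value);
        CREATE TABLE radgroupreply (GroupName, Attribute, op, Value);
        CREATE TABLE usergroup (UserName, GroupName);
    """)
    db.executemany("INSERT INTO radgroupcheck VALUES (?,?,?,?)", GROUPCHECK)
    db.executemany("INSERT INTO radgroupreply VALUES (?,?,?,?)", GROUPREPLY)
    db.executemany("INSERT INTO usergroup VALUES (?,?)", USERGROUP)
    return db

def conflicting_replies(db):
    """(user, attribute) pairs whose groups supply different reply values."""
    return db.execute("""
        SELECT u.UserName, r.Attribute
        FROM usergroup u JOIN radgroupreply r ON r.GroupName = u.GroupName
        GROUP BY u.UserName, r.Attribute
        HAVING COUNT(DISTINCT r.Value) > 1
        ORDER BY u.UserName, r.Attribute""").fetchall()

def groups_without_huntgroup_check(db):
    """Groups assigned to users that have no Huntgroup-Name check item."""
    return [g for (g,) in db.execute("""
        SELECT DISTINCT u.GroupName FROM usergroup u
        WHERE NOT EXISTS (SELECT 1 FROM radgroupcheck c
                          WHERE c.GroupName = u.GroupName
                            AND c.Attribute = 'Huntgroup-Name')
        ORDER BY u.GroupName""")]

if __name__ == "__main__":
    db = load()
    print(conflicting_replies(db))             # attributes the groups disagree on
    print(groups_without_huntgroup_check(db))  # groups not tied to a huntgroup
```

The same two SELECT statements can be run directly against the MySQL tables; only the loader is specific to this example.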