Don't take your ball, not good. ;)

Here's the information:

## radcheck

+----+----------+--------------------+----+-------+
| id | UserName | Attribute          | op | Value |
+----+----------+--------------------+----+-------+
|  3 | test-pap | Cleartext-Password | := | pw123 |
+----+----------+--------------------+----+-------+

## radreply

+----+----------+------------------+----+-------+
| id | UserName | Attribute        | op | Value |
+----+----------+------------------+----+-------+
|  6 | test-pap | Upstream-Speed   | =  | 800   |
|  7 | test-pap | Downstream-Speed | =  | 800   |
+----+----------+------------------+----+-------+

## radgroupcheck

+----+--------------+------------------+----+-------+
| id | GroupName    | Attribute        | op | Value |
+----+--------------+------------------+----+-------+
|  5 | f_pppoe_250k | Auth-Type        | =  | PAP   |
|  6 | f_pppoe_250k | Simultaneous-Use | =  | 1     |
+----+--------------+------------------+----+-------+

## radgroupreply

+----+--------------+--------------------+----+---------------------+
| id | GroupName    | Attribute          | op | Value               |
+----+--------------+--------------------+----+---------------------+
| 13 | f_pppoe_250k | Framed-Protocol    | =  | PPP                 |
| 14 | f_pppoe_250k | Framed-MTU         | =  | 1492                |
| 15 | f_pppoe_250k | Framed-Compression | =  | Van-Jacobsen-TCP-IP |
| 16 | f_pppoe_250k | Service-Type       | =  | Framed-User         |
+----+--------------+--------------------+----+---------------------+

## radusergroup (same as the usergroup table in FreeRADIUS version 1.3; I have both tables)

+-----------+--------------+----------+
| UserName  | GroupName    | priority |
+-----------+--------------+----------+
| teste-pap | f_pppoe_250k |        1 |
+-----------+--------------+----------+

## radiusd -X

 rad_recv: Access-Request packet from host 7.7.7.1 port 32790, id=163, length=73
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "test-pap"
        User-Password = "pw123"
        NAS-IP-Address =
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
radius_xlat:  'test-pap'
rlm_sql (sql): sql_set_user escaped user --> 'test-pap'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radcheck           WHERE Username = 'test-pap'           ORDER BY id'    ######## loading radcheck table ##########
rlm_sql (sql): User found in radcheck table
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = 'test-pap'           ORDER BY id'   ####### loading radreply table ##########
rlm_sql (sql): Released sql socket id: 3                                                                      #### if found "Fall-Through = Yes" attribute, radgroupcheck is loaded, but not radgroupreply #########
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
+- group authorize returns updated
  rad_check_password:  Found Auth-Type
auth: type "PAP"
  Processing the authenticate section of radiusd.conf
+- entering group PAP
rlm_pap: login attempt with password ngc0bqi
rlm_pap: Using clear text password.
rlm_pap: User authenticated successfully
++[pap] returns ok
+- group PAP returns ok
  Processing the post-auth section of radiusd.conf
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
rlm_sql (sql): sql_set_user escaped user --> 'test-pap'
radius_xlat:  'INSERT into radpostauth (id, user, pass, reply, date) values ('', 'test-pap', 'ngc0bqi', 'Access-Accept', '2008-01-15 20:33:58')'
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'test-pap', 'pw123', 'Access-Accept', '2008-01-15 20:33:58')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
+- group post-auth returns ok
Sending Access-Accept of id 163 to 7.7.7.1 port 32790        ############# Here is when radius server send "items reply" to radiusclient #################
        Upstream-Speed = 800          ######## attribute in radreply ########
        Downstream-Speed = 800     ###### attribute in radreply ########
Finished request 0 state 5
Going to the next request
rad_recv: Accounting-Request packet from host 7.7.7.1 port 32790, id=164, length=101
        Acct-Session-Id = "478D34D61E1F00"
        User-Name = "test-pap"
        Acct-Status-Type = Start
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Acct-Authentic = RADIUS
        NAS-Port-Type = Virtual
        Framed-IP-Address = 7.7.7.123
        NAS-IP-Address = 7.7.7.1
        NAS-Port = 0
        Acct-Delay-Time = 0
  Processing the preacct section of radiusd.conf
+- entering group preacct
++[preprocess] returns ok
rlm_acct_unique: Hashing 'NAS-Port = 0,Framed-IP-Address = 7.7.7.123,NAS-IP-Address = 7.7.7.1,Acct-Session-Id = "478D34D61E1F00",User-Name = "test-pap"'
rlm_acct_unique: Acct-Unique-Session-ID = "a5e052f9f07c2f6f".
++[acct_unique] returns ok
+- group preacct returns ok
  Processing the accounting section of radiusd.conf
+- entering group accounting
radius_xlat:  '/usr/local/var/log/radius/radacct/7.7.7.1/detail-20080115'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/7.7.7.1/detail-20080115
radius_xlat:  'Tue Jan 15 20:33:58 2008'
++[detail] returns ok
radius_xlat:  '/usr/local/var/log/radius/radutmp'
radius_xlat:  'test-pap'
++[radutmp] returns ok
radius_xlat:  'test-pap'
rlm_sql (sql): sql_set_user escaped user --> 'test-pap'
radius_xlat:  'INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('478D34D61E1F00', 'a5e052f9f07c2f6f', 'test-pap', '', '7.7.7.1', '0', 'Virtual', '2008-01-15 20:33:58', '0', '0', 'RADIUS', '', '', '0', '0', '', '', '', 'Framed-User', 'PPP', '7.7.7.123', '0', '0')'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
radius_xlat:  'test-pap'
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
+- group accounting returns updated
Sending Accounting-Response of id 164 to 7.7.7.1 port 32790
Finished request 1 state 6
Going to the next request
Cleaning up request 1 ID 164 with timestamp +15
Waking up in 4 seconds...
Cleaning up request 0 ID 163 with timestamp +15
Nothing to do.  Sleeping until we see a request.
################################

The FreeRADIUS documentation says (http://wiki.freeradius.org/Rlm_sql):

  • Search the radcheck table for any check attributes specific to the user
  • If check attributes are found, and there's a match, pull the reply items from the radreply table for this user and add them to the reply
  • Group processing then begins if any of the following conditions are met:
    • The user IS NOT found in radcheck
    • The user IS found in radcheck, but the check items don't match
    • The user IS found in radcheck, the check items DO match AND Fall-Through is set in the radreply table
    • The user IS found in radcheck, the check items DO match AND the read_groups directive is set to 'yes'
  • If groups are to be processed for this user, the first thing that is done is the list of groups this user is a member of is pulled from the usergroup table ordered by the priority field. The priority field of the usergroup table allows us to control the order in which groups are processed, so that we can emulate the ordering in the users file.

    ###################

    My case matches the last condition: the user is found in radcheck, the check items DO match AND the read_groups directive is set to 'yes'. But... I've tested read_groups and it doesn't work. I made an invalid directive and it is ignored by radiusd; it doesn't appear in the debug log. read_groups doesn't either.

    I have tested Fall-Through in radreply and it works, but it doesn't load the radgroupreply table. I need this table, because its attributes are sent in the reply to the RADIUS client, and my scripts on the NAS side can work with them.

    Note: FreeRADIUS 1.3 doesn't have the read_groups directive, but all tables are loaded.


    --------------------------------------------------------------------------------
    OK, can we see database entries for a user (and group he belongs to) and
    the debug of the access request? Or should I get my crystal ball back
    from the polisher?

    Ivan Kalik
    Kalik Informatika ISP


    On 15/1/2008, "Arlinelson Fernandes dos Santos" wrote:

    >Yes! I did. And I put attributes into all tables check and reply.

    --------------------------------------------------------------------------------

    Did you put something in usergroup table to link users and groups?

