Re: sequential order of checks

2003-01-28 Thread Simon White
27-Jan-03 at 22:21, Robert Canary ([EMAIL PROTECTED]) wrote:
> I am trying to set up the freeradius mysql.  However, I really don't
> know which tables to populate or even why.
>
> I made a dry run with a portslave test port just to see what the radius
> server might be getting.  I see freeradius queries radcheck for the
> username, then it queries radgroupcheck, and radgroupreply before
> defaulting to the DEFAULT.
>
> Can someone explain to me the line of progression and reasoning behind
> these queries? If it found a username in radcheck, would it still
> continue on to the radgroupcheck? What sort of scenario would require
> one to populate all three tables?

http://www.frontios.com/freeradius.html

Check here and get a test system working if you can, then come back with
more questions.

Regards,

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: sequential order of checks

2003-01-28 Thread Robert Canary
Yes I read that, however, there are some details that do not line
up, or do not exist.  As the author said they are my personal notes

I noticed in the(that) doc the id is repeated, yet the db
table(radcheck,usergroup,radreply,radgroupcheck,radgroupreply) has it as
auto-increment.

I am still unclear about what tables are read and when

I understand the radcheck...read as a password file for authentication.
What is the significance of radgroup, if I pass attributes from the
radreply, do I need to populate the radgroupreply?
Will radius fail if the user is not listed in radgroup?
Is radius supposed to fail if the user's group is not listed in
radgroupreply/check?

What table is checked first? ANS:radcheck
And from what information in that table does radius use to determine its
next action?

This far I have determined the following (please correct this if wrong)
From a basic request (from portslave's radiusclient)
User-Name = adialupusername
NAS-Port-Type = Async
Connect-Info = 26400LAP-M
Acct_Session_Id = 3E307D060349
Framed-Protocol = 16777216
Servie-Type = 33554432
User-Password = thepassword
NAS-IP-Address = 208.3.6.49
NAS-Port = 9

radius looks for a chap password
radius looks for a mschap
radius looks for a realm @
radius looks in radcheck
Now here is where I am not sure what is happening.
IF it doesn't find the username in radcheck it still looks for the user
in the radgroupcheck, but the radius debug(-x) doesn't indicate what it
is looking for, it goes on to query to the radgroupreply, *then* give
the statement user not found in radgroupcheck.

So how does the radgroupcheck fall into the scheme of things.  It looks
as though it is redundant when I can use the radreply to set up the
session.

I am getting the impression the db table progression is similar to the
fall-through function of the user.conf file.  Am I getting close?





Re: sequential order of checks

2003-01-28 Thread Chris Parker
At 10:23 AM 1/28/2003 -0600, Robert Canary wrote:

> Yes I read that, however, there are some details that do not line
> up, or do not exist.  As the author said they are my personal notes
>
> I noticed in the(that) doc the id is repeated, yet the db
> table(radcheck,usergroup,radreply,radgroupcheck,radgroupreply) has it as
> auto-increment.
>
> I am still unclear about what tables are read and when
>
> I understand the radcheck...read as a password file for authentication.
> What is the significance of radgroup, if I pass attributes from the
> radreply, do I need to populate the radgroupreply?

No.  Think of radcheck as a specific entry in the 'users' file.

> Will radius fail if the user is not listed in radgroup?

No.  Think of radgroup[check|reply] as a DEFAULT entry that is hit
because the specific 'users' entry has 'Fall-Through = Yes'.

> Is radius supposed to fail if the user's group is not listed in
> radgroupreply/check?

No.

radgroup[check|reply] serve to allow you to place the common elements
of your user profiles into a single db entry, thus reducing DB table
size.

> What table is checked first? ANS:radcheck
> And from what information in that table does radius use to determine its
> next action?

Nothing.  It uses radgroup[check|reply] if you have an entry in usergroup.

> This far I have determined the following (please correct this if wrong)
>
> radius looks for a chap password
> radius looks for a mschap
> radius looks for a realm @
> radius looks in radcheck
> Now here is where I am not sure what is happening.
> IF it doesn't find the username in radcheck it still looks for the user
> in the radgroupcheck, but the radius debug(-x) doesn't indicate what it
> is looking for, it goes on to query to the radgroupreply, *then* give
> the statement user not found in radgroupcheck.
>
> So how does the radgroupcheck fall into the scheme of things.  It looks
> as though it is redundant when I can use the radreply to set up the
> session.

You can.  As stated above radgroup allows you to 'group' the common
attributes shared by a 'group' of users with a common profile.

IE, you put the password in 'radcheck', an entry for the user in
'usergroup', and the remainder of the a/v pairs in radgroupreply.

> I am getting the impression the db table progression is similar to the
> fall-through function of the user.conf file.  Am I getting close?


Yes, see the explanation above.

Hope this helps,
-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net
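
Added example (not part of the original thread and not FreeRADIUS's own code): a small sqlite3 model of the layout described in the reply above, with the password in radcheck, a usergroup row per user, and the shared a/v pairs in radgroupreply. The simplified columns, the 'Password' check attribute name, the sample users and the resolve() helper are assumptions made for illustration; radgroupcheck and the op column are not modelled.

```python
import hmac
import sqlite3

# Assumption: simplified columns; the real tables also carry an id and an op column.
SCHEMA = """
CREATE TABLE radcheck      (UserName TEXT, Attribute TEXT, Value TEXT);
CREATE TABLE radreply      (UserName TEXT, Attribute TEXT, Value TEXT);
CREATE TABLE usergroup     (UserName TEXT, GroupName TEXT);
CREATE TABLE radgroupreply (GroupName TEXT, Attribute TEXT, Value TEXT);
"""

# Constructed sample data: alice and bob share the 'dialup' profile, carol has no group.
SAMPLE = """
INSERT INTO radcheck VALUES ('alice', 'Password', 'alice-pw'),
                            ('bob',   'Password', 'bob-pw'),
                            ('carol', 'Password', 'carol-pw');
INSERT INTO usergroup VALUES ('alice', 'dialup'), ('bob', 'dialup');
INSERT INTO radreply  VALUES ('bob', 'Framed-IP-Address', '192.0.2.10');
INSERT INTO radgroupreply VALUES ('dialup', 'Service-Type', 'Framed-User'),
                                 ('dialup', 'Framed-Protocol', 'PPP');
"""

def demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + SAMPLE)
    return db

def pairs(db, table, column, key):
    # table and column are fixed literals from this file; only key is request data.
    sql = f"SELECT Attribute, Value FROM {table} WHERE {column} = ?"
    return db.execute(sql, (key,)).fetchall()

def resolve(db, user, password):
    """Return the reply a/v pairs for an accepted user, or None for a reject."""
    stored = dict(pairs(db, "radcheck", "UserName", user)).get("Password")
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None                                   # unknown user or wrong password
    reply = dict(pairs(db, "radreply", "UserName", user))   # per-user items
    groups = db.execute("SELECT GroupName FROM usergroup WHERE UserName = ?", (user,))
    for (group,) in groups.fetchall():   # no usergroup row: loop is skipped, no failure
        for attr, value in pairs(db, "radgroupreply", "GroupName", group):
            reply.setdefault(attr, value)   # op-column merge rules are not modelled
    return reply

if __name__ == "__main__":
    db = demo_db()
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"),
                     ("carol", "carol-pw"), ("alice", "wrong")]:
        print(user, resolve(db, user, pw))
```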





sequential order of checks

2003-01-27 Thread Robert Canary
I am trying to set up the freeradius mysql.  However, I really don't
know which tables to populate or even why.

I made a dry run with a portslave test port just to see what the radius
server might be getting.  I see freeradius queries radcheck for the
username, then it queries radgroupcheck, and radgroupreply before
defaulting to the DEFAULT.

Can someone explain to me the line of progression and reasoning behind
these queries? If it found a username in radcheck, would it still
continue on to the radgroupcheck? What sort of scenario would require
one to populate all three tables?

thanks in advance :-)
--
robert
