Re: User in Multiple Groups
OK, Phil, you got me. I thought all I did was copy the To address, but must have used a reply instead. Sorry.

Thanks for the code suggestions. I understand what you see as the issue. Makes sense. I will experiment with what you suggest and see what I get.

Scott Reed
Owner
NewWays Wireless Networking
Network Design, Installation and Administration
www.nwwnet.net

--- Original Message ---
From: Phil Mayers [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Fri, 07 Apr 2006 11:09:48 +0100
Subject: Re: User in Multiple Groups

Scott Reed wrote:
> I did not usurp a thread, I reposted my own.

Really? How odd:

    Message-ID: [EMAIL PROTECTED]
    From: debik [EMAIL PROTECTED]
    Subject: Re: Couldn't stop freeradius server!!

    From: Scott Reed [EMAIL PROTECTED]
    Date: Wed, 5 Apr 2006 07:25:29 -0500
    Message-Id: [EMAIL PROTECTED]
    In-Reply-To: [EMAIL PROTECTED]
    Subject: User in Multiple Groups

> I changed radcheck to have := instead of ==. No change.
>
> First query returns:
>
>     +----+--------------+--------------+-------------+----+
>     | id | GroupName    | Attribute    | Value       | op |
>     +----+--------------+--------------+-------------+----+
>     | 28 | MS1-AP1      | Service-Type | Framed-User | == |
>     | 31 | Router-Admin | Service-Type | Login-User  | == |
>     +----+--------------+--------------+-------------+----+

Ah ok. Lightbulb moment.

Disclaimer: I'm not an expert w.r.t. rlm_sql (or much else in the server in fact) BUT I've taken quite a detailed look at the code in the past, and as far as I can tell it does this:

    check_items = []
    radcheck_items = query(radcheck query)
    check_items += radcheck_items
    groupcheck_items = query(radgroupcheck query)
    check_items += groupcheck_items

...that is, ALL the groupcheck items for a user are added to the check items (see src/modules/rlm_sql/rlm_sql.c line 782, at least in 1.1.0 source).

So, in your case the check items from both groups will be merged:

    username    Service-Type == Framed-User, Service-Type == Login-User

...and obviously will never match.
So you're correct, with the default queries >1 groupcheck where the groups have the same check item will seldom (if ever) work as expected.

You could try changing the groupcheck query to something like:

    SELECT ${groupcheck_table}.id, ${groupcheck_table}.GroupName,
           ${groupcheck_table}.Attribute, ${groupcheck_table}.Value,
           ${groupcheck_table}.op
      FROM ${groupcheck_table}, ${usergroup_table}
     WHERE ${usergroup_table}.Username = '%{SQL-User-Name}'
       AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName
       -- this bit has been added
       -- (note: SQL equality is a single '=', not '==')
       AND (
            -- all groups without Service-Type checks
            NOT EXISTS (
                SELECT 1 FROM ${groupcheck_table} AS ot
                 WHERE ot.Attribute = 'Service-Type'
                   AND ot.GroupName = ${groupcheck_table}.GroupName
            )
            OR
            -- all groups with Service-Type checks matching our Service-Type
            EXISTS (
                SELECT 1 FROM ${groupcheck_table} AS ot
                 WHERE ot.Attribute = 'Service-Type'
                   -- WARNING: this assumes ot.Op is ==
                   AND ot.Value = '%{Service-Type}'
                   AND ot.GroupName = ${groupcheck_table}.GroupName
            )
       )
       -- the above bit has been added
     ORDER BY ${groupcheck_table}.id

...which is a bit complex (and untested / off the top of my head) but should work. Having said that I note you're using MySQL, which I can't remember if it supports sub-selects.

Really the module should be recoded IMHO to do this:

    usercheck = query(radcheck query)
    if usercheck AND paircmp(usercheck, request):
        userreply = query(radreply query)
        pairxlatmove(request.reply, userreply)

    groups = query(usergroup query order by priority)
    for group in groups:
        groupcheck = query(groupcheck query WHERE GroupName=$group)
        if groupcheck and paircmp(groupcheck, request):
            groupreply = query(groupreply query WHERE GroupName=$group)
            pairxlatmove(request.reply, groupreply)

...but I don't know if there's any interest in doing that.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--- End of Original Message ---
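The two behaviours Phil contrasts above (the 1.1.0 merged check list versus his per-group sketch), as an added example that is not part of the original thread or of the FreeRADIUS source. The tables and the Login-User request are constructed from the rows Scott posted; rows_for, paircmp and the two evaluation functions are a simplified model written for this example, not the server's own routines, and they leave out group priority and password validation.

```python
# Added example, not code from FreeRADIUS or from the thread's authors: a model of
# the two evaluation strategies Phil describes, run over constructed rows copied
# from Scott's tables. paircmp() is a deliberately simplified stand-in for the
# server's pair comparison; group priority and password checking are left out.

# Constructed rows: (id, owner, attribute, op, value); owner is a user or a group.
USERGROUP = [("treed", "MS1-AP1"), ("treed", "Router-Admin")]   # (user, group)
RADCHECK = [(269, "treed", "User-Password", ":=", "password")]
RADGROUPCHECK = [(28, "MS1-AP1", "Service-Type", "==", "Framed-User"),
                 (31, "Router-Admin", "Service-Type", "==", "Login-User")]
RADREPLY = [(43, "treed", "Fall-Through", "=", "yes")]
RADGROUPREPLY = [(34, "Router-Admin", "Mikrotik-Group", "=", "full"),
                 (39, "Router-Admin", "Fall-Through", "=", "Yes"),
                 (37, "MS1-AP1", "Fall-Through", "=", "Yes"),
                 (33, "MS1-AP1", "Port-Limit", "=", "128k")]

# Constructed requests; the Login-User one mirrors the debug output in the thread.
LOGIN_REQUEST = {"User-Name": "treed", "User-Password": "password",
                 "Service-Type": "Login-User"}
FRAMED_REQUEST = {**LOGIN_REQUEST, "Service-Type": "Framed-User"}


def rows_for(table, owner):
    """Rows of a table belonging to one user or group, in id order (ORDER BY id)."""
    return sorted((r for r in table if r[1] == owner), key=lambda r: r[0])


def paircmp(check_items, request):
    """Simplified paircmp: every '==' check item must equal the request attribute.
    ':=' items (the password here) set control values and are not compared."""
    return all(request.get(attr) == value
               for _id, _owner, attr, op, value in check_items if op == "==")


def merged_evaluation(user, request):
    """1.1.0 behaviour as Phil reads it: the radcheck rows and ALL radgroupcheck
    rows of the user's groups are concatenated and compared as one list, so two
    groups with different Service-Type checks can never both be satisfied."""
    groups = [g for u, g in USERGROUP if u == user]
    check_items = rows_for(RADCHECK, user)
    for g in groups:
        check_items += rows_for(RADGROUPCHECK, g)
    if not paircmp(check_items, request):
        return None           # rlm_sql: "No matching entry in the database"
    reply = rows_for(RADREPLY, user)
    for g in groups:
        reply += rows_for(RADGROUPREPLY, g)
    return [(attr, value) for _id, _owner, attr, _op, value in reply]


def per_group_evaluation(user, request):
    """Phil's proposed algorithm: compare each group's check items on their own,
    and let only the groups that match contribute their reply items."""
    if not paircmp(rows_for(RADCHECK, user), request):
        return None
    reply = rows_for(RADREPLY, user)
    for u, group in USERGROUP:
        groupcheck = rows_for(RADGROUPCHECK, group)
        if u == user and groupcheck and paircmp(groupcheck, request):
            reply += rows_for(RADGROUPREPLY, group)
    return [(attr, value) for _id, _owner, attr, _op, value in reply]
```

With the merged list treed is rejected for both Login-User and Framed-User requests, which is the "No matching entry" seen in Scott's debug output; with per-group evaluation the Login-User request picks up only the Router-Admin replies and the Framed-User request only the MS1-AP1 ones.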
Re: User in Multiple Groups
I did not usurp a thread, I reposted my own.

I changed radcheck to have := instead of ==. No change.

First query returns:

    +----+--------------+--------------+-------------+----+
    | id | GroupName    | Attribute    | Value       | op |
    +----+--------------+--------------+-------------+----+
    | 28 | MS1-AP1      | Service-Type | Framed-User | == |
    | 31 | Router-Admin | Service-Type | Login-User  | == |
    +----+--------------+--------------+-------------+----+

Second query returns:

    +----+--------------+----------------+-------+----+
    | id | GroupName    | Attribute      | Value | op |
    +----+--------------+----------------+-------+----+
    | 34 | Router-Admin | Mikrotik-Group | full  | =  |
    | 39 | Router-Admin | Fall-Through   | Yes   | =  |
    | 37 | MS1-AP1      | Fall-Through   | Yes   | =  |
    | 33 | MS1-AP1      | Port-Limit     | 128k  | =  |
    +----+--------------+----------------+-------+----+

I have a document from the FreeRadius WIKI (rlm_sql) that says:

    Processing continues to the next group IF:
        There was not a match for the last group's check items
        OR
        Fall-Through was set in the last group's reply items.

If the user logs into a router, the request is for Login-User and they should get the Router-Admin replies. If they log in to an AP, the request is Framed-User and they should get the AP replies.

Scott Reed
Owner
NewWays Wireless Networking
Network Design, Installation and Administration
www.nwwnet.net

--- Original Message ---
From: Phil Mayers [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thu, 06 Apr 2006 13:22:39 +0100
Subject: Re: User in Multiple Groups

Scott Reed wrote:
> I have searched the archive and came close to figuring this out, but I have not

Don't start your query as part of another thread please.

> Configuration tables:
>
> USERGROUP
>   80  sreed  MS1-AP1
>   76  treed  MS1-AP1
>   78  sreed  Router-Admin
>   79  treed  Router-Admin
>   81  dreed  Router-Admin
>
> RADCHECK
>   331  dreed  User-Password  ==  password
>   269  treed  User-Password  ==  password
>   267  sreed  User-Password  ==  password

This should be := for User-Password. If the match is failing, that may be the issue.

> RADGROUPCHECK
>   31  Router-Admin  Service-Type  ==  Login-User
>   28  MS1-AP1       Service-Type  ==  Framed-User
>
> RADREPLY
>   33  sreed  Fall-Through  =  yes
>   43  treed  Fall-Through  =  yes
>
> RADGROUPREPLY
>   33  MS1-AP1       Port-Limit      =  128k  15
>   34  Router-Admin  Mikrotik-Group  =  full  10
>   39  Router-Admin  Fall-Through    =  Yes   10
>   37  MS1-AP1       Fall-Through    =  Yes   15

I don't think Fall-Through does anything in rlm_sql. What are you expecting it to do?

> rad_recv: Access-Request packet from host 192.168.100.13:1201, id=166, length=83
>         Service-Type = Login-User
>         User-Name = treed
>         User-Password = password
>         Calling-Station-Id = 192.168.100.240
>         NAS-Identifier = HotSpot
>         NAS-IP-Address = 192.168.100.13
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
>   modcall[authorize]: module preprocess returns ok for request 1
>   modcall[authorize]: module chap returns noop for request 1
>   modcall[authorize]: module mschap returns noop for request 1
>     rlm_realm: No '@' in User-Name = treed, looking up realm NULL
>     rlm_realm: No such realm NULL
>   modcall[authorize]: module suffix returns noop for request 1
> radius_xlat:  'treed'
> rlm_sql (sql): sql_set_user escaped user -- 'treed'
> rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'treed' ORDER BY id
> rlm_sql_mysql: query:  SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'treed' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id

What is the result of this query if you execute it directly against the database?

> rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'treed' ORDER BY id
> rlm_sql_mysql: query:  SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'treed
Re: User in Multiple Groups
Someone posted that many readers of this list don't have HTML mail readers, so I cleaned up the spacing on the tables and am reposting this in text so all can read it.

Scott Reed
Owner
NewWays Wireless Networking
Network Design, Installation and Administration
www.nwwnet.net

--- Original Message ---
From: Scott Reed [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thu, 6 Apr 2006 07:54:08 -0500
Subject: Re: User in Multiple Groups

I did not usurp a thread, I reposted my own.

I changed radcheck to have := instead of ==. No change.

First query returns:

    +----+--------------+--------------+-------------+----+
    | id | GroupName    | Attribute    | Value       | op |
    +----+--------------+--------------+-------------+----+
    | 28 | MS1-AP1      | Service-Type | Framed-User | == |
    | 31 | Router-Admin | Service-Type | Login-User  | == |
    +----+--------------+--------------+-------------+----+

Second query returns:

    +----+--------------+----------------+-------+----+
    | id | GroupName    | Attribute      | Value | op |
    +----+--------------+----------------+-------+----+
    | 34 | Router-Admin | Mikrotik-Group | full  | =  |
    | 39 | Router-Admin | Fall-Through   | Yes   | =  |
    | 37 | MS1-AP1      | Fall-Through   | Yes   | =  |
    | 33 | MS1-AP1      | Port-Limit     | 128k  | =  |
    +----+--------------+----------------+-------+----+

I have a document from the FreeRadius WIKI (rlm_sql) that says:

    Processing continues to the next group IF:
        There was not a match for the last group's check items
        OR
        Fall-Through was set in the last group's reply items.

If the user logs into a router, the request is for Login-User and they should get the Router-Admin replies. If they log in to an AP, the request is Framed-User and they should get the AP replies.

Scott Reed
Owner
NewWays Wireless Networking
Network Design, Installation and Administration
www.nwwnet.net

--- Original Message ---
From: Phil Mayers [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thu, 06 Apr 2006 13:22:39 +0100
Subject: Re: User in Multiple Groups

Scott Reed wrote:
> I have searched the archive and came close to figuring this out, but I have not

Don't start your query as part of another thread please.

> Configuration tables:
>
> USERGROUP
>   80  sreed  MS1-AP1
>   76  treed  MS1-AP1
>   78  sreed  Router-Admin
>   79  treed  Router-Admin
>   81  dreed  Router-Admin
>
> RADCHECK
>   331  dreed  User-Password  ==  password
>   269  treed  User-Password  ==  password
>   267  sreed  User-Password  ==  password

This should be := for User-Password. If the match is failing, that may be the issue.

> RADGROUPCHECK
>   31  Router-Admin  Service-Type  ==  Login-User
>   28  MS1-AP1       Service-Type  ==  Framed-User
>
> RADREPLY
>   33  sreed  Fall-Through  =  yes
>   43  treed  Fall-Through  =  yes
>
> RADGROUPREPLY
>   33  MS1-AP1       Port-Limit      =  128k  15
>   34  Router-Admin  Mikrotik-Group  =  full  10
>   39  Router-Admin  Fall-Through    =  Yes   10
>   37  MS1-AP1       Fall-Through    =  Yes   15

I don't think Fall-Through does anything in rlm_sql. What are you expecting it to do?

> rad_recv: Access-Request packet from host 192.168.100.13:1201, id=166, length=83
>         Service-Type = Login-User
>         User-Name = treed
>         User-Password = password
>         Calling-Station-Id = 192.168.100.240
>         NAS-Identifier = HotSpot
>         NAS-IP-Address = 192.168.100.13
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
>   modcall[authorize]: module preprocess returns ok for request 1
>   modcall[authorize]: module chap returns noop for request 1
>   modcall[authorize]: module mschap returns noop for request 1
>     rlm_realm: No '@' in User-Name = treed, looking up realm NULL
>     rlm_realm: No such realm NULL
>   modcall[authorize]: module suffix returns noop for request 1
> radius_xlat:  'treed'
> rlm_sql (sql): sql_set_user escaped user -- 'treed'
> rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'treed' ORDER BY id
> rlm_sql_mysql: query:  SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'treed' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id

What is the result of this query if you execute it directly against the database?

> rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'treed' ORDER BY id
> rlm_sql_mysql: query:  SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
User in Multiple Groups
    ,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'treed' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.prio
    rlm_sql (sql): No matching entry in the database for request from user [treed]
    rlm_sql (sql): Released sql socket id: 2
      modcall[authorize]: module sql returns notfound for request 1
    modcall: group authorize returns ok for request 1
    auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    auth: Failed to validate the user.
    Login incorrect: [treed/password] (from client hotspot port 0 cli 192.168.100.240)
      Processing the post-auth section of radiusd.conf
    modcall: entering group Post-Auth-Type for request 1
    rlm_sql (sql): Processing sql_postauth
    radius_xlat:  'treed'
    rlm_sql (sql): sql_set_user escaped user -- 'treed'
    radius_xlat:  'INSERT into radpostauth (id, user, pass, reply, date) values ('', 'treed', 'password', 'Access-Reject', NOW())'
    radius_xlat:  '/var/log/radius/sqltrace.sql'
    rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'treed', 'password', 'Access-Reject', NOW())
    rlm_sql (sql): Reserving sql socket id: 1
    rlm_sql_mysql: query:  INSERT into radpostauth (id, user, pass, reply, date) values ('', 'treed', 'password', 'Access-Reject', NOW())
    rlm_sql (sql): Released sql socket id: 1
      modcall[post-auth]: module sql returns ok for request 1
    modcall: group Post-Auth-Type returns ok for request 1
    Delaying request 1 for 1 seconds
    Finished request 1
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    rad_recv: Access-Request packet from host 192.168.100.13:1201, id=166, length=83
    Sending Access-Reject of id 166 to 192.168.100.13:1201
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Waking up in 3 seconds...
Scott Reed
Owner
NewWays Wireless Networking
Network Design, Installation and Administration
www.nwwnet.net

--- Original Message ---
From: debik [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wed, 5 Apr 2006 20:26:14 +0200
Subject: Re: Couldn't stop freeradius server!!

Try killall radiusd or killall freeradius. I have debian and those commands are all right.

----- Original Message -----
From: lmyho [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, April 04, 2006 6:19 PM
Subject: Re: Couldn't stop freeradius server!!

--- monish ar [EMAIL PROTECTED] wrote:

> Instead of using the command to stop the radius daemon, herez another simple way. At the console type ps -ax | grep radiusd , this will give u the list of radius servers currently along with its process IDs. The next thing u do is type kill pid# , PID# refers to the process id number of ur currently running radius daemon. Hope it helps... Dunno bout the NAS list though...

Hi Monish,

Thank you for the idea! I checked, and found the process. But on this debian system, the process is actually named freeradius, instead of the traditional radiusd. :( So there are indeed some changes on how the freeradius is run on debian. Do you have more idea about it?

Can anyone tell me more on how the debian is running the freeradius and how I can stop the server from command line in debian system? (pls see problem detail below)

Thanks a lot!!
leo

On 4/4/06, lmyho [EMAIL PROTECTED] wrote:
> Hi All,
>
> Installed freeradius 1.1.0-1 on debian system (2.6.15-1-686). The radius server started automatically well each time when the system booting. But I wanted to stop it to do some testing using my modified configuration files. I tried to stop the server using command: 'freeradius stop' ('radiusd' doesn't work on this debian - anyone knows why??)
>
> But so weird, no matter what command I gave, with parameter stop|start|restart, the server ALWAYS goes to START again!! even from the /etc/init.d/freeradius I can read that the 'stop' param should stop the server! Can anyone tell me why the command couldn't stop the server?? and how should I stop it??
>
> The log file shows entries like this for each of my trying, even the command given was to stop:
>
>     Tue Apr  4 01:14:13 2006 : Info: Using deprecated naslist file.  Support for this will go away soon.
>     Tue Apr  4 01:14:13 2006 : Error: There appears to be another RADIUS server running on the authenticat
>
> What is happening here? (I couldn't stop the running daemon, so is the 2nd line above)
>
> Also, from the log file I noticed
Re: radtest
radiusd not running?

Scott Reed
Owner
NewWays
www.nwwnet.net

--- Original Message ---
From: [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Thu, 17 Mar 2005 16:52:31 +0100
Subject: radtest

Hi all,

I'm trying to do a simple radtest but it doesn't go through. Here is what I get:

    $ radtest bob bob localhost 0 testing123
    Sending Access-Request of id 227 to 127.0.0.1:1812
            User-Name = bob
            User-Password = bob
            NAS-IP-Address = localhost.localdomain
            NAS-Port = 0
    radclient: no response from server for ID 227

I'm running on Fedora with very simple configurations. Does anyone have any idea about what is going on?

Cheers
Vicky

This message was sent using IMP, the Internet Messaging Program.
--- End of Original Message ---