Sorry, I always tend to think more than I write/talk.

What I meant was that you can pass the necessary information during the authentication using the auth_radius module or during feature request using the avp_radius, depending on what you are trying to do with the feature.

Lenir wrote:

>I will try that as a workaround.
>
>For the SER-DEVEL and OPENSER-DEVEL guys...can any of you comment on this?
>
>Thanks
>
>-----Original Message-----
>From: Tavis P [mailto:[EMAIL PROTECTED]
>Sent: Wednesday, October 19, 2005 4:40 PM
>To: Lenir
>Cc: [email protected]; [EMAIL PROTECTED]
>Subject: Re: group_radius radius_is_user_in
>
>I've never used the group_radius module so I'm not certain what it
>expects from the radius server (it's not well documented currently)
>
>Although you may be able to optimize a bit and skip the
>radius_is_user_in function call and simply pass the user's group back as
>an SIP-AVP attribute in the radreply table, and then check for that AVP
>in the OpenSER script
>
>What I've done is commented the group checking SQL from the freeradius
>sql.conf file so that when a user authenticates or when an avp_radius
>call is made only 2 SQL queries are sent, instead of the 4-5 used when
>group check is enabled.
>
>Try this, it should work and it will save you ~10 sql queries and a
>radius request/response
>
>
>Lenir wrote:
>
>>I'm trying to use group_radius module to check if the user is in a
>>particular radius group. I'm calling radius_is_user_in function to do this.
>>Here is the snippet in my config that calls that function:
>>
>>route[2] {
>>
>>    # -----------------------------------------------------------------
>>    # REGISTER Message Handler
>>    # ----------------------------------------------------------------
>>    sl_send_reply("100", "Trying");
>>
>>    if (!radius_www_authorize("")) {
>>        xlog("L_INFO","$ci - $fu - User not authenticated, Radius Authenticating...\n");
>>        www_challenge("","0");
>>        return;
>>    } else {
>>        xlog("L_INFO","$ci - $fu - User authenticated...\n");
>>    };
>>
>>    if (radius_is_user_in("From", "Dialin")){
>>        xlog("L_INFO","From: User is in Radius Group Dialin!!!!\n");
>>    } else {
>>        xlog("L_INFO","From: User *IS NOT* Group Dialin!!!!!\n");
>>    };
>>
>>    if (radius_is_user_in("From", "Dialin2")){
>>        xlog("L_INFO","From: User is in Radius Group Dialin2!!!!\n");
>>    } else {
>>        xlog("L_INFO","From: User *IS NOT* Group Dialin2!!!!!\n");
>>    };
>>
>>    #if (!radius_check_to()) {
>>    #    sl_send_reply("401", "Unauthorized");
>>    #    return;
>>    #};
>>
>>    consume_credentials();
>>
>>    if (!save("location")) {
>>        sl_reply_error();
>>    };
>>}
>>
>>
>>-----Original Message-----
>>From: Tavis P [mailto:[EMAIL PROTECTED]
>>Sent: Wednesday, October 19, 2005 3:59 PM
>>To: Lenir
>>Cc: [email protected]; [EMAIL PROTECTED]
>>Subject: Re: group_radius radius_is_user_in
>>
>>Well either way the radius server is going to respond with an
>>"Access-Accept" because you have set the auth-type to "none" (which is
>>necessary because you are not authenticating and can not provide the
>>necessary credentials).
>>
>>From the trace you showed me below, I see two radius requests both for
>>the user 1000 and both of which respond as I would expect.
>>
>>I'm not sure what you are trying to accomplish, are you using the
>>group_radius module or just loading the group information using avp_radius?
>>
>>
>>Lenir wrote:
>>
>>>This is my users file:
>>>
>>>DEFAULT Auth-Type = System
>>>        Fall-Through = 1
>>>
>>>DEFAULT Service-Type == Call-Check, Auth-Type := None
>>>
>>>DEFAULT Service-Type == Group-Check, Auth-Type := None
>>>
>>>DEFAULT Service-Type == SIP-Session, Auth-Type := Digest
>>>
>>>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>>>
>>>DEFAULT Service-Type == SIP-Caller-AVPs, Auth-Type := None
>>>
>>>
>>>mysql> select * from radcheck;
>>>+----+----------+-----------+----+----------+
>>>| id | UserName | Attribute | op | Value    |
>>>+----+----------+-----------+----+----------+
>>>|  1 | Jhassell | Password  | == | changeme |
>>>|  2 | Rneis    | Password  | == | changeme |
>>>|  3 | 1000     | Password  | == | 1000     |
>>>|  4 | 2000     | Password  | == | 2000     |
>>>|  5 | 3000     | Password  | == | 3000     |
>>>+----+----------+-----------+----+----------+
>>>5 rows in set (0.00 sec)
>>>
>>>mysql> select * from radreply;
>>>Empty set (0.00 sec)
>>>
>>>mysql> select * from usergroup;
>>>+----+----------+------------+
>>>| id | UserName | GroupName  |
>>>+----+----------+------------+
>>>|  1 | Jhassell | Dialin     |
>>>|  2 | Rneis    | Staticdial |
>>>|  3 | 1000     | Dialin     |
>>>|  4 | 2000     | Dialin     |
>>>|  5 | 3000     | Dialin     |
>>>|  6 | 3000     | Dialin2    |
>>>+----+----------+------------+
>>>6 rows in set (0.00 sec)
>>>
>>>mysql> select * from radgroupcheck;
>>>Empty set (0.00 sec)
>>>
>>>mysql> select * from radgroupreply;
>>>+----+-----------+---------------+----+----------------------------------+------+
>>>| id | GroupName | Attribute     | op | Value                            | prio |
>>>+----+-----------+---------------+----+----------------------------------+------+
>>>|  1 | Dialin    | Reply-Message | =  | "Authenticated by group Dialin"  |    0 |
>>>|  2 | Dialin2   | Reply-Message | =  | "Authenticated by group Dialin2" |    0 |
>>>|  3 | Dialin    | SIP-AVP       | =  | Sip-Group:Dialin                 |    0 |
>>>+----+-----------+---------------+----+----------------------------------+------+
>>>3 rows in set (0.00 sec)
>>>
>>>mysql> select * from radpostauth;
>>>Empty set (0.00 sec)
>>>
>>>
>>>
>>>Here's the debug, notice how it returns access-accept whether it's in the
>>>right group or not. Shouldn't it return access-reject for group Dialin2?
>>>-----------------
>>>rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=152, length=66
>>>        User-Name = "[EMAIL PROTECTED]"
>>>        Sip-Group = "Dialin"
>>>        Service-Type = Group-Check
>>>        NAS-IP-Address = 127.0.0.1
>>>        NAS-Port = 0
>>>Processing the authorize section of radiusd.conf
>>>modcall: entering group authorize for request 4
>>>modcall[authorize]: module "preprocess" returns ok for request 4
>>>modcall[authorize]: module "chap" returns noop for request 4
>>>modcall[authorize]: module "mschap" returns noop for request 4
>>>modcall[authorize]: module "digest" returns noop for request 4
>>>    rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name = "[EMAIL PROTECTED]"
>>>    rlm_realm: Found realm "xx.xx.xx.xx"
>>>    rlm_realm: Adding Stripped-User-Name = "1000"
>>>    rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
>>>    rlm_realm: Adding Realm = "xx.xx.xx.xx"
>>>    rlm_realm: Authentication realm is LOCAL.
>>>modcall[authorize]: module "suffix" returns noop for request 4
>>>rlm_eap: No EAP-Message, not doing EAP
>>>modcall[authorize]: module "eap" returns noop for request 4
>>>    users: Matched entry DEFAULT at line 156
>>>    users: Matched entry DEFAULT at line 161
>>>modcall[authorize]: module "files" returns ok for request 4
>>>radius_xlat: '1000'
>>>rlm_sql (sql): sql_set_user escaped user --> '1000'
>>>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '1000' ORDER BY id'
>>>rlm_sql (sql): Reserving sql socket id: 0
>>>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '1000' ORDER BY id
>>>radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>>>rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
>>>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '1000' ORDER BY id'
>>>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '1000' ORDER BY id
>>>radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>>>rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
>>>rlm_sql (sql): Checking profile DEFAULT
>>>rlm_sql (sql): sql_set_user escaped user --> 'DEFAULT'
>>>radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>>>rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
>>>radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>>>rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
>>>rlm_sql (sql): Released sql socket id: 0
>>>modcall[authorize]: module "sql" returns ok for request 4
>>>modcall: group authorize returns ok for request 4
>>>rad_check_password: Found Auth-Type None
>>>rad_check_password: Auth-Type = Accept, accepting the user
>>>radius_xlat: 'Authenticated by group Dialin'
>>>Sending Access-Accept of id 152 to xx.xx.xx.xx:33167
>>>        Reply-Message = "Authenticated by group Dialin"
>>>        SIP-AVP = "Sip-Group:Dialin"
>>>Finished request 4
>>>Going to the next request
>>>Waking up in 6 seconds...
>>>rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=153, length=67
>>>        User-Name = "[EMAIL PROTECTED]"
>>>        Sip-Group = "Dialin2"
>>>        Service-Type = Group-Check
>>>        NAS-IP-Address = 127.0.0.1
>>>        NAS-Port = 0
>>>Processing the authorize section of radiusd.conf
>>>modcall: entering group authorize for request 5
>>>modcall[authorize]: module "preprocess" returns ok for request 5
>>>modcall[authorize]: module "chap" returns noop for request 5
>>>modcall[authorize]: module "mschap" returns noop for request 5
>>>modcall[authorize]: module "digest" returns noop for request 5
>>>    rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name = "[EMAIL PROTECTED]"
>>>    rlm_realm: Found realm "xx.xx.xx.xx"
>>>    rlm_realm: Adding Stripped-User-Name = "1000"
>>>    rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
>>>    rlm_realm: Adding Realm = "xx.xx.xx.xx"
>>>    rlm_realm: Authentication realm is LOCAL.
>>>modcall[authorize]: module "suffix" returns noop for request 5
>>>rlm_eap: No EAP-Message, not doing EAP
>>>modcall[authorize]: module "eap" returns noop for request 5
>>>    users: Matched entry DEFAULT at line 156
>>>    users: Matched entry DEFAULT at line 161
>>>modcall[authorize]: module "files" returns ok for request 5
>>>radius_xlat: '1000'
>>>rlm_sql (sql): sql_set_user escaped user --> '1000'
>>>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '1000' ORDER BY id'
>>>rlm_sql (sql): Reserving sql socket id: 4
>>>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '1000' ORDER BY id
>>>radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>>>rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
>>>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '1000' ORDER BY id'
>>>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '1000' ORDER BY id
>>>radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>>>rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
>>>rlm_sql (sql): Checking profile DEFAULT
>>>rlm_sql (sql): sql_set_user escaped user --> 'DEFAULT'
>>>radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>>>rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
>>>radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>>>rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
>>>rlm_sql (sql): Released sql socket id: 4
>>>modcall[authorize]: module "sql" returns ok for request 5
>>>modcall: group authorize returns ok for request 5
>>>rad_check_password: Found Auth-Type None
>>>rad_check_password: Auth-Type = Accept, accepting the user
>>>radius_xlat: 'Authenticated by group Dialin'
>>>Sending Access-Accept of id 153 to xx.xx.xx.xx:33167
>>>        Reply-Message = "Authenticated by group Dialin"
>>>        SIP-AVP = "Sip-Group:Dialin"
>>>Finished request 5
>>>
>>>-----Original Message-----
>>>From: Tavis P [mailto:[EMAIL PROTECTED]
>>>Sent: Friday, October 14, 2005 7:21 PM
>>>To: Lenir
>>>Cc: [email protected]; [EMAIL PROTECTED]
>>>Subject: Re: group_radius radius_is_user_in
>>>
>>>Ugh the subject line is getting really munged up ;P
>>>
>>>Hmmm, what does the output from "radiusd -X" look like for the exchange?
>>>
>>>
>>>Lenir wrote:
>>>
>>>>Tavis,
>>>>
>>>>Thanks for your input, that did fix the problem. I did have the "files"
>>>>before "sql" in radiusd.conf. Also I followed your advice about taking out
>>>>"Auth-Type" out of mysql table and let DEFAULT in users file do the trick.
>>>>
>>>>However it's semi-working.
>>>>
>>>>According to the snippet from my ser.cfg file, now I get the following in
>>>>stderr:
>>>>0(4866) [EMAIL PROTECTED] - sip:[EMAIL PROTECTED] - User authenticated...
>>>>0(4866) Credentials: User is in Radius Group Dialin!!!!
>>>>0(4866) Credentials: User is in Radius Group Dialin2!!!!
>>>>
>>>>No matter which parameter I use for the function radius_is_user_in(), it
>>>>always returns TRUE. When in fact it should return FALSE for Group Dialin2.
>>>>
>>>>I've tried:
>>>>
>>>>if (radius_is_user_in("From", "Dialin2")){...
>>>>if (radius_is_user_in("Credentials", "Dialin2")){...
>>>>
>>>>
>>>>Here's what I did to fix future problems:
>>>>
>>>>DEFAULT Auth-Type = System
>>>>        Fall-Through = 1
>>>>
>>>>DEFAULT Service-Type == Call-Check, Auth-Type := Digest
>>>>
>>>>DEFAULT Service-Type == Group-Check, Auth-Type := None
>>>>
>>>>DEFAULT Service-Type == SIP-Session, Auth-Type := Digest
>>>>
>>>>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>>>>
>>>>DEFAULT Service-Type == SIP-Caller-AVPs, Auth-Type := None
>>>>
>>>>
>>>>Also, for those of you using the latest version of freeradius, you may have
>>>>to comment out the following lines as they conflict with dictionary.ser (SER
>>>>CVS) and dictionary.sip (comes with radiusclient-NG)
>>>>
>>>>#VALUE Service-Type Voice 12
>>>>#VALUE Service-Type Fax 13
>>>>#VALUE Service-Type Modem-Relay 14
>>>>#VALUE Service-Type IAPP-Register 15
>>>>#VALUE Service-Type IAPP-AP-Check 16
>>>>
>>>>
>>>>Thanks,
>>>>
>>>>
>>>>Lenir
>>>>
>>>>
>>>>-----Original Message-----
>>>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
>>>>Behalf Of Tavis P
>>>>Sent: Friday, October 14, 2005 1:49 PM
>>>>To: [EMAIL PROTECTED]
>>>>Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [email protected];
>>>>[email protected]
>>>>Subject: [Serusers] Re: [Serdev] group_radius radius_is_user_in
>>>>
>>>>Oops, I spoke too soon
>>>>
>>>>It looks like you have placed the "files" module before the "sql" module
>>>>in your radiusd.conf
>>>>
>>>>It's matching your DEFAULT entry in files (setting the Auth-Type to none)
>>>>but the sql module is later changing the Auth-Type to "digest"
>>>>
>>>>Changing the order would solve this problem, as you want it to match the
>>>>SQL statement first and then the section in the files last (which
>>>>changes the Auth-Type)
>>>>
>>>>Also, you may want to reduce the load on your database by not setting
>>>>the Auth-Type in the database and instead setting in the users file with
>>>>a DEFAULT statement as (at least in my case) it isn't something that needs
>>>>to be dynamic.
>>>>
>>>>[EMAIL PROTECTED] wrote:
>>>>
>>>>>Hello list,
>>>>>
>>>>>I've been trying my hardest today to get group_radius to work, and its
>>>>>function radius_is_user_in().
>>>>>I'm running ser0.9.4 and freeradius 1.0.4 with the mysql backend and digest
>>>>>authentication.
>>>>>
>>>>>Radius authentication works fine.
>>>>>The problem is that when radius_is_user_in() function gets called, it sends
>>>>>a radius message but without the User-Password field and freeradius
>>>>>complains that it requires it since we are using Digest.
>>>>>I've seen a couple of posts here, but they were never answered:
>>>>>http://mail.iptel.org/pipermail/serusers/2005-March/017342.html
>>>>>http://mail.iptel.org/pipermail/serusers/2005-March/017075.html
>>>>>
>>>>>-----
>>>>>I have a small test in my ser.cfg file:
>>>>>    if (!radius_www_authorize("")) {
>>>>>        xlog("L_I","%ci - %fu - User not authenticated, Radius Authenticating...\n");
>>>>>        www_challenge("","0");
>>>>>        break;
>>>>>    } else {
>>>>>        xlog("L_I","%ci - %fu - User authenticated...\n");
>>>>>    };
>>>>>
>>>>>    if (radius_is_user_in("From", "Dialin")){
>>>>>        xlog("L_I","From: User is in Radius Group Dialin!!!!\n");
>>>>>    } else {
>>>>>        xlog("L_I","From: User *IS NOT* Group Dialin!!!!!\n");
>>>>>    };
>>>>>
>>>>>    if (radius_is_user_in("Credentials", "Dialin2")){
>>>>>        xlog("L_I","From: User is in Radius Group Dialin2!!!!\n");
>>>>>    } else {
>>>>>        xlog("L_I","From: User *IS NOT* Group Dialin2!!!!!\n");
>>>>>    };
>>>>>
>>>>>-----
>>>>>In /etc/raddb/users file I have the following at line 152:
>>>>>DEFAULT Auth-Type = System
>>>>>        Fall-Through = 1
>>>>>
>>>>>DEFAULT Service-Type == Group-Check, Auth-Type := None
>>>>>
>>>>>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>>>>>
>>>>>-----
>>>>>
>>>>>These are mysql tables:
>>>>>
>>>>>+----+----------+-----------+----+----------+
>>>>>| id | UserName | Attribute | op | Value    |
>>>>>+----+----------+-----------+----+----------+
>>>>>|  1 | Jhassell | Password  | == | changeme |
>>>>>|  2 | Rneis    | Password  | == | changeme |
>>>>>|  3 | 1000     | Password  | == | 1000     |
>>>>>|  4 | 2000     | Password  | == | 2000     |
>>>>>|  5 | 3000     | Password  | == | 3000     |
>>>>>|  8 | 1000     | Auth-Type | := | Digest   |
>>>>>+----+----------+-----------+----+----------+
>>>>>
>>>>>+----+-----------+-----------+----+--------+
>>>>>| id | GroupName | Attribute | op | Value  |
>>>>>+----+-----------+-----------+----+--------+
>>>>>|  6 | Dialin    | Auth-Type | := | Accept |
>>>>>+----+-----------+-----------+----+--------+
>>>>>
>>>>>+----+-----------+---------------+----+----------------------------------+------+
>>>>>| id | GroupName | Attribute     | op | Value                            | prio |
>>>>>+----+-----------+---------------+----+----------------------------------+------+
>>>>>|  1 | Dialin    | Reply-Message | =  | "Authenticated by group Dialin"  |    0 |
>>>>>|  2 | Dialin2   | Reply-Message | =  | "Authenticated by group Dialin2" |    0 |
>>>>>+----+-----------+---------------+----+----------------------------------+------+
>>>>>
>>>>>+----+----------+---------------+----+------------------+
>>>>>| id | UserName | Attribute     | op | Value            |
>>>>>+----+----------+---------------+----+------------------+
>>>>>|  1 | 1000     | Reply-Message | =  | "Authenticated"  |
>>>>>|  2 | 1000     | Sip-Group     | =  | Dialin           |
>>>>>|  3 | 1000     | SIP-AVP       | =  | Sip-Group:Dialin |
>>>>>+----+----------+---------------+----+------------------+
>>>>>
>>>>>+----+----------+------------+
>>>>>| id | UserName | GroupName  |
>>>>>+----+----------+------------+
>>>>>|  1 | Jhassell | Dialin     |
>>>>>|  2 | Rneis    | Staticdial |
>>>>>|  3 | 1000     | Dialin     |
>>>>>|  4 | 2000     | Dialin     |
>>>>>|  5 | 3000     | Dialin     |
>>>>>|  6 | 3000     | Dialin2    |
>>>>>+----+----------+------------+
>>>>>
>>>>>------
>>>>>
>>>>>This is the debug I get from freeradius for the group check:
>>>>>
>>>>>rad_recv: Access-Request packet from host xx.xx.xx.xx:33025, id=15, length=67
>>>>>        User-Name = "[EMAIL PROTECTED]"
>>>>>        Sip-Group = "Dialin2"
>>>>>        Service-Type = Group-Check
>>>>>        NAS-IP-Address = 127.0.0.1
>>>>>        NAS-Port = 0
>>>>>Processing the authorize section of radiusd.conf
>>>>>modcall: entering group authorize for request 74
>>>>>modcall[authorize]: module "preprocess" returns ok for request 74
>>>>>modcall[authorize]: module "chap" returns noop for request 74
>>>>>modcall[authorize]: module "mschap" returns noop for request 74
>>>>>modcall[authorize]: module "digest" returns noop for request 74
>>>>>rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name = "[EMAIL PROTECTED]"
>>>>>rlm_realm: Found realm "xx.xx.xx.xx"
>>>>>rlm_realm: Adding Stripped-User-Name = "1000"
>>>>>rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
>>>>>rlm_realm: Adding Realm = "xx.xx.xx.xx"
>>>>>rlm_realm: Authentication realm is LOCAL.
>>>>>modcall[authorize]: module "suffix" returns noop for request 74
>>>>>rlm_eap: No EAP-Message, not doing EAP
>>>>>modcall[authorize]: module "eap" returns noop for request 74
>>>>>users: Matched entry DEFAULT at line 152
>>>>>users: Matched entry DEFAULT at line 158
>>>>>modcall[authorize]: module "files" returns ok for request 74
>>>>>radius_xlat: '1000'
>>>>>rlm_sql (sql): sql_set_user escaped user --> '1000'
>>>>>rlm_sql (sql): Released sql socket id: 0
>>>>>modcall[authorize]: module "sql" returns ok for request 74
>>>>>modcall: group authorize returns ok for request 74
>>>>>rad_check_password: Found Auth-Type Digest
>>>>>auth: type "digest"
>>>>>Processing the authenticate section of radiusd.conf
>>>>>modcall: entering group authenticate for request 74
>>>>>ERROR: No Digest-Nonce: Cannot perform Digest authentication
>>>>>modcall[authenticate]: module "digest" returns invalid for request 74
>>>>>modcall: group authenticate returns invalid for request 74
>>>>>auth: Failed to validate the user.
>>>>>Delaying request 74 for 1 seconds
>>>>>Finished request 74
>>>>>Going to the next request
>>>>>--- Walking the entire request list ---
>>>>>Waking up in 1 seconds...
>>>>>--- Walking the entire request list ---
>>>>>Waking up in 1 seconds...
>>>>>--- Walking the entire request list ---
>>>>>Sending Access-Reject of id 15 to xx.xx.xx.xx:33025
>>>>>        Reply-Message = "Authenticated"
>>>>>Waking up in 4 seconds...
>>>>>--- Walking the entire request list ---
>>>>>Cleaning up request 74 ID 15 with timestamp 434f1121
>>>>>Nothing to do. Sleeping until we see a request.
>>>>>
>>>>>Any help in this matter would be deeply appreciated,
>>>>>
>>>>>
>>>>>Lenir
>>>>>
>>>>>
>>>>>_______________________________________________
>>>>>Serdev mailing list
>>>>>[EMAIL PROTECTED]
>>>>>http://mail.iptel.org/mailman/listinfo/serdev
>>>>>
>>>>_______________________________________________
>>>>Serusers mailing list
>>>>[EMAIL PROTECTED]
>>>>http://mail.iptel.org/mailman/listinfo/serusers
>>>>

_______________________________________________
Users mailing list
[email protected]
http://openser.org/cgi-bin/mailman/listinfo/users
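
The symptom discussed in this thread (a Group-Check request answered with Access-Accept whatever Sip-Group was asked for) can be spotted mechanically in "radiusd -X" output. The Python below is an added example, not code from the thread or from SER, OpenSER or FreeRADIUS. It assumes that a reply attribute of the form SIP-AVP = "Sip-Group:<name>", as in the radgroupreply table quoted above, is the only evidence of membership; the sample log is constructed and the function names are hypothetical.

```python
import re

RECV = re.compile(r"^rad_recv: Access-Request packet from host \S+, id=(\d+)")
SEND = re.compile(r"^Sending (Access-\w+) of id (\d+)")
ATTR = re.compile(r'^\s+([\w-]+) = "?([^"]*)"?\s*$')

# Constructed sample modelled on the `radiusd -X` output quoted in the thread.
# Hosts and user names are placeholders.
SAMPLE_DEBUG = '''\
rad_recv: Access-Request packet from host 192.0.2.10:33167, id=152, length=66
        User-Name = "1000@sip.example.test"
        Sip-Group = "Dialin"
        Service-Type = Group-Check
Processing the authorize section of radiusd.conf
rad_check_password:  Found Auth-Type None
Sending Access-Accept of id 152 to 192.0.2.10:33167
        Reply-Message = "Authenticated by group Dialin"
        SIP-AVP = "Sip-Group:Dialin"
Finished request 4
rad_recv: Access-Request packet from host 192.0.2.10:33167, id=153, length=67
        User-Name = "1000@sip.example.test"
        Sip-Group = "Dialin2"
        Service-Type = Group-Check
Processing the authorize section of radiusd.conf
Sending Access-Accept of id 153 to 192.0.2.10:33167
        Reply-Message = "Authenticated by group Dialin"
        SIP-AVP = "Sip-Group:Dialin"
Finished request 5
rad_recv: Access-Request packet from host 192.0.2.10:33025, id=15, length=67
        User-Name = "1000@sip.example.test"
        Sip-Group = "Dialin2"
        Service-Type = Group-Check
Sending Access-Reject of id 15 to 192.0.2.10:33025
        Reply-Message = "Authenticated"
'''


def parse_exchanges(text):
    """Pair every Access-Request with the reply that carries the same packet id."""
    exchanges, by_id, target = [], {}, None
    for raw in text.splitlines():
        line = raw.lstrip(">")  # also accept mail-quoted debug output
        if m := RECV.match(line):
            ex = {"id": m.group(1), "request": {}, "reply": {}, "code": None}
            exchanges.append(ex)
            by_id[ex["id"]] = ex  # packet ids are reused, keep the latest
            target = ex["request"]
        elif m := SEND.match(line):
            ex = by_id.get(m.group(2))
            target = None
            if ex is not None and ex["code"] is None:
                ex["code"] = m.group(1)
                target = ex["reply"]
        elif (m := ATTR.match(line)) and target is not None:
            target.setdefault(m.group(1), []).append(m.group(2).strip())
        elif line.strip() and not line[0].isspace():
            target = None  # any other unindented line ends an attribute list
    return exchanges


def audit_group_checks(text):
    """Return (packet_id, requested_group, verdict) for each Group-Check request."""
    findings = []
    for ex in parse_exchanges(text):
        if "Group-Check" not in ex["request"].get("Service-Type", []):
            continue
        wanted = ex["request"].get("Sip-Group", [""])[0]
        # Assumption of this example: groups are echoed back as SIP-AVP values.
        confirmed = {v.split(":", 1)[1] for v in ex["reply"].get("SIP-AVP", [])
                     if v.startswith("Sip-Group:")}
        if ex["code"] is None:
            verdict = "no-reply"
        elif ex["code"] != "Access-Accept":
            verdict = "denied"
        elif wanted in confirmed:
            verdict = "confirmed"
        else:
            verdict = "accepted-unverified"  # accept says nothing about the group
        findings.append((ex["id"], wanted, verdict))
    return findings


if __name__ == "__main__":
    for packet_id, group, verdict in audit_group_checks(SAMPLE_DEBUG):
        print(f"id={packet_id} group={group}: {verdict}")
```

An "accepted-unverified" row is the case raised in the thread: the proxy script sees success from radius_is_user_in() although the reply never named the requested group.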
