Oops, i spoke too soon
It looks like you have placed the "files" module before the "sql"
module
in your radiusd.conf
Its matching your DEFAULT entry in files (setting the Auth-Type to none)
but the sql module is later changing the Auth-Type to "digest"
Changing the order would solve this problem, as you want it to match the
SQL statement first and than the section in the files last (which
changes the Auth-Type)
Also, you may want to reduce the load on your database by not setting
the Auth-Type in the database and instead setting in the users file with
a DEFAULT statement as (at least in my case) it isn't somthing that need
to be dynamic.
lenirsantiago(a)yahoo.com wrote:
Hello list,
I've been trying my hardest today to get group_radius to work, and its
function radius_is_user_in().
I'm running ser0.9.4 and freeradius 1.0.4 with the mysql backend and digest
authentication.
Radius authentication works fine.
The problem is that when radius_is_user_in() function gets called, it sends
a radius message but without the User-Password field and freeradius
complains that it requires it since we are using Digest.
I've seen a couple of posts here, but they were never answered:
http://mail.iptel.org/pipermail/serusers/2005-March/017342.html
http://mail.iptel.org/pipermail/serusers/2005-March/017075.html
-----
I have a small test in my ser.cfg file:
if (!radius_www_authorize("")) {
xlog("L_I","%ci - %fu - User not authenticated, Radius
Authenticating...\n");
www_challenge("","0");
break;
} else {
xlog("L_I","%ci - %fu - User authenticated...\n");
};
if (radius_is_user_in("From", "Dialin")){
xlog("L_I","From: User is in Radius Group
Dialin!!!!\n");
} else {
xlog("L_I","From: User *IS NOT* Group
Dialin!!!!!\n");
};
if (radius_is_user_in("Credentials", "Dialin2")){
xlog("L_I","From: User is in Radius Group
Dialin2!!!!\n");
} else {
xlog("L_I","From: User *IS NOT* Group
Dialin2!!!!!\n");
};
-----
In /etc/raddb/users file I have the following at line 152:
DEFAULT Auth-Type = System
Fall-Through = 1
DEFAULT Service-Type == Group-Check, Auth-Type := None
DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
-----
These are mysql tables:
+----+----------+-----------+----+----------+
| id | UserName | Attribute | op | Value |
+----+----------+-----------+----+----------+
| 1 | Jhassell | Password | == | changeme |
| 2 | Rneis | Password | == | changeme |
| 3 | 1000 | Password | == | 1000 |
| 4 | 2000 | Password | == | 2000 |
| 5 | 3000 | Password | == | 3000 |
| 8 | 1000 | Auth-Type | := | Digest |
+----+----------+-----------+----+----------+
+----+-----------+-----------+----+--------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+--------+
| 6 | Dialin | Auth-Type | := | Accept |
+----+-----------+-----------+----+--------+
+----+-----------+---------------+----+----------------------------------+--
----+
| id | GroupName | Attribute | op | Value |
prio |
+----+-----------+---------------+----+----------------------------------+--
----+
| 1 | Dialin | Reply-Message | = | "Authenticated by group Dialin" |
0 |
| 2 | Dialin2 | Reply-Message | = | "Authenticated by group Dialin2" |
0 |
+----+-----------+---------------+----+----------------------------------+--
----+
+----+----------+---------------+----+------------------+
| id | UserName | Attribute | op | Value |
+----+----------+---------------+----+------------------+
| 1 | 1000 | Reply-Message | = | "Authenticated" |
| 2 | 1000 | Sip-Group | = | Dialin |
| 3 | 1000 | SIP-AVP | = | Sip-Group:Dialin |
+----+----------+---------------+----+------------------+
+----+----------+------------+
| id | UserName | GroupName |
+----+----------+------------+
| 1 | Jhassell | Dialin |
| 2 | Rneis | Staticdial |
| 3 | 1000 | Dialin |
| 4 | 2000 | Dialin |
| 5 | 3000 | Dialin |
| 6 | 3000 | Dialin2 |
+----+----------+------------+
------
This is the debug I get from freeradius for the group check:
rad_recv: Access-Request packet from host xx.xx.xx.xx:33025, id=15,
length=67
User-Name = "1000(a)xx.xx.xx.xx"
Sip-Group = "Dialin2"
Service-Type = Group-Check
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 74
modcall[authorize]: module "preprocess" returns ok for request 74
modcall[authorize]: module "chap" returns noop for request 74
modcall[authorize]: module "mschap" returns noop for request 74
modcall[authorize]: module "digest" returns noop for request 74
rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
"1000(a)xx.xx.xx.xx"
rlm_realm: Found realm "xx.xx.xx.xx"
rlm_realm: Adding Stripped-User-Name = "1000"
rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
rlm_realm: Adding Realm = "xx.xx.xx.xx"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 74
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 74
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 158
modcall[authorize]: module "files" returns ok for request 74
radius_xlat: '1000'
rlm_sql (sql): sql_set_user escaped user --> '1000'
rlm_sql (sql): Released sql socket id: 0
modcall[authorize]: module "sql" returns ok for request 74
modcall: group authorize returns ok for request 74
rad_check_password: Found Auth-Type Digest
auth: type "digest"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 74
ERROR: No Digest-Nonce: Cannot perform Digest authentication
modcall[authenticate]: module "digest" returns invalid for request 74
modcall: group authenticate returns invalid for request 74
auth: Failed to validate the user.
Delaying request 74 for 1 seconds
Finished request 74
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 15 to xx.xx.xx.xx:33025
Reply-Message = "Authenticated"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 74 ID 15 with timestamp 434f1121
Nothing to do. Sleeping until we see a request.
Any help in this matter would be deeply appreciated,
Lenir
_______________________________________________
Serdev mailing list
Serdev(a)iptel.org
http://mail.iptel.org/mailman/listinfo/serdev