19 Oct
2005
19 Oct
'05
10:39 p.m.
I've never used the group_radius module so i'm not certain what it
expects from the radius server (its not well documented currently)
Although you may be able to optimize a bit and skip the
radius_is_user_in function call and simply pass the users group back as
an SIP-AVP attribute in the radreply table, and then check for that AVP
in the OpenSER script
What i've done is commented the group checking SQL from the freeradius
sql.conf file so that when a user authenticates or when an avp_radius
call is made only 2 SQL queries are sent, instead of the 4-5 used when
group check is enabled.
Try this, it should work and it will save you ~10 sql queries and a
radius request/response
Lenir wrote:
I'm trying to use group_radius module to check if
the user is in a
particular radius group. I'm calling radius_is_user_in function to do this.
Here is the snippet in my config that calls that function:
route[2] {
# -----------------------------------------------------------------
# REGISTER Message Handler
# ----------------------------------------------------------------
sl_send_reply("100", "Trying");
if (!radius_www_authorize("")) {
xlog("L_INFO","$ci - $fu - User not authenticated, Radius
Authenticating...\n");
www_challenge("","0");
return;
} else {
xlog("L_INFO","$ci - $fu - User authenticated...\n");
};
if (radius_is_user_in("From", "Dialin")){
xlog("L_INFO","From: User is in Radius Group
Dialin!!!!\n");
} else {
xlog("L_INFO","From: User *IS NOT* Group
Dialin!!!!!\n");
};
if (radius_is_user_in("From", "Dialin2")){
xlog("L_INFO","From: User is in Radius Group
Dialin2!!!!\n");
} else {
xlog("L_INFO","From: User *IS NOT* Group
Dialin2!!!!!\n");
};
#if (!radius_check_to()) {
# sl_send_reply("401", "Unauthorized");
# return;
#};
consume_credentials();
if (!save("location")) {
sl_reply_error();
};
}
-----Original Message-----
From: Tavis P [mailto:tavis.lists@galaxytelecom.net]
Sent: Wednesday, October 19, 2005 3:59 PM
To: Lenir
Cc: users(a)openser.org; serusers(a)iptel.org
Subject: Re: group_radius radius_is_user_in
Well either way the radius server is going to respond with an
"Access-Accept" because you have set the auth-type to "none" (which
is
necessary because you are not authenticating and can not provide the
necessary credentials).
+
|
|
From the trace you showed me below, i see two
radius requests both for
the user 1000 and both of which respond as i would expect.
I'm not what you are trying to accomplish, are you using the
group_radius module or just loading the group information using avp_radius?
Lenir wrote:
This is my users file:
DEFAULT Auth-Type = System
Fall-Through = 1
DEFAULT Service-Type == Call-Check, Auth-Type := None
DEFAULT Service-Type == Group-Check, Auth-Type := None
DEFAULT Service-Type == SIP-Session, Auth-Type := Digest
DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
DEFAULT Service-Type == SIP-Caller-AVPs, Auth-Type := None
mysql> select * from radcheck;
+----+----------+-----------+----+----------+
| id | UserName | Attribute | op | Value |
+----+----------+-----------+----+----------+
| 1 | Jhassell | Password | == | changeme |
| 2 | Rneis | Password | == | changeme |
| 3 | 1000 | Password | == | 1000 |
| 4 | 2000 | Password | == | 2000 |
| 5 | 3000 | Password | == | 3000 |
+----+----------+-----------+----+----------+
5 rows in set (0.00 sec)
mysql> select * from radreply;
Empty set (0.00 sec)
mysql> select * from usergroup;
+----+----------+------------+
| id | UserName | GroupName |
+----+----------+------------+
| 1 | Jhassell | Dialin |
| 2 | Rneis | Staticdial |
| 3 | 1000 | Dialin |
| 4 | 2000 | Dialin |
| 5 | 3000 | Dialin |
| 6 | 3000 | Dialin2 |
+----+----------+------------+
6 rows in set (0.00 sec)
mysql> select * from radgroupcheck;
Empty set (0.00 sec)
mysql> select * from radgroupreply;
+----+-----------+---------------+----+----------------------------------+-
-
---+
| id | GroupName | Attribute | op | Value |
prio |
+----+-----------+---------------+----+----------------------------------+-
-
----+
| 1 | Dialin | Reply-Message | = | "Authenticated by group Dialin" |
0 |
| 2 | Dialin2 | Reply-Message | = | "Authenticated by group Dialin2" |
0 |
| 3 | Dialin | SIP-AVP | = | Sip-Group:Dialin |
0 |
+----+-----------+---------------+----+----------------------------------+-
-
----+
3 rows in set (0.00 sec)
mysql> select * from radpostauth;
Empty set (0.00 sec)
Here's the debug, notice how it returns access-accept whether its in the
right group or not. Shouldn't it return access-reject for group Dialin2?
-----------------
rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=152,
length=66
User-Name = "1000(a)xx.xx.xx.xx"
Sip-Group = "Dialin"
Service-Type = Group-Check
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
modcall[authorize]: module "digest" returns noop for request 4
rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
"1000(a)xx.xx.xx.xx"
rlm_realm: Found realm "xx.xx.xx.xx"
rlm_realm: Adding Stripped-User-Name = "1000"
rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
rlm_realm: Adding Realm = "xx.xx.xx.xx"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 4
users: Matched entry DEFAULT at line 156
users: Matched entry DEFAULT at line 161
modcall[authorize]: module "files" returns ok for request 4
radius_xlat: '1000'
rlm_sql (sql): sql_set_user escaped user --> '1000'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
radcheck WHERE Username = '1000' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
FROM radcheck WHERE Username = '1000' ORDER BY id
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupch
e
ck.Value,radgroupcheck.op FROM
radgroupcheck,usergroup WHERE
usergroup.Username = '1000' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupch
e
ck.Value,radgroupcheck.op FROM
radgroupcheck,usergroup WHERE
usergroup.Username = '1000' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
radreply WHERE Username = '1000' ORDER BY id'
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
FROM radreply WHERE Username = '1000' ORDER BY id
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupre
p
ly.Value,radgroupreply.op FROM
radgroupreply,usergroup WHERE
usergroup.Username = '1000' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupre
p
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id
>rlm_sql (sql): Checking profile DEFAULT
>rlm_sql (sql): sql_set_user escaped user --> 'DEFAULT'
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupch
e
ck.Value,radgroupcheck.op FROM
radgroupcheck,usergroup WHERE
usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupch
e
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupre
p
ly.Value,radgroupreply.op FROM
radgroupreply,usergroup WHERE
usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupre
p
ly.Value,radgroupreply.op FROM
radgroupreply,usergroup WHERE
usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 0
modcall[authorize]: module "sql" returns ok for request 4
modcall: group authorize returns ok for request 4
rad_check_password: Found Auth-Type None
rad_check_password: Auth-Type = Accept, accepting the user
radius_xlat: 'Authenticated by group Dialin'
Sending Access-Accept of id 152 to xx.xx.xx.xx:33167
Reply-Message = "Authenticated by group Dialin"
SIP-AVP = "Sip-Group:Dialin"
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=153,
length=67
User-Name = "1000(a)xx.xx.xx.xx"
Sip-Group = "Dialin2"
Service-Type = Group-Check
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
modcall[authorize]: module "mschap" returns noop for request 5
modcall[authorize]: module "digest" returns noop for request 5
rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
"1000(a)xx.xx.xx.xx"
rlm_realm: Found realm "xx.xx.xx.xx"
rlm_realm: Adding Stripped-User-Name = "1000"
rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
rlm_realm: Adding Realm = "xx.xx.xx.xx"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 5
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 5
users: Matched entry DEFAULT at line 156
users: Matched entry DEFAULT at line 161
modcall[authorize]: module "files" returns ok for request 5
radius_xlat: '1000'
rlm_sql (sql): sql_set_user escaped user --> '1000'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
radcheck WHERE Username = '1000' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
FROM radcheck WHERE Username = '1000' ORDER BY id
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupch
e
ck.Value,radgroupcheck.op FROM
radgroupcheck,usergroup WHERE
usergroup.Username = '1000' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupch
e
ck.Value,radgroupcheck.op FROM
radgroupcheck,usergroup WHERE
usergroup.Username = '1000' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
radreply WHERE Username = '1000' ORDER BY id'
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
FROM radreply WHERE Username = '1000' ORDER BY id
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupre
p
ly.Value,radgroupreply.op FROM
radgroupreply,usergroup WHERE
usergroup.Username = '1000' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupre
p
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id
>rlm_sql (sql): Checking profile DEFAULT
>rlm_sql (sql): sql_set_user escaped user --> 'DEFAULT'
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupch
e
ck.Value,radgroupcheck.op FROM
radgroupcheck,usergroup WHERE
usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupch
e
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupre
p
ly.Value,radgroupreply.op FROM
radgroupreply,usergroup WHERE
usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupre
p
ly.Value,radgroupreply.op FROM
radgroupreply,usergroup WHERE
usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 5
modcall: group authorize returns ok for request 5
rad_check_password: Found Auth-Type None
rad_check_password: Auth-Type = Accept, accepting the user
radius_xlat: 'Authenticated by group Dialin'
Sending Access-Accept of id 153 to xx.xx.xx.xx:33167
Reply-Message = "Authenticated by group Dialin"
SIP-AVP = "Sip-Group:Dialin"
Finished request 5
-----Original Message-----
From: Tavis P [mailto:tavis.lists@galaxytelecom.net]
Sent: Friday, October 14, 2005 7:21 PM
To: Lenir
Cc: users(a)openser.org; serusers(a)iptel.org
Subject: Re: group_radius radius_is_user_in
Ugh the subject line is getting really munged up ;P
Hmmm, what does the output from "radiusd -X" look like for the exchange?
Lenir wrote:
>Tavis,
>
>Thanks for your input, that did fix the problem. I did have the "files"
>before "sql" in radiusd.conf. Also I followed your advice about taking out
>"Auth-Type" out of mysql table and let DEFAULT in users file do the trick.
>
>
>However it's semi-working.
>
>Accourding to the snippet from my ser.cfg file, now I get the following in
>stderr:
>0(4866) 000d2890-d47f0003-4a230347-53c6189b(a)yy.yy.yy.yy -
>sip:1000@xx.xx.xx.xx - User authenticated...
>0(4866) Credentials: User is in Radius Group Dialin!!!!
>0(4866) Credentials: User is in Radius Group Dialin2!!!!
>
>No matter which parameter I use for the function radius_is_user_in(), it
>always returns TRUE. When in fact it should return FALSE for Group
>
>
Dialin2.
>I've tried:
>
>if (radius_is_user_in("From", "Dialin2")){...
>if (radius_is_user_in("Credentials", "Dialin2")){...
>
>
>
>
>
>Here's what I did to fix future problems:
>
>EFAULT Auth-Type = System
> Fall-Through = 1
>
>DEFAULT Service-Type == Call-Check, Auth-Type := Digest
>
>DEFAULT Service-Type == Group-Check, Auth-Type := None
>
>DEFAULT Service-Type == SIP-Session, Auth-Type := Digest
>
>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>
>DEFAULT Service-Type == SIP-Caller-AVPs, Auth-Type := None
>
>
>Also, for those of you using the latest version of freeradius, you may
>
>
have
to comment
out the following lines as they conflict with dictionary.ser
(SER
CVS) and dictionary.sip (comes with
radiusclient-NG)
#VALUE Service-Type Voice 12
#VALUE Service-Type Fax 13
#VALUE Service-Type Modem-Relay 14
#VALUE Service-Type IAPP-Register 15
#VALUE Service-Type IAPP-AP-Check 16
Thanks,
Lenir
-----Original Message-----
From: serusers-bounces(a)iptel.org [mailto:serusers-bounces@iptel.org] On
Behalf Of Tavis P
Sent: Friday, October 14, 2005 1:49 PM
To: lsantiago(a)globalgatewaycom.com
Cc: serdev(a)iptel.org; serusers(a)iptel.org; devel(a)openser.org;
users(a)openser.org
Subject: [Serusers] Re: [Serdev] group_radius radius_is_user_in
Oops, i spoke too soon
It looks like you have placed the "files" module before the "sql"
module
in your radiusd.conf
Its matching your DEFAULT entry in files (setting the Auth-Type to none)
but the sql module is later changing the Auth-Type to "digest"
Changing the order would solve this problem, as you want it to match the
SQL statement first and than the section in the files last (which
changes the Auth-Type)
Also, you may want to reduce the load on your database by not setting
the Auth-Type in the database and instead setting in the users file with
a DEFAULT statement as (at least in my case) it isn't somthing that need
to be dynamic.
lenirsantiago(a)yahoo.com wrote:
>Hello list,
>
>I've been trying my hardest today to get group_radius to work, and its
>function radius_is_user_in().
>I'm running ser0.9.4 and freeradius 1.0.4 with the mysql backend and
>
>
>
>
digest
>authentication.
>
>Radius authentication works fine.
>The problem is that when radius_is_user_in() function gets called, it
>
>
>
>
sends
>>a radius message but without the User-Password field and freeradius
>>complains that it requires it since we are using Digest.
>>I've seen a couple of posts here, but they were never answered:
>>http://mail.iptel.org/pipermail/serusers/2005-March/017342.html
>>http://mail.iptel.org/pipermail/serusers/2005-March/017075.html
>>
>>-----
>>I have a small test in my ser.cfg file:
>> if (!radius_www_authorize("")) {
>> xlog("L_I","%ci - %fu - User not authenticated,
Radius
>>Authenticating...\n");
>> www_challenge("","0");
>> break;
>> } else {
>> xlog("L_I","%ci - %fu - User
authenticated...\n");
>> };
>>
>> if (radius_is_user_in("From", "Dialin")){
>> xlog("L_I","From: User is in Radius Group
Dialin!!!!\n");
>> } else {
>> xlog("L_I","From: User *IS NOT* Group
Dialin!!!!!\n");
>> };
>>
>> if (radius_is_user_in("Credentials", "Dialin2")){
>> xlog("L_I","From: User is in Radius Group
Dialin2!!!!\n");
>> } else {
>> xlog("L_I","From: User *IS NOT* Group
Dialin2!!!!!\n");
>> };
>>
>>-----
>>In /etc/raddb/users file I have the following at line 152:
>>DEFAULT Auth-Type = System
>> Fall-Through = 1
>>
>>DEFAULT Service-Type == Group-Check, Auth-Type := None
>>
>>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>>
>>-----
>>
>>These are mysql tables:
>>
>>+----+----------+-----------+----+----------+
>>| id | UserName | Attribute | op | Value |
>>+----+----------+-----------+----+----------+
>>| 1 | Jhassell | Password | == | changeme |
>>| 2 | Rneis | Password | == | changeme |
>>| 3 | 1000 | Password | == | 1000 |
>>| 4 | 2000 | Password | == | 2000 |
>>| 5 | 3000 | Password | == | 3000 |
>>| 8 | 1000 | Auth-Type | := | Digest |
>>+----+----------+-----------+----+----------+
>>
>>+----+-----------+-----------+----+--------+
>>| id | GroupName | Attribute | op | Value |
>>+----+-----------+-----------+----+--------+
>>| 6 | Dialin | Auth-Type | := | Accept |
>>+----+-----------+-----------+----+--------+
>>
>>+----+-----------+---------------+----+----------------------------------
>>
>> >
>
>
>
-
>>
>>
>
>
>
>
>-
>
>
>
>
>
>
>>----+
>>| id | GroupName | Attribute | op | Value
>>
>> >>prio |
>>+----+-----------+---------------+----+----------------------------------
>>
>>
+
>
>
>
>
-
>>
>>
>
>
>
>
>-
>
>
>
>
>
>
>>----+
>>| 1 | Dialin | Reply-Message | = | "Authenticated by group Dialin"
>>
>> >>0 |
>>| 2 | Dialin2 | Reply-Message | = | "Authenticated by group
Dialin2"
>>
>>
|
>>0 |
>>+----+-----------+---------------+----+----------------------------------
>>
>>
+
>
>
>
>
-
>>
>>
>
>
>
>
>-
>
>
>
>
>
>
>>----+
>>
>>+----+----------+---------------+----+------------------+
>>| id | UserName | Attribute | op | Value |
>>+----+----------+---------------+----+------------------+
>>| 1 | 1000 | Reply-Message | = | "Authenticated" |
>>| 2 | 1000 | Sip-Group | = | Dialin |
>>| 3 | 1000 | SIP-AVP | = | Sip-Group:Dialin |
>>+----+----------+---------------+----+------------------+
>>
>>+----+----------+------------+
>>| id | UserName | GroupName |
>>+----+----------+------------+
>>| 1 | Jhassell | Dialin |
>>| 2 | Rneis | Staticdial |
>>| 3 | 1000 | Dialin |
>>| 4 | 2000 | Dialin |
>>| 5 | 3000 | Dialin |
>>| 6 | 3000 | Dialin2 |
>>+----+----------+------------+
>>
>>------
>>
>>This is the debug I get from freeradius for the group check:
>>
>>rad_recv: Access-Request packet from host xx.xx.xx.xx:33025, id=15,
>>length=67
>> User-Name = "1000(a)xx.xx.xx.xx"
>> Sip-Group = "Dialin2"
>> Service-Type = Group-Check
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 0
>>Processing the authorize section of radiusd.conf
>>modcall: entering group authorize for request 74
>>modcall[authorize]: module "preprocess" returns ok for request 74
>>modcall[authorize]: module "chap" returns noop for request 74
>>modcall[authorize]: module "mschap" returns noop for request 74
>>modcall[authorize]: module "digest" returns noop for request 74
>> rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
>>"1000(a)xx.xx.xx.xx"
>> rlm_realm: Found realm "xx.xx.xx.xx"
>> rlm_realm: Adding Stripped-User-Name = "1000"
>> rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
>> rlm_realm: Adding Realm = "xx.xx.xx.xx"
>> rlm_realm: Authentication realm is LOCAL.
>>modcall[authorize]: module "suffix" returns noop for request 74
>>rlm_eap: No EAP-Message, not doing EAP
>>modcall[authorize]: module "eap" returns noop for request 74
>> users: Matched entry DEFAULT at line 152
>> users: Matched entry DEFAULT at line 158
>>modcall[authorize]: module "files" returns ok for request 74
>>radius_xlat: '1000'
>>rlm_sql (sql): sql_set_user escaped user --> '1000'
>>rlm_sql (sql): Released sql socket id: 0
>>modcall[authorize]: module "sql" returns ok for request 74
>>modcall: group authorize returns ok for request 74
>>rad_check_password: Found Auth-Type Digest
>>auth: type "digest"
>>Processing the authenticate section of radiusd.conf
>>modcall: entering group authenticate for request 74
>>ERROR: No Digest-Nonce: Cannot perform Digest authentication
>>modcall[authenticate]: module "digest" returns invalid for request 74
>>modcall: group authenticate returns invalid for request 74
>>auth: Failed to validate the user.
>>Delaying request 74 for 1 seconds
>>Finished request 74
>>Going to the next request
>>--- Walking the entire request list ---
>>Waking up in 1 seconds...
>>--- Walking the entire request list ---
>>Waking up in 1 seconds...
>>--- Walking the entire request list ---
>>Sending Access-Reject of id 15 to xx.xx.xx.xx:33025
>> Reply-Message = "Authenticated"
>>Waking up in 4 seconds...
>>--- Walking the entire request list ---
>>Cleaning up request 74 ID 15 with timestamp 434f1121
>>Nothing to do. Sleeping until we see a request.
>>
>>
>>
>>
>>
>>Any help in this matter would be deeply appreciated,
>>
>>
>>
>>
>>Lenir
>>
>>
>>
>>
>>_______________________________________________
>>Serdev mailing list
>>Serdev(a)iptel.org
>>http://mail.iptel.org/mailman/listinfo/serdev
>>
>>
>>
>>
>>
>>
>
>
>
>
>_______________________________________________
>Serusers mailing list
>Serusers(a)iptel.org
>http://mail.iptel.org/mailman/listinfo/serusers
>
>
>_______________________________________________
>Serdev mailing list
>Serdev(a)iptel.org
>http://mail.iptel.org/mailman/listinfo/serdev
>
>
>
>
>
>
>
>
19 Oct
19 Oct
11:29 p.m.
New subject: [Serusers] RE: group_radius radius_is_user_in
I will try that as a workaround.
For the SER-DEVEL and OPENSER-DEVEL guys...can any of you comment on this?
Thanks
-----Original Message-----
From: Tavis P [mailto:tavis.lists@galaxytelecom.net]
Sent: Wednesday, October 19, 2005 4:40 PM
To: Lenir
Cc: users(a)openser.org; serusers(a)lists.iptel.org
Subject: Re: group_radius radius_is_user_in
I've never used the group_radius module so i'm not certain what it
expects from the radius server (its not well documented currently)
Although you may be able to optimize a bit and skip the
radius_is_user_in function call and simply pass the users group back as
an SIP-AVP attribute in the radreply table, and then check for that AVP
in the OpenSER script
What i've done is commented the group checking SQL from the freeradius
sql.conf file so that when a user authenticates or when an avp_radius
call is made only 2 SQL queries are sent, instead of the 4-5 used when
group check is enabled.
Try this, it should work and it will save you ~10 sql queries and a
radius request/response
Lenir wrote:
-
>---+
>| id | GroupName | Attribute | op | Value |
>prio |
>+----+-----------+---------------+----+----------------------------------+ -
-
>----+
>| 1 | Dialin | Reply-Message | = | "Authenticated by group Dialin" |
>0 |
>| 2 | Dialin2 | Reply-Message | = | "Authenticated by group Dialin2" |
>0 |
>| 3 | Dialin | SIP-AVP | = | Sip-Group:Dialin |
>0 |
>+----+-----------+---------------+----+----------------------------------+ -
-
>----+
>3 rows in set (0.00 sec)
>
>mysql> select * from radpostauth;
>Empty set (0.00 sec)
>
>
>
>Here's the debug, notice how it returns access-accept whether its in the
>right group or not. Shouldn't it return access-reject for group Dialin2?
>-----------------
>rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=152,
>length=66
> User-Name = "1000(a)xx.xx.xx.xx"
> Sip-Group = "Dialin"
> Service-Type = Group-Check
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
> Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 4
> modcall[authorize]: module "preprocess" returns ok for request 4
> modcall[authorize]: module "chap" returns noop for request 4
> modcall[authorize]: module "mschap" returns noop for request 4
> modcall[authorize]: module "digest" returns noop for request 4
> rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
>"1000(a)xx.xx.xx.xx"
> rlm_realm: Found realm "xx.xx.xx.xx"
> rlm_realm: Adding Stripped-User-Name = "1000"
> rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
> rlm_realm: Adding Realm = "xx.xx.xx.xx"
> rlm_realm: Authentication realm is LOCAL.
> modcall[authorize]: module "suffix" returns noop for request 4
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 4
> users: Matched entry DEFAULT at line 156
> users: Matched entry DEFAULT at line 161
> modcall[authorize]: module "files" returns ok for request 4
>radius_xlat: '1000'
>rlm_sql (sql): sql_set_user escaped user --> '1000'
>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
>radcheck WHERE Username = '1000' ORDER BY id'
>rlm_sql (sql): Reserving sql socket id: 0
>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
>FROM radcheck WHERE Username = '1000' ORDER BY id
>radius_xlat: 'SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupc h
e
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>rlm_sql_mysql: query: SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupc h
e
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id
>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
>radreply WHERE Username = '1000' ORDER BY id'
>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
>FROM radreply WHERE Username = '1000' ORDER BY id
>radius_xlat: 'SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupr e
p
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id'
>rlm_sql_mysql: query: SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupr e
p
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id
>rlm_sql (sql): Checking profile DEFAULT
>rlm_sql (sql): sql_set_user escaped user --> 'DEFAULT'
>radius_xlat: 'SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupc h
e
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>rlm_sql_mysql: query: SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupc h
e
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id
>radius_xlat: 'SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupr e
p
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id'
>rlm_sql_mysql: query: SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupr e
p
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id
>rlm_sql (sql): Released sql socket id: 0
> modcall[authorize]: module "sql" returns ok for request 4
>modcall: group authorize returns ok for request 4
> rad_check_password: Found Auth-Type None
> rad_check_password: Auth-Type = Accept, accepting the user
>radius_xlat: 'Authenticated by group Dialin'
>Sending Access-Accept of id 152 to xx.xx.xx.xx:33167
> Reply-Message = "Authenticated by group Dialin"
> SIP-AVP = "Sip-Group:Dialin"
>Finished request 4
>Going to the next request
>Waking up in 6 seconds...
>rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=153,
>length=67
> User-Name = "1000(a)xx.xx.xx.xx"
> Sip-Group = "Dialin2"
> Service-Type = Group-Check
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
> Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 5
> modcall[authorize]: module "preprocess" returns ok for request 5
> modcall[authorize]: module "chap" returns noop for request 5
> modcall[authorize]: module "mschap" returns noop for request 5
> modcall[authorize]: module "digest" returns noop for request 5
> rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
>"1000(a)xx.xx.xx.xx"
> rlm_realm: Found realm "xx.xx.xx.xx"
> rlm_realm: Adding Stripped-User-Name = "1000"
> rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
> rlm_realm: Adding Realm = "xx.xx.xx.xx"
> rlm_realm: Authentication realm is LOCAL.
> modcall[authorize]: module "suffix" returns noop for request 5
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 5
> users: Matched entry DEFAULT at line 156
> users: Matched entry DEFAULT at line 161
> modcall[authorize]: module "files" returns ok for request 5
>radius_xlat: '1000'
>rlm_sql (sql): sql_set_user escaped user --> '1000'
>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
>radcheck WHERE Username = '1000' ORDER BY id'
>rlm_sql (sql): Reserving sql socket id: 4
>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
>FROM radcheck WHERE Username = '1000' ORDER BY id
>radius_xlat: 'SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupc h
e
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>rlm_sql_mysql: query: SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupc h
e
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id
>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
>radreply WHERE Username = '1000' ORDER BY id'
>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
>FROM radreply WHERE Username = '1000' ORDER BY id
>radius_xlat: 'SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupr e
p
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id'
>rlm_sql_mysql: query: SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupr e
p
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id
>rlm_sql (sql): Checking profile DEFAULT
>rlm_sql (sql): sql_set_user escaped user --> 'DEFAULT'
>radius_xlat: 'SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupc h
e
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>rlm_sql_mysql: query: SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupc h
e
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id
>radius_xlat: 'SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupr e
p
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id'
>rlm_sql_mysql: query: SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupr e
p
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id
>rlm_sql (sql): Released sql socket id: 4
> modcall[authorize]: module "sql" returns ok for request 5
>modcall: group authorize returns ok for request 5
> rad_check_password: Found Auth-Type None
> rad_check_password: Auth-Type = Accept, accepting the user
>radius_xlat: 'Authenticated by group Dialin'
>Sending Access-Accept of id 153 to xx.xx.xx.xx:33167
> Reply-Message = "Authenticated by group Dialin"
> SIP-AVP = "Sip-Group:Dialin"
>Finished request 5
>
>-----Original Message-----
>From: Tavis P [mailto:tavis.lists@galaxytelecom.net]
>Sent: Friday, October 14, 2005 7:21 PM
>To: Lenir
>Cc: users(a)openser.org; serusers(a)lists.iptel.org
>Subject: Re: group_radius radius_is_user_in
>
>Ugh the subject line is getting really munged up ;P
>
>Hmmm, what does the output from "radiusd -X" look like for the exchange?
>
>
>Lenir wrote:
>
>
>
>>Tavis,
>>
>>Thanks for your input, that did fix the problem. I did have the "files"
>>before "sql" in radiusd.conf. Also I followed your advice about taking
out
in
-
-
-
I'm trying to use group_radius module to check if
the user is in a
particular radius group. I'm calling radius_is_user_in function to do this.
Here is the snippet in my config that calls that function:
route[2] {
# -----------------------------------------------------------------
# REGISTER Message Handler
# ----------------------------------------------------------------
sl_send_reply("100", "Trying");
if (!radius_www_authorize("")) {
xlog("L_INFO","$ci - $fu - User not authenticated, Radius
Authenticating...\n");
www_challenge("","0");
return;
} else {
xlog("L_INFO","$ci - $fu - User authenticated...\n");
};
if (radius_is_user_in("From", "Dialin")){
xlog("L_INFO","From: User is in Radius Group
Dialin!!!!\n");
} else {
xlog("L_INFO","From: User *IS NOT* Group
Dialin!!!!!\n");
};
if (radius_is_user_in("From", "Dialin2")){
xlog("L_INFO","From: User is in Radius Group
Dialin2!!!!\n");
} else {
xlog("L_INFO","From: User *IS NOT* Group
Dialin2!!!!!\n");
};
#if (!radius_check_to()) {
# sl_send_reply("401", "Unauthorized");
# return;
#};
consume_credentials();
if (!save("location")) {
sl_reply_error();
};
}
-----Original Message-----
From: Tavis P [mailto:tavis.lists@galaxytelecom.net]
Sent: Wednesday, October 19, 2005 3:59 PM
To: Lenir
Cc: users(a)openser.org; serusers(a)lists.iptel.org
Subject: Re: group_radius radius_is_user_in
Well either way the radius server is going to respond with an
"Access-Accept" because you have set the auth-type to "none" (which
is
necessary because you are not authenticating and can not provide the
necessary credentials).
-
From the trace you showed me below, i see two
radius requests both for
the user 1000 and both of which respond as i would expect.
I'm not what you are trying to accomplish, are you using the
group_radius module or just loading the group information using avp_radius?
Lenir wrote:
>This is my users file:
>
>DEFAULT Auth-Type = System
> Fall-Through = 1
>
>DEFAULT Service-Type == Call-Check, Auth-Type := None
>
>DEFAULT Service-Type == Group-Check, Auth-Type := None
>
>DEFAULT Service-Type == SIP-Session, Auth-Type := Digest
>
>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>
>DEFAULT Service-Type == SIP-Caller-AVPs, Auth-Type := None
>
>
>mysql> select * from radcheck;
>+----+----------+-----------+----+----------+
>| id | UserName | Attribute | op | Value |
>+----+----------+-----------+----+----------+
>| 1 | Jhassell | Password | == | changeme |
>| 2 | Rneis | Password | == | changeme |
>| 3 | 1000 | Password | == | 1000 |
>| 4 | 2000 | Password | == | 2000 |
>| 5 | 3000 | Password | == | 3000 |
>+----+----------+-----------+----+----------+
>5 rows in set (0.00 sec)
>
>mysql> select * from radreply;
>Empty set (0.00 sec)
>
>mysql> select * from usergroup;
>+----+----------+------------+
>| id | UserName | GroupName |
>+----+----------+------------+
>| 1 | Jhassell | Dialin |
>| 2 | Rneis | Staticdial |
>| 3 | 1000 | Dialin |
>| 4 | 2000 | Dialin |
>| 5 | 3000 | Dialin |
>| 6 | 3000 | Dialin2 |
>+----+----------+------------+
>6 rows in set (0.00 sec)
>
>mysql> select * from radgroupcheck;
>Empty set (0.00 sec)
>
>mysql> select * from radgroupreply;
>+----+-----------+---------------+----+----------------------------------+ >>"Auth-Type" out of mysql table and
let DEFAULT in users file do the
trick.
>
>
>>However it's semi-working.
>>
>>Accourding to the snippet from my ser.cfg file, now I get the following >stderr:
>0(4866) 000d2890-d47f0003-4a230347-53c6189b(a)yy.yy.yy.yy -
>sip:1000@xx.xx.xx.xx - User authenticated...
>0(4866) Credentials: User is in Radius Group Dialin!!!!
>0(4866) Credentials: User is in Radius Group Dialin2!!!!
>
>No matter which parameter I use for the function radius_is_user_in(), it
>always returns TRUE. When in fact it should return FALSE for Group
>
>
Dialin2.
>I've tried:
>
>if (radius_is_user_in("From", "Dialin2")){...
>if (radius_is_user_in("Credentials", "Dialin2")){...
>
>
>
>
>
>Here's what I did to fix future problems:
>
>EFAULT Auth-Type = System
> Fall-Through = 1
>
>DEFAULT Service-Type == Call-Check, Auth-Type := Digest
>
>DEFAULT Service-Type == Group-Check, Auth-Type := None
>
>DEFAULT Service-Type == SIP-Session, Auth-Type := Digest
>
>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>
>DEFAULT Service-Type == SIP-Caller-AVPs, Auth-Type := None
>
>
>Also, for those of you using the latest version of freeradius, you may
>
>
have
>>to comment out the following lines as they conflict with dictionary.ser
>>
>>
>>
>>
>(SER
>
>
>
>
>>CVS) and dictionary.sip (comes with radiusclient-NG)
>>
>>#VALUE Service-Type Voice 12
>>#VALUE Service-Type Fax 13
>>#VALUE Service-Type Modem-Relay 14
>>#VALUE Service-Type IAPP-Register 15
>>#VALUE Service-Type IAPP-AP-Check 16
>>
>>
>>Thanks,
>>
>>
>>Lenir
>>
>>
>>-----Original Message-----
>>From: serusers-bounces(a)iptel.org [mailto:serusers-bounces@lists.iptel.org] On
>>Behalf Of Tavis P
>>Sent: Friday, October 14, 2005 1:49 PM
>>To: lsantiago(a)globalgatewaycom.com
>>Cc: serdev(a)lists.iptel.org; serusers(a)lists.iptel.org; devel(a)openser.org;
>>users(a)openser.org
>>Subject: [Serusers] Re: [Serdev] group_radius radius_is_user_in
>>
>>Oops, i spoke too soon
>>
>>It looks like you have placed the "files" module before the
"sql" module
>>in your radiusd.conf
>>
>>Its matching your DEFAULT entry in files (setting the Auth-Type to none)
>>but the sql module is later changing the Auth-Type to "digest"
>>
>>Changing the order would solve this problem, as you want it to match the
>>SQL statement first and than the section in the files last (which
>>changes the Auth-Type)
>>
>>Also, you may want to reduce the load on your database by not setting
>>the Auth-Type in the database and instead setting in the users file with
>>a DEFAULT statement as (at least in my case) it isn't somthing that need
>>to be dynamic.
>>
>>lenirsantiago(a)yahoo.com wrote:
>>
>>
>>
>>
>>
>>
>>
>>>Hello list,
>>>
>>>I've been trying my hardest today to get group_radius to work, and its
>>>function radius_is_user_in().
>>>I'm running ser0.9.4 and freeradius 1.0.4 with the mysql backend and
>>>
>>>
>>>
>>>
>digest
>
>
>
>
>>>authentication.
>>>
>>>Radius authentication works fine.
>>>The problem is that when radius_is_user_in() function gets called, it
>>>
>>>
>>>
>>>
>sends
>
>
>
>
>>>a radius message but without the User-Password field and freeradius
>>>complains that it requires it since we are using Digest.
>>>I've seen a couple of posts here, but they were never answered:
>>>http://lists.iptel.org/pipermail/serusers/2005-March/017342.html
>>>http://lists.iptel.org/pipermail/serusers/2005-March/017075.html
>>>
>>>-----
>>>I have a small test in my ser.cfg file:
>>> if (!radius_www_authorize("")) {
>>> xlog("L_I","%ci - %fu - User not authenticated,
Radius
>>>Authenticating...\n");
>>> www_challenge("","0");
>>> break;
>>> } else {
>>> xlog("L_I","%ci - %fu - User
authenticated...\n");
>>> };
>>>
>>> if (radius_is_user_in("From", "Dialin")){
>>> xlog("L_I","From: User is in Radius Group
Dialin!!!!\n");
>>> } else {
>>> xlog("L_I","From: User *IS NOT* Group
Dialin!!!!!\n");
>>> };
>>>
>>> if (radius_is_user_in("Credentials", "Dialin2")){
>>> xlog("L_I","From: User is in Radius Group
Dialin2!!!!\n");
>>> } else {
>>> xlog("L_I","From: User *IS NOT* Group
Dialin2!!!!!\n");
>>> };
>>>
>>>-----
>>>In /etc/raddb/users file I have the following at line 152:
>>>DEFAULT Auth-Type = System
>>> Fall-Through = 1
>>>
>>>DEFAULT Service-Type == Group-Check, Auth-Type := None
>>>
>>>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>>>
>>>-----
>>>
>>>These are mysql tables:
>>>
>>>+----+----------+-----------+----+----------+
>>>| id | UserName | Attribute | op | Value |
>>>+----+----------+-----------+----+----------+
>>>| 1 | Jhassell | Password | == | changeme |
>>>| 2 | Rneis | Password | == | changeme |
>>>| 3 | 1000 | Password | == | 1000 |
>>>| 4 | 2000 | Password | == | 2000 |
>>>| 5 | 3000 | Password | == | 3000 |
>>>| 8 | 1000 | Auth-Type | := | Digest |
>>>+----+----------+-----------+----+----------+
>>>
>>>+----+-----------+-----------+----+--------+
>>>| id | GroupName | Attribute | op | Value |
>>>+----+-----------+-----------+----+--------+
>>>| 6 | Dialin | Auth-Type | := | Accept |
>>>+----+-----------+-----------+----+--------+
>>>
>>>+----+-----------+---------------+----+---------------------------------
>>
>>
+
>>>
>>>
>>
>>
>-
>
>
>
>
>>>
>>>
>>>
>>>
>>
>>
>>-
>>
>>
>>
>>
>>
>>
>>>----+
>>>| id | GroupName | Attribute | op | Value
>>
>>
|
>>>prio |
>>>+----+-----------+---------------+----+---------------------------------
>>
>>
+
>>>
>>>
>>
>>
>-
>
>
>
>
>>>
>>>
>>>
>>>
>>
>>
>>-
>>
>>
>>
>>
>>
>>
>>>----+
>>>| 1 | Dialin | Reply-Message | = | "Authenticated by group
Dialin"
>>
>>
|
>>>0 |
>>>| 2 | Dialin2 | Reply-Message | = | "Authenticated by group
Dialin2"
>>
>>
|
>>>0 |
>>>+----+-----------+---------------+----+---------------------------------
>>
>>
+
>>>
>>>
>>
>>
>-
>
>
>
>
>>>
>>>
>>>
>>>
>>
>>
>>-
>>
>>
>>
>>
>>
>>
>>>----+
>>>
>>>+----+----------+---------------+----+------------------+
>>>| id | UserName | Attribute | op | Value |
>>>+----+----------+---------------+----+------------------+
>>>| 1 | 1000 | Reply-Message | = | "Authenticated" |
>>>| 2 | 1000 | Sip-Group | = | Dialin |
>>>| 3 | 1000 | SIP-AVP | = | Sip-Group:Dialin |
>>>+----+----------+---------------+----+------------------+
>>>
>>>+----+----------+------------+
>>>| id | UserName | GroupName |
>>>+----+----------+------------+
>>>| 1 | Jhassell | Dialin |
>>>| 2 | Rneis | Staticdial |
>>>| 3 | 1000 | Dialin |
>>>| 4 | 2000 | Dialin |
>>>| 5 | 3000 | Dialin |
>>>| 6 | 3000 | Dialin2 |
>>>+----+----------+------------+
>>>
>>>------
>>>
>>>This is the debug I get from freeradius for the group check:
>>>
>>>rad_recv: Access-Request packet from host xx.xx.xx.xx:33025, id=15,
>>>length=67
>>> User-Name = "1000(a)xx.xx.xx.xx"
>>> Sip-Group = "Dialin2"
>>> Service-Type = Group-Check
>>> NAS-IP-Address = 127.0.0.1
>>> NAS-Port = 0
>>>Processing the authorize section of radiusd.conf
>>>modcall: entering group authorize for request 74
>>>modcall[authorize]: module "preprocess" returns ok for request 74
>>>modcall[authorize]: module "chap" returns noop for request 74
>>>modcall[authorize]: module "mschap" returns noop for request 74
>>>modcall[authorize]: module "digest" returns noop for request 74
>>> rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
>>>"1000(a)xx.xx.xx.xx"
>>> rlm_realm: Found realm "xx.xx.xx.xx"
>>> rlm_realm: Adding Stripped-User-Name = "1000"
>>> rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
>>> rlm_realm: Adding Realm = "xx.xx.xx.xx"
>>> rlm_realm: Authentication realm is LOCAL.
>>>modcall[authorize]: module "suffix" returns noop for request 74
>>>rlm_eap: No EAP-Message, not doing EAP
>>>modcall[authorize]: module "eap" returns noop for request 74
>>> users: Matched entry DEFAULT at line 152
>>> users: Matched entry DEFAULT at line 158
>>>modcall[authorize]: module "files" returns ok for request 74
>>>radius_xlat: '1000'
>>>rlm_sql (sql): sql_set_user escaped user --> '1000'
>>>rlm_sql (sql): Released sql socket id: 0
>>>modcall[authorize]: module "sql" returns ok for request 74
>>>modcall: group authorize returns ok for request 74
>>>rad_check_password: Found Auth-Type Digest
>>>auth: type "digest"
>>>Processing the authenticate section of radiusd.conf
>>>modcall: entering group authenticate for request 74
>>>ERROR: No Digest-Nonce: Cannot perform Digest authentication
>>>modcall[authenticate]: module "digest" returns invalid for request
74
>>>modcall: group authenticate returns invalid for request 74
>>>auth: Failed to validate the user.
>>>Delaying request 74 for 1 seconds
>>>Finished request 74
>>>Going to the next request
>>>--- Walking the entire request list ---
>>>Waking up in 1 seconds...
>>>--- Walking the entire request list ---
>>>Waking up in 1 seconds...
>>>--- Walking the entire request list ---
>>>Sending Access-Reject of id 15 to xx.xx.xx.xx:33025
>>> Reply-Message = "Authenticated"
>>>Waking up in 4 seconds...
>>>--- Walking the entire request list ---
>>>Cleaning up request 74 ID 15 with timestamp 434f1121
>>>Nothing to do. Sleeping until we see a request.
>>>
>>>
>>>
>>>
>>>
>>>Any help in this matter would be deeply appreciated,
>>>
>>>
>>>
>>>
>>>Lenir
>>>
>>>
>>>
>>>
>>>_______________________________________________
>>>Serdev mailing list
>>>serdev(a)lists.iptel.org
>>>http://lists.iptel.org/mailman/listinfo/serdev
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>_______________________________________________
>>Serusers mailing list
>>serusers(a)lists.iptel.org
>>http://lists.iptel.org/mailman/listinfo/serusers
>>
>>
>>_______________________________________________
>>Serdev mailing list
>>serdev(a)lists.iptel.org
>>http://lists.iptel.org/mailman/listinfo/serdev
>>
>>
>>
>>
>>
>>
>>
>>
>
>
>
>
>
>
11:29 p.m.
New subject: [Users] RE: group_radius radius_is_user_in
I will try that as a workaround.
For the SER-DEVEL and OPENSER-DEVEL guys...can any of you comment on this?
Thanks
-----Original Message-----
From: Tavis P [mailto:tavis.lists@galaxytelecom.net]
Sent: Wednesday, October 19, 2005 4:40 PM
To: Lenir
Cc: users(a)openser.org; serusers(a)iptel.org
Subject: Re: group_radius radius_is_user_in
I've never used the group_radius module so i'm not certain what it
expects from the radius server (its not well documented currently)
Although you may be able to optimize a bit and skip the
radius_is_user_in function call and simply pass the users group back as
an SIP-AVP attribute in the radreply table, and then check for that AVP
in the OpenSER script
What i've done is commented the group checking SQL from the freeradius
sql.conf file so that when a user authenticates or when an avp_radius
call is made only 2 SQL queries are sent, instead of the 4-5 used when
group check is enabled.
Try this, it should work and it will save you ~10 sql queries and a
radius request/response
Lenir wrote:
-
>---+
>| id | GroupName | Attribute | op | Value |
>prio |
>+----+-----------+---------------+----+----------------------------------+ -
-
>----+
>| 1 | Dialin | Reply-Message | = | "Authenticated by group Dialin" |
>0 |
>| 2 | Dialin2 | Reply-Message | = | "Authenticated by group Dialin2" |
>0 |
>| 3 | Dialin | SIP-AVP | = | Sip-Group:Dialin |
>0 |
>+----+-----------+---------------+----+----------------------------------+ -
-
>----+
>3 rows in set (0.00 sec)
>
>mysql> select * from radpostauth;
>Empty set (0.00 sec)
>
>
>
>Here's the debug, notice how it returns access-accept whether its in the
>right group or not. Shouldn't it return access-reject for group Dialin2?
>-----------------
>rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=152,
>length=66
> User-Name = "1000(a)xx.xx.xx.xx"
> Sip-Group = "Dialin"
> Service-Type = Group-Check
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
> Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 4
> modcall[authorize]: module "preprocess" returns ok for request 4
> modcall[authorize]: module "chap" returns noop for request 4
> modcall[authorize]: module "mschap" returns noop for request 4
> modcall[authorize]: module "digest" returns noop for request 4
> rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
>"1000(a)xx.xx.xx.xx"
> rlm_realm: Found realm "xx.xx.xx.xx"
> rlm_realm: Adding Stripped-User-Name = "1000"
> rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
> rlm_realm: Adding Realm = "xx.xx.xx.xx"
> rlm_realm: Authentication realm is LOCAL.
> modcall[authorize]: module "suffix" returns noop for request 4
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 4
> users: Matched entry DEFAULT at line 156
> users: Matched entry DEFAULT at line 161
> modcall[authorize]: module "files" returns ok for request 4
>radius_xlat: '1000'
>rlm_sql (sql): sql_set_user escaped user --> '1000'
>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
>radcheck WHERE Username = '1000' ORDER BY id'
>rlm_sql (sql): Reserving sql socket id: 0
>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
>FROM radcheck WHERE Username = '1000' ORDER BY id
>radius_xlat: 'SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupc h
e
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>rlm_sql_mysql: query: SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupc h
e
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id
>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
>radreply WHERE Username = '1000' ORDER BY id'
>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
>FROM radreply WHERE Username = '1000' ORDER BY id
>radius_xlat: 'SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupr e
p
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id'
>rlm_sql_mysql: query: SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupr e
p
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id
>rlm_sql (sql): Checking profile DEFAULT
>rlm_sql (sql): sql_set_user escaped user --> 'DEFAULT'
>radius_xlat: 'SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupc h
e
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>rlm_sql_mysql: query: SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupc h
e
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id
>radius_xlat: 'SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupr e
p
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id'
>rlm_sql_mysql: query: SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupr e
p
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id
>rlm_sql (sql): Released sql socket id: 0
> modcall[authorize]: module "sql" returns ok for request 4
>modcall: group authorize returns ok for request 4
> rad_check_password: Found Auth-Type None
> rad_check_password: Auth-Type = Accept, accepting the user
>radius_xlat: 'Authenticated by group Dialin'
>Sending Access-Accept of id 152 to xx.xx.xx.xx:33167
> Reply-Message = "Authenticated by group Dialin"
> SIP-AVP = "Sip-Group:Dialin"
>Finished request 4
>Going to the next request
>Waking up in 6 seconds...
>rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=153,
>length=67
> User-Name = "1000(a)xx.xx.xx.xx"
> Sip-Group = "Dialin2"
> Service-Type = Group-Check
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
> Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 5
> modcall[authorize]: module "preprocess" returns ok for request 5
> modcall[authorize]: module "chap" returns noop for request 5
> modcall[authorize]: module "mschap" returns noop for request 5
> modcall[authorize]: module "digest" returns noop for request 5
> rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
>"1000(a)xx.xx.xx.xx"
> rlm_realm: Found realm "xx.xx.xx.xx"
> rlm_realm: Adding Stripped-User-Name = "1000"
> rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
> rlm_realm: Adding Realm = "xx.xx.xx.xx"
> rlm_realm: Authentication realm is LOCAL.
> modcall[authorize]: module "suffix" returns noop for request 5
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 5
> users: Matched entry DEFAULT at line 156
> users: Matched entry DEFAULT at line 161
> modcall[authorize]: module "files" returns ok for request 5
>radius_xlat: '1000'
>rlm_sql (sql): sql_set_user escaped user --> '1000'
>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
>radcheck WHERE Username = '1000' ORDER BY id'
>rlm_sql (sql): Reserving sql socket id: 4
>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
>FROM radcheck WHERE Username = '1000' ORDER BY id
>radius_xlat: 'SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupc h
e
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>rlm_sql_mysql: query: SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupc h
e
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id
>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
>radreply WHERE Username = '1000' ORDER BY id'
>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
>FROM radreply WHERE Username = '1000' ORDER BY id
>radius_xlat: 'SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupr e
p
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id'
>rlm_sql_mysql: query: SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupr e
p
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = '1000' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id
>rlm_sql (sql): Checking profile DEFAULT
>rlm_sql (sql): sql_set_user escaped user --> 'DEFAULT'
>radius_xlat: 'SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupc h
e
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>rlm_sql_mysql: query: SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupc h
e
>ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupcheck.GroupName ORDER BY radgroupcheck.id
>radius_xlat: 'SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupr e
p
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id'
>rlm_sql_mysql: query: SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupr e
p
>ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>radgroupreply.GroupName ORDER BY radgroupreply.id
>rlm_sql (sql): Released sql socket id: 4
> modcall[authorize]: module "sql" returns ok for request 5
>modcall: group authorize returns ok for request 5
> rad_check_password: Found Auth-Type None
> rad_check_password: Auth-Type = Accept, accepting the user
>radius_xlat: 'Authenticated by group Dialin'
>Sending Access-Accept of id 153 to xx.xx.xx.xx:33167
> Reply-Message = "Authenticated by group Dialin"
> SIP-AVP = "Sip-Group:Dialin"
>Finished request 5
>
>-----Original Message-----
>From: Tavis P [mailto:tavis.lists@galaxytelecom.net]
>Sent: Friday, October 14, 2005 7:21 PM
>To: Lenir
>Cc: users(a)openser.org; serusers(a)iptel.org
>Subject: Re: group_radius radius_is_user_in
>
>Ugh the subject line is getting really munged up ;P
>
>Hmmm, what does the output from "radiusd -X" look like for the exchange?
>
>
>Lenir wrote:
>
>
>
>>Tavis,
>>
>>Thanks for your input, that did fix the problem. I did have the "files"
>>before "sql" in radiusd.conf. Also I followed your advice about taking
out
in
-
-
-
I'm trying to use group_radius module to check if
the user is in a
particular radius group. I'm calling radius_is_user_in function to do this.
Here is the snippet in my config that calls that function:
route[2] {
# -----------------------------------------------------------------
# REGISTER Message Handler
# ----------------------------------------------------------------
sl_send_reply("100", "Trying");
if (!radius_www_authorize("")) {
xlog("L_INFO","$ci - $fu - User not authenticated, Radius
Authenticating...\n");
www_challenge("","0");
return;
} else {
xlog("L_INFO","$ci - $fu - User authenticated...\n");
};
if (radius_is_user_in("From", "Dialin")){
xlog("L_INFO","From: User is in Radius Group
Dialin!!!!\n");
} else {
xlog("L_INFO","From: User *IS NOT* Group
Dialin!!!!!\n");
};
if (radius_is_user_in("From", "Dialin2")){
xlog("L_INFO","From: User is in Radius Group
Dialin2!!!!\n");
} else {
xlog("L_INFO","From: User *IS NOT* Group
Dialin2!!!!!\n");
};
#if (!radius_check_to()) {
# sl_send_reply("401", "Unauthorized");
# return;
#};
consume_credentials();
if (!save("location")) {
sl_reply_error();
};
}
-----Original Message-----
From: Tavis P [mailto:tavis.lists@galaxytelecom.net]
Sent: Wednesday, October 19, 2005 3:59 PM
To: Lenir
Cc: users(a)openser.org; serusers(a)iptel.org
Subject: Re: group_radius radius_is_user_in
Well either way the radius server is going to respond with an
"Access-Accept" because you have set the auth-type to "none" (which
is
necessary because you are not authenticating and can not provide the
necessary credentials).
-
From the trace you showed me below, i see two
radius requests both for
the user 1000 and both of which respond as i would expect.
I'm not what you are trying to accomplish, are you using the
group_radius module or just loading the group information using avp_radius?
Lenir wrote:
>This is my users file:
>
>DEFAULT Auth-Type = System
> Fall-Through = 1
>
>DEFAULT Service-Type == Call-Check, Auth-Type := None
>
>DEFAULT Service-Type == Group-Check, Auth-Type := None
>
>DEFAULT Service-Type == SIP-Session, Auth-Type := Digest
>
>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>
>DEFAULT Service-Type == SIP-Caller-AVPs, Auth-Type := None
>
>
>mysql> select * from radcheck;
>+----+----------+-----------+----+----------+
>| id | UserName | Attribute | op | Value |
>+----+----------+-----------+----+----------+
>| 1 | Jhassell | Password | == | changeme |
>| 2 | Rneis | Password | == | changeme |
>| 3 | 1000 | Password | == | 1000 |
>| 4 | 2000 | Password | == | 2000 |
>| 5 | 3000 | Password | == | 3000 |
>+----+----------+-----------+----+----------+
>5 rows in set (0.00 sec)
>
>mysql> select * from radreply;
>Empty set (0.00 sec)
>
>mysql> select * from usergroup;
>+----+----------+------------+
>| id | UserName | GroupName |
>+----+----------+------------+
>| 1 | Jhassell | Dialin |
>| 2 | Rneis | Staticdial |
>| 3 | 1000 | Dialin |
>| 4 | 2000 | Dialin |
>| 5 | 3000 | Dialin |
>| 6 | 3000 | Dialin2 |
>+----+----------+------------+
>6 rows in set (0.00 sec)
>
>mysql> select * from radgroupcheck;
>Empty set (0.00 sec)
>
>mysql> select * from radgroupreply;
>+----+-----------+---------------+----+----------------------------------+ >>"Auth-Type" out of mysql table and
let DEFAULT in users file do the
trick.
>
>
>>However it's semi-working.
>>
>>Accourding to the snippet from my ser.cfg file, now I get the following >stderr:
>0(4866) 000d2890-d47f0003-4a230347-53c6189b(a)yy.yy.yy.yy -
>sip:1000@xx.xx.xx.xx - User authenticated...
>0(4866) Credentials: User is in Radius Group Dialin!!!!
>0(4866) Credentials: User is in Radius Group Dialin2!!!!
>
>No matter which parameter I use for the function radius_is_user_in(), it
>always returns TRUE. When in fact it should return FALSE for Group
>
>
Dialin2.
>I've tried:
>
>if (radius_is_user_in("From", "Dialin2")){...
>if (radius_is_user_in("Credentials", "Dialin2")){...
>
>
>
>
>
>Here's what I did to fix future problems:
>
>EFAULT Auth-Type = System
> Fall-Through = 1
>
>DEFAULT Service-Type == Call-Check, Auth-Type := Digest
>
>DEFAULT Service-Type == Group-Check, Auth-Type := None
>
>DEFAULT Service-Type == SIP-Session, Auth-Type := Digest
>
>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>
>DEFAULT Service-Type == SIP-Caller-AVPs, Auth-Type := None
>
>
>Also, for those of you using the latest version of freeradius, you may
>
>
have
>>to comment out the following lines as they conflict with dictionary.ser
>>
>>
>>
>>
>(SER
>
>
>
>
>>CVS) and dictionary.sip (comes with radiusclient-NG)
>>
>>#VALUE Service-Type Voice 12
>>#VALUE Service-Type Fax 13
>>#VALUE Service-Type Modem-Relay 14
>>#VALUE Service-Type IAPP-Register 15
>>#VALUE Service-Type IAPP-AP-Check 16
>>
>>
>>Thanks,
>>
>>
>>Lenir
>>
>>
>>-----Original Message-----
>>From: serusers-bounces(a)iptel.org [mailto:serusers-bounces@iptel.org] On
>>Behalf Of Tavis P
>>Sent: Friday, October 14, 2005 1:49 PM
>>To: lsantiago(a)globalgatewaycom.com
>>Cc: serdev(a)iptel.org; serusers(a)iptel.org; devel(a)openser.org;
>>users(a)openser.org
>>Subject: [Serusers] Re: [Serdev] group_radius radius_is_user_in
>>
>>Oops, i spoke too soon
>>
>>It looks like you have placed the "files" module before the
"sql" module
>>in your radiusd.conf
>>
>>Its matching your DEFAULT entry in files (setting the Auth-Type to none)
>>but the sql module is later changing the Auth-Type to "digest"
>>
>>Changing the order would solve this problem, as you want it to match the
>>SQL statement first and than the section in the files last (which
>>changes the Auth-Type)
>>
>>Also, you may want to reduce the load on your database by not setting
>>the Auth-Type in the database and instead setting in the users file with
>>a DEFAULT statement as (at least in my case) it isn't somthing that need
>>to be dynamic.
>>
>>lenirsantiago(a)yahoo.com wrote:
>>
>>
>>
>>
>>
>>
>>
>>>Hello list,
>>>
>>>I've been trying my hardest today to get group_radius to work, and its
>>>function radius_is_user_in().
>>>I'm running ser0.9.4 and freeradius 1.0.4 with the mysql backend and
>>>
>>>
>>>
>>>
>digest
>
>
>
>
>>>authentication.
>>>
>>>Radius authentication works fine.
>>>The problem is that when radius_is_user_in() function gets called, it
>>>
>>>
>>>
>>>
>sends
>
>
>
>
>>>a radius message but without the User-Password field and freeradius
>>>complains that it requires it since we are using Digest.
>>>I've seen a couple of posts here, but they were never answered:
>>>http://mail.iptel.org/pipermail/serusers/2005-March/017342.html
>>>http://mail.iptel.org/pipermail/serusers/2005-March/017075.html
>>>
>>>-----
>>>I have a small test in my ser.cfg file:
>>> if (!radius_www_authorize("")) {
>>> xlog("L_I","%ci - %fu - User not authenticated,
Radius
>>>Authenticating...\n");
>>> www_challenge("","0");
>>> break;
>>> } else {
>>> xlog("L_I","%ci - %fu - User
authenticated...\n");
>>> };
>>>
>>> if (radius_is_user_in("From", "Dialin")){
>>> xlog("L_I","From: User is in Radius Group
Dialin!!!!\n");
>>> } else {
>>> xlog("L_I","From: User *IS NOT* Group
Dialin!!!!!\n");
>>> };
>>>
>>> if (radius_is_user_in("Credentials", "Dialin2")){
>>> xlog("L_I","From: User is in Radius Group
Dialin2!!!!\n");
>>> } else {
>>> xlog("L_I","From: User *IS NOT* Group
Dialin2!!!!!\n");
>>> };
>>>
>>>-----
>>>In /etc/raddb/users file I have the following at line 152:
>>>DEFAULT Auth-Type = System
>>> Fall-Through = 1
>>>
>>>DEFAULT Service-Type == Group-Check, Auth-Type := None
>>>
>>>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>>>
>>>-----
>>>
>>>These are mysql tables:
>>>
>>>+----+----------+-----------+----+----------+
>>>| id | UserName | Attribute | op | Value |
>>>+----+----------+-----------+----+----------+
>>>| 1 | Jhassell | Password | == | changeme |
>>>| 2 | Rneis | Password | == | changeme |
>>>| 3 | 1000 | Password | == | 1000 |
>>>| 4 | 2000 | Password | == | 2000 |
>>>| 5 | 3000 | Password | == | 3000 |
>>>| 8 | 1000 | Auth-Type | := | Digest |
>>>+----+----------+-----------+----+----------+
>>>
>>>+----+-----------+-----------+----+--------+
>>>| id | GroupName | Attribute | op | Value |
>>>+----+-----------+-----------+----+--------+
>>>| 6 | Dialin | Auth-Type | := | Accept |
>>>+----+-----------+-----------+----+--------+
>>>
>>>+----+-----------+---------------+----+---------------------------------
>>
>>
+
>>>
>>>
>>
>>
>-
>
>
>
>
>>>
>>>
>>>
>>>
>>
>>
>>-
>>
>>
>>
>>
>>
>>
>>>----+
>>>| id | GroupName | Attribute | op | Value
>>
>>
|
>>>prio |
>>>+----+-----------+---------------+----+---------------------------------
>>
>>
+
>>>
>>>
>>
>>
>-
>
>
>
>
>>>
>>>
>>>
>>>
>>
>>
>>-
>>
>>
>>
>>
>>
>>
>>>----+
>>>| 1 | Dialin | Reply-Message | = | "Authenticated by group
Dialin"
>>
>>
|
>>>0 |
>>>| 2 | Dialin2 | Reply-Message | = | "Authenticated by group
Dialin2"
>>
>>
|
>>>0 |
>>>+----+-----------+---------------+----+---------------------------------
>>
>>
+
>>>
>>>
>>
>>
>-
>
>
>
>
>>>
>>>
>>>
>>>
>>
>>
>>-
>>
>>
>>
>>
>>
>>
>>>----+
>>>
>>>+----+----------+---------------+----+------------------+
>>>| id | UserName | Attribute | op | Value |
>>>+----+----------+---------------+----+------------------+
>>>| 1 | 1000 | Reply-Message | = | "Authenticated" |
>>>| 2 | 1000 | Sip-Group | = | Dialin |
>>>| 3 | 1000 | SIP-AVP | = | Sip-Group:Dialin |
>>>+----+----------+---------------+----+------------------+
>>>
>>>+----+----------+------------+
>>>| id | UserName | GroupName |
>>>+----+----------+------------+
>>>| 1 | Jhassell | Dialin |
>>>| 2 | Rneis | Staticdial |
>>>| 3 | 1000 | Dialin |
>>>| 4 | 2000 | Dialin |
>>>| 5 | 3000 | Dialin |
>>>| 6 | 3000 | Dialin2 |
>>>+----+----------+------------+
>>>
>>>------
>>>
>>>This is the debug I get from freeradius for the group check:
>>>
>>>rad_recv: Access-Request packet from host xx.xx.xx.xx:33025, id=15,
>>>length=67
>>> User-Name = "1000(a)xx.xx.xx.xx"
>>> Sip-Group = "Dialin2"
>>> Service-Type = Group-Check
>>> NAS-IP-Address = 127.0.0.1
>>> NAS-Port = 0
>>>Processing the authorize section of radiusd.conf
>>>modcall: entering group authorize for request 74
>>>modcall[authorize]: module "preprocess" returns ok for request 74
>>>modcall[authorize]: module "chap" returns noop for request 74
>>>modcall[authorize]: module "mschap" returns noop for request 74
>>>modcall[authorize]: module "digest" returns noop for request 74
>>> rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
>>>"1000(a)xx.xx.xx.xx"
>>> rlm_realm: Found realm "xx.xx.xx.xx"
>>> rlm_realm: Adding Stripped-User-Name = "1000"
>>> rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
>>> rlm_realm: Adding Realm = "xx.xx.xx.xx"
>>> rlm_realm: Authentication realm is LOCAL.
>>>modcall[authorize]: module "suffix" returns noop for request 74
>>>rlm_eap: No EAP-Message, not doing EAP
>>>modcall[authorize]: module "eap" returns noop for request 74
>>> users: Matched entry DEFAULT at line 152
>>> users: Matched entry DEFAULT at line 158
>>>modcall[authorize]: module "files" returns ok for request 74
>>>radius_xlat: '1000'
>>>rlm_sql (sql): sql_set_user escaped user --> '1000'
>>>rlm_sql (sql): Released sql socket id: 0
>>>modcall[authorize]: module "sql" returns ok for request 74
>>>modcall: group authorize returns ok for request 74
>>>rad_check_password: Found Auth-Type Digest
>>>auth: type "digest"
>>>Processing the authenticate section of radiusd.conf
>>>modcall: entering group authenticate for request 74
>>>ERROR: No Digest-Nonce: Cannot perform Digest authentication
>>>modcall[authenticate]: module "digest" returns invalid for request
74
>>>modcall: group authenticate returns invalid for request 74
>>>auth: Failed to validate the user.
>>>Delaying request 74 for 1 seconds
>>>Finished request 74
>>>Going to the next request
>>>--- Walking the entire request list ---
>>>Waking up in 1 seconds...
>>>--- Walking the entire request list ---
>>>Waking up in 1 seconds...
>>>--- Walking the entire request list ---
>>>Sending Access-Reject of id 15 to xx.xx.xx.xx:33025
>>> Reply-Message = "Authenticated"
>>>Waking up in 4 seconds...
>>>--- Walking the entire request list ---
>>>Cleaning up request 74 ID 15 with timestamp 434f1121
>>>Nothing to do. Sleeping until we see a request.
>>>
>>>
>>>
>>>
>>>
>>>Any help in this matter would be deeply appreciated,
>>>
>>>
>>>
>>>
>>>Lenir
>>>
>>>
>>>
>>>
>>>_______________________________________________
>>>Serdev mailing list
>>>Serdev(a)iptel.org
>>>http://mail.iptel.org/mailman/listinfo/serdev
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>_______________________________________________
>>Serusers mailing list
>>Serusers(a)iptel.org
>>http://mail.iptel.org/mailman/listinfo/serusers
>>
>>
>>_______________________________________________
>>Serdev mailing list
>>Serdev(a)iptel.org
>>http://mail.iptel.org/mailman/listinfo/serdev
>>
>>
>>
>>
>>
>>
>>
>>
>
>
>
>
>
>
6965
days inactive
6965
days old
2 comments
2 participants
participants (2)
-
Lenir -
Tavis P