[Devel] Re: [Serdev] RE: group_radius radius_is_user_in
Greger V. Teigre
greger at teigre.com
Mon Oct 24 07:18:56 CEST 2005
I think it's Juha who maintains it, possibly Jan? I'm not sure how many
people actually use it, though. You get one RADIUS request per call to
radius_is_user_in(). After avpairs were introduced, you will
scalability-wise (as suggested) be better off with returning SIP-AVP.
g-)
----- Original Message -----
From: "Lenir" <lenirsantiago at yahoo.com>
To: <devel at openser.org>
Cc: <serdev at iptel.org>
Sent: Monday, October 24, 2005 04:14 AM
Subject: RE: [Serdev] RE: group_radius radius_is_user_in
> Any comments? Suggestions? Thoughts?
>
> Thanks,
>
> Lenir
>
> -----Original Message-----
> From: serdev-bounces at iptel.org [mailto:serdev-bounces at iptel.org] On Behalf
> Of Lenir
> Sent: Thursday, October 20, 2005 6:54 PM
> To: devel at openser.org
> Cc: serdev at iptel.org
> Subject: RE: [Serdev] RE: group_radius radius_is_user_in
>
> Can any of you comment on this? Is the group_radius module still being
> supported?
>
> Thanks in advance
>
>
> Lenir
>
> -----Original Message-----
> From: serdev-bounces at iptel.org [mailto:serdev-bounces at iptel.org] On Behalf
> Of Lenir
> Sent: Wednesday, October 19, 2005 5:30 PM
> To: 'Tavis P'
> Cc: serdev at iptel.org; serusers at iptel.org; devel at openser.org;
> users at openser.org
> Subject: [Serdev] RE: group_radius radius_is_user_in
>
> I will try that as a workaround.
>
> For the SER-DEVEL and OPENSER-DEVEL guys...can any of you comment on this?
>
> Thanks
>
> -----Original Message-----
> From: Tavis P [mailto:tavis.lists at galaxytelecom.net]
> Sent: Wednesday, October 19, 2005 4:40 PM
> To: Lenir
> Cc: users at openser.org; serusers at iptel.org
> Subject: Re: group_radius radius_is_user_in
>
> I've never used the group_radius module so I'm not certain what it
> expects from the radius server (it's not well documented currently)
>
> Although you may be able to optimize a bit and skip the
> radius_is_user_in function call and simply pass the user's group back as
> a SIP-AVP attribute in the radreply table, and then check for that AVP
> in the OpenSER script
>
> What I've done is comment out the group checking SQL from the freeradius
> sql.conf file so that when a user authenticates or when an avp_radius
> call is made only 2 SQL queries are sent, instead of the 4-5 used when
> group check is enabled.
>
> Try this, it should work and it will save you ~10 sql queries and a
> radius request/response
>
>
> Lenir wrote:
>
>>I'm trying to use group_radius module to check if the user is in a
>>particular radius group. I'm calling radius_is_user_in function to do
>>this.
>>Here is the snippet in my config that calls that function:
>>
>>route[2] {
>>
>>    # -----------------------------------------------------------------
>>    # REGISTER Message Handler
>>    # -----------------------------------------------------------------
>>    sl_send_reply("100", "Trying");
>>
>>    if (!radius_www_authorize("")) {
>>        xlog("L_INFO","$ci - $fu - User not authenticated, Radius Authenticating...\n");
>>        www_challenge("","0");
>>        return;
>>    } else {
>>        xlog("L_INFO","$ci - $fu - User authenticated...\n");
>>    };
>>
>>    if (radius_is_user_in("From", "Dialin")){
>>        xlog("L_INFO","From: User is in Radius Group Dialin!!!!\n");
>>    } else {
>>        xlog("L_INFO","From: User *IS NOT* Group Dialin!!!!!\n");
>>    };
>>
>>    if (radius_is_user_in("From", "Dialin2")){
>>        xlog("L_INFO","From: User is in Radius Group Dialin2!!!!\n");
>>    } else {
>>        xlog("L_INFO","From: User *IS NOT* Group Dialin2!!!!!\n");
>>    };
>>
>>    #if (!radius_check_to()) {
>>    #    sl_send_reply("401", "Unauthorized");
>>    #    return;
>>    #};
>>
>>    consume_credentials();
>>
>>    if (!save("location")) {
>>        sl_reply_error();
>>    };
>>}
>>
>>
>>-----Original Message-----
>>From: Tavis P [mailto:tavis.lists at galaxytelecom.net]
>>Sent: Wednesday, October 19, 2005 3:59 PM
>>To: Lenir
>>Cc: users at openser.org; serusers at iptel.org
>>Subject: Re: group_radius radius_is_user_in
>>
>>Well either way the radius server is going to respond with an
>>"Access-Accept" because you have set the auth-type to "none" (which is
>>necessary because you are not authenticating and can not provide the
>>necessary credentials).
>>
>>From the trace you showed me below, I see two radius requests both for
>>the user 1000 and both of which respond as I would expect.
>>
>>I'm not sure what you are trying to accomplish, are you using the
>>group_radius module or just loading the group information using
>>avp_radius?
>>
>>
>>Lenir wrote:
>>
>>>This is my users file:
>>>
>>>DEFAULT Auth-Type = System
>>> Fall-Through = 1
>>>
>>>DEFAULT Service-Type == Call-Check, Auth-Type := None
>>>
>>>DEFAULT Service-Type == Group-Check, Auth-Type := None
>>>
>>>DEFAULT Service-Type == SIP-Session, Auth-Type := Digest
>>>
>>>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>>>
>>>DEFAULT Service-Type == SIP-Caller-AVPs, Auth-Type := None
>>>
>>>
>>>mysql> select * from radcheck;
>>>+----+----------+-----------+----+----------+
>>>| id | UserName | Attribute | op | Value |
>>>+----+----------+-----------+----+----------+
>>>| 1 | Jhassell | Password | == | changeme |
>>>| 2 | Rneis | Password | == | changeme |
>>>| 3 | 1000 | Password | == | 1000 |
>>>| 4 | 2000 | Password | == | 2000 |
>>>| 5 | 3000 | Password | == | 3000 |
>>>+----+----------+-----------+----+----------+
>>>5 rows in set (0.00 sec)
>>>
>>>mysql> select * from radreply;
>>>Empty set (0.00 sec)
>>>
>>>mysql> select * from usergroup;
>>>+----+----------+------------+
>>>| id | UserName | GroupName |
>>>+----+----------+------------+
>>>| 1 | Jhassell | Dialin |
>>>| 2 | Rneis | Staticdial |
>>>| 3 | 1000 | Dialin |
>>>| 4 | 2000 | Dialin |
>>>| 5 | 3000 | Dialin |
>>>| 6 | 3000 | Dialin2 |
>>>+----+----------+------------+
>>>6 rows in set (0.00 sec)
>>>
>>>mysql> select * from radgroupcheck;
>>>Empty set (0.00 sec)
>>>
>>>mysql> select * from radgroupreply;
>>>+----+-----------+---------------+----+----------------------------------+------+
>>>| id | GroupName | Attribute     | op | Value                            | prio |
>>>+----+-----------+---------------+----+----------------------------------+------+
>>>|  1 | Dialin    | Reply-Message | =  | "Authenticated by group Dialin"  |    0 |
>>>|  2 | Dialin2   | Reply-Message | =  | "Authenticated by group Dialin2" |    0 |
>>>|  3 | Dialin    | SIP-AVP       | =  | Sip-Group:Dialin                 |    0 |
>>>+----+-----------+---------------+----+----------------------------------+------+
>>>3 rows in set (0.00 sec)
>>>
>>>mysql> select * from radpostauth;
>>>Empty set (0.00 sec)
>>>
>>>
>>>
>>>Here's the debug, notice how it returns access-accept whether it's in the
>>>right group or not. Shouldn't it return access-reject for group Dialin2?
>>>-----------------
>>>rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=152,
>>>length=66
>>> User-Name = "1000 at xx.xx.xx.xx"
>>> Sip-Group = "Dialin"
>>> Service-Type = Group-Check
>>> NAS-IP-Address = 127.0.0.1
>>> NAS-Port = 0
>>> Processing the authorize section of radiusd.conf
>>>modcall: entering group authorize for request 4
>>> modcall[authorize]: module "preprocess" returns ok for request 4
>>> modcall[authorize]: module "chap" returns noop for request 4
>>> modcall[authorize]: module "mschap" returns noop for request 4
>>> modcall[authorize]: module "digest" returns noop for request 4
>>> rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
>>>"1000 at xx.xx.xx.xx"
>>> rlm_realm: Found realm "xx.xx.xx.xx"
>>> rlm_realm: Adding Stripped-User-Name = "1000"
>>> rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
>>> rlm_realm: Adding Realm = "xx.xx.xx.xx"
>>> rlm_realm: Authentication realm is LOCAL.
>>> modcall[authorize]: module "suffix" returns noop for request 4
>>> rlm_eap: No EAP-Message, not doing EAP
>>> modcall[authorize]: module "eap" returns noop for request 4
>>> users: Matched entry DEFAULT at line 156
>>> users: Matched entry DEFAULT at line 161
>>> modcall[authorize]: module "files" returns ok for request 4
>>>radius_xlat: '1000'
>>>rlm_sql (sql): sql_set_user escaped user --> '1000'
>>>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
>>>radcheck WHERE Username = '1000' ORDER BY id'
>>>rlm_sql (sql): Reserving sql socket id: 0
>>>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
>>>FROM radcheck WHERE Username = '1000' ORDER BY id
>>>radius_xlat: 'SELECT
>>>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
>>>FROM radgroupcheck,usergroup WHERE
>>>usergroup.Username = '1000' AND usergroup.GroupName =
>>>radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>>>rlm_sql_mysql: query: SELECT
>>>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
>>>FROM radgroupcheck,usergroup WHERE
>>>usergroup.Username = '1000' AND usergroup.GroupName =
>>>radgroupcheck.GroupName ORDER BY radgroupcheck.id
>>>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
>>>radreply WHERE Username = '1000' ORDER BY id'
>>>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
>>>FROM radreply WHERE Username = '1000' ORDER BY id
>>>radius_xlat: 'SELECT
>>>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
>>>FROM radgroupreply,usergroup WHERE
>>>usergroup.Username = '1000' AND usergroup.GroupName =
>>>radgroupreply.GroupName ORDER BY radgroupreply.id'
>>>rlm_sql_mysql: query: SELECT
>>>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
>>>FROM radgroupreply,usergroup WHERE
>>>usergroup.Username = '1000' AND usergroup.GroupName =
>>>radgroupreply.GroupName ORDER BY radgroupreply.id
>>>rlm_sql (sql): Checking profile DEFAULT
>>>rlm_sql (sql): sql_set_user escaped user --> 'DEFAULT'
>>>radius_xlat: 'SELECT
>>>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
>>>FROM radgroupcheck,usergroup WHERE
>>>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>>>radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>>>rlm_sql_mysql: query: SELECT
>>>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
>>>FROM radgroupcheck,usergroup WHERE
>>>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>>>radgroupcheck.GroupName ORDER BY radgroupcheck.id
>>>radius_xlat: 'SELECT
>>>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
>>>FROM radgroupreply,usergroup WHERE
>>>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>>>radgroupreply.GroupName ORDER BY radgroupreply.id'
>>>rlm_sql_mysql: query: SELECT
>>>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
>>>FROM radgroupreply,usergroup WHERE
>>>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>>>radgroupreply.GroupName ORDER BY radgroupreply.id
>>>rlm_sql (sql): Released sql socket id: 0
>>> modcall[authorize]: module "sql" returns ok for request 4
>>>modcall: group authorize returns ok for request 4
>>> rad_check_password: Found Auth-Type None
>>> rad_check_password: Auth-Type = Accept, accepting the user
>>>radius_xlat: 'Authenticated by group Dialin'
>>>Sending Access-Accept of id 152 to xx.xx.xx.xx:33167
>>> Reply-Message = "Authenticated by group Dialin"
>>> SIP-AVP = "Sip-Group:Dialin"
>>>Finished request 4
>>>Going to the next request
>>>Waking up in 6 seconds...
>>>rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=153,
>>>length=67
>>> User-Name = "1000 at xx.xx.xx.xx"
>>> Sip-Group = "Dialin2"
>>> Service-Type = Group-Check
>>> NAS-IP-Address = 127.0.0.1
>>> NAS-Port = 0
>>> Processing the authorize section of radiusd.conf
>>>modcall: entering group authorize for request 5
>>> modcall[authorize]: module "preprocess" returns ok for request 5
>>> modcall[authorize]: module "chap" returns noop for request 5
>>> modcall[authorize]: module "mschap" returns noop for request 5
>>> modcall[authorize]: module "digest" returns noop for request 5
>>> rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
>>>"1000 at xx.xx.xx.xx"
>>> rlm_realm: Found realm "xx.xx.xx.xx"
>>> rlm_realm: Adding Stripped-User-Name = "1000"
>>> rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
>>> rlm_realm: Adding Realm = "xx.xx.xx.xx"
>>> rlm_realm: Authentication realm is LOCAL.
>>> modcall[authorize]: module "suffix" returns noop for request 5
>>> rlm_eap: No EAP-Message, not doing EAP
>>> modcall[authorize]: module "eap" returns noop for request 5
>>> users: Matched entry DEFAULT at line 156
>>> users: Matched entry DEFAULT at line 161
>>> modcall[authorize]: module "files" returns ok for request 5
>>>radius_xlat: '1000'
>>>rlm_sql (sql): sql_set_user escaped user --> '1000'
>>>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
>>>radcheck WHERE Username = '1000' ORDER BY id'
>>>rlm_sql (sql): Reserving sql socket id: 4
>>>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
>>>FROM radcheck WHERE Username = '1000' ORDER BY id
>>>radius_xlat: 'SELECT
>>>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
>>>FROM radgroupcheck,usergroup WHERE
>>>usergroup.Username = '1000' AND usergroup.GroupName =
>>>radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>>>rlm_sql_mysql: query: SELECT
>>>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
>>>FROM radgroupcheck,usergroup WHERE
>>>usergroup.Username = '1000' AND usergroup.GroupName =
>>>radgroupcheck.GroupName ORDER BY radgroupcheck.id
>>>radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
>>>radreply WHERE Username = '1000' ORDER BY id'
>>>rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
>>>FROM radreply WHERE Username = '1000' ORDER BY id
>>>radius_xlat: 'SELECT
>>>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
>>>FROM radgroupreply,usergroup WHERE
>>>usergroup.Username = '1000' AND usergroup.GroupName =
>>>radgroupreply.GroupName ORDER BY radgroupreply.id'
>>>rlm_sql_mysql: query: SELECT
>>>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
>>>FROM radgroupreply,usergroup WHERE
>>>usergroup.Username = '1000' AND usergroup.GroupName =
>>>radgroupreply.GroupName ORDER BY radgroupreply.id
>>>rlm_sql (sql): Checking profile DEFAULT
>>>rlm_sql (sql): sql_set_user escaped user --> 'DEFAULT'
>>>radius_xlat: 'SELECT
>>>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
>>>FROM radgroupcheck,usergroup WHERE
>>>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>>>radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>>>rlm_sql_mysql: query: SELECT
>>>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
>>>FROM radgroupcheck,usergroup WHERE
>>>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>>>radgroupcheck.GroupName ORDER BY radgroupcheck.id
>>>radius_xlat: 'SELECT
>>>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
>>>FROM radgroupreply,usergroup WHERE
>>>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>>>radgroupreply.GroupName ORDER BY radgroupreply.id'
>>>rlm_sql_mysql: query: SELECT
>>>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
>>>FROM radgroupreply,usergroup WHERE
>>>usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
>>>radgroupreply.GroupName ORDER BY radgroupreply.id
>>>rlm_sql (sql): Released sql socket id: 4
>>> modcall[authorize]: module "sql" returns ok for request 5
>>>modcall: group authorize returns ok for request 5
>>> rad_check_password: Found Auth-Type None
>>> rad_check_password: Auth-Type = Accept, accepting the user
>>>radius_xlat: 'Authenticated by group Dialin'
>>>Sending Access-Accept of id 153 to xx.xx.xx.xx:33167
>>> Reply-Message = "Authenticated by group Dialin"
>>> SIP-AVP = "Sip-Group:Dialin"
>>>Finished request 5
>>>
>>>-----Original Message-----
>>>From: Tavis P [mailto:tavis.lists at galaxytelecom.net]
>>>Sent: Friday, October 14, 2005 7:21 PM
>>>To: Lenir
>>>Cc: users at openser.org; serusers at iptel.org
>>>Subject: Re: group_radius radius_is_user_in
>>>
>>>Ugh the subject line is getting really munged up ;P
>>>
>>>Hmmm, what does the output from "radiusd -X" look like for the exchange?
>>>
>>>
>>>Lenir wrote:
>>>
>>>>Tavis,
>>>>
>>>>Thanks for your input, that did fix the problem. I did have the "files"
>>>>before "sql" in radiusd.conf. Also I followed your advice about taking out
>>>>"Auth-Type" out of mysql table and let DEFAULT in users file do the trick.
>>>>
>>>>However it's semi-working.
>>>>
>>>>According to the snippet from my ser.cfg file, now I get the following in
>>>>stderr:
>>>>0(4866) 000d2890-d47f0003-4a230347-53c6189b at yy.yy.yy.yy -
>>>>sip:1000 at xx.xx.xx.xx - User authenticated...
>>>>0(4866) Credentials: User is in Radius Group Dialin!!!!
>>>>0(4866) Credentials: User is in Radius Group Dialin2!!!!
>>>>
>>>>No matter which parameter I use for the function radius_is_user_in(), it
>>>>always returns TRUE. When in fact it should return FALSE for Group Dialin2.
>>>>
>>>>I've tried:
>>>>
>>>>if (radius_is_user_in("From", "Dialin2")){...
>>>>if (radius_is_user_in("Credentials", "Dialin2")){...
>>>>
>>>>Here's what I did to fix future problems:
>>>>
>>>>DEFAULT Auth-Type = System
>>>> Fall-Through = 1
>>>>
>>>>DEFAULT Service-Type == Call-Check, Auth-Type := Digest
>>>>
>>>>DEFAULT Service-Type == Group-Check, Auth-Type := None
>>>>
>>>>DEFAULT Service-Type == SIP-Session, Auth-Type := Digest
>>>>
>>>>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>>>>
>>>>DEFAULT Service-Type == SIP-Caller-AVPs, Auth-Type := None
>>>>
>>>>
>>>>Also, for those of you using the latest version of freeradius, you may have
>>>>to comment out the following lines as they conflict with dictionary.ser (SER
>>>>CVS) and dictionary.sip (comes with radiusclient-NG)
>>>>
>>>>#VALUE Service-Type Voice 12
>>>>#VALUE Service-Type Fax 13
>>>>#VALUE Service-Type Modem-Relay 14
>>>>#VALUE Service-Type IAPP-Register 15
>>>>#VALUE Service-Type IAPP-AP-Check 16
>>>>
>>>>
>>>>Thanks,
>>>>
>>>>
>>>>Lenir
>>>>
>>>>
>>>>-----Original Message-----
>>>>From: serusers-bounces at iptel.org [mailto:serusers-bounces at iptel.org] On
>>>>Behalf Of Tavis P
>>>>Sent: Friday, October 14, 2005 1:49 PM
>>>>To: lsantiago at globalgatewaycom.com
>>>>Cc: serdev at iptel.org; serusers at iptel.org; devel at openser.org;
>>>>users at openser.org
>>>>Subject: [Serusers] Re: [Serdev] group_radius radius_is_user_in
>>>>
>>>>Oops, I spoke too soon
>>>>
>>>>It looks like you have placed the "files" module before the "sql" module
>>>>in your radiusd.conf
>>>>
>>>>It's matching your DEFAULT entry in files (setting the Auth-Type to none)
>>>>but the sql module is later changing the Auth-Type to "digest"
>>>>
>>>>Changing the order would solve this problem, as you want it to match the
>>>>SQL statement first and then the section in the files last (which
>>>>changes the Auth-Type)
>>>>
>>>>Also, you may want to reduce the load on your database by not setting
>>>>the Auth-Type in the database and instead setting it in the users file with
>>>>a DEFAULT statement as (at least in my case) it isn't something that needs
>>>>to be dynamic.
>>>>
>>>>lenirsantiago at yahoo.com wrote:
>>>>
>>>>>Hello list,
>>>>>
>>>>>I've been trying my hardest today to get group_radius to work, and its
>>>>>function radius_is_user_in().
>>>>>I'm running ser0.9.4 and freeradius 1.0.4 with the mysql backend and digest
>>>>>authentication.
>>>>>
>>>>>Radius authentication works fine.
>>>>>The problem is that when radius_is_user_in() function gets called, it sends
>>>>>a radius message but without the User-Password field and freeradius
>>>>>complains that it requires it since we are using Digest.
>>>>>I've seen a couple of posts here, but they were never answered:
>>>>>http://mail.iptel.org/pipermail/serusers/2005-March/017342.html
>>>>>http://mail.iptel.org/pipermail/serusers/2005-March/017075.html
>>>>>
>>>>>-----
>>>>>I have a small test in my ser.cfg file:
>>>>>    if (!radius_www_authorize("")) {
>>>>>        xlog("L_I","%ci - %fu - User not authenticated, Radius Authenticating...\n");
>>>>>        www_challenge("","0");
>>>>>        break;
>>>>>    } else {
>>>>>        xlog("L_I","%ci - %fu - User authenticated...\n");
>>>>>    };
>>>>>
>>>>>    if (radius_is_user_in("From", "Dialin")){
>>>>>        xlog("L_I","From: User is in Radius Group Dialin!!!!\n");
>>>>>    } else {
>>>>>        xlog("L_I","From: User *IS NOT* Group Dialin!!!!!\n");
>>>>>    };
>>>>>
>>>>>    if (radius_is_user_in("Credentials", "Dialin2")){
>>>>>        xlog("L_I","From: User is in Radius Group Dialin2!!!!\n");
>>>>>    } else {
>>>>>        xlog("L_I","From: User *IS NOT* Group Dialin2!!!!!\n");
>>>>>    };
>>>>>
>>>>>-----
>>>>>In /etc/raddb/users file I have the following at line 152:
>>>>>DEFAULT Auth-Type = System
>>>>> Fall-Through = 1
>>>>>
>>>>>DEFAULT Service-Type == Group-Check, Auth-Type := None
>>>>>
>>>>>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>>>>>
>>>>>-----
>>>>>
>>>>>These are mysql tables:
>>>>>
>>>>>+----+----------+-----------+----+----------+
>>>>>| id | UserName | Attribute | op | Value |
>>>>>+----+----------+-----------+----+----------+
>>>>>| 1 | Jhassell | Password | == | changeme |
>>>>>| 2 | Rneis | Password | == | changeme |
>>>>>| 3 | 1000 | Password | == | 1000 |
>>>>>| 4 | 2000 | Password | == | 2000 |
>>>>>| 5 | 3000 | Password | == | 3000 |
>>>>>| 8 | 1000 | Auth-Type | := | Digest |
>>>>>+----+----------+-----------+----+----------+
>>>>>
>>>>>+----+-----------+-----------+----+--------+
>>>>>| id | GroupName | Attribute | op | Value |
>>>>>+----+-----------+-----------+----+--------+
>>>>>| 6 | Dialin | Auth-Type | := | Accept |
>>>>>+----+-----------+-----------+----+--------+
>>>>>
>>>>>+----+-----------+---------------+----+----------------------------------+------+
>>>>>| id | GroupName | Attribute     | op | Value                            | prio |
>>>>>+----+-----------+---------------+----+----------------------------------+------+
>>>>>|  1 | Dialin    | Reply-Message | =  | "Authenticated by group Dialin"  |    0 |
>>>>>|  2 | Dialin2   | Reply-Message | =  | "Authenticated by group Dialin2" |    0 |
>>>>>+----+-----------+---------------+----+----------------------------------+------+
>>>>>
>>>>>+----+----------+---------------+----+------------------+
>>>>>| id | UserName | Attribute | op | Value |
>>>>>+----+----------+---------------+----+------------------+
>>>>>| 1 | 1000 | Reply-Message | = | "Authenticated" |
>>>>>| 2 | 1000 | Sip-Group | = | Dialin |
>>>>>| 3 | 1000 | SIP-AVP | = | Sip-Group:Dialin |
>>>>>+----+----------+---------------+----+------------------+
>>>>>
>>>>>+----+----------+------------+
>>>>>| id | UserName | GroupName |
>>>>>+----+----------+------------+
>>>>>| 1 | Jhassell | Dialin |
>>>>>| 2 | Rneis | Staticdial |
>>>>>| 3 | 1000 | Dialin |
>>>>>| 4 | 2000 | Dialin |
>>>>>| 5 | 3000 | Dialin |
>>>>>| 6 | 3000 | Dialin2 |
>>>>>+----+----------+------------+
>>>>>
>>>>>------
>>>>>
>>>>>This is the debug I get from freeradius for the group check:
>>>>>
>>>>>rad_recv: Access-Request packet from host xx.xx.xx.xx:33025, id=15,
>>>>>length=67
>>>>> User-Name = "1000 at xx.xx.xx.xx"
>>>>> Sip-Group = "Dialin2"
>>>>> Service-Type = Group-Check
>>>>> NAS-IP-Address = 127.0.0.1
>>>>> NAS-Port = 0
>>>>>Processing the authorize section of radiusd.conf
>>>>>modcall: entering group authorize for request 74
>>>>>modcall[authorize]: module "preprocess" returns ok for request 74
>>>>>modcall[authorize]: module "chap" returns noop for request 74
>>>>>modcall[authorize]: module "mschap" returns noop for request 74
>>>>>modcall[authorize]: module "digest" returns noop for request 74
>>>>> rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
>>>>>"1000 at xx.xx.xx.xx"
>>>>> rlm_realm: Found realm "xx.xx.xx.xx"
>>>>> rlm_realm: Adding Stripped-User-Name = "1000"
>>>>> rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
>>>>> rlm_realm: Adding Realm = "xx.xx.xx.xx"
>>>>> rlm_realm: Authentication realm is LOCAL.
>>>>>modcall[authorize]: module "suffix" returns noop for request 74
>>>>>rlm_eap: No EAP-Message, not doing EAP
>>>>>modcall[authorize]: module "eap" returns noop for request 74
>>>>> users: Matched entry DEFAULT at line 152
>>>>> users: Matched entry DEFAULT at line 158
>>>>>modcall[authorize]: module "files" returns ok for request 74
>>>>>radius_xlat: '1000'
>>>>>rlm_sql (sql): sql_set_user escaped user --> '1000'
>>>>>rlm_sql (sql): Released sql socket id: 0
>>>>>modcall[authorize]: module "sql" returns ok for request 74
>>>>>modcall: group authorize returns ok for request 74
>>>>>rad_check_password: Found Auth-Type Digest
>>>>>auth: type "digest"
>>>>>Processing the authenticate section of radiusd.conf
>>>>>modcall: entering group authenticate for request 74
>>>>>ERROR: No Digest-Nonce: Cannot perform Digest authentication
>>>>>modcall[authenticate]: module "digest" returns invalid for request 74
>>>>>modcall: group authenticate returns invalid for request 74
>>>>>auth: Failed to validate the user.
>>>>>Delaying request 74 for 1 seconds
>>>>>Finished request 74
>>>>>Going to the next request
>>>>>--- Walking the entire request list ---
>>>>>Waking up in 1 seconds...
>>>>>--- Walking the entire request list ---
>>>>>Waking up in 1 seconds...
>>>>>--- Walking the entire request list ---
>>>>>Sending Access-Reject of id 15 to xx.xx.xx.xx:33025
>>>>> Reply-Message = "Authenticated"
>>>>>Waking up in 4 seconds...
>>>>>--- Walking the entire request list ---
>>>>>Cleaning up request 74 ID 15 with timestamp 434f1121
>>>>>Nothing to do. Sleeping until we see a request.
>>>>>
>>>>>Any help in this matter would be deeply appreciated,
>>>>>
>>>>>Lenir
>>>>>
>>>>>_______________________________________________
>>>>>Serdev mailing list
>>>>>Serdev at iptel.org
>>>>>http://mail.iptel.org/mailman/listinfo/serdev
>>>>_______________________________________________
>>>>Serusers mailing list
>>>>Serusers at iptel.org
>>>>http://mail.iptel.org/mailman/listinfo/serusers
>>>>
>>>>
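As an added example (not code from the thread, nor from SER, OpenSER or FreeRADIUS), a small Python audit over a `radiusd -X` trace in the format Lenir posted: it pairs each Group-Check Access-Request with its reply and flags accepts whose SIP-AVP never names the group that was asked about, which is exactly the Dialin2 case above and why checking the returned AVP in the script is more trustworthy than the bare Access-Accept. The trace text, hosts and packet ids are constructed placeholders.

```python
"""Audit a FreeRADIUS ``radiusd -X`` trace for Group-Check requests that were
accepted without the reply actually vouching for the requested group.
Added example, not code from the thread or from SER/OpenSER/FreeRADIUS; it
assumes the trace layout shown in the thread (rad_recv / Sending lines followed
by indented ``Attr = value`` lines). Hosts and packet ids are placeholders."""
import re

RECV_RE = re.compile(r"^rad_recv: Access-Request packet from host \S+, id=(\d+)")
SEND_RE = re.compile(r"^Sending (Access-Accept|Access-Reject) of id (\d+) to")
ATTR_RE = re.compile(r'^\s+([\w-]+) = "?([^"]*)"?\s*$')

# Constructed sample shaped like the two Group-Check exchanges in the thread:
# the second request asks about Dialin2 but is accepted with Sip-Group:Dialin.
SAMPLE_TRACE = """\
rad_recv: Access-Request packet from host 192.0.2.10:33167, id=152, length=66
        User-Name = "1000@192.0.2.10"
        Sip-Group = "Dialin"
        Service-Type = Group-Check
Sending Access-Accept of id 152 to 192.0.2.10:33167
        Reply-Message = "Authenticated by group Dialin"
        SIP-AVP = "Sip-Group:Dialin"
Finished request 4
rad_recv: Access-Request packet from host 192.0.2.10:33167, id=153, length=67
        User-Name = "1000@192.0.2.10"
        Sip-Group = "Dialin2"
        Service-Type = Group-Check
Sending Access-Accept of id 153 to 192.0.2.10:33167
        Reply-Message = "Authenticated by group Dialin"
        SIP-AVP = "Sip-Group:Dialin"
Finished request 5
"""

def parse_trace(text):
    """Group request/reply attributes by packet id:
    {id: {"request": {attr: [values]}, "reply": {...}, "code": "Access-Accept"}}."""
    exchanges = {}
    target = None  # attribute dict currently being filled, None between blocks
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            ex = exchanges.setdefault(m.group(1), {"request": {}, "reply": {}, "code": ""})
            target = ex["request"]
            continue
        m = SEND_RE.match(line)
        if m:
            ex = exchanges.setdefault(m.group(2), {"request": {}, "reply": {}, "code": ""})
            ex["code"] = m.group(1)
            target = ex["reply"]
            continue
        m = ATTR_RE.match(line)
        if m and target is not None:
            target.setdefault(m.group(1), []).append(m.group(2))
        else:
            target = None  # first non-attribute line closes the block
    return exchanges

def groups_granted(reply):
    """Groups the reply vouches for via SIP-AVP "Sip-Group:<name>" values, i.e.
    what a script-side AVP check would rely on instead of the Accept itself."""
    granted = set()
    for avp in reply.get("SIP-AVP", []):
        name, _, value = avp.partition(":")
        if name == "Sip-Group" and value:
            granted.add(value)
    return granted

def audit_group_checks(text):
    """One (packet id, requested group, verdict) tuple per Group-Check request."""
    findings = []
    for req_id, ex in sorted(parse_trace(text).items(), key=lambda kv: int(kv[0])):
        if "Group-Check" not in ex["request"].get("Service-Type", []):
            continue
        requested = (ex["request"].get("Sip-Group") or [""])[0]
        if ex["code"] != "Access-Accept":
            verdict = "rejected"
        elif requested in groups_granted(ex["reply"]):
            verdict = "confirmed"
        else:
            verdict = "unverified-accept"  # accepted, but reply never names the group
        findings.append((req_id, requested, verdict))
    return findings

if __name__ == "__main__":
    for req_id, group, verdict in audit_group_checks(SAMPLE_TRACE):
        print(f"id={req_id} Sip-Group={group}: {verdict}")
```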