[Serusers] Re: [Serdev] group_radius radius_is_user_in

Lenir lenirsantiago at yahoo.com
Fri Oct 14 20:55:19 CEST 2005


Tavis,

Thanks for your input, that did fix the problem. I did have the "files"
before "sql" in radiusd.conf. Also I followed your advice about taking out
"Auth-Type" out of mysql table and let DEFAULT in users file do the trick. 

However it's semi-working.

Accourding to the snippet from my ser.cfg file, now I get the following in
stderr:
0(4866) 000d2890-d47f0003-4a230347-53c6189b at yy.yy.yy.yy -
sip:1000 at xx.xx.xx.xx - User authenticated...
 0(4866) Credentials: User is in Radius Group Dialin!!!!
 0(4866) Credentials: User is in Radius Group Dialin2!!!!

No matter which parameter I use for the function radius_is_user_in(), it
always returns TRUE. When in fact it should return FALSE for Group Dialin2.
I've tried:

if (radius_is_user_in("From", "Dialin2")){...
if (radius_is_user_in("Credentials", "Dialin2")){...





Here's what I did to fix future problems:

EFAULT Auth-Type = System
        Fall-Through = 1

DEFAULT Service-Type == Call-Check, Auth-Type := Digest

DEFAULT Service-Type == Group-Check, Auth-Type := None

DEFAULT Service-Type == SIP-Session, Auth-Type := Digest

DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None

DEFAULT Service-Type == SIP-Caller-AVPs, Auth-Type := None


Also, for those of you using the latest version of freeradius, you may have
to comment out the following lines as they conflict with dictionary.ser (SER
CVS) and dictionary.sip (comes with radiusclient-NG)

#VALUE          Service-Type            Voice                   12
#VALUE          Service-Type            Fax                     13
#VALUE          Service-Type            Modem-Relay             14
#VALUE          Service-Type            IAPP-Register           15
#VALUE          Service-Type            IAPP-AP-Check           16


Thanks,


Lenir


-----Original Message-----
From: serusers-bounces at iptel.org [mailto:serusers-bounces at lists.iptel.org] On
Behalf Of Tavis P
Sent: Friday, October 14, 2005 1:49 PM
To: lsantiago at globalgatewaycom.com
Cc: serdev at lists.iptel.org; serusers at lists.iptel.org; devel at openser.org;
users at openser.org
Subject: [Serusers] Re: [Serdev] group_radius radius_is_user_in

Oops, i spoke too soon

It looks like you have placed the "files" module before the "sql" module
in your radiusd.conf

Its matching your DEFAULT entry in files (setting the Auth-Type to none)
but the sql module is later changing the Auth-Type to "digest"

Changing the order would solve this problem, as you want it to match the
SQL statement first and than the section in the files last (which
changes the Auth-Type)

Also, you may want to reduce the load on your database by not setting
the Auth-Type in the database and instead setting in the users file with
a DEFAULT statement as (at least in my case) it isn't somthing that need
to be dynamic.

lenirsantiago at yahoo.com wrote:

>Hello list,
>
>I've been trying my hardest today to get group_radius to work, and its
>function radius_is_user_in().
>I'm running ser0.9.4 and freeradius 1.0.4 with the mysql backend and digest
>authentication. 
>
>Radius authentication works fine.
>The problem is that when radius_is_user_in() function gets called, it sends
>a radius message but without the User-Password field and freeradius
>complains that it requires it since we are using Digest.
>I've seen a couple of posts here, but they were never answered: 
>http://lists.iptel.org/pipermail/serusers/2005-March/017342.html
>http://lists.iptel.org/pipermail/serusers/2005-March/017075.html
>
>-----
>I have a small test in my ser.cfg file:
>        if (!radius_www_authorize("")) {
>                xlog("L_I","%ci - %fu - User not authenticated, Radius
>Authenticating...\n");
>                www_challenge("","0");
>                break;
>        } else {
>                xlog("L_I","%ci - %fu - User authenticated...\n");
>        };
>
>        if (radius_is_user_in("From", "Dialin")){
>                xlog("L_I","From: User is in Radius Group Dialin!!!!\n");
>        } else {
>                xlog("L_I","From: User *IS NOT* Group Dialin!!!!!\n");
>        };
>
>        if (radius_is_user_in("Credentials", "Dialin2")){
>                xlog("L_I","From: User is in Radius Group Dialin2!!!!\n");
>        } else {
>                xlog("L_I","From: User *IS NOT* Group Dialin2!!!!!\n");
>        };
>
>-----
>In /etc/raddb/users file I have the following at line 152:
>DEFAULT Auth-Type = System
>        Fall-Through = 1
>
>DEFAULT Service-Type == Group-Check, Auth-Type := None
>
>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>
>-----
>
>These are mysql tables:
>
>+----+----------+-----------+----+----------+
>| id | UserName | Attribute | op | Value    |
>+----+----------+-----------+----+----------+
>|  1 | Jhassell | Password  | == | changeme |
>|  2 | Rneis    | Password  | == | changeme |
>|  3 | 1000     | Password  | == | 1000     |
>|  4 | 2000     | Password  | == | 2000     |
>|  5 | 3000     | Password  | == | 3000     |
>|  8 | 1000     | Auth-Type | := | Digest   |
>+----+----------+-----------+----+----------+
>
>+----+-----------+-----------+----+--------+
>| id | GroupName | Attribute | op | Value  |
>+----+-----------+-----------+----+--------+
>|  6 | Dialin    | Auth-Type | := | Accept |
>+----+-----------+-----------+----+--------+
>
>+----+-----------+---------------+----+----------------------------------+-
-
>----+
>| id | GroupName | Attribute     | op | Value                            |
>prio |
>+----+-----------+---------------+----+----------------------------------+-
-
>----+
>|  1 | Dialin    | Reply-Message | =  | "Authenticated by group Dialin"  |
>0 |
>|  2 | Dialin2   | Reply-Message | =  | "Authenticated by group Dialin2" |
>0 |
>+----+-----------+---------------+----+----------------------------------+-
-
>----+
>
>+----+----------+---------------+----+------------------+
>| id | UserName | Attribute     | op | Value            |
>+----+----------+---------------+----+------------------+
>|  1 | 1000     | Reply-Message | =  | "Authenticated"  |
>|  2 | 1000     | Sip-Group     | =  | Dialin           |
>|  3 | 1000     | SIP-AVP       | =  | Sip-Group:Dialin |
>+----+----------+---------------+----+------------------+
>
>+----+----------+------------+
>| id | UserName | GroupName  |
>+----+----------+------------+
>|  1 | Jhassell | Dialin     |
>|  2 | Rneis    | Staticdial |
>|  3 | 1000     | Dialin     |
>|  4 | 2000     | Dialin     |
>|  5 | 3000     | Dialin     |
>|  6 | 3000     | Dialin2    |
>+----+----------+------------+
>
>------
>
>This is the debug I get from freeradius for the group check:
>
>rad_recv: Access-Request packet from host xx.xx.xx.xx:33025, id=15,
>length=67
>        User-Name = "1000 at xx.xx.xx.xx"
>        Sip-Group = "Dialin2"
>        Service-Type = Group-Check
>        NAS-IP-Address = 127.0.0.1
>        NAS-Port = 0
>  Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 74
>  modcall[authorize]: module "preprocess" returns ok for request 74
>  modcall[authorize]: module "chap" returns noop for request 74
>  modcall[authorize]: module "mschap" returns noop for request 74
>  modcall[authorize]: module "digest" returns noop for request 74
>    rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
>"1000 at xx.xx.xx.xx"
>    rlm_realm: Found realm "xx.xx.xx.xx"
>    rlm_realm: Adding Stripped-User-Name = "1000"
>    rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
>    rlm_realm: Adding Realm = "xx.xx.xx.xx"
>    rlm_realm: Authentication realm is LOCAL.
>  modcall[authorize]: module "suffix" returns noop for request 74
>  rlm_eap: No EAP-Message, not doing EAP
>  modcall[authorize]: module "eap" returns noop for request 74
>    users: Matched entry DEFAULT at line 152
>    users: Matched entry DEFAULT at line 158
>  modcall[authorize]: module "files" returns ok for request 74
>radius_xlat:  '1000'
>rlm_sql (sql): sql_set_user escaped user --> '1000'
>rlm_sql (sql): Released sql socket id: 0
>  modcall[authorize]: module "sql" returns ok for request 74
>modcall: group authorize returns ok for request 74
>  rad_check_password:  Found Auth-Type Digest
>auth: type "digest"
>  Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 74
>ERROR: No Digest-Nonce: Cannot perform Digest authentication
>  modcall[authenticate]: module "digest" returns invalid for request 74
>modcall: group authenticate returns invalid for request 74
>auth: Failed to validate the user.
>Delaying request 74 for 1 seconds
>Finished request 74
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Sending Access-Reject of id 15 to xx.xx.xx.xx:33025
>        Reply-Message = "Authenticated"
>Waking up in 4 seconds...
>--- Walking the entire request list ---
>Cleaning up request 74 ID 15 with timestamp 434f1121
>Nothing to do.  Sleeping until we see a request.
>
>
>
>
>
>Any help in this matter would be deeply appreciated,
>
>
>
>
>Lenir 
>
>
>
>
>_______________________________________________
>Serdev mailing list
>serdev at lists.iptel.org
>http://lists.iptel.org/mailman/listinfo/serdev
>
>
>  
>

_______________________________________________
Serusers mailing list
serusers at lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers





More information about the sr-users mailing list