[Users] Re: group_radius radius_is_user_in

Tavis P tavis.lists at galaxytelecom.net
Sat Oct 15 01:20:49 CEST 2005


Ugh the subject line is getting really munged up ;P

Hmmm, what does the output from "radiusd -X" look like for the exchange?


Lenir wrote:

>Tavis,
>
>Thanks for your input, that did fix the problem. I did have the "files"
>before "sql" in radiusd.conf. Also I followed your advice about taking out
>"Auth-Type" out of mysql table and let DEFAULT in users file do the trick. 
>
>However it's semi-working.
>
>Accourding to the snippet from my ser.cfg file, now I get the following in
>stderr:
>0(4866) 000d2890-d47f0003-4a230347-53c6189b at yy.yy.yy.yy -
>sip:1000 at xx.xx.xx.xx - User authenticated...
> 0(4866) Credentials: User is in Radius Group Dialin!!!!
> 0(4866) Credentials: User is in Radius Group Dialin2!!!!
>
>No matter which parameter I use for the function radius_is_user_in(), it
>always returns TRUE. When in fact it should return FALSE for Group Dialin2.
>I've tried:
>
>if (radius_is_user_in("From", "Dialin2")){...
>if (radius_is_user_in("Credentials", "Dialin2")){...
>
>
>
>
>
>Here's what I did to fix future problems:
>
>EFAULT Auth-Type = System
>        Fall-Through = 1
>
>DEFAULT Service-Type == Call-Check, Auth-Type := Digest
>
>DEFAULT Service-Type == Group-Check, Auth-Type := None
>
>DEFAULT Service-Type == SIP-Session, Auth-Type := Digest
>
>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>
>DEFAULT Service-Type == SIP-Caller-AVPs, Auth-Type := None
>
>
>Also, for those of you using the latest version of freeradius, you may have
>to comment out the following lines as they conflict with dictionary.ser (SER
>CVS) and dictionary.sip (comes with radiusclient-NG)
>
>#VALUE          Service-Type            Voice                   12
>#VALUE          Service-Type            Fax                     13
>#VALUE          Service-Type            Modem-Relay             14
>#VALUE          Service-Type            IAPP-Register           15
>#VALUE          Service-Type            IAPP-AP-Check           16
>
>
>Thanks,
>
>
>Lenir
>
>
>-----Original Message-----
>From: serusers-bounces at iptel.org [mailto:serusers-bounces at iptel.org] On
>Behalf Of Tavis P
>Sent: Friday, October 14, 2005 1:49 PM
>To: lsantiago at globalgatewaycom.com
>Cc: serdev at iptel.org; serusers at iptel.org; devel at openser.org;
>users at openser.org
>Subject: [Serusers] Re: [Serdev] group_radius radius_is_user_in
>
>Oops, i spoke too soon
>
>It looks like you have placed the "files" module before the "sql" module
>in your radiusd.conf
>
>Its matching your DEFAULT entry in files (setting the Auth-Type to none)
>but the sql module is later changing the Auth-Type to "digest"
>
>Changing the order would solve this problem, as you want it to match the
>SQL statement first and than the section in the files last (which
>changes the Auth-Type)
>
>Also, you may want to reduce the load on your database by not setting
>the Auth-Type in the database and instead setting in the users file with
>a DEFAULT statement as (at least in my case) it isn't somthing that need
>to be dynamic.
>
>lenirsantiago at yahoo.com wrote:
>
>  
>
>>Hello list,
>>
>>I've been trying my hardest today to get group_radius to work, and its
>>function radius_is_user_in().
>>I'm running ser0.9.4 and freeradius 1.0.4 with the mysql backend and digest
>>authentication. 
>>
>>Radius authentication works fine.
>>The problem is that when radius_is_user_in() function gets called, it sends
>>a radius message but without the User-Password field and freeradius
>>complains that it requires it since we are using Digest.
>>I've seen a couple of posts here, but they were never answered: 
>>http://mail.iptel.org/pipermail/serusers/2005-March/017342.html
>>http://mail.iptel.org/pipermail/serusers/2005-March/017075.html
>>
>>-----
>>I have a small test in my ser.cfg file:
>>       if (!radius_www_authorize("")) {
>>               xlog("L_I","%ci - %fu - User not authenticated, Radius
>>Authenticating...\n");
>>               www_challenge("","0");
>>               break;
>>       } else {
>>               xlog("L_I","%ci - %fu - User authenticated...\n");
>>       };
>>
>>       if (radius_is_user_in("From", "Dialin")){
>>               xlog("L_I","From: User is in Radius Group Dialin!!!!\n");
>>       } else {
>>               xlog("L_I","From: User *IS NOT* Group Dialin!!!!!\n");
>>       };
>>
>>       if (radius_is_user_in("Credentials", "Dialin2")){
>>               xlog("L_I","From: User is in Radius Group Dialin2!!!!\n");
>>       } else {
>>               xlog("L_I","From: User *IS NOT* Group Dialin2!!!!!\n");
>>       };
>>
>>-----
>>In /etc/raddb/users file I have the following at line 152:
>>DEFAULT Auth-Type = System
>>       Fall-Through = 1
>>
>>DEFAULT Service-Type == Group-Check, Auth-Type := None
>>
>>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>>
>>-----
>>
>>These are mysql tables:
>>
>>+----+----------+-----------+----+----------+
>>| id | UserName | Attribute | op | Value    |
>>+----+----------+-----------+----+----------+
>>|  1 | Jhassell | Password  | == | changeme |
>>|  2 | Rneis    | Password  | == | changeme |
>>|  3 | 1000     | Password  | == | 1000     |
>>|  4 | 2000     | Password  | == | 2000     |
>>|  5 | 3000     | Password  | == | 3000     |
>>|  8 | 1000     | Auth-Type | := | Digest   |
>>+----+----------+-----------+----+----------+
>>
>>+----+-----------+-----------+----+--------+
>>| id | GroupName | Attribute | op | Value  |
>>+----+-----------+-----------+----+--------+
>>|  6 | Dialin    | Auth-Type | := | Accept |
>>+----+-----------+-----------+----+--------+
>>
>>+----+-----------+---------------+----+----------------------------------+-
>>    
>>
>-
>  
>
>>----+
>>| id | GroupName | Attribute     | op | Value                            |
>>prio |
>>+----+-----------+---------------+----+----------------------------------+-
>>    
>>
>-
>  
>
>>----+
>>|  1 | Dialin    | Reply-Message | =  | "Authenticated by group Dialin"  |
>>0 |
>>|  2 | Dialin2   | Reply-Message | =  | "Authenticated by group Dialin2" |
>>0 |
>>+----+-----------+---------------+----+----------------------------------+-
>>    
>>
>-
>  
>
>>----+
>>
>>+----+----------+---------------+----+------------------+
>>| id | UserName | Attribute     | op | Value            |
>>+----+----------+---------------+----+------------------+
>>|  1 | 1000     | Reply-Message | =  | "Authenticated"  |
>>|  2 | 1000     | Sip-Group     | =  | Dialin           |
>>|  3 | 1000     | SIP-AVP       | =  | Sip-Group:Dialin |
>>+----+----------+---------------+----+------------------+
>>
>>+----+----------+------------+
>>| id | UserName | GroupName  |
>>+----+----------+------------+
>>|  1 | Jhassell | Dialin     |
>>|  2 | Rneis    | Staticdial |
>>|  3 | 1000     | Dialin     |
>>|  4 | 2000     | Dialin     |
>>|  5 | 3000     | Dialin     |
>>|  6 | 3000     | Dialin2    |
>>+----+----------+------------+
>>
>>------
>>
>>This is the debug I get from freeradius for the group check:
>>
>>rad_recv: Access-Request packet from host xx.xx.xx.xx:33025, id=15,
>>length=67
>>       User-Name = "1000 at xx.xx.xx.xx"
>>       Sip-Group = "Dialin2"
>>       Service-Type = Group-Check
>>       NAS-IP-Address = 127.0.0.1
>>       NAS-Port = 0
>> Processing the authorize section of radiusd.conf
>>modcall: entering group authorize for request 74
>> modcall[authorize]: module "preprocess" returns ok for request 74
>> modcall[authorize]: module "chap" returns noop for request 74
>> modcall[authorize]: module "mschap" returns noop for request 74
>> modcall[authorize]: module "digest" returns noop for request 74
>>   rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
>>"1000 at xx.xx.xx.xx"
>>   rlm_realm: Found realm "xx.xx.xx.xx"
>>   rlm_realm: Adding Stripped-User-Name = "1000"
>>   rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
>>   rlm_realm: Adding Realm = "xx.xx.xx.xx"
>>   rlm_realm: Authentication realm is LOCAL.
>> modcall[authorize]: module "suffix" returns noop for request 74
>> rlm_eap: No EAP-Message, not doing EAP
>> modcall[authorize]: module "eap" returns noop for request 74
>>   users: Matched entry DEFAULT at line 152
>>   users: Matched entry DEFAULT at line 158
>> modcall[authorize]: module "files" returns ok for request 74
>>radius_xlat:  '1000'
>>rlm_sql (sql): sql_set_user escaped user --> '1000'
>>rlm_sql (sql): Released sql socket id: 0
>> modcall[authorize]: module "sql" returns ok for request 74
>>modcall: group authorize returns ok for request 74
>> rad_check_password:  Found Auth-Type Digest
>>auth: type "digest"
>> Processing the authenticate section of radiusd.conf
>>modcall: entering group authenticate for request 74
>>ERROR: No Digest-Nonce: Cannot perform Digest authentication
>> modcall[authenticate]: module "digest" returns invalid for request 74
>>modcall: group authenticate returns invalid for request 74
>>auth: Failed to validate the user.
>>Delaying request 74 for 1 seconds
>>Finished request 74
>>Going to the next request
>>--- Walking the entire request list ---
>>Waking up in 1 seconds...
>>--- Walking the entire request list ---
>>Waking up in 1 seconds...
>>--- Walking the entire request list ---
>>Sending Access-Reject of id 15 to xx.xx.xx.xx:33025
>>       Reply-Message = "Authenticated"
>>Waking up in 4 seconds...
>>--- Walking the entire request list ---
>>Cleaning up request 74 ID 15 with timestamp 434f1121
>>Nothing to do.  Sleeping until we see a request.
>>
>>
>>
>>
>>
>>Any help in this matter would be deeply appreciated,
>>
>>
>>
>>
>>Lenir 
>>
>>
>>
>>
>>_______________________________________________
>>Serdev mailing list
>>Serdev at iptel.org
>>http://mail.iptel.org/mailman/listinfo/serdev
>>
>>
>> 
>>
>>    
>>
>
>_______________________________________________
>Serusers mailing list
>Serusers at iptel.org
>http://mail.iptel.org/mailman/listinfo/serusers
>
>
>_______________________________________________
>Serdev mailing list
>Serdev at iptel.org
>http://mail.iptel.org/mailman/listinfo/serdev
>
>
>  
>





More information about the Users mailing list