[Users] Re: group_radius radius_is_user_in
Tavis P
tavis.lists at galaxytelecom.net
Sat Oct 15 01:20:49 CEST 2005
Ugh the subject line is getting really munged up ;P
Hmmm, what does the output from "radiusd -X" look like for the exchange?
Lenir wrote:
>Tavis,
>
>Thanks for your input, that did fix the problem. I did have the "files"
>before "sql" in radiusd.conf. Also I followed your advice about taking out
>"Auth-Type" out of mysql table and let DEFAULT in users file do the trick.
>
>However it's semi-working.
>
>Accourding to the snippet from my ser.cfg file, now I get the following in
>stderr:
>0(4866) 000d2890-d47f0003-4a230347-53c6189b at yy.yy.yy.yy -
>sip:1000 at xx.xx.xx.xx - User authenticated...
> 0(4866) Credentials: User is in Radius Group Dialin!!!!
> 0(4866) Credentials: User is in Radius Group Dialin2!!!!
>
>No matter which parameter I use for the function radius_is_user_in(), it
>always returns TRUE. When in fact it should return FALSE for Group Dialin2.
>I've tried:
>
>if (radius_is_user_in("From", "Dialin2")){...
>if (radius_is_user_in("Credentials", "Dialin2")){...
>
>
>
>
>
>Here's what I did to fix future problems:
>
>EFAULT Auth-Type = System
> Fall-Through = 1
>
>DEFAULT Service-Type == Call-Check, Auth-Type := Digest
>
>DEFAULT Service-Type == Group-Check, Auth-Type := None
>
>DEFAULT Service-Type == SIP-Session, Auth-Type := Digest
>
>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>
>DEFAULT Service-Type == SIP-Caller-AVPs, Auth-Type := None
>
>
>Also, for those of you using the latest version of freeradius, you may have
>to comment out the following lines as they conflict with dictionary.ser (SER
>CVS) and dictionary.sip (comes with radiusclient-NG)
>
>#VALUE Service-Type Voice 12
>#VALUE Service-Type Fax 13
>#VALUE Service-Type Modem-Relay 14
>#VALUE Service-Type IAPP-Register 15
>#VALUE Service-Type IAPP-AP-Check 16
>
>
>Thanks,
>
>
>Lenir
>
>
>-----Original Message-----
>From: serusers-bounces at iptel.org [mailto:serusers-bounces at iptel.org] On
>Behalf Of Tavis P
>Sent: Friday, October 14, 2005 1:49 PM
>To: lsantiago at globalgatewaycom.com
>Cc: serdev at iptel.org; serusers at iptel.org; devel at openser.org;
>users at openser.org
>Subject: [Serusers] Re: [Serdev] group_radius radius_is_user_in
>
>Oops, i spoke too soon
>
>It looks like you have placed the "files" module before the "sql" module
>in your radiusd.conf
>
>Its matching your DEFAULT entry in files (setting the Auth-Type to none)
>but the sql module is later changing the Auth-Type to "digest"
>
>Changing the order would solve this problem, as you want it to match the
>SQL statement first and than the section in the files last (which
>changes the Auth-Type)
>
>Also, you may want to reduce the load on your database by not setting
>the Auth-Type in the database and instead setting in the users file with
>a DEFAULT statement as (at least in my case) it isn't somthing that need
>to be dynamic.
>
>lenirsantiago at yahoo.com wrote:
>
>
>
>>Hello list,
>>
>>I've been trying my hardest today to get group_radius to work, and its
>>function radius_is_user_in().
>>I'm running ser0.9.4 and freeradius 1.0.4 with the mysql backend and digest
>>authentication.
>>
>>Radius authentication works fine.
>>The problem is that when radius_is_user_in() function gets called, it sends
>>a radius message but without the User-Password field and freeradius
>>complains that it requires it since we are using Digest.
>>I've seen a couple of posts here, but they were never answered:
>>http://mail.iptel.org/pipermail/serusers/2005-March/017342.html
>>http://mail.iptel.org/pipermail/serusers/2005-March/017075.html
>>
>>-----
>>I have a small test in my ser.cfg file:
>> if (!radius_www_authorize("")) {
>> xlog("L_I","%ci - %fu - User not authenticated, Radius
>>Authenticating...\n");
>> www_challenge("","0");
>> break;
>> } else {
>> xlog("L_I","%ci - %fu - User authenticated...\n");
>> };
>>
>> if (radius_is_user_in("From", "Dialin")){
>> xlog("L_I","From: User is in Radius Group Dialin!!!!\n");
>> } else {
>> xlog("L_I","From: User *IS NOT* Group Dialin!!!!!\n");
>> };
>>
>> if (radius_is_user_in("Credentials", "Dialin2")){
>> xlog("L_I","From: User is in Radius Group Dialin2!!!!\n");
>> } else {
>> xlog("L_I","From: User *IS NOT* Group Dialin2!!!!!\n");
>> };
>>
>>-----
>>In /etc/raddb/users file I have the following at line 152:
>>DEFAULT Auth-Type = System
>> Fall-Through = 1
>>
>>DEFAULT Service-Type == Group-Check, Auth-Type := None
>>
>>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>>
>>-----
>>
>>These are mysql tables:
>>
>>+----+----------+-----------+----+----------+
>>| id | UserName | Attribute | op | Value |
>>+----+----------+-----------+----+----------+
>>| 1 | Jhassell | Password | == | changeme |
>>| 2 | Rneis | Password | == | changeme |
>>| 3 | 1000 | Password | == | 1000 |
>>| 4 | 2000 | Password | == | 2000 |
>>| 5 | 3000 | Password | == | 3000 |
>>| 8 | 1000 | Auth-Type | := | Digest |
>>+----+----------+-----------+----+----------+
>>
>>+----+-----------+-----------+----+--------+
>>| id | GroupName | Attribute | op | Value |
>>+----+-----------+-----------+----+--------+
>>| 6 | Dialin | Auth-Type | := | Accept |
>>+----+-----------+-----------+----+--------+
>>
>>+----+-----------+---------------+----+----------------------------------+-
>>
>>
>-
>
>
>>----+
>>| id | GroupName | Attribute | op | Value |
>>prio |
>>+----+-----------+---------------+----+----------------------------------+-
>>
>>
>-
>
>
>>----+
>>| 1 | Dialin | Reply-Message | = | "Authenticated by group Dialin" |
>>0 |
>>| 2 | Dialin2 | Reply-Message | = | "Authenticated by group Dialin2" |
>>0 |
>>+----+-----------+---------------+----+----------------------------------+-
>>
>>
>-
>
>
>>----+
>>
>>+----+----------+---------------+----+------------------+
>>| id | UserName | Attribute | op | Value |
>>+----+----------+---------------+----+------------------+
>>| 1 | 1000 | Reply-Message | = | "Authenticated" |
>>| 2 | 1000 | Sip-Group | = | Dialin |
>>| 3 | 1000 | SIP-AVP | = | Sip-Group:Dialin |
>>+----+----------+---------------+----+------------------+
>>
>>+----+----------+------------+
>>| id | UserName | GroupName |
>>+----+----------+------------+
>>| 1 | Jhassell | Dialin |
>>| 2 | Rneis | Staticdial |
>>| 3 | 1000 | Dialin |
>>| 4 | 2000 | Dialin |
>>| 5 | 3000 | Dialin |
>>| 6 | 3000 | Dialin2 |
>>+----+----------+------------+
>>
>>------
>>
>>This is the debug I get from freeradius for the group check:
>>
>>rad_recv: Access-Request packet from host xx.xx.xx.xx:33025, id=15,
>>length=67
>> User-Name = "1000 at xx.xx.xx.xx"
>> Sip-Group = "Dialin2"
>> Service-Type = Group-Check
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 0
>> Processing the authorize section of radiusd.conf
>>modcall: entering group authorize for request 74
>> modcall[authorize]: module "preprocess" returns ok for request 74
>> modcall[authorize]: module "chap" returns noop for request 74
>> modcall[authorize]: module "mschap" returns noop for request 74
>> modcall[authorize]: module "digest" returns noop for request 74
>> rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
>>"1000 at xx.xx.xx.xx"
>> rlm_realm: Found realm "xx.xx.xx.xx"
>> rlm_realm: Adding Stripped-User-Name = "1000"
>> rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
>> rlm_realm: Adding Realm = "xx.xx.xx.xx"
>> rlm_realm: Authentication realm is LOCAL.
>> modcall[authorize]: module "suffix" returns noop for request 74
>> rlm_eap: No EAP-Message, not doing EAP
>> modcall[authorize]: module "eap" returns noop for request 74
>> users: Matched entry DEFAULT at line 152
>> users: Matched entry DEFAULT at line 158
>> modcall[authorize]: module "files" returns ok for request 74
>>radius_xlat: '1000'
>>rlm_sql (sql): sql_set_user escaped user --> '1000'
>>rlm_sql (sql): Released sql socket id: 0
>> modcall[authorize]: module "sql" returns ok for request 74
>>modcall: group authorize returns ok for request 74
>> rad_check_password: Found Auth-Type Digest
>>auth: type "digest"
>> Processing the authenticate section of radiusd.conf
>>modcall: entering group authenticate for request 74
>>ERROR: No Digest-Nonce: Cannot perform Digest authentication
>> modcall[authenticate]: module "digest" returns invalid for request 74
>>modcall: group authenticate returns invalid for request 74
>>auth: Failed to validate the user.
>>Delaying request 74 for 1 seconds
>>Finished request 74
>>Going to the next request
>>--- Walking the entire request list ---
>>Waking up in 1 seconds...
>>--- Walking the entire request list ---
>>Waking up in 1 seconds...
>>--- Walking the entire request list ---
>>Sending Access-Reject of id 15 to xx.xx.xx.xx:33025
>> Reply-Message = "Authenticated"
>>Waking up in 4 seconds...
>>--- Walking the entire request list ---
>>Cleaning up request 74 ID 15 with timestamp 434f1121
>>Nothing to do. Sleeping until we see a request.
>>
>>
>>
>>
>>
>>Any help in this matter would be deeply appreciated,
>>
>>
>>
>>
>>Lenir
>>
>>
>>
>>
>>_______________________________________________
>>Serdev mailing list
>>Serdev at iptel.org
>>http://mail.iptel.org/mailman/listinfo/serdev
>>
>>
>>
>>
>>
>>
>
>_______________________________________________
>Serusers mailing list
>Serusers at iptel.org
>http://mail.iptel.org/mailman/listinfo/serusers
>
>
>_______________________________________________
>Serdev mailing list
>Serdev at iptel.org
>http://mail.iptel.org/mailman/listinfo/serdev
>
>
>
>
More information about the Users
mailing list