[Users] RE: group_radius radius_is_user_in
Lenir
lenirsantiago at yahoo.com
Wed Oct 19 19:03:56 CEST 2005
This is my users file:
DEFAULT Auth-Type = System
Fall-Through = 1
DEFAULT Service-Type == Call-Check, Auth-Type := None
DEFAULT Service-Type == Group-Check, Auth-Type := None
DEFAULT Service-Type == SIP-Session, Auth-Type := Digest
DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
DEFAULT Service-Type == SIP-Caller-AVPs, Auth-Type := None
mysql> select * from radcheck;
+----+----------+-----------+----+----------+
| id | UserName | Attribute | op | Value |
+----+----------+-----------+----+----------+
| 1 | Jhassell | Password | == | changeme |
| 2 | Rneis | Password | == | changeme |
| 3 | 1000 | Password | == | 1000 |
| 4 | 2000 | Password | == | 2000 |
| 5 | 3000 | Password | == | 3000 |
+----+----------+-----------+----+----------+
5 rows in set (0.00 sec)
mysql> select * from radreply;
Empty set (0.00 sec)
mysql> select * from usergroup;
+----+----------+------------+
| id | UserName | GroupName |
+----+----------+------------+
| 1 | Jhassell | Dialin |
| 2 | Rneis | Staticdial |
| 3 | 1000 | Dialin |
| 4 | 2000 | Dialin |
| 5 | 3000 | Dialin |
| 6 | 3000 | Dialin2 |
+----+----------+------------+
6 rows in set (0.00 sec)
mysql> select * from radgroupcheck;
Empty set (0.00 sec)
mysql> select * from radgroupreply;
+----+-----------+---------------+----+----------------------------------+--
---+
| id | GroupName | Attribute | op | Value |
prio |
+----+-----------+---------------+----+----------------------------------+--
----+
| 1 | Dialin | Reply-Message | = | "Authenticated by group Dialin" |
0 |
| 2 | Dialin2 | Reply-Message | = | "Authenticated by group Dialin2" |
0 |
| 3 | Dialin | SIP-AVP | = | Sip-Group:Dialin |
0 |
+----+-----------+---------------+----+----------------------------------+--
----+
3 rows in set (0.00 sec)
mysql> select * from radpostauth;
Empty set (0.00 sec)
Here's the debug, notice how it returns access-accept whether its in the
right group or not. Shouldn't it return access-reject for group Dialin2?
-----------------
rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=152,
length=66
User-Name = "1000 at xx.xx.xx.xx"
Sip-Group = "Dialin"
Service-Type = Group-Check
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
modcall[authorize]: module "digest" returns noop for request 4
rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
"1000 at xx.xx.xx.xx"
rlm_realm: Found realm "xx.xx.xx.xx"
rlm_realm: Adding Stripped-User-Name = "1000"
rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
rlm_realm: Adding Realm = "xx.xx.xx.xx"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 4
users: Matched entry DEFAULT at line 156
users: Matched entry DEFAULT at line 161
modcall[authorize]: module "files" returns ok for request 4
radius_xlat: '1000'
rlm_sql (sql): sql_set_user escaped user --> '1000'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
radcheck WHERE Username = '1000' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
FROM radcheck WHERE Username = '1000' ORDER BY id
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '1000' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '1000' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
radreply WHERE Username = '1000' ORDER BY id'
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
FROM radreply WHERE Username = '1000' ORDER BY id
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '1000' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '1000' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Checking profile DEFAULT
rlm_sql (sql): sql_set_user escaped user --> 'DEFAULT'
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 0
modcall[authorize]: module "sql" returns ok for request 4
modcall: group authorize returns ok for request 4
rad_check_password: Found Auth-Type None
rad_check_password: Auth-Type = Accept, accepting the user
radius_xlat: 'Authenticated by group Dialin'
Sending Access-Accept of id 152 to xx.xx.xx.xx:33167
Reply-Message = "Authenticated by group Dialin"
SIP-AVP = "Sip-Group:Dialin"
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=153,
length=67
User-Name = "1000 at xx.xx.xx.xx"
Sip-Group = "Dialin2"
Service-Type = Group-Check
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
modcall[authorize]: module "mschap" returns noop for request 5
modcall[authorize]: module "digest" returns noop for request 5
rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
"1000 at xx.xx.xx.xx"
rlm_realm: Found realm "xx.xx.xx.xx"
rlm_realm: Adding Stripped-User-Name = "1000"
rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
rlm_realm: Adding Realm = "xx.xx.xx.xx"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 5
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 5
users: Matched entry DEFAULT at line 156
users: Matched entry DEFAULT at line 161
modcall[authorize]: module "files" returns ok for request 5
radius_xlat: '1000'
rlm_sql (sql): sql_set_user escaped user --> '1000'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
radcheck WHERE Username = '1000' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
FROM radcheck WHERE Username = '1000' ORDER BY id
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '1000' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = '1000' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM
radreply WHERE Username = '1000' ORDER BY id'
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op
FROM radreply WHERE Username = '1000' ORDER BY id
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '1000' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = '1000' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Checking profile DEFAULT
rlm_sql (sql): sql_set_user escaped user --> 'DEFAULT'
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE
usergroup.Username = 'DEFAULT' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 5
modcall: group authorize returns ok for request 5
rad_check_password: Found Auth-Type None
rad_check_password: Auth-Type = Accept, accepting the user
radius_xlat: 'Authenticated by group Dialin'
Sending Access-Accept of id 153 to xx.xx.xx.xx:33167
Reply-Message = "Authenticated by group Dialin"
SIP-AVP = "Sip-Group:Dialin"
Finished request 5
-----Original Message-----
From: Tavis P [mailto:tavis.lists at galaxytelecom.net]
Sent: Friday, October 14, 2005 7:21 PM
To: Lenir
Cc: users at openser.org; serusers at iptel.org
Subject: Re: group_radius radius_is_user_in
Ugh the subject line is getting really munged up ;P
Hmmm, what does the output from "radiusd -X" look like for the exchange?
Lenir wrote:
>Tavis,
>
>Thanks for your input, that did fix the problem. I did have the "files"
>before "sql" in radiusd.conf. Also I followed your advice about taking out
>"Auth-Type" out of mysql table and let DEFAULT in users file do the trick.
>
>However it's semi-working.
>
>Accourding to the snippet from my ser.cfg file, now I get the following in
>stderr:
>0(4866) 000d2890-d47f0003-4a230347-53c6189b at yy.yy.yy.yy -
>sip:1000 at xx.xx.xx.xx - User authenticated...
> 0(4866) Credentials: User is in Radius Group Dialin!!!!
> 0(4866) Credentials: User is in Radius Group Dialin2!!!!
>
>No matter which parameter I use for the function radius_is_user_in(), it
>always returns TRUE. When in fact it should return FALSE for Group Dialin2.
>I've tried:
>
>if (radius_is_user_in("From", "Dialin2")){...
>if (radius_is_user_in("Credentials", "Dialin2")){...
>
>
>
>
>
>Here's what I did to fix future problems:
>
>EFAULT Auth-Type = System
> Fall-Through = 1
>
>DEFAULT Service-Type == Call-Check, Auth-Type := Digest
>
>DEFAULT Service-Type == Group-Check, Auth-Type := None
>
>DEFAULT Service-Type == SIP-Session, Auth-Type := Digest
>
>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>
>DEFAULT Service-Type == SIP-Caller-AVPs, Auth-Type := None
>
>
>Also, for those of you using the latest version of freeradius, you may have
>to comment out the following lines as they conflict with dictionary.ser
(SER
>CVS) and dictionary.sip (comes with radiusclient-NG)
>
>#VALUE Service-Type Voice 12
>#VALUE Service-Type Fax 13
>#VALUE Service-Type Modem-Relay 14
>#VALUE Service-Type IAPP-Register 15
>#VALUE Service-Type IAPP-AP-Check 16
>
>
>Thanks,
>
>
>Lenir
>
>
>-----Original Message-----
>From: serusers-bounces at iptel.org [mailto:serusers-bounces at iptel.org] On
>Behalf Of Tavis P
>Sent: Friday, October 14, 2005 1:49 PM
>To: lsantiago at globalgatewaycom.com
>Cc: serdev at iptel.org; serusers at iptel.org; devel at openser.org;
>users at openser.org
>Subject: [Serusers] Re: [Serdev] group_radius radius_is_user_in
>
>Oops, i spoke too soon
>
>It looks like you have placed the "files" module before the "sql" module
>in your radiusd.conf
>
>Its matching your DEFAULT entry in files (setting the Auth-Type to none)
>but the sql module is later changing the Auth-Type to "digest"
>
>Changing the order would solve this problem, as you want it to match the
>SQL statement first and than the section in the files last (which
>changes the Auth-Type)
>
>Also, you may want to reduce the load on your database by not setting
>the Auth-Type in the database and instead setting in the users file with
>a DEFAULT statement as (at least in my case) it isn't somthing that need
>to be dynamic.
>
>lenirsantiago at yahoo.com wrote:
>
>
>
>>Hello list,
>>
>>I've been trying my hardest today to get group_radius to work, and its
>>function radius_is_user_in().
>>I'm running ser0.9.4 and freeradius 1.0.4 with the mysql backend and
digest
>>authentication.
>>
>>Radius authentication works fine.
>>The problem is that when radius_is_user_in() function gets called, it
sends
>>a radius message but without the User-Password field and freeradius
>>complains that it requires it since we are using Digest.
>>I've seen a couple of posts here, but they were never answered:
>>http://mail.iptel.org/pipermail/serusers/2005-March/017342.html
>>http://mail.iptel.org/pipermail/serusers/2005-March/017075.html
>>
>>-----
>>I have a small test in my ser.cfg file:
>> if (!radius_www_authorize("")) {
>> xlog("L_I","%ci - %fu - User not authenticated, Radius
>>Authenticating...\n");
>> www_challenge("","0");
>> break;
>> } else {
>> xlog("L_I","%ci - %fu - User authenticated...\n");
>> };
>>
>> if (radius_is_user_in("From", "Dialin")){
>> xlog("L_I","From: User is in Radius Group Dialin!!!!\n");
>> } else {
>> xlog("L_I","From: User *IS NOT* Group Dialin!!!!!\n");
>> };
>>
>> if (radius_is_user_in("Credentials", "Dialin2")){
>> xlog("L_I","From: User is in Radius Group Dialin2!!!!\n");
>> } else {
>> xlog("L_I","From: User *IS NOT* Group Dialin2!!!!!\n");
>> };
>>
>>-----
>>In /etc/raddb/users file I have the following at line 152:
>>DEFAULT Auth-Type = System
>> Fall-Through = 1
>>
>>DEFAULT Service-Type == Group-Check, Auth-Type := None
>>
>>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>>
>>-----
>>
>>These are mysql tables:
>>
>>+----+----------+-----------+----+----------+
>>| id | UserName | Attribute | op | Value |
>>+----+----------+-----------+----+----------+
>>| 1 | Jhassell | Password | == | changeme |
>>| 2 | Rneis | Password | == | changeme |
>>| 3 | 1000 | Password | == | 1000 |
>>| 4 | 2000 | Password | == | 2000 |
>>| 5 | 3000 | Password | == | 3000 |
>>| 8 | 1000 | Auth-Type | := | Digest |
>>+----+----------+-----------+----+----------+
>>
>>+----+-----------+-----------+----+--------+
>>| id | GroupName | Attribute | op | Value |
>>+----+-----------+-----------+----+--------+
>>| 6 | Dialin | Auth-Type | := | Accept |
>>+----+-----------+-----------+----+--------+
>>
>>+----+-----------+---------------+----+----------------------------------+
-
>>
>>
>-
>
>
>>----+
>>| id | GroupName | Attribute | op | Value |
>>prio |
>>+----+-----------+---------------+----+----------------------------------+
-
>>
>>
>-
>
>
>>----+
>>| 1 | Dialin | Reply-Message | = | "Authenticated by group Dialin" |
>>0 |
>>| 2 | Dialin2 | Reply-Message | = | "Authenticated by group Dialin2" |
>>0 |
>>+----+-----------+---------------+----+----------------------------------+
-
>>
>>
>-
>
>
>>----+
>>
>>+----+----------+---------------+----+------------------+
>>| id | UserName | Attribute | op | Value |
>>+----+----------+---------------+----+------------------+
>>| 1 | 1000 | Reply-Message | = | "Authenticated" |
>>| 2 | 1000 | Sip-Group | = | Dialin |
>>| 3 | 1000 | SIP-AVP | = | Sip-Group:Dialin |
>>+----+----------+---------------+----+------------------+
>>
>>+----+----------+------------+
>>| id | UserName | GroupName |
>>+----+----------+------------+
>>| 1 | Jhassell | Dialin |
>>| 2 | Rneis | Staticdial |
>>| 3 | 1000 | Dialin |
>>| 4 | 2000 | Dialin |
>>| 5 | 3000 | Dialin |
>>| 6 | 3000 | Dialin2 |
>>+----+----------+------------+
>>
>>------
>>
>>This is the debug I get from freeradius for the group check:
>>
>>rad_recv: Access-Request packet from host xx.xx.xx.xx:33025, id=15,
>>length=67
>> User-Name = "1000 at xx.xx.xx.xx"
>> Sip-Group = "Dialin2"
>> Service-Type = Group-Check
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 0
>> Processing the authorize section of radiusd.conf
>>modcall: entering group authorize for request 74
>> modcall[authorize]: module "preprocess" returns ok for request 74
>> modcall[authorize]: module "chap" returns noop for request 74
>> modcall[authorize]: module "mschap" returns noop for request 74
>> modcall[authorize]: module "digest" returns noop for request 74
>> rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
>>"1000 at xx.xx.xx.xx"
>> rlm_realm: Found realm "xx.xx.xx.xx"
>> rlm_realm: Adding Stripped-User-Name = "1000"
>> rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
>> rlm_realm: Adding Realm = "xx.xx.xx.xx"
>> rlm_realm: Authentication realm is LOCAL.
>> modcall[authorize]: module "suffix" returns noop for request 74
>> rlm_eap: No EAP-Message, not doing EAP
>> modcall[authorize]: module "eap" returns noop for request 74
>> users: Matched entry DEFAULT at line 152
>> users: Matched entry DEFAULT at line 158
>> modcall[authorize]: module "files" returns ok for request 74
>>radius_xlat: '1000'
>>rlm_sql (sql): sql_set_user escaped user --> '1000'
>>rlm_sql (sql): Released sql socket id: 0
>> modcall[authorize]: module "sql" returns ok for request 74
>>modcall: group authorize returns ok for request 74
>> rad_check_password: Found Auth-Type Digest
>>auth: type "digest"
>> Processing the authenticate section of radiusd.conf
>>modcall: entering group authenticate for request 74
>>ERROR: No Digest-Nonce: Cannot perform Digest authentication
>> modcall[authenticate]: module "digest" returns invalid for request 74
>>modcall: group authenticate returns invalid for request 74
>>auth: Failed to validate the user.
>>Delaying request 74 for 1 seconds
>>Finished request 74
>>Going to the next request
>>--- Walking the entire request list ---
>>Waking up in 1 seconds...
>>--- Walking the entire request list ---
>>Waking up in 1 seconds...
>>--- Walking the entire request list ---
>>Sending Access-Reject of id 15 to xx.xx.xx.xx:33025
>> Reply-Message = "Authenticated"
>>Waking up in 4 seconds...
>>--- Walking the entire request list ---
>>Cleaning up request 74 ID 15 with timestamp 434f1121
>>Nothing to do. Sleeping until we see a request.
>>
>>
>>
>>
>>
>>Any help in this matter would be deeply appreciated,
>>
>>
>>
>>
>>Lenir
>>
>>
>>
>>
>>_______________________________________________
>>Serdev mailing list
>>Serdev at iptel.org
>>http://mail.iptel.org/mailman/listinfo/serdev
>>
>>
>>
>>
>>
>>
>
>_______________________________________________
>Serusers mailing list
>Serusers at iptel.org
>http://mail.iptel.org/mailman/listinfo/serusers
>
>
>_______________________________________________
>Serdev mailing list
>Serdev at iptel.org
>http://mail.iptel.org/mailman/listinfo/serdev
>
>
>
>
More information about the Users
mailing list