[Users] Re: group_radius radius_is_user_in

Tavis P tavis.lists at galaxytelecom.net
Wed Oct 19 23:40:53 CEST 2005


Sorry, I always tend to think more than I write/talk.

What I meant was that you can pass the necessary information during the
authentication using the auth_radius module, or during the feature request
using avp_radius, depending on what you are trying to do with the feature.

Lenir wrote:

>I will try that as a workaround.
>
>For the SER-DEVEL and OPENSER-DEVEL guys...can any of you comment on this?
>
>Thanks
>
>-----Original Message-----
>From: Tavis P [mailto:tavis.lists at galaxytelecom.net] 
>Sent: Wednesday, October 19, 2005 4:40 PM
>To: Lenir
>Cc: users at openser.org; serusers at iptel.org
>Subject: Re: group_radius radius_is_user_in
>
>I've never used the group_radius module so I'm not certain what it
>expects from the radius server (it's not well documented currently).
>
>Although you may be able to optimize a bit and skip the
>radius_is_user_in function call and simply pass the user's group back as
>a SIP-AVP attribute in the radreply table, and then check for that AVP
>in the OpenSER script.
>
>What I've done is commented the group checking SQL from the freeradius
>sql.conf file so that when a user authenticates or when an avp_radius
>call is made only 2 SQL queries are sent, instead of the 4-5 used when
>group check is enabled.
>
>Try this, it should work and it will save you ~10 sql queries and a
>radius request/response.
>
>
>Lenir wrote:
>
>>I'm trying to use group_radius module to check if the user is in a
>>particular radius group. I'm calling radius_is_user_in function to do this.
>>Here is the snippet in my config that calls that function:
>>
>>route[2] {
>>
>>       # -----------------------------------------------------------------
>>       # REGISTER Message Handler
>>       # -----------------------------------------------------------------
>>       sl_send_reply("100", "Trying");
>>
>>       if (!radius_www_authorize("")) {
>>               xlog("L_INFO","$ci - $fu - User not authenticated, Radius Authenticating...\n");
>>               www_challenge("","0");
>>               return;
>>       } else {
>>               xlog("L_INFO","$ci - $fu - User authenticated...\n");
>>       };
>>
>>       if (radius_is_user_in("From", "Dialin")){
>>               xlog("L_INFO","From: User is in Radius Group Dialin!!!!\n");
>>       } else {
>>               xlog("L_INFO","From: User *IS NOT* Group Dialin!!!!!\n");
>>       };
>>
>>       if (radius_is_user_in("From", "Dialin2")){
>>               xlog("L_INFO","From: User is in Radius Group Dialin2!!!!\n");
>>       } else {
>>               xlog("L_INFO","From: User *IS NOT* Group Dialin2!!!!!\n");
>>       };
>>
>>       #if (!radius_check_to()) {
>>       #       sl_send_reply("401", "Unauthorized");
>>       #       return;
>>       #};
>>
>>       consume_credentials();
>>
>>       if (!save("location")) {
>>               sl_reply_error();
>>       };
>>}
>>
>>
>>-----Original Message-----
>>From: Tavis P [mailto:tavis.lists at galaxytelecom.net] 
>>Sent: Wednesday, October 19, 2005 3:59 PM
>>To: Lenir
>>Cc: users at openser.org; serusers at iptel.org
>>Subject: Re: group_radius radius_is_user_in
>>
>>Well either way the radius server is going to respond with an
>>"Access-Accept" because you have set the auth-type to "none" (which is
>>necessary because you are not authenticating and can not provide the
>>necessary credentials).
>>
>>From the trace you showed me below, I see two radius requests both for
>>the user 1000 and both of which respond as I would expect.
>>
>>I'm not sure what you are trying to accomplish, are you using the
>>group_radius module or just loading the group information using avp_radius?
>>
>>
>>Lenir wrote:
>>
>>>This is my users file:
>>>
>>>DEFAULT Auth-Type = System
>>>      Fall-Through = 1
>>>
>>>DEFAULT Service-Type == Call-Check, Auth-Type := None
>>>
>>>DEFAULT Service-Type == Group-Check, Auth-Type := None
>>>
>>>DEFAULT Service-Type == SIP-Session, Auth-Type := Digest
>>>
>>>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>>>
>>>DEFAULT Service-Type == SIP-Caller-AVPs, Auth-Type := None
>>>
>>>
>>>mysql> select * from radcheck;
>>>+----+----------+-----------+----+----------+
>>>| id | UserName | Attribute | op | Value    |
>>>+----+----------+-----------+----+----------+
>>>|  1 | Jhassell | Password  | == | changeme |
>>>|  2 | Rneis    | Password  | == | changeme |
>>>|  3 | 1000     | Password  | == | 1000     |
>>>|  4 | 2000     | Password  | == | 2000     |
>>>|  5 | 3000     | Password  | == | 3000     |
>>>+----+----------+-----------+----+----------+
>>>5 rows in set (0.00 sec)
>>>
>>>mysql> select * from radreply;
>>>Empty set (0.00 sec)
>>>
>>>mysql> select * from usergroup;
>>>+----+----------+------------+
>>>| id | UserName | GroupName  |
>>>+----+----------+------------+
>>>|  1 | Jhassell | Dialin     |
>>>|  2 | Rneis    | Staticdial |
>>>|  3 | 1000     | Dialin     |
>>>|  4 | 2000     | Dialin     |
>>>|  5 | 3000     | Dialin     |
>>>|  6 | 3000     | Dialin2    |
>>>+----+----------+------------+
>>>6 rows in set (0.00 sec)
>>>
>>>mysql> select * from radgroupcheck;
>>>Empty set (0.00 sec)
>>>
>>>mysql> select * from radgroupreply;
>>>+----+-----------+---------------+----+----------------------------------+------+
>>>| id | GroupName | Attribute     | op | Value                            | prio |
>>>+----+-----------+---------------+----+----------------------------------+------+
>>>|  1 | Dialin    | Reply-Message | =  | "Authenticated by group Dialin"  |    0 |
>>>|  2 | Dialin2   | Reply-Message | =  | "Authenticated by group Dialin2" |    0 |
>>>|  3 | Dialin    | SIP-AVP       | =  | Sip-Group:Dialin                 |    0 |
>>>+----+-----------+---------------+----+----------------------------------+------+
>>>3 rows in set (0.00 sec)
>>>
>>>mysql> select * from radpostauth;  
>>>Empty set (0.00 sec)
>>>
>>>
>>>
>>>Here's the debug, notice how it returns access-accept whether it's in the
>>>right group or not. Shouldn't it return access-reject for group Dialin2?
>>>-----------------
>>>rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=152,
>>>length=66
>>>      User-Name = "1000 at xx.xx.xx.xx"
>>>      Sip-Group = "Dialin"
>>>      Service-Type = Group-Check
>>>      NAS-IP-Address = 127.0.0.1
>>>      NAS-Port = 0
>>>Processing the authorize section of radiusd.conf
>>>modcall: entering group authorize for request 4
>>>modcall[authorize]: module "preprocess" returns ok for request 4
>>>modcall[authorize]: module "chap" returns noop for request 4
>>>modcall[authorize]: module "mschap" returns noop for request 4
>>>modcall[authorize]: module "digest" returns noop for request 4
>>>  rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
>>>"1000 at xx.xx.xx.xx"
>>>  rlm_realm: Found realm "xx.xx.xx.xx"
>>>  rlm_realm: Adding Stripped-User-Name = "1000"
>>>  rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
>>>  rlm_realm: Adding Realm = "xx.xx.xx.xx"
>>>  rlm_realm: Authentication realm is LOCAL.
>>>modcall[authorize]: module "suffix" returns noop for request 4
>>>rlm_eap: No EAP-Message, not doing EAP
>>>modcall[authorize]: module "eap" returns noop for request 4
>>>  users: Matched entry DEFAULT at line 156
>>>  users: Matched entry DEFAULT at line 161
>>>modcall[authorize]: module "files" returns ok for request 4
>>>radius_xlat:  '1000'
>>>rlm_sql (sql): sql_set_user escaped user --> '1000'
>>>radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radcheck           WHERE Username = '1000'           ORDER BY id'
>>>rlm_sql (sql): Reserving sql socket id: 0
>>>rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op           FROM radcheck           WHERE Username = '1000'           ORDER BY id
>>>radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>>>rlm_sql_mysql: query:  SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
>>>radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = '1000'           ORDER BY id'
>>>rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = '1000'           ORDER BY id
>>>radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>>>rlm_sql_mysql: query:  SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
>>>rlm_sql (sql): Checking profile DEFAULT
>>>rlm_sql (sql): sql_set_user escaped user --> 'DEFAULT'
>>>radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>>>rlm_sql_mysql: query:  SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
>>>radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>>>rlm_sql_mysql: query:  SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
>>>rlm_sql (sql): Released sql socket id: 0
>>>modcall[authorize]: module "sql" returns ok for request 4
>>>modcall: group authorize returns ok for request 4
>>>rad_check_password:  Found Auth-Type None
>>>rad_check_password: Auth-Type = Accept, accepting the user
>>>radius_xlat:  'Authenticated by group Dialin'
>>>Sending Access-Accept of id 152 to xx.xx.xx.xx:33167
>>>      Reply-Message = "Authenticated by group Dialin"
>>>      SIP-AVP = "Sip-Group:Dialin"
>>>Finished request 4
>>>Going to the next request
>>>Waking up in 6 seconds...
>>>rad_recv: Access-Request packet from host xx.xx.xx.xx:33167, id=153,
>>>length=67
>>>      User-Name = "1000 at xx.xx.xx.xx"
>>>      Sip-Group = "Dialin2"
>>>      Service-Type = Group-Check
>>>      NAS-IP-Address = 127.0.0.1
>>>      NAS-Port = 0
>>>Processing the authorize section of radiusd.conf
>>>modcall: entering group authorize for request 5
>>>modcall[authorize]: module "preprocess" returns ok for request 5
>>>modcall[authorize]: module "chap" returns noop for request 5
>>>modcall[authorize]: module "mschap" returns noop for request 5
>>>modcall[authorize]: module "digest" returns noop for request 5
>>>  rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
>>>"1000 at xx.xx.xx.xx"
>>>  rlm_realm: Found realm "xx.xx.xx.xx"
>>>  rlm_realm: Adding Stripped-User-Name = "1000"
>>>  rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
>>>  rlm_realm: Adding Realm = "xx.xx.xx.xx"
>>>  rlm_realm: Authentication realm is LOCAL.
>>>modcall[authorize]: module "suffix" returns noop for request 5
>>>rlm_eap: No EAP-Message, not doing EAP
>>>modcall[authorize]: module "eap" returns noop for request 5
>>>  users: Matched entry DEFAULT at line 156
>>>  users: Matched entry DEFAULT at line 161
>>>modcall[authorize]: module "files" returns ok for request 5
>>>radius_xlat:  '1000'
>>>rlm_sql (sql): sql_set_user escaped user --> '1000'
>>>radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radcheck           WHERE Username = '1000'           ORDER BY id'
>>>rlm_sql (sql): Reserving sql socket id: 4
>>>rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op           FROM radcheck           WHERE Username = '1000'           ORDER BY id
>>>radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>>>rlm_sql_mysql: query:  SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
>>>radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = '1000'           ORDER BY id'
>>>rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = '1000'           ORDER BY id
>>>radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>>>rlm_sql_mysql: query:  SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '1000' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
>>>rlm_sql (sql): Checking profile DEFAULT
>>>rlm_sql (sql): sql_set_user escaped user --> 'DEFAULT'
>>>radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>>>rlm_sql_mysql: query:  SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
>>>radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>>>rlm_sql_mysql: query:  SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'DEFAULT' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
>>>rlm_sql (sql): Released sql socket id: 4
>>>modcall[authorize]: module "sql" returns ok for request 5
>>>modcall: group authorize returns ok for request 5
>>>rad_check_password:  Found Auth-Type None
>>>rad_check_password: Auth-Type = Accept, accepting the user
>>>radius_xlat:  'Authenticated by group Dialin'
>>>Sending Access-Accept of id 153 to xx.xx.xx.xx:33167
>>>      Reply-Message = "Authenticated by group Dialin"
>>>      SIP-AVP = "Sip-Group:Dialin"
>>>Finished request 5
>>>
>>>-----Original Message-----
>>>From: Tavis P [mailto:tavis.lists at galaxytelecom.net] 
>>>Sent: Friday, October 14, 2005 7:21 PM
>>>To: Lenir
>>>Cc: users at openser.org; serusers at iptel.org
>>>Subject: Re: group_radius radius_is_user_in
>>>
>>>Ugh the subject line is getting really munged up ;P
>>>
>>>Hmmm, what does the output from "radiusd -X" look like for the exchange?
>>>
>>>
>>>Lenir wrote:
>>>
>>>>Tavis,
>>>>
>>>>Thanks for your input, that did fix the problem. I did have the "files"
>>>>before "sql" in radiusd.conf. Also I followed your advice about taking
>>>>"Auth-Type" out of the mysql table and letting DEFAULT in the users file
>>>>do the trick.
>>>>
>>>>However it's semi-working.
>>>>
>>>>According to the snippet from my ser.cfg file, now I get the following in
>>>>stderr:
>>>>0(4866) 000d2890-d47f0003-4a230347-53c6189b at yy.yy.yy.yy -
>>>>sip:1000 at xx.xx.xx.xx - User authenticated...
>>>>0(4866) Credentials: User is in Radius Group Dialin!!!!
>>>>0(4866) Credentials: User is in Radius Group Dialin2!!!!
>>>>
>>>>No matter which parameter I use for the function radius_is_user_in(), it
>>>>always returns TRUE. When in fact it should return FALSE for Group
>>>>Dialin2.
>>>>
>>>>I've tried:
>>>>
>>>>if (radius_is_user_in("From", "Dialin2")){...
>>>>if (radius_is_user_in("Credentials", "Dialin2")){...
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>Here's what I did to fix future problems:
>>>>
>>>>DEFAULT Auth-Type = System
>>>>     Fall-Through = 1
>>>>
>>>>DEFAULT Service-Type == Call-Check, Auth-Type := Digest
>>>>
>>>>DEFAULT Service-Type == Group-Check, Auth-Type := None
>>>>
>>>>DEFAULT Service-Type == SIP-Session, Auth-Type := Digest
>>>>
>>>>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>>>>
>>>>DEFAULT Service-Type == SIP-Caller-AVPs, Auth-Type := None
>>>>
>>>>
>>>>Also, for those of you using the latest version of freeradius, you may
>>>>have to comment out the following lines as they conflict with dictionary.ser
>>>>(SER CVS) and dictionary.sip (comes with radiusclient-NG)
>>>>
>>>>#VALUE          Service-Type            Voice                   12
>>>>#VALUE          Service-Type            Fax                     13
>>>>#VALUE          Service-Type            Modem-Relay             14
>>>>#VALUE          Service-Type            IAPP-Register           15
>>>>#VALUE          Service-Type            IAPP-AP-Check           16
>>>>
>>>>
>>>>Thanks,
>>>>
>>>>
>>>>Lenir
>>>>
>>>>
>>>>-----Original Message-----
>>>>From: serusers-bounces at iptel.org [mailto:serusers-bounces at iptel.org] On
>>>>Behalf Of Tavis P
>>>>Sent: Friday, October 14, 2005 1:49 PM
>>>>To: lsantiago at globalgatewaycom.com
>>>>Cc: serdev at iptel.org; serusers at iptel.org; devel at openser.org;
>>>>users at openser.org
>>>>Subject: [Serusers] Re: [Serdev] group_radius radius_is_user_in
>>>>
>>>>Oops, I spoke too soon.
>>>>
>>>>It looks like you have placed the "files" module before the "sql" module
>>>>in your radiusd.conf.
>>>>
>>>>It's matching your DEFAULT entry in files (setting the Auth-Type to none)
>>>>but the sql module is later changing the Auth-Type to "digest".
>>>>
>>>>Changing the order would solve this problem, as you want it to match the
>>>>SQL statement first and then the section in the files last (which
>>>>changes the Auth-Type).
>>>>
>>>>Also, you may want to reduce the load on your database by not setting
>>>>the Auth-Type in the database and instead setting it in the users file with
>>>>a DEFAULT statement as (at least in my case) it isn't something that needs
>>>>to be dynamic.
>>>>
>>>>lenirsantiago at yahoo.com wrote:
>>>>
>>>>>Hello list,
>>>>>
>>>>>I've been trying my hardest today to get group_radius to work, and its
>>>>>function radius_is_user_in().
>>>>>I'm running ser0.9.4 and freeradius 1.0.4 with the mysql backend and
>>>>>digest authentication.
>>>>>
>>>>>Radius authentication works fine.
>>>>>The problem is that when radius_is_user_in() function gets called, it
>>>>>sends a radius message but without the User-Password field and freeradius
>>>>>complains that it requires it since we are using Digest.
>>>>>I've seen a couple of posts here, but they were never answered: 
>>>>>http://mail.iptel.org/pipermail/serusers/2005-March/017342.html
>>>>>http://mail.iptel.org/pipermail/serusers/2005-March/017075.html
>>>>>
>>>>>-----
>>>>>I have a small test in my ser.cfg file:
>>>>>    if (!radius_www_authorize("")) {
>>>>>            xlog("L_I","%ci - %fu - User not authenticated, Radius Authenticating...\n");
>>>>>            www_challenge("","0");
>>>>>            break;
>>>>>    } else {
>>>>>            xlog("L_I","%ci - %fu - User authenticated...\n");
>>>>>    };
>>>>>
>>>>>    if (radius_is_user_in("From", "Dialin")){
>>>>>            xlog("L_I","From: User is in Radius Group Dialin!!!!\n");
>>>>>    } else {
>>>>>            xlog("L_I","From: User *IS NOT* Group Dialin!!!!!\n");
>>>>>    };
>>>>>
>>>>>    if (radius_is_user_in("Credentials", "Dialin2")){
>>>>>            xlog("L_I","From: User is in Radius Group Dialin2!!!!\n");
>>>>>    } else {
>>>>>            xlog("L_I","From: User *IS NOT* Group Dialin2!!!!!\n");
>>>>>    };
>>>>>
>>>>>-----
>>>>>In /etc/raddb/users file I have the following at line 152:
>>>>>DEFAULT Auth-Type = System
>>>>>    Fall-Through = 1
>>>>>
>>>>>DEFAULT Service-Type == Group-Check, Auth-Type := None
>>>>>
>>>>>DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None
>>>>>
>>>>>-----
>>>>>
>>>>>These are mysql tables:
>>>>>
>>>>>+----+----------+-----------+----+----------+
>>>>>| id | UserName | Attribute | op | Value    |
>>>>>+----+----------+-----------+----+----------+
>>>>>|  1 | Jhassell | Password  | == | changeme |
>>>>>|  2 | Rneis    | Password  | == | changeme |
>>>>>|  3 | 1000     | Password  | == | 1000     |
>>>>>|  4 | 2000     | Password  | == | 2000     |
>>>>>|  5 | 3000     | Password  | == | 3000     |
>>>>>|  8 | 1000     | Auth-Type | := | Digest   |
>>>>>+----+----------+-----------+----+----------+
>>>>>
>>>>>+----+-----------+-----------+----+--------+
>>>>>| id | GroupName | Attribute | op | Value  |
>>>>>+----+-----------+-----------+----+--------+
>>>>>|  6 | Dialin    | Auth-Type | := | Accept |
>>>>>+----+-----------+-----------+----+--------+
>>>>>
>>>>>+----+-----------+---------------+----+----------------------------------+------+
>>>>>| id | GroupName | Attribute     | op | Value                            | prio |
>>>>>+----+-----------+---------------+----+----------------------------------+------+
>>>>>|  1 | Dialin    | Reply-Message | =  | "Authenticated by group Dialin"  |    0 |
>>>>>|  2 | Dialin2   | Reply-Message | =  | "Authenticated by group Dialin2" |    0 |
>>>>>+----+-----------+---------------+----+----------------------------------+------+
>>>>>
>>>>>+----+----------+---------------+----+------------------+
>>>>>| id | UserName | Attribute     | op | Value            |
>>>>>+----+----------+---------------+----+------------------+
>>>>>|  1 | 1000     | Reply-Message | =  | "Authenticated"  |
>>>>>|  2 | 1000     | Sip-Group     | =  | Dialin           |
>>>>>|  3 | 1000     | SIP-AVP       | =  | Sip-Group:Dialin |
>>>>>+----+----------+---------------+----+------------------+
>>>>>
>>>>>+----+----------+------------+
>>>>>| id | UserName | GroupName  |
>>>>>+----+----------+------------+
>>>>>|  1 | Jhassell | Dialin     |
>>>>>|  2 | Rneis    | Staticdial |
>>>>>|  3 | 1000     | Dialin     |
>>>>>|  4 | 2000     | Dialin     |
>>>>>|  5 | 3000     | Dialin     |
>>>>>|  6 | 3000     | Dialin2    |
>>>>>+----+----------+------------+
>>>>>
>>>>>------
>>>>>
>>>>>This is the debug I get from freeradius for the group check:
>>>>>
>>>>>rad_recv: Access-Request packet from host xx.xx.xx.xx:33025, id=15,
>>>>>length=67
>>>>>    User-Name = "1000 at xx.xx.xx.xx"
>>>>>    Sip-Group = "Dialin2"
>>>>>    Service-Type = Group-Check
>>>>>    NAS-IP-Address = 127.0.0.1
>>>>>    NAS-Port = 0
>>>>>Processing the authorize section of radiusd.conf
>>>>>modcall: entering group authorize for request 74
>>>>>modcall[authorize]: module "preprocess" returns ok for request 74
>>>>>modcall[authorize]: module "chap" returns noop for request 74
>>>>>modcall[authorize]: module "mschap" returns noop for request 74
>>>>>modcall[authorize]: module "digest" returns noop for request 74
>>>>>rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name =
>>>>>"1000 at xx.xx.xx.xx"
>>>>>rlm_realm: Found realm "xx.xx.xx.xx"
>>>>>rlm_realm: Adding Stripped-User-Name = "1000"
>>>>>rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx
>>>>>rlm_realm: Adding Realm = "xx.xx.xx.xx"
>>>>>rlm_realm: Authentication realm is LOCAL.
>>>>>modcall[authorize]: module "suffix" returns noop for request 74
>>>>>rlm_eap: No EAP-Message, not doing EAP
>>>>>modcall[authorize]: module "eap" returns noop for request 74
>>>>>users: Matched entry DEFAULT at line 152
>>>>>users: Matched entry DEFAULT at line 158
>>>>>modcall[authorize]: module "files" returns ok for request 74
>>>>>radius_xlat:  '1000'
>>>>>rlm_sql (sql): sql_set_user escaped user --> '1000'
>>>>>rlm_sql (sql): Released sql socket id: 0
>>>>>modcall[authorize]: module "sql" returns ok for request 74
>>>>>modcall: group authorize returns ok for request 74
>>>>>rad_check_password:  Found Auth-Type Digest
>>>>>auth: type "digest"
>>>>>Processing the authenticate section of radiusd.conf
>>>>>modcall: entering group authenticate for request 74
>>>>>ERROR: No Digest-Nonce: Cannot perform Digest authentication
>>>>>modcall[authenticate]: module "digest" returns invalid for request 74
>>>>>modcall: group authenticate returns invalid for request 74
>>>>>auth: Failed to validate the user.
>>>>>Delaying request 74 for 1 seconds
>>>>>Finished request 74
>>>>>Going to the next request
>>>>>--- Walking the entire request list ---
>>>>>Waking up in 1 seconds...
>>>>>--- Walking the entire request list ---
>>>>>Waking up in 1 seconds...
>>>>>--- Walking the entire request list ---
>>>>>Sending Access-Reject of id 15 to xx.xx.xx.xx:33025
>>>>>    Reply-Message = "Authenticated"
>>>>>Waking up in 4 seconds...
>>>>>--- Walking the entire request list ---
>>>>>Cleaning up request 74 ID 15 with timestamp 434f1121
>>>>>Nothing to do.  Sleeping until we see a request.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>Any help in this matter would be deeply appreciated,
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>Lenir 
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>_______________________________________________
>>>>>Serdev mailing list
>>>>>Serdev at iptel.org
>>>>>http://mail.iptel.org/mailman/listinfo/serdev
>>>>>
>>>>_______________________________________________
>>>>Serusers mailing list
>>>>Serusers at iptel.org
>>>>http://mail.iptel.org/mailman/listinfo/serusers
>>>>
>>>>
>>>>_______________________________________________
>>>>Serdev mailing list
>>>>Serdev at iptel.org
>>>>http://mail.iptel.org/mailman/listinfo/serdev
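The whole thread turns on one decision rule: group_radius sends an Access-Request with User-Name, Sip-Group and Service-Type = Group-Check, and radius_is_user_in() reports "member" when the server answers Access-Accept. A users-file policy that unconditionally sets Auth-Type := None for Group-Check therefore accepts every group name, which is why both xlog() lines fired for user 1000 even though usergroup puts that user in Dialin only. The following is an added example, not code from the thread, from OpenSER or from FreeRADIUS: a small Python model of that authorize decision over the usergroup and radgroupreply rows posted above, with the as-posted policy beside a constructed policy that compares the requested Sip-Group with the user's groups and rejects non-members, plus the AVP-based shortcut Tavis suggests. The names authorize_as_posted, authorize_membership, groups_from_avps and the two dataclasses are invented for the example, and FreeRADIUS operator handling for reply items ('=' versus ':=') is deliberately not modelled.

```python
"""Model of the FreeRADIUS authorize decision behind radius_is_user_in().

Constructed example: the table rows and the requests are the ones posted in
the thread; the policy functions and every identifier are assumptions made
here, not OpenSER or FreeRADIUS code.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Set, Tuple

# usergroup table as posted in the thread: (UserName, GroupName)
USERGROUP = [
    ("Jhassell", "Dialin"),
    ("Rneis", "Staticdial"),
    ("1000", "Dialin"),
    ("2000", "Dialin"),
    ("3000", "Dialin"),
    ("3000", "Dialin2"),
]

# radgroupreply table as posted in the thread: (GroupName, Attribute, Value)
RADGROUPREPLY = [
    ("Dialin", "Reply-Message", '"Authenticated by group Dialin"'),
    ("Dialin2", "Reply-Message", '"Authenticated by group Dialin2"'),
    ("Dialin", "SIP-AVP", "Sip-Group:Dialin"),
]


@dataclass(frozen=True)
class AccessRequest:
    user_name: str                  # e.g. "1000@xx.xx.xx.xx"
    service_type: str               # "Group-Check" for radius_is_user_in()
    sip_group: Optional[str] = None  # the group the proxy is asking about


@dataclass(frozen=True)
class AccessReply:
    code: str                                   # "Access-Accept" / "Access-Reject"
    avps: Tuple[Tuple[str, str], ...] = ()      # (Attribute, Value) reply items


def strip_realm(user_name: str) -> str:
    """rlm_realm in the trace turns "1000@xx.xx.xx.xx" into Stripped-User-Name "1000"."""
    return user_name.split("@", 1)[0]


def groups_of(user: str) -> Set[str]:
    return {g for (u, g) in USERGROUP if u == user}


def group_reply_items(user: str) -> Tuple[Tuple[str, str], ...]:
    """radgroupreply rows joined over usergroup, as the SQL in the trace does.
    Every group the user belongs to contributes, whatever Sip-Group was asked."""
    mine = groups_of(user)
    return tuple((attr, value) for (g, attr, value) in RADGROUPREPLY if g in mine)


def authorize_as_posted(req: AccessRequest) -> AccessReply:
    """The posted users-file policy:
        DEFAULT Service-Type == Group-Check, Auth-Type := None
    Auth-Type None accepts without checking anything, so the answer is
    Access-Accept no matter which Sip-Group the request carries."""
    if req.service_type != "Group-Check":
        raise NotImplementedError("only the Group-Check path is modelled")
    return AccessReply("Access-Accept", group_reply_items(strip_realm(req.user_name)))


def authorize_membership(req: AccessRequest) -> AccessReply:
    """Constructed policy: the server compares the requested Sip-Group with the
    user's usergroup rows and answers Access-Reject for non-members, which is
    the behaviour the thread expected for Dialin2."""
    if req.service_type != "Group-Check":
        raise NotImplementedError("only the Group-Check path is modelled")
    user = strip_realm(req.user_name)
    if req.sip_group is not None and req.sip_group in groups_of(user):
        return AccessReply("Access-Accept", group_reply_items(user))
    return AccessReply("Access-Reject")


def radius_is_user_in(user_name: str, group: str,
                      policy: Callable[[AccessRequest], AccessReply]) -> bool:
    """What the proxy-side check boils down to: Access-Accept means "member"."""
    reply = policy(AccessRequest(user_name, "Group-Check", group))
    return reply.code == "Access-Accept"


def groups_from_avps(reply: AccessReply) -> Set[str]:
    """The shortcut suggested in the thread: read the group names out of the
    SIP-AVP reply items of one request instead of sending one Group-Check per group."""
    return {value.split(":", 1)[1] for (attr, value) in reply.avps
            if attr == "SIP-AVP" and value.startswith("Sip-Group:")}


if __name__ == "__main__":
    for policy in (authorize_as_posted, authorize_membership):
        for group in ("Dialin", "Dialin2"):
            member = radius_is_user_in("1000@xx.xx.xx.xx", group, policy)
            print(f"{policy.__name__}: user 1000 in {group}? {member}")
```

With authorize_as_posted both calls for user 1000 come back True, reproducing the two "User is in Radius Group" log lines; with authorize_membership the Dialin2 request is rejected. The point to keep in mind when wiring this up for real is that the proxy never sees the group list, only Accept or Reject, so the membership decision has to be enforced on the RADIUS side; alternatively, as Tavis describes, return the groups as SIP-AVP values and test the AVP in the OpenSER script.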