Greetings,
I have set up freeradius 0.7.1 using mySQL authentication. Everything
works, except that users who have a group aren't being rejected based on
group.
I have a group called nonprof that is restricted to 8am to 5pm
(Any0800-1700). Those in the group that are allowed to log in (using the
authorize_check_query/authorize_reply_query) should then be checked against
the Radius_Grp table to see if they are in a group and if so, the values
from Radius_Grp_Reply should work, but they seem to be ignored. I set up a
disabled group, with Auth-Type := reject and it ignores that group when I
try to get them to log in (ie it lets them in!).
Below are excerpts from my trace on the test server. If you need more
information, let me know, I will be happy to provide it.
From trace:
sql: sql_user_name = "%{Stripped-User-Name:-%{User-Name}}"
sql: authorize_check_query = "SELECT RID, username, attribute, password, op FROM
Radius LEFT JOIN Billing ON Radius.RID = Billing.BID LEFT JOIN Invoices_Include ON
Radius.IID = Invoices_Include.ID LEFT JOIN Services ON Services.ID =
Invoices_Include.service_ID LEFT JOIN Status on Status.ID = Invoices_Include.status_ID
WHERE username = '%{SQL-User-Name}' AND Status.active = 1 AND Services.dialup= 1 ORDER
BY RID"
sql: authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM Radius_Reply
WHERE UserName = '%{SQL-User-Name}' ORDER BY id"
sql: authorize_group_check_query = "SELECT
Radius_Grp_Check.ID,Radius_Grp_Check.groupname,Radius_Grp_Check.attribute,Radius_Grp_Check.value,Radius_Grp_Check.op
FROM Radius_Grp_Check,Radius_Grp WHERE Radius_Grp.username = '%{SQL-User-Name}' AND
Radius_Grp.groupname = Radius_Grp_Check.groupName ORDER BY Radius_Grp_Check.ID"
sql: authorize_group_reply_query = "SELECT
Radius_Grp_Reply.ID,Radius_Grp_Reply.groupname,Radius_Grp_Reply.attribute,Radius_Grp_Reply.value,Radius_Grp_Reply.op
FROM Radius_Grp_Reply,Radius_Grp WHERE Radius_Grp.username = '%{SQL-User-Name}' AND
Radius_Grp.groupname = Radius_Grp_Reply.GroupName ORDER BY Radius_Grp_Reply.ID"
sql: authenticate_query = "SELECT password,attribute FROM Radius LEFT JOIN
Billing on Radius.RID = Billing.BID LEFT JOIN Status on Billing.status_ID = Status.ID
LEFT JOIN Invoices_Include ON Radius.IID = Invoices_Include.ID LEFT JOIN Services ON
Services.ID = Invoices_Include.service_ID WHERE (username = '%{User-Name}' AND
Status.active = 1 AND Services.dialup = 1) AND ( attribute = 'User-Password' OR
attribute = 'Password' OR attribute = 'Crypt-Password' ) ORDER BY attribute DESC"
...
sql_set_user: escaped user --> 'eaglevillage'
radius_xlat: 'SELECT RID, username, attribute, password, op FROM Radius LEFT JOIN
Billing ON Radius.RID = Billing.BID LEFT JOIN Invoices_Include ON Radius.IID =
Invoices_Include.ID LEFT JOIN Services ON Services.ID = Invoices_Include.service_ID
LEFT JOIN Status on Status.ID = Invoices_Include.status_ID WHERE username =
'eaglevillage' AND Status.active = 1 AND Services.dialup= 1 ORDER BY RID'
rlm_sql: Reserving sql socket id: 4
radius_xlat: 'SELECT
Radius_Grp_Check.ID,Radius_Grp_Check.groupname,Radius_Grp_Check.attribute,Radius_Grp_Check.value,Radius_Grp_Check.op
FROM Radius_Grp_Check,Radius_Grp WHERE Radius_Grp.username = 'eaglevillage' AND
Radius_Grp.groupname = Radius_Grp_Check.groupName ORDER BY Radius_Grp_Check.ID'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM Radius_Reply WHERE UserName
= 'eaglevillage' ORDER BY id'
radius_xlat: 'SELECT
Radius_Grp_Reply.ID,Radius_Grp_Reply.groupname,Radius_Grp_Reply.attribute,Radius_Grp_Reply.value,Radius_Grp_Reply.op
FROM Radius_Grp_Reply,Radius_Grp WHERE Radius_Grp.username = 'eaglevillage' AND
Radius_Grp.groupname = Radius_Grp_Reply.GroupName ORDER BY Radius_Grp_Reply.ID'
radius_xlat: 'SELECT password,attribute FROM Radius LEFT JOIN Billing on Radius.RID =
Billing.BID LEFT JOIN Status on Billing.status_ID = Status.ID LEFT JOIN
Invoices_Include ON Radius.IID = Invoices_Include.ID LEFT JOIN Services ON Services.ID
= Invoices_Include.service_ID WHERE (username = 'eaglevillage' AND Status.active = 1
AND Services.dialup = 1) AND ( attribute = 'User-Password' OR attribute = 'Password'
OR attribute = 'Crypt-Password' ) ORDER BY attribute DESC'
rlm_sql: Released sql socket id: 4
modcall[authorize]: module "sql" returns ok
modcall: group authorize returns ok
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [eaglevillage] (from client flyer port 0)
--
William Ragsdale      http://www.netonecom.net
Server Administrator  Office Hours  NetOne Communications, Inc.
Work: 231-734-2917    10AM - 7PM    2186 US 10
FAX: 231-734-6395     Sears, MI 49679