Hi,
I'm trying to understand the semantics of the += users file operator.
I'd like to use it to select a particular DEFAULT entry based on a
locally-defined dictionary attribute, as follows...
#
# V.90 dial-up user
#
# ES-Default-ID and V90LocalUser are defined in a local dictionary
#
lerxst Crypt-Password == "KSi8a3j4oasdi", ES-Default-ID += V90LocalUser
	Filter-Id = 7,
	Fall-Through = yes
#
# Default entry for V.90 dial-up users
#
DEFAULT ES-Default-ID == V90LocalUser
	Framed-IP-Address = 0.0.0.0,
	Framed-IP-Netmask = 255.255.255.255,
	Framed-Protocol = PPP
When I test with a users file like this, FreeRADIUS returns the reply
items from the user-specific entry, but it does not trigger the
DEFAULT entry. If I add ES-Default-ID = V90LocalUser to the original
request, the DEFAULT entry triggers.
Am I using the += operator incorrectly? The users(5) man page states
that the += operator "... adds the current attribute with value to the
list of configuration items." Other documents -- notably aaa.txt --
reference the fact that radiusd builds separate lists for check items
and configure items. Is += adding the ES-Default-ID attribute to a
list which the DEFAULT entry cannot check?
If += cannot be used this way, can anyone recommend a way of
accomplishing the same behavior? I have users with many different
classes of service and I want to create a DEFAULT entry for each class
which the user-specific entry references when authenticating.
I'm running FreeRADIUS 0.8.1 and using a vanilla users file (i.e., no
SQL or LDAP database). I've included below (1) my radiusd.conf (with
comments and whitespace removed for brevity), (2) my local dictionary
file, and (3) a transcript of running radiusd with -X.
Thanks!
Ken Maupin
EasyStreet Online Services
________________________________________
radiusd.conf
________________________________________
prefix = /usr/local/freeradius-0.8.1
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/radius
raddbdir = /usr/local/etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
$INCLUDE ${confdir}/clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
files {
usersfile = ${confdir}/users
compat = no
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
}
instantiate {
}
authorize {
preprocess
files
}
authenticate {
}
preacct {
preprocess
files
}
accounting {
}
session {
}
post-auth {
}
________________________________________
Local dictionary
________________________________________
VENDOR EasyStreet 2724
ATTRIBUTE ES-Default-ID 1 integer EasyStreet
VALUE ES-Default-ID V90LocalUser 1
________________________________________
radiusd -X output
________________________________________
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/freeradius/clients.conf
main: prefix = "/usr/local/freeradius-0.8.1"
main: localstatedir = "/usr/local/freeradius-0.8.1/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/local/freeradius-0.8.1/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/freeradius-0.8.1/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/freeradius-0.8.1/sbin/checkrad"
main: proxy_requests = yes
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/freeradius-0.8.1/lib
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/freeradius/huntgroups"
preprocess: hints = "/usr/local/etc/freeradius/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
files: usersfile = "/usr/local/etc/freeradius/users"
files: acctusersfile = "/usr/local/etc/freeradius/acct_users"
files: preproxy_usersfile = "/usr/local/etc/freeradius/preproxy_users"
files: compat = "no"
auth_type_fixup: Auth-Type [1000]
auth_type_fixup: User-Password [2]
auth_type_fixup: ES-Default-ID [178520065]
Module: Instantiated files (files)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32803, id=7, length=46
User-Name = "lerxst"
User-Password = "alex"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
users: Matched lerxst at 4
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 7 to 127.0.0.1:32803
Filter-Id = "7"
Finished request 0
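A toy model of the users-file walk the post describes, added here as an illustration and not taken from FreeRADIUS or from the poster. It assumes the behaviour the post suspects (a check-line += item is added to the entry's configuration items and never to the request, so a later DEFAULT's == checks cannot see it), honours Fall-Through, and leaves password verification to the authenticate stage.

```python
# Added illustration for this thread, not FreeRADIUS source: a toy model of
# how the users file is walked, under the assumption the post raises, namely
# that a check-line "+=" item goes to the entry's configuration items and
# never into the request, so a later DEFAULT's "==" checks cannot see it.
from dataclasses import dataclass

# Password check items are verified by the authenticate stage, not here.
PASSWORD_ITEMS = {"Crypt-Password", "User-Password"}

@dataclass
class Entry:
    name: str            # "lerxst" or "DEFAULT"
    check: list          # [(attribute, operator, value), ...]
    reply: dict          # reply items, may include "Fall-Through"

def entry_matches(entry, request):
    """Name must fit and every '==' check item must be present in the request."""
    if entry.name != "DEFAULT" and entry.name != request.get("User-Name"):
        return False
    for attr, op, value in entry.check:
        if attr in PASSWORD_ITEMS:
            continue
        if op == "==" and request.get(attr) != value:
            return False
    return True

def evaluate(users, request):
    """Return (names of matched entries, merged reply items, configuration items)."""
    matched, reply, config = [], {}, {}
    for entry in users:
        if not entry_matches(entry, request):
            continue
        matched.append(entry.name)
        for attr, op, value in entry.check:
            if op == "+=":   # configuration item; the request is untouched
                config.setdefault(attr, []).append(value)
        reply.update({k: v for k, v in entry.reply.items() if k != "Fall-Through"})
        if entry.reply.get("Fall-Through") != "yes":
            break            # no Fall-Through: stop at the first match
    return matched, reply, config

# The two entries from the post (password value copied as an opaque string).
USERS = [
    Entry("lerxst",
          [("Crypt-Password", "==", "KSi8a3j4oasdi"), ("ES-Default-ID", "+=", "V90LocalUser")],
          {"Filter-Id": "7", "Fall-Through": "yes"}),
    Entry("DEFAULT",
          [("ES-Default-ID", "==", "V90LocalUser")],
          {"Framed-IP-Address": "0.0.0.0", "Framed-IP-Netmask": "255.255.255.255",
           "Framed-Protocol": "PPP"}),
]
```

Running `evaluate(USERS, {"User-Name": "lerxst"})` matches only the user entry and replies with Filter-Id, while adding ES-Default-ID to the request makes DEFAULT match too, mirroring what the -X transcript shows.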