Hi there,
here are the SQL and debug logs from radius.
mysql> select * from radusergroup;
+-------------------+-----------+----------+
| username          | groupname | priority |
+-------------------+-----------+----------+
| [email protected] | defgroup  |        1 |
| [email protected] | dynamic   |        1 |
+-------------------+-----------+----------+
mysql> select * from radcheck;
+-------+-------------------+----------------+----+------------------------------------+
| id    | username          | attribute      | op | value                              |
+-------+-------------------+----------------+----+------------------------------------+
| 72766 | [email protected] | Crypt-Password | := | $1$7l.zLR5h$8ahKvbTht98HuOHOXWI7v0 |
+-------+-------------------+----------------+----+------------------------------------+
mysql> select * from radreply;
Empty set (0.00 sec)
mysql> select * from radgroupcheck;
Empty set (0.00 sec)
mysql> select * from radgroupreply;
+----+-----------+-------------------+----+-----------------+
| id | groupname | attribute | op | value |
+----+-----------+-------------------+----+-----------------+
| 1 | defgroup | Framed-MTU | = | 1500 |
| 2 | defgroup | Service-Type | = | Framed-User |
| 3 | defgroup | Port-Limit | = | 1 |
| 7 | dynamic | Framed-IP-Netmask | = | 255.255.255.255 |
| 6 | dynamic | Framed-IP-Address | = | 255.255.255.254 |
+----+-----------+-------------------+----+-----------------+
rad_recv: Access-Request packet from host 127.0.0.1 port 60675, id=90, length=76
User-Name = "[email protected]"
User-Password = "xxx"
NAS-IP-Address = 10.10.11.95
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "mydomain.com" for User-Name = "[email protected]"
[suffix] No such realm "mydomain.com"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{User-Name} -> [email protected]
[sql] sql_set_user escaped user --> '[email protected]'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id ->
SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '[email protected]' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '[email protected]' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id ->
SELECT id, username, attribute, value, op FROM radreply
WHERE username = '[email protected]' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '[email protected]' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'[email protected]' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup
WHERE username = '[email protected]' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value,
op FROM radgroupcheck WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, Value, op FROM radgroupcheck WHERE
groupname = 'defgroup' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value,
op FROM radgroupcheck WHERE groupname =
'defgroup' ORDER BY id
[sql] User found in group defgroup
[sql] expand: SELECT id, groupname, attribute, value,
op FROM radgroupreply WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, value, op FROM radgroupreply WHERE
groupname = 'defgroup' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, value,
op FROM radgroupreply WHERE groupname =
'defgroup' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "xxx"
[pap] Using CRYPT encryption.
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 90 to 127.0.0.1 port 60675
Framed-MTU = 1500
Service-Type = Framed-User
Port-Limit = 1
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 90 with timestamp +12
Ready to process requests.
And also what does this line for item 5 in rlm_sql mean? What match is it
referring to?
If there is a match, the reply items for this group are pulled from the
radgroupreply table and applied.
thanks,
det
________________________________
From: Fajar A. Nugraha <[email protected]>
To: FreeRadius users mailing list <[email protected]>
Sent: Tuesday, August 23, 2011 1:35 PM
Subject: Re: RADIUS does not send reply for all groups the user is a member of
On Tue, Aug 23, 2011 at 12:23 PM, Det Det <[email protected]> wrote:
> Hi,
> user1 is a member of group1 and group2. Both group1 and group2 have replies
> in the radgroupreply table.
> When freeradius queries radusergroup, it will only get the first group the
> user is a member of and will proceed to get the reply attributes for that
> group as below.
> query1: SELECT groupname FROM radusergroup WHERE
> username = '[email protected]' ORDER BY priority
> query2: SELECT id, groupname, attribute, value, op FROM
> radgroupreply WHERE groupname = 'group1' ORDER BY id
> From the debug, it does not do this query:
> query3: SELECT id, groupname, attribute, value, op FROM
> radgroupreply WHERE groupname = 'group2' ORDER BY id
> Any idea why?
> I am very sure that query 1 returns more than one value (that is 2 groups,
> group1 and group2)
If you want more help, you need to provide more output from debug log,
and (possibly) what's in the radusergroup/radgroupcheck/radgroupreply.
In the meantime, see doc/rlm_sql. A snippet from that file:

5. For each group this user is a member of, the corresponding check items
   are pulled from radgroupcheck table and compared with the request. If
   there is a match, the reply items for this group are pulled from the
   radgroupreply table and applied.
6. Processing continues to the next group IF:
   a. There was not a match for the last group's check items OR
   b. Fall-Through was set in the last group's reply items
(The above is exactly the same as in the users file)
--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
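
The group walk described in items 5 and 6 of the doc/rlm_sql snippet above, as an added Python model; it is not part of the original messages and is not FreeRADIUS code. It loads the table rows shown in the thread (the user name is a constructed placeholder, and the Fall-Through row with id 99 is constructed) and shows which groups contribute reply items with and without Fall-Through set on defgroup.

```python
# Simplified model of rlm_sql steps 5 and 6 (added example, not FreeRADIUS code).
# Table contents mirror the mysql output in this thread; the user name is a
# constructed placeholder because the address is redacted on the page.
USER = "user@example.invalid"

RADUSERGROUP = [  # (username, groupname, priority)
    (USER, "defgroup", 1),
    (USER, "dynamic", 1),
]
RADGROUPCHECK = []  # empty, as in the thread: (groupname, attribute, value)
RADGROUPREPLY = [  # (id, groupname, attribute, op, value)
    (1, "defgroup", "Framed-MTU", "=", "1500"),
    (2, "defgroup", "Service-Type", "=", "Framed-User"),
    (3, "defgroup", "Port-Limit", "=", "1"),
    (7, "dynamic", "Framed-IP-Netmask", "=", "255.255.255.255"),
    (6, "dynamic", "Framed-IP-Address", "=", "255.255.255.254"),
]


def authorize_groups(request, usergroup, groupcheck, groupreply):
    """Return (reply dict, list of groups whose reply items were applied)."""
    reply, applied = {}, []
    # sorted() is stable, so rows with equal priority keep their table order
    # here; the real query gives no such guarantee for ties.
    groups = [g for u, g, _ in sorted(usergroup, key=lambda r: r[2])
              if u == request["User-Name"]]
    for group in groups:
        checks = [(a, v) for g, a, v in groupcheck if g == group]
        # Step 5: an empty check list matches every request.
        if not all(request.get(a) == v for a, v in checks):
            continue  # step 6a: no match, try the next group
        fall_through = False
        for _, g, attr, op, value in sorted(groupreply):  # ORDER BY id
            if g != group:
                continue
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            elif op == ":=" or attr not in reply:
                reply[attr] = value  # "=" only adds an attribute not yet set
        applied.append(group)
        if not fall_through:
            break  # step 6b: matched and no Fall-Through, stop here
    return reply, applied


def with_fall_through(groupreply, group):
    """Copy of groupreply plus a constructed Fall-Through row for `group`."""
    return groupreply + [(99, group, "Fall-Through", "=", "Yes")]
```

Without the extra row the model returns only the three defgroup attributes, matching the Access-Accept in the debug log; with it, the dynamic group's Framed-IP-Address and Framed-IP-Netmask are added as well.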