Re: fail-over configration

[baffy200y]

Thanks for your reply. Alan.

You showed the follow process.

  1.Checking users file
If the User-Name is not found, go to Checking SQL(Mysql) DataBase.
   Check the Calling-Station-Id.
  if the Calling-Station-Id is correct, continue to authenticate
  if the Calling-Station-Id is incorrect,reject the user.
 
  2.Checking SQL(Mysql) DataBase.
If the User-Name is not found, reject the user.
  
   Check the Calling-Station-Id.
  if the Calling-Station-Id is correct, continue to authenticate
  if the Calling-Station-Id is incorrect,reject the user.
 
   In authenticate, check the User-password.  If correct, the user is
 authenticated.
  if the User-Password is incorrect,reject the user

Then, I have a question.

What means, the User-Name is not found?
I thought the User-Name value in resquest is not found in users file.
But the freeradius does not operate such.
It looks like follow.

case 1 (this case is OK(found!))
  User-Name(value) in Users file equals User-Name(value) in Access-Request.
  and
  User-Password(value) in Users file equals User-Password(value) in
  Access-Request.
  and
  Calling-Station-Id(value) in Users file equals Calling-Station-Id(value) in
  Access-Request.

case 2 (this case is not found)
  User-Name(value) in Users file equals User-Name(value) in Access-Request.
  and
  User-Password(value) in Users file do not equal User-Password(value) in
  Access-Request.
  and
  Calling-Station-Id(value) in Users file equals Calling-Station-Id(value) in
  Access-Request.

case 3 (this case is not found)
  User-Name(value) in Users file equals User-Name(value) in Access-Request.
  and
  User-Password(value) in Users file equals User-Password(value) in
  Access-Request.
  and
  Calling-Station-Id(value) in Users file do not equal Calling-Station-Id(value)
  in  Access-Request.

case 4 (this case is not found)
  User-Name(value) in Users file equals User-Name(value) in Access-Request.
  and
  User-Password(value) in Users file do not equal User-Password(value) in
  Access-Request.
  and
  Calling-Station-Id(value) in Users file do not equal Calling-Station-Id(value)
  in  Access-Request.

Does The User-Name is not found mean what all the radius attributes that
should be compared are matched?, not only the User-Name value does not matched?
IF that is right, does checking the User-Password in authenticate always succeed?

--
Access-Request:
 User-Name = testusr
 User-Password = usrpass00
 NAS-Port = 1
 NAS-IP-Address = 192.168.100.20
 Framed-Protocol = PPP
 Service-Type = Framed-User
 NAS-Port-Type = ISDN
 Calling-Station-Id = 0123456789

--
Users file:
testusr Auth-Type := Local, User-Password == usrpass, Calling-Station-Id 
==0123456789
User-Service = Framed-User ,
Framed-Protocol = PPP ,
Framed-IP-Address = 10.0.0.1 ,
Framed-IP-Netmask = 255.255.255.255 ,
Ascend-Idle-Limit = 600 ,
Ascend-Data-Filter = ip in forward dstip 10.0.1.0/24 ,
Ascend-Data-Filter += ip in forward dstip 172.16.1.0/24 ,
Ascend-Data-Filter += ip in drop dstip 0.0.0.0 ,
Ascend-Data-Filter += ip out forward


sorry for my poor english
regards


-- 
baffy200y [EMAIL PROTECTED]


__
Do You Yahoo!?
http://bb.yahoo.co.jp/


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: fail-over configration

[Alan DeKok]

baffy200y [EMAIL PROTECTED] wrote:
 1.Checking users file
   If the User-Name is found,check the User-Password.

  The server can't do that.  The authorize section doesn't do any
authentication.

  I would re-write your request as:

 1.Checking users file
   If the User-Name is not found, go to Checking SQL(Mysql) DataBase.
  Check the Calling-Station-Id.
 if the Calling-Station-Id is correct, continue to authenticate
 if the Calling-Station-Id is incorrect,reject the user.

 2.Checking SQL(Mysql) DataBase.
   If the User-Name is not found, reject the user.
 
  Check the Calling-Station-Id.
 if the Calling-Station-Id is correct, continue to authenticate
 if the Calling-Station-Id is incorrect,reject the user.

  In authenticate, check the User-password.  If correct, the user is
authenticated.
 if the User-Password is incorrect,reject the user


  The server can do this.  See doc/configurable_failover for how to
configure the authorize section to do check files, if not found,
check sql.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

fail-over configration

[baffy200y]

Hi,all.
(B
(BI want to set up freeradius which use users file and sql database for
(Buser authenticating.
(B
(BBut I can not set up well.
(BCan I set up freeradius as follow?
(B
(B
(B1.Checking users file
(B  If the User-Name is found,check the User-Password.
(B if the User-Password is correct,check the Calling-Station-Id.
(Bif the Calling-Station-Id is correct,the user is authenticated.
(Bif the Calling-Station-Id is incorrect,reject the user.
(B if the User-Password is incorrect,reject the user
(B  If the User-Name is not found, go to "Checking SQL(Mysql) DataBase."
(B
(B2.Checking SQL(Mysql) DataBase.
(B
(B  If the User-Name is found,check the User-Password.
(B if the User-Password is correct,check the Calling-Station-Id.
(Bif the Calling-Station-Id is correct,the user is authenticated.
(Bif the Calling-Station-Id is incorrect,reject the user.
(B if the User-Password is incorrect,reject the user
(B  If the User-Name is not found, reject the user.
(B
(BMy image process figure
(B--
(B   Start
(B |
(B+++
(B| |user found
(B|  users  +---+
(B|  file   |   |
(B+++   |
(B |user not found  |
(B ||
(B ||
(B+++   |
(B| |user found |
(B|   sql   +---+
(B| (MySql) |   |
(B+++   |
(B |user not found +++
(B |   | |false
(B  reject | Password+-reject
(B | check   |
(B +++
(B  |ok
(B  |
(B ++---+
(B | Calling-   |false
(B | Station-Id +--reject
(B | check  |
(B ++---+
(B  |ok
(B  |
(B user authenticated
(B 
(Bfigure 1
(B--
(B
(Bmy authorize section in radiusd.conf is below
(B--
(Bauthorize {
(Bpreprocess
(Bgroup {
(Bfiles   {
(Bok = return
(B}
(Bsql {
(Bok = return
(B}
(B}
(B}
(B
(Bmy users file
(B--
(Btest Auth-Type := Local, User-Password == "test", Calling-Station-Id=="00"
(B User-Service = Framed-User ,
(B Framed-Protocol = PPP ,
(B Framed-IP-Address = 10.0.0.1 ,
(B Framed-IP-Netmask = 255.255.255.255
(B
(B
(BResult I tested.
(B--
(B  |User-Name|User-Password|Calling-Station-Id|
(B--+-+-+--+
(B   (1)|$B!{(B   | $B!_(B  |   -  | 
(B--+-+-+--+
(B   (2)|$B!{(B   | $B!{(B  |   $B!_(B | 
(B--+-+-+--+
$B!{(B:correct
$B!_(B:incorrect
(B
(BCase (1)
(B files(rlm_files) returns notfound but reject.
(B and sql db has been checked.
(B and group returns notfound but reject.
(B
(Bcase (2)
(B files(rlm_files) returns notfound but reject.
(B and sql db has been checked.
(B and group returns notfound but reject.
(B
(B
(B
(B
(B
(Bsorry for my poor english
(Bregards
(B
(B-- 
(Bbaffy200y [EMAIL PROTECTED]
(B
(B__
(BDo You Yahoo!?
(Bhttp://bb.yahoo.co.jp/
(B
(B
(B- 
(BList info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html