Hello

I am currently trying to have my FreeRADIUS server check the "Service-Type" 
values, and reject Login attempts from a user that should be used for 
service-type Outbound only.

My client equipment always sends the "Service-Type" attribute in its requests. 
This attribute is defined in the check database, but debug mode says:

> Debug: rlm_checkval: Could not find attribute named Service-Type in check pairs

I really do not see what is wrong and why value checking is not done properly. 
It should find the attribute in the database and reject the request. Can you 
help me out?

Below are my radcheck table, the relevant parts of my radiusd.conf and the 
debug output.

mysql> select * from radcheck;
+----+----------+--------------+----+----------+
| id | UserName | Attribute    | op | Value    |
+----+----------+--------------+----+----------+
|  3 | admin    | Password     | == | cisco    |
|  5 | admin    | Service-Type | == | Outbound |
+----+----------+--------------+----+----------+


        checkval {
                item-name = Service-Type
                check-name = Service-Type
                data-type = string
                notfound-reject = yes
        }
# ...
authorize {
        preprocess
        chap
        suffix
        eap
        #files
        sql
        checkval
}
authenticate {
        Auth-Type PAP {
          pap
        }
        Auth-Type CHAP {
          chap
        }
        eap
}

rad_recv: Access-Request packet from host 10.10.107.68:1645, id=6, length=86
        NAS-IP-Address = 10.10.107.68
        NAS-Port = 500
        NAS-Port-Type = Virtual
        User-Name = "admin"
        Calling-Station-Id = "XXX.XXX.XXX.XXX"
        User-Password = "cisco"
        Service-Type = Login-User
Wed Aug 30 11:30:13 2006 : Debug:   Processing the authorize section of radiusd.conf
Wed Aug 30 11:30:13 2006 : Debug: modcall: entering group authorize for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modcall[authorize]: module "preprocess" returns ok for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: calling chap (rlm_chap) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: returned from chap (rlm_chap) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modcall[authorize]: module "chap" returns noop for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 1
Wed Aug 30 11:30:13 2006 : Debug:     rlm_realm: No '@' in User-Name = "admin", looking up realm NULL
Wed Aug 30 11:30:13 2006 : Debug:     rlm_realm: No such realm "NULL"
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: returned from suffix (rlm_realm) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modcall[authorize]: module "suffix" returns noop for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modcall[authorize]: module "eap" returns noop for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: calling sql (rlm_sql) for request 1
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat:  'admin'
Wed Aug 30 11:30:13 2006 : Debug: rlm_sql (sql): sql_set_user escaped user --> 'admin'
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'admin' ORDER BY id'
Wed Aug 30 11:30:13 2006 : Debug: rlm_sql (sql): Reserving sql socket id: 3
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'admin' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'admin' ORDER BY id'
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'admin' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
Wed Aug 30 11:30:13 2006 : Debug: rlm_sql (sql): Released sql socket id: 3
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: returned from sql (rlm_sql) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modcall[authorize]: module "sql" returns ok for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: calling checkval (rlm_checkval) for request 1
Wed Aug 30 11:30:13 2006 : Debug: rlm_checkval: Item Name: Service-Type, Value: Login-User
Wed Aug 30 11:30:13 2006 : Debug: rlm_checkval: Could not find attribute named Service-Type in check pairs
Wed Aug 30 11:30:13 2006 : Debug:   modsingle[authorize]: returned from checkval (rlm_checkval) for request 1
Wed Aug 30 11:30:13 2006 : Debug:   modcall[authorize]: module "checkval" returns notfound for request 1
Wed Aug 30 11:30:13 2006 : Debug: modcall: group authorize returns ok for request 1
Wed Aug 30 11:30:13 2006 : Debug: auth: type Local
Wed Aug 30 11:30:13 2006 : Debug: auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 6 to 10.10.107.68:1645
        Cisco-AVPair += "ipsec:tunnel-password=admin123"
        Cisco-AVPair == "ipsec:addr-pool=admin"
        Cisco-AVPair == "ipsec:inacl=admin"
        Service-Type == Outbound-User
        Cisco-AVPair += "shell:priv-lvl=0"
        Cisco-AVPair += "ipsec:key-exchange=ike"
        Cisco-AVPair += "ipsec:key-exchange=preshared-key"
        Tunnel-Type:0 == ESP
Wed Aug 30 11:30:13 2006 : Debug: Finished request 1
Wed Aug 30 11:30:13 2006 : Debug: Going to the next request

Thanks for your help!

G.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
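Editor's added example, not part of the original post and not FreeRADIUS's own code: the Service-Type check item as it would be stored in the radcheck table shown above. Service-Type is an integer attribute whose values are named in the RADIUS dictionary, so a check pair has to carry a name the dictionary knows; the name the server itself prints for the attribute in the Access-Accept above is Outbound-User, whereas the radcheck row holds the bare word Outbound. One thing worth checking is whether that row is being turned into a check pair at all. The table layout, the user name and the MySQL prompt are taken from the post; everything else here is assumed.

```sql
-- Editor's added example (assumption: the radcheck layout shown in the
-- post, id/UserName/Attribute/op/Value, on MySQL).

-- Service-Type is an integer attribute; its values are named in the RADIUS
-- dictionary. The spelling the server prints in the Access-Accept above is
-- Outbound-User, so that is the value a check item needs to carry.
UPDATE radcheck
   SET Value = 'Outbound-User'
 WHERE UserName = 'admin'
   AND Attribute = 'Service-Type'
   AND op = '==';

-- Re-read the user's check items in the same order rlm_sql fetches them
-- (the radcheck query in the debug output orders by id).
SELECT id, UserName, Attribute, op, Value
  FROM radcheck
 WHERE UserName = 'admin'
 ORDER BY id;
```

On the module side, rlm_checkval's data-type setting accepts string, integer or ipaddr; for an integer attribute such as Service-Type the integer form compares the dictionary values rather than their spelling. A request carrying Service-Type = Login-User, like the one in the debug output, then no longer matches a check item of Outbound-User.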