Hi,
I am using FreeRADIUS 2.0.5 with MySQL. I am very new to RADIUS and
FreeRADIUS, so please pardon my ignorance.
I need to reject a user if his NAS-IP-Address input attribute does not match
the check attributes defined for his group.
For example, radgroupcheck:
| 1 | GROUP1 | NAS-IP-Address | == |
leopold wrote:
If the user is coming from NAS-IP-Address x.x.x.1, x.x.x.2 or x.x.x.3, the user
should be accepted and the reply attributes sent back.
If, however, the user is coming from NAS-IP-Address y.y.y.1, he should be
rejected (even in the case he provides a valid password and NAS y.y.y.1 is
The problem is that all the users are valid and the SQL module returns OK;
the reply-attribute list is empty, so I need to somehow reject the user.
I did some dirty workaround:
if (!reply:Service-Type) {
    # reply list does not contain Service-Type
    reject
}
See in the debug output: a valid user with a valid password comes from a wrong
NAS-IP-Address which does not belong to the check attributes of the user's group
++[sql] returns ok
That is wrong. If the group check fails, sql should return notfound. Check
your SQL entries again. Have you altered the default SQL queries?
Ivan,
Even with the default SQL query it returns OK, because the user is defined properly;
it is just that the check attributes of the group do not match.
I went to the code and I saw that the rlm_sql_process_groups function causes the
whole module to return OK even though the NAS-IP-Address attribute does not
match.
Note it
It seems that rlm_sql_process_groups in rlm_sql.c does not handle this
situation:
1. If paircompare fails in rlm_sql_process_groups, it should not return
found=1.
2. rlm_sql_authorize should handle the return code of rlm_sql_process_groups so
that, if it is not found, it actually returns notfound.
No, it should return notfound.
I can confirm this. If the check is put in the radcheck table the user will be
rejected, but if the check (that should fail) is put in the radgroupcheck table
the user is authenticated. That is not how things should work. It should
return notfound if there is no match in radgroupcheck too.
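As an added illustration, not FreeRADIUS code and not posted by anyone in this thread, a small Python model of the flow described in the two numbered points above and in the confirmation that follows them: with the reported behaviour a valid user from y.y.y.1 gets ok with an empty reply, and with the two proposed changes the module returns notfound. The group tuples, the function names and the treatment of several '==' rows as alternatives are assumptions of the model.

```python
# Toy model of the rlm_sql authorize flow discussed above. This is not
# FreeRADIUS code: the function names, the group tuples and the simplified
# paircompare semantics are assumptions made for illustration only.

def paircompare(request: dict, check: dict) -> bool:
    """True when every checked attribute is in the request and equals one of
    the allowed values. Several '==' rows for one attribute are treated as
    alternatives here, as the poster intends (an assumption of this model)."""
    return all(request.get(attr) in allowed for attr, allowed in check.items())

def process_groups(groups: list, request: dict, fixed: bool) -> tuple:
    """Return (found, reply) over (name, check, reply) group tuples. With
    fixed=False, membership alone sets found even when the group's check
    items do not match, so the reply list stays empty (reported 2.0.5 behaviour)."""
    found, reply = False, {}
    for _name, check, group_reply in groups:
        matched = paircompare(request, check)
        if matched:
            reply.update(group_reply)
        if matched or not fixed:   # fix 1: only a matching group counts as found
            found = True
    return found, reply

def authorize(groups: list, request: dict, fixed: bool) -> tuple:
    """Model of rlm_sql_authorize after the user's own radcheck rows passed:
    fixed=False ignores the group result and returns ok (as observed);
    fixed=True honours it and returns notfound (fix 2)."""
    found, reply = process_groups(groups, request, fixed)
    if found or not fixed:
        return "ok", reply
    return "notfound", reply

# Constructed data mirroring the thread: GROUP1 is valid from three NASes.
GROUP1 = ("GROUP1",
          {"NAS-IP-Address": {"x.x.x.1", "x.x.x.2", "x.x.x.3"}},
          {"Service-Type": "Framed-User"})

def demo() -> dict:
    good = {"User-Name": "bob", "NAS-IP-Address": "x.x.x.2"}
    bad = {"User-Name": "bob", "NAS-IP-Address": "y.y.y.1"}
    return {"good": authorize([GROUP1], good, fixed=True),
            "bad_buggy": authorize([GROUP1], bad, fixed=False),
            "bad_fixed": authorize([GROUP1], bad, fixed=True)}
```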