LinuxQuestions.org


Schurrly 02-26-2010 09:57 PM

Having problems with FreeRADIUS and MySQL Group Check Auths
 
I recently set up a FreeRADIUS 2 server with MySQL, and I am having an issue where it doesn't appear to be doing group checks.

If I have a user set to a group it doesn't appear to check the attributes set in that group:

+----+----------+--------------+----+------------------------------------------+
| id | username | attribute    | op | value                                    |
+----+----------+--------------+----+------------------------------------------+
| 15 | user1    | SHA-Password | := | 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 |
+----+----------+--------------+----+------------------------------------------+
1 row in set (0.00 sec)

mysql> select * from radusergroup where username = 'user1';
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| user1    | admin     |        1 |
+----------+-----------+----------+
1 row in set (0.00 sec)

mysql> select * from radgroupcheck where groupname = 'admin';
+----+-----------+----------------+----+--------+
| id | groupname | attribute      | op | value  |
+----+-----------+----------------+----+--------+
|  3 | admin     | NAS-Identifier | == | Adtran |
+----+-----------+----------------+----+--------+
1 row in set (0.00 sec)


If I understand correctly, the following request should be denied because the NAS-Identifier in the request doesn't match the one specified in the groupcheck table. However, it is replying with Access-Accept.



rad_recv: Access-Request packet from host 64.185.12.105 port 7458, id=61, length=56
User-Name = "user1"
User-Password = "password"
NAS-Identifier = "Zhone MxK"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> user1
rlm_sql (sql): sql_set_user escaped user --> 'user1'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user1' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user1' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'user1' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'user1' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'user1' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'user1' ORDER BY priority
expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing SHA-Password from hex encoding
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "password"
rlm_pap: Using SHA1 encryption.
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [user1/password] (from client lab-mxk-1 port 0)
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
expand: %{User-Name} -> user1
rlm_sql (sql): sql_set_user escaped user --> 'user1'
expand: %{User-Password} -> password
expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user1', 'password', 'Access-Accept', '2010-02-24 10:56:24')
expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user1', 'password', 'Access-Accept', '2010-02-24 10:56:24')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user1', 'password', 'Access-Accept', '2010-02-24 10:56:24')
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 61 to 64.185.12.105 port 7458
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 61 with timestamp +9
Ready to process requests.


Any help would be greatly appreciated.

Thanks,
Craig
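
A small checker for the situation described in the post, added here as an illustration (it is not part of the original post and not FreeRADIUS code): it parses the debug lines, compares the request with the radgroupcheck rows shown above, and reports when an Access-Accept was sent despite a non-matching `==` group check item. It also flags that the radpostauth INSERT carries the submitted password. The function names are hypothetical and the log text is an excerpt of the debug output in the post.

```python
import re

# Excerpt of the debug output posted above (request 0, id=61).
SAMPLE_LOG = """\
User-Name = "user1"
User-Password = "password"
NAS-Identifier = "Zhone MxK"
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id
++[sql] returns ok
rlm_sql_mysql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user1', 'password', 'Access-Accept', '2010-02-24 10:56:24')
Sending Access-Accept of id 61 to 64.185.12.105 port 7458
"""
# radgroupcheck rows from the post: (groupname, attribute, op, value)
GROUP_CHECK = [("admin", "NAS-Identifier", "==", "Adtran")]

ATTR_RE = re.compile(r'^\s*([A-Za-z][\w-]*) = "(.*)"\s*$')
GROUP_Q_RE = re.compile(r"query: SELECT .* FROM radgroupcheck WHERE groupname = '([^']*)'")
POSTAUTH_RE = re.compile(r"query: INSERT INTO radpostauth .* VALUES \( '[^']*', '([^']*)'")
SENT_RE = re.compile(r"^Sending (Access-\w+) of id \d+")

def parse_debug(text):
    """Collect request attributes, groups queried, logged password and final reply."""
    req = {"attrs": {}, "groups": [], "postauth_pass": None, "decision": None}
    for line in text.splitlines():
        if m := ATTR_RE.match(line):
            req["attrs"][m.group(1)] = m.group(2)
        elif m := GROUP_Q_RE.search(line):
            req["groups"].append(m.group(1))
        elif m := POSTAUTH_RE.search(line):
            req["postauth_pass"] = m.group(1)
        elif m := SENT_RE.match(line):
            req["decision"] = m.group(1)
    return req

def findings(text, rows):
    """Report accepts that contradict '==' group check items (the only operator handled)."""
    req, out = parse_debug(text), []
    for group, attr, op, want in rows:
        got = req["attrs"].get(attr)
        if group in req["groups"] and op == "==" and got != want \
                and req["decision"] == "Access-Accept":
            out.append(f"Access-Accept sent, but {group}: {attr} == {want!r} "
                       f"does not match request value {got!r}")
    pw = req["attrs"].get("User-Password")
    if pw is not None and req["postauth_pass"] == pw:
        out.append("radpostauth INSERT carries the submitted User-Password in cleartext")
    return out

if __name__ == "__main__":
    for f in findings(SAMPLE_LOG, GROUP_CHECK):
        print(f)
```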

