Posted

I'm setting up RADIUS.

I'm testing with radtest: it returns the parameters from radgroupreply, but not the ones from radreply. The debug output shows that it doesn't even read that table.

Why is that?

 

rad_recv: Access-Request packet from host 127.0.0.1 port 55588, id=70, length=98
User-Name = "10.230.51.15"
User-Password = "VasExperts.FastDPI"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0xb290d0abf4b714e3816e9ed04aa67282
# Executing section authorize from file /etc/freeradius/sites-enabled/sql
+group authorize {
[sql] 	expand: %{User-Name} -> 10.230.51.15
[sql] sql_set_user escaped user --> '10.230.51.15'
rlm_sql (sql): Reserving sql socket id: 12
[sql] 	expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '10.230.51.15'           ORDER BY id
[sql] 	expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = '10.230.51.15'           ORDER BY priority
[sql] 	expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'subscribers'           ORDER BY id
[sql] User found in group subscribers
[sql] 	expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'subscribers'           ORDER BY id
rlm_sql (sql): Released sql socket id: 12
++[sql] = ok
+} # group authorize = ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
# Executing section post-auth from file /etc/freeradius/sites-enabled/sql
+group post-auth {
[sql] 	expand: %{User-Name} -> 10.230.51.15
[sql] sql_set_user escaped user --> '10.230.51.15'
[sql] 	expand: %{User-Password} -> VasExperts.FastDPI
[sql] 	expand: INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '10.230.51.15',                           'VasExperts.FastDPI',                           'Access-Accept', '2017-07-17 20:01:28')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '10.230.51.15',                           'VasExperts.FastDPI',                           'Access-Accept', '2017-07-17 20:01:28')
rlm_sql (sql): Reserving sql socket id: 11
rlm_sql (sql): Released sql socket id: 11
++[sql] = ok
+} # group post-auth = ok
Sending Access-Accept of id 70 to 127.0.0.1 port 55588
Finished request 14.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 14 ID 70 with timestamp +661
Ready to process requests.

Posted (edited)

Is this what it outputs?

user@host:/etc/freeradius/mods-enabled# grep authreply_table sql
authreply_table = "radreply"

 

And something else to check (I haven't used it myself):

       # If set to 'yes' (default) we read the group tables unless Fall-Through = no in the reply table.
       # If set to 'no' we do not read the group tables unless Fall-Through = yes in the reply table.
#       read_groups = yes

       # If set to 'yes' (default) we read profiles unless Fall-Through = no in the groupreply table.
       # If set to 'no' we do not read profiles unless Fall-Through = yes in the groupreply table.
#       read_profiles = yes

Edited by snvoronkov
Posted

I thought it wasn't working because the FreeRADIUS was old; I upgraded to the latest version, and it's all the same :(

Is this what it outputs?

user@host:/etc/freeradius/mods-enabled# grep authreply_table sql
authreply_table = "radreply"

It outputs:

# grep authreply_table /etc/freeradius/3.0/mods-enabled/sql
       authreply_table = "radreply"

 

I figured out Fall-Through on the hundredth attempt; it has nothing to do with this, because the group replies are read after radreply, and Fall-Through has to be written in radreply, but radreply isn't being read...

Posted

Here is the log itself, but again there is not a single mention of radreply in it

(0) sql: EXPAND %{User-Name}
(0) sql:    --> 10.11.100.254
(0) sql: SQL-User-Name set to '10.11.100.254'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '10.11.100.254' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '10.11.100.254' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql:    --> SELECT groupname FROM radusergroup WHERE username = '10.11.100.254' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '10.11.100.254' ORDER BY priority
(0) sql: User found in the group table
(0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql:    --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'subscribers' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'subscribers' ORDER BY id
(0) sql: Group "subscribers": Conditional check items matched
(0) sql: Group "subscribers": Merging assignment check items
(0) sql:   Auth-Type := Accept
(0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql:    --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'subscribers' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'subscribers' ORDER BY id
(0) sql: Group "subscribers": Merging reply items
rlm_sql (sql): Released connection (1)
rlm_sql (sql): Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.23-MariaDB-9+deb9u1, protocol version 10
(0)     [sql] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: Auth-Type already set.  Not setting to PAP
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user

Posted

As a crazy idea, I specified the assignment operator (:=) in the check instead of comparison (==), and it started working.

Apparently I don't yet understand how and where to use them.

snvoronkov, thanks for the dialogue.

 

MariaDB [radius]> SELECT * FROM `radcheck`;
+----+---------------+--------------------+----+--------------------+
| id | username      | attribute          | op | value              |
+----+---------------+--------------------+----+--------------------+
|  1 | 10.11.100.254 | Cleartext-Password | := | VasExperts.FastDPI |
+----+---------------+--------------------+----+--------------------+
1 row in set (0.00 sec)

 

(0) sql: EXPAND %{User-Name}
(0) sql:    --> 10.11.100.254
(0) sql: SQL-User-Name set to '10.11.100.254'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '10.11.100.254' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '10.11.100.254' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql:   Cleartext-Password := "VasExperts.FastDPI"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '10.11.100.254' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '10.11.100.254' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql:    --> SELECT groupname FROM radusergroup WHERE username = '10.11.100.254' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '10.11.100.254' ORDER BY priority
(0) sql: User found in the group table
(0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql:    --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'subscribers' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'subscribers' ORDER BY id
(0) sql: Group "subscribers": Conditional check items matched
(0) sql: Group "subscribers": Merging assignment check items
(0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql:    --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'subscribers' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'subscribers' ORDER BY id
(0) sql: Group "subscribers": Merging reply items

Posted

As a crazy idea, I specified the assignment operator (:=) in the check instead of comparison (==), and it started working.

That's not crazy for 'Cleartext-Password'. That's exactly how it should be!

Just the other day I stepped on the same rake: I'm migrating a service from freeradius 1.x with "Password ==" attributes to freeradius 3.x

For the difference between the operators, see here:

https://wiki.freeradius.org/config/Operators

For a check attribute:

'==' is not a comparison; it means the attribute IS PRESENT AND it has THIS value. 'Cleartext-Password' does not occur in requests from BRASes in the wild. :-)

':=' is just the thing for 'Cleartext-Password'! It means the attribute has to be SET for the subsequent check.

  • 7 years later...
Posted (edited)

Apologies in advance for bumping a seven-year-old thread, but I ran into the same problem myself. If the radcheck table has no entry at all for the requested UserName, the SQL module simply does not read the radreply table, although the group attributes (provided the user is in radusergroup, of course) are still returned. The behavior is not obvious. FreeRADIUS Version 3.0.26

Edited by TeCHNoiD
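
An audit for the two conditions this thread identifies, as an added example (not FreeRADIUS code and not written by any poster here): it lists users whose radreply rows would not be returned, either because they have no radcheck row or because Cleartext-Password is stored with '=='. The sample rows, addresses and function names are constructed; the column names follow the queries in the debug logs, and SQLite stands in for MariaDB.

```python
import sqlite3

# Column names follow the SELECTs in the debug logs; all rows below are constructed.
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radreply (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
"""
SAMPLE_CHECK = [
    ("10.0.0.1", "Cleartext-Password", ":=", "example-secret"),  # set for the later check
    ("10.0.0.2", "Cleartext-Password", "==", "example-secret"),  # never present in a request
]
SAMPLE_REPLY = [
    ("10.0.0.1", "Framed-IP-Address", "=", "10.0.0.1"),
    ("10.0.0.2", "Framed-IP-Address", "=", "10.0.0.2"),
    ("10.0.0.3", "Framed-IP-Address", "=", "10.0.0.3"),  # user has no radcheck row at all
]

def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    insert = "INSERT INTO {} (username, attribute, op, value) VALUES (?,?,?,?)"
    db.executemany(insert.format("radcheck"), SAMPLE_CHECK)
    db.executemany(insert.format("radreply"), SAMPLE_REPLY)
    return db

def skipped_radreply_users(db):
    """Map username -> reason its radreply rows would not be read, per this thread."""
    findings = {}
    # Last post: radreply rows exist, but radcheck has nothing for the user.
    for (user,) in db.execute(
            "SELECT DISTINCT r.username FROM radreply r "
            "WHERE NOT EXISTS (SELECT 1 FROM radcheck c WHERE c.username = r.username)"):
        findings[user] = "no radcheck row"
    # Operator discussion: '==' requires the attribute to already be in the request.
    for (user,) in db.execute(
            "SELECT DISTINCT c.username FROM radcheck c "
            "JOIN radreply r ON r.username = c.username "
            "WHERE c.attribute = 'Cleartext-Password' AND c.op = '=='"):
        findings[user] = "Cleartext-Password uses '=='"
    return findings

if __name__ == "__main__":
    for user, reason in sorted(skipped_radreply_users(build_db()).items()):
        print(user, "->", reason)
```

The two SELECT statements can be run unchanged against the real radius database to find affected users.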
