This is a discussion on Re: FR not honoring AutzType within the FreeRADIUS Users forums, part of the Networking and Network Related category.
Sam Schultz wrote:

> radiusd.conf, authorize block:
>
> Autz-Type SQL-BOGUS {
>     sql-bogus
> }
>
> radiusd.conf, authenticate block:
>
> Auth-Type SQL-BOGUS {
>     sql-bogus
> }

Both of these are incomplete. The latter is almost certainly not valid - rlm_sql doesn't have an "authenticate" handler, so can't sensibly run during the "authenticate" block. You need to add config items e.g. User-Password to the request and run a different module e.g. PAP, mschap to run the authentication.

> hints:
>
> DEFAULT Prefix == "BOGUS\", Strip-User-Name = Yes
>         Hint = "MIE Login",
>         Service-Type = Framed-User,
>         Autz-Type := SQL-BOGUS,
>         Auth-Type := SQL-BOGUS

Both wrong. Autz-Type and Auth-Type are configuration items and therefore get set on the first line of a "users" entry. Since this is a "hints" file you've added them to the request items here (which is meaningless). You also shouldn't set Auth-Type (and anyway are setting it to a meaningless value, see above).

> users:
>
> DEFAULT Realm == "bogus", Autz-Type := SQL-BOGUS

This should work, but you've removed "files" from your "authorize" section so it's not running - hence it breaks.

> mysql bogus realms' radcheck table:
>
> +----+----------+---------------+----+----------+
> | id | UserName | Attribute     | op | Value    |
> +----+----------+---------------+----+----------+
> |  6 | user     | User-Password | == | password |
> |  7 | user     | Auth-Type     | := | Local    |
> +----+----------+---------------+----+----------+

Don't use "==" for User-Password. Use :=

> radiusd -X -A (snippet 1, module instantiation):
>
> rlm_sql (sql-bogus): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
> rlm_sql (sql-bogus): Attempting to connect to root@localhost:/radius
> rlm_sql (sql-bogus): starting 0
> rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #0
> rlm_sql (sql-bogus): Connected new DB handle, #0
> rlm_sql (sql-bogus): starting 1
> rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #1
> rlm_sql (sql-bogus): Connected new DB handle, #1
> rlm_sql (sql-bogus): starting 2
> rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #2
> rlm_sql (sql-bogus): Connected new DB handle, #2
> rlm_sql (sql-bogus): starting 3
> rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #3
> rlm_sql (sql-bogus): Connected new DB handle, #3
> rlm_sql (sql-bogus): starting 4
> rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #4
> rlm_sql (sql-bogus): Connected new DB handle, #4
> Module: Instantiated sql (sql-bogus)
>
> radiusd -X -A (snippet 2, module *NOT* getting used):
>
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> rlm_realm: Looking up realm "bogus" for User-Name = "bogus\user"
> rlm_realm: Found realm "bogus"
> rlm_realm: Adding Stripped-User-Name = "user"
> rlm_realm: Proxying request from user user to realm bogus
> rlm_realm: Adding Realm = "bogus"
> rlm_realm: Authentication realm is LOCAL.
> modcall[authorize]: module "ntdomain" returns noop for request 0
> rlm_eap: EAP packet type response id 0 length 15
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> modcall: leaving group authorize (returns updated) for request 0

Note, no: module "files" ... hence your entry in the "users" file is not being processed and, as discussed, your entry in the "hints" file is formatted wrong.

> NOTE: My module order, and the fact that radius found the "bogus"
> realm means that there should be SQL auth lines appearing
> immediately after the "mschap returns noop" line. They don't show
> up, which means FR either wasn't seeing Autz-Type at that point, or
> some other module changed it.

I disagree. I think you've broken your configuration. The details you've posted above are clearly incomplete so I can only guess. Please post your actual, full configs - not extracts - and your actual full debug output - not extracts.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
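As an added example (not code from the thread or from the FreeRADIUS project), a small Python linter for the two configuration mistakes the reply points out: Autz-Type/Auth-Type placed among the reply items of a users/hints entry instead of on its first (check-item) line, and a radcheck User-Password row using "==" instead of ":=". It assumes the simple "Attribute op value" entry syntax of the quoted files; the sample entries and rows are copied from the quoted post.

```python
import re

# Check items that belong on the first line of a users/hints entry.
CONTROL_ITEMS = {"Auth-Type", "Autz-Type"}

# "Attribute op value", value either quoted or a bare token; items are comma-separated.
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=|\+=)\s*("[^"]*"|\S+?)(?=\s*,|\s*$)')

# Sample entries, copied from the quoted post (constructed test input).
HINTS_ENTRY = r'''
DEFAULT Prefix == "BOGUS\", Strip-User-Name = Yes
        Hint = "MIE Login",
        Service-Type = Framed-User,
        Autz-Type := SQL-BOGUS,
        Auth-Type := SQL-BOGUS
'''
USERS_ENTRY = 'DEFAULT Realm == "bogus", Autz-Type := SQL-BOGUS\n'
# (UserName, Attribute, op, Value) rows as in the quoted radcheck table.
RADCHECK_ROWS = [("user", "User-Password", "==", "password"),
                 ("user", "Auth-Type", ":=", "Local")]


def parse_users_entry(text):
    """Split one users/hints entry into (name, check_items, reply_items).

    The first line carries the entry name plus the check items; indented
    continuation lines carry the reply items. Items are (attr, op, value).
    """
    lines = [l for l in text.strip("\n").splitlines() if l.strip()]
    name, _, check_text = lines[0].partition(" ")
    check = [m.groups() for m in ITEM_RE.finditer(check_text)]
    reply = []
    for line in lines[1:]:
        reply.extend(m.groups() for m in ITEM_RE.finditer(line.strip().rstrip(",")))
    return name, check, reply


def lint_users_entry(text):
    """Flag control items (Auth-Type, Autz-Type) that ended up as reply items."""
    name, _, reply = parse_users_entry(text)
    return [f"{attr} is a check item; move it to the first line of '{name}'"
            for attr, _, _ in reply if attr in CONTROL_ITEMS]


def lint_radcheck(rows):
    """Flag User-Password rows whose operator is not ':='."""
    return [f"{user}: User-Password uses '{op}', use ':='"
            for user, attr, op, _ in rows if attr == "User-Password" and op != ":="]
```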