Hi Folks,
I've been testing SER 0.8.14 Auth and ACC (radiusclient-0.4.4) in radius (freeradius 1.0.1) and it's working fine. Now I tried to use group_radius module to check if a user is in a specific group and it failed. First I received an error about missing "Sip-Group" attribute and I found a mail about this error and how to correct it (http://lists.iptel.org/pipermail/serdev/2004-July/002339.html). Now SER doesn't return any error, just
radius_is_user_in(): Failure
after a long time.
I have a user "1213" in group "general" on radius database like this:
mysql> select * from radgroupcheck;
+----+-----------+-----------+----+--------+
| id | GroupName | Attribute | op | Value  |
+----+-----------+-----------+----+--------+
|  1 | general   | Auth-Type | := | Digest |
+----+-----------+-----------+----+--------+

mysql> select * from radcheck;
+----+----------+---------------+----+----------+
| id | UserName | Attribute     | op | Value    |
+----+----------+---------------+----+----------+
|  2 | 1213     | User-Password | == | testonly |
+----+----------+---------------+----+----------+

mysql> select * from usergroup;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  1 | 1213     | general   |
+----+----------+-----------+

mysql> select * from radgroupreply;
+----+-----------+---------------+----+------------+------+
| id | GroupName | Attribute     | op | Value      | prio |
+----+-----------+---------------+----+------------+------+
|  3 | general   | Reply-Message | =  | Authorized |    0 |
+----+-----------+---------------+----+------------+------+
I googled this but I couldn't find anything about that. Am I missing something? Thanks in advance.
Try to see what is going on in the radius server, if you are using freeradius then start it with -X cmdline option.
Jan.
On 05-10 23:08, Rodrigo P. Telles wrote:
> Hi Folks,
>
> I've been testing SER 0.8.14 Auth and ACC (radiusclient-0.4.4)
> in radius (freeradius 1.0.1) and it's working fine.
> Now I tried to use group_radius module to check if a user is in a specific
> group and it failed.
> First I received an error about missing "Sip-Group" attribute and I found a mail
> about this error and how to correct it
> (http://lists.iptel.org/pipermail/serdev/2004-July/002339.html).
> Now SER doesn't return any error, just
>
> radius_is_user_in(): Failure
>
> after a long time.
>
> I have a user "1213" in group "general" on radius database like this:
>
> mysql> select * from radgroupcheck;
> +----+-----------+-----------+----+--------+
> | id | GroupName | Attribute | op | Value  |
> +----+-----------+-----------+----+--------+
> |  1 | general   | Auth-Type | := | Digest |
> +----+-----------+-----------+----+--------+
>
> mysql> select * from radcheck;
> +----+----------+---------------+----+----------+
> | id | UserName | Attribute     | op | Value    |
> +----+----------+---------------+----+----------+
> |  2 | 1213     | User-Password | == | testonly |
> +----+----------+---------------+----+----------+
>
> mysql> select * from usergroup;
> +----+----------+-----------+
> | id | UserName | GroupName |
> +----+----------+-----------+
> |  1 | 1213     | general   |
> +----+----------+-----------+
>
> mysql> select * from radgroupreply;
> +----+-----------+---------------+----+------------+------+
> | id | GroupName | Attribute     | op | Value      | prio |
> +----+-----------+---------------+----+------------+------+
> |  3 | general   | Reply-Message | =  | Authorized |    0 |
> +----+-----------+---------------+----+------------+------+
>
> I googled this but I couldn't find anything about that.
> Am I missing something?
> Thanks in advance.
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
Hi Jan,
Jan Janak wrote:
| Try to see what is going on in the radius server, if you are using
| freeradius then start it with -X cmdline option.

I did that and I received this:
----
rad_recv: Access-Request packet from host xxx.yyy.zzz.www:37861, id=204, length=51
    User-Name = "1213"
    Sip-Group = "Active"
    Service-Type = Group-Check
    NAS-IP-Address = xxx.yyy.zzz.www
    NAS-Port = 0
    Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 28
    modcall[authorize]: module "preprocess" returns ok for request 28
    modcall[authorize]: module "chap" returns noop for request 28
    modcall[authorize]: module "mschap" returns noop for request 28
    modcall[authorize]: module "digest" returns noop for request 28
    rlm_realm: No '@' in User-Name = "1213", looking up realm NULL
    rlm_realm: No such realm "NULL"
    modcall[authorize]: module "suffix" returns noop for request 28
radius_xlat: ''
    modcall[authorize]: module "sql" returns fail for request 28
modcall: group authorize returns fail for request 28
Finished request 28
Going to the next request
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 27 ID 203 with timestamp 416541dc
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 28 ID 204 with timestamp 416541e0
Nothing to do. Sleeping until we see a request.
---
I think that the problem is on

modcall[authorize]: module "sql" returns fail for request 28

but I don't know why module sql returns "fail" for the request. I saw the mysql log file too and freeradius doesn't do any query about that request!
Do you have any idea? Thanks for your answer.
Telles
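Added example (not part of the original thread, and not SER or FreeRADIUS code): a small Python triage of freeradius -X debug output like the trace in the message above, reporting for each request which module first returned a failing code and how the section ended. The function name `triage`, the set of return codes treated as failing, and the sample lines (copied from the trace with indentation removed) are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the debug lines quoted in the message above, unindented.
SAMPLE = '''\
modcall: entering group authorize for request 28
modcall[authorize]: module "preprocess" returns ok for request 28
modcall[authorize]: module "chap" returns noop for request 28
modcall[authorize]: module "mschap" returns noop for request 28
modcall[authorize]: module "digest" returns noop for request 28
rlm_realm: No '@' in User-Name = "1213", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 28
radius_xlat:  ''
modcall[authorize]: module "sql" returns fail for request 28
modcall: group authorize returns fail for request 28
'''

MODULE_RE = re.compile(
    r'modcall\[(?P<section>\w+)\]: module "(?P<module>[^"]+)" '
    r'returns (?P<code>\w+) for request (?P<req>\d+)')
GROUP_RE = re.compile(
    r'modcall: group (?P<section>\w+) returns (?P<code>\w+) '
    r'for request (?P<req>\d+)')
# Assumption of this example: codes that end a section without success.
FAILING = {"fail", "reject", "invalid", "userlock"}

def triage(log_text):
    """Return {request_id: {"section", "result", "trace", "culprit"}}."""
    requests = defaultdict(lambda: {"section": None, "result": None,
                                    "trace": [], "culprit": None})
    for line in log_text.splitlines():
        m = MODULE_RE.search(line)
        if m:
            entry = requests[int(m["req"])]
            entry["trace"].append((m["module"], m["code"]))
            # Remember only the first module that returned a failing code.
            if m["code"] in FAILING and entry["culprit"] is None:
                entry["culprit"] = m["module"]
            continue
        m = GROUP_RE.search(line)
        if m:
            entry = requests[int(m["req"])]
            entry["section"], entry["result"] = m["section"], m["code"]
    return dict(requests)

if __name__ == "__main__":
    for req, info in triage(SAMPLE).items():
        print(f'request {req}: {info["section"]} -> {info["result"]}, '
              f'first failing module: {info["culprit"]}')
```
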
This might be the problem:
rlm_realm: No '@' in User-Name = "1213", looking up realm NULL
rlm_realm: No such realm "NULL"
Jan.
On 07-10 10:29, Rodrigo P. Telles wrote:
> Hi Jan,
>
> Jan Janak wrote:
> | Try to see what is going on in the radius server, if you are using
> | freeradius then start it with -X cmdline option.
>
> I did that and I received this:
>
> rad_recv: Access-Request packet from host xxx.yyy.zzz.www:37861, id=204, length=51
>     User-Name = "1213"
>     Sip-Group = "Active"
>     Service-Type = Group-Check
>     NAS-IP-Address = xxx.yyy.zzz.www
>     NAS-Port = 0
>     Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 28
>     modcall[authorize]: module "preprocess" returns ok for request 28
>     modcall[authorize]: module "chap" returns noop for request 28
>     modcall[authorize]: module "mschap" returns noop for request 28
>     modcall[authorize]: module "digest" returns noop for request 28
>     rlm_realm: No '@' in User-Name = "1213", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>     modcall[authorize]: module "suffix" returns noop for request 28
> radius_xlat: ''
>     modcall[authorize]: module "sql" returns fail for request 28
> modcall: group authorize returns fail for request 28
> Finished request 28
> Going to the next request
> Waking up in 2 seconds...
> --- Walking the entire request list ---
> Cleaning up request 27 ID 203 with timestamp 416541dc
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 28 ID 204 with timestamp 416541e0
> Nothing to do. Sleeping until we see a request.
>
> I think that the problem is on
>
> modcall[authorize]: module "sql" returns fail for request 28
>
> but I don't know why module sql returns "fail" for the request.
> I saw the mysql log file too and freeradius doesn't do any query
> about that request!
>
> Do you have any idea?
> Thanks for your answer.
>
> Telles
Hi Jan,
Jan Janak wrote:
| This might be the problem:
|
| rlm_realm: No '@' in User-Name = "1213", looking up realm NULL
| rlm_realm: No such realm "NULL"
|
| Jan.
I've been stripping '@domain' (realm) in freeradius to authenticate our users without major problems. Are you saying that I want to not strip the '@domain' part in freeradius?
Tx