Authorization problem


Authorization problem

Miguel Sennoun

Dear freeradius users,

I have a problem which seems not to be complicated, but I can't find a solution.

In my users file:

DEFAULT Auth-Type := Reject, Service-Type !* 2
        Reply-Message = "l'AVP Service-Type est absent de la requete",
        Fall-Through = No

DEFAULT Auth-Type := Reject, Service-Type != 2
        Reply-Message = "l'AVP Service-Type est different de Framed-User",
        Fall-Through = No

DEFAULT Auth-Type := Reject, Framed-Protocol !* 7
        Reply-Message = "l'AVP Framed-Protocol est abscent de la requete",
        Fall-Through = No

DEFAULT Auth-Type := Reject, Framed-Protocol != 7
        Reply-Message = "l'AVP Framed-Protocol est different de GPRS-PDP-Context",
        Fall-Through = No

DEFAULT Auth-Type := Accept, Service-Type==2, Framed-Protocol==7
        Service-Type = 2,
        Framed-Protocol = 7,
        Class = "FT0001",
        Fall-Through = No

DEFAULT Auth-Type := Reject
        Reply-Message = "probleme sur le module users"

You can understand I would like to accept only users who have the attributes:

Service-Type present and equal to 2
Framed-Protocol present and equal to 7

But when I test with NTRadPing, it doesn't work. I send an Access-Request without the attribute Service-Type, and the server replies with an Access-Accept.

Here is a trace of debug:


rad_recv: Access-Request packet from host 172.20.0.64:2236, id=136, length=79
        User-Name = "public.dynamic"
        3GPP-IMSI = "901111100007142"
        Calling-Station-Id = "870771100834"
        Framed-Protocol = GPRS-PDP-Context
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/usr/local/var/log/radius/radacct/172.20.0.64/auth-detail-20050525'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/172.20.0.64/auth-detail-20050525
  modcall[authorize]: module "auth_log" returns ok for request 0
    users: Matched DEFAULT at 96
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [public.dynamic] (from client miguel port 0 cli 870771100834)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
radius_xlat:  '/usr/local/var/log/radius/radacct/172.20.0.64/reply-detail-20050525'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/172.20.0.64/reply-detail-20050525
  modcall[post-auth]: module "reply_log" returns ok for request 0
modcall: group post-auth returns ok for request 0
Sending Access-Accept of id 136 to 172.20.0.64:2236
        Service-Type = Framed-User
        Framed-Protocol = GPRS-PDP-Context
        Class = 0x465430303031
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 136 with timestamp 4294a4b0
Nothing to do.  Sleeping until we see a request.


Thank you very much for any help


Re: Authorization problem

Alan DeKok
"Miguel Sennoun" <[hidden email]> wrote:
> DEFAULT Auth-Type := Reject, Service-Type !* 2

  The !* operator ignores any value you give it.

> You can understand I would like to accept only users who have the attributes
> :
>
> Service-Type present and equal to 2

  Why not just use 'Service-Type == 2'?

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Authorization problem

Miguel Sennoun
Thank you for the reply; it was for debugging purposes.
I think I found an explanation for the behaviour:
when the AVP Framed-Protocol is present, FreeRADIUS implicitly sets the AVP
Service-Type to the Framed value, even if the client doesn't send it
(verified with Ethereal).

> -----Original message-----
> From: [hidden email] [mailto:freeradius-users-
> [hidden email]] On behalf of Alan DeKok
> Sent: Wednesday 25 May 2005 19:52
> To: [hidden email]
> Subject: Re: Authorization problem
>
> "Miguel Sennoun" <[hidden email]> wrote:
> > DEFAULT Auth-Type := Reject, Service-Type !* 2
>
>   The !* operator ignores any value you give it.
>
> > You can understand I would like to accept only users who have the
> attributes
> > :
> >
> > Service-Type present and equal to 2
>
>   Why not just use 'Service-Type == 2'?
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

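The thread turns on two details of how the authorize section handles this users file: the `!*` operator tests only for the attribute's absence and ignores the value written after it (Alan's point), and `preprocess` runs before `files` and, as Miguel observed, inserts Service-Type = Framed-User into a request that carries Framed-Protocol without a Service-Type. The Python script below is an added example, not FreeRADIUS code and not anything posted in the thread: it is a small model of users-file matching (the `==`, `!=`, `=*`, `!*` comparisons, `:=` assignments and Fall-Through handling, following the semantics described above) run against the Access-Request from the debug trace, once with and once without the modelled preprocess step. The users file, the dictionary values (Framed-User = 2, GPRS-PDP-Context = 7) and the request contents are constructed from what appears in the thread, with the reply messages in English.

```python
"""Model of how FreeRADIUS matches 'users' entries in authorize (added example,
not rlm_files code): ==, !=, =*, !* comparisons, := assignments, Fall-Through,
plus the rlm_preprocess behaviour Miguel reports for a missing Service-Type."""
import re

# Dictionary values for the two enumerated attributes used in the thread.
ENUM = {"Service-Type": {"Framed-User": 2}, "Framed-Protocol": {"GPRS-PDP-Context": 7}}

# Constructed users file modelled on the poster's entries (messages in English;
# 'Fall-Through = No' omitted because not falling through is the default).
USERS_FILE = '''
DEFAULT Auth-Type := Reject, Service-Type !* 2
        Reply-Message = "Service-Type AVP missing from request"
DEFAULT Auth-Type := Reject, Service-Type != 2
        Reply-Message = "Service-Type AVP is not Framed-User"
DEFAULT Auth-Type := Reject, Framed-Protocol !* 7
        Reply-Message = "Framed-Protocol AVP missing from request"
DEFAULT Auth-Type := Reject, Framed-Protocol != 7
        Reply-Message = "Framed-Protocol AVP is not GPRS-PDP-Context"
DEFAULT Auth-Type := Accept, Service-Type==2, Framed-Protocol==7
        Service-Type = 2,
        Framed-Protocol = 7,
        Class = "FT0001"
DEFAULT Auth-Type := Reject
        Reply-Message = "problem in users module"
'''

# Constructed from the Access-Request in the debug trace: no Service-Type was sent.
REQUEST_FROM_TRACE = {"User-Name": "public.dynamic", "Calling-Station-Id": "870771100834",
                      "Framed-Protocol": ENUM["Framed-Protocol"]["GPRS-PDP-Context"]}

# attribute, operator (multi-character operators listed before '='), value, optional comma
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|!=|=\*|!\*|=)\s*("[^"]*"|[^,\s]+)\s*,?')

def parse_value(attr, raw):
    """A users-file value: plain integer, dictionary name for that attribute, or string."""
    raw = raw.strip('"')
    return int(raw) if raw.isdigit() else ENUM.get(attr, {}).get(raw, raw)

def parse_items(text):
    """Parse 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    return [(a, op, parse_value(a, v)) for a, op, v in ITEM_RE.findall(text)]

def parse_users(text):
    """Split the users file into (name, check_items, reply_items) entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                # an unindented line opens a new entry
            name, _, rest = line.partition(" ")
            entries.append((name, parse_items(rest), []))
        else:                                    # indented lines are its reply items
            entries[-1][2].extend(parse_items(line))
    return entries

def check_matches(attr, op, value, request):
    """!* matches only when the attribute is absent (its value is ignored, as Alan
    DeKok notes), =* only when present; == and != need the attribute present."""
    present = attr in request
    if op in ("!*", "=*"):                       # existence tests; the value is ignored
        return present == (op == "=*")
    if not present:                              # == and != cannot match a missing attribute
        return False
    return request[attr] == value if op == "==" else request[attr] != value

def authorize(entries, request):
    """Walk entries in order like rlm_files; return (matched_index, control, reply)."""
    control, reply = {}, {}
    for i, (name, checks, replies) in enumerate(entries):
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        comparisons = [c for c in checks if c[1] not in (":=", "=")]
        if not all(check_matches(a, op, v, request) for a, op, v in comparisons):
            continue
        # On a match, assignments in the check list (Auth-Type := ...) become control
        # items and the reply items are added; stop unless Fall-Through = Yes.
        control.update({a: v for a, op, v in checks if op in (":=", "=")})
        reply.update({a: v for a, op, v in replies})
        if reply.pop("Fall-Through", "No") != "Yes":
            return i, control, reply
    return None, control, reply

def run(request, with_preprocess):
    """Modelled authorize section: optional preprocess step, then the users file."""
    request = dict(request)
    if with_preprocess and "Framed-Protocol" in request and "Service-Type" not in request:
        # rlm_preprocess behaviour reported in the thread: Service-Type = Framed-User is
        # synthesised before the files module sees the request.
        request["Service-Type"] = ENUM["Service-Type"]["Framed-User"]
    return authorize(parse_users(USERS_FILE), request)

if __name__ == "__main__":
    for flag in (False, True):
        idx, control, reply = run(REQUEST_FROM_TRACE, flag)
        print(f"preprocess={flag}: entry {idx}, Auth-Type={control['Auth-Type']}, reply={reply}")
```

Without the preprocess step the first entry matches and the request is rejected for the missing Service-Type; with it, the Accept entry matches exactly as the trace shows (Matched DEFAULT, Auth-Type Accept, Class FT0001 in the reply). The point for anyone writing a reject-by-default policy in the users file is that `files` checks the request as already modified by every module that ran before it in authorize, so a check meant to assert "the client sent Service-Type" has to be placed before any module that synthesises that attribute, or be made on an attribute no earlier module rewrites.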