what would cause sql to return reject response?


what would cause sql to return reject response?

Users mailing list
I have the below in authorize

     sql {
         notfound = 1
         reject = 2
     }
     if (notfound) {
         update reply {
             Reply-Message := "Incorrect Username or Password"
         }
         reject
     }
     if (reject) {
         update reply {
             Reply-Message := "Your account is disabled, contact admin"
         }
         reject
     }
     expiration {
         userlock = 1
     }
     if (userlock) {
         update reply {
             Reply-Message := "Your account has expired, contact admin"
         }
         reject
     }
     logintime
     pap

but the reject response is never generated from the sql module; if the
username doesn't match it generates notfound, and if the password doesn't
match the pap module rejects the request and sql responds ok, but what I
want is the sql module to generate the reject response.

can anyone guide me under what circumstances the sql module
generates a reject response, because I tried setting the Auth-Type attribute to
reject but sql still doesn't generate reject

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: what would cause sql to return reject response?

Alan DeKok-2
On Feb 11, 2019, at 10:23 AM, Bipin Patel via Freeradius-Users <[hidden email]> wrote:
>
> I have the below in authorize
>
>    sql {
>        notfound = 1
>        reject = 2
>    }
...
> but the reject response is never generated from the sql module,

  Because the SQL module does not authenticate a user.  SQL is a database.  FreeRADIUS just looks the user up in the database.  The answer is either "yes, the user is there" or "no such user in the database".

> if the username doesn't match it generates notfound, and if the password doesn't match the pap module rejects the request and sql responds ok, but what I want is the sql module to generate the reject response.

  Why?

  This is the typical issue of you have a solution in mind, and you're wondering how to implement it.  And, why the server doesn't behave the way you expect.

  You should instead discuss the *problem* you're having.  Why is it important for "sql" to reject the user, instead of "pap" ?

> can anyone guide me under what circumstances the sql module generates a reject response, because I tried setting the Auth-Type attribute to reject but sql still doesn't generate reject

  The SQL module never rejects a user.

  You might have 4 different databases for users.  It is *wrong* for the SQL module to reject a user.

  Alan DeKok.



Re: what would cause sql to return reject response?

Users mailing list
basically I have developed a full web GUI for MikroTik routers and
FreeRADIUS to work as a hotspot, where the web GUI talks to the SQL DB
directly and the user can create plans, which would be the RADIUS groups
and associated check and reply attributes. I have created a "disable
client account" option which deactivates the account, and what I saw in
daloRADIUS was that it used to create a disabled group with priority 0 and
set the Auth-Type attribute to Reject. I know the docs mention not to
set the Auth-Type directly, but I don't see a way to do it directly in FR,
so I followed the same method, and that is the reason I was assuming the sql
module would reject on seeing Auth-Type set to Reject, using the reject
response, but later I noticed it would never respond with reject. I
searched all docs and the book but no place mentions under what cases the
sql module would respond with reject, and I wanted the sql module to
reject so I can reply with "account disabled" and not have the rest of
the authorize section execute, because later down the section I have a
call to a PHP script and I'm trying to reduce calls to it unless the
account is enabled and id/pass match.

On 11-02-2019 19:37, Alan DeKok wrote:

> On Feb 11, 2019, at 10:23 AM, Bipin Patel via Freeradius-Users <[hidden email]> wrote:
>
>> I have the below in authorize
>>
>> sql {
>> notfound = 1
>> reject = 2
>> }
> ...
>
>> but the reject response is never generated from the sql module,
>
> Because the SQL module does not authenticate a user.  SQL is a database.  FreeRADIUS just looks the user up in the database.  The answer is either "yes, the user is there" or "no such user in the database".
>
>> if the username doesn't match it generates notfound, and if the password doesn't match the pap module rejects the request and sql responds ok, but what I want is the sql module to generate the reject response.
>
> Why?
>
> This is the typical issue of you have a solution in mind, and you're wondering how to implement it.  And, why the server doesn't behave the way you expect.
>
> You should instead discuss the *problem* you're having.  Why is it important for "sql" to reject the user, instead of "pap" ?
>
>> can anyone guide me under what circumstances the sql module generates a reject response, because I tried setting the Auth-Type attribute to reject but sql still doesn't generate reject
>
> The SQL module never rejects a user.
>
> You might have 4 different databases for users.  It is *wrong* for the SQL module to reject a user.
>
> Alan DeKok.

Re: what would cause sql to return reject response?

Alan DeKok-2
On Feb 11, 2019, at 11:33 AM, Bipin Patel via Freeradius-Users <[hidden email]> wrote:
>
> basically I have developed a full web GUI for MikroTik routers and
> FreeRADIUS to work as a hotspot, where the web GUI talks to the SQL DB
> directly and the user can create plans, which would be the RADIUS groups
> and associated check and reply attributes.

  Ok...

> I have created a "disable
> client account" option which deactivates the account, and what I saw in
> daloRADIUS was that it used to create a disabled group with priority 0 and
> set the Auth-Type attribute to Reject. I know the docs mention not to
> set the Auth-Type directly, but I don't see a way to do it directly in FR,

  That should work.  If it doesn't, read the debug output as suggested in the "man" page, web pages, and the message you get when joining this list.

  No amount of randomly changing things will fix it.  You need to understand what it's doing.

> so I followed the same method, and that is the reason I was assuming the sql
> module would reject on seeing Auth-Type set to Reject, using the reject
> response, but later I noticed it would never respond with reject. I
> searched all docs and the book but no place mentions under what cases the
> sql module would respond with reject, and I wanted the sql module to
> reject

  It doesn't.  You want the group to match.

> so I can reply with "account disabled" and not have the rest of
> the authorize section execute, because later down the section I have a
> call to a PHP script and I'm trying to reduce calls to it unless the
> account is enabled and id/pass match.

  If you want to skip parts of the "authorize" section, you will need to check for that and write the policy.  Something like:


authorize {
        ...
        sql
        if (SQL-Group == "disabled") {
                reject
        }
        ...
}

  Alan DeKok.


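Alan's SQL-Group check, assembled into the OP's full authorize section as an added example (this is not code from the thread or from the FreeRADIUS project). It assumes FreeRADIUS 3.x unlang, the standard radusergroup/radgroupcheck schema, that disabled accounts are members of a group named "disabled" (the daloRADIUS convention the OP describes), and a hypothetical exec module instance named set_bandwidth standing in for the OP's PHP script:

```unlang
authorize {
    # Look the user up. sql only answers "found" / "not found"; it never
    # returns reject, so the policy below has to do the rejecting.
    sql {
        notfound = 1
    }
    if (notfound) {
        update reply {
            Reply-Message := "Incorrect Username or Password"
        }
        reject
    }

    # Membership test: comparing SQL-Group runs the group query for this
    # user (assumed radusergroup rows written by the web GUI). Rejecting here
    # stops the section, so nothing below runs for a disabled account.
    if (SQL-Group == "disabled") {
        update reply {
            Reply-Message := "Your account is disabled, contact admin"
        }
        reject
    }

    expiration {
        userlock = 1
    }
    if (userlock) {
        update reply {
            Reply-Message := "Your account has expired, contact admin"
        }
        reject
    }
    logintime

    # Only enabled, unexpired accounts reach this point. The password has NOT
    # been verified yet: pap in authorize only sets Auth-Type, and the actual
    # check happens in the authenticate section.
    set_bandwidth   # hypothetical exec instance wrapping the PHP script
    pap
}
```

Two design notes. First, the radgroupcheck approach (a priority-0 "disabled" group carrying Auth-Type := Reject) does still reject the user, but only after the whole authorize section has finished, which is exactly why the OP saw the script being called anyway; an explicit group test placed right after `sql` is what short-circuits the section. Second, if the script must run only when "id/pass match", authorize is the wrong place regardless of ordering: move that exec into post-auth, which runs only after a successful authentication.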

Re: what would cause sql to return reject response?

Users mailing list

The part about checking the SQL-Group for disabled didn't click for me, so
let me try that; hopefully it should work and help me skip calling the PHP
script, which basically just sets the bandwidth, which I don't need to call
if the account is part of the disabled group.

Setting Auth-Type to Reject works like daloRADIUS does, but the call to the PHP
script would still run, which I'm trying to avoid because there's no point setting
bandwidth from the group with priority 1 when the group with priority 0
says Auth-Type Reject. Earlier I used to think the SQL module would respond
with reject, which it clearly doesn't, and thanks for the clarification, because
most docs say it has a possible response of reject also and I was wondering
why it isn't responding with that and went on a quest to figure out what
situation would cause it to respond with that.

Btw the hotspot is mostly ready to use, and once I add even more features I
shall be releasing it as open source if it helps others. MikroTik router
based hotspot with FR running on a Raspberry Pi for very small setups, but it
can run on any normal Debian machine too.




On February 11, 2019 9:07:50 PM Alan DeKok <[hidden email]> wrote:

> On Feb 11, 2019, at 11:33 AM, Bipin Patel via Freeradius-Users
> <[hidden email]> wrote:
>>
>>
>> basically I have developed a full web GUI for MikroTik routers and
>> FreeRADIUS to work as a hotspot, where the web GUI talks to the SQL DB
>> directly and the user can create plans, which would be the RADIUS groups
>> and associated check and reply attributes.
>
>  Ok...
>
>> I have created a "disable
>> client account" option which deactivates the account, and what I saw in
>> daloRADIUS was that it used to create a disabled group with priority 0 and
>> set the Auth-Type attribute to Reject. I know the docs mention not to
>> set the Auth-Type directly, but I don't see a way to do it directly in FR,
>
>  That should work.  If it doesn't, read the debug output as suggested in the
>  "man" page, web pages, and the message you get when joining this list.
>
>  No amount of randomly changing things will fix it.  You need to understand
>  what it's doing.
>
>> so I followed the same method, and that is the reason I was assuming the sql
>> module would reject on seeing Auth-Type set to Reject, using the reject
>> response, but later I noticed it would never respond with reject. I
>> searched all docs and the book but no place mentions under what cases the
>> sql module would respond with reject, and I wanted the sql module to
>> reject
>
>  It doesn't.  You want the group to match.
>
>> so I can reply with "account disabled" and not have the rest of
>> the authorize section execute, because later down the section I have a
>> call to a PHP script and I'm trying to reduce calls to it unless the
>> account is enabled and id/pass match.
>
>  If you want to skip parts of the "authorize" section, you will need to
>  check for that and write the policy.  Something like:
>
>
> authorize {
> ...
> sql
> if (SQL-Group == "disabled") {
>  reject
> }
> ...
> }
>
>  Alan DeKok.
>
>



