help-gnu-radius

[Help-gnu-radius] Defining custom attributes


From: Charles Sprickman
Subject: [Help-gnu-radius] Defining custom attributes
Date: Mon, 19 Apr 2004 17:40:20 -0400 (EDT)

Hi,

In another thread I noticed that it's possible to define custom
attributes.  In my config I am using the attribute "Auth-Data" to supply
some additional information for my sql auth query.  Since another hackish
thing I'm trying to do requires another attribute, I decided to make a few
more appropriately named attributes for my own use.

Looking through the supplied dictionary files, I see Auth-Data is defined
like so in the standard dictionary:

ATTRIBUTE       Auth-Data               2006    string  - [L--R-R]=

I looked through the other files and found that the low 4000's are free
for additional attributes.  I'm not sure if there's some limit on this ID,
or a suggested range for custom attributes.

So I added two more attributes of my own patterned after Auth-Data:

ATTRIBUTE       Auth-Gid                4000    string  - [L--R-R]=
ATTRIBUTE       Auth-Dom                4001    string  - [L--R-R]=

Auth-Data was used in three files to supply a slightly different query
depending on where the request came from.  Below are the relevant config
snippets.

huntgroups:

# this config will tag each NAS client with a name that is recognized
# in the users file.  In the users file, an additional sql conditional
# is added to discriminate between local, roaming and news access

#LOCAL  NAS-IP-Address = 127.0.0.1      NULL
ROAM    NAS-IP-Address = 127.0.0.1      NULL
NEWS    NAS-IP-Address = 216.220.x.7  NULL
#COVAD  NAS-IP-Address = 127.0.0.1      NULL

users:

# also see "huntgroups"...  Here we are using tags from huntgroups to
# assign extra "Auth-Data" to a request based on which nas the request
# comes from.

DEFAULT         Huntgroup-Name = LOCAL,
                Auth-Type = SQL,
                Auth-Gid = "64"
                Service-Type = Framed-User

DEFAULT         Huntgroup-Name = ROAM,
                Auth-Type = SQL,
                Auth-Gid = "128"
                Service-Type = Framed-User
[etc.]

sqlserver:

# Query to select the password for the given user. Should return one string.
auth_query  SELECT pw_passwd \
        FROM vpopmail \
        WHERE pw_name='%u' \
        AND pw_domain='bway.net' \
        AND !(pw_gid & %C{Auth-Gid})

Now when all of the above was set to "Auth-Data" where you now see
"Auth-Gid", all is well and everything works as expected.  But when I
switch to using my custom attributes, authentication always fails; in fact,
it never even makes it to the sql query:

Apr 19 17:25:52 Main.info: Ready to process requests.
Apr 19 17:26:02 Auth.debug: auth.c:684:rad_authenticate: auth: chip
Apr 19 17:26:02 Auth.notice: No such user [chip]
Apr 19 17:26:02 Auth.debug: auth.c:807:sfn_init: 0 -> 15
Apr 19 17:26:02 Auth.debug: auth.c:1197:sfn_reject_cleanup: 15 -> 14
Apr 19 17:26:02 Auth.debug: auth.c:1203:sfn_reject: REJECT: chip
Apr 19 17:26:02 Auth.info: rule trace: /usr/local/etc/raddb/huntgroups:9

Here's a log snippet with the same config, but with all instances of
"Auth-Gid" changed back to "Auth-Data":

address@hidden/usr/local/etc/raddb]# grep Auth-Data *
sqlserver:      AND !(pw_gid & %C{Auth-Data})
users:# assign extra "Auth-Data" to a request based on which nas the request
users:          Auth-Data = "64"
users:          Auth-Data = "128"
users:          Auth-Data = "256"
users:          Auth-Data = "512"

Apr 19 17:40:17 Auth.debug: auth.c:684:rad_authenticate: auth: chip
Apr 19 17:40:17 Auth.debug: sql.c:750:attach_sql_connection: allocating new 0 sql connection
Apr 19 17:40:17 Auth.debug: sql.c:763:attach_sql_connection: connection 0 timed out: reconnect
Apr 19 17:40:17 Auth.debug: mysql.c:119:rad_mysql_reconnect: connected to 216.220.x.x
Apr 19 17:40:17 Auth.debug: sql.c:768:attach_sql_connection: attaching 0x8106500 [0]
Apr 19 17:40:17 Auth.debug: mysql.c:158:rad_mysql_getpwd: query: SELECT pw_passwd FROM vpopmail WHERE pw_name='chip' AND pw_domain='bway.net' AND !(pw_gid & 128)
Apr 19 17:40:17 Auth.debug: mysql.c:61:do_mysql_query: called with SELECT pw_passwd FROM vpopmail WHERE pw_name='chip' AND pw_domain='bway.net' AND !(pw_gid & 128)
Apr 19 17:40:17 Auth.debug: mysql.c:71:do_mysql_query: MYSQL query returned 0
Apr 19 17:40:17 Auth.debug: auth.c:292:rad_check_password: auth_type=3, userpass=xxx, name=chip, password=$1$xxxxx
Apr 19 17:40:17 Auth.debug: auth.c:322:rad_check_password:   auth: Crypt
Apr 19 17:40:17 Auth.debug: auth.c:333:rad_check_password: pwbuf: $1$xxxxx
Apr 19 17:40:17 Auth.debug: auth.c:1175:sfn_ack: ACK: chip
Apr 19 17:40:17 Auth.notice: Login OK [chip]
Apr 19 17:40:17 Auth.info: rule trace: /usr/local/etc/raddb/users:18; huntgroups:9

It seems strange that just changing that one attribute causes such a
radically different behaviour; even the rule trace shows a different line.
Again, the only changes are noted in the grep above this log...

Any ideas?

Thanks,

Charles
___
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet - www.bway.net
address@hidden - 212.655.9344
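A small model of the configuration in this post, added here as an example and not GNU Radius code: it parses the ATTRIBUTE lines, expands %u and %C{Auth-Gid} in the auth_query the way the successful log shows, and evaluates the !(pw_gid & mask) gate the query encodes. The vpopmail row, the huntgroup-to-check-item table and the username character check are this example's own assumptions.

```python
import re

# Constructed sample inputs modelled on the thread's dictionary, users and
# sqlserver snippets; none of this is GNU Radius code.
DICTIONARY = """\
ATTRIBUTE       Auth-Data               2006    string  - [L--R-R]=
ATTRIBUTE       Auth-Gid                4000    string  - [L--R-R]=
ATTRIBUTE       Auth-Dom                4001    string  - [L--R-R]=
"""

AUTH_QUERY = ("SELECT pw_passwd FROM vpopmail WHERE pw_name='%u' "
              "AND pw_domain='bway.net' AND !(pw_gid & %C{Auth-Gid})")

# Check items that each huntgroup's DEFAULT entry attaches to the request.
HUNTGROUP_CHECKS = {"LOCAL": {"Auth-Gid": "64"}, "ROAM": {"Auth-Gid": "128"}}

# Constructed vpopmail row: pw_gid is a bitmask of access classes to deny.
VPOPMAIL = {"chip": {"pw_passwd": "$1$xxxxx", "pw_gid": 64}}

def parse_dictionary(text):
    """Return {name: (number, type, flags)} from ATTRIBUTE lines.
    RFC 2865 attribute types are one octet (1..255), so numbers such as
    2006 or 4000 cannot travel in a packet; they can only be server-side."""
    attrs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "ATTRIBUTE":
            attrs[f[1]] = (int(f[2]), f[3], f[-1])
    return attrs

def expand_query(template, username, checks):
    """Expand %u and %C{Attr} into the query text, as the log shows.
    Raises KeyError when a referenced check attribute is absent from the
    request, so a half-expanded query is never handed to the database."""
    # %u is spliced into SQL text, so this model accepts only a safe charset.
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", username):
        raise ValueError("unsafe username")
    q = re.sub(r"%C\{([^}]+)\}", lambda m: checks[m.group(1)], template)
    return q.replace("%u", username)

def access_allowed(username, huntgroup):
    """Model the SQL gate: the row matches only if no masked bit is set."""
    row = VPOPMAIL.get(username)
    if row is None:
        return False
    mask = int(HUNTGROUP_CHECKS[huntgroup]["Auth-Gid"])
    return (row["pw_gid"] & mask) == 0
```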
