
FreeRADIUS server does not reject user

My FreeRADIUS server is supposed to deny access to users who have exceeded their usage limit, but the server accepts them, while the return message saying that the user has exceeded their limit is set anyway.

Debug log:

rad_recv: Access-Request packet from host 1.2.3.4 port 46010, id=13, length=197
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = "80:ED:2C:E5:EB:C6"
    Called-Station-Id = "hotspot1"
    NAS-Port-Id = "bridge"
    User-Name = "USERNAME"
    NAS-Port = 2151677955
    Acct-Session-Id = "80400003"
    Framed-IP-Address = 192.168.8.251
    Mikrotik-Host-IP = 192.168.8.251
    CHAP-Challenge = 0xa484e5a94500de0751545d5a69777d03
    CHAP-Password = 0xb99d22e3c7c8cef532b70f9f514eef029c
    Service-Type = Login-User
    WISPr-Logoff-URL = "http://192.168.8.1/logout"
    NAS-Identifier = "ROUTER"
    NAS-IP-Address = 10.0.0.114
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] = ok
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "USERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
[sql]   expand: %{User-Name} -> USERNAME
[sql] sql_set_user escaped user --> 'USERNAME'
rlm_sql (sql): Reserving sql socket id: 31
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'USERNAME'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'USERNAME'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'USERNAME'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'USERNAME'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'USERNAME'           ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup           WHERE username = 'USERNAME'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 31
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[weeklycounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[monthlycounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailyBytecounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[weeklyBytecounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = '%{User-Name}' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a'
[monthlyBytecounter]    expand: SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = '%{User-Name}' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a -> SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a
WARNING: Please replace '%S' with '${sqlmod-inst}'
sqlcounter_expand:  '%{sql:SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a}'
[monthlyBytecounter] sql_xlat
[monthlyBytecounter]    expand: %{User-Name} -> USERNAME
[monthlyBytecounter] sql_set_user escaped user --> 'USERNAME'
[monthlyBytecounter]    expand: SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a -> SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a
[monthlyBytecounter]    expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 30
rlm_sql_mysql: query:  SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a
[monthlyBytecounter] sql_xlat finished
rlm_sql (sql): Released sql socket id: 30
[monthlyBytecounter]    expand: %{sql:SELECT (IFNULL(SUM(AcctInputOctets), 0) + IFNULL(SUM(AcctOutputOctets), 0)) as used_data FROM (SELECT * FROM radacct b WHERE username = 'USERNAME' AND dateformat_ym(acctstarttime) = dateformat_ym(CURDATE()) GROUP BY acctuniqueid) a} -> 3111228361
rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user USERNAME, check_item=1048576000, counter=3111228361
++[monthlyBytecounter] = reject
++? if (reject)
? Evaluating (reject) -> TRUE
++? if (reject) -> TRUE
++if (reject) {
+++update reply {
+++} # update reply = noop
++} # if (reject) = noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetBytecounter] = noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
+} # group authorize = ok
Found Auth-Type = CHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group CHAP {
[chap] login attempt by "USERNAME" with CHAP password
[chap] Using clear text password "PASSWORD" for user USERNAME authentication.
[chap] chap user USERNAME authenticated succesfully
++[chap] = ok
+} # group CHAP = ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
[sql]   expand: %{User-Name} -> USERNAME
[sql] sql_set_user escaped user --> 'USERNAME'
[sql]   expand: %{User-Password} -> 
[sql]   ... expanding second conditional
[sql]   expand: %{Chap-Password} -> 0xb99d22e3c7c8cef532b70f9f514eef029c
[sql]   expand: INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'USERNAME',                           '0xb99d22e3c7c8cef532b70f9f514eef029c',                           'Access-Accept', '2017-08-31 10:59:03')
[sql]   expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'USERNAME',                           '0xb99d22e3c7c8cef532b70f9f514eef029c',                           'Access-Accept', '2017-08-31 10:59:03')
rlm_sql (sql): Reserving sql socket id: 29
rlm_sql_mysql: query:  INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'USERNAME',                           '0xb99d22e3c7c8cef532b70f9f514eef029c',                           'Access-Accept', '2017-08-31 10:59:03')
rlm_sql (sql): Released sql socket id: 29
++[sql] = ok
++[exec] = noop
+} # group post-auth = ok
Sending Access-Accept of id 13 to 1.2.3.4 port 46010
    Mikrotik-Total-Limit = 1048576000
    Reply-Message = "You have exceeded your usage limit this month."

It appears that the usage limit is being checked correctly, but somehow the return is set to accept?

Sending Access-Accept of id 13 to 1.2.3.4 port 46010
    Mikrotik-Total-Limit = 1048576000
    Reply-Message = "You have exceeded your usage limit this month."

The configuration of the specific part in sites-enabled/default is this:

# Module call. The default action for a "reject" return code in authorize is
# "return" (leave the section at once with reject). "reject = 1" replaces that
# with priority 1, so the section keeps running and the module's reject only
# wins over codes with a lower priority; sql has already returned ok
# (priority 3), which is why the debug output above closes the section with
# "group authorize = ok".
monthlyBytecounter {
        reject = 1
}
# Evaluates the module's return code, which is still visible to the condition.
if (reject) {
        update reply {
                Reply-Message := "You have exceeded your usage limit this month."
        }
        reject
}

I'm running FreeRADIUS Version 2.2.8 on Ubuntu 16.04 LTS.

Any ideas what may cause the problem?
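A small checker for `radiusd -X` output that surfaces exactly the pattern in the log above: a module in the authorize section returns reject (`++[monthlyBytecounter] = reject`), yet the section closes with `+} # group authorize = ok` and the server sends an Access-Accept. This is an added example, not part of the original question or of FreeRADIUS; the first request in the embedded sample is abridged from the debug output quoted above, the second (id 14) is constructed to show what a rejection that did propagate looks like.

```python
"""Flag radiusd -X traces where authorize saw a module reject but the
server still answered Access-Accept. Added example; sample log embedded."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# FreeRADIUS 2.x debug-output patterns, as seen in the question.
RE_RECV = re.compile(r"^rad_recv: Access-Request packet from host \S+ port \d+, id=(?P<id>\d+)")
RE_GROUP_OPEN = re.compile(r"^\+group (?P<section>\S+) \{$")
RE_MODULE_RC = re.compile(r"^\+{2,}\[(?P<module>[\w.-]+)\] = (?P<rcode>\w+)$")
RE_GROUP_CLOSE = re.compile(r"^\+\} # group (?P<section>\S+) = (?P<rcode>\w+)$")
RE_COUNTER = re.compile(r"^rlm_sqlcounter: Rejected user (?P<user>\S+), check_item=(?P<check>\d+), counter=(?P<counter>\d+)$")
RE_SENDING = re.compile(r"^Sending (?P<ptype>Access-\w+) of id (?P<id>\d+) to ")

# Request 13 is abridged from the question's debug output; request 14 is
# constructed to show a rejection that reached the client.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 1.2.3.4 port 46010, id=13, length=197
    User-Name = "USERNAME"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = ok
++[sql] = ok
++[weeklyBytecounter] = noop
rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user USERNAME, check_item=1048576000, counter=3111228361
++[monthlyBytecounter] = reject
++if (reject) {
+++update reply {
+++} # update reply = noop
++} # if (reject) = noop
++[noresetBytecounter] = noop
+} # group authorize = ok
Found Auth-Type = CHAP
+group CHAP {
++[chap] = ok
+} # group CHAP = ok
+group post-auth {
++[sql] = ok
+} # group post-auth = ok
Sending Access-Accept of id 13 to 1.2.3.4 port 46010
    Mikrotik-Total-Limit = 1048576000
    Reply-Message = "You have exceeded your usage limit this month."
rad_recv: Access-Request packet from host 1.2.3.4 port 46011, id=14, length=197
    User-Name = "USERNAME"
+group authorize {
++[preprocess] = ok
++[sql] = ok
rlm_sqlcounter: Rejected user USERNAME, check_item=1048576000, counter=3111228361
++[monthlyBytecounter] = reject
+} # group authorize = reject
Sending Access-Reject of id 14 to 1.2.3.4 port 46011
    Reply-Message = "You have exceeded your usage limit this month."
"""


@dataclass
class Trace:
    request_id: str
    rejecting_modules: List[str] = field(default_factory=list)  # authorize modules that returned reject
    authorize_rcode: Optional[str] = None                        # what the whole section returned
    counter_detail: Optional[str] = None                         # numbers from rlm_sqlcounter, if any
    sent: Optional[str] = None                                   # packet type finally sent


def parse_traces(lines) -> List[Trace]:
    """Split the debug output into one Trace per Access-Request."""
    traces: List[Trace] = []
    current: Optional[Trace] = None
    section: Optional[str] = None
    for raw in lines:
        line = raw.rstrip("\n")
        m = RE_RECV.match(line)
        if m:
            current = Trace(request_id=m["id"])
            traces.append(current)
            section = None
            continue
        if current is None:
            continue
        m = RE_GROUP_OPEN.match(line)
        if m:
            section = m["section"]
            continue
        m = RE_MODULE_RC.match(line)
        if m and section == "authorize" and m["rcode"] == "reject":
            current.rejecting_modules.append(m["module"])
            continue
        m = RE_COUNTER.match(line)
        if m:
            current.counter_detail = f"check_item={m['check']} counter={m['counter']}"
            continue
        m = RE_GROUP_CLOSE.match(line)
        if m:
            if m["section"] == "authorize":
                current.authorize_rcode = m["rcode"]
            section = None
            continue
        m = RE_SENDING.match(line)
        if m and m["id"] == current.request_id:
            current.sent = m["ptype"]
    return traces


def find_accepts_despite_reject(lines) -> List[Trace]:
    """Traces where an authorize module rejected but Access-Accept went out."""
    return [t for t in parse_traces(lines) if t.rejecting_modules and t.sent == "Access-Accept"]


if __name__ == "__main__":
    for t in find_accepts_despite_reject(SAMPLE_LOG.splitlines()):
        print(f"id={t.request_id}: {t.rejecting_modules} returned reject, "
              f"authorize={t.authorize_rcode}, sent {t.sent} ({t.counter_detail})")
```

Run it against a saved `radiusd -X` capture instead of the embedded sample by passing `open(path)` to `find_accepts_despite_reject`; every hit is a request where the module's rcode did not become the section's result, which is the first thing to check before touching the counter query itself.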

It could be something wrong with monthlyBytecounter in counter.conf.

Mine is here (daily):

sqlcounter counterChilliSpotMaxTotalOctetsDaily {
        counter-name = ChilliSpot-Max-Total-Octets-Daily
        check-name = CS-Total-Octets-Daily
        counter-type = data
        reply-name = ChilliSpot-Max-Total-Octets
        sqlmod-inst = sql
        key = User-Name
        reset = daily
        query = "SELECT IFNULL((SUM(AcctInputOctets + AcctOutputOctets)),0) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

But I do define a limit in radcheck for CS-Total-Octets-Daily for the specific user.

You are returning only the monthlyBytecounter reply message, not the monthlyBytecounter return value. In case of an exceeded usage limit, you must return 0 (zero) or send a disconnection request like the one below.

echo "User-Name='$username'" | radclient -x -c 1 -n 3 -r 3 -t 3 '127.0.0.1:3997' 'disconnect' 'testing123'

Post your monthlyBytecounter code if this does not solve your question.
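How a data counter such as the daily one in the first answer or the monthly one in the question reaches its verdict, as an added example that is not code from the post or from FreeRADIUS: an in-memory SQLite stand-in for radacct and radcheck, a constructed octet-summing query (the MySQL helper dateformat_ym() from the question is replaced with strftime()), and the rlm_sqlcounter 2.x rule the debug output shows ("(Check item - counter) is less than zero" gives reject; otherwise the remainder is the value the module places in its reply-name attribute). The check attribute name Max-Monthly-Octets, the rows and the timestamps are constructed; the 1048576000 limit and the 3111228361 counter match the question.

```python
"""rlm_sqlcounter-style decision for a data (octet) counter, run against an
in-memory SQLite stand-in for radacct/radcheck. Added example: schema subset,
query and rows are constructed; only the decision rule follows sqlcounter."""
import sqlite3
from datetime import datetime
from typing import Dict

# Constructed accounting rows. The two August sessions for USERNAME add up to
# the 3111228361 octets seen in the question; the July session must not count.
ACCT_ROWS = [
    # acctuniqueid, username, acctstarttime, acctinputoctets, acctoutputoctets
    ("s1", "USERNAME", "2017-08-02 08:00:00", 600_000_000, 1_500_000_000),
    ("s2", "USERNAME", "2017-08-31 09:30:00", 400_000_000, 611_228_361),
    ("s3", "USERNAME", "2017-07-28 12:00:00", 900_000_000, 900_000_000),
    ("s4", "other", "2017-08-15 10:00:00", 1_000, 2_000),
]
# Constructed check items. "Max-Monthly-Octets" is a hypothetical check-name;
# 1048576000 is the limit from the question.
CHECK_ROWS = [
    ("USERNAME", "Max-Monthly-Octets", ":=", "1048576000"),
    ("other", "Max-Monthly-Octets", ":=", "1048576000"),
]
# Timestamp of the Access-Request in the question's debug output.
REQUEST_TIME = datetime(2017, 8, 31, 10, 59, 3)

# strftime() formats that select the rows of the current reset period
# (sqlcounter itself works from reset timestamps, %b/%e, instead).
PERIOD_FORMAT = {"daily": "%Y-%m-%d", "monthly": "%Y-%m"}

COUNTER_QUERY = """
SELECT IFNULL(SUM(acctinputoctets), 0) + IFNULL(SUM(acctoutputoctets), 0)
FROM radacct
WHERE username = ? AND strftime(?, acctstarttime) = ?
"""


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (acctuniqueid TEXT PRIMARY KEY, username TEXT,"
        " acctstarttime TEXT, acctinputoctets INTEGER, acctoutputoctets INTEGER)"
    )
    conn.execute("CREATE TABLE radcheck (username TEXT, attribute TEXT, op TEXT, value TEXT)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?)", ACCT_ROWS)
    conn.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?)", CHECK_ROWS)
    return conn


def counter_decision(conn, username, check_name, now, reset="monthly") -> Dict:
    """Return the module rcode together with the numbers it was derived from."""
    row = conn.execute(
        "SELECT value FROM radcheck WHERE username = ? AND attribute = ?",
        (username, check_name),
    ).fetchone()
    if row is None:
        # No check item for this user: the module does nothing, like the
        # "Could not find Check item value pair" lines in the question's log.
        return {"rcode": "noop"}
    check_item = int(row[0])
    fmt = PERIOD_FORMAT[reset]
    (counter,) = conn.execute(COUNTER_QUERY, (username, fmt, now.strftime(fmt))).fetchone()
    remaining = check_item - counter
    # sqlcounter only passes when the check item is strictly greater than the
    # counter; reaching the limit exactly is also a reject.
    rcode = "ok" if remaining > 0 else "reject"
    return {"rcode": rcode, "check_item": check_item, "counter": counter, "remaining": remaining}


def demo() -> Dict[str, Dict]:
    """Every user/period combination for the constructed data set."""
    db = build_db()
    return {
        f"{user}/{reset}": counter_decision(db, user, "Max-Monthly-Octets", REQUEST_TIME, reset)
        for user in ("USERNAME", "other", "nobody")
        for reset in ("monthly", "daily")
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key:18} {result}")
```

With these rows the monthly counter for USERNAME rejects (1048576000 minus 3111228361 is negative) while the daily counter for the same user passes with 37347639 octets left, which is the kind of split the question's config has to cope with. The rcode here is only the module's result; whether an Access-Reject actually leaves the server is decided by the unlang around the module call, which is where the debug output in the question shows the rejection being lost.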
