[RADIATOR] check-items in chained authby queries

Linuxchuck linuxchuck at n-force.com
Thu Feb 3 14:11:58 CST 2011 

Hi Michael, Thanks for the response.

Actually, it does hit the AuthHOTP section.  I should have put a little more emphasis on the fact that there is an "AuthType=AuthHOTP" for the user when it is looked up in the database.  I did mention that, but it was kind of jammed into the beginning, and was probably easy to miss.

Here is the "slightly sanitized" debug output indicating AuthHOTP was indeed used:

Thu Feb  3 13:54:57 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Thu Feb  3 13:54:57 2011: DEBUG:  Deleting session for testuser, 192.168.xxx.xxx, 1
Thu Feb  3 13:54:57 2011: DEBUG: Handling with Radius::AuthGROUP: AuthSQL
Thu Feb  3 13:54:57 2011: DEBUG: Handling with Radius::AuthSQL:
Thu Feb  3 13:54:57 2011: DEBUG: Handling with Radius::AuthSQL:
Thu Feb  3 13:54:57 2011: DEBUG: Query is: 'select PASSWORD, CHECKATTR, 'GroupList="group1 group2 group3 group4 group5"' from SUBSCRIBERS where USERNAME='testuser'':
Thu Feb  3 13:54:57 2011: DEBUG: Radius::AuthSQL looks for match with testuser [testuser]
Thu Feb  3 13:54:57 2011: DEBUG: Handling with Radius::AuthGROUP: AuthHOTP
Thu Feb  3 13:54:57 2011: DEBUG: Handling with Radius::AuthSQLHOTP:
Thu Feb  3 13:54:57 2011: DEBUG: Radius::AuthSQLHOTP looks for match with testuser [testuser]
Thu Feb  3 13:54:57 2011: WARNING: This AuthBy does not know how to get user Groups
Thu Feb  3 13:54:57 2011: WARNING: This AuthBy does not know how to get user Groups
Thu Feb  3 13:54:57 2011: WARNING: This AuthBy does not know how to get user Groups
Thu Feb  3 13:54:57 2011: WARNING: This AuthBy does not know how to get user Groups
Thu Feb  3 13:54:57 2011: WARNING: This AuthBy does not know how to get user Groups
Thu Feb  3 13:54:57 2011: DEBUG: Radius::AuthSQLHOTP REJECT: User testuser is not in any group in GroupList: testuser [testuser]
Thu Feb  3 13:54:57 2011: DEBUG: Radius::AuthGROUP:AuthHOTP  result: REJECT, User testuser is not in any group in GroupList
Thu Feb  3 13:54:57 2011: DEBUG: Radius::AuthSQL REJECT: User testuser is not in any group in GroupList: testuser [testuser]
Thu Feb  3 13:54:57 2011: DEBUG: Query is: 'select PASSWORD, CHECKATTR, 'GroupList="group1 group2 group3 group4 group5"' from SUBSCRIBERS where USERNAME='DEFAULT'':
Thu Feb  3 13:54:57 2011: DEBUG: Radius::AuthGROUP:AuthSQLUSR  result: REJECT, User testuser is not in any group in GroupList
Thu Feb  3 13:54:57 2011: DEBUG: AuthBy GROUP result: REJECT, User testuser is not in any group in GroupList
Thu Feb  3 13:54:57 2011: INFO: Access rejected for testuser: User testuser is not in any group in GroupList

Thanks!

On 02/03/2011 01:43 PM, Michael wrote:
> 
> your "AuthBy GROUP AuthSQL" will not flow down into  the "AuthBy GROUP AuthHOTP".  I don't think the AuthHOTP will be used at all in this config.
> 
> Look like you need an "AuthBy AuthHOTP" in the AuthSQL config, like this:
>> <AuthBy GROUP>
>>          Identifier      AuthSQL
>>          AuthByPolicy    ContinueWhileAccept
>>          <AuthBy SQL>
>>                  GroupMembershipQuery    SELECT groupname FROM v_usergroups WHERE username=%0 AND groupname=%1
>>                  AuthSelect      select PASSWORD, 'Auth-Type=AuthHOTP', 'GroupList="Group1 Group2 Group3"' from SUBSCRIBERS where USERNAME=%0
>>                  AuthColumnDef   0, Class, request
>>                  AuthColumnDef   1, GENERIC, check
>>                  AuthColumnDef   2, GENERIC, check
>>          </AuthBy>
> 
> # now call the AuthHOTP
>     AuthBy AuthHOTP
> 
>> </AuthBy GROUP>
> 
> 
> Michael
> 
> 
> On 11-02-03 02:34 PM, Linuxchuck wrote:
>> Hello again,
>>
>> I am attempting to validate both the username and appropriate group membership via MySQL on an incoming access-request before bothering to process the HOTP password provided.  If the username doesn't exist, or the user is not a member of the group in the list provided, send a reject and stop processing.
>>
>> The problem I run into is that the grouplist check appears to be performed by the 2nd AuthBy clause, which fails because HOTP is not capable of checking groups.  I would like for the group check to occur prior to the HOTP check.
>>
>> Here is my config layout so far:
>>
>> FYI:  The user entry in MySQL provides a check-item of "Auth-Type=AuthHOTP"
>>
>> <AuthBy GROUP>
>>          Identifier      AuthSQL
>>          AuthByPolicy    ContinueWhileAccept
>>          <AuthBy SQL>
>>                  GroupMembershipQuery    SELECT groupname FROM v_usergroups WHERE username=%0 AND groupname=%1
>>                  AuthSelect      select PASSWORD, 'Auth-Type=AuthHOTP', 'GroupList="Group1 Group2 Group3"' from SUBSCRIBERS where USERNAME=%0
>>                  AuthColumnDef   0, Class, request
>>                  AuthColumnDef   1, GENERIC, check
>>                  AuthColumnDef   2, GENERIC, check
>>          </AuthBy>
>> </AuthBy GROUP>
>>
>> <AuthBy GROUP>
>>          Identifier              AuthHOTP
>>          <AuthBy SQLHOTP>
>>                  ...
>>          </AuthBy>
>> </AuthBy GROUP>
>>
>> <Realm DEFAULT>
>>          AuthBy AuthSQL
>> </Realm>
>>
>> I don't see any evidence that the Authby SQL is performing the group check, and the log tells me "WARNING: This AuthBy does not know how to get user Groups" under the HOTP section.
>>
>> Is there a way to accomplish what I'm after?
>>
>> Thanks!
>>
>> Chuck
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>

More information about the radiator mailing list