
#44 Disabling users, group daloRADIUS-Disabled-Users is ignored

Milestone: v0.9
Status: open
Owner: nobody
Priority: 5
Updated: 2013-12-06
Created: 2012-08-09
Private: No

When a user is disabled over the web interface, the user is added to the group "daloRADIUS-Disabled-Users". The idea is to send a RADIUS-Auth-Type reject to the NAS when a user is a member of this group. Now I discovered the following behaviour.

  • When the user is only in the group "daloRADIUS-Disabled-Users", freeradius rejects the connection
  • When the user is in multiple groups with equal priorities, but "daloRADIUS-Disabled-Users" appears first in the database, freeradius rejects the connection
  • When the user is in multiple groups and just one group has a higher priority than "daloRADIUS-Disabled-Users", freeradius allows connections.

Disabling users takes place in the file include/management/userOperations.php (function userDisable):

...
$sql = "INSERT IGNORE INTO ".$configValues['CONFIG_DB_TBL_RADUSERGROUP']." (Username,Groupname,Priority) ".
" VALUES ('$user','daloRADIUS-Disabled-Users',0) ";
...

So this group always has standard priority and normally would appear after other groups in the database when disabling a user.
When I change the line to something like

$sql = "INSERT IGNORE INTO ".$configValues['CONFIG_DB_TBL_RADUSERGROUP']." (Username,Groupname,Priority) ".
" VALUES ('$user','daloRADIUS-Disabled-Users',-999) ";

the priority is very low and will be sorted first by freeradius.

Is this behaviour known? Or is it maybe a bug from freeradius that it doesn't process the attributes of all groups?

Best regards
Andreas Bruckmeier

Discussion


  • Anonymous
    2013-02-19

    This is not a bug, this is a freeradius feature :) Please see the Fall-Through attribute in the freeradius docs.
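An audit for the behaviour discussed in this ticket, as an added example that is not part of the original report or of daloRADIUS: it lists disabled users whose "daloRADIUS-Disabled-Users" membership can be skipped because another group sorts at or before it and has no Fall-Through = Yes reply item. It assumes the stock FreeRADIUS SQL tables radusergroup and radgroupreply and a simplified model in which groups are walked in ascending priority and processing stops at the first group that does not fall through; the rows are constructed sample data run against an in-memory SQLite database.

```python
import sqlite3

DISABLED = "daloRADIUS-Disabled-Users"

# Constructed sample rows. Table and column names are assumed to match the
# stock FreeRADIUS SQL schema (radusergroup, radgroupreply).
SAMPLE = """
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupreply (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
INSERT INTO radusergroup VALUES
  ('alice', 'daloRADIUS-Disabled-Users', 0),
  ('bob',   'staff', 0),   ('bob',   'daloRADIUS-Disabled-Users', 0),
  ('carol', 'vpn', -5),    ('carol', 'daloRADIUS-Disabled-Users', 0),
  ('dave',  'guests', -5), ('dave',  'daloRADIUS-Disabled-Users', 0),
  ('erin',  'staff', 0),   ('erin',  'daloRADIUS-Disabled-Users', -999);
INSERT INTO radgroupreply VALUES
  ('staff',  'Session-Timeout', ':=', '3600'),
  ('vpn',    'Framed-Protocol', ':=', 'PPP'),
  ('guests', 'Session-Timeout', ':=', '600'),
  ('guests', 'Fall-Through',    '=',  'Yes');
"""

# A disable is at risk when another group of the same user can sort at or
# before the disabled group (equal priorities have no defined order) and that
# group has no Fall-Through = Yes reply item, so the walk may stop there.
AUDIT = """
SELECT d.username, o.groupname, o.priority
FROM radusergroup d
JOIN radusergroup o ON o.username = d.username AND o.groupname <> d.groupname
WHERE d.groupname = ? AND o.priority <= d.priority
  AND NOT EXISTS (SELECT 1 FROM radgroupreply r
                  WHERE r.groupname = o.groupname
                    AND r.attribute = 'Fall-Through'
                    AND lower(r.value) = 'yes')
ORDER BY d.username, o.priority, o.groupname
"""

def load_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE)
    return conn

def shadowed_disables(conn):
    """Return (username, blocking_group, priority) rows where the disable may be skipped."""
    return conn.execute(AUDIT, (DISABLED,)).fetchall()

if __name__ == "__main__":
    for user, group, prio in shadowed_disables(load_sample()):
        print(f"{user}: '{group}' (priority {prio}) can stop processing before {DISABLED}")
```

On the sample data this flags bob (equal priorities, order undefined) and carol (a non-falling-through group sorts first), while dave's earlier group falls through and erin's disabled membership at -999 sorts first.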

     

