
List:       freeradius-users
Subject:    Re: Repost: Properly using the := and = operators?
From:       Mike <mike-freeradius () tiedyenetworks ! com>
Date:       2006-12-27 22:17:29
Message-ID: 4592F0F9.80308 () tiedyenetworks ! com



Kevin Bonner wrote:
> > > 5 | suspended | Framed-IP-Address | =  | 10.10.0.2+      |
> > 
> mysql> select * from radgroupreply ;
> 
> The = operator here is incorrect, as you want to always override the 
> Framed-IP-Address.  Using := will replace any/all Framed-IP-Address 
> attributes in the reply with the one listed above.
> 
> 
> 
Yeah that's the problem. The documentation says that's what it does, but 
in fact it doesn't. Any Framed-IP-Address in radreply, supersedes and 
overrules any Framed-IP-Address from radgroupreply, and no operators 
change or alter that. I can put in a Framed-IP-Address in radgroupreply 
using = or :=, but it never ever overwrites Framed-IP-Address from 
radreply, and I can prove that group processing is happening because if 
I change it to +=, I then get both IP addresses in the reply. For example:


mysql> select * from radreply ;
+----+----------+-------------------+----+---------+
| id | UserName | Attribute         | op | Value   |
+----+----------+-------------------+----+---------+
|  4 | joe.user | Framed-IP-Address | := | 1.2.3.4 |
+----+----------+-------------------+----+---------+


mysql> select * from usergroup where GroupName = 'suspended';
+----------+-----------+----------+
| UserName | GroupName | priority |
+----------+-----------+----------+
| joe.user | suspended |        1 |
+----------+-----------+----------+



mysql> select * from radgroupreply where GroupName = 'suspended' ;
+----+-----------+-------------------+----+-----------------+
| id | GroupName | Attribute         | op | Value           |
+----+-----------+-------------------+----+-----------------+
|  6 | suspended | Framed-Netmask    | =  | 255.255.255.255 |
|  5 | suspended | Framed-IP-Address | += | 10.10.0.2+      |
| 10 | suspended | Framed-Filter-Id  | =  | "natroutes"     |
+----+-----------+-------------------+----+-----------------+
3 rows in set (0.00 sec)

radtest joe.user ididntpaymybill localhost 0 testing123 hello

Sending Access-Request of id 58 to 127.0.0.1 port 1812
        User-Name = "joe.user"
        User-Password = "ididntpaymybill"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
        Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=58, length=62
        Framed-IP-Address = 1.2.3.4
        Framed-IP-Address = 10.10.0.2
        Framed-IP-Netmask = 255.255.255.255
        Framed-Route = "40.0.0.0/16"
        Filter-Id = "natroutes"

So you can see both Framed-IP-Address from above. I got two because += 
added the 10.10.0.2 to the reply.

And now I'll change it back to := for show:

mysql> select * from radgroupreply where GroupName = 'suspended' ;
+----+-----------+-------------------+----+-----------------+
| id | GroupName | Attribute         | op | Value           |
+----+-----------+-------------------+----+-----------------+
|  6 | suspended | Framed-Netmask    | =  | 255.255.255.255 |
|  5 | suspended | Framed-IP-Address | := | 10.10.0.2+      |
| 10 | suspended | Framed-Filter-Id  | =  | "natroutes"     |
+----+-----------+-------------------+----+-----------------+
3 rows in set (0.00 sec)


radtest joe.user ididntpaymybill localhost 0 testing123 hello
Sending Access-Request of id 166 to 127.0.0.1 port 1812
        User-Name = "joe.user"
        User-Password = "ididntpaymybill"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
        Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=166, length=56
        Framed-IP-Address = 1.2.3.4
        Framed-IP-Netmask = 255.255.255.255
        Framed-Route = "40.0.0.0/16"
        Filter-Id = "natroutes"

Now you can see the Framed-IP-Address is 1.2.3.4 - it was not 
overwritten by the 10.10.0.2 from radgroupreply despite what the 
documentation seems to suggest and what you have stated. Can you suggest 
changes that will allow radgroupreply to set a Framed-IP-Address 
attribute that overwrites any set from radreply?



-- 
> --
> Do not try to make the creditors stop calling, for that is impossible. 
> Instead, only try to realise the truth: THERE IS NO PHONE!
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
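
An audit for the situation described in this message, as an added example that is not part of the original post: it lists members of a group whose radreply rows define an attribute that the group's radgroupreply also sets, which is where the poster saw the per-user value survive. Table and column names follow the output above; the in-memory SQLite database, the sample rows, the user ann.user and the function names are constructed for illustration.

```python
import sqlite3

# Constructed sample rows mirroring the tables shown in the message above.
SCHEMA = """
CREATE TABLE radreply (id INTEGER, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup (UserName TEXT, GroupName TEXT, priority INTEGER);
CREATE TABLE radgroupreply (id INTEGER, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
INSERT INTO radreply VALUES (4, 'joe.user', 'Framed-IP-Address', ':=', '1.2.3.4');
INSERT INTO usergroup VALUES ('joe.user', 'suspended', 1);
INSERT INTO usergroup VALUES ('ann.user', 'suspended', 1);  -- hypothetical: no radreply row
INSERT INTO radgroupreply VALUES (6, 'suspended', 'Framed-Netmask', '=', '255.255.255.255');
INSERT INTO radgroupreply VALUES (5, 'suspended', 'Framed-IP-Address', ':=', '10.10.0.2+');
INSERT INTO radgroupreply VALUES (10, 'suspended', 'Framed-Filter-Id', '=', '"natroutes"');
"""

# For every member of the group, pair each group reply attribute with a
# per-user reply row of the same attribute name. Each hit is an account whose
# reply may not carry (only) the group's value for that attribute.
AUDIT = """
SELECT ug.UserName, gr.Attribute, ur.op, ur.Value, gr.op, gr.Value
FROM usergroup ug
JOIN radgroupreply gr ON gr.GroupName = ug.GroupName
JOIN radreply ur ON ur.UserName = ug.UserName AND ur.Attribute = gr.Attribute
WHERE ug.GroupName = ?
ORDER BY ug.UserName, gr.Attribute
"""


def find_collisions(conn, group):
    """Return (user, attribute, user_op, user_value, group_op, group_value) rows."""
    return conn.execute(AUDIT, (group,)).fetchall()


def demo():
    """Build the constructed tables in memory and audit the 'suspended' group."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return find_collisions(conn, "suspended")


if __name__ == "__main__":
    for user, attr, u_op, u_val, g_op, g_val in demo():
        print(f"{user}: {attr} radreply {u_op} {u_val} / radgroupreply {g_op} {g_val}")
```

Against a live database the same query can be run directly in the mysql client, with the group name substituted for the placeholder.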

