Hi Michael,

Thanks for the response. Actually, it does hit the AuthHOTP section. I should have put a little more emphasis on the fact that there is an "AuthType=AuthHOTP" for the user when it is looked up in the database. I did mention that, but it was kind of jammed into the beginning, and was probably easy to miss.

Here is the "slightly sanitized" debug output indicating AuthHOTP was indeed used:

Thu Feb 3 13:54:57 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Thu Feb 3 13:54:57 2011: DEBUG: Deleting session for testuser, 192.168.xxx.xxx, 1
Thu Feb 3 13:54:57 2011: DEBUG: Handling with Radius::AuthGROUP: AuthSQL
Thu Feb 3 13:54:57 2011: DEBUG: Handling with Radius::AuthSQL:
Thu Feb 3 13:54:57 2011: DEBUG: Handling with Radius::AuthSQL:
Thu Feb 3 13:54:57 2011: DEBUG: Query is: 'select PASSWORD, CHECKATTR, 'GroupList="group1 group2 group3 group4 group5"' from SUBSCRIBERS where USERNAME='testuser'':
Thu Feb 3 13:54:57 2011: DEBUG: Radius::AuthSQL looks for match with testuser [testuser]
Thu Feb 3 13:54:57 2011: DEBUG: Handling with Radius::AuthGROUP: AuthHOTP
Thu Feb 3 13:54:57 2011: DEBUG: Handling with Radius::AuthSQLHOTP:
Thu Feb 3 13:54:57 2011: DEBUG: Radius::AuthSQLHOTP looks for match with testuser [testuser]
Thu Feb 3 13:54:57 2011: WARNING: This AuthBy does not know how to get user Groups
Thu Feb 3 13:54:57 2011: WARNING: This AuthBy does not know how to get user Groups
Thu Feb 3 13:54:57 2011: WARNING: This AuthBy does not know how to get user Groups
Thu Feb 3 13:54:57 2011: WARNING: This AuthBy does not know how to get user Groups
Thu Feb 3 13:54:57 2011: WARNING: This AuthBy does not know how to get user Groups
Thu Feb 3 13:54:57 2011: DEBUG: Radius::AuthSQLHOTP REJECT: User testuser is not in any group in GroupList: testuser [testuser]
Thu Feb 3 13:54:57 2011: DEBUG: Radius::AuthGROUP:AuthHOTP result: REJECT, User testuser is not in any group in GroupList
Thu Feb 3 13:54:57 2011: DEBUG: Radius::AuthSQL REJECT: User testuser is not in any group in GroupList: testuser [testuser]
Thu Feb 3 13:54:57 2011: DEBUG: Query is: 'select PASSWORD, CHECKATTR, 'GroupList="group1 group2 group3 group4 group5"' from SUBSCRIBERS where USERNAME='DEFAULT'':
Thu Feb 3 13:54:57 2011: DEBUG: Radius::AuthGROUP:AuthSQLUSR result: REJECT, User testuser is not in any group in GroupList
Thu Feb 3 13:54:57 2011: DEBUG: AuthBy GROUP result: REJECT, User testuser is not in any group in GroupList
Thu Feb 3 13:54:57 2011: INFO: Access rejected for testuser: User testuser is not in any group in GroupList

Thanks!

On 02/03/2011 01:43 PM, Michael wrote:
>
> your "AuthBy GROUP AuthSQL" will not flow down into the "AuthBy GROUP
> AuthHOTP". I don't think the AuthHOTP will be used at all in this config.
>
> Look like you need an "AuthBy AuthHOTP" in the AuthSQL config, like this:
>> <AuthBy GROUP>
>>     Identifier AuthSQL
>>     AuthByPolicy ContinueWhileAccept
>>     <AuthBy SQL>
>>         GroupMembershipQuery SELECT groupname FROM v_usergroups
>>             WHERE username=%0 AND groupname=%1
>>         AuthSelect select PASSWORD, 'Auth-Type=AuthHOTP',
>>             'GroupList="Group1 Group2 Group3"' from SUBSCRIBERS where USERNAME=%0
>>         AuthColumnDef 0, Class, request
>>         AuthColumnDef 1, GENERIC, check
>>         AuthColumnDef 2, GENERIC, check
>>     </AuthBy>
>
>     # now call the AuthHOTP
>     AuthBy AuthHOTP
>
>> </AuthBy GROUP>
>
>
> Michael
>
>
> On 11-02-03 02:34 PM, Linuxchuck wrote:
>> Hello again,
>>
>> I am attempting to validate both the username and appropriate group
>> membership via MySQL on an incoming access-request before bothering to
>> process the HOTP password provided. If the username doesn't exist, or the
>> user is not a member of the group in the list provided, send a reject and
>> stop processing.
>>
>> The problem I run into is that the grouplist check appears to be performed
>> by the 2nd AuthBy clause, which fails because HOTP is not capable of
>> checking groups. I would like for the group check to occur prior to the
>> HOTP check.
>>
>> Here is my config layout so far:
>>
>> FYI: The user entry in MySQL provides a check-item of "Auth-Type=AuthHOTP"
>>
>> <AuthBy GROUP>
>>     Identifier AuthSQL
>>     AuthByPolicy ContinueWhileAccept
>>     <AuthBy SQL>
>>         GroupMembershipQuery SELECT groupname FROM v_usergroups
>>             WHERE username=%0 AND groupname=%1
>>         AuthSelect select PASSWORD, 'Auth-Type=AuthHOTP',
>>             'GroupList="Group1 Group2 Group3"' from SUBSCRIBERS where USERNAME=%0
>>         AuthColumnDef 0, Class, request
>>         AuthColumnDef 1, GENERIC, check
>>         AuthColumnDef 2, GENERIC, check
>>     </AuthBy>
>> </AuthBy GROUP>
>>
>> <AuthBy GROUP>
>>     Identifier AuthHOTP
>>     <AuthBy SQLHOTP>
>>         ...
>>     </AuthBy>
>> </AuthBy GROUP>
>>
>> <Realm DEFAULT>
>>     AuthBy AuthSQL
>> </Realm>
>>
>> I don't see any evidence that the Authby SQL is performing the group check,
>> and the log tells me "WARNING: This AuthBy does not know how to get user
>> Groups" under the HOTP section.
>>
>> Is there a way to accomplish what I'm after?
>>
>> Thanks!
>>
>> Chuck
>> _______________________________________________
>> radiator mailing list
>> radiator@open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
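
Added example, not part of the thread and not Radiator code: a short script that attributes each WARNING and REJECT in a debug trace like the one above to the AuthBy module most recently announced by a "Handling with Radius::..." line. The sample lines are a constructed excerpt modelled on the posted output, and treating the latest "Handling with" line as the active module is an assumption of this example.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the debug output posted in this thread.
SAMPLE = """\
Thu Feb 3 13:54:57 2011: DEBUG: Handling with Radius::AuthGROUP: AuthSQL
Thu Feb 3 13:54:57 2011: DEBUG: Handling with Radius::AuthSQL:
Thu Feb 3 13:54:57 2011: DEBUG: Radius::AuthSQL looks for match with testuser [testuser]
Thu Feb 3 13:54:57 2011: DEBUG: Handling with Radius::AuthGROUP: AuthHOTP
Thu Feb 3 13:54:57 2011: DEBUG: Handling with Radius::AuthSQLHOTP:
Thu Feb 3 13:54:57 2011: WARNING: This AuthBy does not know how to get user Groups
Thu Feb 3 13:54:57 2011: WARNING: This AuthBy does not know how to get user Groups
Thu Feb 3 13:54:57 2011: DEBUG: Radius::AuthSQLHOTP REJECT: User testuser is not in any group in GroupList: testuser [testuser]
Thu Feb 3 13:54:57 2011: DEBUG: Radius::AuthSQL REJECT: User testuser is not in any group in GroupList: testuser [testuser]
"""

# "<weekday> <month> <day> <time> <year>: <LEVEL>: <message>"
LINE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4}: (\w+): (.*)$")
HANDLING = re.compile(r"^Handling with Radius::(\w+):")
REJECT = re.compile(r"^Radius::(\w+) REJECT: (.*)$")


def trace(log_text):
    """Return (warning count per active module, ordered [(module, reason)] rejects)."""
    active = None            # module named by the latest "Handling with" line (assumption)
    warnings = Counter()
    rejects = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue         # not a timestamped log line
        level, msg = m.groups()
        h = HANDLING.match(msg)
        if h:
            if h.group(1) != "AuthGROUP":   # the GROUP wrapper only dispatches
                active = h.group(1)
            continue
        if level == "WARNING":
            warnings[active] += 1
        r = REJECT.match(msg)
        if r:
            rejects.append((r.group(1), r.group(2)))
    return warnings, rejects


def first_rejecting_module(log_text):
    """Name of the module that logged the first REJECT, or None."""
    _, rejects = trace(log_text)
    return rejects[0][0] if rejects else None
```

On the constructed excerpt, both warnings and the first REJECT are attributed to AuthSQLHOTP, with the AuthSQL REJECT following it.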