| [ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
If you have more than one entry in your ‘users’ file it is not always obvious which of the entries were used for authentication. The authentication data flow becomes even harder to understand if there are some complex rules in the ‘hints’ and ‘huntgroups’ files.
The rule tracing mode is intended to help you find out the exact
order of the rules that each request matched during processing.
The mode is toggled by trace-rules statement in auth
or acct block of your ‘config’ file. When rule tracing
mode is on for a given type of requests, radiusd will
display the data flow diagram for each processed request of this
type. The diagram is output on info logging category,
it represents the list of rules in reverse chronological order.
Each rule is represented by its location in the form
filename:line. To make the output more compact, if
several rules appear in the same configuration file, their locations
are listed as a comma-separated list of numbers after the file name.
Furthermore, if the configuration files have the same path prefix,
then only the first file name appears with the full prefix.
Here is an example of trace rule diagram:
|
This diagram means, that the authentication request from server ‘foo’ for user ‘bar’ with ID 170 matched the following rules
File name | Line number |
‘/etc/raddb/hints’ | 34 |
‘/etc/raddb/huntgroups’ | 72 |
‘/etc/raddb/users’ | 3 |
‘/etc/raddb/users’ | 22 |
‘/etc/raddb/users’ | 157 |
As a practical example, let's suppose you have the following setup. There are three classes of users:
In addition, users from the first two classes are accounted using
custom Scheme procedure staff-acct.
The configuration files for this setup are showed below:
Contents of ‘hints’:
DEFAULT Group = "root"
Scheme-Acct-Procedure = "staff-acct",
Hint = "admin"
DEFAULT Group = "staff"
Scheme-Acct-Procedure = "staff-acct",
Hint = "staff"
|
Contents of file ‘users’:
DEFAULT Auth-Type = SQL,
Simultaneous-Use = 1
Service-Type = Framed-User,
Framed-Protocol = PPP
DEFAULT Hint = "admin",
Auth-Type = System
Service-Type = Login-User,
Login-IP-Host = 192.168.0.1,
Login-Service = Rlogin
DEFAULT Hint = "staff",
Auth-Type = System,
Simultaneous-Use = 1
Service-Type = Login-User,
Login-IP-Host = 192.168.0.2,
Login-Service = Telnet
|
Now, let's suppose that user ‘svp’ is in the group
‘staff’ and is trying to log in. However, he fails to do so and
in radiusd logs you see:
|
Why? To answer this question, you add to auth block of your
‘config’ the statement
trace-rules yes; |
and ask user ‘svp’ to retry his attempt. Now you see in your logs:
|
This means that the request for ‘svp’ has first matched rule on the line 1 of file ‘hints’, then the rule on line 1 of file ‘users’. Now you see the error: the entries in ‘users’ appear in wrong order! After fixing it your ‘users’ looks like:
DEFAULT Hint = "admin",
Auth-Type = System
Service-Type = Login-User,
Login-IP-Host = 192.168.0.1,
Login-Service = Rlogin
DEFAULT Hint = "staff",
Auth-Type = System,
Simultaneous-Use = 1
Service-Type = Login-User,
Login-IP-Host = 192.168.0.2,
Login-Service = Telnet
DEFAULT Auth-Type = SQL,
Simultaneous-Use = 1
Service-Type = Framed-User,
Framed-Protocol = PPP
|
Now, you ask ‘svp’ to log in again, and see:
|
Let's also suppose that user ‘plog’ is not listed in groups “root” and “staff”, so he is supposed to authenticate using SQL. When he logs in, you see in your logs:
|
| [ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] |
This document was generated by Sergey Poznyakoff on December, 6 2008 using texi2html 1.78.