Despite reading everything I can find, performing many different experiments, turning the issue over to a UNIX hack with 20 years of experience, and asking questions on lots of different forums, I cannot figure out a problem I have with RADIUS. I am sure it is due to my ignorance, and not a bug - in fact, I suspect that this is very easy to solve, but that no one has thought to offer up such a basic piece of info. Any help would be appreciated.
We are a WISP; we have FreeRADIUS running with MySQL. The NASs that currently use RADIUS (SmartBridge XOs) transmit the CPE's MAC address as both UserName and Password. We have new and better NASs (MikroTik) that transmit the CPE's MAC address as the UserName, but with a "null" password. What we want is "simple" - for both NASs to validate off of RADIUS. BUT because of the difference in Passwords, the same entry in RadCheck won't do it.
There is a lot of debug output below, bracketed by "------------------"s, and divided into three different approaches: two entries in radcheck, rewriting the password attribute in the request, and using different operators under both "password = mac" and "password = null" conditions.
First Approach: I have tried to have 2 entries in RadCheck with the same username (one where password = username, one where password = <null>), however that causes neither NAS to be able to authenticate a request. I thought that perhaps this was a function of "Fall Through" (mentioned as living in the Users file), however I haven't been able to find the MySQL version of "Fall Through" and am not even sure that would do what I want. Below I list Accepts and Rejects from both devices under two different scenarios. After the fourth debug output, I continue describing other steps I've tried.
This is an XO, getting an Accept, with only the one entry in radcheck: ------------------------------- rad_recv: Access-Request packet from host 10.0.1.243:1812, id=15, length=52 User-Name = "00026f341586" User-Password = "00026f341586" rad_lowerpair: User-Name now '00026f341586' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 57787 modcall[authorize]: module "preprocess" returns ok for request 57787 radius_xlat: ':' rlm_attr_rewrite: No match found for attribute User-Name with value '00026f341586' modcall[authorize]: module "mac_colons" returns ok for request 57787 modcall[authorize]: module "chap" returns noop for request 57787 modcall[authorize]: module "mschap" returns noop for request 57787 rlm_realm: No '@' in User-Name = "00026f341586", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 57787 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 57787 users: Matched DEFAULT at 152 modcall[authorize]: module "files" returns ok for request 57787 radius_xlat: '00026f341586' rlm_sql (sql): sql_set_user escaped user --> '00026f341586' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '00026f341586' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 2 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '00026f341586' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '00026f341586' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '00026f341586' AND usergroup.GroupName = 
radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '00026f341586' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '00026f341586' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '00026f341586' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '00026f341586' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 2 modcall[authorize]: module "sql" returns ok for request 57787 modcall: group authorize returns ok for request 57787 rad_check_password: Found Auth-Type Local auth: type Local auth: user supplied User-Password matches local User-Password Sending Access-Accept of id 15 to 10.0.1.243:1812 Limit-Rate-Downlink = 5000 Limit-Rate-Uplink = 5000 Finished request 57787 ----------------------------- This is an XO, getting a reject, with two entries in radcheck - one with the password filled with the actual password the XO is sending, and one with the password as <null>: ------------------------------ rad_recv: Access-Request packet from host 10.0.0.243:1812, id=5, length=52 User-Name = "000d2f00f0e3" User-Password = "000d2f00f0e3" rad_lowerpair: User-Name now '000d2f00f0e3' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 58582 modcall[authorize]: module "preprocess" returns ok for request 58582 radius_xlat: ':' rlm_attr_rewrite: No match found for attribute User-Name with value '000d2f00f0e3' modcall[authorize]: module "mac_colons" returns ok for request 58582 
modcall[authorize]: module "chap" returns noop for request 58582 modcall[authorize]: module "mschap" returns noop for request 58582 rlm_realm: No '@' in User-Name = "000d2f00f0e3", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 58582 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 58582 users: Matched DEFAULT at 152 modcall[authorize]: module "files" returns ok for request 58582 radius_xlat: '000d2f00f0e3' rlm_sql (sql): sql_set_user escaped user --> '000d2f00f0e3' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '000d2f00f0e3' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 2 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '000d2f00f0e3' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '000d2f00f0e3' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '000d2f00f0e3' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '000d2f00f0e3' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '000d2f00f0e3' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '000d2f00f0e3' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '000d2f00f0e3' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): No matching entry in the database for request from user [000d2f00f0e3] rlm_sql (sql): Released sql socket id: 2 modcall[authorize]: module "sql" returns notfound for request 58582 modcall: group authorize returns ok for request 58582 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 58582 modcall[authenticate]: module "unix" returns notfound for request 58582 modcall: group authenticate returns notfound for request 58582 auth: Failed to validate the user. Sending Access-Reject of id 5 to 10.0.0.243:1812 ---------------------- This is a MikroTik, getting an Accept, with only one entry (password = null): ---------------------- rad_recv: Access-Request packet from host 10.35.0.30:1481, id=131, length=60 Service-Type = Framed-User NAS-Port-Id = "wlan1" User-Name = "00:0A:E9:06:29:07" User-Password = "" NAS-IP-Address = 10.35.0.30 rad_lowerpair: User-Name now '00:0a:e9:06:29:07' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 57452 modcall[authorize]: module "preprocess" returns ok for request 57452 radius_xlat: ':' rlm_attr_rewrite: Changed value for attribute User-Name from '00:0a:e9:06:29:07' to '000ae9062907' modcall[authorize]: module "mac_colons" returns ok for request 57452 modcall[authorize]: module "chap" returns noop for request 57452 modcall[authorize]: module "mschap" returns noop for request 57452 rlm_realm: No '@' in User-Name = "000ae9062907", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 57452 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" 
returns noop for request 57452 users: Matched DEFAULT at 152 users: Matched DEFAULT at 171 modcall[authorize]: module "files" returns ok for request 57452 radius_xlat: '000ae9062907' rlm_sql (sql): sql_set_user escaped user --> '000ae9062907' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '000ae9062907' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 2 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '000ae9062907' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '000ae9062907' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '000ae9062907' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '000ae9062907' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '000ae9062907' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '000ae9062907' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '000ae9062907' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 2 modcall[authorize]: module "sql" returns ok for request 57452 modcall: group authorize returns ok for request 
57452
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 131 to 10.35.0.30:1481
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Limit-Rate-Downlink = 5000
Limit-Rate-Uplink = 5000
Recv-Limit = 5000
Xmit-Limit = 5000
--------------------------
This is a MikroTik, getting a reject, with two entries in radcheck:
---------------------------
rad_recv: Access-Request packet from host 10.35.0.30:1337, id=118, length=60
Service-Type = Framed-User
NAS-Port-Id = "wlan1"
User-Name = "00:0A:E9:06:29:07"
User-Password = ""
NAS-IP-Address = 10.35.0.30
rad_lowerpair: User-Name now '00:0a:e9:06:29:07'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 55957
modcall[authorize]: module "preprocess" returns ok for request 55957
radius_xlat: ':'
rlm_attr_rewrite: Changed value for attribute User-Name from '00:0a:e9:06:29:07' to '000ae9062907'
modcall[authorize]: module "mac_colons" returns ok for request 55957
modcall[authorize]: module "chap" returns noop for request 55957
modcall[authorize]: module "mschap" returns noop for request 55957
rlm_realm: No '@' in User-Name = "000ae9062907", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 55957
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 55957
users: Matched DEFAULT at 152
users: Matched DEFAULT at 171
modcall[authorize]: module "files" returns ok for request 55957
radius_xlat: '000ae9062907'
rlm_sql (sql): sql_set_user escaped user --> '000ae9062907'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '000ae9062907' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '000ae9062907' ORDER BY id
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '000ae9062907' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '000ae9062907' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '000ae9062907' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '000ae9062907' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '000ae9062907' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '000ae9062907' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): No matching entry in the database for request from user [000ae9062907] rlm_sql (sql): Released sql socket id: 2 modcall[authorize]: module "sql" returns notfound for request 55957 modcall: group authorize returns ok for request 55957 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 55957 modcall[authenticate]: module "unix" returns notfound for request 55957 modcall: group authenticate returns notfound for request 55957 auth: Failed to validate the user. 
Delaying request 55957 for 1 seconds
Finished request 55957
Going to the next request
Sending Access-Reject of id 118 to 10.35.0.30:1337
-------------------------------
Second Approach: We have tried to use attr_rewrite to write the MAC into the Auth Request's Password attribute, but were unsuccessful. Seems like if it comes in as anything BUT "null", it can be rewritten. The debug output when trying to rewrite a null password is below:
"rlm_attr_rewrite: Attribute User-Password string value NULL or of zero length"
" modcall[authorize]: module "blank_password"returns noop for request 10"
Don't see how it's possible to go the other way with this approach (strip the XO's Password of everything so that it's null) because what would you search for...?
Third Approach: I read "man 5 users" and tried different operators. "Surely, I can just tell it to accept if a password is in the request at all, whether it's actually a string or not" - wrong. I have tried different operators under two different scenarios - with the Password populated, and with the Password blank - the results are below, along with debug output.
Scenario 1: Password field has username in it
Password ==
MikroTik - Reject
XO - Accept (this is how we are set up right now)
-------------------------------------------------------
Password >=
MT - Reject
XO - Accept
Debug:
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 10.35.0.30:1482, id=133, length=60 Service-Type = Framed-User NAS-Port-Id = "wlan1" User-Name = "00:0A:E9:06:29:07" User-Password = "" NAS-IP-Address = 10.35.0.30 rad_lowerpair: User-Name now '00:0a:e9:06:29:07' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1324 modcall[authorize]: module "preprocess" returns ok for request 1324 radius_xlat: ':' rlm_attr_rewrite: Changed value for attribute User-Name from '00:0a:e9:06:29:07' to '000ae9062907' modcall[authorize]: module "mac_colons" returns ok for request 1324 modcall[authorize]: module "chap" returns noop for request 1324 modcall[authorize]: module "mschap" returns noop for request 1324 rlm_realm: No '@' in User-Name = "000ae9062907", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1324 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1324 users: Matched DEFAULT at 152 users: Matched DEFAULT at 174 modcall[authorize]: module "files" returns ok for request 1324 radius_xlat: '000ae9062907' rlm_sql (sql): sql_set_user escaped user --> '000ae9062907' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '000ae9062907' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 0 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '000ae9062907' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '000ae9062907' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '000ae9062907' AND usergroup.GroupName = 
radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '000ae9062907' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '000ae9062907' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '000ae9062907' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '000ae9062907' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): No matching entry in the database for request from user [000ae9062907] rlm_sql (sql): Released sql socket id: 0 modcall[authorize]: module "sql" returns notfound for request 1324 modcall: group authorize returns ok for request 1324 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1324 modcall[authenticate]: module "unix" returns notfound for request 1324 modcall: group authenticate returns notfound for request 1324 auth: Failed to validate the user. ---------------------------------------------------------------------------- ----------- Password =* MT - Accept XO - Reject Based on this from man 5 users: "Attribute =* Value As a check item, it matches if the request contains the named attribute, no matter what the value is. Not allowed as a reply item." I thought for SURE that this would work. 
But notice how the XOs reject this, while the MTs accept (different than the other two expressions under this condition)...here's the debug of an XO being rejected with this operator: rad_recv: Access-Request packet from host 10.0.0.243:1812, id=3, length=52 User-Name = "00301a04a7e0" User-Password = "00301a04a7e0" rad_lowerpair: User-Name now '00301a04a7e0' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1262 modcall[authorize]: module "preprocess" returns ok for request 1262 radius_xlat: ':' rlm_attr_rewrite: No match found for attribute User-Name with value '00301a04a7e0' modcall[authorize]: module "mac_colons" returns ok for request 1262 modcall[authorize]: module "chap" returns noop for request 1262 modcall[authorize]: module "mschap" returns noop for request 1262 rlm_realm: No '@' in User-Name = "00301a04a7e0", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1262 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1262 users: Matched DEFAULT at 152 modcall[authorize]: module "files" returns ok for request 1262 radius_xlat: '00301a04a7e0' rlm_sql (sql): sql_set_user escaped user --> '00301a04a7e0' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '00301a04a7e0' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 2 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '00301a04a7e0' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE 
usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '00301a04a7e0' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '00301a04a7e0' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 2 modcall[authorize]: module "sql" returns ok for request 1262 modcall: group authorize returns ok for request 1262 rad_check_password: Found Auth-Type Local auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. 
---------------------------------------------------------------------------- ----------- Password <= MT - Reject XO - Accept rad_recv: Access-Request packet from host 10.35.0.30:1492, id=154, length=60 Service-Type = Framed-User NAS-Port-Id = "wlan1" User-Name = "00:0A:E9:06:29:07" User-Password = "" NAS-IP-Address = 10.35.0.30 rad_lowerpair: User-Name now '00:0a:e9:06:29:07' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 128 modcall[authorize]: module "preprocess" returns ok for request 128 radius_xlat: ':' rlm_attr_rewrite: Changed value for attribute User-Name from '00:0a:e9:06:29:07' to '000ae9062907' modcall[authorize]: module "mac_colons" returns ok for request 128 modcall[authorize]: module "chap" returns noop for request 128 modcall[authorize]: module "mschap" returns noop for request 128 rlm_realm: No '@' in User-Name = "000ae9062907", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 128 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 128 users: Matched DEFAULT at 152 users: Matched DEFAULT at 174 modcall[authorize]: module "files" returns ok for request 128 radius_xlat: '000ae9062907' rlm_sql (sql): sql_set_user escaped user --> '000ae9062907' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '000ae9062907' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 1 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '000ae9062907' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '000ae9062907' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche 
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '000ae9062907' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '000ae9062907' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '000ae9062907' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '000ae9062907' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '000ae9062907' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 1 modcall[authorize]: module "sql" returns ok for request 128 modcall: group authorize returns ok for request 128 rad_check_password: Found Auth-Type Local auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. 
Scenario 2: Password field is null Password == MT - Accept XO - Reject (this would be our config if we didn't have any XOs, and I wouldn't have this issue) -------------------------------------------------------------------- Password >= MT - Accept XO - Reject rad_recv: Access-Request packet from host 10.0.0.243:1812, id=201, length=52 User-Name = "00301a04a7e0" User-Password = "00301a04a7e0" rad_lowerpair: User-Name now '00301a04a7e0' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 484 modcall[authorize]: module "preprocess" returns ok for request 484 radius_xlat: ':' rlm_attr_rewrite: No match found for attribute User-Name with value '00301a04a7e0' modcall[authorize]: module "mac_colons" returns ok for request 484 modcall[authorize]: module "chap" returns noop for request 484 modcall[authorize]: module "mschap" returns noop for request 484 rlm_realm: No '@' in User-Name = "00301a04a7e0", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 484 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 484 users: Matched DEFAULT at 152 modcall[authorize]: module "files" returns ok for request 484 radius_xlat: '00301a04a7e0' rlm_sql (sql): sql_set_user escaped user --> '00301a04a7e0' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '00301a04a7e0' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 0 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '00301a04a7e0' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche 
ck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '00301a04a7e0' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '00301a04a7e0' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 0 modcall[authorize]: module "sql" returns ok for request 484 modcall: group authorize returns ok for request 484 rad_check_password: Found Auth-Type Local auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. 
--------------------------------------------------------------------------------

Password =*
MT - Accept
XO - Reject

rad_recv: Access-Request packet from host 10.0.0.243:1812, id=8, length=52
User-Name = "00301a04a7e0"
User-Password = "00301a04a7e0"
rad_lowerpair: User-Name now '00301a04a7e0'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 345
modcall[authorize]: module "preprocess" returns ok for request 345
radius_xlat: ':'
rlm_attr_rewrite: No match found for attribute User-Name with value '00301a04a7e0'
modcall[authorize]: module "mac_colons" returns ok for request 345
modcall[authorize]: module "chap" returns noop for request 345
modcall[authorize]: module "mschap" returns noop for request 345
rlm_realm: No '@' in User-Name = "00301a04a7e0", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 345
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 345
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 345
radius_xlat: '00301a04a7e0'
rlm_sql (sql): sql_set_user escaped user --> '00301a04a7e0'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '00301a04a7e0' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '00301a04a7e0' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '00301a04a7e0' ORDER BY id'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '00301a04a7e0' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 345
modcall: group authorize returns ok for request 345
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Delaying request 345 for 1 seconds
Finished request 345
Going to the next request
------------------------------------------------------------------------------------------

Password <=
MT - Accept
XO - there are two components in an XO that query RADIUS, a "Supervisor" and a "Radio". With a null password, and the "<=" operator, the Supervisor gets an Accept, but the Radio gets a Reject.

rad_recv: Access-Request packet from host 10.0.0.243:1812, id=226, length=52
User-Name = "00301a04a7e0"
User-Password = "00301a04a7e0"
rad_lowerpair: User-Name now '00301a04a7e0'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 18
modcall[authorize]: module "preprocess" returns ok for request 18
radius_xlat: ':'
rlm_attr_rewrite: No match found for attribute User-Name with value '00301a04a7e0'
modcall[authorize]: module "mac_colons" returns ok for request 18
modcall[authorize]: module "chap" returns noop for request 18
modcall[authorize]: module "mschap" returns noop for request 18
rlm_realm: No '@' in User-Name = "00301a04a7e0", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 18
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 18
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 18
radius_xlat: '00301a04a7e0'
rlm_sql (sql): sql_set_user escaped user --> '00301a04a7e0'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '00301a04a7e0' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '00301a04a7e0' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '00301a04a7e0' ORDER BY id'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '00301a04a7e0' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '00301a04a7e0' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): No matching entry in the database for request from user [00301a04a7e0]
rlm_sql (sql): Released sql socket id: 1
modcall[authorize]: module "sql" returns notfound for request 18
modcall: group authorize returns ok for request 18
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 18
modcall[authenticate]: module "unix" returns notfound for request 18
modcall: group authenticate returns notfound for request 18
auth: Failed to validate the user.
Delaying request 18 for 1 seconds
-------------------------------------------------

So...that's "it". I am a RADIUS novice but have got to assume that what I want to do is possible...isn't it?

Brian Ammons
[EMAIL PROTECTED]
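
A triage helper for debug output like that in the post above, added here as an example and not part of the original message: it splits the output on rad_recv and reports, per request, what the sql module returned, which Auth-Type was chosen, and whether the stored-password comparison failed. The sample input is constructed, abridged from requests 345 and 18 above; the function and field names are hypothetical.

```python
import re

# Constructed sample: abridged from requests 345 and 18 in the post (SQL query lines omitted).
SAMPLE = """\
rad_recv: Access-Request packet from host 10.0.0.243:1812, id=8, length=52
User-Name = "00301a04a7e0"
User-Password = "00301a04a7e0"
modcall[authorize]: module "sql" returns ok for request 345
rad_check_password: Found Auth-Type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
rad_recv: Access-Request packet from host 10.0.0.243:1812, id=226, length=52
User-Name = "00301a04a7e0"
User-Password = "00301a04a7e0"
rlm_sql (sql): No matching entry in the database for request from user [00301a04a7e0]
modcall[authorize]: module "sql" returns notfound for request 18
rad_check_password: Found Auth-Type System
modcall[authenticate]: module "unix" returns notfound for request 18
auth: Failed to validate the user.
"""

HOST = re.compile(r'packet from host ([\d.]+):\d+, id=(\d+)')
ATTR = re.compile(r'(User-Name|User-Password) = "([^"]*)"')
MODULE = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+) for request (\d+)')
AUTH_TYPE = re.compile(r'Found Auth-Type (\w+)')

def summarize(debug_text):
    """Summarize each Access-Request; regexes do not depend on line breaks."""
    rows = []
    for chunk in debug_text.split("rad_recv: ")[1:]:
        host = HOST.search(chunk)
        if not host:
            continue
        attrs = dict(ATTR.findall(chunk))          # request attributes as logged
        mods = MODULE.findall(chunk)               # (section, module, result, request)
        auth_type = AUTH_TYPE.search(chunk)
        rows.append({
            "nas": host.group(1),
            "request": mods[0][3] if mods else None,
            "password_is_mac": "User-Name" in attrs
                               and attrs.get("User-Password") == attrs["User-Name"],
            "sql": next((r for s, m, r, _ in mods if (s, m) == ("authorize", "sql")), None),
            "auth_type": auth_type.group(1) if auth_type else None,
            "mismatch": "does NOT match local User-Password" in chunk,
            "rejected": "Failed to validate the user" in chunk,
        })
    return rows

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

Run over the two rejects, it separates a request where the radcheck row matched but the stored password differed (Auth-Type Local) from one where no SQL entry matched at all and the request went on to Auth-Type System.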