I have been successfully authenticating individual users between a PIX 515 VPN and FreeRADIUS server. I'm using MySQL as the data storage on the RADIUS server.
Recently I began changing the way I manage the ACLs on the PIX and began setting up user-specific ACLs that get set after logging in via the VPN.

On the PIX:

    access-list myvpntest permit ip...

and so forth.

On RADIUS (MySQL):

    insert into radcheck (UserName,Attribute,op,Value) values ('josh','Filter-Id','=','myvpntest');

Now when I attempt to log in with my VPN client I get denied. Here's a snippet of the debug:

------ BEGIN DEBUG ------
radius_xlat: 'josh'
rlm_sql (sql): sql_set_user escaped user --> 'josh'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'josh' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'josh' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'josh' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'josh' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): No matching entry in the database for request from user [josh]
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Finished request 0
------ END DEBUG ------

For reference, here's the debug info when I remove the Filter-Id for user 'josh':

------ BEGIN DEBUG ------
radius_xlat: 'josh'
rlm_sql (sql): sql_set_user escaped user --> 'josh'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'josh' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'josh' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'josh' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'josh' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module "sql" returns ok for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type PAP
auth: type "PAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
rlm_pap: login attempt by "josh" with password ********
rlm_pap: Using password "********" for user josh authentication.
rlm_pap: Using MD5 encryption.
rlm_pap: User authenticated succesfully
modcall[authenticate]: module "pap" returns ok for request 1
modcall: group Auth-Type returns ok for request 1
Sending Access-Accept of id 119 to 10.5.0.1:1812
Finished request 1
------ END DEBUG ------

Any ideas?
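The two traces above differ in only a few lines, and the following added example (not part of the original post, and not FreeRADIUS code) extracts those lines and reports where the failing request diverges. The function names `summarize` and `diff` and the "rejected" outcome label are assumptions of this sketch; the log lines are excerpted from the post's debug output.

```python
import re

# Lines excerpted from the two debug traces in the post
# (SQL query lines and socket bookkeeping omitted).
WITH_FILTER_ID = """\
rlm_sql (sql): No matching entry in the database for request from user [josh]
modcall[authorize]: module "sql" returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
"""
WITHOUT_FILTER_ID = """\
modcall[authorize]: module "sql" returns ok for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type PAP
modcall[authenticate]: module "pap" returns ok for request 1
Sending Access-Accept of id 119 to 10.5.0.1:1812
"""

MODULE_RE = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+) for request \d+')
AUTH_TYPE_RE = re.compile(r'rad_check_password: Found Auth-Type (\S+)')
SENT_RE = re.compile(r'Sending (Access-\w+) of id')

def summarize(trace):
    """Reduce one request's debug trace to the facts that decide its outcome."""
    s = {"modules": {}, "auth_type": None, "sql_no_match": False, "outcome": None}
    for line in trace.splitlines():
        if m := MODULE_RE.search(line):
            s["modules"][(m.group(1), m.group(2))] = m.group(3)
        elif m := AUTH_TYPE_RE.search(line):
            s["auth_type"] = m.group(1)
        elif "No matching entry in the database" in line:
            s["sql_no_match"] = True
        elif "Rejecting the user" in line:
            s["outcome"] = "rejected"  # label chosen for this sketch
        elif m := SENT_RE.search(line):
            s["outcome"] = m.group(1)
    return s

def _flat(s):
    """Flatten per-module results into 'section/module' keys next to the other fields."""
    out = {f"{sec}/{mod}": res for (sec, mod), res in s["modules"].items()}
    out.update({k: v for k, v in s.items() if k != "modules"})
    return out

def diff(a, b):
    """Return {field: (value_in_a, value_in_b)} for every field that differs."""
    fa, fb = _flat(a), _flat(b)
    return {k: (fa.get(k), fb.get(k)) for k in sorted(set(fa) | set(fb)) if fa.get(k) != fb.get(k)}
```

Run over the two traces, the first divergence is the `sql` module returning `notfound` in `authorize`, after which no Auth-Type is found and the `pap` module never runs. In rlm_sql, rows in `radcheck` are check items evaluated against the request while rows in `radreply` are returned to the NAS, which is consistent with the `Filter-Id` row in `radcheck` being treated as a condition the request did not meet.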