Surely someone has users in multiple groups and can tell me how to make that work.

Scott Reed
Owner
NewWays
Wireless Networking
Network Design, Installation and Administration
www.nwwnet.net


---------- Original Message -----------
From: "Scott Reed" <[EMAIL PROTECTED]>
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Sent: Wed, 5 Apr 2006 07:25:29 -0500
Subject: User in Multiple Groups

> I have searched the archive and came close to figuring this out, but I have not been able to get a user to exist in 2 groups and have each authenticate. I have one set of systems that need Login-User and then reply with one set of responses and another set that need Framed-User and reply with a different set of responses.
> I have both groups working if I have the user in just one group. If the user is in 2 groups, one group works and the other Rejects. What is wrong with my configuration?
>
> There is an accounting request packet in the trace below that shows that sreed is logged into one of the Framed-User devices. Then there is the packet from treed trying to log into a Login-User device.
>
> Configuration tables:
> USERGROUP
> 80 sreed MS1-AP1
> 76 treed MS1-AP1
> 78 sreed Router-Admin
> 79 treed Router-Admin
> 81 dreed Router-Admin
>
> RADCHECK
> 331 dreed User-Password == password
> 269 treed User-Password == password
> 267 sreed User-Password == password
>
> RADGROUPCHECK
> 31 Router-Admin Service-Type == Login-User
> 28 MS1-AP1 Service-Type == Framed-User
>
> RADREPLY
> 33 sreed Fall-Through = yes
> 43 treed Fall-Through = yes
>
> RADGROUPREPLY
> 33 MS1-AP1 Port-Limit = 128k 15
> 34 Router-Admin Mikrotik-Group = full 10
> 39 Router-Admin Fall-Through = Yes 10
> 37 MS1-AP1 Fall-Through = Yes 15
>
> Debug trace:
> rlm_sql_mysql: Starting connect to MySQL server for #1
> rlm_sql (sql): Connected new DB handle, #1
> rlm_sql (sql): starting 2
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
> rlm_sql_mysql: Starting connect to MySQL server for #2
> rlm_sql (sql): Connected new DB handle, #2
> rlm_sql (sql): starting 3
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
> rlm_sql_mysql: Starting connect to MySQL server for #3
> rlm_sql (sql): Connected new DB handle, #3
> rlm_sql (sql): starting 4
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
> rlm_sql_mysql: Starting connect to MySQL server for #4
> rlm_sql (sql): Connected new DB handle, #4
> rlm_sql (sql): - generate_sql_clients
> rlm_sql (sql): Query: SELECT * FROM nas
> rlm_sql (sql): Reserving sql socket id: 4
> rlm_sql_mysql: query: SELECT * FROM nas
> rlm_sql (sql): Read entry nasname=nwnr0004.nwadmin.net,shortname=nwnr0004,secret=sbr28tsr
> rlm_sql (sql): Adding client 10.2.49.5 (nwnr0004) to clients list
> rlm_sql (sql): Read entry nasname=nwnr0003.nwadmin.net,shortname=nwnr0003,secret=sbr28tsr
> rlm_sql (sql): Adding client 10.2.49.4 (nwnr0003) to clients list
> rlm_sql (sql): Read entry nasname=nwnr0002.nwadmin.net,shortname=nwnr0002,secret=sbr28tsr
> rlm_sql (sql): Adding client 10.0.1.4 (nwnr0002) to clients list
> rlm_sql (sql): Read entry nasname=hotspot.nwwhome.net,shortname=hotspot,secret=testing123
> rlm_sql (sql): Adding client 192.168.100.13 (hotspot) to clients list
> rlm_sql (sql): Read entry nasname=nwnr0001.nwadmin.net,shortname=nwnr0001,secret=sbr28tsr
> rlm_sql (sql): Adding client 10.0.0.1 (nwnr0001) to clients list
> rlm_sql (sql): Released sql socket id: 4
> Module: Instantiated sql (sql)
> Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
> detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> detail: detailperm = 384
> detail: dirperm = 493
> detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded System
> unix: cache = no
> unix: passwd = "(null)"
> unix: shadow = "/etc/shadow"
> unix: group = "(null)"
> unix: radwtmp = "/var/log/radius/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded radutmp
> radutmp: filename = "/var/log/radius/radutmp"
> radutmp: username = "%{User-Name}"
> radutmp: case_sensitive = yes
> radutmp: check_with_nas = yes
> radutmp: perm = 384
> radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Module: Loaded eap
> eap: default_eap_type = "md5"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
> gtc: challenge = "Password: "
> gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
> mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Listening on authentication *:1812
> Listening on accounting *:1813
> Listening on proxy *:1814
> Ready to process requests.
> rad_recv: Accounting-Request packet from host 192.168.100.13:1201, id=165, length=177
> Service-Type = Framed-User
> Framed-Protocol = PPP
> NAS-Port = 17564
> NAS-Port-Type = Ethernet
> User-Name = "sreed"
> Calling-Station-Id = "00:05:9E:81:8B:DD"
> Called-Station-Id = "TestAP"
> NAS-Port-Id = "TestAP"
> Acct-Session-Id = "81700264"
> Framed-IP-Address = 172.17.1.100
> Acct-Authentic = RADIUS
> Acct-Session-Time = 54602
> Acct-Input-Octets = 80
> Acct-Input-Gigawords = 0
> Acct-Input-Packets = 8
> Acct-Output-Octets = 130
> Acct-Output-Gigawords = 0
> Acct-Output-Packets = 8
> Acct-Status-Type = Alive
> NAS-Identifier = "HotSpot"
> NAS-IP-Address = 192.168.100.13
> Acct-Delay-Time = 0
> Processing the preacct section of radiusd.conf
> modcall: entering group preacct for request 0
> modcall[preacct]: module "preprocess" returns noop for request 0
> rlm_acct_unique: Hashing 'NAS-Port = 17564,Client-IP-Address = 192.168.100.13,NAS-IP-Address = 192.168.100.13,Acct-Session-Id = "81700264",User-Name = "sreed"'
> rlm_acct_unique: Acct-Unique-Session-ID = "4553128d21acc6cf".
> modcall[preacct]: module "acct_unique" returns ok for request 0
> rlm_realm: No '@' in User-Name = "sreed", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[preacct]: module "suffix" returns noop for request 0
> modcall: group preacct returns ok for request 0
> Processing the accounting section of radiusd.conf
> modcall: entering group accounting for request 0
> radius_xlat: '/var/log/radius/radacct/192.168.100.13/detail-20060405'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/192.168.100.13/detail-20060405
> modcall[accounting]: module "detail" returns ok for request 0
> modcall[accounting]: module "unix" returns noop for request 0
> radius_xlat: '/var/log/radius/radutmp'
> radius_xlat: 'sreed'
> modcall[accounting]: module "radutmp" returns ok for request 0
> radius_xlat: 'sreed'
> rlm_sql (sql): sql_set_user escaped user --> 'sreed'
> radius_xlat: 'UPDATE radacct ? SET FramedIPAddress = '172.17.1.100', ? AcctSessionTime = '54602', ? AcctInputOctets = '80', ? AcctOutputOctets = '130' ? WHERE AcctSessionId = '81700264' ? AND UserName = 'sreed' ? AND NASIPAddress= '192.168.100.13''
> radius_xlat: '/var/log/radius/sqltrace.sql'
> rlm_sql (sql): Reserving sql socket id: 3
> rlm_sql_mysql: query: UPDATE radacct ? SET FramedIPAddress = '172.17.1.100', ? AcctSessionTime = '54602', ? AcctInputOctets = '80', ? AcctOutputOctets = '130' ? WHERE AcctSessionId = '81700264' ? AND UserName = 'sreed' ? AND NASIPAddress= '192.168.100.13'
> rlm_sql (sql): Released sql socket id: 3
> modcall[accounting]: module "sql" returns ok for request 0
> modcall: group accounting returns ok for request 0
> Sending Accounting-Response of id 165 to 192.168.100.13:1201
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.100.13:1201, id=166, length=83
> Service-Type = Login-User
> User-Name = "treed"
> User-Password = "password"
> Calling-Station-Id = "192.168.100.240"
> NAS-Identifier = "HotSpot"
> NAS-IP-Address = 192.168.100.13
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
> modcall[authorize]: module "preprocess" returns ok for request 1
> modcall[authorize]: module "chap" returns noop for request 1
> modcall[authorize]: module "mschap" returns noop for request 1
> rlm_realm: No '@' in User-Name = "treed", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 1
> radius_xlat: 'treed'
> rlm_sql (sql): sql_set_user escaped user --> 'treed'
> radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'treed' ORDER BY id'
> rlm_sql (sql): Reserving sql socket id: 2
> rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'treed' ORDER BY id
> radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'treed' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
> rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'treed' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
> radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'treed' ORDER BY id'
> rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'treed' ORDER BY id
> radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'treed' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.prio'
> rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'treed' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.prio
> rlm_sql (sql): No matching entry in the database for request from user [treed]
> rlm_sql (sql): Released sql socket id: 2
> modcall[authorize]: module "sql" returns notfound for request 1
> modcall: group authorize returns ok for request 1
> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> auth: Failed to validate the user.
> Login incorrect: [treed/password] (from client hotspot port 0 cli 192.168.100.240)
> Processing the post-auth section of radiusd.conf
> modcall: entering group Post-Auth-Type for request 1
> rlm_sql (sql): Processing sql_postauth
> radius_xlat: 'treed'
> rlm_sql (sql): sql_set_user escaped user --> 'treed'
> radius_xlat: 'INSERT into radpostauth (id, user, pass, reply, date) values ('', 'treed', 'password', 'Access-Reject', NOW())'
> radius_xlat: '/var/log/radius/sqltrace.sql'
> rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'treed', 'password', 'Access-Reject', NOW())
> rlm_sql (sql): Reserving sql socket id: 1
> rlm_sql_mysql: query: INSERT into radpostauth (id, user, pass, reply, date) values ('', 'treed', 'password', 'Access-Reject', NOW())
> rlm_sql (sql): Released sql socket id: 1
> modcall[post-auth]: module "sql" returns ok for request 1
> modcall: group Post-Auth-Type returns ok for request 1
> Delaying request 1 for 1 seconds
> Finished request 1
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> rad_recv: Access-Request packet from host 192.168.100.13:1201, id=166, length=83
> Sending Access-Reject of id 166 to 192.168.100.13:1201
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 3 seconds...
>
> Scott Reed
> Owner
> NewWays
> Wireless Networking
> Network Design, Installation and Administration
> www.nwwnet.net
>
> ---------- Original Message -----------
> From: "debik" <[EMAIL PROTECTED]>
> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
> Sent: Wed, 5 Apr 2006 20:26:14 +0200
> Subject: Re: Couldn't stop freeradius server!!
>
> > Try "killall radiusd" or "killall freeradius".
> > I have Debian and those commands are all right.
> >
> > ----- Original Message -----
> > From: "lmyho" <[EMAIL PROTECTED]>
> > To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
> > Sent: Tuesday, April 04, 2006 6:19 PM
> > Subject: Re: Couldn't stop freeradius server!!
> >
> > >
> > > --- monish ar <[EMAIL PROTECTED]> wrote:
> > >> Instead of using the command to stop the radius daemon, herez another
> > >> simple way.....
> > >> At the console type " ps -ax | grep radiusd" , this will give u the list
> > >> of
> > >> radius servers currently
> > >> along with its process IDs. The next thing u do is type " kill pid# " ,
> > >> PID# refers to the process
> > >> id number of ur currently running radius daemon. Hope it helps...
> > >> Dunno bout the NAS list though...
> > >
> > > Hi Monish,
> > >
> > > Thank you for the idea! I checked, and found the process. but on this
> > > debian
> > > system, the process is actually named "freeradius", instead of the
> > > traditional
> > > "radiusd".:( So there are indeed some changes on how the freeradius is
> > > run on
> > > debian. Do you have more idea about it?
> > > Can anyone tell me more on how the debian is running the freeradius and
> > > how I can
> > > stop the server from command line in debian system? (pls see problem
> > > detail below)
> > >
> > > Thanks a lot!!
> > > leo
> > >
> > >> On 4/4/06, lmyho <[EMAIL PROTECTED]> wrote:
> > >> >
> > >> > Hi All,
> > >> >
> > >> > Installed freeradius 1.1.0-1 on debian system (2.6.15-1-686). The
> > >> > radius
> > >> > server started automatically well each time when the system booting.
> > >> > But I
> > > wanted to stop it to do some testing using my modified configuration
> > > files. I tried
> > > to stop the server using command: 'freeradius stop' ('radiusd' doesn't
> > > work on this
> > > debian - anyone knows why??)
> > >> >
> > >> > But so weird, no matter what command I gave, with parameter
> > >> > stop|start|restart, the server ALWAYS goes to START again!! even from
> > >> > the
> > > /etc/init.d/freeradius I can read that the 'stop' param should stop the
> > > server! Can
> > > anyone tell me why the command couldn't stop the server?? and how should I
> > > stop it??
> > >> >
> > >> > The log file shows entries like this for each of my trying, even the
> > >> > command given was to "stop":
> > >> >
> > >> > Tue Apr 4 01:14:13 2006 : Info: Using deprecated naslist file.
> > >> > Support
> > >> > for this will go away soon.
> > >> > Tue Apr 4 01:14:13 2006 : Error: There appears to be another RADIUS
> > >> > server running on the authenticat
> > >> >
> > >> > What is happening here? (I couldn't stop the running daemon, so is the
> > >> > 2nd line above)
> > >> >
> > >> > Also, from the log file I noticed: even when the system automatically
> > >> > started the freeradius server daemon, it was "Using deprecated naslist
> > >> > file".
> > > Log entries show like this:
> > >> >
> > >> > Fri Mar 31 13:51:54 2006 : Info: Using deprecated naslist file.
> > >> > Support
> > >> > for this will go away soon.
> > >> > Fri Mar 31 13:51:54 2006 : Info: rlm_exec: Wait=yes but no output
> > >> > defined.
> > >> > Did you mean output=none?
> > >> > Fri Mar 31 13:51:55 2006 : Info: Ready to process requests.
> > >> >
> > >> > Can anyone tell me what is happening here?? Why it's using the
> > >> > deprecating naslist file? The installed radiusd.conf file doesn't show
> > >> > the
> > > server will use the naslist
> > >> > file at all! from where I can stop the server to use this deprecating
> > >> > file? Also what does the 2nd line of the above log entries mean?
> > >> >
> > >> > Any help would be greatly appreciated! Thank you so much for help in
> > >> > advance!!
> > >> >
> > >> > Best regards,
> > >> > leo
> > >>
> > >>
> > >>
> > >
> > >
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> >
> ------- End of Original Message -------
>

------- End of Original Message -------