Sorry if this has already been addressed. I have been searching all day and haven't found the solution to my problem. I am attempting to set up multiple huntgroups to limit the types of connections that clients can make. Along with this, I have a list of realms that are authenticated locally and others that are directed to remote RADIUS servers. All of the user and group information is stored in a MySQL db. I am having problems authenticating users with realms that are not passed to a remote server.

Below is an example of a test without a realm:

radtest test blah123 127.0.0.1 0 testing123
Sending Access-Request of id 215 to 127.0.0.1:1812
        User-Name = "test"
        User-Password = "blah123"
        NAS-IP-Address = localhost.localdomain
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=215, length=272
        Framed-Protocol = PPP
        Framed-Routing = Broadcast
        Framed-Compression = None
        Framed-MTU = 1500
        Idle-Timeout = 0
        Cisco-AVPair = "lcp:interface-config=rate-limit input 256000 32000 32000 conform-action transmit exceed-action drop"
        Cisco-AVPair = "lcp:interface-config=rate-limit output 4500000 32000 32000 conform-action transmit exceed-action drop"
        Service-Type = Framed-User

With a realm:
radtest [EMAIL PROTECTED] blah123 127.0.0.1 0 testing123
Sending Access-Request of id 223 to 127.0.0.1:1812
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "blah123"
        NAS-IP-Address = localhost.localdomain
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=223, length=20

Output from the server:
rad_recv: Access-Request packet from host 127.0.0.1:32770, id=223, length=77
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "blah123"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
rlm_sql (sql): - sql_groupcmp
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat: 'SELECT GroupName FROM usergroup WHERE UserName='[EMAIL PROTECTED]''
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
rlm_sql (sql): - sql_groupcmp finished: User does not belong in group 3072BY256
No huntgroup access: [EMAIL PROTECTED] (from client localhost port 0)
  modcall[authorize]: module "preprocess" returns reject for request 2
modcall: group authorize returns reject for request 2

If I remove the huntgroups from the picture, it works fine. The problem seems to be that the realm is not being stripped off of the username when it checks it against the usergroup table. If more information is needed, please let me know. I would really like to get this working.

Thanks!

- Brad
