Hello! I am trying to put checkval to work with radgroupcheck, however without success. My problem is that in radcheck, if Calling-Station-Id is not met, it rejects the user (just like I want it to do), but in radgroupcheck, if the Calling-Station-Id is not met, freeradius sends an Access-Accept anyway (I want it to reject).

My checkval:

checkval {
        # The attribute to look for in the request
        item-name = Calling-Station-Id

        # The attribute to look for in check items. Can be multi valued
        check-name = Calling-Station-Id

        # The data type. Can be
        # string,integer,ipaddr,date,abinary,octets
        data-type = string

        # If set to yes and we dont find the item-name attribute in the
        # request then we send back a reject
        # DEFAULT is no
        notfound-reject = yes
}

Part of my radius log:

rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-21-00-33-B1-88
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
expand: %{User-Name} -> vitor33
[sql] sql_set_user escaped user --> 'vitor33'
expand: %{User-Password} ->
expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW()) -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('vitor33', 'Chap-Password', 'Access-Accept', NOW())
expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('vitor33', 'Chap-Password', 'Access-Accept', NOW())
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_postgresql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('vitor33', 'Chap-Password', 'Access-Accept', NOW())
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
} # server inner-tunnel
[ttls] Got tunneled reply code 2
        EAP-Message = 0x03010004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "vitor33"
[ttls] Got tunneled Access-Accept
[eap] Freeing handler
rlm_eap_ttls: Freeing handler for user vitor33
++[eap] returns ok
+- entering group post-auth {...}
expand: %{User-Name} -> vitor33
[sql] sql_set_user escaped user --> 'vitor33'
expand: %{User-Password} ->
expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW()) -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('vitor33', 'Chap-Password', 'Access-Accept', NOW())
expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('vitor33', 'Chap-Password', 'Access-Accept', NOW())
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_postgresql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('vitor33', 'Chap-Password', 'Access-Accept', NOW())
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 19 to 192.168.100.2 port 32773
        MS-MPPE-Recv-Key = 0x5b81c8ead986cb6408398bc0a2e3bef7457500dd6b8504be9d63a097679ee0d8
        MS-MPPE-Send-Key = 0x4da2d778e0ffa8bddaf4e989a5b34e69e29266ff830134df8c2f03ca8d21bbe7
        EAP-Message = 0x03070004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "vitor33"
Finished request 7.

My radgroupcheck table:

4;"testgroup";"Simultaneous-Use";":=";"1"
7;"testgroup";"Calling-Station-Id";"==";"00-00-00-00-00-11"

My radusergroup table:

"admin";"testgroup";0
"vitor33";"testgroup";0

Can anyone help me?

Thanks in advance.

edit: If I add the line "Auth-Type := Reject" for the same group in radgroupcheck, freeradius keeps sending Access-Accept when it should send Access-Reject, right?

--
View this message in context: http://www.nabble.com/Checkval-tp23867006p23867006.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
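
The debug output quoted in the message shows checkval returning notfound and the same request still ending in Access-Accept. The following is an added example, not part of the original post and not FreeRADIUS code: a small audit script that scans debug output for that pattern. The sample log is constructed from the line formats quoted above, and the function name audit is hypothetical.

```python
import re

# Line formats taken from the debug output quoted in the post.
ITEM_RE = re.compile(r"rlm_checkval: Item Name: [^,]+, Value: (\S+)")
CHECKVAL_RE = re.compile(r"\+\+\[checkval\] returns (\w+)")
REPLY_RE = re.compile(r"Sending (Access-\w+) of id \d+")
DONE_RE = re.compile(r"Finished request (\d+)\.")

# Constructed sample (not real traffic): request 7 mirrors the post,
# request 8 is a clean match, request 9 is a mismatch that was rejected.
SAMPLE_LOG = """\
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-21-00-33-B1-88
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
Sending Access-Accept of id 19 to 192.168.100.2 port 32773
Finished request 7.
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-00-00-00-00-11
++[checkval] returns ok
Sending Access-Accept of id 20 to 192.168.100.2 port 32773
Finished request 8.
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-21-00-33-B1-88
++[checkval] returns reject
Sending Access-Reject of id 21 to 192.168.100.2 port 32773
Finished request 9.
"""

def audit(log_text):
    """Return requests where checkval did not return 'ok' at least once
    but the server still sent Access-Accept (the check failed open)."""
    findings = []
    value, results, reply = None, [], None
    for line in log_text.splitlines():
        if m := ITEM_RE.search(line):
            value = m.group(1)
        elif m := CHECKVAL_RE.search(line):
            results.append(m.group(1))
        elif m := REPLY_RE.search(line):
            reply = m.group(1)
        elif m := DONE_RE.search(line):
            failed = [r for r in results if r != "ok"]
            if failed and reply == "Access-Accept":
                findings.append({"request": int(m.group(1)),
                                 "calling_station_id": value,
                                 "checkval": failed[-1]})
            value, results, reply = None, [], None  # reset for next request
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print("fail-open: request %(request)d, %(calling_station_id)s, "
              "checkval returned %(checkval)s" % f)
```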