I had some older Debian 4.0 (etch) servers, with freeradius v1.1.3 installed from packages.
I then upgraded to Debian 5.0 (lenny), which comes with freeradius v2.0.4.

After upgrading I ran into some problems with my radgroupcheck rules.

In radgroupcheck, I have some rules to restrict which NAS users are allowed to connect to.

Here's an example:

mysql> select * from radcheck where username = 'mbowe-test';
+------+------------+----------------+----+------------------------------------+
| id   | username   | attribute      | op | value                              |
+------+------------+----------------+----+------------------------------------+
|  708 | mbowe-test | Crypt-Password | := | <SNIPPED>                          |
+------+------------+----------------+----+------------------------------------+

mysql> select * from radreply where username = 'mbowe-test';
Empty set (0.00 sec)

mysql> select * from radusergroup where username = 'mbowe-test';
+------------+----------------+----------+
| username   | groupname      | priority |
+------------+----------------+----------+
| mbowe-test | dialup-freedom |        1 |
+------------+----------------+----------+

mysql> select * from radgroupcheck where groupname = 'dialup-freedom';
+----+----------------+------------------+----+-----------------------------+
| id | groupname      | attribute        | op | value                       |
+----+----------------+------------------+----+-----------------------------+
|  3 | dialup-freedom | NAS-IP-Address   | !~ | ^111.222.333.(1|2|3|4|5|6)$ |
|  4 | dialup-freedom | Simultaneous-Use | := | 1                           |
+----+----------------+------------------+----+-----------------------------+

mysql> select * from radgroupreply where groupname = 'dialup-freedom';
+----+----------------+--------------------+----+---------------------+
| id | groupname      | attribute          | op | value               |
+----+----------------+--------------------+----+---------------------+
|  9 | dialup-freedom | Service-Type       | := | Framed-User         |
| 10 | dialup-freedom | Framed-Protocol    | := | PPP                 |
| 11 | dialup-freedom | Framed-IP-Address  | =  | 255.255.255.254     |
| 12 | dialup-freedom | Framed-IP-Netmask  | := | 255.255.255.255     |
| 13 | dialup-freedom | Framed-Compression | := | Van-Jacobson-TCP-IP |
| 14 | dialup-freedom | Idle-Timeout       | := | 1800                |
| 15 | dialup-freedom | Session-Timeout    | := | 14400               |
| 16 | dialup-freedom | Port-Limit         | := | 1                   |
+----+----------------+--------------------+----+---------------------+

Under the older freeradius, if the mbowe-test user tried to connect to a NAS with IP 111.222.333.1|2|3|4|5|6 then their access would be rejected.

However under the newer freeradius, the user can now get online OK. (The group doesn't match so the 'dialup-freedom' attributes are not returned)

In my sql.conf I have
read_groups = yes

I tried installing the freeradius 2.1.7 from source, and it gives the same result as the 2.0.4 from packages (user can get online).

Am I doing something wrong?

Let me know if you would like me to paste some debugs.

Michael.