I recently set up a freeradius 2 server with MySQL and I am having an issue where it doesn't appear to be doing group checks.

If I have a user set to a group it doesn't appear to check the attributes set in that group:

+----+----------+--------------+----+------------------------------------------+
| id | username | attribute    | op | value                                    |
+----+----------+--------------+----+------------------------------------------+
| 15 | user1    | SHA-Password | := | 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 |
+----+----------+--------------+----+------------------------------------------+
1 row in set (0.00 sec)

mysql> select * from radusergroup where username = 'user1';
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| user1    | admin     |        1 |
+----------+-----------+----------+
1 row in set (0.00 sec)

mysql> select * from radgroupcheck where groupname = 'admin';
+----+-----------+----------------+----+--------+
| id | groupname | attribute      | op | value  |
+----+-----------+----------------+----+--------+
|  3 | admin     | NAS-Identifier | == | Adtran |
+----+-----------+----------------+----+--------+
1 row in set (0.00 sec)

If I understand correctly the following request should be denied because the NAS-Identifier in the request doesn't match the one specified in the groupcheck table. However, it is replying with Access-Accept.

rad_recv: Access-Request packet from host 64.185.12.105 port 7458, id=61, length=56
        User-Name = "user1"
        User-Password = "password"
        NAS-Identifier = "Zhone MxK"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
        expand: %{User-Name} -> user1
rlm_sql (sql): sql_set_user escaped user --> 'user1'
rlm_sql (sql): Reserving sql socket id: 3
        expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user1' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user1' ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'user1' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'user1' ORDER BY id
        expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'user1' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'user1' ORDER BY priority
        expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing SHA-Password from hex encoding
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "password"
rlm_pap: Using SHA1 encryption.
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [user1/password] (from client lab-mxk-1 port 0)
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
        expand: %{User-Name} -> user1
rlm_sql (sql): sql_set_user escaped user --> 'user1'
        expand: %{User-Password} -> password
        expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user1', 'password', 'Access-Accept', '2010-02-24 10:56:24')
        expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user1', 'password', 'Access-Accept', '2010-02-24 10:56:24')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user1', 'password', 'Access-Accept', '2010-02-24 10:56:24')
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 61 to 64.185.12.105 port 7458
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 61 with timestamp +9
Ready to process requests.

Any help would be greatly appreciated.

Thanks,
Craig
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
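As an added illustration (not FreeRADIUS code and not part of Craig's post), here is a small Python model of the check-item evaluation the post expects: the user's own rows from radcheck, then the rows of each group found through radusergroup in radgroupcheck, applied with the operator semantics documented for FreeRADIUS check items (`:=` sets a control item such as the password hash, `==` / `!=` / `=~` compare against the incoming request and require the attribute to be present). The table contents, the request fields and the operator rules are assumptions reconstructed from the post and the FreeRADIUS users-file documentation; the function names are mine. Run with the request from the post, it returns Access-Reject, and with NAS-Identifier changed to "Adtran" it returns Access-Accept, which is the behaviour the poster was expecting from the group check.

```python
"""Model of RADIUS check-item evaluation (illustration, not FreeRADIUS code).

Assumed operator semantics (from the FreeRADIUS users-file rules):
  :=   set a control item (e.g. a password hash); never compared to the request
  ==   the attribute must be present in the request and equal the value
  !=   the attribute must be present in the request and differ from the value
  =~   the attribute must be present and match the regular expression
"""
import hashlib
import re

# Constructed copies of the three tables shown in the post.
RADCHECK = [
    {"username": "user1", "attribute": "SHA-Password", "op": ":=",
     "value": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"},
]
RADUSERGROUP = [
    {"username": "user1", "groupname": "admin", "priority": 1},
]
RADGROUPCHECK = [
    {"groupname": "admin", "attribute": "NAS-Identifier", "op": "==",
     "value": "Adtran"},
]


def check_items_for(username):
    """User's own check items followed by those of every group the user is
    in, groups taken in radusergroup.priority order."""
    items = [r for r in RADCHECK if r["username"] == username]
    groups = sorted((g for g in RADUSERGROUP if g["username"] == username),
                    key=lambda g: g["priority"])
    for g in groups:
        items.extend(r for r in RADGROUPCHECK
                     if r["groupname"] == g["groupname"])
    return items


def apply_check_items(request, items):
    """Split check items into control items and request comparisons.

    Returns (control, ok): control holds the ':=' items; ok becomes False as
    soon as one comparison against the request fails, including the case
    where the compared attribute is missing from the request altogether."""
    control = {}
    for item in items:
        attr, op, value = item["attribute"], item["op"], item["value"]
        if op == ":=":
            control[attr] = value
            continue
        if attr not in request:            # ==, != and =~ all require presence
            return control, False
        actual = request[attr]
        if op == "==" and actual != value:
            return control, False
        if op == "!=" and actual == value:
            return control, False
        if op == "=~" and re.search(value, actual) is None:
            return control, False
    return control, True


def authorize(request):
    """Decide Access-Accept / Access-Reject for a PAP request against the
    constructed tables. Check items are evaluated before the password."""
    username = request.get("User-Name", "")
    control, ok = apply_check_items(request, check_items_for(username))
    if not ok:
        return "Access-Reject"             # a check item did not match
    expected = control.get("SHA-Password")
    if expected is None:
        return "Access-Reject"             # nothing to verify the password with
    digest = hashlib.sha1(request.get("User-Password", "").encode()).hexdigest()
    return "Access-Accept" if digest == expected else "Access-Reject"


if __name__ == "__main__":
    posted = {"User-Name": "user1", "User-Password": "password",
              "NAS-Identifier": "Zhone MxK"}
    print(authorize(posted))                                  # Access-Reject
    print(authorize({**posted, "NAS-Identifier": "Adtran"}))  # Access-Accept
```

The design point worth keeping from this model is the order of evaluation: group check items are applied before the password is verified, and a `==` item rejects when the attribute is absent rather than only when it differs, so a NAS that omits NAS-Identifier does not slip past a restriction that was meant to pin a group to one device type.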