Hi! I'm having the following problem: Any item that I put in radgroupcheck is not being considered by the radius ... the radius only checks the table radcheck ...
I'm using Radius 2 with mysql database.

*nas*
id: 200
idrevenda: 1
nasname: 192.168.0.10
shortname: rb45g
type: other
ports: 1812
secret: 123

*radcheck*
idrevenda: 1
username: "john"
attribute: "user-password"
op: "=="
value: "123456"

*radgroupcheck*
idrevenda: 1
groupname: "office"
attribute: "Calling-Station-Id"
op: "=="
value: "00:00:00:00:00:00"

*radusergroup*
idrevenda: 1
username: "john"
groupname: "office"
priority: 1

Suppose that John's MAC address is 00:a2:bf:66:dd:ff ... the radius should not allow the access...

# radtest john 123456 192.168.0.10 10 123
Sending Access-Request of id 218 to 192.168.0.10 port 1812
        User-Name = "john"
        User-Password = "123456"
        NAS-IP-Address = 192.168.0.10
        NAS-Port = 10
rad_recv: Access-Accept packet from host 192.168.0.10 port 1812, id=218, length=20

#radius -X
...
rad_recv: Access-Request packet from host 192.168.0.10 port 44307, id=218, length=56
        User-Name = "john"
        User-Password = "123456"
        NAS-IP-Address = 192.168.0.10
        NAS-Port = 10
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> john
[sql] sql_set_user escaped user --> 'john'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT aut.id, aut.username, aut.attribute, aut.value, aut.op FROM radcheck aut WHERE aut.username = '%{SQL-User-Name}' and aut.idrevenda = (SELECT distinct n.idrevenda FROM nas n WHERE n.nasname = '%{NAS-IP-Address}' LIMIT 0,1) ORDER BY aut.id-> SELECT aut.id, aut.username, aut.attribute, aut.value, aut.op FROM radcheck aut WHERE aut.username = 'john' and aut.idrevenda = (SELECT distinct n.idrevenda FROM nas n WHERE n.nasname = '192.168.0.10' LIMIT 0,1) ORDER BY aut.id
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] User found in radcheck table
[sql] expand: SELECT rp.id, rp.username, rp.attribute, rp.value, rp.op FROM radreply rp WHERE rp.username = '%{SQL-User-Name}' and rp.idrevenda = (SELECT distinct n.idrevenda FROM nas n WHERE n.nasname = '%{NAS-IP-Address}' LIMIT 0,1) ORDER BY rp.id -> SELECT rp.id, rp.username, rp.attribute, rp.value, rp.op FROM radreply rp WHERE rp.username = 'john' and rp.idrevenda = (SELECT distinct n.idrevenda FROM nas n WHERE n.nasname = '192.168.0.10' LIMIT 0,1) ORDER BY rp.id
[sql] expand: SELECT ug.groupname FROM radusergroup ug WHERE ug.username = '%{SQL-User-Name}' and ug.idrevenda = (SELECT distinct n.idrevenda FROM nas n WHERE n.nasname = '%{NAS-IP-Address}' LIMIT 0,1) ORDER BY ug.priority -> SELECT ug.groupname FROM radusergroup ug WHERE ug.username = 'john' and ug.idrevenda = (SELECT distinct n.idrevenda FROM nas n WHERE n.nasname = '192.168.0.10' LIMIT 0,1) ORDER BY ug.priority
[sql] expand: SELECT gc.id, gc.groupname, gc.attribute, gc.Value, gc.op FROM radgroupcheck gc WHERE gc.groupname = '%{Sql-Group}' and gc.idrevenda = (SELECT distinct n.idrevenda FROM nas n WHERE n.nasname = '%{NAS-IP-Address}' LIMIT 0,1) ORDER BY gc.id -> SELECT gc.id, gc.groupname, gc.attribute, gc.Value, gc.op FROM radgroupcheck gc WHERE gc.groupname = '27' and gc.idrevenda = (SELECT distinct n.idrevenda FROM nas n WHERE n.nasname = '192.168.0.10' LIMIT 0,1) ORDER BY gc.id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group PAP {...}
[pap] login attempt with password "123456"
[pap] Using clear text password "123456"
[pap] User authenticated successfully
++[pap] returns ok
expand: ->
Login OK: [john/123456] (from client radtest port 10)
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> john
[sql] sql_set_user escaped user --> 'john'
[sql] expand: %{User-Password} -> 123456
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'john', '123456', 'Access-Accept', '2010-08-06 17:30:29')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'john', '123456', 'Access-Accept', '2010-08-06 17:30:29')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 218 to 192.168.0.10 port 44307
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 218 with timestamp +6
Ready to process requests.

*dialup.conf:*

authorize_check_query = "SELECT aut.id, aut.username, aut.attribute, aut.value, aut.op \
        FROM ${authcheck_table} aut \
        WHERE aut.username = '%{SQL-User-Name}' \
        and aut.idrevenda = (SELECT distinct n.idrevenda FROM ${nas_table} n WHERE n.nasname = '%{NAS-IP-Address}' LIMIT 0,1) \
        ORDER BY aut.id"

authorize_reply_query = "SELECT rp.id, rp.username, rp.attribute, rp.value, rp.op \
        FROM ${authreply_table} rp \
        WHERE rp.username = '%{SQL-User-Name}' \
        and rp.idrevenda = (SELECT distinct n.idrevenda FROM ${nas_table} n WHERE n.nasname = '%{NAS-IP-Address}' LIMIT 0,1) \
        ORDER BY rp.id"

group_membership_query = "SELECT ug.groupname \
        FROM ${usergroup_table} ug \
        WHERE ug.username = '%{SQL-User-Name}' \
        and ug.idrevenda = (SELECT distinct n.idrevenda FROM ${nas_table} n WHERE n.nasname = '%{NAS-IP-Address}' LIMIT 0,1) \
        ORDER BY ug.priority"

authorize_group_check_query = "SELECT gc.id, gc.groupname, gc.attribute, \
        gc.Value, gc.op \
        FROM ${groupcheck_table} gc \
        WHERE gc.groupname = '%{Sql-Group}' \
        and gc.idrevenda = (SELECT distinct n.idrevenda FROM ${nas_table} n WHERE n.nasname = '%{NAS-IP-Address}' LIMIT 0,1) \
        ORDER BY gc.id"

authorize_group_reply_query = "SELECT gr.id, gr.groupname, gr.attribute, \
        gr.value, gr.op \
        FROM ${groupreply_table} gr \
        WHERE gr.groupname = '%{Sql-Group}' \
        and gr.idrevenda = (SELECT distinct n.idrevenda FROM ${nas_table} n WHERE n.nasname = '%{NAS-IP-Address}' LIMIT 0,1) \
        ORDER BY gr.id"

What can it be? Thank you for your help!

--
Erick de A. Fabbio
MSN/GTalk: erickfab...@gmail.com
Skype: erickfabbio