SQL log attached:
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 't...@realm'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 't...@realm'           ORDER BY id
rlm_sql_mysql: query:  SELECT groupname           FROM usergroup           WHERE username = 't...@realm'           ORDER BY priority
rlm_sql_mysql: query:  SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'VRF-TEST'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'VRF-TEST'           ORDER BY id
rlm_sql (sql): Released sql socket id: 4

If I run the 3rd query manually, it does pick up the VRF-TEST and QOS-PROFILE
usergroups; however, looking at the above groupcheck/groupreply queries, it is
only running them for the first instance. Bug perhaps in rlm_sql_mysql?
-Michael

On Thu, 16 Dec 2010 11:33:46 +1100, <mich...@jarrett.id.au> wrote:
> Hi,
>  During a rebuild of our Radius servers from an old freeradius 1.x install
> to 2.1.10, we've lost ability to push multiple usergroups to our Cisco LNS:
> MySQL:
> radcheck:
> id    UserName        Attribute       op      Value
> 9791  t...@realm      Password        :=      {clear}somepass
> 
> radgroupreply:
> id    GroupName       Attribute       op      Value
> 161   VRF-TEST        Cisco-AVPair    +=      ip:vrf-id=TEST
> 162   VRF-TEST        Cisco-AVPair    +=      ip:ip-unnumbered=loopback25
> 2211  QOS-PROFILE     Cisco-AVPair    +=      ip:sub-qos-policy-out=TEST-QOS-PROFILE
> 
> radreply:
> id    UserName        Attribute       op      Value
> 124561        t...@realm      Framed-IP-Netmask       =       255.255.255.255
> 124571        t...@realm      Framed-IP-Address       =       1.1.1.1
> 
> usergroup:
> UserName      GroupName       priority
> t...@realm    VRF-TEST        1
> t...@realm    QOS-PROFILE     2
> 
> debugging Radius on the Cisco shows (amongst other things):
> RADIUS:  Vendor, Cisco       [26]  21
> RADIUS:   Cisco AVpair       [1]   15  "ip:vrf-id=TEST"
> RADIUS:  Vendor, Cisco       [26]  35
> RADIUS:   Cisco AVpair       [1]   29  "ip:ip-unnumbered=loopback25"
> 
> If you set QOS-PROFILE to priority 0 for example, it will then only pick
> up the QOS-PROFILE usergroup, not both. Setting both usergroups to same
> priority yields the same results; only applying the first, never both.
> 
> To rule out the Cisco I've performed a tcpdump on Radius itself; I can
> only see freeradius sending one usergroup in the Access-Accept response.
> This is also a fresh freeradius install via FreeBSD ports; no
> configuration was carried over from the previous install except for MySQL
> DB credentials.
> 
> Thoughts?
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
