Pairs do not match user [xxx]
Hi again. I've found my question many times in mailinglist archives, but not suitable solution. I keep receiving 'pairs do not match user'; in the end, follows copy of log. I have installed sql tables from the FreeRadius template. Since I'm not using crypt now, I tried to change 'Password' to 'User-Password' as attribute in the sql, but still no joy. Reading the log, it says modcall[authorize]: module "sql" returns notfound users: Matched DEFAULT at 85 modcall[authorize]: module "files" returns ok modcall: group authorize returns ok rad_check_password: Found Auth-Type system auth: type "System" (after the message about pairs was sent); of course, I don't have a module 'sql {' in radiusd.conf, and don't know how to build one. Then, in the end of log, I see "Found Auth-Type System" (is this correct? in my 'authorization' section I'm trying sql, but the module doesn't exists, and we start it all over..) Is this the problem? But, according the log, rlm_sql is checking the sql tables after stripping username - and in this phase I get the error message... Yet, no joy. Where the error / missing config could be? -- Fernando rad_recv: Access-Request packet from host 192.168.1.25:1027, id=35, length=75 Thread 1 assigned request 0 --- Walking the entire request list --- Threads: total/active/spare threads = 5/1/4 Nothing to do. Sleeping until we see a request. Thread 1 handling request 0, (1 handled so far) User-Name = "ferds" User-Password = "twister" NAS-IP-Address = 192.168.1.25 NAS-Port = 2 NAS-Port-Type = Async Service-Type = Framed-User Framed-Protocol = PPP modcall: entering group authorize modcall[authorize]: module "preprocess" returns ok rlm_realm: No '@' in User-Name = "ferds", looking up realm NULL rlm_realm: No such realm NULL modcall[authorize]: module "suffix" returns noop radius_xlat: 'ferds' rlm_sql (sql): sql_set_user escaped user --> 'ferds' (...) radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep ly.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'ferds' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Pairs do not match for user [ferds] rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns notfound users: Matched DEFAULT at 85 modcall[authorize]: module "files" returns ok modcall: group authorize returns ok rad_check_password: Found Auth-Type system auth: type "System" auth: Failed to validate the user. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: pairs do not match
perhaps you should upgrade to freeradius-0.8 ? On Wed, 27 Nov 2002, betux wrote: > hi all, > > i am just install freeradius and i am newbie for that. > what should i do if get error message : > > Wed Nov 27 04:38:32 2002 : Error: rlm_eap: EAP-Message not found > Wed Nov 27 04:38:32 2002 : Info: rlm_sql: Pairs do not match [2101704] > (in radcheck table, i set value for attribute = "Password" and op = "==") > Wed Nov 27 04:38:37 2002 : Error: rlm_sql: Stop packet with zero session > length. (user '2101704', nas '199.37.116.117') > Wed Nov 27 04:38:42 2002 : Error: rlm_sql: Stop packet with zero session > length. (user '2101704', nas '199.37.116.117') > Wed Nov 27 04:38:47 2002 : Error: rlm_sql: Stop packet with zero session > length. (user '2101704', nas '199.37.116.117') > Wed Nov 27 04:38:52 2002 : Error: rlm_sql: Stop packet with zero session > length. (user '2101704', nas '199.37.116.117') > > i am using freeradius-0.4, suse 8.0 and cisco AS5300. > > thank you for your help. > > > > Regards, > > > Tjenen > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
pairs do not match
hi all, i am just install freeradius and i am newbie for that. what should i do if get error message : Wed Nov 27 04:38:32 2002 : Error: rlm_eap: EAP-Message not found Wed Nov 27 04:38:32 2002 : Info: rlm_sql: Pairs do not match [2101704] (in radcheck table, i set value for attribute = "Password" and op = "==") Wed Nov 27 04:38:37 2002 : Error: rlm_sql: Stop packet with zero session length. (user '2101704', nas '199.37.116.117') Wed Nov 27 04:38:42 2002 : Error: rlm_sql: Stop packet with zero session length. (user '2101704', nas '199.37.116.117') Wed Nov 27 04:38:47 2002 : Error: rlm_sql: Stop packet with zero session length. (user '2101704', nas '199.37.116.117') Wed Nov 27 04:38:52 2002 : Error: rlm_sql: Stop packet with zero session length. (user '2101704', nas '199.37.116.117') i am using freeradius-0.4, suse 8.0 and cisco AS5300. thank you for your help. Regards, Tjenen - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Question about rlm_sql "Pairs do not match for user ..."
Hello, In src/modules/rlm_sql/rlm_sql.c around line 575 there is a block of code which looks like: if (paircmp(request, request->packet->vps, check_tmp, &reply_tmp) != 0) { radlog(L_INFO, "rlm_sql (%s): Pairs do not match for user [%s]", inst->config->xlat_name, sqlusername); /* Remove the username we (maybe) added above */ pairdelete(&request->packet->vps, PW_SQL_USER_NAME); sql_release_socket(inst, sqlsocket); pairfree(&reply_tmp); pairfree(&check_tmp); return RLM_MODULE_NOTFOUND; } This seems to be comparing the pairs from the: authorize_group_check_query and authorize_group_reply_query results when used with the rlm_sql module. My question is why should the reply and check pairs be the same? The code has no comments explaining this (I'll write some up and submit a patch if someone explains it to me). I uncommented the extra debugging above this section, and what I see is: rlm_sql: check items Crypt-Password = "$1$xxx$x" Simultaneous-Use = 1 rlm_sql: reply items rlm_sql (sql): Pairs do not match for user [wizardit] rlm_sql (sql): Released sql socket id: 9 modcall[authorize]: module "sql" returns notfound modcall: group authorize returns ok rad_check_password: Found Auth-Type Local auth: type Local auth: No password configured for the user Section 4 of the doc/Simultaneous-Use says: Note that you need to add the Simultaneous-Use parameter to the check item (first line), not the reply item, using the ':=' operator. So it seems to me that there the check_items should never match the reply items (of which I have none) when using Simultaneous-Use. Is this correct? If so the code in rlm_sql.c is wrong, otherwise what am I missing? With the block of code above commented out in rlm_sql.c authentication works properly (as it did in previous versions), and I haven't noticed any other problems. Is there a problem with leaving this out? Thanks, Josh -- Josh Wilsdon <[EMAIL PROTECTED]> Programmer Analyst Wizard IT Services - http://www.wizard.ca Linux Support Specialist - http://linuxmagic.com Unix Administration, Website Hosting, Network Services, Programming (604) 589-0037 Beautiful British Columbia, Canada LinuxMagic is a TradeMark of Wizard Tower TechnoServices Ltd. This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error please notify the system manager. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_sql - pairs do not match - but everything seems to be there
At 06:23 PM 1/8/2002 -0500, Steve Sobol wrote: >I'm currently using FreeRadius - just upgraded to 0.4 - to authenticate >users with account info in /etc/passwd and /etc/shadow. >Currently all I use is a default entry in /usr/local/etc/raddb/users. You'll want to update to a CVS snapshot. The current CVS has an updated sql table definition that adds support for the 'operator'. If no operator is returned, the code assumes '=='. To set an Auth-Type, you need to use the ':=' operator. -Chris -- \\\|||/// \ Chris Parker-Manager, Development Engineering \ ~ ~ / \ WX *is* Wireless!\ [EMAIL PROTECTED] | @ @ |\ http://www.starnetwx.net \ (847) 963-0116 oOo---(_)---oOo--\-- \ Without C we would have 'obol', 'basi', and 'pasal' - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_sql - pairs do not match - but everything seems to be there
Hi, Look in te archives for subject: "anyone uses sql authorization with radius". You find your answers in there. bash On Tue, 8 Jan 2002, Steve Sobol wrote: > I'm currently using FreeRadius - just upgraded to 0.4 - to authenticate > users with account info in /etc/passwd and /etc/shadow. > Currently all I use is a default entry in /usr/local/etc/raddb/users. > > This works fine. > > However, I'm testing a setup where as much information as possible will go > into a MySQL database. I'm also setting up LDAP > for authentication, so I'm using an LDAP account to test... As you will > see, this is not an LDAP issue... > > Here's the contents of the relevant fields out of my database > > [radcheck] > ++--+---+---+ > | id | UserName | Attribute | Value | > ++--+---+---+ > | 11 | [EMAIL PROTECTED] | Auth-Type | LDAP | > ++--+---+---+ > > [usergroup] > ++--+---+ > | id | UserName | GroupName | > ++--+---+ > | 4 | [EMAIL PROTECTED] | ldap | > ++--+---+ > > [radgroupcheck] > ++---+---+---+ > | id | GroupName | Attribute | Value | > ++---+---+---+ > | 6 | ldap | Auth-Type | Ldap | > ++---+---+---+ > > [radgroupreply] > ++---+---+-+ > | id | GroupName | Attribute | Value | > ++---+---+-+ > | 10 | ldap | Idle-Timeout | 600 | > | 9 | ldap | Port-Limit| 1 | > | 13 | ldap | Service-Type | Framed-User | > | 14 | ldap | Framed-Protocol | PPP | > | 15 | ldap | Framed-IP-Address | 255.255.255.254 | > | 20 | ldap | Framed-IP-Netmask | 255.255.255.255 | > | 19 | ldap | Session-Timeout | 28800 | > ++---+---+-+ > > Ok, first: If the account isn't in radcheck, usergroup doesn't get checked > for the username. > The next apparent step if the account isn't in radcheck is that the various > tables are checked > for DEFAULT - and this seems like a bug to me. > > Now... This is what happens when I try to dial in using sjs-ldap > > Thread 1 handling request 0, (1 handled so far) > User-Name = "[EMAIL PROTECTED]" > Password = "\352{\252\236M4\257}3KwZl\006\274[" > NAS-IP-Address = 64.24.224.229 > NAS-Port = 44 > NAS-Port-Type = Async > Service-Type = Framed-User > Framed-Protocol = PPP > Connect-Info = "16800 LAPM/V42BIS" > Called-Station-Id = "4408560016" > Calling-Station-Id = "4402098862" > Proxy-State = > 0x3c3b74724018e0e5040210007c1462fc83ad10f33842ef6c7294576d > rad_lowerpair: User-Name now '[EMAIL PROTECTED]' > rad_lowerpair: Password now 'myDialupPassword' > rad_rmspace_pair: User-Name now '[EMAIL PROTECTED]' > rad_rmspace_pair: Password now 'myDialupPassword' > modcall: entering group authorize >modcall[authorize]: module "preprocess" returns ok >modcall[authorize]: module "suffix" returns ok > rlm_sql: Reserving sql socket id: 4 > radius_xlat: '[EMAIL PROTECTED]' > sql_escape in: '[EMAIL PROTECTED]' > sql_escape out: '[EMAIL PROTECTED]' > sql_set_user: escaped user --> '[EMAIL PROTECTED]' > radius_xlat: 'SELECT id,UserName,Attribute,Value FROM radcheck WHERE > Username = '[EMAIL PROTECTED]' ORDER BY id' > radius_xlat: 'SELECT > radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value > FROM radgroupcheck,usergroup WHERE usergroup.Username = > '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName > ORDER BY radgroupcheck.id' > radius_xlat: 'SELECT id,UserName,Attribute,Value FROM radreply WHERE > Username = '[EMAIL PROTECTED]' ORDER BY id' > radius_xlat: 'SELECT > radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value > FROM radgroupreply,usergroup WHERE usergroup.Username = > '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName > ORDER BY radgroupreply.id' > rlm_sql: Released sql socket id: 4 > rlm_sql: Pairs do not match [[EMAIL PROTECTED]] >modcall[authorize]: module "sq
rlm_sql - pairs do not match - but everything seems to be there
I'm currently using FreeRadius - just upgraded to 0.4 - to authenticate users with account info in /etc/passwd and /etc/shadow. Currently all I use is a default entry in /usr/local/etc/raddb/users. This works fine. However, I'm testing a setup where as much information as possible will go into a MySQL database. I'm also setting up LDAP for authentication, so I'm using an LDAP account to test... As you will see, this is not an LDAP issue... Here's the contents of the relevant fields out of my database [radcheck] ++--+---+---+ | id | UserName | Attribute | Value | ++--+---+---+ | 11 | [EMAIL PROTECTED] | Auth-Type | LDAP | ++--+---+---+ [usergroup] ++--+---+ | id | UserName | GroupName | ++--+---+ | 4 | [EMAIL PROTECTED] | ldap | ++--+---+ [radgroupcheck] ++---+---+---+ | id | GroupName | Attribute | Value | ++---+---+---+ | 6 | ldap | Auth-Type | Ldap | ++---+---+---+ [radgroupreply] ++---+---+-+ | id | GroupName | Attribute | Value | ++---+---+-+ | 10 | ldap | Idle-Timeout | 600 | | 9 | ldap | Port-Limit | 1 | | 13 | ldap | Service-Type | Framed-User | | 14 | ldap | Framed-Protocol | PPP | | 15 | ldap | Framed-IP-Address | 255.255.255.254 | | 20 | ldap | Framed-IP-Netmask | 255.255.255.255 | | 19 | ldap | Session-Timeout | 28800 | ++---+---+-+ Ok, first: If the account isn't in radcheck, usergroup doesn't get checked for the username. The next apparent step if the account isn't in radcheck is that the various tables are checked for DEFAULT - and this seems like a bug to me. Now... This is what happens when I try to dial in using sjs-ldap Thread 1 handling request 0, (1 handled so far) User-Name = "[EMAIL PROTECTED]" Password = "\352{\252\236M4\257}3KwZl\006\274[" NAS-IP-Address = 64.24.224.229 NAS-Port = 44 NAS-Port-Type = Async Service-Type = Framed-User Framed-Protocol = PPP Connect-Info = "16800 LAPM/V42BIS" Called-Station-Id = "4408560016" Calling-Station-Id = "4402098862" Proxy-State = 0x3c3b74724018e0e5040210007c1462fc83ad10f33842ef6c7294576d rad_lowerpair: User-Name now '[EMAIL PROTECTED]' rad_lowerpair: Password now 'myDialupPassword' rad_rmspace_pair: User-Name now '[EMAIL PROTECTED]' rad_rmspace_pair: Password now 'myDialupPassword' modcall: entering group authorize modcall[authorize]: module "preprocess" returns ok modcall[authorize]: module "suffix" returns ok rlm_sql: Reserving sql socket id: 4 radius_xlat: '[EMAIL PROTECTED]' sql_escape in: '[EMAIL PROTECTED]' sql_escape out: '[EMAIL PROTECTED]' sql_set_user: escaped user --> '[EMAIL PROTECTED]' radius_xlat: 'SELECT id,UserName,Attribute,Value FROM radcheck WHERE Username = '[EMAIL PROTECTED]' ORDER BY id' radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id,UserName,Attribute,Value FROM radreply WHERE Username = '[EMAIL PROTECTED]' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql: Released sql socket id: 4 rlm_sql: Pairs do not match [[EMAIL PROTECTED]] modcall[authorize]: module "sql" returns notfound users: Matched DEFAULT at 2 modcall[authorize]: module "files" returns ok modcall: group authorize returns ok rad_check_password: Found Auth-Type System auth: type "System" modcall: entering group authenticate modcall[authenticate]: module "unix" returns notfound modcall: group authenticate returns notfound auth: Failed to validate the user. Sending Access-Reject of id 109 to 216.126.128.8:1650 Proxy-State = 0x3c3b74724018e0e5040210007c1462fc83ad10f33842ef6c7294576d Finished request 0 Going to the next request Now, for some reason, enabling debugging on 0.4 doesn't print the results of t
rlm_sql: Pairs do not match
Who can tell me what does 'rlm_sql: Pairs do not match' mean? please... --- query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,r adgroupreply.Value FROM radgroupreply,usergroup WHERE usergroup.Username = 'steve' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_postgresql Status: PGRES_TUPLES_OK sql_postgresql: affected rows = Service-Type = Framed-User Service-Type = Framed-User Framed-Protocol = PPP Service-Type = Framed-User Framed-Protocol = PPP Framed-Address = 255.255.255.254 Service-Type = Framed-User Framed-Protocol = PPP Framed-Address = 255.255.255.254 Framed-Compression = Van-Jacobson-TCP-IP Service-Type = Framed-User Framed-Protocol = PPP Framed-Address = 255.255.255.254 Framed-Compression = Van-Jacobson-TCP-IP Framed-MTU = 1500 Service-Type = Framed-User Framed-Protocol = PPP Framed-Address = 255.255.255.254 Framed-Compression = Van-Jacobson-TCP-IP Framed-MTU = 1500 Fall-Through = Yes rlm_sql: Released sql socket id: 4 rlm_sql: Pairs do not match [steve] Sending Access-Reject of id 137 to 127.0.0.1:2083 -- cron - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Pairs do not match
Hi ! I need to configure user with Exec-Program-wait. I am using Freeradius and MySQL, an i already imported the dictionary and configured the user in the radcheck table this way: (34,"SomeUser","Exec-Program-Wait","/sbin/exec_program") Is this correct ? I receive "pairs do not match" err when i try to connect. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Pairs do not match
At 06:09 PM 11/22/2001 +1000, Mark Constable wrote: >On Thu, 22 Nov 2001 00:45, Chris Parker wrote: > > > It looks like you are storing a plaintext password in a Crypt > > password container. Either store the encrypted password in the > > table, or change the attribute name to 'User-Password'. > >Oh oh, where does "User-Password" come from ? I've been >using either just "Password" for plain text entries or >"Crypt-Password" for encrypt('pw')ed entries. User-Password and Password would be the same thing. Password is what's defined in the dictionary, so use that. The RFC gives the proper "name" as User-Password, so that's why I mentioned it, however, regardless of the RFC, you need to use Password. -Chris -- \\\|||/// \ Chris Parker-Manager, Development Engineering \ ~ ~ / \ WX *is* Wireless!\ [EMAIL PROTECTED] | @ @ |\ http://www.starnetwx.net \ (847) 963-0116 oOo---(_)---oOo--\-- \ Without C we would have 'obol', 'basi', and 'pasal' - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Pairs do not match
On Thu, 22 Nov 2001 00:45, Chris Parker wrote: > It looks like you are storing a plaintext password in a Crypt > password container. Either store the encrypted password in the > table, or change the attribute name to 'User-Password'. Oh oh, where does "User-Password" come from ? I've been using either just "Password" for plain text entries or "Crypt-Password" for encrypt('pw')ed entries. Using "radtest" confirms my user/pw entries are OK. > This has been going on for a while. It looks like series of debugging > statements that should be commented out somewhere, as the server is > iterating through a loop. Not that there is a definite pattern to this > series, as if it's printing the a/v pair list each time through a loop: > Pass 1: > >Service-Type = Framed-User > Pass 2: Ah right, I never noticed that obvious pattern. > So it's a cosmetic bug, unless you are seeing the reply being sent with > that many attributes out from the NAS. Nope. > I'd look at the SQL module for this, if you want to clean it up. As long as I know it's not part of my problem(s) then like everyone else, I'll put up with it until someone else cleans it up with CVS access. Thanks for the response Chris. --markc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Pairs do not match
At 03:23 PM 11/21/2001 +1000, Mark Constable wrote: >Could anyone please explain what might be going on here >and which "Pairs do not match" ? > >"rlm_sql: Pairs do not match [[EMAIL PROTECTED]]" It looks like you are storing a plaintext password in a Crypt password container. Either store the encrypted password in the table, or change the attribute name to 'User-Password'. >And why might I be seeing doubled up reply pairs ? This has been going on for a while. It looks like series of debugging statements that should be commented out somewhere, as the server is iterating through a loop. Not that there is a definite pattern to this series, as if it's printing the a/v pair list each time through a loop: Pass 1: >Service-Type = Framed-User Pass 2: > Service-Type = Framed-User > Framed-Protocol = PPP Pass 3: > Service-Type = Framed-User > Framed-Protocol = PPP > Framed-Netmask = 255.255.255.255 Pass 4: > Service-Type = Framed-User > Framed-Protocol = PPP > Framed-Netmask = 255.255.255.255 > Framed-MTU = 1500 Pass 5: > Service-Type = Framed-User > Framed-Protocol = PPP > Framed-Netmask = 255.255.255.255 > Framed-MTU = 1500 > Framed-Compression = Van-Jacobson-TCP-IP So it's a cosmetic bug, unless you are seeing the reply being sent with that many attributes out from the NAS. I'd look at the SQL module for this, if you want to clean it up. -Chris -- \\\|||/// \ Chris Parker-Manager, Development Engineering \ ~ ~ / \ WX *is* Wireless!\ [EMAIL PROTECTED] | @ @ |\ http://www.starnetwx.net \ (847) 963-0116 oOo---(_)---oOo--\-- \ Without C we would have 'obol', 'basi', and 'pasal' - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Pairs do not match
Could anyone please explain what might be going on here and which "Pairs do not match" ? "rlm_sql: Pairs do not match [[EMAIL PROTECTED]]" And why might I be seeing doubled up reply pairs ? TIA --markc rad_recv: Access-Request packet from host 203.45.208.156:32974, id=233, length=64 User-Name = "[EMAIL PROTECTED]" Password = "\277\241\273\337"\274\247v\262@J\227\006E\256D" NAS-IP-Address = 255.255.255.255 NAS-Port-Id = "0" rlm_sql: Reserving sql socket id: 4 Crypt-Password = "G0t7spLAraWNo" Crypt-Password = "G0t7spLAraWNo" Auth-Type = SQL Service-Type = Framed-User Service-Type = Framed-User Framed-Protocol = PPP Service-Type = Framed-User Framed-Protocol = PPP Framed-Netmask = 255.255.255.255 Service-Type = Framed-User Framed-Protocol = PPP Framed-Netmask = 255.255.255.255 Framed-MTU = 1500 Service-Type = Framed-User Framed-Protocol = PPP Framed-Netmask = 255.255.255.255 Framed-MTU = 1500 Framed-Compression = Van-Jacobson-TCP-IP rlm_sql: Released sql socket id: 4 rlm_sql: Pairs do not match [[EMAIL PROTECTED]] Login incorrect: [[EMAIL PROTECTED]/Xmarkc] (from nas c port 0) Sending Access-Reject of id 233 to 203.45.208.156:32974 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html