Re: FreeRADIUS without Universal Password
* Jason C Brown jasonbr...@ferris.edu [Wed, 4 Feb 2009 17:41:49 -0500]:
> Is there a way to integrate FreeRADIUS without having to use the universal password in Novell?

You need to send the password in plaintext to the RADIUS server from the connecting client; in the world of 802.1X this is typically done by wrapping PAP in EAP-TTLS[1]. It's what we had to do in the early days whilst migrating from a non-UP world to a UP world... now I just have to work out how to dispose of Novell, but that's another battle.

When you use PAP, you can just do a nasty bog-standard LDAP bind, get FreeRADIUS to check that it succeeds and then work from there. Once you are UP'ed you can then enable the horrors of MSCHAP and let those horrible Jesus Phones connect and what not.

Looking on the good side, no iPhones on your wireless network till you get there, so you might want to view this as a reason not to UP altogether ;)

Cheers

[1] which is better than PEAP anyway, as you have the option to pre-config Windows clients with a single EXE if you choose to use SecureW2

--
Alexander Clouter
.sigmonster says: Practice yourself what you preach.
                  -- Titus Maccius Plautus

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Radgroupcheck and regexp
I use freeradius 2.1.3 with an Oracle DB. Regexp works wrong in the radgroupcheck table. What did I do wrong?

Usergroup table:
--
  65658  testgroup  testgroup1  15
  65659  testgroup  testgroup2  20
--

Radgroupcheck table:
--
  321  testgroup1  NAS-IP-Address  !~  ^10.10
  341  testgroup2  NAS-IP-Address  =~  ^10.10
--

Radgroupreply table:
--
  682  testgroup1  Fall-Through  =   Yes
  661  testgroup1  Cisco-AVPair  +=  ip:addr-pool=test1
  681  testgroup2  Fall-Through  =   Yes
  662  testgroup2  Cisco-AVPair  +=  ip:addr-pool=test2
--

  Sending Access-Request of id 250 to 127.0.0.1 port 1812
        User-Name = testgroup
        User-Password = test
        NAS-IP-Address = 10.10.1.1
  rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=250, length=46
        Cisco-AVPair = ip:addr-pool=test2

  Sending Access-Request of id 203 to 127.0.0.1 port 1812
        User-Name = testgroup
        User-Password = test
        NAS-IP-Address = 10.11.1.1
  rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=203, length=46
        Cisco-AVPair = ip:addr-pool=test2

Debug from last request:

  Ready to process requests.
  rad_recv: Access-Request packet from host 127.0.0.1 port 6526, id=133, length=55
        User-Name = testgroup
        User-Password = test
        NAS-IP-Address = 10.11.1.1
  +- entering group authorize {...}
  [preprocess]    expand: %{NAS-IP-Address} -> 10.11.1.1
  ++[preprocess] returns ok
  [auth_log]      expand: /usr/local/var/log/radius/radacct/detail/%{Client-IP-Address}/detail-%Y%m%d -> /usr/local/var/log/radius/radacct/detail/127.0.0.1/detail-20090205
  [auth_log] /usr/local/var/log/radius/radacct/detail/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/detail/127.0.0.1/detail-20090205
  [auth_log]      expand: %t -> Thu Feb 5 16:39:28 2009
  ++[auth_log] returns ok
  ++[chap] returns noop
  [suffix] No '@' in User-Name = testgroup, looking up realm NULL
  [suffix] Found realm NULL
  [suffix] Adding Stripped-User-Name = testgroup
  [suffix] Adding Realm = NULL
  [suffix] Authentication realm is LOCAL.
  ++[suffix] returns ok
  [files] users: Matched entry DEFAULT at line 2
  ++[files] returns ok
  [sqlauth]       expand: %{User-Name} -> testgroup
  [sqlauth] sql_set_user escaped user --> 'testgroup'
  rlm_sql (sqlauth): Reserving sql socket id: 7
  [sqlauth]       expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'testgroup' ORDER BY id
  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'testgroup' ORDER BY id
  WARNING: Found User-Password ==
  WARNING: Are you sure you don't mean Cleartext-Password?
  WARNING: See man rlm_pap for more information.
  [sqlauth] User found in radcheck table
  [sqlauth]       expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'testgroup' ORDER BY id
  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'testgroup' ORDER BY id
  [sqlauth]       expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' OR CLID='%{Calling-Station-Id}' order by priority -> SELECT GroupName FROM usergroup WHERE UserName='testgroup' OR CLID='' order by priority
  SELECT GroupName FROM usergroup WHERE UserName='testgroup' OR CLID='' order by priority
  [sqlauth]       expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'testgroup1' ORDER BY id
  SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'testgroup1' ORDER BY id
  ### [sqlauth]       expand: %{NAS-IP-Address} -> 10.11.1.1
  ### [sqlauth]       expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'testgroup2' ORDER BY id
  SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'testgroup2' ORDER BY id
  ### [sqlauth]       expand: %{NAS-IP-Address} -> 10.11.1.1
  [sqlauth] User found in group testgroup2
  ### [sqlauth]       expand
802.1x with freeradius + PEAP + 3com Switch
Hi,

I managed to get authentication of users logged on Windows XP workstations to the network. The machine authentication (while booting) however fails, thus preventing the users from retrieving their roaming profiles.

Here is the relevant part of the log:

  Thu Feb 5 14:39:16 2009 : Debug: rlm_ldap: - authorize
  Thu Feb 5 14:39:16 2009 : Debug: rlm_ldap: performing user authorization for host/mycomputer
  Thu Feb 5 14:39:16 2009 : Debug: radius_xlat: Running registered xlat function of module mschap for string 'User-Name:None'
  Thu Feb 5 14:39:16 2009 : Debug: expand: (uid=%{mschap:User-Name:None}) -> (uid=mycomputer$)
  Thu Feb 5 14:39:16 2009 : Debug: expand: ou=People,dc=mycompany,dc=com -> ou=People,dc=mycompany,dc=com
  Thu Feb 5 14:39:16 2009 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
  Thu Feb 5 14:39:16 2009 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
  Thu Feb 5 14:39:16 2009 : Debug: rlm_ldap: attempting LDAP reconnection

It seems freeradius tries to authenticate the computer from ou=People,dc=mydomain,dc=com. In radiusd.conf I have the following:

  ldap {
        server = 192.168.0.3
        identity = uid=dot1x_read_user,ou=People,dc=mydomain,dc=com
        password = ldapreadpasswd
        basedn = ou=People,dc=mydomain,dc=com
        filter = (uid=%{mschap:User-Name:None})

I now need to instruct the ldap module to search in ou=Computers,dc=mydomain,dc=com for the computers' authentication. How do I do this while preserving the working users auth?

Thanks

Laurent
RE: mschav2 can't get connected
Hi Ivan,

I'm just not sure if the card is broken, because when I set it to use WPA then it's working perfectly, but why didn't MSCHAPv2 EAP-TLS work? Will there be other reasons, or something missing that causes the problem? Should I send you the execution log?

> From: ssa...@hotmail.com
> To: freeradius-us...@lists.freeradius.org
> Subject: RE: mschav2 can't get connected
> Date: Tue, 3 Feb 2009 23:46:15 +0900
>
> Hi Alan,
>
> Appreciated if you could give me some tips on how to solve the problem. I really have no idea why this happens or where I went wrong... newbie. Thanks in advance.
>
> > Date: Mon, 2 Feb 2009 14:50:04 +0100
> > From: al...@deployingradius.com
> > To: freeradius-users@lists.freeradius.org
> > Subject: Re: mschav2 can't get connected
> >
> > saman saman wrote:
> > > Hi.. Can anyone help me. I can't get the client to connect to the radius server. Any suggestion on how to fix it... appreciated. Here is the radius output:
> > > ...
> > >         EAP-Message = 0x0101000501
> >
> > Your supplicant is sending an empty identity. This isn't permitted.
> >
> > Alan DeKok.
RE: mschav2 can't get connected
> Hi Ivan, I'm just not sure if the card is broken, because when I set it to use WPA then it's working perfectly, but why didn't MSCHAPv2 EAP-TLS work?

WPA what? WPA-PSK? That doesn't use EAP or any other user authentication method. EAP is broken. Card is just radio. Instead of music it replays data. That is extremely unlikely to be a problem. If the card isn't working, you have no reception.

Ivan Kalik
Kalik Informatika ISP
Re: 802.1x with freeradius + PEAP + 3com Switch
> It seems freeradius tries to authenticate the computer from ou=People,dc=mydomain,dc=com. In radiusd.conf I have the following:
>
>   ldap {
>         server = 192.168.0.3
>         identity = uid=dot1x_read_user,ou=People,dc=mydomain,dc=com
>         password = ldapreadpasswd
>         basedn = ou=People,dc=mydomain,dc=com
>         filter = (uid=%{mschap:User-Name:None})
>
> I now need to instruct the ldap module to search in ou=Computers,dc=mydomain,dc=com for the computers' authentication. How do I do this while preserving the working users auth?

Make another ldap instance that has that basedn. Machine usernames have $ at the end - use unlang to test for that and switch ldap instance as required.

Ivan Kalik
Kalik Informatika ISP
Re: 802.1x with freeradius + PEAP + 3com Switch
> > Make another ldap instance that has that basedn. Machine usernames have $ at the end - use unlang to test for that and switch ldap instance as required.
>
> I see how to create another instance but really don't see where and how to use unlang to switch between the 2 instances depending on the username. Any clue?

regex.

Ivan Kalik
Kalik Informatika ISP
Re: 802.1x with freeradius + PEAP + 3com Switch
t...@kalik.net wrote:
> regex.

Thanks Ivan,

Can you please give me some hint about what to put in the config's stanzas?

Thanks
Re: FreeRADIUS without Universal Password
I had to ask; I have people telling me that this is a limitation of only FreeRADIUS and not all RADIUS servers in general. There is a concern that the UP is being stored in clear text in Novell and we need to turn off that service and only use simple password. Since I am no Novell admin I really do not have a clue if we can encrypt the UP that is stored on the server or what other implications there are in turning off UP.

Jason Brown - RHCT, Security+, Linux+, Network+
Systems Administrator
Enterprise Technology Services
Ferris State University
(231) 591-2687

On Feb 5, 2009, at 1:48 AM, Alan DeKok wrote:

> Jason C Brown wrote:
> > Do you by chance know if every RADIUS server acts the same way? For instance would Steel Belted RADIUS require the use of UP as well?
>
> Please read this explanation again:
>
> The Novell password is not stored as an attribute unless Universal password is enabled. It exists in eDirectory, can be created/modified by ldap as userpassword but cannot be returned in an ldap search.
>
> The password can't be seen by *any* RADIUS server until it's stored as a Universal password. This is a limitation of Novell's LDAP server, and applies to all LDAP clients, whether they are RADIUS servers, command-line clients, web servers, or anything else.
>
> Alan DeKok.
Re: 802.1x with freeradius + PEAP + 3com Switch
  if (User-Name =~ /\$$/) {
        ldapmachine
  }
  else {
        ldapuser
  }

Ivan Kalik
Kalik Informatika ISP

On 5/2/2009, Laurent CARON lca...@lncsa.com wrote:
> t...@kalik.net wrote:
> > regex.
>
> Thanks Ivan,
>
> Can you please give me some hint about what to put in the config's stanzas?
>
> Thanks
Re: 802.1x with freeradius + PEAP + 3com Switch
t...@kalik.net wrote:
> if (User-Name =~ /\$$/) { ldapmachine } else { ldapuser }

in my radiusd.conf file I've got 2 stanzas like this:

  ldap {
        server =
        port =
  }
  ldap2 {
        server =
        port =
  }

I did copy/paste the lines you gave me just over the first "server = ..." line but it doesn't seem to do anything.

Any clue?

Thanks
RE: FreeRADIUS without Universal Password
Universal Password is encrypted. Its attribute name is npsmDistributionPassword, I believe. As a further protection it is only readable by admin roles. You'll have to set up freeradius to bind with such a login and get the password and decrypt it. That function has been in freeradius for quite a while. That process will give freeradius (internally) a cleartext password to use for mschapv2.

We moved to all M$ products a while back, but used freeradius against eDirectory for a couple of years before we moved to all Windows servers. It was low maintenance and worked well for us. The only issue was the moving auth target that M$ eap clients presented us. That's why we use IAS presently. At least when it breaks it's their fault.

Mearl

-----Original Message-----
From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of Jason C Brown
Sent: Thursday, February 05, 2009 10:45 AM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS without Universal Password

> I had to ask; I have people telling me that this is a limitation of only FreeRADIUS and not all RADIUS servers in general. There is a concern that the UP is being stored in clear text in Novell and we need to turn off that service and only use simple password. Since I am no Novell admin I really do not have a clue if we can encrypt the UP that is stored on the server or what other implications there are in turning off UP.
>
> Jason Brown - RHCT, Security+, Linux+, Network+
> Systems Administrator
> Enterprise Technology Services
> Ferris State University
> (231) 591-2687
Re: FreeRADIUS without Universal Password
* a.l.m.bu...@lboro.ac.uk a.l.m.bu...@lboro.ac.uk [Thu, 5 Feb 2009 16:52:36 +]:
> > I had to ask; I have people telling me that this is a limitation of only FreeRADIUS and not all RADIUS servers in general. There is a concern that the UP is being stored in clear text in Novell and we need to turn off that service and only use simple password. Since I am no Novell admin I really do not have a clue if we can encrypt the UP that is stored on the server or what other implications there are in turning off UP.
>
> you *might be able to encrypt it - it'll still have to be in the same place etc - then you might be able to use the auto-handle features of FreeRADIUS for it to decrypt the password to something suitable. never tried, but sounds feasible. the record would/may(?) have to start with the encryption flavour used eg {SHA256} or somesuch

A shared secret would need to be known by both parties (or to have some public key infrastructure in place) for encryption/decryption to work. If you have a shared secret between you already, then there hardly is any point. This is where EAP-TTLS steps in to save the day, effectively SSL for RADIUS/EAP.

<nitpick>hash != encryption</nitpick>

You can use hashes to provide authenticity of a chunk of data (HMACs). To encrypt, that's where AES, Blowfish and such step in, and for those to work you need a key, which means you need a shared secret between you and the client; which in a roundabout way defeats the point of the authentication.

'Other' RADIUS servers, I am almost certain, just do a bog-standard LDAP bind[1] and work on from there.

Cheers

[1] use the plaintext password and authenticate pretending to be an LDAP client using the user's credentials; identical to how you would use ldap(search|modify|add|kitchensink) with credentials

--
Alexander Clouter
.sigmonster says: Graduate life: It's not just a job. It's an indenture.
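The approach Alexander describes here and in his first reply in this thread (wrap PAP in EAP-TTLS, then let FreeRADIUS do a plain LDAP bind with the user's credentials instead of reading any password attribute) written out as a FreeRADIUS 2.x configuration. This is an added example, not configuration from the thread or the FreeRADIUS project's shipped files; the file layout (eap.conf, modules/ldap, sites-enabled/inner-tunnel) assumes 2.x, and every host name, DN and secret is a placeholder.

```unlang
# Added example (not from the thread): EAP-TTLS carrying PAP, with the
# tunnelled request authenticated by binding to the directory as the user.
# FreeRADIUS 2.x file layout assumed; all names and secrets are placeholders.

# --- eap.conf ----------------------------------------------------------
eap {
        default_eap_type = ttls
        tls {
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                private_key_password = CHANGE-ME          # placeholder
                private_key_file = ${certdir}/server.pem
                certificate_file = ${certdir}/server.pem
                CA_file = ${cadir}/ca.pem
                dh_file = ${certdir}/dh
                random_file = ${certdir}/random
        }
        ttls {
                # PAP arrives as a plain User-Password inside the TLS
                # tunnel; the inner request is processed by the virtual
                # server named below, never by the outer authorize section.
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
}

# --- modules/ldap ------------------------------------------------------
# No password_attribute is configured, so nothing is read back from the
# directory (no Universal Password needed). set_auth_type tells the module
# to set Auth-Type := LDAP when it finds the user but obtains no password,
# which routes the request to the bind-as-user branch in authenticate.
ldap {
        server = "ldap.example.org"                               # placeholder
        identity = "cn=radius,ou=Services,dc=example,dc=org"      # placeholder
        password = "CHANGE-ME"                                    # placeholder
        basedn = "ou=People,dc=example,dc=org"                    # placeholder
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        set_auth_type = yes
}

# --- sites-enabled/inner-tunnel ----------------------------------------
server inner-tunnel {
        authorize {
                suffix
                ldap
                # pap does nothing here once ldap has already set Auth-Type
                pap
        }
        authenticate {
                # Bind with the tunnelled User-Password: the directory,
                # not FreeRADIUS, decides whether the password is right.
                Auth-Type LDAP {
                        ldap
                }
                Auth-Type PAP {
                        pap
                }
        }
}
```

The outer RADIUS exchange carries only EAP; the cleartext password exists inside the TLS tunnel and in the server's memory for the duration of the bind. That makes the server certificate the thing to get right: supplicants that do not validate it (or that accept any CA) will hand their password to whoever answers on the SSID, so the pre-configured client profile Alexander mentions should pin the CA and server name.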
Matching Realms and Group-Membership
Hi,

I've successfully set up freeradius and till now it is doing what I want - checking realms and prefixes, and using a postgres database backend. ;)

Now I want to implement a check that verifies if a user authenticating with 10...@realma.com is also in the group realmA, and rejects the request if this is not the case. This way I want to implement a "user X purchased product Y?" check.

Already tried this: adding in the radusergroup table:

  +------------------+-----------+----------+
  | username         | groupname | priority |
  +------------------+-----------+----------+
  | 10...@realma.com | realmA    |       10 |
  +------------------+-----------+----------+

And in the radgroupcheck table:

  +----+-----------+-----------+----+------------+
  | id | groupname | attribute | op | value      |
  +----+-----------+-----------+----+------------+
  |  1 | realmA    | Realm     | != | realma.com |
  +----+-----------+-----------+----+------------+

And finally in the radgroupreply table:

  +----+-----------+-----------+----+--------+
  | id | groupname | attribute | op | value  |
  +----+-----------+-----------+----+--------+
  |  1 | realmA    | Auth-Type | := | Reject |
  +----+-----------+-----------+----+--------+

And of course, my debug output says:

  rlm_realm: Adding Realm = ~^realmA.com$

I also tried adding ~^realmA.com$ as the value in the radgroupcheck table, with no success.

I thought I already understood this concept... but adding Auth-Type := Reject in the radgroupcheck table works?! My expression in radgroupcheck also works - I verified this by adding Reply-Message += "Is this working?" within radgroupreply, and the reply-message is added to the response.

If anybody could assist me with this or just give me a hint it'd be great!

Regards,
Robert Borz.
Re: FreeRADIUS without Universal Password
* Alan DeKok al...@deployingradius.com [Thu, 05 Feb 2009 18:35:58 +0100]:
> > There is a concern that the UP is being stored in clear text in Novell and we need to turn off that service and only use simple password. Since I am no Novell admin I really do not have a clue if we can encrypt the UP that is stored on the server or what other implications there are in turning off UP.
>
> Storing the UP in clear text isn't a security issue. Really.

I have always considered it more of a problem that the users know the password :)

Cheers

--
Alexander Clouter
.sigmonster says: You display the wonderful traits of charm and courtesy.
Re: 802.1x with freeradius + PEAP + 3com Switch
> in my radiusd.conf file I've got 2 stanzas like this:
>
>   ldap {
>         server =
>         port =
>   }
>   ldap2 {
>         server =
>         port =
>   }
>
> I did copy/paste the lines you gave me just over the first "server = ..." line but it doesn't seem to do anything.
>
> Any clue?

That should be:

  ldap ldap1 {
        ..
  }
  ldap ldap2 {
        ..
  }

What I wrote should go in the authorize section instead of the ldap entry.

Ivan Kalik
Kalik Informatika ISP
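Ivan's answer assembled into one working piece: two named rlm_ldap instances that differ only in their search base, and the unlang test that picks one of them in the authorize section the PEAP inner identity actually passes through. This is an added example, not configuration posted in the thread. It assumes FreeRADIUS 2.x (named module instances and unlang need it; Laurent's single ldap { } block in radiusd.conf may be an older layout), takes server, identity, password and the two base DNs from Laurent's post, and the instance names ldapuser/ldapmachine from Ivan's snippet.

```unlang
# Added example (not from the thread): two rlm_ldap instances selected by
# an unlang regex on the inner identity. FreeRADIUS 2.x assumed. Server,
# identity, password and base DNs come from Laurent's post; the remaining
# settings of his working ldap { } block (password mapping for MSCHAPv2,
# timeouts, ...) should be copied into both instances unchanged.

# --- modules/ldap (or the modules { } section of radiusd.conf) ---------
ldap ldapuser {
        server = "192.168.0.3"
        identity = "uid=dot1x_read_user,ou=People,dc=mydomain,dc=com"
        password = "ldapreadpasswd"
        basedn = "ou=People,dc=mydomain,dc=com"
        filter = "(uid=%{mschap:User-Name:None})"
}

ldap ldapmachine {
        server = "192.168.0.3"
        identity = "uid=dot1x_read_user,ou=People,dc=mydomain,dc=com"
        password = "ldapreadpasswd"
        # The only difference: computer objects live under this base.
        basedn = "ou=Computers,dc=mydomain,dc=com"
        filter = "(uid=%{mschap:User-Name:None})"
}

# --- sites-enabled/inner-tunnel, authorize { } -------------------------
# With PEAP the inner identity is what arrives here, not in the outer
# default server. Laurent's log shows the machine account as
# host/mycomputer, which the mschap xlat turns into mycomputer$; either
# spelling selects the machine instance, everything else the user one.
authorize {
        mschap
        suffix
        eap {
                ok = return
        }
        if (User-Name =~ /^host\// || "%{mschap:User-Name:None}" =~ /\$$/) {
                ldapmachine
        }
        else {
                ldapuser
        }
        expiration
        logintime
        pap
}
```

Two things to check when wiring this in: the read-only bind identity must be allowed to search ou=Computers as well as ou=People, since it is the same credential for both instances; and because the choice is made on the identity the supplicant presents, a failed lookup in one base should stay a reject rather than falling back to the other instance, otherwise a client could steer its request into the tree with the weaker check.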
Re: Matching Realms and Group-Membership
> Now I want to implement a check that verifies if a user authenticating with 10...@realma.com is also in the group realmA, and rejects the request if this is not the case. This way I want to implement a "user X purchased product Y?" check.
>
> Already tried this: adding in the radusergroup table:
>
>   +------------------+-----------+----------+
>   | username         | groupname | priority |
>   +------------------+-----------+----------+
>   | 10...@realma.com | realmA    |       10 |
>   +------------------+-----------+----------+
>
> And in the radgroupcheck table:
>
>   +----+-----------+-----------+----+------------+
>   | id | groupname | attribute | op | value      |
>   +----+-----------+-----------+----+------------+
>   |  1 | realmA    | Realm     | != | realma.com |
>   +----+-----------+-----------+----+------------+
>
> And finally in the radgroupreply table:
>
>   +----+-----------+-----------+----+--------+
>   | id | groupname | attribute | op | value  |
>   +----+-----------+-----------+----+--------+
>   |  1 | realmA    | Auth-Type | := | Reject |
>   +----+-----------+-----------+----+--------+

You do know that this doesn't do anything. If the password is linked to username 10...@realma.com these group checks are pointless.

> And of course, my debug output says:
>
>   rlm_realm: Adding Realm = ~^realmA.com$

That shouldn't happen. realm suffix should return realmA.com as Realm (without those regex things). Post the whole debug.

Ivan Kalik
Kalik Informatika ISP
Re: Radgroupcheck and regexp
Now I checked this in 2.0.1. This works right in 2.0.1, but not in 2.1.3.

  Sending Access-Request of id 163 to 127.0.0.1 port 1812
        User-Name = testgroup
        User-Password = test
        NAS-IP-Address = 10.10.1.1
  rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=163, length=46
        Cisco-AVPair = ip:addr-pool=test2

  Sending Access-Request of id 140 to 127.0.0.1 port 1812
        User-Name = testgroup
        User-Password = test
        NAS-IP-Address = 10.11.1.1
  rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=140, length=46
        Cisco-AVPair = ip:addr-pool=test1

> I use freeradius 2.1.3 with an Oracle DB. Regexp works wrong in the radgroupcheck table. What did I do wrong?
>
> Usergroup table:
> --
>   65658  testgroup  testgroup1  15
>   65659  testgroup  testgroup2  20
> --
>
> Radgroupcheck table:
> --
>   321  testgroup1  NAS-IP-Address  !~  ^10.10
>   341  testgroup2  NAS-IP-Address  =~  ^10.10
> --
>
> Radgroupreply table:
> --
>   682  testgroup1  Fall-Through  =   Yes
>   661  testgroup1  Cisco-AVPair  +=  ip:addr-pool=test1
>   681  testgroup2  Fall-Through  =   Yes
>   662  testgroup2  Cisco-AVPair  +=  ip:addr-pool=test2
> --
>
>   Sending Access-Request of id 250 to 127.0.0.1 port 1812
>         User-Name = testgroup
>         User-Password = test
>         NAS-IP-Address = 10.10.1.1
>   rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=250, length=46
>         Cisco-AVPair = ip:addr-pool=test2
>
>   Sending Access-Request of id 203 to 127.0.0.1 port 1812
>         User-Name = testgroup
>         User-Password = test
>         NAS-IP-Address = 10.11.1.1
>   rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=203, length=46
>         Cisco-AVPair = ip:addr-pool=test2
Re[2]: Radgroupcheck and regexp
> Now I checked this in 2.0.1. This works right in 2.0.1, but not in 2.1.3.

Last version where this works is 2.0.5.