radgroupreply
Hi,

I've put in the radgroupreply table (mysql) some reply items like idle-timeout. But in the radius accept response there are none of those items. If I put those same items in radreply it works.

So anyone any idea?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radgroupreply
Yes I have it

I have the user test001 with group1 in usergroup
And group1 Idle-Timeout = 600 in radgroupreply
I have some items in radreply for this user but none about idle-timeout

So...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Kostas Kalevras
Sent: Thursday 30 September 2004 15:32
To: [EMAIL PROTECTED]
Subject: Re: radgroupreply

On Thu, 30 Sep 2004, EROS wrote:

> Hi,
>
> I've put in the radgroupreply table (mysql) some reply item like
> idle-timeout. But in the radius accept response there is none of those
> items. If I put those same items on the radreply it works.
>
> So anyone any idea ?

Have you also configured group membership (table usergroup)?

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
radgroupreply
Yes I had it

rad_recv: Access-Request packet from host 192.168.200.1:4395, id=1, length=48
    User-Name = "test001"
    CHAP-Password = 0xb9215f405119e840fdc14e628555747ff2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module "chap" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test001", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
modcall: entering group redundant for request 0
radius_xlat: 'test001'
rlm_sql (sql1): sql_set_user escaped user --> 'test001'
rlm_sql (sql1): Reserving sql socket id: 3
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test001' ORDER BY id'
rlm_sql (sql1): User found in radcheck table
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'test001' ORDER BY id'
rlm_sql (sql1): Released sql socket id: 3
modcall[authorize]: module "sql1" returns ok for request 0
modcall: group redundant returns ok for request 0
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}' GROUP BY UserName='%{User-Name}''
radius_xlat: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='test001' GROUP BY UserName='test001''
sqlcounter_expand: '%{sql1:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='test001' GROUP BY UserName='test001'}'
radius_xlat: Running registered xlat function of module sql1 for string 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='test001' GROUP BY UserName='test001''
rlm_sql (sql1): - sql_xlat
radius_xlat: 'test001'
rlm_sql (sql1): sql_set_user escaped user --> 'test001'
radius_xlat: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='test001' GROUP BY UserName='test001''
rlm_sql (sql1): Reserving sql socket id: 2
rlm_sql (sql1): - sql_xlat finished
rlm_sql (sql1): Released sql socket id: 2
radius_xlat: '24388'
rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user test001, check_item=54000, counter=24388
rlm_sqlcounter: Sent Reply-Item for user test001, Type=Session-Timeout, value=29612
modcall[authorize]: module "noresetcounter" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type CHAP
auth: type "CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_chap: login attempt by "test001" with CHAP password
rlm_chap: Using clear text password test001 for user test001 authentication.
rlm_chap: chap user test001 authenticated succesfully
modcall[authenticate]: module "chap" returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Processing the session section of radiusd.conf
modcall: entering group session for request 0
modcall: entering group redundant for request 0
modcall[session]: module "sql1" returns noop for request 0
modcall: group redundant returns noop for request 0
modcall: group session returns noop for request 0
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
modcall: entering group redundant for request 0
rlm_sql (sql1): Processing sql_postauth
radius_xlat: 'test001'
rlm_sql (sql1): sql_set_user escaped user --> 'test001'
radius_xlat: 'INSERT into radpostauth (id, user, pass, reply, date) values ('', 'test001', 'Chap-Password', 'Access-Accept', NOW())'
rlm_sql (sql1) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'test001', 'Chap-Password', 'Access-Accept', NOW())
rlm_sql (sql1): Reserving sql socket id: 1
rlm_sql (sql1): Released sql socket id: 1
modcall[post-auth]: module "sql1" returns ok for request 0
modcall: group redundant returns ok for request 0
modcall: group post-auth returns ok for request 0
Sending Access-Accept of id 1 to 192.168.200.1:4395
    Session-Timeout = 29612
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.200.1:4395, id=1, length=48
Sending duplicate reply to client Chillispot:4395 - ID: 1
Re-sending Access-Ac
radgroupreply
I've tried to change the request between user and group in sql.conf but it doesn't work.

Does somebody have some ideas?
Re: radgroupreply
On Thu, 30 Sep 2004, EROS wrote:

> Hi,
>
> I've put in the radgroupreply table (mysql) some reply item like
> idle-timeout. But in the radius accept response there is none of those
> items.
> If I put those same items on the radreply it works.
>
> So anyone any idea ?

Have you also configured group membership (table usergroup)?

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: radgroupreply
On Thu, 30 Sep 2004, EROS wrote:

> Yes I have it
>
> I have the user test001 with group1 in usergroup
> And group1 Idle-Timeout = 600 in radgroupreply
> I have some items in radreply for this user but none about idle-timeout
>
> So...

...so run the server in debug to see what happens

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On behalf of
> Kostas Kalevras
> Sent: Thursday 30 September 2004 15:32
> To: [EMAIL PROTECTED]
> Subject: Re: radgroupreply
>
> On Thu, 30 Sep 2004, EROS wrote:
>
> > Hi,
> >
> > I've put in the radgroupreply table (mysql) some reply item like
> > idle-timeout. But in the radius accept response there is none of those
> > items. If I put those same items on the radreply it works.
> >
> > So anyone any idea ?
>
> Have you also configured group membership (table usergroup)?
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
RE : radgroupreply
I'm still trying to make the radgroupreply work but it doesn't want to.

Does somebody have it working (which freeradius version...) and how do I succeed?

thx
radgroupreply table
Can anyone explain to me the purpose and usage of the 'prio' column in the radgroupreply table? Much Googling has returned nothing, except other questions.

--
Nick White
Network Administrator
Tele-NET Internet
http://www.tele-net.net
[EMAIL PROTECTED]
Struggling - radgroupcheck/radgroupreply
I need to have my NetworkGroup get passed one set of attributes and my ServerGroup get passed another. But I have some EnterpriseAdmins who need access to both sets so I need to pass the correct attribute back depending on which device they try to auth from.

User Joe is an EnterpriseAdmin. He is a member of the NetworkGroup and the ServerGroup so I need him to have the correct attributes passed to him depending on which NAS-IP-Address he comes from respectively. For instance, if joe tries to log in through 192.168.0.50 I need to pass back "Class = OU=ServerGroup". If joe tries to log in through 192.168.0.1 I need to pass him "Class = OU=NetworkGroup". The way it stands no matter which NAS-IP-Address he comes from because he is a member of both groups he gets both attributes sent back from radgroupreply.

User Sally is a member of the NetworkGroup so I only want radgroupreply to send just the attributes for the NetworkGroup.

User Bob is a ServerGroup so I only want bob to get the attributes from the ServerGroup.

mysql> select * from radcheck;
+----+----------+----------------------+----+---------------------------------------+
| id | UserName | Attribute            | op | Value                                 |
+----+----------+----------------------+----+---------------------------------------+
|  8 | joe      | Password-With-Header | := | {md5}928a40033e748ad825e92ec4f9870696 |
|  9 | sally    | Password-With-Header | := | {md5}928a40033e748ad825e92ec4f9870696 |
| 10 | bob      | Password-With-Header | := | {md5}928a40033e748ad825e92ec4f9870696 |
+----+----------+----------------------+----+---------------------------------------+

mysql> select * from usergroup;
+----------+--------------+----------+
| UserName | GroupName    | priority |
+----------+--------------+----------+
| joe      | NetworkGroup |        1 |
| joe      | ServerGroup  |        2 |
| sally    | NetworkGroup |        1 |
| bob      | ServerGroup  |        1 |
+----------+--------------+----------+

mysql> select * from radgroupcheck;
+----+--------------+----------------+----+--------------+
| id | GroupName    | Attribute      | op | Value        |
+----+--------------+----------------+----+--------------+
|  9 | ServerGroup  | NAS-IP-Address | =  | 192.168.0.50 |
| 10 | ServerGroup  | Auth-Type      | =  | MD5          |
| 11 | NetworkGroup | NAS-IP-Address | =  | 192.168.0.1  |
| 12 | NetworkGroup | Auth-Type      | =  | MD5          |
+----+--------------+----------------+----+--------------+

mysql> select * from radgroupreply;
+----+--------------+-----------+----+-----------------+
| id | GroupName    | Attribute | op | Value           |
+----+--------------+-----------+----+-----------------+
| 17 | NetworkGroup | Class     | := | OU=NetworkGroup |
| 18 | ServerGroup  | Class     | := | OU=serverGroup  |
+----+--------------+-----------+----+-----------------+

Steps to reproduce if needed.

insert into usergroup (UserName, GroupName, priority) VALUES ('joe', 'NetworkGroup', 1);
insert into usergroup (UserName, GroupName, priority) VALUES ('joe', 'ServerGroup', 2);
insert into usergroup (UserName, GroupName, priority) VALUES ('sally', 'NetworkGroup', 1);
insert into usergroup (UserName, GroupName, priority) VALUES ('bob', 'ServerGroup', 1);

insert into radgroupcheck (GroupName, Attribute, op, value) VALUES ('ServerGroup', 'NAS-IP-Address', '=', '192.168.0.50');
insert into radgroupcheck (GroupName, Attribute, op, value) VALUES ('ServerGroup', 'Auth-Type', '=', 'MD5');
insert into radgroupcheck (GroupName, Attribute, op, value) VALUES ('NetworkGroup', 'NAS-IP-Address', '=', '192.168.0.1');
insert into radgroupcheck (GroupName, Attribute, op, value) VALUES ('NetworkGroup', 'Auth-Type', '=', 'MD5');

insert into radgroupreply (GroupName, Attribute, op, Value) VALUES ('NetworkGroup', 'Class', ':=', 'OU=NetworkGroup');
insert into radgroupreply (GroupName, Attribute, op, Value) VALUES ('ServerGroup', 'Class', ':=', 'OU=serverGroup');

Thanks for your time.
radgroupreply field explanations?
Hi all,

I've upgraded to FreeRADIUS from an old version of ICRADIUS but am having trouble migrating my old tables. To start with, the radgroupreply table of FreeRADIUS has two fields, op CHAR(2) and prio INT(10), not present in my older ICRADIUS table. I'm wondering if anyone can tell me what these two fields are for and maybe make a suggestion about what to do about them through the migration.

Many thanks,
--Scott!
Re: RE : radgroupreply
On Sun, 3 Oct 2004, EROS wrote:

> I'm still trying to make the radgroupreply work but it doesn't want
>
> Is somebody has it working (which freeradius version...) and how do I do
> to succeed ?
>
> thx
>
> modcall: entering group redundant for request 0
> radius_xlat: 'test001'
> rlm_sql (sql1): sql_set_user escaped user --> 'test001'
> rlm_sql (sql1): Reserving sql socket id: 3
> radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
> Username = 'test001' ORDER BY id' rlm_sql (sql1): User found in radcheck
> table
> radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
> Username = 'test001' ORDER BY id' rlm_sql (sql1): Released sql socket
> id: 3

The group queries don't seem to be called at all. What do you have in your sql.conf?

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
RE : RE : radgroupreply
Hi,

Thx for your help

I've commented out the sql { } lines, because it doesn't want to work with it.

I have this line in my radiusd.conf:

sql sql1 {
    $INCLUDE ${confdir}/sql_local.conf
}

If I don't comment out the sql { } line in sql_local.conf the debug tells me that it doesn't know the rlm_sql_sql1 driver

So now the sql_local.conf:

#
#  Configuration for the SQL module, when using MySQL.
#
#  The database schema is available at:
#
#   src/radiusd/src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql
#
#  If you are using PostgreSQL, please use 'postgresql.conf', instead.
#  If you are using Oracle, please use 'oracle.conf', instead.
#  If you are using MS-SQL, please use 'mssql.conf', instead.
#
#  $Id: sql.conf,v 1.41.2.1 2004/06/10 00:45:01 phampson Exp $
#
#sql {

    # Database type
    # Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
    # rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
    driver = "rlm_sql_mysql"

    # Connect info
    server = "localhost"
    login = "X"
    password = "YY"

    # Database table configuration
    radius_db = "freeradius"

    # If you want both stop and start records logged to the
    # same SQL table, leave this as is.  If you want them in
    # different tables, put the start table in acct_table1
    # and stop table in acct_table2
    acct_table1 = "radacct"
    acct_table2 = "radacct"

    # Allow for storing data after authentication
    postauth_table = "radpostauth"

    authcheck_table = "radcheck"
    authreply_table = "radreply"

    groupcheck_table = "radgroupcheck"
    groupreply_table = "radgroupreply"

    usergroup_table = "usergroup"

    # Remove stale session if checkrad does not see a double login
    deletestalesessions = yes

    # Print all SQL statements when in debug mode (-x)
    sqltrace = no
    sqltracefile = ${logdir}/sqltrace.sql

    # number of sql connections to make to server
    num_sql_socks = 5

    # number of seconds to delay retrying on a failed database
    # connection (per_socket)
    connect_failure_retry_delay = 60

    # Safe characters list for sql queries. Everything else is replaced
    # with their mime-encoded equivalents.
    # The default list should be ok
    #safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"

    ###
    #  Query config:  Username
    ###
    # This is the username that will get substituted, escaped, and added
    # as attribute 'SQL-User-Name'.  '%{SQL-User-Name}' should be used below
    # everywhere a username substitution is needed so you can be sure
    # the username passed from the client is escaped properly.
    #
    #  Uncomment the next line, if you want the sql_user_name to mean:
    #
    #    Use Stripped-User-Name, if it's there.
    #    Else use User-Name, if it's there,
    #    Else use hard-coded string "DEFAULT" as the user name.
    #sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"
    #
    sql_user_name = "%{User-Name}"

    ###
    #  Default profile
    ###
    # This is the default profile. It is found in SQL by group membership.
    # That means that this profile must be a member of at least one group
    # which will contain the corresponding check and reply items.
    # This profile will be queried in the authorize section for every user.
    # The point is to assign all users a default profile without having to
    # manually add each one to a group that will contain the profile.
    # The SQL module will also honor the User-Profile attribute. This
    # attribute can be set anywhere in the authorize section (ie the users
    # file). It is found exactly as the default profile is found.
    # If it is set then it will *overwrite* the default profile setting.
    # The idea is to select profiles based on checks on the incoming packets,
    # not on user group membership. For example:
    # -- users file --
    # DEFAULT Service-Type == Outbound-User, User-Profile := "outbound"
    # DEFAULT Service-Type == Framed-User, User-Profile := "framed"
    #
radreply and radgroupreply
Hi all,

Could you all please enlighten me whether radius would send both replies to the NAS?

For instance: X user in group TEST

radreply
1 test Reply-Message = Hello, there X!

Whereas radgroupreply
1 TEST Acct-Interim-Interval == 600

Will these two pieces of reply information from two different tables be sent to the NAS when X user has been authenticated?
Re: radgroupreply table
N White <[EMAIL PROTECTED]> wrote:
> Can anyone explain to me the purpose and usage of the 'prio' column in
> the radgroupreply table?

Order. "SELECT ... by prio"

See the "users" file for examples:

DEFAULT ...
    Foo-Stuff = 1
    Bar-Junk = 2

is *not* the same as

DEFAULT ...
    Bar-Junk = 2
    Foo-Stuff = 1

Sometimes order *does* matter.

Alan DeKok.
Re: radgroupreply table
Alan DeKok wrote:

> N White <[EMAIL PROTECTED]> wrote:
> > Can anyone explain to me the purpose and usage of the 'prio' column in
> > the radgroupreply table?
>
> Order. "SELECT ... by prio"
>
> See the "users" file for examples:
>
> DEFAULT ...
>     Foo-Stuff = 1
>     Bar-Junk = 2
>
> is *not* the same as
>
> DEFAULT ...
>     Bar-Junk = 2
>     Foo-Stuff = 1
>
> Sometimes order *does* matter.
>
> Alan DeKok.

I see. So, for example, if a user belongs to two groups, which group has the "prio"rity. So is a lower number a higher priority? 0 being highest? Thanks!

--
Nick White
Network Administrator
Tele-NET Internet
http://www.tele-net.net
[EMAIL PROTECTED]
Re: radgroupreply table
N White <[EMAIL PROTECTED]> wrote:
> I see. So, for example, if a user belongs to two groups, which group has
> the "prio"rity. So is a lower number a higher priority? 0 being highest?
> Thanks!

See your SQL docs for what priority means. The SQL queries use it, but other than that, FreeRADIUS doesn't even know it exists.

Alan DeKok.
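Added example, not part of the original thread and not FreeRADIUS code: a small Python/sqlite3 simulation of the point made in the two replies above, that 'prio' only takes effect through the ORDER BY of the SQL query, and that row order changes the reply because reply operators are applied in sequence. The table contents, the query text and the function names are assumptions made for illustration; the operator semantics for reply items (=, :=, +=) follow the FreeRADIUS "users" file documentation.

```python
import sqlite3

# Constructed sample rows (not taken from the thread): two groups each carry
# reply items for the same attributes; 'prio' decides which rows come first.
SAMPLE_ROWS = [
    # GroupName, Attribute, op, Value, prio
    ("group1", "Idle-Timeout", "=", "600", 1),
    ("group2", "Idle-Timeout", "=", "300", 2),
    ("group1", "Reply-Message", "+=", "first", 1),
    ("group2", "Reply-Message", "+=", "second", 2),
]

# Fixed set of ORDER BY clauses, so no caller-supplied text reaches the query.
ALLOWED_ORDER = {
    "prio": "prio ASC, id ASC",
    "prio_desc": "prio DESC, id ASC",
}


def build_db(rows=SAMPLE_ROWS):
    """Create an in-memory table shaped like radgroupreply with a prio column."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radgroupreply ("
        " id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT,"
        " op TEXT, Value TEXT, prio INTEGER)"
    )
    db.executemany(
        "INSERT INTO radgroupreply (GroupName, Attribute, op, Value, prio)"
        " VALUES (?, ?, ?, ?, ?)",
        rows,
    )
    return db


def fetch_reply_items(db, groups, order="prio"):
    """Hypothetical group reply query: the database, not the server, sorts the rows."""
    clause = ALLOWED_ORDER[order]
    marks = ",".join("?" for _ in groups)
    sql = (
        "SELECT Attribute, op, Value FROM radgroupreply "
        f"WHERE GroupName IN ({marks}) ORDER BY {clause}"
    )
    return db.execute(sql, list(groups)).fetchall()


def apply_reply_items(items):
    """Apply reply items in the order received, honouring the operator column."""
    reply = []
    for attr, op, value in items:
        present = any(name == attr for name, _ in reply)
        if op == "=":
            # Add only if the reply has no attribute of this name yet.
            if not present:
                reply.append((attr, value))
        elif op == ":=":
            # Replace every existing attribute of this name.
            reply = [(n, v) for n, v in reply if n != attr]
            reply.append((attr, value))
        elif op == "+=":
            # Always append to the tail of the reply list.
            reply.append((attr, value))
        else:
            raise ValueError(f"unsupported reply operator: {op!r}")
    return reply


def build_reply(groups, order="prio"):
    """Fetch the rows for the given groups in the chosen order and build the reply."""
    db = build_db()
    try:
        return apply_reply_items(fetch_reply_items(db, groups, order))
    finally:
        db.close()


if __name__ == "__main__":
    for order in ("prio", "prio_desc"):
        print(order, build_reply(["group1", "group2"], order))
```

With the same rows, sorting by ascending prio yields Idle-Timeout 600 and sorting the other way yields 300, which is the "order does matter" case from the users file example.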
Re: Struggling - radgroupcheck/radgroupreply
On Mon, 2007-10-22 at 19:30 -0400, Bryan Martin wrote:
> I need to have my NetworkGroup get passed one set of attributes and my
> ServerGroup get passed another. But I have some EnterpriseAdmins who need
> access to both sets so i need to pass the correct attribute back depending
> on which device they try to auth from.

This is getting to be an FAQ.

http://marc.info/?l=freeradius-users&m=119010719300080&w=2
Failure to Process radgroupreply
Platform: CentOS 5.8
FreeRADIUS: 2.1.8
Backend: MySQL

I am unable to get FreeRadius to reply with attributes assigned in the radgroupreply table for some groups. When the same attributes are assigned in radreply, the server sends them as expected. Adding a Fall-Through entry for the user in radreply makes no difference (the server defaults to Fall-Through from the config). I can see no difference in the structure of the user/groups between working and non-working accounts.

I've spent most of the night combing the web, wiki, and other resources, but I find nothing quite like this.

For instance:

# radcheck
testuser1 Cleartext-Password := password

# radreply (WORKS)
testuser1 Nomadix-Bw-Down := 768

# radusergroup
testuser1 test-group 1

# radgroupreply (DOES NOT WORK)
testuser1 Nomadix-Bw-Down := 768

Here is debug output from an auth request for this account (when the pairs are only in radgroupreply). You'll notice there is no processing of the radgroupreply table.

rad_recv: Access-Request packet from host xx.xx.xx.xx port 29817, id=170, length=49
User-Name = "testuser1"
User-Password = "password"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[sql] expand: %{User-Name} -> testuser1
[sql] sql_set_user escaped user --> 'testuser1'
rlm_sql (sql): Reserving sql socket id: 0
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser1' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser1' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'testuser1' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'test-group' ORDER BY id
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[monthlycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[daypasscounter] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "password"
[pap] Using clear text password "password"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [testuser1] (from client wolfchase-gateway port 0)
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> testuser1
[sql] sql_set_user escaped user --> 'testuser1'
[sql] expand: %{User-Password} -> password
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser1', 'password', 'Access-Accept', '2012-04-05 06:58:06')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser1', 'password', 'Access-Accept', '2012-04-05 06:58:06')
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 170 to xx.xx.xx.xx port 29817
Finished request 166.
Going to the next request
Waking up in 3.0 seconds.

Thank you for any help.
RADGROUPREPLY QUERY NOT EXECUTED
Have tried several version builds on Centos 5.x - currently using FR 2.1.12

rlm_mysql stops after the group check query and does not execute the group reply query.

19:00:43 2012 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radreply
Sun Sep 9 19:00:43 2012 : Info: [sql] expand: SELECT groupname FROM usergroup
Sun Sep 9 19:00:43 2012 : Info: [sql] expand: SELECT id, groupname, attribute,Value, op FROM radgroupcheck
Sun Sep 9 19:00:43 2012 : Debug: rlm_sql (sql): Released sql socket id: 4

Queries are listed during module instantiation and queries work when run manually. Have seen similar unresolved thread.

Greatly appreciate any help.

Thanks
Re: radgroupreply field explanations?
On Fri, 17 Sep 2004, Scott A. H. Phillips wrote:

> Hi all,
>
> I've upgraded to FreeRADIUS from an old version of ICRADIUS but having
> trouble migrating my old tables. To start with, the radgroupreply table of
> FreeRADIUS has two fields, op CHAR(2) and prio INT(10) not present in my
> older ICRADIUS table.
>
> I'm wondering if anyone can tell me what these two fields are for and maybe
> make a suggestion about what to do about them through the migration.
>
> Many thanks,
> --Scott!

Take a look at doc/rlm_sql:
http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/doc/rlm_sql?rev=1.4&content-type=text/x-cvsweb-markup

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
RE : RE : RE : radgroupreply
Hi,

I know I'm a bit stressing but is this something new about radgroupreply ?

Thx a lot

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of EROS
Sent: Monday, 4 October 2004 19:31
To: [EMAIL PROTECTED]
Subject: RE : RE : radgroupreply

Hi,

Thx for your help

I've commented out the sql { } lines, because it doesn't want to work with it. I've this line in my radiusd.conf

sql sql1 {
$INCLUDE ${confdir}/sql_local.conf
}

If I don't comment the sql { } line in sql_local.conf the debug tells me that it doesn't know the rlm_sql_sql1 driver

So now the sql_local.conf :

#
# Configuration for the SQL module, when using MySQL.
#
# The database schema is available at:
#
# src/radiusd/src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql
#
# If you are using PostgreSQL, please use 'postgresql.conf', instead.
# If you are using Oracle, please use 'oracle.conf', instead.
# If you are using MS-SQL, please use 'mssql.conf', instead.
#
# $Id: sql.conf,v 1.41.2.1 2004/06/10 00:45:01 phampson Exp $
#
#sql {

# Database type
# Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
# rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
driver = "rlm_sql_mysql"

# Connect info
server = "localhost"
login = "X"
password = "YY"

# Database table configuration
radius_db = "freeradius"

# If you want both stop and start records logged to the
# same SQL table, leave this as is. If you want them in
# different tables, put the start table in acct_table1
# and stop table in acct_table2
acct_table1 = "radacct"
acct_table2 = "radacct"

# Allow for storing data after authentication
postauth_table = "radpostauth"

authcheck_table = "radcheck"
authreply_table = "radreply"

groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"

usergroup_table = "usergroup"

# Remove stale session if checkrad does not see a double login
deletestalesessions = yes

# Print all SQL statements when in debug mode (-x)
sqltrace = no
sqltracefile = ${logdir}/sqltrace.sql

# number of sql connections to make to server
num_sql_socks = 5

# number of seconds to delay retrying on a failed database
# connection (per_socket)
connect_failure_retry_delay = 60

# Safe characters list for sql queries. Everything else is replaced
# with their mime-encoded equivalents.
# The default list should be ok
#safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"

###
# Query config: Username
###
# This is the username that will get substituted, escaped, and added
# as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used below
# everywhere a username substitution is needed so you can be sure
# the username passed from the client is escaped properly.
#
# Uncomment the next line, if you want the sql_user_name to mean:
#
#Use Stripped-User-Name, if it's there.
#Else use User-Name, if it's there,
#Else use hard-coded string "DEFAULT" as the user name.
#sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"
#
sql_user_name = "%{User-Name}"

###
# Default profile
###
# This is the default profile. It is found in SQL by group membership.
# That means that this profile must be a member of at least one group
# which will contain the corresponding check and reply items.
# This profile will be queried in the authorize section for every user.
# The point is to assign all users a default profile without having to
# manually add each one to a group that will contain the profile.
# The SQL module will also honor the User-Profile attribute. This
# attribute can be set anywhere in the authorize section (ie the users
# file). It is found exactly as the default profile is found.
# If it is set then it will *overwrite* the default profile setting.
# The idea is to select profiles based on check
Re: radreply and radgroupreply
"seehoe yee" <[EMAIL PROTECTED]> wrote: > Could you all please enlighten me whether if radius would send both > replies to the NAS? Read doc/rlm_sql. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_sql not checking radgroupreply
> > I have the read_groups setting set to "yes" in sql.conf and the debug log
> > would make it appear that it's reading it in correctly. The mac is found in
> > radcheck and any attributes in radreply are correctly returned, but rlm_sql
> > never checks for any group memberships at all. I've done a trace on the sql
> > server and it confirms what I see in the debug log from radius - it just
> > never checks.
> >
> > Thoughts?

Weird... Have you tried setting Fall-Through := yes in radcheck... In theory you shouldn't need to, but just to see if it works.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Re: Failure to Process radgroupreply
For reference, here is a debug from another account's auth request which successfully processes radgroupreply and sends the pairs from that table. The attributes are different here because the NAS is different and I don't want to confuse it by assigning another vendor's attributes. I did accidentally have the Nomadix-Bw-Up/Down in this account's radgroupreply table, and they were also passed correctly here, though I don't have that debug.

rad_recv: Access-Request packet from host xx.xx.xx.xx port 32772, id=71, length=244
Acct-Session-Id = "645dcb12"
NAS-Port = 10
NAS-Port-Type = Wireless-802.11
User-Name = "tup140412"
Calling-Station-Id = "3C-8B-FE-D8-66-6E"
Called-Station-Id = "3C-D9-2B-7B-97-37"
Framed-IP-Address = 192.168.25.92
MS-CHAP2-Response = 0x4700c5c9e5b0d32cef356ea40cef22e904a48ab1f953dbb0a3b342fbdf00518cda391b29bf13efeffd84
MS-CHAP-Challenge = 0x20a511804f668694117f916ee1ef6a46
NAS-Identifier = "TW126LK026"
NAS-IP-Address = xx.xx.xx.xx
Framed-MTU = 1496
Connect-Info = "HTTPS"
Service-Type = Framed-User
Colubris-AVPair = "vsc-name=HP ProCurve"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "tup140412", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[sql] expand: %{User-Name} -> tup140412
[sql] sql_set_user escaped user --> 'tup140412'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'tup140412' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'tup140412' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'tup140412' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'hieTUPELO-guest-group' ORDER BY id
[sql] User found in group hieTUPELO-guest-group
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'hieTUPELO-guest-group' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[monthlycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[daypasscounter] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for tup140412 with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
Login OK: [tup140412] (from client xxx-gateway port 10 cli 3C-8B-FE-D8-66-6E)
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> tup140412
[sql] sql_set_user escaped user --> 'tup140412'
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'tup140412', '', 'Access-Accept', '2012-04-05 08:01:35')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'tup140412', '', 'Access-Accept', '2012-04-05 08:01:35')
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 71 to xx.xx.xx.xx port 32772
Idle
Re: Failure to Process radgroupreply
Andrew Long wrote:
> I am unable to get FreeRadius to reply with attributes assigned in the
> radgroupreply table for some groups. When the same attributes are
> assigned in radreply, the server sends them as expected. Adding a
> Fall-Through entry for the user in radreply makes no difference (the
> server defaults to Fall-Through from the config). I can see no
> difference in the structure of the user/groups between working and
> non-working accounts.

Did you set "read_groups = yes" in sql.conf?

What about the comments just above that configuration?

Alan DeKok.
Re: Failure to Process radgroupreply
> Did you set "read_groups = yes" in sql.conf?
>
> What about the comments just above that configuration?
>
> Alan DeKok.

It was commented out! Given the comments, though, do you have any idea why it would still have failed when I tested with Fall-Through enabled? I did it like this:

# radreply
account-to-test Fall-Through = yes

So, I removed the comment and restarted radiusd, but I get the same results. Here is the radgroupreply:

4 xxx-guest-group Nomadix-Bw-Down := 768
85 xxx-guest-group Nomadix-Bw-Up := 256

My packet capture shows none of the group items being returned. This test was done sending the request from RadTest; I'm going to check again in a moment with an actual Win7 client behind the Nomadix and will let you know...

There is also the oddity that even though the line was commented previously, groups were being processed as I would see in the reply packets pairs that existed only in radgroupreply.

Thank you, Alan.
Re: Failure to Process radgroupreply
I should have said...

There is also the oddity that even though the line was commented previously, groups were being processed as I would see in the reply packets pairs that existed only in radgroupreply. JUST NOT THE ONES I WANT.
Re: Failure to Process radgroupreply
Andrew Long wrote:
> It was commented out! Given the comments, though, do you have any idea
> why it would still have failed when I tested with Fall-Through
> enabled? I did it like this:
> # radreply
> account-to-test Fall-Through = yes

It should work.

> So, I removed the comment and restarted radiusd, but I get the same
> results. Here is the radgroupreply:
> 4 xxx-guest-group Nomadix-Bw-Down := 768
> 85 xxx-guest-group Nomadix-Bw-Up := 256

Again...

> My packet capture shows none of the group items being returned.

And debug mode will tell you what's going on.

> This
> test was done sending the request from RadTest; I'm going to check
> again in a moment with an actual Win7 client behind the Nomadix and
> will let you know...

Why? Use radtest or radclient. RADIUS isn't magic. It doesn't require the "right" magic client software. Everything is in the packet. So... if you reproduce the packet, you reproduce the tests.

> There is also the oddity that even though the line was commented
> previously, groups were being processed as I would see in the reply
> packets pairs that existed only in radgroupreply.

No idea. It works for me when I test it.

Alan DeKok.
Re: Failure to Process radgroupreply
OK, the test from an actual client behind the Nomadix fails even after un-commenting read_groups = yes and restarting, still no group attributes passed in reply. This debug is rather lengthy as I thought you might want to see some of the earlier loading (though I snipped some). What should I try next? radiusd: Instantiating modules instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: Loading Virtual Servers server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_sql Module: Instantiating sql sql { driver = "rlm_sql_mysql" server = "localhost" port = "" login = "radiusd" password = "radiusd" radius_db = "radius2" read_groups = 
yes sqltrace = no sqltracefile = "/var/log/radius/sqltrace.sql" readclients = no deletestalesessions = yes num_sql_socks = 5 lifetime = 0 max_queries = 0 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id, nasname, shortname, type, secret FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id" accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime= unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets= '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress= '%{NAS-IP-Address}'" accounting_update_query_alt = " INSERT INTO radacct (acctsessionid,acctuniqueid, username, realm,nasipaddress, nasportid, nasporttype,
Re: Failure to Process radgroupreply
I think we crossed each other across the water...
Re: Failure to Process radgroupreply
In case you missed it, the debug from latest test is a couple messages previous (our messages crossed). I have looked through it and with my limited knowledge see nothing exceptional except that processing stops with radgroupcheck and never moves to radgroupreply. Have you any ideas?

- Andrew
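The comparison made by eye in this thread, between a debug run that stops at radgroupcheck and one that goes on to radgroupreply, can be automated. The following Python script is an added example, not part of the original thread or of FreeRADIUS; the function names are hypothetical and the sample log is constructed, modelled on the debug output quoted in these messages.

```python
import re

# Tables the sql module reads during authorize, in the order the debug
# output in this thread shows them.
STAGES = ("radcheck", "radreply", "radusergroup", "radgroupcheck", "radgroupreply")
# Some posts on this page name the membership table "usergroup".
ALIASES = {"usergroup": "radusergroup"}

SELECT_RE = re.compile(r"expand:\s*SELECT\b.*?\bFROM\s+(\w+)", re.IGNORECASE)
GROUP_HIT_RE = re.compile(r"User found in group\s+(\S+)")
USER_RE = re.compile(r'User-Name\s*=\s*"([^"]*)"')

# Next steps are the ones suggested by the list members in these threads.
HINTS = {
    "group reply fetched": "group processing reached radgroupreply",
    "stopped after radgroupcheck": "run the radgroupcheck and radgroupreply queries manually for this group",
    "membership looked up only": "no group check query followed the membership query; run it manually",
    "no group lookup": "check read_groups and group_membership_query in the sql module config",
    "sql module not seen": "no rlm_sql SELECT found for this request",
}


def _new_request():
    return {"user": None, "tables": [], "groups": []}


def trace_requests(debug_text):
    """Split debug output into requests and record which SQL tables each one read."""
    requests, cur = [], None
    for line in debug_text.splitlines():
        if "rad_recv:" in line:
            cur = _new_request()
            requests.append(cur)
            continue
        select = SELECT_RE.search(line)
        if cur is None:
            if not select:
                continue
            # Excerpt without a rad_recv header (for example radius.log lines).
            cur = _new_request()
            requests.append(cur)
        user = USER_RE.search(line)
        if user and cur["user"] is None:
            cur["user"] = user.group(1)
        if select:
            table = select.group(1).lower()
            table = ALIASES.get(table, table)
            if table in STAGES and table not in cur["tables"]:
                cur["tables"].append(table)
        hit = GROUP_HIT_RE.search(line)
        if hit:
            cur["groups"].append(hit.group(1))
    return requests


def diagnose(req):
    """Return (verdict, hint) for one traced request."""
    tables = req["tables"]
    if "radgroupreply" in tables:
        verdict = "group reply fetched"
    elif "radgroupcheck" in tables:
        verdict = "stopped after radgroupcheck"
    elif "radusergroup" in tables:
        verdict = "membership looked up only"
    elif tables:
        verdict = "no group lookup"
    else:
        verdict = "sql module not seen"
    return verdict, HINTS[verdict]


# Constructed sample: three abridged requests in the debug format quoted above.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 29817, id=170, length=49
User-Name = "testuser1"
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id
++[sql] returns ok
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('testuser1', '', 'Access-Accept', '2012-04-05 06:58:06')
rad_recv: Access-Request packet from host 192.0.2.11 port 32772, id=71, length=244
User-Name = "tup140412"
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id
[sql] User found in group hieTUPELO-guest-group
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id
++[sql] returns ok
rad_recv: Access-Request packet from host 192.0.2.12 port 1812, id=5, length=60
User-Name = "macuser"
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
++[sql] returns ok
"""

if __name__ == "__main__":
    for r in trace_requests(SAMPLE_DEBUG):
        verdict, hint = diagnose(r)
        print(f"{r['user']}: {' -> '.join(r['tables'])} | {verdict} | {hint}")
```

Feed it the saved output of a debug run; each request is reported with the last table the sql module reached.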
Re: Failure to Process radgroupreply
On Thu, Apr 5, 2012 at 12:04 PM, Andrew Long wrote:
> In case you missed it, the debug from latest test is a couple messages
> previous (our messages crossed). I have looked through it and with my
> limited knowledge see nothing exceptional except that processing stops
> with radgroupcheck and never moves to radgroupreply. Have you any
> ideas?
>
> - Andrew

I apologize if this is "off-topic", but if someone wishes to take this on as contractual work, please send email with brief references to . The job would simply be to find/fix the problem with group processing.

Thank you.

- Andrew Long
Re: Failure to Process radgroupreply
Andrew Long wrote:
> In case you missed it, the debug from latest test is a couple messages
> previous (our messages crossed). I have looked through it and with my
> limited knowledge see nothing exceptional except that processing stops
> with radgroupcheck and never moves to radgroupreply. Have you any
> ideas?

Run the queries manually, and try to sort it out.

Alan DeKok.
Re: Failure to Process radgroupreply
> Run the queries manually, and try to sort it out.
>
> Alan DeKok.

Thank you. Just in case, I tested a build of 2.1.12 now avail through the stock repos on a CentOS 5.8 VM. It's working correctly, so I'm confident I can get there (an upgrade, to boot) without too much difficulty.

- Andrew
Re: RADGROUPREPLY QUERY NOT EXECUTED
Works fine for me... All centos versions, all FR versions since 1.1.3...

On 9/9/2012 7:33 PM, Mada wrote:
> Have tried several version builds on Centos 5.x - currently using FR 2.1.12
>
> rlm_mysql stops after the group check query and does not execute the group reply query.
>
> 19:00:43 2012 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radreply
> Sun Sep 9 19:00:43 2012 : Info: [sql] expand: SELECT groupname FROM usergroup
> Sun Sep 9 19:00:43 2012 : Info: [sql] expand: SELECT id, groupname, attribute,Value, op FROM radgroupcheck
> Sun Sep 9 19:00:43 2012 : Debug: rlm_sql (sql): Released sql socket id: 4
>
> Queries are listed during module instantiation and queries work when run manually. Have seen similar unresolved thread.
>
> Greatly appreciate any help.
>
> Thanks
Re: RADGROUPREPLY QUERY NOT EXECUTED
On 9 Sep 2012, at 18:33, Mada wrote:

>
> Have tried several version builds on Centos 5.x - currently using FR 2.1.12
>
> rlm_mysql stops after the group check query and does not execute the group
> reply query.
>
> 19:00:43 2012 : Info: [sql] expand: SELECT id, username, attribute, value,
> op FROM radreply
> Sun Sep 9 19:00:43 2012 : Info: [sql] expand: SELECT groupname FROM
> usergroup
> Sun Sep 9 19:00:43 2012 : Info: [sql] expand: SELECT id, groupname,
> attribute,Value, op FROM radgroupcheck
> Sun Sep 9 19:00:43 2012 : Debug: rlm_sql (sql): Released sql socket id: 4
>
> Queries are listed during module instantiation and queries work when run
> manually. Have seen similar unresolved thread.

Um weird...

Don't suppose you want to build with 3.0 and see if the problem still exists? :)

I'll check the code for something obvious.

-Arran
Re: RADGROUPREPLY QUERY NOT EXECUTED
On 9 Sep 2012, at 20:39, Arran Cudbard-Bell wrote:

>
> On 9 Sep 2012, at 18:33, Mada wrote:
>
>>
>> Have tried several version builds on Centos 5.x - currently using FR 2.1.12
>>
>> rlm_mysql stops after the group check query and does not execute the group
>> reply query.
>>
>> 19:00:43 2012 : Info: [sql] expand: SELECT id, username, attribute, value,
>> op FROM radreply
>> Sun Sep 9 19:00:43 2012 : Info: [sql] expand: SELECT groupname FROM
>> usergroup
>> Sun Sep 9 19:00:43 2012 : Info: [sql] expand: SELECT id, groupname,
>> attribute,Value, op FROM radgroupcheck
>> Sun Sep 9 19:00:43 2012 : Debug: rlm_sql (sql): Released sql socket id: 4
>>
>> Queries are listed during module instantiation and queries work when run
>> manually. Have seen similar unresolved thread.
>
> Um weird...
>
> Don't suppose you want to build with 3.0 and see if the problem still exists?
> :)
>
> I'll check the code for something obvious.

Wait... your query strings are massively truncated?

-Arran
Re: RADGROUPREPLY QUERY NOT EXECUTED
On Mon, Sep 10, 2012 at 12:33 AM, Mada wrote:
>
> Have tried several version builds on Centos 5.x - currently using FR 2.1.12
>
> rlm_mysql stops after the group check query and does not execute the group
> reply query.
>
> 19:00:43 2012 : Info: [sql] expand: SELECT id, username, attribute, value,
> op FROM radreply
> Sun Sep 9 19:00:43 2012 : Info: [sql] expand: SELECT groupname FROM
> usergroup
> Sun Sep 9 19:00:43 2012 : Info: [sql] expand: SELECT id, groupname,
> attribute,Value, op FROM radgroupcheck
> Sun Sep 9 19:00:43 2012 : Debug: rlm_sql (sql): Released sql socket id: 4
>
> Queries are listed during module instantiation and queries work when run
> manually. Have seen similar unresolved thread.

I'm guessing you keep all the config files from the old versions, instead of using fresh config and modify-as-necessary?

What's the value of "read_groups" in sql.conf (or whatever file contains your sql module instance)? Have you tried explicitly setting it to "yes"?

--
Fajar
radgroupreply do not read (read_groups directive)
Hi,

I am using freeradius 2.0 and need to load radcheck, radreply, radgroupcheck and radgroupreply tables. But radcheck and radreply work. To load radgroupcheck we need to set Fall-Through = Yes, but radgroupreply doesn't work. The read_groups directive is 'Yes' but does not appear in the radius debug mode.

How can I make freeradius load radgroupreply? I have the Simultaneous-Use attribute in this table, I need to use this attribute for all users.

Someone please?
Re: Re: rlm_sql not checking radgroupreply
Arran,

Yea - I did give that a try. I'm not sure if fall-through appears in the reply list at the end of the transaction like the other attributes do, but it didn't show up, nor did the group attributes show up.

JD

Subject: Re: rlm_sql not checking radgroupreply
From: Arran Cudbard-Bell
Date: Mon, 26 Sep 2011 18:50:32 +0200

>> I have the read_groups setting set to "yes" in sql.conf and the debug log would make it appear that it's reading it in correctly. The mac is found in radcheck and any attributes in radreply are correctly returned, but rlm_sql never checks for any group memberships at all. I've done a trace on the sql server and it confirms what I see in the debug log from radius - it just never checks.
>>
>> Thoughts?
>
> Weird... Have you tried setting Fall-Through := yes in radcheck... In theory you shouldn't need to, but just to see if it works.
>
> -Arran
>
> Arran Cudbard-Bell
> a.cudba...@freeradius.org
>
> Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Re: Re: rlm_sql not checking radgroupreply
Hi John,

Your sql configuration lacks group_membership_query. Without this one, group checking is disabled silently during start up.

Hope this helps!

Angelo

2011/9/26 John Dunning
> Arran,
> Yea - I did give that a try. I'm not sure if fall-through appears in the
> reply list at the end of the transaction like the other attributes do, but
> it didn't show up, nor did the group attributes show up.
>
> JD
>
> Subject: Re: rlm_sql not checking radgroupreply
> From: Arran Cudbard-Bell
> Date: Mon, 26 Sep 2011 18:50:32 +0200
>
> I have the read_groups setting set to "yes" in sql.conf and the debug log
> would make it appear that it's reading it in correctly. The mac is found in
> radcheck and any attributes in radreply are correctly returned, but rlm_sql
> never checks for any group memberships at all. I've done a trace on the sql
> server and it confirms what I see in the debug log from radius - it just
> never checks.
>
> Thoughts?
>
> Weird... Have you tried setting Fall-Through := yes in radcheck... In
> theory you shouldn't need to, but just to see if it works.
>
> -Arran
>
> Arran Cudbard-Bell
> a.cudba...@freeradius.org
>
> Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
> > -- > >- *References*: > - *rlm_sql not checking > radgroupreply<http://lists.freeradius.org/pipermail/freeradius-users/2011-September/msg00530.html> > * > - *From:* "John Dunning" > > >- Previous by Date: Re: EAP authentication accept, user not > found<http://lists.freeradius.org/pipermail/freeradius-users/2011-September/msg00531.html> >- Previous by Thread: rlm_sql not checking > radgroupreply<http://lists.freeradius.org/pipermail/freeradius-users/2011-September/msg00530.html> >- Next by Thread: run more than one radius on single > machine<http://lists.freeradius.org/pipermail/freeradius-users/2011-September/msg00077.html> >- Freeradius-Users September 2011 archives indexes sorted by: [ thread > > ]<http://lists.freeradius.org/pipermail/freeradius-users/2011-September/thread.html> > [ subject > ]<http://lists.freeradius.org/pipermail/freeradius-users/2011-September/subject.html> > [ author > ]<http://lists.freeradius.org/pipermail/freeradius-users/2011-September/author.html> > [ date > ]<http://lists.freeradius.org/pipermail/freeradius-users/2011-September/date.html> >- Freeradius-Users list archive Table of > Contents<http://lists.freeradius.org/pipermail/freeradius-users/index.html> >- More information about the Freeradius-Users mailing > list<http://lists.freeradius.org/mailman/listinfo/freeradius-users> > > -- > *This archive was generated by a fusion of Pipermail (Mailman edition) and > MHonArc <http://www.mhonarc.org/>.* > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Re: rlm_sql not checking radgroupreply
Angelo - that was it!! Thanks so much.

Just a note to the maintainers... I used the dialup.conf from the 2.1.10 source. The debian packages don't have a dialup.conf for mssql, so I used the 2.1.10 source mssql directory and created a logical link for iodbc.

It was, evidently, fixed in 2.1.11 as the one from that version has the query.

Thanks all!!

JD

>>> Angelo Compagnucci 9/26/2011 12:46 PM >>>
Hi John,

Your sql configuration lacks group_membership_query.

Without this one, group checking is disabled silently during start up.

Hope this helps!

Angelo
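The condition diagnosed in this thread (read_groups enabled but no group_membership_query, so rlm_sql skips group lookups without reporting an error) can be caught with a static check of the query file before the server is started. This is an added example, not code from the thread or from the FreeRADIUS project; the sample configuration is constructed, and treating an absent read_groups as enabled is an assumption.

```python
import re

# Constructed sample in the style of a FreeRADIUS 2.x rlm_sql query file:
# group processing is requested, but the membership query exists only as a comment.
SAMPLE_MISSING = r'''
sql {
    read_groups = yes
    authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
        FROM ${authcheck_table} \
        WHERE Username = '%{SQL-User-Name}' ORDER BY id"
    # group_membership_query = "SELECT GroupName FROM ${usergroup_table} WHERE UserName = '%{SQL-User-Name}'"
}
'''
# Same constructed file with the directive uncommented.
SAMPLE_OK = SAMPLE_MISSING.replace("# group_membership_query", "group_membership_query")

ASSIGN = re.compile(r'^\s*([A-Za-z_][\w-]*)\s*=\s*(.*?)\s*$')


def logical_lines(text):
    """Yield config lines with trailing-backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        yield pending + line
        pending = ""
    if pending:
        yield pending


def parse_directives(text):
    """Return (active, commented) dicts mapping directive name to value."""
    active, commented = {}, {}
    for line in logical_lines(text):
        stripped = line.strip()
        target = active
        if stripped.startswith("#"):
            # Remember commented-out assignments so the report can point at them.
            stripped = stripped.lstrip("#").strip()
            target = commented
        match = ASSIGN.match(stripped)
        if not match:
            continue
        value = match.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        target[match.group(1)] = value.strip()
    return active, commented


def audit_group_lookup(text):
    """Return findings; an empty list means the group membership query is set."""
    active, commented = parse_directives(text)
    # Assumption: an absent read_groups is treated as enabled.
    if active.get("read_groups", "yes").lower() == "no":
        return ["read_groups = no: group tables are not read by configuration"]
    findings = []
    if not active.get("group_membership_query"):
        hint = ""
        if "group_membership_query" in commented:
            hint = " (present only as a comment)"
        findings.append(
            "group_membership_query is not set" + hint
            + ": radgroupcheck/radgroupreply policy will not be applied"
        )
    return findings


if __name__ == "__main__":
    for name, sample in (("missing", SAMPLE_MISSING), ("ok", SAMPLE_OK)):
        print(name, audit_group_lookup(sample) or "group lookups configured")
```

Run it against the query file actually included by the sql module (the thread mentions dialup.conf), since a file copied from another release or driver directory is where the directive went missing here.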
Re: Re: rlm_sql not checking radgroupreply
A month ago, I had to read the source code to understand why the group membership was disabled in my configuration!

I'm using odbc also with mssql! How have you resolved the unix_timestamp issue? I had to rewrite queries converting the unix_timestamp to something like CONVERT(datetime, '%S', 20) to accommodate my db.

Angelo

2011/9/26 John Dunning

> Angelo - that was it!! Thanks so much.
>
> Just a note to the maintainers... I used the dialup.conf from the 2.1.10 source. The debian packages don't have a dialup.conf for mssql, so I used the 2.1.10 source mssql directory and created a logical link for iodbc.
>
> It was, evidently, fixed in 2.1.11 as the one from that version has the query.
>
> Thanks all!!
>
> JD
Re: Re: rlm_sql not checking radgroupreply
Honestly Angelo, I haven't gotten that far yet... was just trying to get auth working. Logging and accounting are still on the "to do list". If I figure out something I'll let you know!

JD

>>> Angelo Compagnucci 9/26/2011 2:43 PM >>>
A month ago, I had to read the source code to understand why the group membership was disabled in my configuration!

I'm using odbc also with mssql! How have you resolved the unix_timestamp issue? I had to rewrite queries converting the unix_timestamp to something like CONVERT(datetime, '%S', 20) to accommodate my db.

Angelo
Mysql - radcheck, radreply, radgroupcheck and radgroupreply
Hi,

I'm using Freeradius + Mysql to do the MAC address authentication of the clients that connect to my APs (Mikrotik machines).

In the mysql I've the following:

Table usergroup:
UserName = MAC address
GroupName = NAS-Port-ID - (the name of the AP where the client will be connected - ex. "MyAP1")

Table radgroupcheck:
GroupName = NAS-Port-ID - (the name of the AP where the client will be connected - ex. "MyAP1")
Then I've four lines for each GroupName with the following:
Attribute: "Auth-Type" // op: ":=" // Value: "Local"
Attribute: "NAS-IP-Address" // op: "==" // Value: "IP of the AP"
Attribute: "NAS-Port-Identify" // op: "==" // Value: "Name of the AP - Ex: MyAP1"

On the table radcheck I don't have anything. This table is empty.

In the table radreply I've one record:
UserName: "MAC Address of the client"
Attribute: "Mikrotik-Rate-Limite"
op: "="
Value: "64000/128000"

The problem is: if Freeradius doesn't find the UserName in the table radcheck, it doesn't return the attributes that are in the table radreply; just the records of the table radgroupreply are returned.

I need to return a different reply for each client because this parameter is the speed of upload and download, and these values are different for each client.

My question is: Is it possible for Freeradius to return the values of the table radreply if I don't have any value in radcheck? (The authentication was made in the radgroupcheck table)

Thanks in advance,

Fabrício F. Kammer
Mysql - radcheck, radreply, radgroupcheck and radgroupreply
Anyone can help me with this???
Re: radgroupreply do not read (read_groups directive)
Did you put something in usergroup table to link users and groups?

Ivan Kalik
Kalik Informatika ISP

On 14/1/2008, "Arlinelson Fernandes dos Santos" <[EMAIL PROTECTED]> wrote:

>Hi, I am using freeradius 2.0 and need to load radcheck, radreply, radgroupcheck and radgroupreply tables. But radcheck and radreply work. To load radgroupcheck I need to set Fall-Through = Yes, but radgroupreply doesn't work. The read_groups directive is 'Yes' but does not appear in the radius debug mode. How can I make freeradius load radgroupreply? I have the Simultaneous-Use attribute in this table, I need to use this attribute for all users. Someone please?
Re: radgroupreply do not read (read_groups directive)
Yes! I did. And I put attributes into all tables check and reply.

> Did you put something in usergroup table to link users and groups?
>
> Ivan Kalik
> Kalik Informatika ISP
Re: radgroupreply do not read (read_groups directive)
OK, can we see database entries for a user (and group he belongs to) and the debug of the access request? Or should I get my crystal ball back from the polisher?

Ivan Kalik
Kalik Informatika ISP

On 15/1/2008, "Arlinelson Fernandes dos Santos" <[EMAIL PROTECTED]> wrote:

>Yes! I did. And I put attributes into all tables check and reply.
Re: radgroupreply do not read (read_groups directive)
Ivan,

While you're at it, can you check up on my forthcoming paperwork grade for Statistics B class? :-)

Regards,
Liran.

2008/1/15 <[EMAIL PROTECTED]>:

> OK, can we see database entries for a user (and group he belongs to) and the debug of the access request? Or should I get my crystal ball back from the polisher?
>
> Ivan Kalik
> Kalik Informatika ISP
Re: radgroupreply do not read (read_groups directive)
Don't take your ball, not good. ;) Here's the information:

## radcheck
+----+----------+--------------------+----+-------+
| id | UserName | Attribute          | op | Value |
+----+----------+--------------------+----+-------+
|  3 | test-pap | Cleartext-Password | := | pw123 |
+----+----------+--------------------+----+-------+

## radreply
+----+----------+------------------+----+-------+
| id | UserName | Attribute        | op | Value |
+----+----------+------------------+----+-------+
|  6 | test-pap | Upstream-Speed   | =  | 800   |
|  7 | test-pap | Downstream-Speed | =  | 800   |
+----+----------+------------------+----+-------+

## radgroupcheck
+----+--------------+------------------+----+-------+
| id | GroupName    | Attribute        | op | Value |
+----+--------------+------------------+----+-------+
|  5 | f_pppoe_250k | Auth-Type        | =  | PAP   |
|  6 | f_pppoe_250k | Simultaneous-Use | =  | 1     |
+----+--------------+------------------+----+-------+

## radgroupreply
+----+--------------+--------------------+----+---------------------+
| id | GroupName    | Attribute          | op | Value               |
+----+--------------+--------------------+----+---------------------+
| 13 | f_pppoe_250k | Framed-Protocol    | =  | PPP                 |
| 14 | f_pppoe_250k | Framed-MTU         | =  | 1492                |
| 15 | f_pppoe_250k | Framed-Compression | =  | Van-Jacobsen-TCP-IP |
| 16 | f_pppoe_250k | Service-Type       | =  | Framed-User         |
+----+--------------+--------------------+----+---------------------+

## radusergroup (same usergroup table in 1.3 version freeradius, I have both tables)
+-----------+--------------+----------+
| UserName  | GroupName    | priority |
+-----------+--------------+----------+
| teste-pap | f_pppoe_250k | 1        |
+-----------+--------------+----------+

## radiusd -X
rad_recv: Access-Request packet from host 7.7.7.1 port 32790, id=163, length=73
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = "test-pap"
    User-Password = "pw123"
    NAS-IP-Address =
    NAS-Port = 0
Processing the authorize section of radiusd.conf
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
radius_xlat: 'test-pap'
rlm_sql (sql): sql_set_user escaped user --> 'test-pap'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test-pap' ORDER BY id'
## loading radcheck table ##
rlm_sql (sql): User found in radcheck table
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test-pap' ORDER BY id'
### loading radreply table ##
rlm_sql (sql): Released sql socket id: 3
## if found "Fall-Through = Yes" attribute, radgroupcheck is loaded, but not radgroupreply #
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
+- group authorize returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
Processing the authenticate section of radiusd.conf
+- entering group PAP
rlm_pap: login attempt with password ngc0bqi
rlm_pap: Using clear text password.
rlm_pap: User authenticated successfully
++[pap] returns ok
+- group PAP returns ok
Processing the post-auth section of radiusd.conf
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
rlm_sql (sql): sql_set_user escaped user --> 'test-pap'
radius_xlat: 'INSERT into radpostauth (id, user, pass, reply, date) values ('', 'test-pap', 'ngc0bqi', 'Access-Accept', '2008-01-15 20:33:58')'
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'test-pap', 'pw123', 'Access-Accept', '2008-01-15 20:33:58')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
+- group post-auth returns ok
Sending Access-Accept of id 163 to 7.7.7.1 port 32790
# Here is when radius server send "items reply" to radiusclient #
    Upstream-Speed = 800     ## attribute in radreply
    Downstream-Speed = 800   ## attribute in radreply
Finished request 0 state 5
Going to the next request
rad_recv: Accounting-Request packet from host 7.7.7.1 port 32790, id=164, length=101
    Acct-Session-Id = "478D34D61E1F00&quo
Re: radgroupreply do not read (read_groups directive)
There is a typo in usergroup table. Group is set as teste-pap, while other tables have group test-pap.

Ivan Kalik
Kalik Informatika ISP
Re: radgroupreply do not read (read_groups directive)
Sorry! I was writing this post and correcting the alignment spaces when I pressed the "e" by accident. In my usergroup is test-pap. Thanks.

> There is a typo in usergroup table. Group is set as teste-pap, while other tables have group test-pap.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: radgroupreply do not read (read_grous directive)
OK, since that's correct I had a look at the debug. You are not doing group checking at all. You have done something to sql.conf to break it. Go back to the original sql.conf and just alter the connection details (user, pass, server). Leave the rest as it is (we will sort out simultaneous use later). Default configuration will do group checking. Remove Auth-Type from the radcheck table - let the server sort it out. Put := as an operator for Simultaneous-Use.

Ivan Kalik
Kalik Informatika ISP

On 16/1/2008, "Arlinelson Fernandes dos Santos" <[EMAIL PROTECTED]> wrote:

> Sorry! I was writing this post and correcting the alignment spaces when I pressed
> "e" by accident. In my usergroup it is test-pap. Thanks.
Re: radgroupreply do not read (read_grous directive)
Oh my God!!! This problem is killing me! I went back to the original sql.conf and have no Auth-Type in radcheck, and none in the other tables either. I put := in Simultaneous-Use. I tested the connection and no groups table was read. The radius log is the same. I installed freeradius on another server and did the same. No radgroupreply.

If you are using the freeradius version 2.0.0-pre1 working with reply attributes to NAS (same as mine), PLEASE!!! Send me the config files. I need to know what is buggy.

> OK, since that's correct I had a look at the debug. You are not doing group checking at all. You have done something to sql.conf to break it. Go back to the original sql.conf and just alter the connection details (user, pass, server). Leave the rest as it is (we will sort out simultaneous use later). Default configuration will do group checking. Remove Auth-Type from the radcheck table - let the server sort it out. Put := as an operator for Simultaneous-Use.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 16/1/2008, "Arlinelson Fernandes dos Santos" wrote:
>
>> Sorry! I was writing this post and correcting the alignment spaces when I pressed
>> "e" by accident. In my usergroup it is test-pap. Thanks.
Re: radgroupreply do not read (read_grous directive)
Arlinelson Fernandes dos Santos wrote:

> If you are using the freeradius version 2.0.0-pre1

Please upgrade to 2.0.0. It is *much* better. 2.0.0-pre1 is horrible in comparison to the final release.

Alan DeKok.
Re: radgroupreply do not read (read_grous directive)
Thanks, Alan DeKok! The pre1 version is buggy!!! I installed the final version like you said and all works fine!

Now, I'm working to solve this:

rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in request, unique ID MAY be inconsistent

If I release Client-IP-Address to Framed-IP-Address in acct_unique session (radiusd.conf) the warning stops and the unique session appears fine. But I know this is not the solution. I'm reading wiki.freeradius.org to learn how to solve it.

> Arlinelson Fernandes dos Santos wrote:
>
>> If you are using the freeradius version 2.0.0-pre1
>
> Please upgrade to 2.0.0. It is *much* better. 2.0.0-pre1 is horrible in comparison to the final release.
>
> Alan DeKok.
Re: radgroupreply do not read (read_grous directive)
Arlinelson Fernandes dos Santos wrote:

> The pre1 version is buggy!!!

Yes... which is why 2.0.0 was released.

> Now, I'm working to solver this: rlm_acct_unique: WARNING: Attribute
> Client-IP-Address was not found in request, unique ID MAY be inconsistent

Grab the latest version from CVS. It has this issue fixed.

Alan DeKok.
which one to use - Radgroupcheck or Radgroupreply
Hi All;

I am using chillispot on a router with dd-wrt and I wanted to use the following parameters, but don't know where to load them in my Freeradius Mysql config, pls:

Session-Timeout = 3600
Idle-Timeout = 600
Acct-Interim-Interval = 60
WISPr-Redirection-URL = http://www.google.com/
WISPr-Bandwidth-Max-Up = 12800
WISPr-Bandwidth-Max-Down = 25600

And also if I should use = or any other operator pls?

Thanks
lucio
radgroupreply issue with freeradius,mysql and daloradius
Hello.

I am having problems getting the radgroupreply attributes to work. radreply works fine when adding reply attributes to users. Now I have a user defined that belongs to a group (for example, SSL). This group has groupreply attributes rfc 2865. (Class). But when trying with radtest it does not seem to check for groups.

SQL-conf:

mysql> select * from usergroup;
+----------+-----------+----------+
| UserName | GroupName | priority |
+----------+-----------+----------+
| ssluser  | SSL       |        1 |
+----------+-----------+----------+
1 row in set (0.00 sec)

mysql>
mysql> select * from radgroupreply;
+----+-----------+-----------+----+------------+
| id | groupname | attribute | op | value      |
+----+-----------+-----------+----+------------+
| 10 | SSL       | Class     | =  | ou=bblblbk |
+----+-----------+-----------+----+------------+
1 row in set (0.00 sec)

radtest:

[r...@centos]# radtest ssluser ssluser localhost 1812 testing123
Sending Access-Request of id 178 to 127.0.0.1 port 1812
        User-Name = "ssluser"
        User-Password = "ssluser"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=178, length=20
[r...@centos]#

radiusd -X debug:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 47384, id=178, length=59
        User-Name = "ssluser"
        User-Password = "ssluser"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ssluser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{User-Name} -> ssluser
[sql] sql_set_user escaped user --> 'ssluser'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'ssluser' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = BINARY 'ssluser' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'ssluser' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "ssluser"
[pap] Using clear text password "ssluser"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 178 to 127.0.0.1 port 47384
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 178 with timestamp +2
Ready to process requests.

I am probably missing something obvious here. Thankful for some help.

Regards
M
Problem with Ascend-Data-Rate in Radgroupreply
Hi All

I am having a problem setting up a TX/RX for a user using Ascend-Data-Rate in Radgroupreply. I need to set them under a group; if I set them up for a single user it works fine.

In table radgroupreply I have:

group 1 Ascend-Data-Rate := rxspeed
2 Ascend-Data-Rate := txspeed

But when the user is logged on I am seeing that it is restricting the user RX/TX using the RXSPEED.

Any idea?

Thank you
Sarky
Re: which one to use - Radgroupcheck or Radgroupreply
On 4 Sep 2011, at 14:28, Lucio Godoy wrote:

> Hi All;
>
> I am using chillispot on a router with dd-wrt and I wanted to use the
> following parameters, but don't know where to load them in my Freeradius Mysql
> config, pls:
>
> Session-Timeout = 3600
> Idle-Timeout = 600
> Acct-Interim-Interval = 60
> WISPr-Redirection-URL = http://www.google.com/
> WISPr-Bandwidth-Max-Up = 12800
> WISPr-Bandwidth-Max-Down = 25600
>
> And also if I should use = or any other operator pls?

radreply, and either = or := operators.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter
Re: which one to use - Radgroupcheck or Radgroupreply
Thank you very much

My biggest wish is to make sure of the Acct-Interim-Interval feature

Thanks
Lucio

-Original Message-
From: Arran Cudbard-Bell
Date: Sun, 4 Sep 2011 12:45:02
To:
Subject: Re: which one to use - Radgroupcheck or Radgroupreply

On 4 Sep 2011, at 14:28, Lucio Godoy wrote:

> Hi All;
>
> I am using chillispot on a router with dd-wrt and I wanted to use the following parameters, but don't know where to load them in my Freeradius Mysql config, pls:
>
> Session-Timeout = 3600
> Idle-Timeout = 600
> Acct-Interim-Interval = 60
> WISPr-Redirection-URL = http://www.google.com/
> WISPr-Bandwidth-Max-Up = 12800
> WISPr-Bandwidth-Max-Down = 25600
>
> And also if I should use = or any other operator pls?

radreply, and either = or := operators.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org <mailto:a.cudba...@freeradius.org>

RADIUS - Half the complexity of Diameter
Stuck with exec script from radgroupreply sql table
Hello List,

I am stuck with executing a script from my radgroupreply sql table and hope someone can point me into the right direction, as I have been fiddling around with this for days and lost my way.

I want to set a dynamic "Session-Timeout" for certain groups. For testing purposes I created a TESTGROUP in the database table radgroupreply with an entry like this:

id   GroupName  Attribute        Value                            op
263  TESTGROUP  Session-Timeout  `%{exec:/var/skripte/test.sh}`   ==

my test.sh looks like this:

    #!/bin/bash
    logger "done"
    echo 9

When I start radiusd in debug mode everything looks good, the user is found, the group is found, then the script is executed. But then there is no "exec output"... I am sure I am missing a crucial step! Hope someone can help.

Here is the log output:

[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testradius' ORDER BY id
[sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = 'testradius' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'TESTGROUP' ORDER BY id
[sql] User found in group TESTGROUP
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'TESTGROUP' ORDER BY id
[sql] Executing /var/skripte/test.sh
[sql] result 0
[sql] expand: %{exec:/var/skripte/test.sh} ->
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
User-Password in the request is correct.
Login OK: [testradius] (from client LOCALHOST_TESTING port 1234)
# Executing section post-auth from file /etc/raddb//sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 21 to 192.168.171.174 port 54825
        Framed-IP-Address == 10.0.0.1
        Service-Type == Framed-User
        Framed-Protocol == PPP
        Framed-MTU == 1500
        Framed-Routing == None
        Session-Timeout == 0
        Context-Name == "local"
Finished request 2.

Thanks!
Stefan
Re: radgroupreply issue with freeradius,mysql and daloradius
Hello again.

Forget about this post. I found it. From the debug. Seems it was checking for radusergroup instead of usergroup...

Sorry.

Regards
M
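Two causes found in this thread, a username typo in the membership table and membership rows stored in usergroup while the server queries radusergroup, can be checked mechanically. The Python below is an added example, not code from any poster or from FreeRADIUS; it runs against an in-memory SQLite database with constructed rows modelled on the tables quoted in the thread, and the function name audit_group_replies and the user gooduser are hypothetical.

```python
import difflib
import sqlite3

# Constructed sample rows modelled on the tables quoted in the thread.
SAMPLE = """
CREATE TABLE radcheck      (username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE usergroup     (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radusergroup  (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupreply (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
INSERT INTO radcheck VALUES ('test-pap', 'Cleartext-Password', ':=', 'pw123');
INSERT INTO radcheck VALUES ('ssluser',  'Cleartext-Password', ':=', 'constructed');
INSERT INTO radcheck VALUES ('gooduser', 'Cleartext-Password', ':=', 'constructed');
INSERT INTO radusergroup VALUES ('teste-pap', 'f_pppoe_250k', 1);
INSERT INTO radusergroup VALUES ('gooduser',  'f_pppoe_250k', 1);
INSERT INTO usergroup    VALUES ('ssluser',   'SSL', 1);
INSERT INTO radgroupreply VALUES ('f_pppoe_250k', 'Framed-MTU', '=', '1492');
INSERT INTO radgroupreply VALUES ('SSL', 'Class', '=', 'ou=bblblbk');
"""
TABLES = ("radusergroup", "usergroup")


def audit_group_replies(conn, membership_table):
    """Map each radcheck user that would get no group reply items to a reason."""
    # Table name as seen in the radiusd -X membership SELECT; allow-listed
    # because it is interpolated into the SQL text.
    if membership_table not in TABLES:
        raise ValueError("unknown membership table")
    other = TABLES[1 - TABLES.index(membership_table)]

    def q(sql, *args):
        return [row[0] for row in conn.execute(sql, args).fetchall()]

    members = q(f"SELECT DISTINCT username FROM {membership_table}")
    findings = {}
    for user in q("SELECT DISTINCT username FROM radcheck"):
        groups = q(f"SELECT groupname FROM {membership_table} "
                   "WHERE username = ? ORDER BY priority", user)
        if groups:
            if not any(q("SELECT 1 FROM radgroupreply WHERE groupname = ?", g)
                       for g in groups):
                findings[user] = "groups have no radgroupreply rows"
        elif q(f"SELECT 1 FROM {other} WHERE username = ?", user):
            findings[user] = f"membership is in {other}, server reads {membership_table}"
        else:
            near = difflib.get_close_matches(user, members, n=1, cutoff=0.8)
            hint = f"; closest membership name is {near[0]!r}" if near else ""
            findings[user] = "no membership row" + hint
    return findings


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE)
    return audit_group_replies(conn, "radusergroup")


if __name__ == "__main__":
    print(demo())
```

Pass the table name that appears in the "SELECT groupname FROM ..." line of your own radiusd -X output; the findings change depending on which table the server actually reads.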
RES: Stuck with exec script from radgroupreply sql table
> I want to set a dynamic "Session-Timeout" for certain groups. For
> testing purposes I created a TESTGROUP in the database table
> radgroupreply with an entry like this:
>
> id   GroupName  Attribute        Value                            op
> 263  TESTGROUP  Session-Timeout  `%{exec:/var/skripte/test.sh}`   ==

Try to use a mysql procedure to return this value in the stand query.
Re: RES: Stuck with exec script from radgroupreply sql table
lscrlstld wrote:

>> I want to set a dynamic "Session-Timeout" for certain groups. For
>> testing purposes I created a TESTGROUP in the database table
>> radgroupreply with an entry like this:
>>
>> id   GroupName  Attribute        Value                            op
>> 263  TESTGROUP  Session-Timeout  `%{exec:/var/skripte/test.sh}`
>
> Try to use a mysql procedure to return this value in the stand query.

Hm, thanks. I am trying to achieve that users in certain groups have a different Session-Timeout than users from other groups.

I am not THAT much into mysql, but is it possible to form this into a sane query? Implement IF clauses depending on whether a user is in TESTGROUP and then returning AV pairs? Aren't such control flow functions quite slow in mysql? But executing a script might not be a fast solution either :)

thx
regards