Hello, I tried to port my users file to PostgreSQL today, but I am having a great deal of confusing trouble trying to get it to work. I am using the postgresql.conf file that came with Freeradius 1.1.0 and am having no trouble getting Freeradius to connect to Postgre. My problem comes when trying to authenticate to my firewall. First, I will explain the working "files-only" configuration:
:::::::::::::::::
huntgroups
:::::::::::::::::
switches        NAS-IP-Address == 10.20.10.x
switches        NAS-IP-Address == 10.20.10.x
switches        NAS-IP-Address == 10.20.10.x
switches        NAS-IP-Address == 127.0.0.1
firewall        NAS-IP-Address == 10.20.10.x
firewall        NAS-IP-Address == 10.20.10.x

:::::::::
users
:::::::::
DEFAULT Auth-Type = System
        Fall-Through = 1

admin   Auth-Type := Kerberos, Huntgroup-Name == "switches"
        Service-Type == "Administrative-User"

admin   Auth-Type := Kerberos, Huntgroup-Name == "firewall"
        NS-Admin-Privilege = "All-VSYS-Root-Admin"

When I do this with files only, it works great. I then tried to get the database setup to work. I left the huntgroups file alone and commented out the 2 'admin' entries in users. Now, this is my setup in the database that is not working:

::::::::::::::::::::::
radgroupcheck
::::::::::::::::::::::
 id | groupname | attribute      | op | value
----+-----------+----------------+----+----------
  1 | switches  | Huntgroup-Name | == | switches
  2 | firewall  | Huntgroup-Name | == | firewall
  5 | firewall  | Auth-Type      | := | Kerberos
  6 | switches  | Auth-Type      | := | Kerberos

:::::::::::::::::::::
radgroupreply
:::::::::::::::::::::
 id | groupname | attribute          | op | value
----+-----------+--------------------+----+---------------------
  2 | firewall  | NS-Admin-Privilege | =  | All-VSYS-Root-Admin
  1 | switches  | Service-Type       | =  | Administrative-User

:::::::::::::::
usergroup
:::::::::::::::
 id | username | groupname
----+----------+-----------
  1 | admin    | switches
  2 | admin    | firewall

In this setup, I can authenticate with 'admin' using my Kerberos password for the 'switches' huntgroup, but I cannot authenticate to 'firewall'. Also, when I do radtest for an IP in the switches huntgroup, I get a reply of both 'Service-Type' and 'NS-Admin-Privilege', when I assumed that this would give me one or the other since they are in different groups.

When running radiusd with the '-X' flag and trying to authenticate to firewall, I get the error:

    rlm_sql (sql): No matching entry in the database for request from user [admin]

This shouldn't be the case since the user 'admin' is part of both groups. I am at a loss at this point what could be the problem. If anyone has any insight, I would greatly appreciate it.

Thanks in advance.