Re: R: R: R: NAS-Identifier and radgroupcheck table
Hmm... that will cause all of the users to be rejected. Delete it. Yes I follow this howto http://wiki.freeradius.org/SQL_Huntgroup_HOWTO and, *DEFAULT Auth-Type := Reject That's not necessary. It should be deleted from the page. Thanks -- Ana Gallardo Gómez - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: R: R: R: NAS-Identifier and radgroupcheck table
Hello Alan, thank you for your response. Where is this coming from? I put a default entry at the button of users file. http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg51143.html My users file: debian:/etc/freeradius# cat users DEFAULT Auth-Type := Reject bobCleartext-Password := hello Reply-Message = Hola %{User-Name} The default configuration has *no* Auth-Type = Reject setting. You have added this locally. I follow this howto http://wiki.freeradius.org/SQL_Huntgroup_HOWTO and, at the button said: *Note: If you want to reject authentication by default then edit the raddb/users file and add this: * *DEFAULT Auth-Type := Reject * *Then add Auth-Type Accept with := as op in radgroupcheck for each group. * Sorry to ask again about that, but I can't get the correct configuration. Thank you. -- Ana Gallardo Gómez - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: R: R: R: NAS-Identifier and radgroupcheck table
Ana Gallardo wrote: DEFAULT Auth-Type := Reject Hmm... that will cause all of the users to be rejected. Delete it. I follow this howto http://wiki.freeradius.org/SQL_Huntgroup_HOWTO and, at the button said: *Note: If you want to reject authentication by default then edit the raddb/users file and add this: * *DEFAULT Auth-Type := Reject That's not necessary. It should be deleted from the page. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: R: R: R: NAS-Identifier and radgroupcheck table
Alan DeKok wrote: Ana Gallardo wrote: DEFAULT Auth-Type := Reject Hmm... that will cause all of the users to be rejected. Delete it. I follow this howto http://wiki.freeradius.org/SQL_Huntgroup_HOWTO and, at the button said: *Note: If you want to reject authentication by default then edit the raddb/users file and add this: * *DEFAULT Auth-Type := Reject That's not necessary. It should be deleted from the page. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Dear Ana, Could you tell me your name of NAS device which you are using ? Hung, - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
R: R: R: NAS-Identifier and radgroupcheck table
Hello, sorry to ask again about this isuue, but I can't get the correct configuration. I follow your howto: http://wiki.freeradius.org/SQL_Huntgroup_HOWTO I want to filter users login from fixed NAS,but I always get an reject. I don't understand why in the example bellow: ++[request] returns notfound Thank you very much. EXAMPLE My SQL database: mysql select * from radcheck; +++++-+ | id | username | attribute | op | value | +++++-+ | 1 | ana| Cleartext-Password | := | claveAna| +++++-+ 1 rows in set (0.00 sec) mysql select * from radreply; ++--+---++--+ | id | username | attribute | op | value| ++--+---++--+ | 1 | ana | Reply-Message | += | Hola Anita | ++--+---++--+ 1 rows in set (0.00 sec) mysql select * from radusergroup; +--+---+--+ | username | groupname | priority | +--+---+--+ | ana | CAU1 |0 | +--+---+--+ 1 rows in set (0.00 sec) mysql select * from radgroupcheck; ++---++++ | id | groupname | attribute | op | value | ++---++++ | 1 | CAU1 | Huntgroup-Name | == | pccau1 | | 2 | CAU1 | Auth-Type | := | Accept | ++---++++ 2 rows in set (0.00 sec) mysql select * from radgroupreply; ++---+---++--+ | id | groupname | attribute | op | value| ++---+---++--+ | 1 | CAU1 | Reply-Message | += | Hola miembros del grupo CAU1 | ++---+---++--+ 1 rows in set (0.00 sec) mysql select * from nas; +++---+---+---+++---+---+ | id | nasname| shortname | type | ports | secret | server | community | description | +++---+---+---+++---+---+ | 1 | X.X.X.X | pcCAU1| other | NULL | cau123 | NULL | NULL | CAU1 computer | +++---+---+---+++---+---+ 1 rows in set (0.00 sec) In my users file: debian:/etc/freeradius# cat users DEFAULT Auth-Type := Reject bobCleartext-Password := hello Reply-Message = Hola %{User-Name} My default server: authorize { update request { Huntgroup-Name = %{sql:select shortname from nas where nasname=\%{Client-IP-Address}\} } preprocess mschap suffix eap { ok = return } files sql expiration pap } Request with radtest + ana + pcCAU1 rad_recv: Access-Request packet from host X.X.X.X port 45281, id=133, length=55 User-Name = ana User-Password = claveAna NAS-IP-Address = 127.0.1.1 NAS-Port = 0 +- entering group authorize {...} sql_xlat expand: %{User-Name} - ana sql_set_user escaped user -- 'ana' expand: select shortname from nas where nasname=%{Client-IP-Address} - select shortname from nas where nasname=X.X.X.X expand: /var/log/freeradius/sqltrace.sql - /var/log/freeradius/sqltrace.sql rlm_sql (sql): Reserving sql socket id: 3 rlm_sql_mysql: query: select shortname from nas where nasname=X.X.X.X sql_xlat finished rlm_sql (sql): Released sql socket id: 3 expand: %{sql:select shortname from nas where nasname=%{Client-IP-Address}} - pcCAU1 ++[request] returns notfound ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = ana, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 9 ++[files] returns ok [sql] expand: %{User-Name} - ana [sql] sql_set_user escaped user -- 'ana' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'ana' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'ana' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radreply
Re: R: R: R: NAS-Identifier and radgroupcheck table
Ana Gallardo wrote: sorry to ask again about this isuue, but I can't get the correct configuration. I follow your howto: http://wiki.freeradius.org/SQL_Huntgroup_HOWTO I want to filter users login from fixed NAS,but I always get an reject. ... [expiration] Checking Expiration time: '02 Dec 2010' ++[expiration] returns ok [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = Reject Where is this coming from? The default configuration has *no* Auth-Type = Reject setting. You have added this locally. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: R: R: R: NAS-Identifier and radgroupcheck table
On 04/26/2010 08:46 AM, Ana Gallardo wrote: Hello, sorry to ask again about this isuue, but I can't get the correct configuration. I follow your howto: http://wiki.freeradius.org/SQL_Huntgroup_HOWTO I want to filter users login from fixed NAS,but I always get an reject. I don't understand why in the example bellow: ++[request] returns notfound I believe rlm_sql is being invoked to satisfy the update request using a sql select and I believe the return code of notfound isn't meaningful in this context. You probably also should read doc/rlm_sql and make sure you understand the meanings of the operators, specifically the difference between =, == and := -- John Dennis jden...@redhat.com Looking to carve out IT costs? www.redhat.com/carveoutcosts/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
R: R: R: NAS-Identifier and radgroupcheck table
You're right: putting the parameter in the first lines of the file everything is OK (and now I'm sure of that). Thanks. Arrigo -Messaggio originale- Da: freeradius-users-bounces+a.savio=bascom...@lists.freeradius.org [mailto:freeradius-users-bounces+a.savio=bascom...@lists.freeradius.org] Per conto di t...@kalik.net Inviato: mercoledì 7 gennaio 2009 12.52 A: FreeRadius users mailing list Oggetto: Re: R: R: NAS-Identifier and radgroupcheck table I followed your suggestion, but I still have the problem. I put DEFAULT Auth-Type := Reject at the bottom of users file. It should be on the same line: DEFAULT Auth-Type := Reject And it should go to the front of the users file. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html