On Thu, May 30, 2002 at 09:27:32AM -0400, Deramus, Chris wrote:
> Simon,
>
> I follow what you are saying, I changed a few tables per your suggestions,
> no success. I'm going to copy paste what I have, I apologize in advance for
> the length of this post.
>
> mysql> select * from radcheck;
> +----+----------+-----------+---------+------+
> | id | UserName | Attribute | Value   | op   |
> +----+----------+-----------+---------+------+
> |  1 | TestRad  | Password  | TestRad | :=   |
> |  2 | Radius   | Password  | TestRad | :=   |
> +----+----------+-----------+---------+------+
> 2 rows in set (0.00 sec)

This looks fine. Since you have cleartext passwords set, also make sure
that you have encryption_scheme = clear in the pap section of the modules
section in radiusd.conf.

> mysql> select * from radgroupcheck;
> +----+-----------+-----------------+-------------+------+
> | id | GroupName | Attribute       | Value       | op   |
> +----+-----------+-----------------+-------------+------+
> |  1 | Radius    | Password        | TestRad     | :=   |
> |  2 | Radius    | Auth-Type       | PAP         | :=   |
> |  3 | Radius    | Framed-Protocol | PPP         | ==   |
> |  4 | Radius    | Service-Type    | Framed-User | ==   |
> +----+-----------+-----------------+-------------+------+
> 4 rows in set (0.00 sec)

Remove the row with id = 1.

> mysql> select * from radgroupreply;
> +----+-----------+--------------------+-------------+------+------+
> | id | GroupName | Attribute          | Value       | op   | prio |
> +----+-----------+--------------------+-------------+------+------+
> |  2 | Radius    | Framed-Protocol    | PPP         | ==   |    0 |
> |  3 | Radius    | Service-Type       | Framed-User | ==   |    0 |
> |  1 | Radius    | Auth-Type          | PAP         | :=   |    0 |
> |  4 | Radius    | Framed-Compression | None        | ==   |    0 |
> +----+-----------+--------------------+-------------+------+------+
> 4 rows in set (0.00 sec)

Remove row with id = 1, you don't set auth-type in radgroupreply. Change
all the other op fields to ':='. Are you sure your NAS wants the above
attributes in return? Just making sure.

> mysql> select * from radgroup
> +----+----------+-----------+
> | id | UserName | GroupName |
> +----+----------+-----------+
> |  1 | TestRad  | Radius    |
> |  2 | Radius   | Radius    |
> +----+----------+-----------+
> 2 rows in set (0.00 sec)

This looks fine, if this is actually the usergroup table. Have you updated
the queries in sql.conf to reflect the table name change? Using 'Radius' as
both a username and groupname might get confusing though.

> I am trying to send out the first authorization/authentication request as
> part of the Radius group. Multiple users will have this group name and group
> password.
> Next I want the user TestRad to authenticate himself. After these
> two authentication requests pass through, everything *should* be okay.

I think the whole group thing in your vpn-concentrator is what's confusing
the whole issue. I _believe_, though I could of course be wrong, that your
NAS will just send a "normal" radius auth packet when it wants to
authenticate the group, i.e. User-Name = "groupname". The whole group bit
used in the freeradius sql tables is just used internally by the rlm_sql*
modules for easier grouping handling of accounts/attributes.

Try making the changes I noted above, if that doesn't help include the
output of 'radiusd -X' when you try logging on with one of your clients.

--
Simon
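
The three table changes listed in the reply above, written as a check plus fix over the posted group rows. This is an added example, not part of the original message or of FreeRADIUS: it loads a constructed copy of the rows into in-memory SQLite (the thread uses MySQL), the helper names load, lint and apply_fixes are hypothetical, and it generalizes "row with id = 1" to matching on the attribute name.

```python
import sqlite3

# Constructed sample: group rows from the quoted post (prio column omitted).
ROWS = {
    "radgroupcheck": [
        (1, "Radius", "Password", "TestRad", ":="),
        (2, "Radius", "Auth-Type", "PAP", ":="),
        (3, "Radius", "Framed-Protocol", "PPP", "=="),
        (4, "Radius", "Service-Type", "Framed-User", "=="),
    ],
    "radgroupreply": [
        (2, "Radius", "Framed-Protocol", "PPP", "=="),
        (3, "Radius", "Service-Type", "Framed-User", "=="),
        (1, "Radius", "Auth-Type", "PAP", ":="),
        (4, "Radius", "Framed-Compression", "None", "=="),
    ],
}

def load(rows=ROWS):
    db = sqlite3.connect(":memory:")
    for table, data in rows.items():
        db.execute(f"CREATE TABLE {table} (id INTEGER, GroupName TEXT, "
                   "Attribute TEXT, Value TEXT, op TEXT)")
        db.executemany(f"INSERT INTO {table} VALUES (?, ?, ?, ?, ?)", data)
    return db

def lint(db):
    """List (table, id, problem) for every row the reply asks to change."""
    found = [("radgroupcheck", rid, "group-wide Password check item: remove")
             for (rid,) in db.execute(
                 "SELECT id FROM radgroupcheck WHERE Attribute = 'Password'")]
    reply = "SELECT id, Attribute, op FROM radgroupreply ORDER BY id"
    for rid, attr, op in db.execute(reply).fetchall():
        if attr == "Auth-Type":
            found.append(("radgroupreply", rid, "Auth-Type in reply: remove"))
        elif op != ":=":
            found.append(("radgroupreply", rid, f"op {op} should be :="))
    return found

def apply_fixes(db):
    """Make the three changes listed in the reply."""
    db.execute("DELETE FROM radgroupcheck WHERE Attribute = 'Password'")
    db.execute("DELETE FROM radgroupreply WHERE Attribute = 'Auth-Type'")
    db.execute("UPDATE radgroupreply SET op = ':=' WHERE op <> ':='")

if __name__ == "__main__":
    db = load()
    print(*lint(db), sep="\n")
    apply_fixes(db)
    print("left to fix:", lint(db))
```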
