I am a radius rookie. I have FreeRadius 1.0.0 installed on Slack 9.1 and
have the MySQL compatibility working as well. I ran the script that was
included with the source code to create the MySQL tables. My problem is not
with getting the server running - it's that I can't make it deny access when
I want, or accept when I want. I'm using NTRadPing for testing.
For example...there's only one username defined (bammons) in the table
"usergroup", and that user is a member of groupname "administrators". In
the table "radcheck", I set up "username" = "bammons", "Attribute" =
"Password", "op" = "==" and "Value" = "wtfover".
So at that point I've set up a user and a password for that user, right?
After it validates, it's supposed to look at the table "radreply" for what to
do, right? In "radreply", I define "username" = "bammons", "Attribute" =
"Auth-Type", "op" = "==" and "Value" = "Accept".
You may know that that does NOT result in the "Access-Accept" message I
expected to see, but I can't figure out why. I'm running radiusd in full
debug mode (radiusd -xxyz -l stdout) and I see the following:
modcall: entering group authenticate for request 34
modcall [authenticate]: module "unix" returns notfound for request 34
modcall: group authenticate returns notfound for request 34
auth: Failed to validate the user.
OK, so I see that it wants to find an entry for the group "administrators"
in the "radgroupcheck" table. So I add that - "groupname" =
"administrators", "attribute" = Auth-Type, "op" = "==" and "Value" = "Local"
(I picked "local" because it's listed as an "Auth-Type" value in the Hassell
Radius book) and then that works, I get "Access-Accept" back from the
server.
WHY is that required? WHAT can I do about the error message that appears,
"Warning: Found 2 auth-types on request for user 'bammons'"? I've tried
putting "Service-Type" in place of "Auth-Type" in "radgroupcheck" but that
doesn't work...what am I missing here?
Back to the working config...I change the Auth-Type in "radreply" to
"Reject", but I still get an "Access-Accept" reply - this is (I suspect)
because any Auth-Type entries found in "radgroupcheck" take precedence over
any others...except that just doesn't seem right, what am I missing?
I guess ultimately despite trying to read everything I could find, I just
don't get how the RADIUS system steps through the different tables.
Thanks for your gentle replies.
Brian Ammons
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
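The following is an added example and not part of the post above. It shows how the stock FreeRADIUS 1.x MySQL schema (db_mysql.sql, assumed here: radcheck/radreply keyed by UserName, radgroupcheck/radgroupreply keyed by GroupName, usergroup linking the two) splits "check" items from "reply" items, and the shape of the lookups rlm_sql runs during authorize. The user name and password are the constructed values from the post; the reply attributes and the query text are assumptions to be checked against your own sql.conf.

```sql
-- Added example, not from the post or the FreeRADIUS distribution.
-- Assumes the FreeRADIUS 1.x MySQL schema; column names as in db_mysql.sql.

-- Group membership: rlm_sql uses this to decide which radgroup* rows apply.
INSERT INTO usergroup (UserName, GroupName)
  VALUES ('bammons', 'administrators');

-- CHECK items: conditions the request must satisfy, plus control items such
-- as Auth-Type that steer how the password is verified. These live in
-- radcheck (per user) and radgroupcheck (per group). ':=' sets the item
-- unconditionally; '==' compares it against the request.
INSERT INTO radcheck (UserName, Attribute, op, Value)
  VALUES ('bammons', 'Password', '==', 'wtfover');
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value)
  VALUES ('administrators', 'Auth-Type', ':=', 'Local');

-- REPLY items: attributes copied into the Access-Accept packet sent back to
-- the NAS. These live in radreply (per user) and radgroupreply (per group).
-- Service-Type / Idle-Timeout are assumed sample values, not from the post.
INSERT INTO radreply (UserName, Attribute, op, Value)
  VALUES ('bammons', 'Service-Type', '=', 'Administrative-User');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value)
  VALUES ('administrators', 'Idle-Timeout', '=', '600');

-- Lookups of the same shape as the default authorize_*_query settings in
-- sql.conf (paraphrased; the exact text is in your sql.conf), in the order
-- rlm_sql evaluates them: user check items, group check items, user reply
-- items, group reply items.

-- 1. user check items
SELECT id, UserName, Attribute, Value, op
  FROM radcheck
  WHERE UserName = 'bammons'
  ORDER BY id;

-- 2. group check items for every group the user belongs to
SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute,
       radgroupcheck.Value, radgroupcheck.op
  FROM radgroupcheck, usergroup
  WHERE usergroup.UserName = 'bammons'
    AND usergroup.GroupName = radgroupcheck.GroupName
  ORDER BY radgroupcheck.id;

-- 3. user reply items
SELECT id, UserName, Attribute, Value, op
  FROM radreply
  WHERE UserName = 'bammons'
  ORDER BY id;

-- 4. group reply items
SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute,
       radgroupreply.Value, radgroupreply.op
  FROM radgroupreply, usergroup
  WHERE usergroup.UserName = 'bammons'
    AND usergroup.GroupName = radgroupreply.GroupName
  ORDER BY radgroupreply.id;
```

Running the four SELECTs by hand against the database is a quick way to see exactly which rows the module will merge for a given user before sending a test packet; rows in radreply or radgroupreply are only ever sent back in the reply packet, so an access decision has to be expressed through the check tables.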