Hello,

First, you should place Auth-Type := Accept in your radcheck, not radreply.
Second, please show us your configuration files.

Best Regards,

Brian Ammons wrote:
I am a radius rookie.  I have FreeRadius 1.0.0 installed on Slack 9.1 and
have the MySQL compatibility working as well.  I ran the script that was
included with the source code to create the MySQL tables.  My problem is not
with getting the server running - it's that I can't make it deny access when
I want, or accept when I want.  I'm using NTRadPing for testing.

For example...there's only one username defined (bammons) in the table
"usergroup", and that user is a member of groupname "administrators".  In
the table "radcheck", I set up "username" = "bammons", "Attribute" =
"Password", "op" = "==" and "Value" = "wtfover".

So at that point I've set up a user and a password for that user, right?
After it validates, it's supposed to look @ the table "radreply" for what to
do, right?  In "radreply", I define "username" = "bammons", "Attribute" =
"Auth-Type", "op" = "==" and "Value" = "Accept".

You may know that that does NOT result in the "Access-Accept" message I
expected to see, but I can't figure out why.  I'm running radiusd in full
debug mode (radiusd -xxyz -l stdout) and I see the following:

modcall: entering group authenticate for request 34
        modcall [authenticate]: module "unix" returns notfound for request 34
modcall: group authenticate returns notfound for request 34
auth: Failed to validate the user.

OK, so I see that it wants to find an entry for the group "administrators"
in the "radgroupcheck" table.  So I add that - "groupname" =
"administrators", "attribute" = Auth-Type, "op" = "==" and "Value" = "Local"
(I picked "local" because it's listed as an "Auth-Type" value in the Hassell
Radius book) and then that works, I get "Access-Accept" back from the
server.

WHY is that required?  WHAT can I do about the error message that appears,
"Warning:  Found 2 auth-types on request for user 'bammons'"?  I've tried
putting "Service-Type" in place of "Auth-Type" in "radgroupcheck" but that
doesn't work...what am I missing here?

Back to the working config...I change the Auth-Type in "radreply" to
"Reject", but I still get an "Access - Accept" reply - this is (I suspect)
because any Auth-Type entries found in "radgroupcheck" take precedence over
any others...except that just doesn't seem right, what am I missing?

I guess ultimately despite trying to read everything I could find, I just
don't get how the RADIUS system steps through the different tables.

Thanks for your gentle replies.



Brian Ammons


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



-- George Chelidze

