I have searched the archive and came close to figuring this out, but I have not been able to get a user to exist in 2 groups and have each authenticate. I have one set of systems that need Login-User and then reply with one set of responses and another set that need Framed-User and reply with a different set of responses.
I have both groups working if I have the user in just one group. If the user is in 2 groups, one group works and the other Rejects. What is wrong with my configuration? There is an accounting request packet in the trace below that shows that sreed is logged into one of the Framed-User devices. Then there is the packet from treed trying to log into a Login-User device.

Configuration tables:

USERGROUP (id, UserName, GroupName)
 80  sreed  MS1-AP1
 76  treed  MS1-AP1
 78  sreed  Router-Admin
 79  treed  Router-Admin
 81  dreed  Router-Admin

RADCHECK (id, UserName, Attribute, op, Value)
 331  dreed  User-Password  ==  password
 269  treed  User-Password  ==  password
 267  sreed  User-Password  ==  password

RADGROUPCHECK (id, GroupName, Attribute, op, Value)
 31  Router-Admin  Service-Type  ==  Login-User
 28  MS1-AP1       Service-Type  ==  Framed-User

RADREPLY (id, UserName, Attribute, op, Value)
 33  sreed  Fall-Through  =  yes
 43  treed  Fall-Through  =  yes

RADGROUPREPLY (id, GroupName, Attribute, op, Value, prio)
 33  MS1-AP1       Port-Limit      =  128k  15
 34  Router-Admin  Mikrotik-Group  =  full  10
 39  Router-Admin  Fall-Through    =  Yes   10
 37  MS1-AP1       Fall-Through    =  Yes   15

Debug trace:

rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): - generate_sql_clients
rlm_sql (sql): Query: SELECT * FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: SELECT * FROM nas
rlm_sql (sql): Read entry nasname=nwnr0004.nwadmin.net,shortname=nwnr0004,secret=sbr28tsr
rlm_sql (sql): Adding client 10.2.49.5 (nwnr0004) to clients list
rlm_sql (sql): Read entry nasname=nwnr0003.nwadmin.net,shortname=nwnr0003,secret=sbr28tsr
rlm_sql (sql): Adding client 10.2.49.4 (nwnr0003) to clients list
rlm_sql (sql): Read entry nasname=nwnr0002.nwadmin.net,shortname=nwnr0002,secret=sbr28tsr
rlm_sql (sql): Adding client 10.0.1.4 (nwnr0002) to clients list
rlm_sql (sql): Read entry nasname=hotspot.nwwhome.net,shortname=hotspot,secret=testing123
rlm_sql (sql): Adding client 192.168.100.13 (hotspot) to clients list
rlm_sql (sql): Read entry nasname=nwnr0001.nwadmin.net,shortname=nwnr0001,secret=sbr28tsr
rlm_sql (sql): Adding client 10.0.0.1 (nwnr0001) to clients list
rlm_sql (sql): Released sql socket id: 4
Module: Instantiated sql (sql)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Accounting-Request packet from host 192.168.100.13:1201, id=165, length=177
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 17564
        NAS-Port-Type = Ethernet
        User-Name = "sreed"
        Calling-Station-Id = "00:05:9E:81:8B:DD"
        Called-Station-Id = "TestAP"
        NAS-Port-Id = "TestAP"
        Acct-Session-Id = "81700264"
        Framed-IP-Address = 172.17.1.100
        Acct-Authentic = RADIUS
        Acct-Session-Time = 54602
        Acct-Input-Octets = 80
        Acct-Input-Gigawords = 0
        Acct-Input-Packets = 8
        Acct-Output-Octets = 130
        Acct-Output-Gigawords = 0
        Acct-Output-Packets = 8
        Acct-Status-Type = Alive
        NAS-Identifier = "HotSpot"
        NAS-IP-Address = 192.168.100.13
        Acct-Delay-Time = 0
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 0
  modcall[preacct]: module "preprocess" returns noop for request 0
rlm_acct_unique: Hashing 'NAS-Port = 17564,Client-IP-Address = 192.168.100.13,NAS-IP-Address = 192.168.100.13,Acct-Session-Id = "81700264",User-Name = "sreed"'
rlm_acct_unique: Acct-Unique-Session-ID = "4553128d21acc6cf".
  modcall[preacct]: module "acct_unique" returns ok for request 0
    rlm_realm: No '@' in User-Name = "sreed", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[preacct]: module "suffix" returns noop for request 0
modcall: group preacct returns ok for request 0
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 0
radius_xlat: '/var/log/radius/radacct/192.168.100.13/detail-20060405'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/192.168.100.13/detail-20060405
  modcall[accounting]: module "detail" returns ok for request 0
  modcall[accounting]: module "unix" returns noop for request 0
radius_xlat: '/var/log/radius/radutmp'
radius_xlat: 'sreed'
  modcall[accounting]: module "radutmp" returns ok for request 0
radius_xlat: 'sreed'
rlm_sql (sql): sql_set_user escaped user --> 'sreed'
radius_xlat: 'UPDATE radacct SET FramedIPAddress = '172.17.1.100', AcctSessionTime = '54602', AcctInputOctets = '80', AcctOutputOctets = '130' WHERE AcctSessionId = '81700264' AND UserName = 'sreed' AND NASIPAddress= '192.168.100.13''
radius_xlat: '/var/log/radius/sqltrace.sql'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query: UPDATE radacct SET FramedIPAddress = '172.17.1.100', AcctSessionTime = '54602', AcctInputOctets = '80', AcctOutputOctets = '130' WHERE AcctSessionId = '81700264' AND UserName = 'sreed' AND NASIPAddress= '192.168.100.13'
rlm_sql (sql): Released sql socket id: 3
  modcall[accounting]: module "sql" returns ok for request 0
modcall: group accounting returns ok for request 0
Sending Accounting-Response of id 165 to 192.168.100.13:1201
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.100.13:1201, id=166, length=83
        Service-Type = Login-User
        User-Name = "treed"
        User-Password = "password"
        Calling-Station-Id = "192.168.100.240"
        NAS-Identifier = "HotSpot"
        NAS-IP-Address = 192.168.100.13
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "treed", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
radius_xlat: 'treed'
rlm_sql (sql): sql_set_user escaped user --> 'treed'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'treed' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'treed' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'treed' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'treed' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'treed' ORDER BY id'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'treed' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'treed' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.prio'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'treed' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.prio
rlm_sql (sql): No matching entry in the database for request from user [treed]
rlm_sql (sql): Released sql socket id: 2
  modcall[authorize]: module "sql" returns notfound for request 1
modcall: group authorize returns ok for request 1
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [treed/password] (from client hotspot port 0 cli 192.168.100.240)
  Processing the post-auth section of radiusd.conf
modcall: entering group Post-Auth-Type for request 1
rlm_sql (sql): Processing sql_postauth
radius_xlat: 'treed'
rlm_sql (sql): sql_set_user escaped user --> 'treed'
radius_xlat: 'INSERT into radpostauth (id, user, pass, reply, date) values ('', 'treed', 'password', 'Access-Reject', NOW())'
radius_xlat: '/var/log/radius/sqltrace.sql'
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'treed', 'password', 'Access-Reject', NOW())
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: query: INSERT into radpostauth (id, user, pass, reply, date) values ('', 'treed', 'password', 'Access-Reject', NOW())
rlm_sql (sql): Released sql socket id: 1
  modcall[post-auth]: module "sql" returns ok for request 1
modcall: group Post-Auth-Type returns ok for request 1
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.100.13:1201, id=166, length=83
Sending Access-Reject of id 166 to 192.168.100.13:1201
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 3 seconds...

Scott Reed
Owner
NewWays Wireless Networking
Network Design, Installation and Administration
www.nwwnet.net

---------- Original Message -----------
From: "debik" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" <[email protected]>
Sent: Wed, 5 Apr 2006 20:26:14 +0200
Subject: Re: Couldn't stop freeradius server!!

> Try "killall radiusd" or "killall freeradius".
> I have debian and those commands are all right.
>
> ----- Original Message -----
> From: "lmyho" <[EMAIL PROTECTED]>
> To: "FreeRadius users mailing list" <[email protected]>
> Sent: Tuesday, April 04, 2006 6:19 PM
> Subject: Re: Couldn't stop freeradius server!!
>
> > --- monish ar <[EMAIL PROTECTED]> wrote:
> >> Instead of using the command to stop the radius daemon, herez another
> >> simple way.....
> >> At the console type " ps -ax | grep radiusd" , this will give u the list
> >> of radius servers currently along with its process IDs. The next thing
> >> u do is type " kill pid# " , PID# refers to the process id number of ur
> >> currently running radius daemon. Hope it helps...
> >> Dunno bout the NAS list though...
> >
> > Hi Monish,
> >
> > Thank you for the idea! I checked, and found the process. but on this
> > debian system, the process is actually named "freeradius", instead of
> > the traditional "radiusd".:( So there are indeed some changes on how the
> > freeradius is run on debian. Do you have more idea about it?
> > Can anyone tell me more on how the debian is running the freeradius and
> > how I can stop the server from command line in debian system? (pls see
> > problem detail below)
> >
> > Thanks a lot!!
> > leo
> >
> >> On 4/4/06, lmyho <[EMAIL PROTECTED]> wrote:
> >> >
> >> > Hi All,
> >> >
> >> > Installed freeradius 1.1.0-1 on debian system (2.6.15-1-686). The
> >> > radius server started automatically well each time when the system
> >> > booting. But I wanted to stop it to do some testing using my modified
> >> > configuration files. I tried to stop the server using command:
> >> > 'freeradius stop' ('radiusd' doesn't work on this debian - anyone
> >> > knows why??)
> >> >
> >> > But so weird, no matter what command I gave, with parameter
> >> > stop|start|restart, the server ALWAYS goes to START again!! even from
> >> > the /etc/init.d/freeradius I can read that the 'stop' param should
> >> > stop the server! Can anyone tell me why the command couldn't stop the
> >> > server?? and how should I stop it??
> >> >
> >> > The log file shows entries like this for each of my trying, even the
> >> > command given was to "stop":
> >> >
> >> > Tue Apr 4 01:14:13 2006 : Info: Using deprecated naslist file.
> >> > Support for this will go away soon.
> >> > Tue Apr 4 01:14:13 2006 : Error: There appears to be another RADIUS
> >> > server running on the authenticat
> >> >
> >> > What is happening here? (I couldn't stop the running daemon, so is
> >> > the 2nd line above)
> >> >
> >> > Also, from the log file I noticed: even when the system automatically
> >> > started the freeradius server daemon, it was "Using deprecated naslist
> >> > file". Log entries show like this:
> >> >
> >> > Fri Mar 31 13:51:54 2006 : Info: Using deprecated naslist file.
> >> > Support for this will go away soon.
> >> > Fri Mar 31 13:51:54 2006 : Info: rlm_exec: Wait=yes but no output
> >> > defined. Did you mean output=none?
> >> > Fri Mar 31 13:51:55 2006 : Info: Ready to process requests.
> >> >
> >> > Can anyone tell me what is happening here?? Why it's using the
> >> > deprecating naslist file? The installed radiusd.conf file doesn't
> >> > show the server will use the naslist file at all! from where I can
> >> > stop the server to use this deprecating file? Also what does the 2nd
> >> > line of the above log entries mean?
> >> >
> >> > Any help would be greatly appreciated! Thank you so much for help in
> >> > advance!!
> >> >
> >> > Best regards,
> >> > leo
> >>
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
------- End of Original Message -------
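The group-check query in the trace above joins usergroup with radgroupcheck for every group treed belongs to and returns both groups' rows as one list. The following Python model, added here and not part of Scott's post, replays that join over the tables from the post and then applies the matching rule the server's check-item comparison uses (assumed here: every "==" item must equal the request attribute), which is enough to reproduce the "No matching entry" result for a Login-User request from treed.

```python
# Added example (not from the post): model of how the single radgroupcheck
# query in the trace combines the check items of every group a user is in,
# and how that combined list is then matched against the request.
# Assumption: as in rlm_sql 1.x, all returned rows go to one check-item
# comparison in which every "==" item must equal the request attribute.

# usergroup and radgroupcheck rows transcribed from the post (ids kept).
USERGROUP = [
    (80, "sreed", "MS1-AP1"), (76, "treed", "MS1-AP1"),
    (78, "sreed", "Router-Admin"), (79, "treed", "Router-Admin"),
    (81, "dreed", "Router-Admin"),
]
RADGROUPCHECK = [
    (31, "Router-Admin", "Service-Type", "==", "Login-User"),
    (28, "MS1-AP1", "Service-Type", "==", "Framed-User"),
]


def group_check_items(username):
    """Replay the group check query from the trace: join usergroup with
    radgroupcheck on GroupName for all of the user's groups at once,
    ORDER BY radgroupcheck.id."""
    groups = {g for _, u, g in USERGROUP if u == username}
    rows = [r for r in RADGROUPCHECK if r[1] in groups]
    return sorted(rows, key=lambda r: r[0])


def check_items_match(request, items):
    """True only if every '==' check item equals the request attribute.
    A check item whose attribute is absent from the request fails as well.
    Only '==' is modelled, the sole operator used in the post's tables."""
    for _id, _group, attr, op, value in items:
        if op != "==":
            raise ValueError("operator %s not modelled" % op)
        if request.get(attr) != value:
            return False
    return True


def authorize(username, request):
    """Return True if the request passes the user's combined group checks."""
    return check_items_match(request, group_check_items(username))


if __name__ == "__main__":
    login = {"User-Name": "treed", "Service-Type": "Login-User"}
    print(group_check_items("treed"))  # rows 28 and 31: both groups' items
    print(authorize("treed", login))   # False: the Framed-User item cannot match
    print(authorize("dreed", login))   # True: dreed is only in Router-Admin
```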

