Re: User in Multiple Groups

Thu, 06 Apr 2006 06:17:53 -0700

I did not usurp a thread, I reposted my own.

I changed radcheck to have := instead of ==.  No change.

First query returns:
+----+--------------+--------------+-------------+----+
| id | GroupName    | Attribute    | Value       | op |
+----+--------------+--------------+-------------+----+
| 28 | MS1-AP1      | Service-Type | Framed-User | == |
| 31 | Router-Admin | Service-Type | Login-User  | == |
+----+--------------+--------------+-------------+----+
Second query returns +----+--------------+----------------+-------+----+
| id | GroupName    | Attribute      | Value | op |
+----+--------------+----------------+-------+----+
| 34 | Router-Admin | Mikrotik-Group | full  | =  |
| 39 | Router-Admin | Fall-Through   | Yes   | =  |
| 37 | MS1-AP1      | Fall-Through   | Yes   | =  |
| 33 | MS1-AP1      | Port-Limit     | 128k  | =  |
+----+--------------+----------------+-------+----+

I have a document from the FreeRadius WIKI (rlm_sql) that says, "Processing continues to the next group IF:
    There was not a match for the last group's check items OR
    Fall-Through was set in the last group's reply items.
If the user logs into a router, the request is for Login-User and they should get the Router-Admin replies.  If they log in to an AP, the request is Framed-User and they should get the AP replies.


Scott Reed
Owner
NewWays
Wireless Networking
Network Design, Installation and Administration
www.nwwnet.net


---------- Original Message -----------
From: Phil Mayers <[EMAIL PROTECTED]>
To: FreeRadius users mailing list <[email protected]>
Sent: Thu, 06 Apr 2006 13:22:39 +0100
Subject: Re: User in Multiple Groups

> Scott Reed wrote:
> > I have searched the archive and came close to figuring this out, but I have not
>
> Don't start your query as part of another thread please.
>
> >
> > Configuration tables:
> >       1 USERGROUP
> >       2 80      sreed   MS1-AP1
> >       3 76      treed   MS1-AP1
> >       4 78      sreed   Router-Admin
> >       5 79      treed   Router-Admin
> >       6 81      dreed   Router-Admin
> >       7
> >       8 RADCHECK
> >       9 331     dreed   User-Password   ==      password
> >      10 269     treed   User-Password   ==      password
> >      11 267     sreed   User-Password   ==      password
>
> This should be ":=" for User-Password. If the match is failing, that may
> be the issue.
>
> >      12
> >      13 RADGROUPCHECK
> >      14 31      Router-Admin     Service-Type    ==      Login-User
> >      15 28      MS1-AP1          Service-Type    ==      Framed-User
> >      16
> >      17 RADREPLY
> >      18 33      sreed   Fall-Through    =       yes
> >      19 43      treed   Fall-Through    =       yes
> >      20
> >      21 RADGROUPREPLY
> >      22 33      MS1-AP1          Port-Limit        =       128k     15
> >      23 34      Router-Admin     Mikrotik-Group  =       full    10
> >      24 39      Router-Admin     Fall-Through     =      Yes     10
> >      25 37      MS1-AP1          Fall-Through     =      Yes     15
>
> I don't think Fall-Through does anything in rlm_sql. What are you
> expecting it to do?
>
> > rad_recv: Access-Request packet from host 192.168.100.13:1201, id=166, length=83
> >         Service-Type = Login-User
> >         User-Name = "treed"
> >         User-Password = "password"
> >         Calling-Station-Id = "192.168.100.240"
> >         NAS-Identifier = "HotSpot"
> >         NAS-IP-Address = 192.168.100.13
> >   Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 1
> >   modcall[authorize]: module "preprocess" returns ok for request 1
> >   modcall[authorize]: module "chap" returns noop for request 1
> >   modcall[authorize]: module "mschap" returns noop for request 1
> >     rlm_realm: No '@' in User-Name = "treed", looking up realm NULL
> >     rlm_realm: No such realm "NULL"
> >   modcall[authorize]: module "suffix" returns noop for request 1
> > radius_xlat:  'treed'
> > rlm_sql (sql): sql_set_user escaped user --> 'treed'
> > rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
> > Username = 'treed' ORDER BY id
> > rlm_sql_mysql: query:  SELECT
> > radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  
> > FROM radgroupcheck,usergroup WHERE usergroup.Username = 'treed' AND
> > usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
>
> What is the result of this query if you execute it directly against the
> database?
>
> > rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
> > Username = 'treed' ORDER BY id
>
> > rlm_sql_mysql: query:  SELECT
> > radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  
> > FROM radgroupreply,usergroup WHERE usergroup.Username = 'treed' AND
> > usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.prio
>
> Again, what does this query give against the database?
>
> > rlm_sql (sql): No matching entry in the database for request from user [treed]
>
> This error code is returned if the check items don't match the request.
>
> Possibly take a look in:
>
> src/modules/rlm_sql/rlm_sql.c
>
> ...around line 860 (depending on the version you're running) and
> uncomment these lines:
>
> /*
>  * Uncomment these lines for debugging
>  * Recompile, and run 'radiusd -X'
>  */
>
> /*
> DEBUG2("rlm_sql:  check items");
> vp_listdebug(check_tmp);
> DEBUG2("rlm_sql:  reply items");
> vp_listdebug(reply_tmp);
> */
>
> ...then recompile and run again.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------- End of Original Message ------- 
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to