Hello,

I am currently trying to have my FreeRadius server check the "Service-Type" values, and reject Login attempts from a user that should be used for service-type Outbound only.
My client equipment always sends the "Service-Type" attribute in its requests. This attribute is defined in the check databases, but debug mode says:

>> Debug: rlm_checkval: Could not find attribute named Service-Type in check pairs

I really do not see what is wrong and why value checking is not done properly. It should find the attribute in the database, and reject the request.

Can you help me out?

Below is my radcheck table, relevant parts of my radiusd.config and the debug output.

mysql> select * from radcheck;
+----+----------+--------------+----+----------+
| id | UserName | Attribute    | op | Value    |
+----+----------+--------------+----+----------+
|  3 | admin    | Password     | == | cisco    |
|  5 | admin    | Service-Type | == | Outbound |
+----+----------+--------------+----+----------+

checkval {
        item-name = Service-Type
        check-name = Service-Type
        data-type = string
        notfound-reject = yes
}

//...

authorize {
        preprocess
        chap
        suffix
        eap
        #files
        sql
        checkval
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        eap
}

rad_recv: Access-Request packet from host 10.10.107.68:1645, id=6, length=86
        NAS-IP-Address = 10.10.107.68
        NAS-Port = 500
        NAS-Port-Type = Virtual
        User-Name = "admin"
        Calling-Station-Id = "XXX.XXX.XXX.XXX"
        User-Password = "cisco"
        Service-Type = Login-User
Wed Aug 30 11:30:13 2006 : Debug: Processing the authorize section of radiusd.conf
Wed Aug 30 11:30:13 2006 : Debug: modcall: entering group authorize for request 1
Wed Aug 30 11:30:13 2006 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1
Wed Aug 30 11:30:13 2006 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1
Wed Aug 30 11:30:13 2006 : Debug: modcall[authorize]: module "preprocess" returns ok for request 1
Wed Aug 30 11:30:13 2006 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 1
Wed Aug 30 11:30:13 2006 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 1
Wed Aug 30 11:30:13 2006 : Debug: modcall[authorize]: module "chap" returns noop for request 1
Wed Aug 30 11:30:13 2006 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 1
Wed Aug 30 11:30:13 2006 : Debug: rlm_realm: No '@' in User-Name = "admin", looking up realm NULL
Wed Aug 30 11:30:13 2006 : Debug: rlm_realm: No such realm "NULL"
Wed Aug 30 11:30:13 2006 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 1
Wed Aug 30 11:30:13 2006 : Debug: modcall[authorize]: module "suffix" returns noop for request 1
Wed Aug 30 11:30:13 2006 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 1
Wed Aug 30 11:30:13 2006 : Debug: rlm_eap: No EAP-Message, not doing EAP
Wed Aug 30 11:30:13 2006 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 1
Wed Aug 30 11:30:13 2006 : Debug: modcall[authorize]: module "eap" returns noop for request 1
Wed Aug 30 11:30:13 2006 : Debug: modsingle[authorize]: calling sql (rlm_sql) for request 1
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat: 'admin'
Wed Aug 30 11:30:13 2006 : Debug: rlm_sql (sql): sql_set_user escaped user --> 'admin'
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'admin' ORDER BY id'
Wed Aug 30 11:30:13 2006 : Debug: rlm_sql (sql): Reserving sql socket id: 3
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'admin' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'admin' ORDER BY id'
Wed Aug 30 11:30:13 2006 : Debug: radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'admin' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
Wed Aug 30 11:30:13 2006 : Debug: rlm_sql (sql): Released sql socket id: 3
Wed Aug 30 11:30:13 2006 : Debug: modsingle[authorize]: returned from sql (rlm_sql) for request 1
Wed Aug 30 11:30:13 2006 : Debug: modcall[authorize]: module "sql" returns ok for request 1
Wed Aug 30 11:30:13 2006 : Debug: modsingle[authorize]: calling checkval (rlm_checkval) for request 1
Wed Aug 30 11:30:13 2006 : Debug: rlm_checkval: Item Name: Service-Type, Value: Login-User
Wed Aug 30 11:30:13 2006 : Debug: rlm_checkval: Could not find attribute named Service-Type in check pairs
Wed Aug 30 11:30:13 2006 : Debug: modsingle[authorize]: returned from checkval (rlm_checkval) for request 1
Wed Aug 30 11:30:13 2006 : Debug: modcall[authorize]: module "checkval" returns notfound for request 1
Wed Aug 30 11:30:13 2006 : Debug: modcall: group authorize returns ok for request 1
Wed Aug 30 11:30:13 2006 : Debug: auth: type Local
Wed Aug 30 11:30:13 2006 : Debug: auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 6 to 10.10.107.68:1645
        Cisco-AVPair += "ipsec:tunnel-password=admin123"
        Cisco-AVPair == "ipsec:addr-pool=admin"
        Cisco-AVPair == "ipsec:inacl=admin"
        Service-Type == Outbound-User
        Cisco-AVPair += "shell:priv-lvl=0"
        Cisco-AVPair += "ipsec:key-exchange=ike"
        Cisco-AVPair += "ipsec:key-exchange=preshared-key"
        Tunnel-Type:0 == ESP
Wed Aug 30 11:30:13 2006 : Debug: Finished request 1
Wed Aug 30 11:30:13 2006 : Debug: Going to the next request

Thanks for your help!

G.
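A log-audit example for the symptom in the message above, added here and not part of the original post or of FreeRADIUS: it groups debug lines per request and flags every Access-Accept for which the checkval module returned something other than ok. The function name audit, its enforcer parameter and the trimmed sample log are assumptions of this example, and it assumes requests appear one after another in the debug output, as they do above.

```python
import re

# Excerpt of the debug output quoted in the post (timestamps trimmed).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.10.107.68:1645, id=6, length=86
\tUser-Name = "admin"
\tService-Type = Login-User
Debug: modcall[authorize]: module "sql" returns ok for request 1
Debug: modcall[authorize]: module "checkval" returns notfound for request 1
Debug: modcall: group authorize returns ok for request 1
Sending Access-Accept of id 6 to 10.10.107.68:1645
\tService-Type == Outbound-User
Debug: Finished request 1
"""

MODULE_RE = re.compile(r'module "([^"]+)" returns (\w+) for request \d+')
ATTR_RE = re.compile(r'^\s+([\w-]+)(?::\d+)?\s*(?:==|\+=|=)\s*"?([^"]*)"?\s*$')
SENT_RE = re.compile(r'Sending (Access-\w+) of id')
DONE_RE = re.compile(r'Finished request (\d+)')

def audit(log_text, enforcer="checkval"):
    """Flag accepted requests for which `enforcer` did not return ok."""
    findings, cur, section = [], None, None
    for line in log_text.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            cur = {"request": {}, "reply": {}, "modules": {}, "decision": None}
            section = "request"
        elif cur is None:
            continue
        elif (m := SENT_RE.search(line)):
            cur["decision"], section = m.group(1), "reply"
        elif (m := ATTR_RE.match(line)):
            cur[section].setdefault(m.group(1), m.group(2))
        elif (m := MODULE_RE.search(line)):
            cur["modules"][m.group(1)] = m.group(2)
        elif (m := DONE_RE.search(line)):
            result = cur["modules"].get(enforcer, "not-called")
            if cur["decision"] == "Access-Accept" and result != "ok":
                findings.append({
                    "request": int(m.group(1)),
                    "user": cur["request"].get("User-Name"),
                    "requested_service_type": cur["request"].get("Service-Type"),
                    "enforcer_result": result,
                })
            cur = None
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

The same function accepts the full timestamped debug output, since the patterns search within each line and only indented lines are read as attributes.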