Hi, I am running FreeRADIUS 1.1.7 with PostgreSQL 8.1.9.
radgroupcheck does not work for me: point 5 of http://wiki.freeradius.org/Rlm_sql does not behave as described. Why are the attributes of the groups summed together? Please help! Full info:
INSERT INTO radcheck (id, username, attribute, op, value) VALUES (1, 'sproot', 'User-Password', '==', '123');
INSERT INTO radgroupcheck (id, groupname, attribute, op, value) VALUES (2, 'juniper_pppoe_64k', 'Huntgroup-Name', '==', 'juniper');
INSERT INTO radgroupcheck (id, groupname, attribute, op, value) VALUES (1, 'cisco_pppoe_64k', 'Client-IP-Address', '==', '172.25.0.1');
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (1, 'cisco_pppoe_64k', 'Cisco-AVPair', '=', 'lcp:interface-config#1=rate-limit input 64000 8000 8000 conform-action transmit exceed-action drop');
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (2, 'cisco_pppoe_64k', 'Cisco-AVPair', '+=', 'lcp:interface-config#1=rate-limit output 64000 8000 8000 conform-action transmit exceed-action drop');
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (3, 'juniper_pppoe_64k', 'ERX-Egress-Policy-Name', '=', 'pppoe-64kbps-policy');
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (4, 'juniper_pppoe_64k', 'ERX-Egress-Statistics', '=', '1');
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (5, 'juniper_pppoe_64k', 'ERX-Ingress-Policy-Name', '=', 'pppoe-64kbps-policy');
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (6, 'juniper_pppoe_64k', 'ERX-Ingress-Statistics', '=', '1');
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (7, 'juniper_pppoe_64k', 'ERX-Primary-Dns', '=', '1.1.1.1');
INSERT INTO radgroupreply (id, groupname, attribute, op, value) VALUES (8, 'juniper_pppoe_64k', 'ERX-Secondary-Dns', '=', '2.2.2.2');
INSERT INTO radreply (id, username, attribute, op, value) VALUES (1, 'sproot', 'Framed-IP-Address', '=', '192.168.1.2');
INSERT INTO radreply (id, username, attribute, op, value) VALUES (2, 'sproot', 
'Framed-IP-Netmask', '=', '255.255.255.255'); INSERT INTO usergroup (username, groupname, priority) VALUES ('sproot', 'cisco_pppoe_64k', 0); INSERT INTO usergroup (username, groupname, priority) VALUES ('sproot', 'juniper_pppoe_64k', 0); ################################ "huntgroups" file: juniper NAS-IP-Address == 172.25.0.10 cisco NAS-IP-Address == 172.25.0.1 ################################ "users" file: DEFAULT Simultaneous-Use := 1 Fall-Through = 1 ################################ "clients.conf" file: client 127.0.0.1 { secret = testing123 shortname = localhost nastype = other } client 10.0.1.2 { secret = testing123 shortname = localhost nastype = other } client 172.25.0.1 { secret = test shortname = nas.lan nastype = cisco } ################################ "postgresql.conf" file: sql { driver = "rlm_sql_postgresql" server = "localhost" login = "radius" password = "diametr" radius_db = "radius" acct_table1 = "radacct" acct_table2 = "radacct" read_groups = yes postauth_table = "radpostauth" authcheck_table = "radcheck" authreply_table = "radreply" groupcheck_table = "radgroupcheck" groupreply_table = "radgroupreply" usergroup_table = "usergroup" deletestalesessions = no sqltrace = yes sqltracefile = ${logdir}/sqltrace.sql num_sql_socks = 5 sql_user_name = "%{User-Name}" authorize_check_query = "SELECT id, UserName, Attribute, Value, Op \ FROM ${authcheck_table} \ WHERE Username = '%{SQL-User-Name}' \ ORDER BY id" authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op \ FROM ${authreply_table} \ WHERE Username = '%{SQL-User-Name}' \ ORDER BY id" authorize_group_check_query = "SELECT ${groupcheck_table}.id, ${groupcheck_table}.GroupName, \ ${groupcheck_table}.Attribute, ${groupcheck_table}.Value,${groupcheck_table}.Op \ FROM ${groupcheck_table}, ${usergroup_table} \ WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName \ ORDER BY ${groupcheck_table}.id" authorize_group_reply_query = 
"SELECT ${groupreply_table}.id, ${groupreply_table}.GroupName, ${groupreply_table}.Attribute, \ ${groupreply_table}.Value, ${groupreply_table}.Op \ FROM ${groupreply_table},${usergroup_table} \ WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName \ ORDER BY ${groupreply_table}.id" authenticate_query = "SELECT Value,Attribute FROM ${authcheck_table} \ WHERE UserName = '%{User-Name}' AND ( Attribute = 'User-Password' OR Attribute = 'Crypt-Password' ) \ ORDER BY Attribute DESC" group_membership_query = "SELECT GroupName FROM ${usergroup_table} WHERE UserName='%{SQL-User-Name}'" simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime IS NULL" accounting_start_query = "INSERT into ${acct_table1} \ (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctAuthentic, \ ConnectInfo_start, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, XAscendSessionSvrKey, \ ERXIngressPolicyName, ERXEgressPolicyName, ERXPppoeDescription, CiscoAVPair) \ values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', \ '%{NAS-Port}', '%{NAS-Port-Type}', ('%S'::timestamp - '%{Acct-Delay-Time:-0}'::interval), '%{Acct-Authentic}', '%{Connect-Info}', \ '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', \ NULLIF('%{Framed-IP-Address}', '')::inet, 0, '%{X-Ascend-Session-Svr-Key}', '%{ERX-Ingress-Policy-Name}', '%{ERX-Egress-Policy-Name}', '%{ERX-Pppoe-Description}', '%{Cisco-AVPair}')" accounting_stop_query = "UPDATE ${acct_table2} \ SET AcctStopTime = ('%S'::timestamp - '%{Acct-Delay-Time:-0}'::interval), \ AcctSessionTime = NULLIF('%{Acct-Session-Time}', '')::bigint, \ AcctInputOctets = (('%{Acct-Input-Gigawords:-0}'::bigint << 32) + '%{Acct-Input-Octets:-0}'::bigint), \ AcctOutputOctets = 
(('%{Acct-Output-Gigawords:-0}'::bigint << 32) + '%{Acct-Output-Octets:-0}'::bigint), \ AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = 0, \ FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, ConnectInfo_stop = '%{Connect-Info}' \ WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' \ AND NASIPAddress = '%{NAS-IP-Address}' AND AcctStopTime IS NULL" } ################################ "radius.conf" file: prefix = /opt/freeradius exec_prefix = ${prefix} sysconfdir = ${prefix}/etc localstatedir = ${prefix}/var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = ${exec_prefix}/lib pidfile = ${run_dir}/radiusd.pid user = radius group = radius max_request_time = 20 delete_blocked_requests = no cleanup_delay = 5 max_requests = 5120000 bind_address = "10.0.1.2" port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = yes log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 50 reject_delay = 1 status_server = no } proxy_requests = no $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 32 max_servers = 64 min_spare_servers = 8 max_spare_servers = 32 max_requests_per_server = 500 } modules { pap { auto_header = yes } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { } ldap { server = "ldap.your.domain" basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = no access_attr = "dialupAccess" dictionary_mapping = 
${raddbdir}/ldap.attrmap ldap_connections_number = 5 edir_account_policy_check=no timeout = 4 timelimit = 3 net_timeout = 1 } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0640 } detail auth_log { detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d detailperm = 0600 } detail reply_log { detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/postgresql.conf radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } 
instantiate { exec expr } authorize { preprocess auth_log chap mschap files sql pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } } preacct { preprocess acct_unique files } accounting { detail sql } session { sql } post-auth { reply_log } pre-proxy { } post-proxy { } ################################ Packet-Type = Access-Request Sun Sep 23 02:40:21 2007 Cisco-AVPair = "client-mac-address=000c.293b.eba6" Framed-Protocol = PPP User-Name = "sproot" CHAP-Password = 0x017c2048ee32d9a2fbe809c193930c17b3 NAS-Port-Type = Virtual NAS-Port = 268435472 NAS-Port-Id = "1/0/0/0" Service-Type = Framed-User NAS-IP-Address = 172.25.0.1 Acct-Session-Id = "00000010" Client-IP-Address = 172.25.0.1 CHAP-Challenge = 0xd59ee4fe7f305d7d9aace2827f6d2b72 Huntgroup-Name = "cisco" Packet-Type = Access-Accept Sun Sep 23 02:40:21 2007 Framed-IP-Address = 192.168.1.2 Framed-IP-Netmask = 255.255.255.255 Cisco-AVPair = "lcp:interface-config#1=rate-limit input 64000 8000 8000 conform-action transmit exceed-action drop" Cisco-AVPair += "lcp:interface-config#1=rate-limit output 64000 8000 8000 conform-action transmit exceed-action drop" ERX-Egress-Policy-Name = "pppoe-64kbps-policy" ERX-Egress-Statistics = enable ERX-Ingress-Policy-Name = "pppoe-64kbps-policy" ERX-Ingress-Statistics = enable ERX-Primary-Dns = 1.1.1.1 ERX-Secondary-Dns = 2.2.2.2 P.S. sorry for my bad english... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

