Re: Freeradius crash during EAP-TTLS authentication
Hello,

Did you have the opportunity to push this patch? The crash does not occur very soon (around once a month).

Many thanks
Regards
Thomas

On 28.03.2012 17:15, Alan DeKok wrote:
> Thomas Fagart wrote:
>> Here's the debug output this happens especially when we add a virtual server as a fallback server.
>
> OK... it looks like the proxy_reply doesn't exist. I'll push a patch.
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Using attributes
Hi,

Our WIFI access is managed by EAP-TTLS/EAP-PEAP with radius authentication based on LDAP. So users can connect and use Internet, however is it possible to limit access (bandwidth, connecting time) with Freeradius?

In other words, it seems (maybe I'm wrong) that Freeradius can send attributes with values when answering with an Access-Accept packet. I guess that clients have to understand them for this to be effective, right?

So when using an access point with the EAP protocol, I guess the native EAP client has to be compatible with an attribute list?

This behaviour seems to be implemented in captive portals, and attributes can be managed in the portal configuration. Is it possible with EAP access (native client or secure w2 like)?

BR,

-- 
Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tél : 02 38 79 45 57
Re: Freeradius crash during EAP-TTLS authentication
Thomas Fagart wrote:
> Did you have the opportunity to push this patch ?

Yes. See github.com

Alan DeKok.
Re: Using attributes
Emmanuel BILLOT wrote:
> Our WIFI access is managed by EAP-TTLS/EAP-PEAP with radius authentication based on LDAP. So users can connect and use Internet, however is it possible to limit access (bandwidth, connecting time) with Freeradius?

FreeRADIUS isn't a router. See your NAS documentation for which attributes it needs to do access limitation. Many NASes CANNOT do such limitation.

> In other words, it seems (maybe I'm wrong) that Freeradius can send attributes with values when answering with an Access-Accept packet. I guess that clients have to understand them for this to be effective, right?

Yes.

> So when using an access point with the EAP protocol, I guess the native EAP client has to be compatible with an attribute list?

No. The EAP client is the end user PC. Only the NAS needs to understand RADIUS attributes.

> This behaviour seems to be implemented in captive portals, and attributes can be managed in the portal configuration. Is it possible with EAP access (native client or secure w2 like)?

No. Captive portals are not compatible with EAP.

Alan DeKok.
Re: Using attributes
Hi,

Thanks for your answers. So you mean that the NAS (indeed the access point for us) has to understand attributes. Any RFC that the NAS doc may refer to? If there isn't any doc or attribute, do you know any way to manage user connections when using the EAP protocol?

Regards,

-- 
Emmanuel BILLOT

On 21/05/2012 10:47, Alan DeKok wrote:
> Emmanuel BILLOT wrote:
>> Our WIFI access is managed by EAP-TTLS/EAP-PEAP with radius authentication based on LDAP. So users can connect and use Internet, however is it possible to limit access (bandwidth, connecting time) with Freeradius?
>
> FreeRADIUS isn't a router. See your NAS documentation for which attributes it needs to do access limitation. Many NASes CANNOT do such limitation.
>
>> In other words, it seems (maybe I'm wrong) that Freeradius can send attributes with values when answering with an Access-Accept packet. I guess that clients have to understand them for this to be effective, right?
>
> Yes.
>
>> So when using an access point with the EAP protocol, I guess the native EAP client has to be compatible with an attribute list?
>
> No. The EAP client is the end user PC. Only the NAS needs to understand RADIUS attributes.
>
>> This behaviour seems to be implemented in captive portals, and attributes can be managed in the portal configuration. Is it possible with EAP access (native client or secure w2 like)?
>
> No. Captive portals are not compatible with EAP.
>
> Alan DeKok.
Re: Using attributes
Emmanuel BILLOT wrote:
> So you mean that the NAS (indeed the access point for us) has to understand attributes. Any RFC that the NAS doc may refer to?

Lots. But that doesn't matter. The NAS documentation describes what attributes the NAS understands. The RFCs describe dozens of attributes that the NAS *doesn't* understand.

Don't read the RFCs. Read the NAS docs. That's why I said to read the NAS docs.

> If there isn't any doc or attribute, do you know any way to manage user connections when using the EAP protocol?

Write your own software.

Alan DeKok.
Re: Using attributes
On 21/05/2012 11:04, Alan DeKok wrote:
> Emmanuel BILLOT wrote:
>> So you mean that the NAS (indeed the access point for us) has to understand attributes. Any RFC that the NAS doc may refer to?
>
> Lots. But that doesn't matter. The NAS documentation describes what attributes the NAS understands. The RFCs describe dozens of attributes that the NAS *doesn't* understand.
>
> Don't read the RFCs. Read the NAS docs. That's why I said to read the NAS docs.
>
>> If there isn't any doc or attribute, do you know any way to manage user connections when using the EAP protocol?
>
> Write your own software.

Ok thank you for answering.

BR,

-- 
Emmanuel BILLOT
Re: 2 Certs for 2 SSID (802.1x)
Thanks Matthew, it's tested okay.

On Fri, May 18, 2012 at 5:44 PM, Matthew Newton m...@leicester.ac.uk wrote:
> On Fri, May 18, 2012 at 11:35:39AM +0800, C.F. Yeung wrote:
>> Sorry to bother again, how should I rewrite the unlang for the condition that if the Called-Station-Id contains eduroam?
>>
>>     if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") {
>
> man unlang - look for regular expressions.
>
>     if (Called-Station-Id =~ /eduroam/) {
>
> or you may want something more like
>
>     if (Called-Station-Id =~ /:eduroam$/) {
>
> to check that it ends in :eduroam
>
> Matthew
>
> -- 
> Matthew Newton, Ph.D. m...@le.ac.uk
> Systems Architect (UNIX and Networks), Network Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Test Client which supports PAP Access-Challenge
Hello,

I'm interested in a radius test client which supports pap ACCESS-Challenge. Can anyone point me to one or to a library which allows me to easily write one, preferably in perl?

Cheers,
Thomas
Re: Test Client which supports PAP Access-Challenge
On Mon, May 21, 2012 at 02:17:30PM +0200, Thomas Glanzmann wrote:
> I'm interested in a radius test client which supports pap ACCESS-Challenge. Can anyone point me to one or to a library which

You should not be getting a challenge with PAP, so there is no need for a test client for it.

Matthew
Re: How do I set a reply attribute that is not sent in the Access-Accept
Thanks, I knew where the dictionaries are and read that file.

Is there a vendor number that I would use that FreeRADIUS would know not to send in the access-accept message? This is the bit I can't find.

thanks,

On Fri, May 18, 2012 at 10:57 AM, Alan DeKok al...@deployingradius.com wrote:
> niall el-assaad wrote:
>> I remember reading somewhere I could define a RADIUS dictionary with certain numbers that FreeRADIUS would not send externally, but after looking for an hour I can't find it.
>
> raddb/dictionary
>
> Alan DeKok.
Re: Test Client which supports PAP Access-Challenge
Hello Matthew,

> You should not be getting a challenge with PAP, so there is no need for a test client for it.

for Citrix Netscaler and VMware View 5.1 if you want to support two-factor authentication for example with rlm_smsotp this is necessary. However there is currently no test client for it that I'm aware of. The Net::Radius::Packet perl library is probably the quickest approach to get something working, I'll post it here, if I got one.

See also:
http://wiki.freeradius.org/Rlm_smsotp
http://thread.gmane.org/gmane.comp.dial-up.freeradius.user/86365

Cheers,
Thomas
Re: How do I set a reply attribute that is not sent in the Access-Accept
niall el-assaad wrote:
> Thanks, I knew where the dictionaries are and read that file.

Well... read it again. It's pretty clear.

> Is there a vendor number that I would use that FreeRADIUS would know not to send in the access-accept message?

Uh... no. Because the attributes in raddb/dictionary are for that purpose.

> This is the bit I can't find.

Because it makes no sense. What part of these comments are unclear?

# If you want to add entries to the dictionary file,
# which are NOT going to be placed in a RADIUS packet,
# add them here.

Your requirement is to have attributes NOT sent in an Access-Accept. So... use the numbers as documented in that file.

Using vendor-specific attributes for that is pointless, wrong, inconsistent, incorrect, broken, and generally a bad idea.

Alan DeKok.
Re: Test Client which supports PAP Access-Challenge
Hi Thomas,

On Mon, May 21, 2012 at 02:41:26PM +0200, Thomas Glanzmann wrote:
>> You should not be getting a challenge with PAP, so there is no need for a test client for it.
>
> for Citrix Netscaler and VMware View 5.1 if you want to support two-factor authentication for example with rlm_smsotp this is necessary.

Hmm interesting - thanks. New one to me.

> However there is currently no test client for it that I'm aware of. The Net::Radius::Packet perl library is probably the quickest approach to get something working, I'll post it here, if I got one.

Looks like radclient has support:

radclient.c:1007
    } else if (strcmp(argv[2], "challenge") == 0) {
        if (server_port == 0) server_port = getport("radius");
        if (server_port == 0) server_port = PW_AUTH_UDP_PORT;
        packet_code = PW_ACCESS_CHALLENGE;

So use 'challenge' instead of acct, auth, status, etc.

Cheers,
Matthew
Re: Test Client which supports PAP Access-Challenge
On Mon, May 21, 2012 at 02:23:12PM +0100, Matthew Newton wrote:
> Looks like radclient has support:

Forget that - I've not had enough coffee yet today :) You need to respond to the challenge, not send one yourself...

Matthew
Re: Test Client which supports PAP Access-Challenge
Hello Matthew,

> Forget that - I've not had enough coffee yet today :) You need to respond to the challenge, not send one yourself...

exactly, however the Authen::Radius perl module saved my day:

#!/usr/bin/perl -w
# Thomas Glanzmann 16:06 2012-05-21
# First Argument is username, second argument is password
# Authen::Radius requires a legacy dictionary without advanced
# keywords like encrypted or $INCLUDEs

use strict;
use warnings FATAL => 'all';
use Authen::Radius;

my $r = new Authen::Radius(Host => '127.0.0.1', Secret => 'testing123');

Authen::Radius->load_dictionary('/home/sithglan/work/smsotpd/dictionary');

# First request: user name and static password
$r->add_attributes (
        { Name => 'User-Name', Value => $ARGV[0] },
        { Name => 'User-Password', Value => $ARGV[1] },
);

$r->send_packet(ACCESS_REQUEST) || die;
my $type = $r->recv_packet();
print "server response type = $type\n";

# Pick the State attribute out of the Access-Challenge
my $state = undef;
for $a ($r->get_attributes()) {
        if ($a->{Name} eq 'State') {
                $state = $a->{RawValue};
        }
}

print "Enter otp: ";
my $otp = <STDIN>;
chomp($otp);

# Second request: the OTP is sent as User-Password
$r->add_attributes (
        { Name => 'User-Name', Value => $ARGV[0] },
        { Name => 'User-Password', Value => $otp },
);

$r->send_packet(ACCESS_REQUEST) || die;
$type = $r->recv_packet();
print "server response type = $type\n";

# Execution:
(minisqueeze) [~/work/smsotpd] ./pap_challenge_request.pl 'administra...@directory.gmvl.de' 'password'
server response type = 11
Enter otp: 82701
server response type = 2

# radiusd -X
rad_recv: Access-Request packet from host 127.0.0.1 port 49189, id=40, length=71
        User-Name = administra...@directory.gmvl.de
        User-Password = password
# Executing section authorize from file /local/freeradius-server-2.1.9/etc/raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess]expand: %{User-Name} -> administra...@directory.gmvl.de
[preprocess]expand: %{User-Name} -> administra...@directory.gmvl.de
[preprocess] hints: Matched DEFAULT at 4
[preprocess]expand: %{1}@DIRECTORY.GMVL.DE -> administra...@directory.gmvl.de
++[preprocess] returns ok
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[smsotp] returns ok
Found Auth-Type = smsotp
# Executing group from file /local/freeradius-server-2.1.9/etc/raddb/sites-enabled/default
+- entering group smsotp {...}
rlm_krb5: verify_krb_v5_tgt: host key not found : Configuration file does not specify default realm
++[krb5] returns ok
rlm_smsotp: Generate OTP
rlm_smsotp: Uniq id is 5500455282
rlm_smsotp: Sending Access-Challenge.
++[smsotp] returns handled
Sending Access-Challenge of id 40 to 127.0.0.1 port 49189
        Reply-Message = Enter Mobile PIN:
        State = 0x35353030343535323832
Finished request 18.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 49189, id=41, length=102
        Reply-Message = Enter Mobile PIN:
        State = 0x35353030343535323832
        User-Name = administra...@directory.gmvl.de
        User-Password = 82701
# Executing section authorize from file /local/freeradius-server-2.1.9/etc/raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess]expand: %{User-Name} -> administra...@directory.gmvl.de
[preprocess]expand: %{User-Name} -> administra...@directory.gmvl.de
[preprocess] hints: Matched DEFAULT at 4
[preprocess]expand: %{1}@DIRECTORY.GMVL.DE -> administra...@directory.gmvl.de
++[preprocess] returns ok
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
rlm_smsotp: Found reply to access challenge (AUTZ), Adding Auth-Type 'smsotp-reply'
++[smsotp] returns ok
Found Auth-Type = smsotp-reply
# Executing group from file /local/freeradius-server-2.1.9/etc/raddb/sites-enabled/default
+- entering group smsotp-reply {...}
rlm_smsotp: Found reply to access challenge
rlm_smsotp: SocketReply is OK
++[smsotp] returns ok
# Executing section post-auth from file /local/freeradius-server-2.1.9/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 41 to 127.0.0.1 port 49189
Finished request 19.

Cheers,
Thomas
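The exchange this script drives, shown at the packet level as an added example (not part of the original post and not Authen::Radius code): it builds the first Access-Request, checks the Response Authenticator of the Access-Challenge, and answers with the OTP as User-Password while echoing State unchanged. The shared secret, packet ids, OTP and State value are the ones visible in the post; the user name, the function names and the challenge packet itself are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(16, -(-len(password) // 16) * 16)  # pad to a multiple of 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    if len(data) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, attrs


def sign_reply(code, ident, request_auth, attrs, secret):
    """Server side: authenticator = MD5(header + RequestAuth + attrs + secret)."""
    unsigned = build_packet(code, ident, request_auth, attrs)
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]


def verify_reply(reply, request_auth, secret):
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def answer_challenge(challenge, request_auth, user, otp, secret, ident):
    """Second Access-Request: OTP as User-Password, State echoed unchanged."""
    if not verify_reply(challenge, request_auth, secret):
        raise ValueError("Response Authenticator mismatch")
    code, _, attrs = parse_packet(challenge)
    if code != ACCESS_CHALLENGE:
        raise ValueError("expected Access-Challenge (11), got %d" % code)
    auth = os.urandom(16)  # fresh Request Authenticator for the new request
    out = [(USER_NAME, user), (USER_PASSWORD, hide_password(otp, secret, auth))]
    out += [(t, v) for t, v in attrs if t == STATE]
    return build_packet(ACCESS_REQUEST, ident, auth, out), auth


def demo():
    secret, user = b"testing123", b"user@example.org"  # user name is constructed
    auth1 = os.urandom(16)
    first = build_packet(ACCESS_REQUEST, 40, auth1, [
        (USER_NAME, user),
        (USER_PASSWORD, hide_password(b"password", secret, auth1))])
    # Constructed challenge carrying the State value from the radiusd -X output.
    challenge = sign_reply(ACCESS_CHALLENGE, 40, auth1, [
        (REPLY_MESSAGE, b"Enter Mobile PIN: "),
        (STATE, bytes.fromhex("35353030343535323832"))], secret)
    second, auth2 = answer_challenge(challenge, auth1, user, b"82701", secret, 41)
    return first, challenge, second, auth2
```

The State bytes 0x35353030343535323832 decode to the ASCII string 5500455282, the "Uniq id" that rlm_smsotp logs, which is how the server ties the second request to the OTP it generated.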
User management hints
Hi everyone.

I'm new to Freeradius, and I would like to write a very simple user management php/mysql script, that should allow me to do some simple things:

1) create a user;
2) set expire date for a user;
3) disable user, automatically at expire date or manually if needed.

I installed successfully freeradius with mysql on a debian box and tested a new user with radtest. I also began to study the sql schema, but I can't find much information on the internet about it. Can anyone suggest some good documentation, just to begin?

Thank you very much.

Regards.

-- 
GP
Re: Test Client which supports PAP Access-Challenge
Hello everyone,

find attached the new and improved version for checking pap access challenge:

(minisqueeze) [~/work/smsotpd] ./pap_challenge_request.pl
Enter username: directory\Administrator
Enter password:
server response type = Access-Reject (3)

(minisqueeze) [~/work/smsotpd] ./pap_challenge_request.pl
Enter username: directory\Administrator
Enter password:
server response type = Access-Challenge (11)
Enter otp: 97350
server response type = Access-Accept (2)

Cheers,
Thomas

pap_challenge_request.pl
Description: Perl program

ATTRIBUTE  User-Name                  1   string
ATTRIBUTE  User-Password              2   string
ATTRIBUTE  CHAP-Password              3   octets
ATTRIBUTE  NAS-IP-Address             4   ipaddr
ATTRIBUTE  NAS-Port                   5   integer
ATTRIBUTE  Service-Type               6   integer
ATTRIBUTE  Framed-Protocol            7   integer
ATTRIBUTE  Framed-IP-Address          8   ipaddr
ATTRIBUTE  Framed-IP-Netmask          9   ipaddr
ATTRIBUTE  Framed-Routing             10  integer
ATTRIBUTE  Filter-Id                  11  string
ATTRIBUTE  Framed-MTU                 12  integer
ATTRIBUTE  Framed-Compression         13  integer
ATTRIBUTE  Login-IP-Host              14  ipaddr
ATTRIBUTE  Login-Service              15  integer
ATTRIBUTE  Login-TCP-Port             16  integer
ATTRIBUTE  Reply-Message              18  string
ATTRIBUTE  Callback-Number            19  string
ATTRIBUTE  Callback-Id                20  string
ATTRIBUTE  Framed-Route               22  string
ATTRIBUTE  Framed-IPX-Network         23  ipaddr
ATTRIBUTE  State                      24  octets
ATTRIBUTE  Class                      25  octets
ATTRIBUTE  Vendor-Specific            26  octets
ATTRIBUTE  Session-Timeout            27  integer
ATTRIBUTE  Idle-Timeout               28  integer
ATTRIBUTE  Termination-Action         29  integer
ATTRIBUTE  Called-Station-Id          30  string
ATTRIBUTE  Calling-Station-Id         31  string
ATTRIBUTE  NAS-Identifier             32  string
ATTRIBUTE  Proxy-State                33  octets
ATTRIBUTE  Login-LAT-Service          34  string
ATTRIBUTE  Login-LAT-Node             35  string
ATTRIBUTE  Login-LAT-Group            36  octets
ATTRIBUTE  Framed-AppleTalk-Link      37  integer
ATTRIBUTE  Framed-AppleTalk-Network   38  integer
ATTRIBUTE  Framed-AppleTalk-Zone      39  string
ATTRIBUTE  CHAP-Challenge             60  octets
ATTRIBUTE  NAS-Port-Type              61  integer
ATTRIBUTE  Port-Limit                 62  integer
ATTRIBUTE  Login-LAT-Port             63  string
Escaped backslash in User-Name when sending Access-Accept
Hi,

I'm having some issues authenticating iOS clients (with FreeRADIUS v2.1.10 installed on a Ubuntu server) with EAP-TLS when the username contains a domain name in the form of Domain\Username (the account is in Active Directory).

I think the issue is caused by the fact that the final Access-Accept reply has the backslash after the domain name escaped, so that the output looks like this:

Sending Access-Accept of id 171 to 172.27.28.84 port 32769
        User-Name = ocg\\cmctrf3

instead of containing the original, un-escaped domain\username:

Sending Access-Accept of id 171 to 172.27.28.84 port 32769
        User-Name = ocg\cmctrf3

Mine is just a theory, but I cannot verify it until I figure out how to have the un-escaped ocg\cmctrf3 string being sent in the output instead of the current escaped one.

So my question is how do I cause the User-Name to be sent un-escaped? Do I make a change in the clients.conf file...? The eap.conf file...? If so, under which section and where..? Sorry for what may look like a dumb question, but I could not find this mentioned anywhere else.

As a side-note, if I omit the domain name in the iOS device and just login with the username cmctrf3 for example, the iPhones/iPads are able to login without problems. The issue only occurs when the domain name appears before escaped. All other devices (Windows and Mac desktops) seem to be able to get past that escaped sequence without problems.

Below is a blurb showing the debug output. I do see the un-escaped ocg\cmctrf3 being logged, but the escaped one at the end is what is probably biting me.

Thanks,
Roberto Franceschetti

# Executing section authorize from file /etc/freeradius/clients.conf
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = ocg\cmctrf3, skipping NULL due to config.
++[suffix] returns noop
[ntdomain] Looking up realm ocgov for User-Name = ocg\cmctrf3
[ntdomain] No such realm ocgov
++[ntdomain] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/clients.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
Login OK: [ocg\\cmctrf3] (from client 172.27.28.84 port 29 cli f0-cb-a1-2b-61-4d)
# Executing section post-auth from file /etc/freeradius/clients.conf
+- entering group post-auth {...}
++[exec] returns noop
} # server lwap-clients
Sending Access-Accept of id 171 to 172.27.28.84 port 32769
        MS-MPPE-Recv-Key = 0x15c9ba070e3579e43c54314c24e7e09f4753c779e4e013b4bbd080a2cab4bbb2
        MS-MPPE-Send-Key = 0x4f27c90c8fdf27be122e70c2c4d82bebd65797dafebe2ebb4ca91bedfd244cb5
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x
        User-Name = ocg\\cmctrf3
RE: Escaped backslash in User-Name when sending Access-Accept
Roberto Franceschetti wrote:
> Mine is just a theory, but I cannot verify it until I figure out how to have the un-escaped ocg\cmctrf3 string being sent in the output instead of the current escaped one.

It probably is not escaped. Some logs and debug outputs escape before outputting to syslog or the screen, but some do not, so it is hard to be sure what you are seeing without taking an actual packet dump and looking at the actual bytes sent.

The only time you should ever have to deal with problems with unescaping in the User-Name attribute is when you edit it by hand, for example, if you take an inner tunnel copy of the user-name and then place it by hand in the outer reply (which you should only do if you can trust your NAS and the network between it to keep that secret.)

If you do such a thing, it is very hard to get an unescaped edited string back into an attribute, because any attribute you define will be escaped when you try to glue it back together with an xlat. You can, however, do so using %{1}, %{2}, %{3} etc from a regexp match.

# The following will take the User-Name from the request and put it into the reply,
# without adding any escaping.
if (User-Name =~ /(.*)/) {
        update reply {
                User-Name = "%{1}"
        }
}
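One way to do the byte-level check suggested above, as an added example that is not from the original post: it pulls the User-Name value out of a captured Access-Accept and compares the bytes on the wire with how an escaping log printer would render them. The packet is constructed here, and `as_debug_line` is a simplified model of such a printer (an assumption), not FreeRADIUS code.

```python
def user_name_bytes(packet):
    """Return the raw value of the first User-Name (type 1) attribute."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    end = int.from_bytes(packet[2:4], "big")
    if not 20 <= end <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos + 2 <= end:
        length = packet[pos + 1]
        if length < 2 or pos + length > end:
            raise ValueError("bad attribute length")
        if packet[pos] == 1:
            return packet[pos + 2:pos + length]
        pos += length
    raise ValueError("no User-Name attribute in packet")


def as_debug_line(value):
    """Model of a log printer that escapes backslashes (assumed behaviour)."""
    return "User-Name = " + value.decode("ascii").replace("\\", "\\\\")


def backslash_report(packet):
    """Compare what is on the wire with what an escaping log would show."""
    raw = user_name_bytes(packet)
    return {
        "wire_hex": raw.hex(),
        "wire_backslashes": raw.count(b"\\"),
        "debug_line": as_debug_line(raw),
    }


def sample_accept(user_name):
    """Constructed Access-Accept (code 2, id 171) holding only User-Name."""
    attr = bytes([1, len(user_name) + 2]) + user_name
    header = bytes([2, 171]) + (20 + len(attr)).to_bytes(2, "big")
    return header + bytes(16) + attr


if __name__ == "__main__":
    # A single backslash on the wire still prints as a doubled one in the log.
    print(backslash_report(sample_accept(b"ocg\\cmctrf3")))
```

A log line showing `ocg\\cmctrf3` is therefore consistent with a single 0x5c byte in the packet; only the hex of the captured attribute settles which case applies.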
How do I find out the query error?
Hi,

I have a Freeradius + Mysql on Ubuntu 12.04 running. I can make it work and Accept the requests using the original sql scheme, but I need to change the DB in order for it to work with a DB I already have, because my web application is already designed to make changes to this DB and it would be a huge effort to reprogram everything.

I have changed the DB and table names in sql.conf and it seems to be connecting ok, but there appears to be some problem in the SQL query and it won't show the error message. This is what I get on debug:

Mon May 21 14:07:18 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 4
Mon May 21 14:07:18 2012 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM login_radius WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM login_radius WHERE username = 'coizado' ORDER BY id
Mon May 21 14:07:18 2012 : Debug: rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM login_radius WHERE username = 'coizado' ORDER BY id
Mon May 21 14:07:18 2012 : Debug: rlm_sql_mysql: MYSQL check_error: 1054 received
Mon May 21 14:07:18 2012 : Error: rlm_sql_getvpdata: database query error
Mon May 21 14:07:18 2012 : Error: [sql] SQL query error; rejecting user
Mon May 21 14:07:18 2012 : Debug: rlm_sql (sql): Released sql socket id: 4
Mon May 21 14:07:18 2012 : Info: ++[sql] returns fail

I already have sqltrace = yes in sql.conf, but it seems to make no difference. Any idea as to where I should look to find out what exactly the sql error is?

Thanks in advance.