PAP questions.

Keith Woodworth kwoody at citytel.net
Sun Sep 10 02:22:16 CEST 2006


On Sat, 9 Sep 2006, Alan DeKok wrote:

|->Keith Woodworth <kwoody at citytel.net> wrote:
|->> Anyway here is the error:
|->>
|->> radiusd.conf: "PAP" modules aren't allowed in 'authorize' sections -- they
|->> have no such method.
|->
|->  That's in 1.1.3.  In 2.0, that is allowed.

That error was from 1.1.2, now I'm running 1.1.3.

|->> And while Radius seems to send an Access-Accept, the dialup user gets an
|->> error 691 password invalid.
|->
|->  Because you're not sending the same reply attributes as in the
|->previous example.  Fix that.
|->
|->> Again I get Access-Accept, but a 691 password error on the client side.
|->
|->  Again because the replies are empty.

Which table do the replies come from?

In the debug:

radius_xlat:  'tester'
rlm_sql (sql): sql_set_user escaped user --> 'tester'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM
radcheck           WHERE Username = 'tester'           ORDER BY id'

Here is the select from radcheck, which has the user tester in it.

rlm_sql (sql): Reserving sql socket id: 2
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'tester' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM
radreply           WHERE Username = 'tester'           ORDER BY id'

Radreply is populated, but the username tester is not listed there, so no
match obviously.

radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'tester' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'

rlm_sql (sql): Released sql socket id: 2
  modcall[authorize]: module "sql" returns ok for request 2
modcall: leaving group authorize (returns ok) for request 2
auth: type Crypt
Sending Access-Accept of id 130 to 204.244.99.67 port 1645

So where to put the reply items? Should I not be using a default entry to
reply to all users that authenticate?
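
Added example, not part of the original message or of FreeRADIUS: it runs the two reply-item SELECTs from the debug output above against a constructed in-memory SQLite database, modelling only those two lookups, to show that 'tester' gets no reply items until a usergroup row links the user to a group that has radgroupreply rows. The group name 'dialup', the user 'someoneelse', the attribute values and the use of SQLite are assumptions made for illustration.

```python
import sqlite3

# The two reply-item queries from the debug output, with the user name bound
# as a parameter instead of being interpolated into the statement.
USER_REPLY = ("SELECT id, UserName, Attribute, Value, op FROM radreply "
              "WHERE Username = ? ORDER BY id")
GROUP_REPLY = ("SELECT radgroupreply.id, radgroupreply.GroupName, "
               "radgroupreply.Attribute, radgroupreply.Value, radgroupreply.op "
               "FROM radgroupreply, usergroup WHERE usergroup.Username = ? "
               "AND usergroup.GroupName = radgroupreply.GroupName "
               "ORDER BY radgroupreply.id")


def make_db():
    """Constructed schema holding only the columns the logged queries touch."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radreply (id INTEGER PRIMARY KEY, UserName TEXT,
                               Attribute TEXT, Value TEXT, op TEXT);
        CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT,
                                    Attribute TEXT, Value TEXT, op TEXT);
        CREATE TABLE usergroup (UserName TEXT, GroupName TEXT);
        -- Constructed rows: radreply is populated, but not for 'tester'.
        INSERT INTO radreply (UserName, Attribute, Value, op)
            VALUES ('someoneelse', 'Framed-Protocol', 'PPP', ':=');
        -- Constructed group (hypothetical name 'dialup') with reply items.
        INSERT INTO radgroupreply (GroupName, Attribute, Value, op) VALUES
            ('dialup', 'Service-Type', 'Framed-User', ':='),
            ('dialup', 'Framed-Protocol', 'PPP', ':=');
    """)
    return db


def reply_items(db, user):
    """Return (Attribute, op, Value) for rows either reply query yields."""
    rows = db.execute(USER_REPLY, (user,)).fetchall()
    rows += db.execute(GROUP_REPLY, (user,)).fetchall()
    return [(r[2], r[4], r[3]) for r in rows]


if __name__ == "__main__":
    db = make_db()
    # No radreply row and no usergroup row for 'tester': both queries are empty.
    print("before:", reply_items(db, "tester"))
    # Linking the user to the group makes the radgroupreply join match.
    db.execute("INSERT INTO usergroup VALUES ('tester', 'dialup')")
    print("after: ", reply_items(db, "tester"))
```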
