unidentified users and vlan assignment

Phil Mayers p.mayers at imperial.ac.uk
Wed Sep 15 18:19:20 CEST 2010


On 15/09/10 16:49, Fabien COMBERNOUS wrote:
>   On 15/09/2010 17:29, Phil Mayers wrote:
>>
>>
>> Please post the full debugging output.

Sigh. This is not the full debugging output. You're making it hard to 
help you.

>
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [chap] Setting 'Auth-Type := CHAP'

This is not macauth. This is CHAP. You can't authenticate unknown CHAP 
users, because you need their password (which you don't have if they are 
unknown).

> ++[chap] returns ok
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "08-00-0f-44-c7-42", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> rlm_opendirectory: The SACL group "com.apple.access_radius" does not
> exist on this system.
> rlm_opendirectory: The host 10.2.2.230 does not have an access group.
> rlm_opendirectory: no access control groups, all users allowed.
> ++[opendirectory] returns ok
> ++- entering group redundant_sql {...}
> [sql1] expand: %{User-Name} -> 08-00-0f-44-c7-42
> [sql1] sql_set_user escaped user --> '08-00-0f-44-c7-42'
> rlm_sql (sql1): Reserving sql socket id: 1
> [sql1] expand: SELECT id, username, attribute, value, op FROM radcheck
> WHERE username = '%{SQL-User-Name}'
> [sql1] expand: SELECT groupname FROM radusergroup WHERE username =
> '%{SQL-User-Name}' ORDER BY prior
> rlm_sql (sql1): Released sql socket id: 1
> [sql1] User 08-00-0f-44-c7-42 not found
> +++[sql1] returns notfound
> ++- group redundant_sql returns notfound
> ++? if (notfound)
> ? Evaluating (notfound) -> TRUE
> ++? if (notfound) -> TRUE
> ++- entering if (notfound) {...}
> +++[reply] returns notfound
> ++- if (notfound) returns notfound
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.

See?

> ++[pap] returns noop
> Found Auth-Type = CHAP
> +- entering group CHAP {...}
> [chap] login attempt by "08-00-0f-44-c7-42" with CHAP password
> [chap] Cleartext-Password is required for authentication
> ++[chap] returns invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> 08-00-0f-44-c7-42
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated

This filter will remove the VLAN, because auth failed (and it wouldn't 
work anyway).
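
Why the unknown CHAP user in the debug output cannot be authenticated, as an added example that is not part of the original post and is not FreeRADIUS code: an RFC 1994 CHAP response is MD5 over the identifier, the user's secret and the challenge, so the server can only check it with the cleartext password on file. The `verify_chap` helper, its return labels, the user "alice" and all passwords are constructed for illustration.

```python
import hashlib
import hmac

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def verify_chap(user: str, chap_password: bytes, challenge: bytes, db: dict) -> str:
    """Check a RADIUS CHAP-Password value (1 byte ident + 16 byte response).

    db maps user name -> secret held by the server (hypothetical store).
    Returns "ok", "reject" (response mismatch) or "invalid" (cannot check).
    """
    if len(chap_password) != 17:
        return "invalid"
    secret = db.get(user)
    if secret is None:
        # Unknown user: there is nothing to feed into MD5, so the
        # response cannot be recomputed at all.
        return "invalid"
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, secret, challenge)
    return "ok" if hmac.compare_digest(expected, response) else "reject"

def demo() -> dict:
    # Constructed sample data, not taken from the thread's server.
    challenge = bytes(range(16))
    ident = 7
    cleartext_db = {"alice": b"correct horse"}
    # Same user, but the server only kept a hash of the password.
    hashed_db = {"alice": hashlib.md5(b"correct horse").digest()}

    good = bytes([ident]) + chap_response(ident, b"correct horse", challenge)
    bad = bytes([ident]) + chap_response(ident, b"wrong guess", challenge)
    # The MAC address from the log, used as a user the database does not know.
    mac = bytes([ident]) + chap_response(ident, b"anything", challenge)

    return {
        "known_good": verify_chap("alice", good, challenge, cleartext_db),
        "known_bad": verify_chap("alice", bad, challenge, cleartext_db),
        "unknown_mac": verify_chap("08-00-0f-44-c7-42", mac, challenge, cleartext_db),
        # A stored hash is not enough: CHAP needs the cleartext itself.
        "hash_only": verify_chap("alice", good, challenge, hashed_db),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```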


