radiusd -X SQL suggests "not found" however user attributes are in the radcheck table?

Kaya Saman kayasaman at gmail.com
Tue Jul 31 20:22:39 CEST 2012


On Tue, Jul 31, 2012 at 6:25 PM, Fajar A. Nugraha <list at fajar.net> wrote:
> On Tue, Jul 31, 2012 at 11:31 PM, Kaya Saman <kayasaman at gmail.com> wrote:
>> mysql> select * from radcheck;
>> +----+--------------+-------------------------+----+----------+
>> | id | username     | attribute               | op | value    |
>> +----+--------------+-------------------------+----+----------+
>> |  1 | 0015c5537baa | Auth-Type               | := | Accept   |
>
> Is this intentional? You DO know what setting that means, right?

I am not 100% sure what this attribute means.... I however didn't
include it - I think DaloRADIUS put that in.

I used the MAC address authentication portion in DaloRADIUS when
creating the user. I would think that it simply 'accepts' the username
0015.... without any other checks etc....

It does however come up here:

http://wiki.freeradius.org/Mac-Auth/693d45c56f0152ba1e0e0166f525f10a2e7cd74b

and it is stated that it shouldn't be used for dot1x which is what I
am trying to use it with.

>
>
>> |  2 | 0015c5537baa | Tunnel-Type             | =  | VLAN     |
>> |  3 | 0015c5537baa | Tunnel-Medium-Type      | =  | IEEE-802 |
>> |  4 | 0015c5537baa | Tunnel-Private-Group-Id | =  | 20       |
>> |  5 | 0015c5537baa | Tunnel-Preference       | =  | 0x000000 |
>> +----+--------------+-------------------------+----+----------+
>
>
> I'd suggest you change "=" to ":=", but it looks like you don't know
> what the tables are for, as AFAIK those attributes should be in
> radreply (also with ":="), not in radcheck. So just delete those rows
> for now.

Yes good observation - I am still learning RADIUS and don't have much
experience as a professional admin either but I am eager to learn
though I know it will be a long and hard road :-)

In the meantime I applied the settings you suggested by putting in the
:= instead of = and also using REPLY too over CHECK.

It is now working :-)

eth0      Link encap:Ethernet  HWaddr 00:15:C5:53:7B:AA
          inet addr:10.10.10.3

Without having MAB enabled on the switch the default subnet the system
goes to is on the 10.0.0.0/24 range which is VLAN1 (and what I
provisioned my test setup to do) so this is all but perfect!

I should have seen from the CHECK or REPLY that it was kind of obvious
boolean logic - check if username & password := accept, if yes then
respond (reply) with values (defined).

- rookie mistake :-)

>
> I highly suggest you re-read the documentation, including the included
> doc/rlm_sql (also available on
> https://github.com/alandekok/freeradius-server/blob/v2.1.x/doc/rlm_sql)

Many thanks for this!


P.S. Since information on FreeRADIUS is quite sparse and takes a lot
of practiced knowledge and experience - what is the best way for a
beginner to understand the fundamental concepts of the MySQL tables
and the types of information that RADIUS can dish out, as obviously it
is quite versatile and can be used from Wireless hotspots to ISPs?

As stated I am keen and interested but while most people on this list
have n amount of years experience I still haven't clocked 1 year yet.

>
> --
> Fajar
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Best Regards,


Kaya
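
The change discussed in this message, written out as SQL for the mysql client. This is an added example and not part of the original post; it assumes radreply has the same columns as the radcheck table shown above (the stock FreeRADIUS MySQL schema) and reuses the username from the thread.

```sql
-- Added example, not from the original message.
-- Assumption: radreply has columns (id, username, attribute, op, value),
-- matching the radcheck output quoted in the thread.

-- 1. Audit: reply-type attributes that were stored as check items.
SELECT id, username, attribute, op, value
FROM radcheck
WHERE attribute LIKE 'Tunnel-%';

-- 2. Audit: entries accepted without any credential check. The wiki page
--    linked in the thread says this should not be used for dot1x.
SELECT id, username, op, value
FROM radcheck
WHERE attribute = 'Auth-Type' AND value = 'Accept';

-- The transaction only protects the move on transactional (InnoDB) tables.
START TRANSACTION;

-- 3. Copy the VLAN attributes to radreply, forcing the ':=' operator
--    as suggested in the quoted reply.
INSERT INTO radreply (username, attribute, op, value)
SELECT username, attribute, ':=', value
FROM radcheck
WHERE attribute LIKE 'Tunnel-%';

-- 4. Remove them from radcheck so they are no longer check items.
DELETE FROM radcheck
WHERE attribute LIKE 'Tunnel-%';

COMMIT;

-- 5. Verify: show what is now a check item and what is a reply item.
SELECT 'radcheck' AS tbl, username, attribute, op, value
FROM radcheck
WHERE username = '0015c5537baa'
UNION ALL
SELECT 'radreply' AS tbl, username, attribute, op, value
FROM radreply
WHERE username = '0015c5537baa';
```

After the move, radiusd -X should show the Tunnel-* attributes being added to the reply for this user rather than being evaluated as check items.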

