Subject: rlm_sql: Failed to create the pair: Unknown attribute
Tony DeMatteis
tonyd at commspeed.net
Tue Jul 8 01:04:04 CEST 2014
Changed back to =+ per Alan, still seeing the same error and resulting
reject.
On 07/07/2014 03:40 PM, Tony DeMatteis wrote:
> Thank you very much for your reply!
>
>
> I changed my operator to ":=" but get the same reject/error.
>
>
>
> mysql> select * from radgroupreply where groupname = 'NOC-Admin';
> +----+-----------+----------------------------+----+-----------------------+
> | id | groupname | attribute                  | op | value                 |
> +----+-----------+----------------------------+----+-----------------------+
> |  1 | NOC-Admin | Mikrotik-Group             | := | full                  |
> |  7 | NOC-Admin | APC-Service-Type           | := | 1                     |
> |  8 | NOC-Admin | APC-Outlets                | := | "1,2,3,4,5,6,7,8"     |
> | 10 | NOC-Admin | DragonWave-Privilege-Level | := | DragonWave-Super-User |
> +----+-----------+----------------------------+----+-----------------------+
> 4 rows in set (0.00 sec)
>
> mysql>
>
> On 07/07/2014 11:45 AM, Mike Poole wrote:
>> Tony,
>> I'm replying at the top instead of inline.
>> Our FreeRADIUS SQL returns this for :
>>
>> 44418 AS id
>> 1-1-1 AS groupname
>> Mikrotik-Rate-Limit AS attribute
>> 1000k/2001k 2000k/4000k 750k/1500k 1800/1800 7 AS value
>> ? AS op
>> I think your problem is with the op (operator). It should be "?" and
>> I believe it should be at the end.
>>
>> We use custom tables and stored procedures to do this.
>>
>> For the "group" query all I return is a groupname, such as the
>> package ID '1-1-1'
>> SELECT packageId as "groupname"; (I believe this is where you are
>> having the trouble.)
>>
>> Let me know if it helps or if I can do anything else
>> Message: 2
>> Date: Mon, 07 Jul 2014 08:03:03 -0700
>> From: Tony DeMatteis <tonyd at commspeed.net>
>> To: freeradius-users at lists.freeradius.org
>> Subject: rlm_sql: Failed to create the pair: Unknown attribute
>> "DragonWave-Privilege-Level" requires a hex string, not
>> "DragonWave-Super-User"
>> Message-ID: <53BAB6A7.2040309 at commspeed.net>
>> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>> Greetings,
>> I am setting up/migrating to a new Radius server. My current server
>> is using flat files (users/clients). Not a huge deployment, but now
>> have designs to scale larger. I've run into a problem with one reply
>> attribute I can't seem to identify the problem. I've searched the
>> documentation (and Googled), and while probably in front of my eyes, I
>> can't seem to find the cause/solution. The same reply attributes
>> work fine in my current/production server, but fail (and only when
>> trying to include the "DragonWave-Privilege-Level" reply attribute).
>> Now one note, in my production server in my user stanza I use the "="
>> operator for each of the reply attributes. However, in my new
>> server, when using the "=" as the operator in the reply attribute I
>> was receiving only one attribute upon authentication. I then thought
>> I understood from the documentation that I needed to use "+=" in my
>> reply attributes. After making that change, all the group attributes
>> were returned. One difference may be that I am specifying the
>> "group" attributes under each "user" (current/production) vs in a
>> "group" which is referenced (new server)? I am in no way well versed
>> in all the nuances of radius (but working that direction), so if I'm
>> overlooking the obvious I would greatly appreciate a nudge in the
>> right direction.
>> Thank you very much,
>> tony
>> #*************************
>> #
>> #// CURRENT SERVER
>> #
>> #*************************
>> #
>> # System information
>> #
>> admin at radius:/home/admin# uname -a
>> Linux radius 3.5.0-45-generic #68~precise1-Ubuntu SMP Wed Dec 4
>> 16:18:46 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
>> admin at radius:/home/admin# cat /etc/issue
>> Ubuntu 12.04.4 LTS \n \l
>> admin at radius:/home/admin# freeradius -v
>> freeradius: FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu,
>> built on Feb 24 2014 at 15:16:50
>> Copyright (C) 1999-2010 The FreeRADIUS server project and contributors.
>> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>> PARTICULAR PURPOSE.
>> You may redistribute copies of FreeRADIUS under the terms of the GNU
>> General Public License.
>> For more information about these matters, see the file named COPYRIGHT.
>> #
>> # /etc/freeradius/users
>> #
>> "testuser" ClearText-Password := "tester"
>>         Reply-Message = "Hello, %{User-Name}",
>>         Mikrotik-Group = "full",
>>         DragonWave-Privilege-Level = "DragonWave-Super-User",
>>         APC-Service-Type = 1,
>>         APC-Outlets = "1,2,3,4,5,6,7,8"
>> #
>> # radtest and result
>> #
>> admin at radius:/home/admin# radtest testuser tester localhost 10
>> testing123 0 10.10.0.120
>> Sending Access-Request of id 25 to 127.0.0.1 port 1812
>> User-Name = "testuser"
>> User-Password = "tester"
>> NAS-IP-Address = 10.10.0.120
>> NAS-Port = 10
>> Framed-Protocol = PPP
>> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=25,
>> length=70
>> Reply-Message = "Hello, testuser"
>> Mikrotik-Group = "full"
>> DragonWave-Privilege-Level = DragonWave-Super-User
>> APC-Service-Type = Admin
>> APC-Outlets = "1,2,3,4,5,6,7,8"
>> #*************************
>> #
>> #// NEW SERVER
>> #
>> #*************************
>> admin at radius1:/home/admin# uname -a
>> Linux radius1.mydomain.net 2.6.32-431.20.3.el6.i686 #1 SMP Thu Jun 19
>> 19:51:30 UTC 2014 i686 i686 i386 GNU/Linux
>> admin at radius1:/home/admin# cat /etc/issue
>> CentOS release 6.5 (Final)
>> Kernel \r on an \m
>> admin at radius1:/home/admin# radiusd -v
>> radiusd: FreeRADIUS Version 2.1.12, for host i386-redhat-linux-gnu,
>> built on Oct 3 2012 at 01:20:08
>> Copyright (C) 1999-2011 The FreeRADIUS server project and contributors.
>> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>> PARTICULAR PURPOSE.
>> You may redistribute copies of FreeRADIUS under the terms of the GNU
>> General Public License.
>> For more information about these matters, see the file named COPYRIGHT.
>> #*************************
>> #
>> #// radtest
>> #
>> #*************************
>> admin at radius1:/home/admin# radtest testuser tester 216.x.x.x 10
>> testing123 0 10.10.0.120
>> Sending Access-Request of id 119 to 216.x.x.x port 1812
>> User-Name = "testuser"
>> User-Password = "tester"
>> NAS-IP-Address = 10.10.0.120
>> NAS-Port = 10
>> Message-Authenticator = 0x00000000000000000000000000000000
>> rad_recv: Access-Reject packet from host 216.x.x.x port 1812, id=119,
>> length=20
>> #*************************
>> #
>> #// Partial debug output
>> #
>> #*************************
>> Ready to process requests.
>> rad_recv: Access-Request packet from host 216.x.x.x port 50707, id=119,
>> length=75
>> User-Name = "testuser"
>> User-Password = "tester"
>> NAS-IP-Address = 10.10.0.120
>> NAS-Port = 10
>> Message-Authenticator = 0x17fec73c577cb5fd95d9dd3656c3a8db
>> # Executing section authorize from file /etc/raddb/sites-enabled/default
>> +- entering group authorize {...}
>> ++- entering policy filter_username {...}
>> +++? if (User-Name =~ /^ /)
>> ? Evaluating (User-Name =~ /^ /) -> FALSE
>> +++? if (User-Name =~ /^ /) -> FALSE
>> +++? if (User-Name =~ / $$/)
>> ? Evaluating (User-Name =~ / $$/) -> FALSE
>> +++? if (User-Name =~ / $$/) -> FALSE
>> +++? if (User-Name != "%{tolower:%{User-Name}}")
>> expand: %{User-Name} -> testuser
>> expand: %{tolower:%{User-Name}} -> testuser
>> ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
>> +++? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
>> ++- policy filter_username returns notfound
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>> ++[digest] returns noop
>> [suffix] No '@' in User-Name = "testuser", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] returns noop
>> [eap] No EAP-Message, not doing EAP
>> ++[eap] returns noop
>> [sql] expand: %{User-Name} -> testuser
>> [sql] sql_set_user escaped user --> 'testuser'
>> rlm_sql (sql): Reserving sql socket id: 3
>> [sql] expand: SELECT id, username, attribute, value, op
>> FROM radcheck WHERE username = '%{SQL-User-Name}'
>> ORDER BY id -> SELECT id, username, attribute, value, op FROM
>> radcheck WHERE username = 'testuser' ORDER BY id
>> [sql] User found in radcheck table
>> [sql] expand: SELECT id, username, attribute, value, op
>> FROM radreply WHERE username = '%{SQL-User-Name}'
>> ORDER BY id -> SELECT id, username, attribute, value, op FROM
>> radreply WHERE username = 'testuser' ORDER BY id
>> [sql] expand: SELECT groupname FROM radusergroup
>> WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
>> SELECT groupname FROM radusergroup WHERE username =
>> 'testuser' ORDER BY priority
>> [sql] expand: SELECT id, groupname, attribute, Value, op
>> FROM radgroupcheck WHERE groupname = '%{Sql-Group}'
>> ORDER BY id -> SELECT id, groupname, attribute, Value,
>> op FROM radgroupcheck WHERE groupname = 'NOC-Admin'
>> ORDER BY id
>> [sql] User found in group NOC-Admin
>> [sql] expand: SELECT id, groupname, attribute, value, op
>> FROM radgroupreply WHERE groupname = '%{Sql-Group}'
>> ORDER BY id -> SELECT id, groupname, attribute, value,
>> op FROM radgroupreply WHERE groupname = 'NOC-Admin'
>> ORDER BY id
>> rlm_sql: Failed to create the pair: Unknown attribute
>> "DragonWave-Privilege-Level" requires a hex string, not
>> "DragonWave-Super-User"
>> rlm_sql (sql): Error getting data from database
>> [sql] Error retrieving reply pairs for group NOC-Admin
>> [sql] Error processing groups; rejecting user
>> rlm_sql (sql): Released sql socket id: 3
>> ++[sql] returns fail
>> Using Post-Auth-Type Reject
>> # Executing group from file /etc/raddb/sites-enabled/default
>> +- entering group REJECT {...}
>> [attr_filter.access_reject] expand: %{User-Name} -> testuser
>> attr_filter: Matched entry DEFAULT at line 11
>> ++[attr_filter.access_reject] returns updated
>> Delaying reject of request 0 for 1 seconds
>> Going to the next request
>> Waking up in 0.9 seconds.
>> Sending delayed reject for request 0
>> Sending Access-Reject of id 119 to 216.x.x.x port 50707
>> Waking up in 4.9 seconds.
>> Cleaning up request 0 ID 119 with timestamp +54
>> Ready to process requests.
>> #*************************
>> #
>> #// Manual query based on radiusd -X debug output
>> #
>> #*************************
>> mysql> SELECT id, groupname, attribute, value, op
>> FROM radgroupreply WHERE groupname = 'NOC-Admin'
>> ORDER BY id;
>> +----+-----------+----------------------------+-----------------------+----+
>> | id | groupname | attribute                  | value                 | op |
>> +----+-----------+----------------------------+-----------------------+----+
>> |  1 | NOC-Admin | Mikrotik-Group             | full                  | += |
>> |  7 | NOC-Admin | APC-Service-Type           | 1                     | += |
>> |  8 | NOC-Admin | APC-Outlets                | "1,2,3,4,5,6,7,8"     | += |
>> | 10 | NOC-Admin | DragonWave-Privilege-Level | DragonWave-Super-User | += |
>> +----+-----------+----------------------------+-----------------------+----+
>> 5 rows in set (0.00 sec)
>> mysql>
>> # /usr/share/freeradius/dictionary.dragonwave
>> #*************************
>> #
>> #// Dragonwave Dictionary Definition
>> #
>> #*************************
>> # -*- text -*-
>> # http://www.dragonwaveinc.com
>> #
>> # $Id$
>> #
>> VENDOR DragonWave 7262
>> BEGIN-VENDOR DragonWave
>> # Used to determine the user login privilege level.
>> ATTRIBUTE DragonWave-Privilege-Level 1 integer
>> # Read-only access.
>> VALUE DragonWave-Privilege-Level DragonWave-Admin-User 1
>> # Limited read-write access.
>> VALUE DragonWave-Privilege-Level DragonWave-NOC-User 2
>> # Unlimited read-write access.
>> VALUE DragonWave-Privilege-Level DragonWave-Super-User 3
>> END-VENDOR DragonWave
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>> End of Freeradius-Users Digest, Vol 111, Issue 13
>> *************************************************
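The debug output in this thread rejects the group reply because `DragonWave-Privilege-Level` is reported as an unknown attribute, although `dictionary.dragonwave` defines it. As an added example (not part of the thread and not FreeRADIUS code), this Python sketch checks `radgroupreply` rows against only the dictionary files reached through `$INCLUDE` from a main dictionary. The main dictionary contents and the names `dictionary.with` and `dictionary.without` are constructed; the thread does not say whether the new server's main dictionary includes the vendor file.

```python
# Added example: every file body below is held in memory, nothing is read from disk.
FILES = {
    # Hypothetical main dictionary that does not reference the vendor file.
    "dictionary.without": "$INCLUDE dictionary.rfc2865\n",
    # Hypothetical main dictionary that does.
    "dictionary.with": "$INCLUDE dictionary.rfc2865\n$INCLUDE dictionary.dragonwave\n",
    "dictionary.rfc2865": "ATTRIBUTE Reply-Message 18 string\n",
    # Definition as quoted in the post.
    "dictionary.dragonwave": """\
VENDOR DragonWave 7262
BEGIN-VENDOR DragonWave
ATTRIBUTE DragonWave-Privilege-Level 1 integer
VALUE DragonWave-Privilege-Level DragonWave-Admin-User 1
VALUE DragonWave-Privilege-Level DragonWave-NOC-User 2
VALUE DragonWave-Privilege-Level DragonWave-Super-User 3
END-VENDOR DragonWave
""",
}

def load(name, files, attrs=None, seen=None):
    """Parse `name` and whatever it $INCLUDEs; return {attr: (type, {value_name: number})}."""
    attrs = {} if attrs is None else attrs
    seen = set() if seen is None else seen
    if name in seen or name not in files:   # include loop or absent file: skipped in this sketch
        return attrs
    seen.add(name)
    for raw in files[name].splitlines():
        f = raw.split("#", 1)[0].split()    # drop comments, split on whitespace
        if len(f) >= 2 and f[0] == "$INCLUDE":
            load(f[1], files, attrs, seen)
        elif len(f) >= 4 and f[0] == "ATTRIBUTE":
            attrs[f[1].lower()] = (f[3].lower(), {})
        elif len(f) >= 4 and f[0] == "VALUE" and f[1].lower() in attrs:
            attrs[f[1].lower()][1][f[2].lower()] = int(f[3], 0)
    return attrs

def check_rows(rows, attrs):
    """rows are (attribute, op, value) as stored in radgroupreply; return a list of findings."""
    findings = []
    for attribute, _op, value in rows:
        entry = attrs.get(attribute.lower())  # names compared case-insensitively (assumption)
        if entry is None:
            if not value.lower().startswith("0x"):
                findings.append((attribute, "unknown attribute, value is not a hex string"))
        elif entry[0] == "integer" and not value.isdigit() and value.lower() not in entry[1]:
            findings.append((attribute, "no VALUE named " + value))
    return findings

ROWS = [("DragonWave-Privilege-Level", "+=", "DragonWave-Super-User")]  # row from the post
```

Running `check_rows(ROWS, load("dictionary.without", FILES))` reports the row, while the same call with `"dictionary.with"` returns no findings; the operator column plays no part in either result.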