Authenticating users on LDAP based on Group name

Jose Torres-Berrocal jetsystemservices at gmail.com
Wed Apr 22 05:31:10 CEST 2015


Debug output using group options:

radiusd: FreeRADIUS Version 2.2.5, for host i386-portbld-freebsd8.3, built on Sep 29 2014 at 22:08:50
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /usr/pbi/freeradius-i386/etc/raddb/radiusd.conf
including configuration file /usr/pbi/freeradius-i386/etc/raddb/clients.conf
including files in directory /usr/pbi/freeradius-i386/etc/raddb/modules/
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/wimax
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/always
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/attr_rewrite
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/cache
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/chap
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/checkval
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/counter
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/cui
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/detail
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/detail.example.com
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/detail.log
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/dhcp_sqlippool
including configuration file /usr/pbi/freeradius-i386/etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/digest
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/dynamic_clients
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/echo
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/etc_group
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/exec
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/expiration
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/expr
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/files
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/inner-eap
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ippool
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/krb5
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ldap
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/linelog
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/otp
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/logintime
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/mac2ip
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/mac2vlan
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/mschap
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/ntlm_auth
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/opendirectory
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/pam
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/pap
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/passwd
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/perl
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/policy
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/preprocess
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/radrelay
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/radutmp
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/realm
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/redis
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/rediswho
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/replicate
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/smbpasswd
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/smsotp
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/soh
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/sql_log
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/sradutmp
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/unix
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/acct_unique
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/motp
including configuration file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct
including configuration file /usr/pbi/freeradius-i386/etc/raddb/eap.conf
including configuration file /usr/pbi/freeradius-i386/etc/raddb/sql.conf
including configuration file /usr/pbi/freeradius-i386/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/pbi/freeradius-i386/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/pbi/freeradius-i386/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/pbi/freeradius-i386/etc/raddb/policy.conf
including files in directory /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/
including configuration file /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
main {
allow_core_dumps = yes
}
Core dumps are enabled.
including dictionary file /usr/pbi/freeradius-i386/etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr/pbi/freeradius-i386"
localstatedir = "/var"
sbindir = "/usr/pbi/freeradius-i386/sbin"
logdir = "/var/log"
run_dir = "/var/run"
radacctdir = "/var/log/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd.pid"
checkrad = "/usr/pbi/freeradius-i386/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
  stripped_names = yes
  auth = yes
  auth_badpass = no
  auth_goodpass = no
  msg_badpass = ""
  msg_goodpass = ""
 }
 security {
  max_attributes = 200
  reject_delay = 1
  status_server = no
  allow_vulnerable_openssl = no
 }
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
 client squid {
  ipaddr = 192.168.56.1
  require_message_authenticator = no
  secret = "squid4030"
  shortname = "squid"
  nastype = "other"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /usr/pbi/freeradius-i386/etc/raddb/modules/exec
  exec {
  wait = no
  input_pairs = "request"
  shell_escape = yes
  timeout = 10
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /usr/pbi/freeradius-i386/etc/raddb/modules/expr
 Module: Linked to module rlm_counter
 Module: Instantiating module "daily" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter
  counter daily {
  filename = "/var/log/radacct/timecounter/db.daily"
  key = "User-Name"
  reset = "daily"
  count-attribute = "Acct-Session-Time"
  counter-name = "Daily-Session-Time"
  check-name = "Max-Daily-Session"
  reply-name = "Session-Timeout"
  cache-size = 5000
  }
rlm_counter: Counter attribute Daily-Session-Time is number 11273
rlm_counter: Current Time: 1429671947 [2015-04-21 23:05:47], Next reset 1429675200 [2015-04-22 00:00:00]
 Module: Instantiating module "weekly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter
  counter weekly {
  filename = "/var/log/radacct/timecounter/db.weekly"
  key = "User-Name"
  reset = "weekly"
  count-attribute = "Acct-Session-Time"
  counter-name = "Weekly-Session-Time"
  check-name = "Max-Weekly-Session"
  reply-name = "Session-Timeout"
  cache-size = 5000
  }
rlm_counter: Counter attribute Weekly-Session-Time is number 11275
rlm_counter: Current Time: 1429671947 [2015-04-21 23:05:47], Next reset 1430020800 [2015-04-26 00:00:00]
 Module: Instantiating module "monthly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter
  counter monthly {
  filename = "/var/log/radacct/timecounter/db.monthly"
  key = "User-Name"
  reset = "monthly"
  count-attribute = "Acct-Session-Time"
  counter-name = "Monthly-Session-Time"
  check-name = "Max-Monthly-Session"
  reply-name = "Session-Timeout"
  cache-size = 5000
  }
rlm_counter: Counter attribute Monthly-Session-Time is number 11277
rlm_counter: Current Time: 1429671947 [2015-04-21 23:05:47], Next reset 1430452800 [2015-05-01 00:00:00]
 Module: Instantiating module "forever" from file /usr/pbi/freeradius-i386/etc/raddb/modules/counter
  counter forever {
  filename = "/var/log/radacct/timecounter/db.forever"
  key = "User-Name"
  reset = "never"
  count-attribute = "Acct-Session-Time"
  counter-name = "Forever-Session-Time"
  check-name = "Max-Forever-Session"
  reply-name = "Session-Timeout"
  cache-size = 5000
  }
rlm_counter: Counter attribute Forever-Session-Time is number 11279
rlm_counter: Current Time: 1429671947 [2015-04-21 23:05:47], Next reset 0 [2015-04-21 23:00:00]
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /usr/pbi/freeradius-i386/etc/raddb/modules/expiration
  expiration {
  reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /usr/pbi/freeradius-i386/etc/raddb/modules/logintime
  logintime {
  reply-message = "You are calling outside your allowed timespan  "
  minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file ?�(rlm_logintime
 modules {
  Module: Creating Auth-Type = MOTP
  Module: Creating Auth-Type = digest
  Module: Creating Auth-Type = LDAP
  Module: Creating Autz-Type = Status-Server
  Module: Creating Acct-Type = Status-Server
  Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/pap
  pap {
  encryption_scheme = "auto"
  auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/mschap
  mschap {
  use_mppe = yes
  require_encryption = no
  require_strong = no
  with_ntdomain_hack = yes
  allow_retry = yes
  }
 Module: Instantiating module "motp" from file /usr/pbi/freeradius-i386/etc/raddb/modules/motp
  exec motp {
  wait = yes
  program = " /usr/pbi/freeradius-i386/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}"
  input_pairs = "request"
  shell_escape = yes
  }
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file /usr/pbi/freeradius-i386/etc/raddb/modules/digest
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /usr/pbi/freeradius-i386/etc/raddb/modules/unix
  unix {
  radwtmp = "/var/log/radwtmp"
  }
 Module: Linked to module rlm_ldap
 Module: Instantiating module "ldap" from file /usr/pbi/freeradius-i386/etc/raddb/modules/ldap
  ldap {
  server = "jetsms-srv2003.jetdom.local"
  port = 389
  password = "Tramontane10520"
  expect_password = yes
  identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local"
  net_timeout = 1
  timeout = 4
  timelimit = 3
  max_uses = 0
  tls_mode = no
  start_tls = no
  tls_require_cert = "allow"
   tls {
    start_tls = no
    cacertfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem"
    cacertdir = "/usr/pbi/freeradius-i386/etc/raddb/certs/"
    certfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt"
    keyfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key"
    randfile = "/usr/pbi/freeradius-i386/etc/raddb/certs/random"
    require_cert = "never"
   }
  basedn = "cn=Users,dc=jetdom,dc=local"
  filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
  base_filter = "(objectclass=*)"
  auto_header = no
  access_attr_used_for_allow = yes
  groupname_attribute = "cn"
  groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
  groupmembership_attribute = "memberOf"
  dictionary_mapping = "/usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap"
  ldap_debug = 0
  ldap_connections_number = 5
  compare_check_items = no
  do_xlat = yes
  set_auth_type = yes
   keepalive {
    idle = 60
    probes = 3
    interval = 3
   }
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /usr/pbi/freeradius-i386/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x28516580
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /usr/pbi/freeradius-i386/etc/raddb/eap.conf
  eap {
  default_eap_type = "mschapv2"
  timer_expire = 60
  ignore_unknown_eap_types = no
  cisco_accounting_username_bug = no
  max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
    challenge = "Password: "
    auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    CA_path = "/usr/pbi/freeradius-i386/etc/raddb/certs"
    pem_file_type = yes
    private_key_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/server_key.pem"
    certificate_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/server_cert.pem"
    CA_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/ca_cert.pem"
    private_key_password = "whatever"
    dh_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/dh"
    random_file = "/usr/pbi/freeradius-i386/etc/raddb/certs/random"
    fragment_size = 1024
    include_length = yes
    check_crl = no
    cipher_list = "DEFAULT"
    ecdh_curve = "prime256v1"
    cache {
    enable = no
    lifetime = 24
    max_entries = 255
    }
    verify {
    }
    ocsp {
    enable = no
    override_cert_url = no
    url = "http://127.0.0.1/ocsp/"
    use_nonce = yes
    timeout = 0
    softfail = no
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
    default_eap_type = "md5"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
    default_eap_type = "mschapv2"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    proxy_tunneled_request_as_eap = yes
    soh = no
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
    with_ntdomain_hack = no
    send_error = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file /usr/pbi/freeradius-i386/etc/raddb/modules/preprocess
  preprocess {
  huntgroups = "/usr/pbi/freeradius-i386/etc/raddb/huntgroups"
  hints = "/usr/pbi/freeradius-i386/etc/raddb/hints"
  with_ascend_hack = no
  ascend_channels_per_line = 23
  with_ntdomain_hack = no
  with_specialix_jetstream_hack = no
  with_cisco_vsa_hack = no
  with_alvarion_vsa_hack = no
  }
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/huntgroups
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/hints
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file /usr/pbi/freeradius-i386/etc/raddb/modules/realm
  realm suffix {
  format = "suffix"
  delimiter = "@"
  ignore_default = no
  ignore_null = yes
  }
 Module: Instantiating module "ntdomain" from file /usr/pbi/freeradius-i386/etc/raddb/modules/realm
  realm ntdomain {
  format = "prefix"
  delimiter = "\"
  ignore_default = no
  ignore_null = yes
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /usr/pbi/freeradius-i386/etc/raddb/modules/files
  files {
  usersfile = "/usr/pbi/freeradius-i386/etc/raddb/users"
  acctusersfile = "/usr/pbi/freeradius-i386/etc/raddb/acct_users"
  preproxy_usersfile = "/usr/pbi/freeradius-i386/etc/raddb/preproxy_users"
  compat = "no"
  }
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/users
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/acct_users
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/preproxy_users
 Module: Linked to module rlm_sql
 Module: Instantiating module "sql" from file /usr/pbi/freeradius-i386/etc/raddb/sql.conf
  sql {
  driver = "rlm_sql_mysql"
  server = "lamp.jetdom.local"
  port = "3306"
  login = "radius"
  password = "radpass"
  radius_db = "radius"
  read_groups = yes
  sqltrace = no
  sqltracefile = "/var/log/sqltrace.sql"
  readclients = yes
  deletestalesessions = yes
  num_sql_socks = 5
  lifetime = 0
  max_queries = 0
  sql_user_name = "%{User-Name}"
  default_user_profile = ""
  nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
  authorize_check_query = "SELECT id, username, attribute, value, op
    FROM radcheck           WHERE username = '%{SQL-User-Name}'
ORDER BY id"
  authorize_reply_query = "SELECT id, username, attribute, value, op
    FROM radreply           WHERE username = '%{SQL-User-Name}'
ORDER BY id"
  authorize_group_check_query = "SELECT id, groupname, attribute,
Value, op           FROM radgroupcheck           WHERE groupname =
'%{Sql-Group}'           ORDER BY id"
  authorize_group_reply_query = "SELECT id, groupname, attribute,
value, op           FROM radgroupreply           WHERE groupname =
'%{Sql-Group}'           ORDER BY id"
  accounting_onoff_query = "          UPDATE radacct           SET
     acctstoptime       =  '%S',              acctsessiontime    =
 unix_timestamp('%S') -
 unix_timestamp(acctstarttime),              acctterminatecause =
 '%{Acct-Terminate-Cause}',              acctstopdelay      =
 %{%{Acct-Delay-Time}:-0}           WHERE acctstoptime IS NULL
AND nasipaddress      =  '%{NAS-IP-Address}'           AND acctstarttime
  <= '%S'"
  accounting_update_query = "           UPDATE radacct           SET
       framedipaddress = '%{Framed-IP-Address}',
 acctsessiontime     = '%{Acct-Session-Time}',              acctinputoctets
    = '%{%{Acct-Input-Gigawords}:-0}'  << 32 |
       '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets    =
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
 '%{%{Acct-Output-Octets}:-0}'           WHERE acctsessionid =
'%{Acct-Session-Id}'           AND username        = '%{SQL-User-Name}'
      AND nasipaddress    = '%{NAS-IP-Address}'"
  accounting_update_query_alt = "           INSERT INTO radacct
(acctsessionid,    acctuniqueid,      username,              realm,
   nasipaddress,      nasportid,              nasporttype,
 acctstarttime,     acctsessiontime,              acctauthentic,
 connectinfo_start, acctinputoctets,              acctoutputoctets,
calledstationid,   callingstationid,              servicetype,
 framedprotocol,    framedipaddress,              acctstartdelay,
xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',
 '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
 '%{NAS-Port-Type}',              DATE_SUB('%S',
INTERVAL (%{%{Acct-Session-Time}:-0} +
%{%{Acct-Delay-Time}:-0}) SECOND),
'%{Acct-Session-Time}',              '%{Acct-Authentic}', '',
 '%{%{Acct-Input-Gigawords}:-0}' << 32 |
 '%{%{Acct-Input-Octets}:-0}',
 '%{%{Acct-Output-Gigawords}:-0}' << 32 |
 '%{%{Acct-Output-Octets}:-0}',              '%{Called-Station-Id}',
'%{Calling-Station-Id}',              '%{Service-Type}',
'%{Framed-Protocol}',              '%{Framed-IP-Address}',
 '0', '%{X-Ascend-Session-Svr-Key}')"
  accounting_start_query = "           INSERT INTO radacct
(acctsessionid,    acctuniqueid,     username,              realm,
   nasipaddress,     nasportid,              nasporttype,
 acctstarttime,    acctstoptime,              acctsessiontime,
 acctauthentic,    connectinfo_start,              connectinfo_stop,
acctinputoctets,  acctoutputoctets,              calledstationid,
 callingstationid, acctterminatecause,              servicetype,
 framedprotocol,   framedipaddress,              acctstartdelay,
acctstopdelay,    xascendsessionsvrkey)           VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
 '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,
 '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0', '0',
           '%{Called-Station-Id}', '%{Calling-Station-Id}', '',
 '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
   '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
  accounting_start_query_alt = "           UPDATE radacct SET
 acctstarttime     = '%S',              acctstartdelay    =
'%{%{Acct-Delay-Time}:-0}',              connectinfo_start =
'%{Connect-Info}'           WHERE acctsessionid  = '%{Acct-Session-Id}'
      AND username         = '%{SQL-User-Name}'           AND nasipaddress
    = '%{NAS-IP-Address}'"
  accounting_stop_query = "           UPDATE radacct SET
 acctstoptime       = '%S',              acctsessiontime    =
'%{Acct-Session-Time}',              acctinputoctets    =
'%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}',              acctoutputoctets   =
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}',              acctterminatecause =
'%{Acct-Terminate-Cause}',              acctstopdelay      =
'%{%{Acct-Delay-Time}:-0}',              connectinfo_stop   =
'%{Connect-Info}'           WHERE acctsessionid   = '%{Acct-Session-Id}'
        AND username          = '%{SQL-User-Name}'           AND
nasipaddress      = '%{NAS-IP-Address}'"
  accounting_stop_query_alt = "           INSERT INTO radacct
(acctsessionid, acctuniqueid, username,              realm, nasipaddress,
nasportid,              nasporttype, acctstarttime, acctstoptime,
   acctsessiontime, acctauthentic, connectinfo_start,
 connectinfo_stop, acctinputoctets, acctoutputoctets,
 calledstationid, callingstationid, acctterminatecause,
 servicetype, framedprotocol, framedipaddress,              acctstartdelay,
acctstopdelay)           VALUES             ('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',
 '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
 '%{NAS-Port-Type}',              DATE_SUB('%S',                  INTERVAL
(%{%{Acct-Session-Time}:-0} +                  %{%{Acct-Delay-Time}:-0})
SECOND),              '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}',
'',              '%{Connect-Info}',
 '%{%{Acct-Input-Gigawords}:-0}' << 32 |
 '%{%{Acct-Input-Octets}:-0}',
 '%{%{Acct-Output-Gigawords}:-0}' << 32 |
 '%{%{Acct-Output-Octets}:-0}',              '%{Called-Station-Id}',
'%{Calling-Station-Id}',              '%{Acct-Terminate-Cause}',
   '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
     '0', '%{%{Acct-Delay-Time}:-0}')"
  group_membership_query = "SELECT groupname           FROM radusergroup
        WHERE username = '%{SQL-User-Name}'           ORDER BY priority"
  connect_failure_retry_delay = 60
  simul_count_query = ""
  simul_verify_query = "SELECT radacctid, acctsessionid, username,
                       nasipaddress, nasportid, framedipaddress,
                     callingstationid, framedprotocol
         FROM radacct                                WHERE username =
'%{SQL-User-Name}'                                AND acctstoptime IS NULL"
  postauth_query = "INSERT INTO radpostauth
(username, pass, reply, authdate)                           VALUES (
                    '%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')"
  safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radius at lamp.jetdom.local:3306/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
 Module: Linked to module rlm_checkval
 Module: Instantiating module "checkval" from file /usr/pbi/freeradius-i386/etc/raddb/modules/checkval
  checkval {
  item-name = "Calling-Station-Id"
  check-name = "Calling-Station-Id"
  data-type = "string"
  notfound-reject = no
  }
rlm_checkval: Registered name Calling-Station-Id for attribute 31
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file /usr/pbi/freeradius-i386/etc/raddb/modules/acct_unique
  acct_unique {
  key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module "detail" from file /usr/pbi/freeradius-i386/etc/raddb/modules/detail
  detail {
  detailfile = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
  header = "%t"
  detailperm = 384
  dirperm = 493
  locking = no
  log_packet_header = no
  }
 Module: Instantiating module "datacounterdaily" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct
  exec datacounterdaily {
  wait = yes
  program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} daily %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
  input_pairs = "request"
  shell_escape = yes
  }
 Module: Instantiating module "datacounterweekly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct
  exec datacounterweekly {
  wait = yes
  program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} weekly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
  input_pairs = "request"
  shell_escape = yes
  }
 Module: Instantiating module "datacountermonthly" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct
  exec datacountermonthly {
  wait = yes
  program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} monthly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
  input_pairs = "request"
  shell_escape = yes
  }
 Module: Instantiating module "datacounterforever" from file /usr/pbi/freeradius-i386/etc/raddb/modules/datacounter_acct
  exec datacounterforever {
  wait = yes
  program = "/bin/sh /usr/pbi/freeradius-i386/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} forever %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
  input_pairs = "request"
  shell_escape = yes
  }
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /usr/pbi/freeradius-i386/etc/raddb/modules/radutmp
  radutmp {
  filename = "/var/log/radutmp"
  username = "%{User-Name}"
  case_sensitive = yes
  check_with_nas = yes
  perm = 384
  callerid = yes
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.accounting_response" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter
  attr_filter attr_filter.accounting_response {
  attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.accounting_response"
  key = "%{User-Name}"
  relaxed = no
  }
reading pairlist file
/usr/pbi/freeradius-i386/etc/raddb/attrs.accounting_response
 Module: Checking session {...} for more modules to load
 Module: Checking pre-proxy {...} for more modules to load
 Module: Instantiating module "attr_filter.pre-proxy" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter
  attr_filter attr_filter.pre-proxy {
  attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.pre-proxy"
  key = "%{Realm}"
  relaxed = no
  }
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs.pre-proxy
 Module: Checking post-proxy {...} for more modules to load
 Module: Instantiating module "attr_filter.post-proxy" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter
  attr_filter attr_filter.post-proxy {
  attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs"
  key = "%{Realm}"
  relaxed = no
  }
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "attr_filter.access_reject" from file
/usr/pbi/freeradius-i386/etc/raddb/modules/attr_filter
  attr_filter attr_filter.access_reject {
  attrsfile = "/usr/pbi/freeradius-i386/etc/raddb/attrs.access_reject"
  key = "%{User-Name}"
  relaxed = no
  }
reading pairlist file /usr/pbi/freeradius-i386/etc/raddb/attrs.access_reject
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
  type = "auth"
  ipaddr = 192.168.56.1
  port = 1812
}
listen {
  type = "acct"
  ipaddr = 192.168.56.1
  port = 1813
}
Listening on authentication address 192.168.56.1 port 1812
Listening on accounting address 192.168.56.1 port 1813
Listening on proxy address 192.168.56.1 port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.56.1 port 5829, id=1,
length=71
User-Name = "administrator"
User-Password = "jet10520b"
NAS-Port = 111
NAS-Port-Type = Async
NAS-IP-Address = 192.168.56.1
# Executing section authorize from file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "administrator", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "administrator", skipping NULL due to
config.
++[ntdomain] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
  [ldap] Entering ldap_groupcmp()
[files] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local
[files] expand: %{Stripped-User-Name} ->
[files] ... expanding second conditional
[files] expand: %{User-Name} -> administrator
[files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=administrator)
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to jetsms-srv2003.jetdom.local:389, authentication 0
  [ldap] setting TLS CACert File to
/usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem
  [ldap] setting TLS CACert Directory to
/usr/pbi/freeradius-i386/etc/raddb/certs/
  [ldap] setting TLS Require Cert to never
  [ldap] setting TLS Cert File to
/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt
  [ldap] setting TLS Key File to
/usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key
  [ldap] setting TLS Rand File to
/usr/pbi/freeradius-i386/etc/raddb/certs/random
  [ldap] bind as cn=pfsense,cn=Users,dc=jetdom,dc=local/Tramontane10520 to
jetsms-srv2003.jetdom.local:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(sAMAccountName=administrator)
  [ldap] ldap_release_conn: Release Id: 0
[files] expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal)))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(&(cn=InternetAccess)(|(&(objectClass=GroupOfNames)(member=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dAdministrator\2cCN\3dUsers\2cDC\3djetdom\2cDC\3dlocal))))
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in CN=Administrator,CN=Users,DC=jetdom,DC=local,
with filter (objectclass=*)
  [ldap] performing search in
CN=InternetAccess,CN=Users,DC=jetdom,DC=local, with filter
(cn=InternetAccess)
rlm_ldap::ldap_groupcmp: User found in group InternetAccess
  [ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 5
++[files] = ok
++policy redundant {
[sql] expand: %{User-Name} -> administrator
[sql] sql_set_user escaped user --> 'administrator'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY
id -> SELECT id, username, attribute, value, op           FROM radcheck
      WHERE username = 'administrator'           ORDER BY id
[sql] expand: SELECT groupname           FROM radusergroup           WHERE
username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username =
'administrator'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User administrator not found
+++[sql] = notfound
++} # policy redundant = notfound
++policy redundant {
[ldap] performing user authorization for administrator
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> administrator
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=administrator)
[ldap] expand: cn=Users,dc=jetdom,dc=local -> cn=Users,dc=jetdom,dc=local
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in cn=Users,dc=jetdom,dc=local, with filter
(sAMAccountName=administrator)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
  [ldap] ldap_release_conn: Release Id: 0
+++[ldap] = ok
++} # policy redundant = ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[weekly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[monthly] = noop
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[forever] = noop
rlm_checkval: Could not find item named Calling-Station-Id in request
rlm_checkval: Could not find attribute named Calling-Station-Id in check
pairs
++[checkval] = notfound
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
expand:  ->
Login OK: [administrator] (from client squid port 111)
# Executing section post-auth from file
/usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default
+group post-auth {
++policy redundant {
[sql] expand: %{User-Name} -> administrator
[sql] sql_set_user escaped user --> 'administrator'
[sql] expand: %{User-Password} -> jet10520b
[sql] expand: INSERT INTO radpostauth                           (username,
pass, reply, authdate)                           VALUES (
        '%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
        (username, pass, reply, authdate)                           VALUES
(                           'administrator',
'jet10520b',                           'Access-Accept', '2015-04-21
23:06:58')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
              (username, pass, reply, authdate)
VALUES (                           'administrator',
  'jet10520b',                           'Access-Accept', '2015-04-21
23:06:58')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
+++[sql] = ok
++} # policy redundant = ok
++[exec] = noop
+} # group post-auth = ok
Sending Access-Accept of id 1 to 192.168.56.1 port 5829
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 1 with timestamp +71
Ready to process requests.



On Tue, Apr 21, 2015 at 9:44 AM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Apr 21, 2015, at 12:07 AM, Jose Torres-Berrocal <jetsystemservices at gmail.com> wrote:
> > I noticed that my problem is that when using group options I get authorized
> > successfully but does not get authenticated (Using Compare Check Items = No
> > results in Access-Accept). When not using group options I get authorized
> > and authenticated successfully.
>
>   So... what does the debug output say?  You posted the configuration
> files, which aren't necessary, and don't help.
>
> > Is there a way to do a two pass process?  If I could run the first pass
> > without group options and the second pass if authenticated run with group
> > options, I will get my desired result.
>
>   The correct solution is to fix your policies.  They're wrong now.  It's
> best to understand *why* they're wrong, and fix the problem.
>
> > By the way I found how to run in debug mode in pfsense and do some custom
> > changes in the Users.conf file.
>
>   Then post the debug output here.
>
>   Alan DeKok.
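An added example, not part of the original post or of FreeRADIUS: a small Python check over `radiusd -X` output like the trace above that flags requests accepted through `Auth-Type = Accept`, the path on which the log shows the user being accepted with no password comparison. The sample trace is constructed (condensed from lines in this post, with a placeholder password and a hypothetical second user `bob`); `audit` and its field names are assumptions.

```python
import re

# Constructed sample: condensed FreeRADIUS 2.x `radiusd -X` trace in the
# shape of the debug output in this post (passwords are placeholders).
SAMPLE = """\
rad_recv: Access-Request packet from host 192.168.56.1 port 5829, id=1, length=71
User-Name = "administrator"
User-Password = "placeholder-secret"
rlm_ldap::ldap_groupcmp: User found in group InternetAccess
[files] users: Matched entry DEFAULT at line 5
[pap] WARNING: Auth-Type already set.  Not setting to PAP
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Sending Access-Accept of id 1 to 192.168.56.1 port 5829
Finished request 0.
rad_recv: Access-Request packet from host 192.168.56.1 port 5830, id=2, length=71
User-Name = "bob"
User-Password = "placeholder-secret"
Found Auth-Type = PAP
+group PAP {
++[pap] = ok
Sending Access-Accept of id 2 to 192.168.56.1 port 5830
Finished request 1.
"""

def audit(trace):
    """Return one finding dict per Access-Request in a radiusd -X trace."""
    findings = []
    for block in trace.split("rad_recv: ")[1:]:
        if not block.startswith("Access-Request"):
            continue
        user = re.search(r'(?m)^\s*User-Name = "([^"]*)"', block)
        found = re.search(r"(?m)^Found Auth-Type = (\S+)", block)
        auth_type = found.group(1) if found else None
        accepted = "Sending Access-Accept" in block
        findings.append({
            "user": user.group(1) if user else None,
            "auth_type": auth_type,
            "accepted": accepted,
            # Auth-Type = Accept accepts at once: no password is compared.
            "password_unchecked": accepted and auth_type == "Accept",
            "group_match": re.findall(r"User found in group (\S+)", block),
            "pap_skipped": "Auth-Type already set" in block,
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
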

