<HTML>
<HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META content="Open WebMail 2.32 20040525" name=GENERATOR>
</HEAD>
<BODY bgColor=#ffffff>
<font size="2">I have searched the archive and came close to figuring this out, but I have not been able to get a user to exist in 2 groups and have each authenticate. I have one set of systems that need Login-User and then reply with one set of responses and another set that need Framed-User and reply with a different set of responses.
<br />I have both groups working if I have the user in just one group. If the user is in 2 groups, one group works and the other Rejects. What is wrong with my configuration?
<br />
<br />There is an accounting request packet in the trace below that shows that sreed is logged into one of the Framed-User devices. Then there is the packet from treed trying to log into a Login-User device.
<br />
<br />Configuration tables:
<br />USERGROUP
<br />80 sreed MS1-AP1
<br />76 treed MS1-AP1
<br />78 sreed Router-Admin
<br />79 treed Router-Admin
<br />81 dreed Router-Admin
<br />
<br />RADCHECK
<br />331 dreed User-Password == password
<br />269 treed User-Password == password
<br />267 sreed User-Password == password
<br />
<br />RADGROUPCHECK
<br />31 Router-Admin Service-Type == Login-User
<br />28 MS1-AP1 Service-Type == Framed-User
<br />
<br />RADREPLY
<br />33 sreed Fall-Through = yes
<br />43 treed Fall-Through = yes
<br />
<br />RADGROUPREPLY
<br />33 MS1-AP1 Port-Limit = 128k 15
<br />34 Router-Admin Mikrotik-Group = full 10
<br />39 Router-Admin Fall-Through = Yes 10
<br />37 MS1-AP1 Fall-Through = Yes 15
<br />
<br />Debug trace:
<br />rlm_sql_mysql: Starting connect to MySQL server for #1
<br />rlm_sql (sql): Connected new DB handle, #1
<br />rlm_sql (sql): starting 2
<br />rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
<br />rlm_sql_mysql: Starting connect to MySQL server for #2
<br />rlm_sql (sql): Connected new DB handle, #2
<br />rlm_sql (sql): starting 3
<br />rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
<br />rlm_sql_mysql: Starting connect to MySQL server for #3
<br />rlm_sql (sql): Connected new DB handle, #3
<br />rlm_sql (sql): starting 4
<br />rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
<br />rlm_sql_mysql: Starting connect to MySQL server for #4
<br />rlm_sql (sql): Connected new DB handle, #4
<br />rlm_sql (sql): - generate_sql_clients
<br />rlm_sql (sql): Query: SELECT * FROM nas
<br />rlm_sql (sql): Reserving sql socket id: 4
<br />rlm_sql_mysql: query: SELECT * FROM nas
<br />rlm_sql (sql): Read entry nasname=nwnr0004.nwadmin.net,shortname=nwnr0004,secret=sbr28tsr
<br />rlm_sql (sql): Adding client 10.2.49.5 (nwnr0004) to clients list
<br />rlm_sql (sql): Read entry nasname=nwnr0003.nwadmin.net,shortname=nwnr0003,secret=sbr28tsr
<br />rlm_sql (sql): Adding client 10.2.49.4 (nwnr0003) to clients list
<br />rlm_sql (sql): Read entry nasname=nwnr0002.nwadmin.net,shortname=nwnr0002,secret=sbr28tsr
<br />rlm_sql (sql): Adding client 10.0.1.4 (nwnr0002) to clients list
<br />rlm_sql (sql): Read entry nasname=hotspot.nwwhome.net,shortname=hotspot,secret=testing123
<br />rlm_sql (sql): Adding client 192.168.100.13 (hotspot) to clients list
<br />rlm_sql (sql): Read entry nasname=nwnr0001.nwadmin.net,shortname=nwnr0001,secret=sbr28tsr
<br />rlm_sql (sql): Adding client 10.0.0.1 (nwnr0001) to clients list
<br />rlm_sql (sql): Released sql socket id: 4
<br />Module: Instantiated sql (sql)
<br />Module: Loaded Acct-Unique-Session-Id
<br /> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
<br />Module: Instantiated acct_unique (acct_unique)
<br />Module: Loaded detail
<br /> detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
<br /> detail: detailperm = 384
<br /> detail: dirperm = 493
<br /> detail: locking = no
<br />Module: Instantiated detail (detail)
<br />Module: Loaded System
<br /> unix: cache = no
<br /> unix: passwd = "(null)"
<br /> unix: shadow = "/etc/shadow"
<br /> unix: group = "(null)"
<br /> unix: radwtmp = "/var/log/radius/radwtmp"
<br /> unix: usegroup = no
<br /> unix: cache_reload = 600
<br />Module: Instantiated unix (unix)
<br />Module: Loaded radutmp
<br /> radutmp: filename = "/var/log/radius/radutmp"
<br /> radutmp: username = "%{User-Name}"
<br /> radutmp: case_sensitive = yes
<br /> radutmp: check_with_nas = yes
<br /> radutmp: perm = 384
<br /> radutmp: callerid = yes
<br />Module: Instantiated radutmp (radutmp)
<br />Module: Loaded eap
<br /> eap: default_eap_type = "md5"
<br /> eap: timer_expire = 60
<br /> eap: ignore_unknown_eap_types = no
<br /> eap: cisco_accounting_username_bug = no
<br />rlm_eap: Loaded and initialized type md5
<br />rlm_eap: Loaded and initialized type leap
<br /> gtc: challenge = "Password: "
<br /> gtc: auth_type = "PAP"
<br />rlm_eap: Loaded and initialized type gtc
<br /> mschapv2: with_ntdomain_hack = no
<br />rlm_eap: Loaded and initialized type mschapv2
<br />Module: Instantiated eap (eap)
<br />Listening on authentication *:1812
<br />Listening on accounting *:1813
<br />Listening on proxy *:1814
<br />Ready to process requests.
<br />rad_recv: Accounting-Request packet from host 192.168.100.13:1201, id=165, length=177
<br /> Service-Type = Framed-User
<br /> Framed-Protocol = PPP
<br /> NAS-Port = 17564
<br /> NAS-Port-Type = Ethernet
<br /> User-Name = "sreed"
<br /> Calling-Station-Id = "00:05:9E:81:8B:DD"
<br /> Called-Station-Id = "TestAP"
<br /> NAS-Port-Id = "TestAP"
<br /> Acct-Session-Id = "81700264"
<br /> Framed-IP-Address = 172.17.1.100
<br /> Acct-Authentic = RADIUS
<br /> Acct-Session-Time = 54602
<br /> Acct-Input-Octets = 80
<br /> Acct-Input-Gigawords = 0
<br /> Acct-Input-Packets = 8
<br /> Acct-Output-Octets = 130
<br /> Acct-Output-Gigawords = 0
<br /> Acct-Output-Packets = 8
<br /> Acct-Status-Type = Alive
<br /> NAS-Identifier = "HotSpot"
<br /> NAS-IP-Address = 192.168.100.13
<br /> Acct-Delay-Time = 0
<br /> Processing the preacct section of radiusd.conf
<br />modcall: entering group preacct for request 0
<br /> modcall[preacct]: module "preprocess" returns noop for request 0
<br />rlm_acct_unique: Hashing 'NAS-Port = 17564,Client-IP-Address = 192.168.100.13,NAS-IP-Address = 192.168.100.13,Acct-Session-Id = "81700264",User-Name = "sreed"'
<br />rlm_acct_unique: Acct-Unique-Session-ID = "4553128d21acc6cf".
<br /> modcall[preacct]: module "acct_unique" returns ok for request 0
<br /> rlm_realm: No '@' in User-Name = "sreed", looking up realm NULL
<br /> rlm_realm: No such realm "NULL"
<br /> modcall[preacct]: module "suffix" returns noop for request 0
<br />modcall: group preacct returns ok for request 0
<br /> Processing the accounting section of radiusd.conf
<br />modcall: entering group accounting for request 0
<br />radius_xlat: '/var/log/radius/radacct/192.168.100.13/detail-20060405'
<br />rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/192.168.100.13/detail-20060405
<br /> modcall[accounting]: module "detail" returns ok for request 0
<br /> modcall[accounting]: module "unix" returns noop for request 0
<br />radius_xlat: '/var/log/radius/radutmp'
<br />radius_xlat: 'sreed'
<br /> modcall[accounting]: module "radutmp" returns ok for request 0
<br />radius_xlat: 'sreed'
<br />rlm_sql (sql): sql_set_user escaped user --> 'sreed'
<br />radius_xlat: 'UPDATE radacct ? SET FramedIPAddress = '172.17.1.100', ? AcctSessionTime = '54602', ? AcctInputOctets = '80', ? AcctOutputOctets = '130' ? WHERE AcctSessionId = '81700264' ? AND UserName = 'sreed' ? AND NASIPAddress= '192.168.100.13''
<br />radius_xlat: '/var/log/radius/sqltrace.sql'
<br />rlm_sql (sql): Reserving sql socket id: 3
<br />rlm_sql_mysql: query: UPDATE radacct ? SET FramedIPAddress = '172.17.1.100', ? AcctSessionTime = '54602', ? AcctInputOctets = '80', ? AcctOutputOctets = '130' ? WHERE AcctSessionId = '81700264' ? AND UserName = 'sreed' ? AND NASIPAddress= '192.168.100.13'
<br />rlm_sql (sql): Released sql socket id: 3
<br /> modcall[accounting]: module "sql" returns ok for request 0
<br />modcall: group accounting returns ok for request 0
<br />Sending Accounting-Response of id 165 to 192.168.100.13:1201
<br />Finished request 0
<br />Going to the next request
<br />--- Walking the entire request list ---
<br />Waking up in 6 seconds...
<br />rad_recv: Access-Request packet from host 192.168.100.13:1201, id=166, length=83
<br /> Service-Type = Login-User
<br /> User-Name = "treed"
<br /> User-Password = "password"
<br /> Calling-Station-Id = "192.168.100.240"
<br /> NAS-Identifier = "HotSpot"
<br /> NAS-IP-Address = 192.168.100.13
<br /> Processing the authorize section of radiusd.conf
<br />modcall: entering group authorize for request 1
<br /> modcall[authorize]: module "preprocess" returns ok for request 1
<br /> modcall[authorize]: module "chap" returns noop for request 1
<br /> modcall[authorize]: module "mschap" returns noop for request 1
<br /> rlm_realm: No '@' in User-Name = "treed", looking up realm NULL
<br /> rlm_realm: No such realm "NULL"
<br /> modcall[authorize]: module "suffix" returns noop for request 1
<br />radius_xlat: 'treed'
<br />rlm_sql (sql): sql_set_user escaped user --> 'treed'
<br />radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'treed' ORDER BY id'
<br />rlm_sql (sql): Reserving sql socket id: 2
<br />rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'treed' ORDER BY id
<br />radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'treed' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
<br />rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'treed' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
<br />radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'treed' ORDER BY id'
<br />rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'treed' ORDER BY id
<br />radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'treed' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.prio'
<br />rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'treed' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.prio
<br />rlm_sql (sql): No matching entry in the database for request from user [treed]
<br />rlm_sql (sql): Released sql socket id: 2
<br /> modcall[authorize]: module "sql" returns notfound for request 1
<br />modcall: group authorize returns ok for request 1
<br />auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
<br />auth: Failed to validate the user.
<br />Login incorrect: [treed/password] (from client hotspot port 0 cli 192.168.100.240)
<br /> Processing the post-auth section of radiusd.conf
<br />modcall: entering group Post-Auth-Type for request 1
<br />rlm_sql (sql): Processing sql_postauth
<br />radius_xlat: 'treed'
<br />rlm_sql (sql): sql_set_user escaped user --> 'treed'
<br />radius_xlat: 'INSERT into radpostauth (id, user, pass, reply, date) values ('', 'treed', 'password', 'Access-Reject', NOW())'
<br />radius_xlat: '/var/log/radius/sqltrace.sql'
<br />rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'treed', 'password', 'Access-Reject', NOW())
<br />rlm_sql (sql): Reserving sql socket id: 1
<br />rlm_sql_mysql: query: INSERT into radpostauth (id, user, pass, reply, date) values ('', 'treed', 'password', 'Access-Reject', NOW())
<br />rlm_sql (sql): Released sql socket id: 1
<br /> modcall[post-auth]: module "sql" returns ok for request 1
<br />modcall: group Post-Auth-Type returns ok for request 1
<br />Delaying request 1 for 1 seconds
<br />Finished request 1
<br />Going to the next request
<br />--- Walking the entire request list ---
<br />Waking up in 1 seconds...
<br />rad_recv: Access-Request packet from host 192.168.100.13:1201, id=166, length=83
<br />Sending Access-Reject of id 166 to 192.168.100.13:1201
<br />Waking up in 1 seconds...
<br />--- Walking the entire request list ---
<br />Waking up in 3 seconds...
<br />
<br />
<br />
<br />
<br />Scott Reed
<br />
Owner
<br />
NewWays
<br />
Wireless Networking
<br />
Network Design, Installation and Administration
<br />
<a target="_blank" href="http://www.nwwnet.net/">www.nwwnet.net</a>
<br />
<br />
<br /><b>---------- Original Message
-----------</b>
<br />
From: "debik" <debik@vp.pl>
<br />
To: "FreeRadius users mailing list"
<freeradius-users@lists.freeradius.org>
<br />
Sent: Wed, 5 Apr 2006 20:26:14 +0200
<br />
Subject: Re: Couldn't stop freeradius server!!
<br />
<br />> Try "killall radiusd" or "killall
freeradius".
<br />>
I have Debian and those commands are all right.
<br />>
<br />>
----- Original Message -----
<br />>
From: "lmyho" <lm_yho@yahoo.com>
<br />>
To: "FreeRadius users mailing list"
<freeradius-users@lists.freeradius.org>
<br />>
Sent: Tuesday, April 04, 2006 6:19 PM
<br />>
Subject: Re: Couldn't stop freeradius server!!
<br />>
<br />>
>
<br />>
> --- monish ar <monish.ar@gmail.com> wrote:
<br />>
>> Instead of using the command to stop the radius daemon, herez
another
<br />>
>> simple way.....
<br />>
>> At the console type " ps -ax | grep radiusd" , this
will give u the list
<br />>
>> of
<br />>
>> radius servers currently
<br />>
>> along with its process IDs. The next thing u do is type "
kill pid# " ,
<br />>
>> PID# refers to the process
<br />>
>> id number of ur currently running radius daemon. Hope it helps...
<br />>
>> Dunno bout the NAS list though...
<br />>
>
<br />>
> Hi Monish,
<br />>
>
<br />>
> Thank you for the idea! I checked, and found the process. but
on this
<br />>
> debian
<br />>
> system, the process is actually named "freeradius", instead of
the
<br />>
> traditional
<br />>
> "radiusd".:( So there are indeed some changes on how the
freeradius is
<br />>
> run on
<br />>
> debian. Do you have more idea about it?
<br />>
> Can anyone tell me more on how the debian is running the freeradius and
<br />>
> how I can
<br />>
> stop the server from command line in debian system? (pls see problem
<br />>
> detail below)
<br />>
>
<br />>
> Thanks a lot!!
<br />>
> leo
<br />>
>
<br />>
>> On 4/4/06, lmyho <lm_yho@yahoo.com> wrote:
<br />>
>> >
<br />>
>> > Hi All,
<br />>
>> >
<br />>
>> > Installed freeradius 1.1.0-1 on debian system (2.6.15-1-686).
The
<br />>
>> > radius
<br />>
>> > server started automatically well each time when the system
booting.
<br />>
>> > But I
<br />>
> wanted to stop it to do some testing using my modified configuration
<br />>
> files. I tried
<br />>
> to stop the server using command: 'freeradius stop' ('radiusd' doesn't
<br />>
> work on this
<br />>
> debian - anyone knows why??)
<br />>
>> >
<br />>
>> > But so weird, no matter what command I gave, with parameter
<br />>
>> > stop|start|restart, the server ALWAYS goes to START again!! even
from
<br />>
>> > the
<br />>
> /etc/init.d/freeradius I can read that the 'stop' param should stop the
<br />>
> server! Can
<br />>
> anyone tell me why the command couldn't stop the server?? and how should I
<br />>
> stop it??
<br />>
>> >
<br />>
>> > The log file shows entries like this for each of my trying, even
the
<br />>
>> > command given was to "stop":
<br />>
>> >
<br />>
>> > Tue Apr 4 01:14:13 2006 : Info: Using deprecated naslist
file.
<br />>
>> > Support
<br />>
>> > for this will go away soon.
<br />>
>> > Tue Apr 4 01:14:13 2006 : Error: There appears to be another
RADIUS
<br />>
>> > server running on the authenticat
<br />>
>> >
<br />>
>> > What is happening here? (I couldn't stop the running daemon,
so is the
<br />>
>> > 2nd line above)
<br />>
>> >
<br />>
>> > Also, from the log file I noticed: even when the system
automatically
<br />>
>> > started the freeradius server daemon, it was "Using
deprecated naslist
<br />>
>> > file".
<br />>
> Log entries show like this:
<br />>
>> >
<br />>
>> > Fri Mar 31 13:51:54 2006 : Info: Using deprecated naslist file.
<br />>
>> > Support
<br />>
>> > for this will go away soon.
<br />>
>> > Fri Mar 31 13:51:54 2006 : Info: rlm_exec: Wait=yes but no output
<br />>
>> > defined.
<br />>
>> > Did you mean output=none?
<br />>
>> > Fri Mar 31 13:51:55 2006 : Info: Ready to process requests.
<br />>
>> >
<br />>
>> > Can anyone tell me what is happening here?? Why it's using the
<br />>
>> > deprecating naslist file? The installed radiusd.conf file doesn't
show
<br />>
>> > the
<br />>
> server will use the naslist
<br />>
>> > file at all! from where I can stop the server to use this
deprecating
<br />>
>> > file? Also what does the 2nd line of the above log entries
mean?
<br />>
>> >
<br />>
>> > Any help would be greatly appreciated! Thank you so much for
help in
<br />>
>> > advance!!
<br />>
>> >
<br />>
>> > Best regards,
<br />>
>> > leo
<br />>
>>
<br />>
>>
<br />>
>>
<br />>
>
<br />>
>
<br />>
<br /><b>------- End
of Original Message
-------</b>
<br />
</font>
</BODY>
</HTML>