<HTML>
<HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META content="Open WebMail 2.32 20040525" name=GENERATOR>
</HEAD>
<BODY bgColor=#ffffff>
<font size="2">Surely someone has users in multiple groups and can tell me how to make that work.
<br />
<br />Scott Reed
<br />
Owner
<br />
NewWays
<br />
Wireless Networking
<br />
Network Design, Installation and Administration
<br />
<a target="_blank" href="http://www.nwwnet.net/">www.nwwnet.net</a>
<br />
<br />
<br /><b>---------- Original Message
-----------</b>
<br />
From: "Scott Reed" <sreed@nwwnet.net>
<br />
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
<br />
Sent: Wed, 5 Apr 2006 07:25:29 -0500
<br />
Subject: User in Multiple Groups
<br />
<br />>
<font size="2">I have searched the archive and came close to figuring this out,
but I have not been able to get a user to exist in 2 groups and have each
authenticate. I have one set of systems that need Login-User and then reply
with one set of responses and another set that need Framed-User and reply with a
different set of
responses.
<br />> I have both groups working if I have the user in just one group. If
the user is in 2 groups, one group works and the other Rejects. What is wrong
with my
configuration?
<br />>
<br />> There is an accounting request packet in the trace below that
shows that sreed is logged into one of the Framed-User devices. Then there is
the packet from treed trying to log into a Login-User
device.
<br />>
<br />> Configuration tables:
<br />>
<br />> USERGROUP
<br />> 80 sreed MS1-AP1
<br />> 76 treed MS1-AP1
<br />> 78 sreed Router-Admin
<br />> 79 treed Router-Admin
<br />> 81 dreed Router-Admin
<br />>
<br />> RADCHECK
<br />> 331 dreed User-Password == password
<br />> 269 treed User-Password == password
<br />> 267 sreed User-Password == password
<br />>
<br />> RADGROUPCHECK
<br />> 31 Router-Admin Service-Type == Login-User
<br />> 28 MS1-AP1 Service-Type == Framed-User
<br />>
<br />> RADREPLY
<br />> 33 sreed Fall-Through = yes
<br />> 43 treed Fall-Through = yes
<br />>
<br />> RADGROUPREPLY
<br />> 33 MS1-AP1 Port-Limit = 128k 15
<br />> 34 Router-Admin Mikrotik-Group = full 10
<br />> 39 Router-Admin Fall-Through = Yes 10
<br />> 37 MS1-AP1 Fall-Through = Yes 15
<br />>
<br />> Debug
trace:
<br />> rlm_sql_mysql: Starting connect to MySQL server for
#1
<br />> rlm_sql (sql): Connected new DB handle,
#1
<br />> rlm_sql (sql): starting
2
<br />> rlm_sql (sql): Attempting to connect rlm_sql_mysql
#2
<br />> rlm_sql_mysql: Starting connect to MySQL server for
#2
<br />> rlm_sql (sql): Connected new DB handle,
#2
<br />> rlm_sql (sql): starting
3
<br />> rlm_sql (sql): Attempting to connect rlm_sql_mysql
#3
<br />> rlm_sql_mysql: Starting connect to MySQL server for
#3
<br />> rlm_sql (sql): Connected new DB handle,
#3
<br />> rlm_sql (sql): starting
4
<br />> rlm_sql (sql): Attempting to connect rlm_sql_mysql
#4
<br />> rlm_sql_mysql: Starting connect to MySQL server for
#4
<br />> rlm_sql (sql): Connected new DB handle,
#4
<br />> rlm_sql (sql): -
generate_sql_clients
<br />> rlm_sql (sql): Query: SELECT * FROM
nas
<br />> rlm_sql (sql): Reserving sql socket id:
4
<br />> rlm_sql_mysql: query: SELECT * FROM
nas
<br />> rlm_sql (sql): Read entry
nasname=nwnr0004.nwadmin.net,shortname=nwnr0004,secret=sbr28tsr
<br />> rlm_sql (sql): Adding client 10.2.49.5 (nwnr0004) to clients
list
<br />> rlm_sql (sql): Read entry
nasname=nwnr0003.nwadmin.net,shortname=nwnr0003,secret=sbr28tsr
<br />> rlm_sql (sql): Adding client 10.2.49.4 (nwnr0003) to clients
list
<br />> rlm_sql (sql): Read entry
nasname=nwnr0002.nwadmin.net,shortname=nwnr0002,secret=sbr28tsr
<br />> rlm_sql (sql): Adding client 10.0.1.4 (nwnr0002) to clients
list
<br />> rlm_sql (sql): Read entry
nasname=hotspot.nwwhome.net,shortname=hotspot,secret=testing123
<br />> rlm_sql (sql): Adding client 192.168.100.13 (hotspot) to clients
list
<br />> rlm_sql (sql): Read entry
nasname=nwnr0001.nwadmin.net,shortname=nwnr0001,secret=sbr28tsr
<br />> rlm_sql (sql): Adding client 10.0.0.1 (nwnr0001) to clients
list
<br />> rlm_sql (sql): Released sql socket id:
4
<br />> Module: Instantiated sql
(sql)
<br />> Module: Loaded
Acct-Unique-Session-Id
<br />> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address,
NAS-Port"
<br />> Module: Instantiated acct_unique
(acct_unique)
<br />> Module: Loaded
detail
<br />> detail: detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
<br />> detail: detailperm =
384
<br />> detail: dirperm =
493
<br />> detail: locking =
no
<br />> Module: Instantiated detail
(detail)
<br />> Module: Loaded
System
<br />> unix: cache =
no
<br />> unix: passwd =
"(null)"
<br />> unix: shadow =
"/etc/shadow"
<br />> unix: group =
"(null)"
<br />> unix: radwtmp =
"/var/log/radius/radwtmp"
<br />> unix: usegroup =
no
<br />> unix: cache_reload =
600
<br />> Module: Instantiated unix
(unix)
<br />> Module: Loaded
radutmp
<br />> radutmp: filename =
"/var/log/radius/radutmp"
<br />> radutmp: username =
"%{User-Name}"
<br />> radutmp: case_sensitive =
yes
<br />> radutmp: check_with_nas =
yes
<br />> radutmp: perm =
384
<br />> radutmp: callerid =
yes
<br />> Module: Instantiated radutmp
(radutmp)
<br />> Module: Loaded
eap
<br />> eap: default_eap_type =
"md5"
<br />> eap: timer_expire =
60
<br />> eap: ignore_unknown_eap_types =
no
<br />> eap: cisco_accounting_username_bug =
no
<br />> rlm_eap: Loaded and initialized type
md5
<br />> rlm_eap: Loaded and initialized type
leap
<br />> gtc: challenge = "Password:
"
<br />> gtc: auth_type =
"PAP"
<br />> rlm_eap: Loaded and initialized type
gtc
<br />> mschapv2: with_ntdomain_hack =
no
<br />> rlm_eap: Loaded and initialized type
mschapv2
<br />> Module: Instantiated eap
(eap)
<br />> Listening on authentication
*:1812
<br />> Listening on accounting
*:1813
<br />> Listening on proxy
*:1814
<br />> Ready to process
requests.
<br />> rad_recv: Accounting-Request packet from host 192.168.100.13:1201,
id=165,
length=177
<br />> Service-Type =
Framed-User
<br />> Framed-Protocol =
PPP
<br />> NAS-Port =
17564
<br />> NAS-Port-Type =
Ethernet
<br />> User-Name =
"sreed"
<br />> Calling-Station-Id =
"00:05:9E:81:8B:DD"
<br />> Called-Station-Id =
"TestAP"
<br />> NAS-Port-Id =
"TestAP"
<br />> Acct-Session-Id =
"81700264"
<br />> Framed-IP-Address =
172.17.1.100
<br />> Acct-Authentic =
RADIUS
<br />> Acct-Session-Time =
54602
<br />> Acct-Input-Octets =
80
<br />> Acct-Input-Gigawords =
0
<br />> Acct-Input-Packets =
8
<br />> Acct-Output-Octets =
130
<br />> Acct-Output-Gigawords =
0
<br />> Acct-Output-Packets =
8
<br />> Acct-Status-Type =
Alive
<br />> NAS-Identifier =
"HotSpot"
<br />> NAS-IP-Address =
192.168.100.13
<br />> Acct-Delay-Time =
0
<br />> Processing the preacct section of
radiusd.conf
<br />> modcall: entering group preacct for request
0
<br />> modcall[preacct]: module "preprocess" returns noop for
request
0
<br />> rlm_acct_unique: Hashing 'NAS-Port = 17564,Client-IP-Address =
192.168.100.13,NAS-IP-Address = 192.168.100.13,Acct-Session-Id =
"81700264",User-Name =
"sreed"'
<br />> rlm_acct_unique: Acct-Unique-Session-ID =
"4553128d21acc6cf".
<br />> modcall[preacct]: module "acct_unique" returns ok for
request
0
<br />> rlm_realm: No '@' in User-Name = "sreed", looking up
realm
NULL
<br />> rlm_realm: No such realm
"NULL"
<br />> modcall[preacct]: module "suffix" returns noop for
request
0
<br />> modcall: group preacct returns ok for request
0
<br />> Processing the accounting section of
radiusd.conf
<br />> modcall: entering group accounting for request
0
<br />> radius_xlat:
'/var/log/radius/radacct/192.168.100.13/detail-20060405'
<br />> rlm_detail:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to
/var/log/radius/radacct/192.168.100.13/detail-20060405
<br />> modcall[accounting]: module "detail" returns ok for
request
0
<br />> modcall[accounting]: module "unix" returns noop for
request
0
<br />> radius_xlat:
'/var/log/radius/radutmp'
<br />> radius_xlat:
'sreed'
<br />> modcall[accounting]: module "radutmp" returns ok for
request
0
<br />> radius_xlat:
'sreed'
<br />> rlm_sql (sql): sql_set_user escaped user -->
'sreed'
<br />> radius_xlat: 'UPDATE radacct ? SET FramedIPAddress = '172.17.1.100',
? AcctSessionTime = '54602', ? AcctInputOctets = '80', ? AcctOutputOctets =
'130' ? WHERE AcctSessionId = '81700264' ? AND UserName = 'sreed' ? AND
NASIPAddress=
'192.168.100.13''
<br />> radius_xlat:
'/var/log/radius/sqltrace.sql'
<br />> rlm_sql (sql): Reserving sql socket id:
3
<br />> rlm_sql_mysql: query: UPDATE radacct ? SET FramedIPAddress =
'172.17.1.100', ? AcctSessionTime = '54602', ? AcctInputOctets = '80', ?
AcctOutputOctets = '130' ? WHERE AcctSessionId = '81700264' ? AND UserName =
'sreed' ? AND NASIPAddress=
'192.168.100.13'
<br />> rlm_sql (sql): Released sql socket id:
3
<br />> modcall[accounting]: module "sql" returns ok for request
0
<br />> modcall: group accounting returns ok for request
0
<br />> Sending Accounting-Response of id 165 to
192.168.100.13:1201
<br />> Finished request
0
<br />> Going to the next
request
<br />> --- Walking the entire request list
---
<br />> Waking up in 6
seconds...
<br />> rad_recv: Access-Request packet from host 192.168.100.13:1201,
id=166,
length=83
<br />> Service-Type =
Login-User
<br />> User-Name =
"treed"
<br />> User-Password =
"password"
<br />> Calling-Station-Id =
"192.168.100.240"
<br />> NAS-Identifier =
"HotSpot"
<br />> NAS-IP-Address =
192.168.100.13
<br />> Processing the authorize section of
radiusd.conf
<br />> modcall: entering group authorize for request
1
<br />> modcall[authorize]: module "preprocess" returns ok for
request
1
<br />> modcall[authorize]: module "chap" returns noop for
request
1
<br />> modcall[authorize]: module "mschap" returns noop for
request
1
<br />> rlm_realm: No '@' in User-Name = "treed", looking up
realm
NULL
<br />> rlm_realm: No such realm
"NULL"
<br />> modcall[authorize]: module "suffix" returns noop for
request
1
<br />> radius_xlat:
'treed'
<br />> rlm_sql (sql): sql_set_user escaped user -->
'treed'
<br />> radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = 'treed' ORDER BY
id'
<br />> rlm_sql (sql): Reserving sql socket id:
2
<br />> rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM
radcheck WHERE Username = 'treed' ORDER BY
id
<br />> radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'treed' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY
radgroupcheck.id'
<br />> rlm_sql_mysql: query: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'treed' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY
radgroupcheck.id
<br />> radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = 'treed' ORDER BY
id'
<br />> rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM
radreply WHERE Username = 'treed' ORDER BY
id
<br />> radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'treed' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY
radgroupreply.prio'
<br />> rlm_sql_mysql: query: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'treed' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY
radgroupreply.prio
<br />> rlm_sql (sql): No matching entry in the database for request from
user
[treed]
<br />> rlm_sql (sql): Released sql socket id:
2
<br />> modcall[authorize]: module "sql" returns notfound for
request
1
<br />> modcall: group authorize returns ok for request
1
<br />> auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the
user
<br />> auth: Failed to validate the
user.
<br />> Login incorrect: [treed/password] (from client hotspot port 0 cli
192.168.100.240)
<br />> Processing the post-auth section of
radiusd.conf
<br />> modcall: entering group Post-Auth-Type for request
1
<br />> rlm_sql (sql): Processing
sql_postauth
<br />> radius_xlat:
'treed'
<br />> rlm_sql (sql): sql_set_user escaped user -->
'treed'
<br />> radius_xlat: 'INSERT into radpostauth (id, user, pass, reply, date)
values ('', 'treed', 'password', 'Access-Reject',
NOW())'
<br />> radius_xlat:
'/var/log/radius/sqltrace.sql'
<br />> rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id,
user, pass, reply, date) values ('', 'treed', 'password', 'Access-Reject',
NOW())
<br />> rlm_sql (sql): Reserving sql socket id:
1
<br />> rlm_sql_mysql: query: INSERT into radpostauth (id, user, pass,
reply, date) values ('', 'treed', 'password', 'Access-Reject',
NOW())
<br />> rlm_sql (sql): Released sql socket id:
1
<br />> modcall[post-auth]: module "sql" returns ok for request
1
<br />> modcall: group Post-Auth-Type returns ok for request
1
<br />> Delaying request 1 for 1
seconds
<br />> Finished request
1
<br />> Going to the next
request
<br />> --- Walking the entire request list
---
<br />> Waking up in 1
seconds...
<br />> rad_recv: Access-Request packet from host 192.168.100.13:1201,
id=166,
length=83
<br />> Sending Access-Reject of id 166 to
192.168.100.13:1201
<br />> Waking up in 1
seconds...
<br />> --- Walking the entire request list
---
<br />> Waking up in 3
seconds...
<br />>
<br />> Scott Reed
<br />>
Owner
<br />>
NewWays
<br />>
Wireless Networking
<br />>
Network Design, Installation and Administration
<br />>
<a href="http://www.nwwnet.net/" target="_blank">www.nwwnet.net</a>
<br />>
<br />> <b>---------- Original Message
-----------</b>
<br />>
From: "debik" <debik@vp.pl>
<br />>
To: "FreeRadius users mailing list"
<freeradius-users@lists.freeradius.org>
<br />>
Sent: Wed, 5 Apr 2006 20:26:14 +0200
<br />>
Subject: Re: Couldn't stop freeradius server!!
<br />>
<br />> > Try "killall radiusd" or "killall
freeradius".
<br />> >
I have Debian and those commands are all right.
<br />> >
<br />> >
----- Original Message -----
<br />> >
From: "lmyho" <lm_yho@yahoo.com>
<br />> >
To: "FreeRadius users mailing list"
<freeradius-users@lists.freeradius.org>
<br />> >
Sent: Tuesday, April 04, 2006 6:19 PM
<br />> >
Subject: Re: Couldn't stop freeradius server!!
<br />> >
<br />> >
>
<br />> >
> --- monish ar <monish.ar@gmail.com> wrote:
<br />> >
>> Instead of using the command to stop the radius daemon, here's
another
<br />> >
>> simple way.....
<br />> >
>> At the console type " ps -ax | grep radiusd" , this
will give you the list
<br />> >
>> of
<br />> >
>> radius servers currently
<br />> >
>> along with its process IDs. The next thing you do is type "
kill pid# " ,
<br />> >
>> PID# refers to the process
<br />> >
>> id number of your currently running radius daemon. Hope it helps...
<br />> >
>> Don't know about the NAS list though...
<br />> >
>
<br />> >
> Hi Monish,
<br />> >
>
<br />> >
> Thank you for the idea! I checked, and found the process. but
on this
<br />> >
> debian
<br />> >
> system, the process is actually named "freeradius", instead of
the
<br />> >
> traditional
<br />> >
> "radiusd".:( So there are indeed some changes on how the
freeradius is
<br />> >
> run on
<br />> >
> debian. Do you have more idea about it?
<br />> >
> Can anyone tell me more on how the debian is running the freeradius and
<br />> >
> how I can
<br />> >
> stop the server from command line in debian system? (pls see problem
<br />> >
> detail below)
<br />> >
>
<br />> >
> Thanks a lot!!
<br />> >
> leo
<br />> >
>
<br />> >
>> On 4/4/06, lmyho <lm_yho@yahoo.com> wrote:
<br />> >
>> >
<br />> >
>> > Hi All,
<br />> >
>> >
<br />> >
>> > Installed freeradius 1.1.0-1 on debian system (2.6.15-1-686).
The
<br />> >
>> > radius
<br />> >
>> > server started automatically well each time when the system
booting.
<br />> >
>> > But I
<br />> >
> wanted to stop it to do some testing using my modified configuration
<br />> >
> files. I tried
<br />> >
> to stop the server using command: 'freeradius stop' ('radiusd' doesn't
<br />> >
> work on this
<br />> >
> debian - anyone knows why??)
<br />> >
>> >
<br />> >
>> > But so weird, no matter what command I gave, with parameter
<br />> >
>> > stop|start|restart, the server ALWAYS goes to START again!! even
from
<br />> >
>> > the
<br />> >
> /etc/init.d/freeradius I can read that the 'stop' param should stop the
<br />> >
> server! Can
<br />> >
> anyone tell me why the command couldn't stop the server?? and how should I
<br />> >
> stop it??
<br />> >
>> >
<br />> >
>> > The log file shows entries like this for each of my trying, even
the
<br />> >
>> > command given was to "stop":
<br />> >
>> >
<br />> >
>> > Tue Apr 4 01:14:13 2006 : Info: Using deprecated naslist
file.
<br />> >
>> > Support
<br />> >
>> > for this will go away soon.
<br />> >
>> > Tue Apr 4 01:14:13 2006 : Error: There appears to be another
RADIUS
<br />> >
>> > server running on the authenticat
<br />> >
>> >
<br />> >
>> > What is happening here? (I couldn't stop the running daemon,
so is the
<br />> >
>> > 2nd line above)
<br />> >
>> >
<br />> >
>> > Also, from the log file I noticed: even when the system
automatically
<br />> >
>> > started the freeradius server daemon, it was "Using
deprecated naslist
<br />> >
>> > file".
<br />> >
> Log entries show like this:
<br />> >
>> >
<br />> >
>> > Fri Mar 31 13:51:54 2006 : Info: Using deprecated naslist file.
<br />> >
>> > Support
<br />> >
>> > for this will go away soon.
<br />> >
>> > Fri Mar 31 13:51:54 2006 : Info: rlm_exec: Wait=yes but no output
<br />> >
>> > defined.
<br />> >
>> > Did you mean output=none?
<br />> >
>> > Fri Mar 31 13:51:55 2006 : Info: Ready to process requests.
<br />> >
>> >
<br />> >
>> > Can anyone tell me what is happening here?? Why it's using the
<br />> >
>> > deprecating naslist file? The installed radiusd.conf file doesn't
show
<br />> >
>> > the
<br />> >
> server will use the naslist
<br />> >
>> > file at all! from where I can stop the server to use this
deprecating
<br />> >
>> > file? Also what does the 2nd line of the above log entries
mean?
<br />> >
>> >
<br />> >
>> > Any help would be greatly appreciated! Thank you so much for
help in
<br />> >
>> > advance!!
<br />> >
>> >
<br />> >
>> > Best regards,
<br />> >
>> > leo
<br />> >
>>
<br />> >
>>
<br />> >
>>
<br />> >
>
<br />> >
>
<br />> >
> -
<br />> >
> List info/subscribe/unsubscribe? See
<br />> >
> <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a>
<br />> >
<br />> <b>------- End
of Original Message
-------</b>
<br />>
</font>
<br /><b>------- End of Original Message
-------</b>
<br />
</font>
</BODY>
</HTML>