Alan,<br>
<br>
I'm using the man rlm_passwd examples and the examples within<br>
radiusd.conf and still I can't manage to make User-Group membership<br>
work.<br>
<br>
Here's my config:<br>
<br>
<span style="text-decoration: underline;">in radiusd.conf</span> :<br>
<br>
passwd MyGroup {<br>
filename = /etc/MyGroup<br>
format = "~Group-Name:::*,User-Name"<br>
hashsize = 50<br>
ignoreislike = yes<br>
allowmultiplekeys = yes<br>
delimiter = ":"<br>
}<br>
<br>
# Similar configuration, for the /etc/group file. Adds a Group-Name<br>
# attribute for every group that the user is member of.<br>
#<br>
#passwd etc_group {<br>
# filename = /etc/group<br>
# format = "=Group-Name:::*,User-Name"<br>
# hashsize = 50<br>
# ignorenislike = yes<br>
# allowmultiplekeys = yes<br>
# delimiter = ":"<br>
#}<br>
<br>
<span style="text-decoration: underline;">My /etc/MyGroup file :</span><br>
<br>
FIGrp:::*,Ami<br>
FIGrp:::*,John<br>
<br>
<span style="text-decoration: underline;">My users file :</span><br>
<br>
Ami Auth-Type := Local, Pool-Name := FITest, User-Password == "ami123"<br>
Reply-Message = "Hello, %u",<br>
Service-Type = Framed-User,<br>
Framed-Protocol = PPP<br>
<br>
FIGrp Auth-Type := Local<br>
Reply-Message = "Hello from Group, %u"<br>
<br>
<span style="text-decoration: underline;">My dictionary file:</span><br>
<br>
#ATTRIBUTE My-Local-String 3000 string<br>
#ATTRIBUTE My-Local-IPAddr 3001 ipaddr<br>
#ATTRIBUTE My-Local-Integer 3002 integer<br>
ATTRIBUTE My-Group 3003 string<br>
<br>
<span style="text-decoration: underline;">When I start radiusd -X :</span><br>
<br>
Starting - reading configuration files ...<br>
reread_config: reading radiusd.conf<br>
Config: including file: /usr/local/etc/raddb/proxy.conf<br>
Config: including file: /usr/local/etc/raddb/clients.conf<br>
Config: including file: /usr/local/etc/raddb/snmp.conf<br>
Config: including file: /usr/local/etc/raddb/eap.conf<br>
Config: including file: /usr/local/etc/raddb/sql.conf<br>
main: prefix = "/usr/local"<br>
main: localstatedir = "/usr/local/var"<br>
main: logdir = "/usr/local/var/log/radius"<br>
main: libdir = "/usr/local/lib"<br>
main: radacctdir = "/usr/local/var/log/radius/radacct"<br>
main: hostname_lookups = no<br>
main: max_request_time = 30<br>
main: cleanup_delay = 5<br>
main: max_requests = 1024<br>
main: delete_blocked_requests = 0<br>
main: port = 0<br>
main: allow_core_dumps = no<br>
main: log_stripped_names = no<br>
main: log_file = "/usr/local/var/log/radius/radius.log"<br>
main: log_auth = yes<br>
main: log_auth_badpass = yes<br>
main: log_auth_goodpass = yes<br>
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"<br>
main: user = "(null)"<br>
main: group = "(null)"<br>
main: usercollide = no<br>
main: lower_user = "no"<br>
main: lower_pass = "no"<br>
main: nospace_user = "no"<br>
main: nospace_pass = "no"<br>
main: checkrad = "/usr/local/sbin/checkrad"<br>
main: proxy_requests = yes<br>
proxy: retry_delay = 5<br>
proxy: retry_count = 3<br>
proxy: synchronous = no<br>
proxy: default_fallback = yes<br>
proxy: dead_time = 120<br>
proxy: post_proxy_authorize = no<br>
proxy: wake_all_if_all_dead = no<br>
security: max_attributes = 200<br>
security: reject_delay = 1<br>
security: status_server = no<br>
main: debug_level = 0<br>
read_config_files: reading dictionary<br>
read_config_files: reading naslist<br>
Using deprecated naslist file. Support for this will go away soon.<br>
read_config_files: reading clients<br>
read_config_files: reading realms<br>
radiusd: entering modules setup<br>
Module: Library search path is /usr/local/lib<br>
Module: Loaded exec<br>
exec: wait = yes<br>
exec: program = "(null)"<br>
exec: input_pairs = "request"<br>
exec: output_pairs = "(null)"<br>
exec: packet_type = "(null)"<br>
rlm_exec: Wait=yes but no output defined. Did you mean output=none?<br>
Module: Instantiated exec (exec)<br>
Module: Loaded expr<br>
Module: Instantiated expr (expr)<br>
Module: Loaded PAP<br>
pap: encryption_scheme = "crypt"<br>
Module: Instantiated pap (pap)<br>
Module: Loaded CHAP<br>
Module: Instantiated chap (chap)<br>
Module: Loaded MS-CHAP<br>
mschap: use_mppe = yes<br>
mschap: require_encryption = no<br>
mschap: require_strong = no<br>
mschap: with_ntdomain_hack = no<br>
mschap: passwd = "(null)"<br>
mschap: ntlm_auth = "(null)"<br>
Module: Instantiated mschap (mschap)<br>
Module: Loaded System<br>
unix: cache = no<br>
unix: passwd = "(null)"<br>
unix: shadow = "(null)"<br>
unix: group = "(null)"<br>
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"<br>
unix: usegroup = no<br>
unix: cache_reload = 600<br>
Module: Instantiated unix (unix)<br>
Module: Loaded eap<br>
eap: default_eap_type = "md5"<br>
eap: timer_expire = 60<br>
eap: ignore_unknown_eap_types = no<br>
eap: cisco_accounting_username_bug = no<br>
rlm_eap: Loaded and initialized type md5<br>
rlm_eap: Loaded and initialized type leap<br>
gtc: challenge = "Password: "<br>
gtc: auth_type = "PAP"<br>
rlm_eap: Loaded and initialized type gtc<br>
mschapv2: with_ntdomain_hack = no<br>
rlm_eap: Loaded and initialized type mschapv2<br>
Module: Instantiated eap (eap)<br>
Module: Loaded preprocess<br>
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"<br>
preprocess: hints = "/usr/local/etc/raddb/hints"<br>
preprocess: with_ascend_hack = no<br>
preprocess: ascend_channels_per_line = 23<br>
preprocess: with_ntdomain_hack = no<br>
preprocess: with_specialix_jetstream_hack = no<br>
preprocess: with_cisco_vsa_hack = no<br>
Module: Instantiated preprocess (preprocess)<br>
Module: Loaded realm<br>
realm: format = "suffix"<br>
realm: delimiter = "@"<br>
realm: ignore_default = no<br>
realm: ignore_null = no<br>
Module: Instantiated realm (suffix)<br>
Module: Loaded files<br>
files: usersfile = "/usr/local/etc/raddb/users"<br>
files: acctusersfile = "/usr/local/etc/raddb/acct_users"<br>
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"<br>
files: compat = "no"<br>
Module: Instantiated files (files)<br>
Module: Loaded Acct-Unique-Session-Id<br>
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"<br>
Module: Instantiated acct_unique (acct_unique)<br>
Module: Loaded detail<br>
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"<br>
detail: detailperm = 384<br>
detail: dirperm = 493<br>
detail: locking = no<br>
Module: Instantiated detail (detail)<br>
Module: Loaded radutmp<br>
radutmp: filename = "/usr/local/var/log/radius/radutmp"<br>
radutmp: username = "%{User-Name}"<br>
radutmp: case_sensitive = yes<br>
radutmp: check_with_nas = yes<br>
radutmp: perm = 384<br>
radutmp: callerid = yes<br>
Module: Instantiated radutmp (radutmp)<br>
Module: Loaded IPPOOL<br>
ippool: session-db = "/usr/local/etc/raddb/db.ippool"<br>
ippool: ip-index = "/usr/local/etc/raddb/db.ipindex"<br>
ippool: range-start = 10.10.10.1 IP address [10.10.10.1]<br>
ippool: range-stop = 10.10.10.10 IP address [10.10.10.10]<br>
ippool: netmask = 255.255.255.0 IP address [255.255.255.0]<br>
ippool: cache-size = 10<br>
ippool: override = yes<br>
ippool: maximum-timeout = 0<br>
Module: Instantiated ippool (FITest)<br>
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"<br>
detail: detailperm = 384<br>
detail: dirperm = 493<br>
detail: locking = no<br>
Module: Instantiated detail (reply_log)<br>
Listening on authentication *:1812<br>
Listening on accounting *:1813<br>
Ready to process requests.<br>
<br>
<br>
------------------------------------------------------------<br>
<br>
Is there anything in the examples I'm missing?<br>
<br>
Thanks,<br>
<br>
Ami<br>
<br>
<br>
<br>
<br><div><span class="gmail_quote">On 8/27/06, <b class="gmail_sendername">Alan DeKok</b> <<a href="mailto:aland@deployingradius.com">aland@deployingradius.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
"Ami Schieber" <<a href="mailto:ami.schieber@gmail.com">ami.schieber@gmail.com</a>> wrote:<br>
> Ok. I've probably mis-read the documents.<br>
> Can someone please provide an example of how to specify group membership to<br>
> a user and then define return values for this group ?<br>
<br>
Should I cut & paste the documentation from "man rlm_passwd" here?<br>
<br>
What part of that documentation is unclear?<br>
<br>
Alan DeKok.<br>
--<br>
<a href="http://deployingradius.com">http://deployingradius.com</a> - The web site of the book<br>
<a href="http://deployingradius.com/blog/">http://deployingradius.com/blog/</a> - The blog<br>
-<br>
List info/subscribe/unsubscribe? See<br>
<a href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a><br>
</blockquote></div><br>
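As an added example (my own Python, not FreeRADIUS code and not part of the thread), the following emulates how a passwd-style record is mapped onto attribute lists under the format prefixes used in the `MyGroup` and `etc_group` blocks above. The prefix semantics (my reading of the radiusd.conf comments), the sample group file and the `allowmultiplekeys` behaviour are assumptions, not something the post confirms.

```python
# Added example, not FreeRADIUS code: emulate how rlm_passwd turns passwd-style
# records into RADIUS attributes. Prefix semantics follow the radiusd.conf comments
# as I read them (an assumption): '*' key field, ',' comma-separated list field,
# '=' -> reply list, '~' -> request list, no prefix -> config (check) list.
from typing import Dict, List, Tuple


def parse_format(fmt: str, delimiter: str = ":") -> List[Tuple[str, str, bool]]:
    """Split e.g. "=Group-Name:::*,User-Name" into (name, destination, is_list)."""
    fields = []
    for raw in fmt.split(delimiter):
        dest = "config"
        if raw.startswith("*"):
            dest, raw = "key", raw[1:]
        elif raw.startswith("="):
            dest, raw = "reply", raw[1:]
        elif raw.startswith("~"):
            dest, raw = "request", raw[1:]
        is_list = raw.startswith(",")      # "*,User-Name": key holds a member list
        raw = raw.lstrip(",")
        fields.append((raw, "ignore" if raw == "" else dest, is_list))
    return fields


def lookup(fmt: str, lines: List[str], key: str, delimiter: str = ":",
           allowmultiplekeys: bool = True) -> Dict[str, List[Tuple[str, str]]]:
    """Return the attributes every record whose key field contains `key` would add."""
    fields = parse_format(fmt, delimiter)
    out: Dict[str, List[Tuple[str, str]]] = {"config": [], "reply": [], "request": []}
    for line in lines:
        values = line.rstrip("\n").split(delimiter)
        if len(values) != len(fields):
            continue                       # wrong field count: record is skipped
        pairs = list(zip(fields, values))
        if not any(key in (v.split(",") if lst else [v])
                   for (_, dest, lst), v in pairs if dest == "key"):
            continue
        for (name, dest, lst), v in pairs:
            if dest not in ("key", "ignore"):
                out[dest].extend((name, x) for x in (v.split(",") if lst else [v]))
        if not allowmultiplekeys:
            break                          # assumption: only the first match is used
    return out


# Constructed sample group file; the "*," belongs in the format, not in the data.
GROUP_FILE = ["FIGrp:::Ami,John", "Ops:::John"]

# The post's '~' format lands Group-Name in the request list, etc_group's '=' in reply.
AMI_REQUEST = lookup("~Group-Name:::*,User-Name", GROUP_FILE, "Ami")
JOHN_REPLY = lookup("=Group-Name:::*,User-Name", GROUP_FILE, "John")
```

Whatever the format would produce, note that the `radiusd -X` output above contains no `passwd:` configuration lines and no loaded passwd module at all, so the `MyGroup` instance is never instantiated in that run.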