I recently set up a freeradius 2 server with MySQL and I am having an issue where it doesn't appear to be doing group checks.

If I have a user set to a group it doesn't appear to check the attributes set in that group:

+----+----------+--------------+----+------------------------------------------+
| id | username | attribute    | op | value                                    |
+----+----------+--------------+----+------------------------------------------+
| 15 | user1    | SHA-Password | := | 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 |
+----+----------+--------------+----+------------------------------------------+
1 row in set (0.00 sec)

mysql> select * from radusergroup where username = 'user1';
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| user1    | admin     |        1 |
+----------+-----------+----------+
1 row in set (0.00 sec)

mysql> select * from radgroupcheck where groupname = 'admin';
+----+-----------+----------------+----+--------+
| id | groupname | attribute      | op | value  |
+----+-----------+----------------+----+--------+
|  3 | admin     | NAS-Identifier | == | Adtran |
+----+-----------+----------------+----+--------+
1 row in set (0.00 sec)

If I understand correctly the following request should be denied because the NAS-Identifier in the request doesn't match the one specified in the groupcheck table. However, it is replying with Access-Accept.

rad_recv: Access-Request packet from host 64.185.12.105 port 7458, id=61, length=56
        User-Name = "user1"
        User-Password = "password"
        NAS-Identifier = "Zhone MxK"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
        rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
        rlm_realm: No such realm "NULL"
++[suffix] returns noop
        rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
        expand: %{User-Name} -> user1
rlm_sql (sql): sql_set_user escaped user --> 'user1'
rlm_sql (sql): Reserving sql socket id: 3
        expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user1' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user1' ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'user1' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'user1' ORDER BY id
        expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'user1' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'user1' ORDER BY priority
        expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing SHA-Password from hex encoding
++[pap] returns updated
        rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "password"
rlm_pap: Using SHA1 encryption.
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [user1/password] (from client lab-mxk-1 port 0)
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
        expand: %{User-Name} -> user1
rlm_sql (sql): sql_set_user escaped user --> 'user1'
        expand: %{User-Password} -> password
        expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user1', 'password', 'Access-Accept', '2010-02-24 10:56:24')
        expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user1', 'password', 'Access-Accept', '2010-02-24 10:56:24')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user1', 'password', 'Access-Accept', '2010-02-24 10:56:24')
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 61 to 64.185.12.105 port 7458
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 61 with timestamp +9
Ready to process requests.

Any help would be greatly appreciated.

Thanks,
Craig
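The debug output above is consistent with how rlm_sql in FreeRADIUS 2 treats radgroupcheck rows: comparison items such as `NAS-Identifier == Adtran` decide whether a group applies to the request, and a group whose comparisons fail is skipped, not turned into an Access-Reject. The following Python model, added here as an illustration and not code from the original post or from FreeRADIUS, walks the poster's radusergroup and radgroupcheck rows in priority order, skips non-matching groups, and carries the `:=` items of the first matching group into the config items that later drive the Auth-Type decision. The `deny-all` group with `Auth-Type := Reject` is a constructed addition showing the usual FreeRADIUS idiom for rejecting users that match no earlier group; the password check itself is assumed to succeed, as it does in the post.

```python
"""Model of rlm_sql group processing (FreeRADIUS 2 semantics).

Added example, not code from the post or from FreeRADIUS. Tables marked
'from the post' are copied from it; the 'deny-all' group is constructed.
"""
import re
from typing import Dict, List, Tuple

Row = Tuple[str, str, str]               # (attribute, op, value)
Membership = List[Tuple[str, int]]       # [(groupname, priority), ...]

# From the post: user1 belongs to 'admin', which requires NAS-Identifier == Adtran.
RADUSERGROUP: Dict[str, Membership] = {"user1": [("admin", 1)]}
RADGROUPCHECK: Dict[str, List[Row]] = {
    "admin": [("NAS-Identifier", "==", "Adtran")],
}

# Constructed (not in the post): a lower-priority catch-all group whose only
# row is the FreeRADIUS idiom 'Auth-Type := Reject'.
RADUSERGROUP_WITH_FALLBACK: Dict[str, Membership] = {
    "user1": [("admin", 1), ("deny-all", 2)],
}
RADGROUPCHECK_WITH_FALLBACK: Dict[str, List[Row]] = dict(
    RADGROUPCHECK, **{"deny-all": [("Auth-Type", ":=", "Reject")]}
)

# Constructed request mirroring the Access-Request in the debug output.
REQUEST_ZHONE = {"User-Name": "user1", "NAS-Identifier": "Zhone MxK"}
REQUEST_ADTRAN = {"User-Name": "user1", "NAS-Identifier": "Adtran"}


def check_item_matches(request: Dict[str, str], attr: str, op: str, value: str) -> bool:
    """One comparison step; an attribute missing from the request fails '=='."""
    actual = request.get(attr)
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    if op in ("=~", "!~"):
        hit = actual is not None and re.search(value, actual) is not None
        return hit if op == "=~" else not hit
    raise ValueError(f"unsupported comparison operator {op!r}")


def process_groups(request: Dict[str, str], username: str,
                   radusergroup: Dict[str, Membership],
                   radgroupcheck: Dict[str, List[Row]]) -> Tuple[List[str], Dict[str, str]]:
    """Return (groups that matched, config items collected from them).

    ':=' and '+=' rows are assignments, not comparisons: they are applied
    only once every comparison row of the group has matched. Processing
    stops at the first matching group (Fall-Through is not modelled).
    """
    matched: List[str] = []
    config: Dict[str, str] = {}
    for groupname, _prio in sorted(radusergroup.get(username, []), key=lambda g: g[1]):
        rows = radgroupcheck.get(groupname, [])
        comparisons = [r for r in rows if r[1] not in (":=", "+=")]
        assignments = [r for r in rows if r[1] in (":=", "+=")]
        if not all(check_item_matches(request, *r) for r in comparisons):
            continue                      # group skipped: nothing applied, no reject
        matched.append(groupname)
        for attr, _op, value in assignments:
            config[attr] = value
        break
    return matched, config


def authorize(request: Dict[str, str], username: str,
              radusergroup: Dict[str, Membership],
              radgroupcheck: Dict[str, List[Row]]) -> str:
    """Packet type the server would send, assuming the password check passes."""
    _matched, config = process_groups(request, username, radusergroup, radgroupcheck)
    return "Access-Reject" if config.get("Auth-Type") == "Reject" else "Access-Accept"


if __name__ == "__main__":
    # Post's tables: the admin group is skipped and the request is still accepted.
    print(process_groups(REQUEST_ZHONE, "user1", RADUSERGROUP, RADGROUPCHECK))
    print(authorize(REQUEST_ZHONE, "user1", RADUSERGROUP, RADGROUPCHECK))
    # With the constructed catch-all group the same request is rejected.
    print(authorize(REQUEST_ZHONE, "user1", RADUSERGROUP_WITH_FALLBACK, RADGROUPCHECK_WITH_FALLBACK))
    print(authorize(REQUEST_ADTRAN, "user1", RADUSERGROUP_WITH_FALLBACK, RADGROUPCHECK_WITH_FALLBACK))
```

Run against the post's own rows, the model reproduces the observed Access-Accept for the "Zhone MxK" request: the `admin` group simply does not apply, and nothing else denies the user. With the constructed `deny-all` group at a lower priority, a request from an unexpected NAS falls through to it and is rejected, while a request from `Adtran` matches `admin` first and stops there.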