<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style>
<!--
@font-face
{font-family:Calibri}
@font-face
{font-family:Tahoma}
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif"}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif"}
span.E-postmall17
{font-family:"Calibri","sans-serif";
color:windowtext}
span.BallongtextChar
{font-family:"Tahoma","sans-serif"}
.MsoChpDefault
{}
@page WordSection1
{margin:70.85pt 70.85pt 70.85pt 70.85pt}
div.WordSection1
{}
-->
</style>
</head>
<body lang="SV" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-GB">Hello,</span></p>
<p class="MsoNormal"><span lang="EN-GB"> </span></p>
<p class="MsoNormal"><span lang="EN-GB">Never played around with groups using rlm_sql and the default schema..<br>
I am reading what i assume is saying that it should be possible to have several groups to a account and each group should be able to supply that specific groups radgroupreply attributes..</span></p>
<p class="MsoNormal"><b><span lang="EN-GB">Number 4 below sure sounds like it should get all the accounts groups first and then process them according to priority? Below test shows it only reads the first group? And no matter what priority..<br>
Is that how it should work or what am i missing here?</span></b><span lang="EN-GB"><br>
<br>
</span></p>
<p class="MsoNormal"><span lang="EN-GB">1.Search the radcheck table for any check attributes specific to the user</span></p>
<p class="MsoNormal"><span lang="EN-GB">2.If check attributes are found, and there's a match, pull the reply items from the radreply table for this user and add them to the reply</span></p>
<p class="MsoNormal"><span lang="EN-GB">3.Group processing then begins if any of the following conditions are met:</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-family:"Arial","sans-serif"">◦</span><span lang="EN-GB">The user IS NOT found in radcheck</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-family:"Arial","sans-serif"">◦</span><span lang="EN-GB">The user IS found in radcheck, but the check items don't match</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-family:"Arial","sans-serif"">◦</span><span lang="EN-GB">The user IS found in radcheck, the check items DO match AND Fall-Through is set in the radreply table</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-family:"Arial","sans-serif"">◦</span><span lang="EN-GB">The user IS found in radcheck, the check items DO match AND the read_groups directive is set to 'yes'</span></p>
<p class="MsoNormal"><span lang="EN-GB">4.If groups are to be processed for this user, the first thing that is done is the list of groups this user is a member of is pulled from the usergroup table ordered by the priority field. The priority field of the usergroup
table allows us to control the order in which groups are processed, so that we can emulate the ordering in the users file. This can be important in many cases.</span></p>
<p class="MsoNormal"><span lang="EN-GB">5.For each group this user is a member of, the corresponding check items are pulled from radgroupcheck table and compared with the request. If there is a match, the reply items for this group are pulled from the radgroupreply
table and applied.</span></p>
<p class="MsoNormal"><span lang="EN-GB">6.Processing continues to the next group IF:</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-family:"Arial","sans-serif"">◦</span><span lang="EN-GB">There was not a match for the last group's check items OR</span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-family:"Arial","sans-serif"">◦</span><span lang="EN-GB">Fall-Through was set in the last group's reply items (The above is exactly the same as in the users file)</span></p>
<p class="MsoNormal"><span lang="EN-GB">7.Finally, if the user has a User-Profile attribute set or the Default Profile option is set in the sql.conf, then steps 4-6 are repeated for the groups that the profile is a member of.<b><br>
<br>
To test it i added som data to</b></span></p>
<p class="MsoNormal"><b><span lang="EN-GB"> </span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">mysql> select * from radcheck;</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">+----+----------+-----------+----+-------+</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">| id | username | attribute | op | value |</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">+----+----------+-----------+----+-------+</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">| 8 | alex | Password | := | test |</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">+----+----------+-----------+----+-------+</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB"><br>
mysql> select * from radusergroup;</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">+----------+------------------+----------+</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">| username | groupname | priority |</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">+----------+------------------+----------+</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">| alex | mega-admin-group | 0 |</span></b></p>
<p class="MsoNormal"><b>| alex | cisco_admin | 1 |</b></p>
<p class="MsoNormal"><b>+----------+------------------+----------+</b></p>
<p class="MsoNormal"><b><span lang="EN-GB"><br>
mysql> select * from radgroupreply;</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">+----+------------------+----------------+----+----------------------------------+</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">| id | groupname | attribute | op | value |</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">+----+------------------+----------------+----+----------------------------------+</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">| 1 | mega-admin-group | Reply-Message | = | test-mega-admin-reply-attribute |</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">| 2 | mega-admin-group | NAS-Identifier | = | test-NAS |</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">| 3 | cisco_admin | Service-Type | = | NAS-Prompt-User |</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">| 4 | cisco_admin | cisco-avpair | = | shell:priv-lvl=15 |</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">+----+------------------+----------------+----+----------------------------------+</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">5 rows in set (0.00 sec)<br>
<br>
root@noc1:/etc/freeradius# radtest -x alex test localhost 1812 testing123</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">Sending Access-Request of id 69 to 127.0.0.1 port 1812</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB"> User-Name = "alex"</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB"> User-Password = "test"</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB"> NAS-IP-Address = 10.173.2.10</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB"> NAS-Port = 1812</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=69, length=63</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB"> Reply-Message = "test-mega-admin-reply-attribute"</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB"> NAS-Identifier = "test-NAS" < -- Only replies from group mega-admin-group<br>
<br>
<br>
</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">And freeradius debug is showing it only checked replies from the first group..<br>
<br>
rad_recv: Access-Request packet from host 127.0.0.1 port 49061, id=3, length=56</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB"> User-Name = "alex"</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB"> User-Password = "test"</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB"> NAS-IP-Address = 10.173.2.10</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB"> NAS-Port = 1812</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB"># Executing section authorize from file /etc/freeradius/sites-enabled/default</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">+- entering group authorize {...}</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">++[preprocess] returns ok</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">rlm_perl: rlm_perl::Itux DEBUG::Inside authorize Function.</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">rlm_perl: Added pair User-Name = alex</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">rlm_perl: Added pair User-Password = test</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">rlm_perl: Added pair NAS-Port = 1812</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">rlm_perl: Added pair NAS-IP-Address = 10.173.2.10</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">++[perl] returns ok</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">++[chap] returns noop</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">++[mschap] returns noop</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">++[digest] returns noop</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">[suffix] No '@' in User-Name = "alex", looking up realm NULL</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">[suffix] No such realm "NULL"</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">++[suffix] returns noop</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">[sql] expand: %{User-Name} -> alex</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">[sql] sql_set_user escaped user --> 'alex'</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">rlm_sql (sql): Reserving sql socket id: 3</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'alex' ORDER BY id</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">[sql] User found in radcheck table</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'alex' ORDER BY id</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'alex'
ORDER BY priority</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value,
op FROM radgroupcheck WHERE groupname = 'mega-admin-group' ORDER BY id</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">[sql] User found in group mega-admin-group</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value,
op FROM radgroupreply WHERE groupname = 'mega-admin-group' ORDER BY id</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">rlm_sql (sql): Released sql socket id: 3</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">++[sql] returns ok</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">++[expiration] returns noop</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">++[logintime] returns noop</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">++[pap] returns updated</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">Found Auth-Type = PAP</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">!!! Replacing User-Password in config items with Cleartext-Password. !!!</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">!!! Please update your configuration so that the "known good" !!!</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">!!! clear text password is in Cleartext-Password, and not in User-Password. !!!</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB"># Executing group from file /etc/freeradius/sites-enabled/default</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">+- entering group PAP {...}</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">[pap] login attempt with password "test"</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">[pap] Using clear text password "test"</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">[pap] User authenticated successfully</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">++[pap] returns ok</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">Login OK: [alex] (from client localhost port 1812)</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB"># Executing section post-auth from file /etc/freeradius/sites-enabled/default</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">+- entering group post-auth {...}</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">++[exec] returns noop</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">Sending Access-Accept of id 3 to 127.0.0.1 port 49061</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB"> Reply-Message = "test-mega-admin-reply-attribute"</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">Finished request 10.</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">Going to the next request</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">Waking up in 4.9 seconds.</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">Cleaning up request 10 ID 3 with timestamp +7141</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB">Ready to process requests.<br>
<br>
</span></b></p>
<p class="MsoNormal"><b><span lang="EN-GB"><br>
<br>
</span></b><b><span lang="EN-GB" style="font-size:10.0pt"></span></b></p>
<p class="MsoNormal"><span lang="EN-GB">Thx <br>
<br>
Alex</span></p>
<p class="MsoNormal"><span lang="EN-GB"> </span></p>
</div>
<br>
<div><font face="Tahoma" size="1">********* DISCLAIMER ********* <br>
<br>
This message and any attachment are confidential and may be privileged or otherwise protected from disclosure and may include proprietary information. If you are not the intended recipient, please telephone or email the sender and delete this message and any
attachment from your system. If you are not the intended recipient you must not copy this message or attachment or disclose the contents to any other person
<br>
</font></div>
</body>
</html>