<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="monospace">Greetings,<br>
<br>
I am setting up/migrating to a new Radius server. My current
server is using flat files (users/clients). Not a huge
deployment, but I now have designs to scale larger. I've run into a
problem with one reply attribute and I can't seem to identify the
problem. I've searched the documentation (and Googled), and while
it is probably in front of my eyes, I can't seem to find the
cause/solution. The same reply attributes work fine in my
current/production server, but fail (and only when trying to
include the "DragonWave-Privilege-Level" reply attribute). Now,
one note: in my production server, in my user stanza, I use the "="
operator for each of the reply attributes. However, in my new
server, when using "=" as the operator in the reply attributes,
I was receiving only one attribute upon authentication. I then
thought I understood from the documentation that I needed to use
"+=" in my reply attributes. After making that change, all the
group attributes were returned. One difference may be that I am
specifying the "group" attributes under each "user"
(current/production) vs. in a "group" which is referenced (new
server)? I am in no way well versed in all the nuances of radius
(but working in that direction), so if I'm overlooking the obvious I
would greatly appreciate a nudge in the right direction.<br>
<br>
Thank you very much,<br>
<br>
tony<br>
<br>
<br>
</font><br>
<font face="monospace">#*************************<br>
#<br>
#// CURRENT SERVER<br>
#<br>
#*************************<br>
<br>
#<br>
# System information<br>
#<br>
admin@radius:/home/admin# uname -a<br>
Linux radius 3.5.0-45-generic #68~precise1-Ubuntu SMP Wed Dec 4 16:18:46 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux<br>
<br>
admin@radius:/home/admin# cat /etc/issue<br>
Ubuntu 12.04.4 LTS \n \l<br>
<br>
admin@radius:/home/admin# freeradius -v<br>
freeradius: FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 15:16:50<br>
Copyright (C) 1999-2010 The FreeRADIUS server project and contributors.<br>
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A<br>
PARTICULAR PURPOSE.<br>
You may redistribute copies of FreeRADIUS under the terms of the<br>
GNU General Public License.<br>
For more information about these matters, see the file named COPYRIGHT.<br>
<br>
#<br>
# /etc/freeradius/users<br>
#<br>
"testuser" ClearText-Password := "tester"<br>
Reply-Message = "Hello, %{User-Name}",<br>
Mikrotik-Group = "full",<br>
DragonWave-Privilege-Level = "DragonWave-Super-User",<br>
APC-Service-Type = 1,<br>
APC-Outlets = "1,2,3,4,5,6,7,8"<br>
<br>
#<br>
# radtest and result<br>
#<br>
admin@radius:/home/admin# radtest testuser tester localhost 10 testing123 0 10.10.0.120<br>
Sending Access-Request of id 25 to 127.0.0.1 port 1812<br>
User-Name = "testuser"<br>
User-Password = "tester"<br>
NAS-IP-Address = 10.10.0.120<br>
NAS-Port = 10<br>
Framed-Protocol = PPP<br>
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=25, length=70<br>
Reply-Message = "Hello, testuser"<br>
Mikrotik-Group = "full"<br>
DragonWave-Privilege-Level = DragonWave-Super-User<br>
APC-Service-Type = Admin<br>
APC-Outlets = "1,2,3,4,5,6,7,8"<br>
</font><br>
<br>
<br>
<font face="monospace">#*************************<br>
#<br>
#// NEW SERVER<br>
#<br>
#*************************<br>
admin@radius1:/home/admin# uname -a<br>
Linux radius1.mydomain.net 2.6.32-431.20.3.el6.i686 #1 SMP Thu Jun 19 19:51:30 UTC 2014 i686 i686 i386 GNU/Linux<br>
<br>
admin@radius1:/home/admin# cat /etc/issue<br>
CentOS release 6.5 (Final)<br>
Kernel \r on an \m<br>
<br>
admin@radius1:/home/admin# radiusd -v<br>
radiusd: FreeRADIUS Version 2.1.12, for host i386-redhat-linux-gnu, built on Oct 3 2012 at 01:20:08<br>
Copyright (C) 1999-2011 The FreeRADIUS server project and contributors.<br>
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A<br>
PARTICULAR PURPOSE.<br>
You may redistribute copies of FreeRADIUS under the terms of the<br>
GNU General Public License.<br>
For more information about these matters, see the file named COPYRIGHT.<br>
<br>
</font><br>
<font face="monospace">#*************************<br>
#<br>
#// radtest<br>
#<br>
#*************************<br>
admin@radius1:/home/admin# radtest testuser tester 216.x.x.x 10 testing123 0 10.10.0.120<br>
Sending Access-Request of id 119 to 216.x.x.x port 1812<br>
User-Name = "testuser"<br>
User-Password = "tester"<br>
NAS-IP-Address = 10.10.0.120<br>
NAS-Port = 10<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
rad_recv: Access-Reject packet from host 216.x.x.x port 1812, id=119, length=20<br>
<br>
<br>
</font><font face="monospace">#*************************<br>
#<br>
#// Partial debug output<br>
#<br>
#*************************<br>
Ready to process requests.<br>
rad_recv: Access-Request packet from host 216.x.x.x port 50707, id=119, length=75<br>
User-Name = "testuser"<br>
User-Password = "tester"<br>
NAS-IP-Address = 10.10.0.120<br>
NAS-Port = 10<br>
Message-Authenticator = 0x17fec73c577cb5fd95d9dd3656c3a8db<br>
# Executing section authorize from file
/etc/raddb/sites-enabled/default<br>
+- entering group authorize {...}<br>
++- entering policy filter_username {...}<br>
+++? if (User-Name =~ /^ /)<br>
? Evaluating (User-Name =~ /^ /) -> FALSE<br>
+++? if (User-Name =~ /^ /) -> FALSE<br>
+++? if (User-Name =~ / $$/)<br>
? Evaluating (User-Name =~ / $$/) -> FALSE<br>
+++? if (User-Name =~ / $$/) -> FALSE<br>
+++? if (User-Name != "%{tolower:%{User-Name}}")<br>
expand: %{User-Name} -> testuser<br>
expand: %{tolower:%{User-Name}} -> testuser<br>
? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE<br>
+++? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE<br>
++- policy filter_username returns notfound<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
++[digest] returns noop<br>
[suffix] No '@' in User-Name = "testuser", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>
++[suffix] returns noop<br>
[eap] No EAP-Message, not doing EAP<br>
++[eap] returns noop<br>
[sql] expand: %{User-Name} -> testuser<br>
[sql] sql_set_user escaped user --> 'testuser'<br>
rlm_sql (sql): Reserving sql socket id: 3<br>
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser' ORDER BY id<br>
[sql] User found in radcheck table<br>
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser' ORDER BY id<br>
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'testuser' ORDER BY priority<br>
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'NOC-Admin' ORDER BY id<br>
[sql] User found in group NOC-Admin<br>
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'NOC-Admin' ORDER BY id<br>
rlm_sql: Failed to create the pair: Unknown attribute "DragonWave-Privilege-Level" requires a hex string, not "DragonWave-Super-User"<br>
rlm_sql (sql): Error getting data from database<br>
[sql] Error retrieving reply pairs for group NOC-Admin<br>
[sql] Error processing groups; rejecting user<br>
rlm_sql (sql): Released sql socket id: 3<br>
++[sql] returns fail<br>
Using Post-Auth-Type Reject<br>
# Executing group from file /etc/raddb/sites-enabled/default<br>
+- entering group REJECT {...}<br>
[attr_filter.access_reject] expand: %{User-Name} -> testuser<br>
attr_filter: Matched entry DEFAULT at line 11<br>
++[attr_filter.access_reject] returns updated<br>
Delaying reject of request 0 for 1 seconds<br>
Going to the next request<br>
Waking up in 0.9 seconds.<br>
Sending delayed reject for request 0<br>
Sending Access-Reject of id 119 to 216.x.x.x port 50707<br>
Waking up in 4.9 seconds.<br>
Cleaning up request 0 ID 119 with timestamp +54<br>
Ready to process requests.<br>
<br>
<br>
</font><br>
<font face="monospace">#*************************<br>
#<br>
#// Manual query based on radiusd -X debug output<br>
#<br>
#*************************<br>
mysql> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'NOC-Admin' ORDER BY id;<br>
+----+---------------------+----------------------------+-----------------------+----+<br>
| id | groupname           | attribute                  | value                 | op |<br>
+----+---------------------+----------------------------+-----------------------+----+<br>
|  1 | NOC-Admin           | Mikrotik-Group             | full                  | += |<br>
|  7 | NOC-Admin           | APC-Service-Type           | 1                     | += |<br>
|  8 | NOC-Admin           | APC-Outlets                | "1,2,3,4,5,6,7,8"     | += |<br>
| 10 | NOC-Admin           | DragonWave-Privilege-Level | DragonWave-Super-User | += |<br>
+----+---------------------+----------------------------+-----------------------+----+<br>
5 rows in set (0.00 sec)<br>
<br>
mysql></font><br>
<br>
<br>
<font face="monospace">#*************************<br>
#<br>
#// Dragonwave Dictionary Definition<br>
# /usr/share/freeradius/dictionary.dragonwave<br>
#<br>
#*************************<br>
# -*- text -*-<br>
# <a class="moz-txt-link-freetext" href="http://www.dragonwaveinc.com">http://www.dragonwaveinc.com</a><br>
#<br>
# $Id$<br>
#<br>
VENDOR DragonWave 7262<br>
<br>
BEGIN-VENDOR DragonWave<br>
<br>
# Used to determine the user login privilege level.<br>
ATTRIBUTE DragonWave-Privilege-Level 1 integer<br>
<br>
# Read-only access.<br>
VALUE DragonWave-Privilege-Level DragonWave-Admin-User 1<br>
# Limited read-write access.<br>
VALUE DragonWave-Privilege-Level DragonWave-NOC-User 2<br>
# Unlimited read-write access.<br>
VALUE DragonWave-Privilege-Level DragonWave-Super-User 3<br>
<br>
END-VENDOR DragonWave<br>
</font><br>
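An added example (not code from the mail and not FreeRADIUS's own): it models the step at which rlm_sql turns a radgroupreply row into a reply pair, resolving the attribute name and VALUE name against whatever dictionaries the server loaded, and reproduces the "requires a hex string" rejection in the debug output when the attribute is absent from the loaded dictionaries. The dictionary text is the dictionary.dragonwave quoted above; the row list, the 0x-only hex rule and the function names are constructed assumptions modelled on that output.<br>

```python
import re
DICTIONARY_DRAGONWAVE = """
VENDOR DragonWave 7262
BEGIN-VENDOR DragonWave
ATTRIBUTE DragonWave-Privilege-Level 1 integer
VALUE DragonWave-Privilege-Level DragonWave-Admin-User 1
VALUE DragonWave-Privilege-Level DragonWave-NOC-User 2
VALUE DragonWave-Privilege-Level DragonWave-Super-User 3
END-VENDOR DragonWave
"""
HEX_RE = re.compile(r"^0x([0-9a-fA-F]{2})+$")

def parse_dictionary(text):
    """Return {attribute name: {"type": str, "values": {VALUE name: int}}}."""
    attrs = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments and blank lines
        if len(fields) >= 4 and fields[0] == "ATTRIBUTE":
            attrs[fields[1]] = {"type": fields[3], "values": {}}
        elif len(fields) >= 4 and fields[0] == "VALUE" and fields[1] in attrs:
            attrs[fields[1]]["values"][fields[2]] = int(fields[3], 0)
    return attrs

def make_pair(attrs, attribute, value):
    """Resolve one (attribute, value) row; raise ValueError as rlm_sql would."""
    value = value.strip('"')
    if attribute not in attrs:
        # Modelled on the 2.x debug output: an undefined name is only accepted as raw 0x hex.
        if not HEX_RE.match(value):
            raise ValueError('Unknown attribute "%s" requires a hex string, not "%s"' % (attribute, value))
        return attribute, value
    spec = attrs[attribute]
    if spec["type"] != "integer":
        return attribute, value
    number = spec["values"].get(value, int(value) if value.isdigit() else None)
    if number is None:  # neither a VALUE name nor a plain number
        raise ValueError('Unknown value "%s" for attribute %s' % (value, attribute))
    return attribute, number

def check_rows(dictionary_text, rows):
    """Resolve every row; return (resolved pairs, error messages)."""
    attrs = parse_dictionary(dictionary_text)
    pairs, errors = [], []
    for attribute, value in rows:
        try:
            pairs.append(make_pair(attrs, attribute, value))
        except ValueError as exc:
            errors.append(str(exc))
    return pairs, errors

ROWS = [("DragonWave-Privilege-Level", "DragonWave-Super-User")]  # constructed, mirrors row id 10
```

Calling check_rows("", ROWS) stands in for a server that never loaded the DragonWave dictionary and yields the same error text the new server logged, while check_rows(DICTIONARY_DRAGONWAVE, ROWS) resolves the row to the integer 3.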
</body>
</html>