<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="monospace">Thank you very much for your reply!<br>
<br>
<br>
I changed my operator to ":=" but get the same reject/error.<br>
<br>
<br>
</font><br>
<font face="monospace">mysql> select * from radgroupreply where
groupname = 'NOC-Admin';<br>
+----+-----------+----------------------------+----+-------------------------+<br>
| id | groupname | attribute | op |
value |<br>
+----+-----------+----------------------------+----+-------------------------+<br>
| 1 | NOC-Admin | Mikrotik-Group | := |
full |<br>
| 7 | NOC-Admin | APC-Service-Type | := |
1 |<br>
| 8 | NOC-Admin | APC-Outlets | := |
"1,2,3,4,5,6,7,8" |<br>
| 10 | NOC-Admin | DragonWave-Privilege-Level | := |
DragonWave-Super-User |<br>
+----+-----------+----------------------------+----+-------------------------+<br>
4 rows in set (0.00 sec)<br>
<br>
mysql></font><br>
<br>
<div class="moz-cite-prefix">On 07/07/2014 11:45 AM, Mike Poole
wrote:<br>
</div>
<blockquote
cite="mid:be66d05fb21b418781b37ad028c13271@EX2013DAG-A.pavlovmedia.corp"
type="cite">
<font face="Calibri" size="2"><span style="font-size:11pt;">
<div>Tony,</div>
<div> </div>
<div>I'm replying at the top instead of inline. </div>
<div> </div>
<div>Our FreeRADIUS SQL returns this for :<br>
<br>
44418AS id </div>
<div>1-1-1 AS groupname</div>
<div>Mikrotik-Rate-Limit AS attribute</div>
<div>1000k/2001k 2000k/4000k 750k/1500k 1800/1800 7 AS value</div>
<div><font face="Cambria Math">≔<font face="Calibri"> AS op</font></font></div>
<div> </div>
<div>I think your problem is with the op (operator). It
should be "<font face="Cambria Math">≔</font>" and I believe
it should be at the end.<br>
<br>
We use custom tables and stored procedures to do this.<br>
<br>
For the "group" query all I return is a groupname, such as
the package ID '1-1-1'</div>
<div> </div>
<div>SELECT packageId as "groupname"; (I believe this is where
you are having the trouble.)<br>
<br>
Let me know if it helps or if I can do anything else</div>
<div> </div>
<div>Message: 2</div>
<div>Date: Mon, 07 Jul 2014 08:03:03 -0700</div>
<div>From: Tony DeMatteis <<a moz-do-not-send="true"
href="mailto:tonyd@commspeed.net">tonyd@commspeed.net</a>></div>
<div>To: <a moz-do-not-send="true"
href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a></div>
<div>Subject: rlm_sql: Failed to create the pair: Unknown
attribute</div>
<div> "DragonWave-Privilege-Level" requires a hex
string, not</div>
<div> "DragonWave-Super-User"</div>
<div>Message-ID: <<a moz-do-not-send="true"
href="mailto:53BAB6A7.2040309@commspeed.net">53BAB6A7.2040309@commspeed.net</a>></div>
<div>Content-Type: text/plain; charset="iso-8859-1";
Format="flowed"</div>
<div> </div>
<div>Greetings,</div>
<div> </div>
<div>I am setting up/migrating to a new Radius server. My
current server is using flat files (users/clients). Not a
huge deployment, but now have designs to scale larger. I've
run into a problem with one reply attribute I can't seem to
identify the problem.
I've searched the documentation (and Googled), and while
probably in front of my eyes, I can't seem to find the
cause/solution. The same reply attributes work fine in my
current/production server, but fail (and only when trying to
include the "DragonWave-Privilege-Level"
reply attribute). Now one note, in my production server in
my user stanza I use the "=" operator for each of the reply
attributes. However, in my new server, when using the "="
as the operator in the reply attribute I was receiving only
one attribute upon
authentication. I then thought I understood from the
documentation that I needed to use "+=" in my reply
attributes. After making that change, all the group
attributes were returned. One difference may be that I am
specifying the "group" attributes under
each "user" (current/production) vs in a "group" which is
referenced (new server)? I am in no way well versed in all
the nuances of radius (but working that direction), so if
I'm overlooking the obvious I would greatly appreciate a
nudge in the right direction.</div>
<div> </div>
<div>Thank you very much,</div>
<div> </div>
<div>tony</div>
<div> </div>
<div> </div>
<div> </div>
<div>#*************************</div>
<div>#</div>
<div>#// CURRENT SERVER</div>
<div>#</div>
<div>#*************************</div>
<div> </div>
<div>#</div>
<div># System information</div>
<div>#</div>
<div>admin@radius:/home/admin# uname -a</div>
<div>Linux radius 3.5.0-45-generic #68~precise1-Ubuntu SMP Wed
Dec 4 16:18:46 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux</div>
<div> </div>
<div>admin@radius:/home/admin# cat /etc/issue Ubuntu 12.04.4
LTS \n \l</div>
<div> </div>
<div>admin@radius:/home/admin# freeradius -v</div>
<div>freeradius: FreeRADIUS Version 2.1.10, for host
x86_64-pc-linux-gnu, built on Feb 24 2014 at 15:16:50
Copyright (C) 1999-2010 The FreeRADIUS server project and
contributors.</div>
<div>There is NO warranty; not even for MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.</div>
<div>You may redistribute copies of FreeRADIUS under the terms
of the GNU General Public License.</div>
<div>For more information about these matters, see the file
named COPYRIGHT.</div>
<div> </div>
<div>#</div>
<div># /etc/freeradius/users</div>
<div>#</div>
<div>"testuser" ClearText-Password := "tester"</div>
<div> Reply-Message = "Hello, %{User-Name}",</div>
<div> Mikrotik-Group = "full",</div>
<div> DragonWave-Privilege-Level =
"DragonWave-Super-User",</div>
<div> APC-Service-Type = 1,</div>
<div> APC-Outlets = "1,2,3,4,5,6,7,8"</div>
<div> </div>
<div>#</div>
<div># radtest and result</div>
<div>#</div>
<div>admin@radius:/home/admin# radtest testuser tester
localhost 10</div>
<div>testing123 0 10.10.0.120</div>
<div>Sending Access-Request of id 25 to 127.0.0.1 port 1812</div>
<div> User-Name = "testuser"</div>
<div> User-Password = "tester"</div>
<div> NAS-IP-Address = 10.10.0.120</div>
<div> NAS-Port = 10</div>
<div> Framed-Protocol = PPP</div>
<div>rad_recv: Access-Accept packet from host 127.0.0.1 port
1812, id=25,</div>
<div>length=70</div>
<div> Reply-Message = "Hello, testuser"</div>
<div> Mikrotik-Group = "full"</div>
<div> DragonWave-Privilege-Level = DragonWave-Super-User</div>
<div> APC-Service-Type = Admin</div>
<div>APC-Outlets = "1,2,3,4,5,6,7,8"</div>
<div> </div>
<div> </div>
<div> </div>
<div>#*************************</div>
<div>#</div>
<div>#// NEW SERVER</div>
<div>#</div>
<div>#*************************</div>
<div>admin@radius1:/home/admin# uname -a</div>
<div>Linux radius1.mydomain.net 2.6.32-431.20.3.el6.i686 #1
SMP Thu Jun 19</div>
<div>19:51:30 UTC 2014 i686 i686 i386 GNU/Linux</div>
<div> </div>
<div>admin@radius1:/home/admin# cat /etc/issue CentOS release
6.5 (Final) Kernel \r on an \m</div>
<div> </div>
<div>admin@radius1:/home/admin# radiusd -v</div>
<div>radiusd: FreeRADIUS Version 2.1.12, for host
i386-redhat-linux-gnu, built on Oct 3 2012 at 01:20:08
Copyright (C) 1999-2011 The FreeRADIUS server project and
contributors.</div>
<div>There is NO warranty; not even for MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.</div>
<div>You may redistribute copies of FreeRADIUS under the terms
of the GNU General Public License.</div>
<div>For more information about these matters, see the file
named COPYRIGHT.</div>
<div> </div>
<div> </div>
<div>#*************************</div>
<div>#</div>
<div>#// radtest</div>
<div>#</div>
<div>#*************************</div>
<div>admin@radius1:/home/admin# radtest testuser tester
216.x.x.x 10 </div>
<div>testing123 0 10.10.0.120</div>
<div>Sending Access-Request of id 119 to 216.x.x.x port 1812</div>
<div> User-Name = "testuser"</div>
<div> User-Password = "tester"</div>
<div> NAS-IP-Address = 10.10.0.120</div>
<div> NAS-Port = 10</div>
<div> Message-Authenticator =
0x00000000000000000000000000000000</div>
<div>rad_recv: Access-Reject packet from host 216.x.x.x port
1812, id=119, </div>
<div>length=20</div>
<div> </div>
<div> </div>
<div>#*************************</div>
<div>#</div>
<div>#// Partial debug output</div>
<div>#</div>
<div>#*************************</div>
<div>Ready to process requests.</div>
<div>rad_recv: Access-Request packet from host 216.x.x.x port
50707, id=119, </div>
<div>length=75</div>
<div> User-Name = "testuser"</div>
<div> User-Password = "tester"</div>
<div> NAS-IP-Address = 10.10.0.120</div>
<div> NAS-Port = 10</div>
<div> Message-Authenticator =
0x17fec73c577cb5fd95d9dd3656c3a8db</div>
<div># Executing section authorize from file
/etc/raddb/sites-enabled/default</div>
<div>+- entering group authorize {...}</div>
<div>++- entering policy filter_username {...}</div>
<div>+++? if (User-Name =~ /^ /)</div>
<div>? Evaluating (User-Name =~ /^ /) -> FALSE</div>
<div>+++? if (User-Name =~ /^ /) -> FALSE</div>
<div>+++? if (User-Name =~ / $$/)</div>
<div>? Evaluating (User-Name =~ / $$/) -> FALSE</div>
<div>+++? if (User-Name =~ / $$/) -> FALSE</div>
<div>+++? if (User-Name != "%{tolower:%{User-Name}}")</div>
<div> expand: %{User-Name} -> testuser</div>
<div> expand: %{tolower:%{User-Name}} -> testuser</div>
<div>? Evaluating (User-Name != "%{tolower:%{User-Name}}")
-> FALSE</div>
<div>+++? if (User-Name != "%{tolower:%{User-Name}}") ->
FALSE</div>
<div>++- policy filter_username returns notfound</div>
<div>++[preprocess] returns ok</div>
<div>++[chap] returns noop</div>
<div>++[mschap] returns noop</div>
<div>++[digest] returns noop</div>
<div>[suffix] No '@' in User-Name = "testuser", looking up
realm NULL</div>
<div>[suffix] No such realm "NULL"</div>
<div>++[suffix] returns noop</div>
<div>[eap] No EAP-Message, not doing EAP</div>
<div>++[eap] returns noop</div>
<div>[sql] expand: %{User-Name} -> testuser</div>
<div>[sql] sql_set_user escaped user --> 'testuser'</div>
<div>rlm_sql (sql): Reserving sql socket id: 3</div>
<div>[sql] expand: SELECT id, username, attribute, value,
op </div>
<div>FROM radcheck WHERE username =
'%{SQL-User-Name}' </div>
<div>ORDER BY id -> SELECT id, username, attribute, value,
op FROM </div>
<div>radcheck WHERE username = 'testuser' ORDER BY
id</div>
<div>[sql] User found in radcheck table</div>
<div>[sql] expand: SELECT id, username, attribute, value,
op </div>
<div>FROM radreply WHERE username =
'%{SQL-User-Name}' </div>
<div>ORDER BY id -> SELECT id, username, attribute, value,
op FROM </div>
<div>radreply WHERE username = 'testuser' ORDER BY
id</div>
<div>[sql] expand: SELECT groupname FROM
radusergroup </div>
<div>WHERE username = '%{SQL-User-Name}' ORDER BY
priority -> </div>
<div>SELECT groupname FROM radusergroup
WHERE username = </div>
<div>'testuser' ORDER BY priority</div>
<div>[sql] expand: SELECT id, groupname, attribute, Value,
op </div>
<div>FROM radgroupcheck WHERE groupname =
'%{Sql-Group}' </div>
<div>ORDER BY id -> SELECT id, groupname,
attribute, Value, </div>
<div>op FROM radgroupcheck WHERE groupname
= 'NOC-Admin' </div>
<div>ORDER BY id</div>
<div>[sql] User found in group NOC-Admin</div>
<div>[sql] expand: SELECT id, groupname, attribute, value,
op </div>
<div>FROM radgroupreply WHERE groupname =
'%{Sql-Group}' </div>
<div>ORDER BY id -> SELECT id, groupname,
attribute, value, </div>
<div>op FROM radgroupreply WHERE groupname
= 'NOC-Admin' </div>
<div>ORDER BY id</div>
<div>rlm_sql: Failed to create the pair: Unknown attribute </div>
<div>"DragonWave-Privilege-Level" requires a hex string, not </div>
<div>"DragonWave-Super-User"</div>
<div>rlm_sql (sql): Error getting data from database</div>
<div>[sql] Error retrieving reply pairs for group NOC-Admin</div>
<div>[sql] Error processing groups; rejecting user</div>
<div>rlm_sql (sql): Released sql socket id: 3</div>
<div>++[sql] returns fail</div>
<div>Using Post-Auth-Type Reject</div>
<div># Executing group from file
/etc/raddb/sites-enabled/default</div>
<div>+- entering group REJECT {...}</div>
<div>[attr_filter.access_reject] expand: %{User-Name}
-> testuser</div>
<div>attr_filter: Matched entry DEFAULT at line 11</div>
<div>++[attr_filter.access_reject] returns updated</div>
<div>Delaying reject of request 0 for 1 seconds</div>
<div>Going to the next request</div>
<div>Waking up in 0.9 seconds.</div>
<div>Sending delayed reject for request 0</div>
<div>Sending Access-Reject of id 119 to 216.x.x.x port 50707</div>
<div>Waking up in 4.9 seconds.</div>
<div>Cleaning up request 0 ID 119 with timestamp +54</div>
<div>Ready to process requests.</div>
<div> </div>
<div> </div>
<div> </div>
<div>#*************************</div>
<div>#</div>
<div>#// Manual query based on radiusd -X debug output</div>
<div>#</div>
<div>#*************************</div>
<div>mysql> SELECT id, groupname, attribute,
value, op </div>
<div>FROM radgroupreply WHERE groupname =
'NOC-Admin' </div>
<div>ORDER BY id;</div>
<div>+----+---------------------+----------------------------+-----------------------+----+</div>
<div>| id | groupname | attribute | value | op |</div>
<div>+----+---------------------+----------------------------+-----------------------+----+</div>
<div>| 1 | NOC-Admin | Mikrotik-Group | full | += |</div>
<div>| 7 | NOC-Admin | APC-Service-Type | 1 | += |</div>
<div>| 8 | NOC-Admin | APC-Outlets | "1,2,3,4,5,6,7,8" | += |</div>
<div>| 10 | NOC-Admin | DragonWave-Privilege-Level | DragonWave-Super-User | += |</div>
<div>+----+---------------------+----------------------------+-----------------------+----+</div>
<div>5 rows in set (0.00 sec)</div>
<div> </div>
<div>mysql></div>
<div> </div>
<div> </div>
<div># /usr/share/freeradius/dictionary.dragonwave</div>
<div>#*************************</div>
<div>#</div>
<div>#// Dragonwave Dictionary Definition</div>
<div>#</div>
<div>#*************************</div>
<div># -*- text -*-</div>
<div># <a moz-do-not-send="true"
href="http://www.dragonwaveinc.com">http://www.dragonwaveinc.com</a></div>
<div>#</div>
<div># $Id$</div>
<div>#</div>
<div>VENDOR DragonWave 7262</div>
<div> </div>
<div>BEGIN-VENDOR DragonWave</div>
<div> </div>
<div># Used to determine the user login privilege level.</div>
<div>ATTRIBUTE DragonWave-Privilege-Level 1
integer</div>
<div> </div>
<div># Read-only access.</div>
<div>VALUE DragonWave-Privilege-Level
DragonWave-Admin-User 1</div>
<div># Limited read-write access.</div>
<div>VALUE DragonWave-Privilege-Level
DragonWave-NOC-User 2</div>
<div># Unlimited read-write access.</div>
<div>VALUE DragonWave-Privilege-Level
DragonWave-Super-User 3</div>
<div> </div>
<div>END-VENDOR DragonWave</div>
<div> </div>
<div>-</div>
<div>List info/subscribe/unsubscribe? See <a
moz-do-not-send="true"
href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a></div>
<div> </div>
<div>End of Freeradius-Users Digest, Vol 111, Issue 13</div>
<div>*************************************************</div>
<div> </div>
</span></font>
<br>
</blockquote>
<br>
</body>
</html>