<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Changed back to =+ per Alan, still seeing the same error and
    resulting reject.<br>
    <br>
    <div class="moz-cite-prefix">On 07/07/2014 03:40 PM, Tony DeMatteis
      wrote:<br>
    </div>
    <blockquote cite="mid:53BB21F4.6080601@commspeed.net" type="cite">
      <meta content="text/html; charset=ISO-8859-1"
        http-equiv="Content-Type">
      <font face="monospace">Thank you very much for your reply!<br>
        <br>
        <br>
        I changed my operator to ":=" but get the same reject/error.<br>
        <br>
        <br>
      </font><br>
      <font face="monospace">mysql> select * from radgroupreply where
        groupname = 'NOC-Admin';<br>
+----+-----------+----------------------------+----+-------------------------+<br>
        | id | groupname | attribute                  | op |
        value                   |<br>
+----+-----------+----------------------------+----+-------------------------+<br>
        |  1 | NOC-Admin | Mikrotik-Group             | := |
        full                    |<br>
        |  7 | NOC-Admin | APC-Service-Type           | := |
        1                       |<br>
        |  8 | NOC-Admin | APC-Outlets                | := |
        "1,2,3,4,5,6,7,8"       |<br>
        | 10 | NOC-Admin | DragonWave-Privilege-Level | := |
        DragonWave-Super-User   |<br>
+----+-----------+----------------------------+----+-------------------------+<br>
        4 rows in set (0.00 sec)<br>
        <br>
        mysql></font><br>
      <br>
      <div class="moz-cite-prefix">On 07/07/2014 11:45 AM, Mike Poole
        wrote:<br>
      </div>
      <blockquote
        cite="mid:be66d05fb21b418781b37ad028c13271@EX2013DAG-A.pavlovmedia.corp"
        type="cite">
        <meta http-equiv="Content-Type" content="text/html;
          charset=ISO-8859-1">
        <meta name="Generator" content="Microsoft Exchange Server">
        <!-- converted from rtf -->
        <style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
        <font face="Calibri" size="2"><span style="font-size:11pt;">
            <div>Tony,</div>
            <div> </div>
            <div>I'm replying at the top instead of inline. </div>
            <div> </div>
            <div>Our FreeRADIUS SQL returns this for :<br>
              <br>
              44418AS id </div>
            <div>1-1-1 AS groupname</div>
            <div>Mikrotik-Rate-Limit AS attribute</div>
            <div>1000k/2001k 2000k/4000k 750k/1500k 1800/1800 7 AS value</div>
            <div><font face="Cambria Math">≔<font face="Calibri"> AS op</font></font></div>
            <div> </div>
            <div>I think your problem is with the op (operator).  It
              should be "<font face="Cambria Math">≔</font>" and I
              believe it should be at the end.<br>
              <br>
              We use custom tables and stored procedures to do this.<br>
              <br>
              For the "group" query all I return is a groupname, such as
              the package ID '1-1-1'</div>
            <div> </div>
            <div>SELECT packageId as "groupname"; (I believe this is
              where you are having the trouble.<br>
              <br>
              Let me know if it helps or if I can do anything else</div>
            <div> </div>
            <div>Message: 2</div>
            <div>Date: Mon, 07 Jul 2014 08:03:03 -0700</div>
            <div>From: Tony DeMatteis <<a moz-do-not-send="true"
                href="mailto:tonyd@commspeed.net">tonyd@commspeed.net</a>></div>
            <div>To: <a moz-do-not-send="true"
                href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a></div>
            <div>Subject: rlm_sql: Failed to create the pair: Unknown
              attribute</div>
            <div>        "DragonWave-Privilege-Level"    requires a hex
              string, not</div>
            <div>        "DragonWave-Super-User"</div>
            <div>Message-ID: <<a moz-do-not-send="true"
                href="mailto:53BAB6A7.2040309@commspeed.net">53BAB6A7.2040309@commspeed.net</a>></div>
            <div>Content-Type: text/plain; charset="iso-8859-1";
              Format="flowed"</div>
            <div> </div>
            <div>Greetings,</div>
            <div> </div>
            <div>I am setting up/migrating to a new Radius server.  My
              current server is using flat files (users/clients).  Not a
              huge deployment, but now have designs to scale larger. 
              I've run into a problem with one reply attribute I can't
              seem to identify the problem.  I've searched the
              documentation (and Googled), and while probably in from of
              my eyes, I can't seem to find the cause/solution.  The
              same reply attributes work fine in my current/production
              server, but fail (and only when trying to include the
              "DragonWave-Privilege-Level" reply attribute).  Now one
              note, in my production server in my user stanza I use the
              "=" operator for each of the reply attributes.  However,
              in my new server, when using the "=" as the operator in
              the reply attribute I was receiving only one attribute
              upon authentication.  I then thought I understood from the
              documentation that I needed to use "+=" in my reply
              attributes.  After making that change, all the group
              attributes were returned.  One difference may be that I am
              specifying the "group" attributes under each "user"
              (current/production) vs in a "group" which is referenced
              (new server)?  I am in no way well versed in all the
              nuances of radius (but working that direction), so if I'm
              overlooking the obvious I would greatly appreciate a nudge
              in the right direction.</div>
            <div> </div>
            <div>Thank you very much,</div>
            <div> </div>
            <div>tony</div>
            <div> </div>
            <div> </div>
            <div> </div>
            <div>#*************************</div>
            <div>#</div>
            <div>#// CURRENT SERVER</div>
            <div>#</div>
            <div>#*************************</div>
            <div> </div>
            <div>#</div>
            <div># System information</div>
            <div>#</div>
            <div>admin@radius:/home/admin# uname -a</div>
            <div>Linux radius 3.5.0-45-generic #68~precise1-Ubuntu SMP
              Wed Dec 4 16:18:46 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux</div>
            <div> </div>
            <div>admin@radius:/home/admin# cat /etc/issue Ubuntu 12.04.4
              LTS \n \l</div>
            <div> </div>
            <div>admin@radius:/home/admin# freeradius -v</div>
            <div>freeradius: FreeRADIUS Version 2.1.10, for host
              x86_64-pc-linux-gnu, built on Feb 24 2014 at 15:16:50
              Copyright (C) 1999-2010 The FreeRADIUS server project and
              contributors.</div>
            <div>There is NO warranty; not even for MERCHANTABILITY or
              FITNESS FOR A PARTICULAR PURPOSE.</div>
            <div>You may redistribute copies of FreeRADIUS under the
              terms of the GNU General Public License.</div>
            <div>For more information about these matters, see the file
              named COPYRIGHT.</div>
            <div> </div>
            <div>#</div>
            <div># /etc/freeradius/users</div>
            <div>#</div>
            <div>"testuser" ClearText-Password := "tester"</div>
            <div>     Reply-Message = "Hello, %{User-Name}",</div>
            <div>     Mikrotik-Group = "full",</div>
            <div>     DragonWave-Privilege-Level =
              "DragonWave-Super-User",</div>
            <div>     APC-Service-Type = 1,</div>
            <div>     APC-Outlets = "1,2,3,4,5,6,7,8"</div>
            <div> </div>
            <div>#</div>
            <div># radtest and result</div>
            <div>#</div>
            <div>admin@radius:/home/admin# radtest testuser tester
              localhost 10</div>
            <div>testing123 0 10.10.0.120</div>
            <div>Sending Access-Request of id 25 to 127.0.0.1 port 1812</div>
            <div>     User-Name = "testuser"</div>
            <div>     User-Password = "tester"</div>
            <div>     NAS-IP-Address = 10.10.0.120</div>
            <div>     NAS-Port = 10</div>
            <div>     Framed-Protocol = PPP</div>
            <div>rad_recv: Access-Accept packet from host 127.0.0.1 port
              1812, id=25,</div>
            <div>length=70</div>
            <div>     Reply-Message = "Hello, testuser"</div>
            <div>     Mikrotik-Group = "full"</div>
            <div>     DragonWave-Privilege-Level = DragonWave-Super-User</div>
            <div>     APC-Service-Type = Admin</div>
            <div>APC-Outlets = "1,2,3,4,5,6,7,8"</div>
            <div> </div>
            <div> </div>
            <div> </div>
            <div>#*************************</div>
            <div>#</div>
            <div>#// NEW SERVER</div>
            <div>#</div>
            <div>#*************************</div>
            <div>admin@radius1:/home/admin# uname -a</div>
            <div>Linux radius1.mydomain.net 2.6.32-431.20.3.el6.i686 #1
              SMP Thu Jun 19</div>
            <div>19:51:30 UTC 2014 i686 i686 i386 GNU/Linux</div>
            <div> </div>
            <div>admin@radius1:/home/admin# cat /etc/issue CentOS
              release 6.5 (Final) Kernel \r on an \m</div>
            <div> </div>
            <div>admin@radius1:/home/admin# radiusd -v</div>
            <div>radiusd: FreeRADIUS Version 2.1.12, for host
              i386-redhat-linux-gnu, built on Oct  3 2012 at 01:20:08
              Copyright (C) 1999-2011 The FreeRADIUS server project and
              contributors.</div>
            <div>There is NO warranty; not even for MERCHANTABILITY or
              FITNESS FOR A PARTICULAR PURPOSE.</div>
            <div>You may redistribute copies of FreeRADIUS under the
              terms of the GNU General Public License.</div>
            <div>For more information about these matters, see the file
              named COPYRIGHT.</div>
            <div> </div>
            <div> </div>
            <div>#*************************</div>
            <div>#</div>
            <div>#// radtest</div>
            <div>#</div>
            <div>#*************************</div>
            <div>admin@radius1:/home/admin# radtest testuser tester
              216.x.x.x 10 </div>
            <div>testing123 0 10.10.0.120</div>
            <div>Sending Access-Request of id 119 to 216.x.x.x port 1812</div>
            <div>     User-Name = "testuser"</div>
            <div>     User-Password = "tester"</div>
            <div>     NAS-IP-Address = 10.10.0.120</div>
            <div>     NAS-Port = 10</div>
            <div>     Message-Authenticator =
              0x00000000000000000000000000000000</div>
            <div>rad_recv: Access-Reject packet from host 216.x.x.x port
              1812, id=119, </div>
            <div>length=20</div>
            <div> </div>
            <div> </div>
            <div>#*************************</div>
            <div>#</div>
            <div>#// Partial debug output</div>
            <div>#</div>
            <div>#*************************</div>
            <div>Ready to process requests.</div>
            <div>rad_recv: Access-Request packet from host 216.x.x.x
              port 50707, id=119, </div>
            <div>length=75</div>
            <div>     User-Name = "testuser"</div>
            <div>     User-Password = "tester"</div>
            <div>     NAS-IP-Address = 10.10.0.120</div>
            <div>     NAS-Port = 10</div>
            <div>     Message-Authenticator =
              0x17fec73c577cb5fd95d9dd3656c3a8db</div>
            <div># Executing section authorize from file
              /etc/raddb/sites-enabled/default</div>
            <div>+- entering group authorize {...}</div>
            <div>++- entering policy filter_username {...}</div>
            <div>+++? if (User-Name =~ /^ /)</div>
            <div>? Evaluating (User-Name =~ /^ /) -> FALSE</div>
            <div>+++? if (User-Name =~ /^ /) -> FALSE</div>
            <div>+++? if (User-Name =~ / $$/)</div>
            <div>? Evaluating (User-Name =~ / $$/) -> FALSE</div>
            <div>+++? if (User-Name =~ / $$/) -> FALSE</div>
            <div>+++? if (User-Name != "%{tolower:%{User-Name}}")</div>
            <div>     expand: %{User-Name} -> testuser</div>
            <div>     expand: %{tolower:%{User-Name}} -> testuser</div>
            <div>? Evaluating (User-Name != "%{tolower:%{User-Name}}")
              -> FALSE</div>
            <div>+++? if (User-Name != "%{tolower:%{User-Name}}") ->
              FALSE</div>
            <div>++- policy filter_username returns notfound</div>
            <div>++[preprocess] returns ok</div>
            <div>++[chap] returns noop</div>
            <div>++[mschap] returns noop</div>
            <div>++[digest] returns noop</div>
            <div>[suffix] No '@' in User-Name = "testuser", looking up
              realm NULL</div>
            <div>[suffix] No such realm "NULL"</div>
            <div>++[suffix] returns noop</div>
            <div>[eap] No EAP-Message, not doing EAP</div>
            <div>++[eap] returns noop</div>
            <div>[sql]     expand: %{User-Name} -> testuser</div>
            <div>[sql] sql_set_user escaped user --> 'testuser'</div>
            <div>rlm_sql (sql): Reserving sql socket id: 3</div>
            <div>[sql]     expand: SELECT id, username, attribute,
              value, op           </div>
            <div>FROM radcheck           WHERE username =
              '%{SQL-User-Name}'           </div>
            <div>ORDER BY id -> SELECT id, username, attribute,
              value, op           FROM </div>
            <div>radcheck WHERE username = 'testuser'           ORDER BY
              id</div>
            <div>[sql] User found in radcheck table</div>
            <div>[sql]     expand: SELECT id, username, attribute,
              value, op           </div>
            <div>FROM radreply           WHERE username =
              '%{SQL-User-Name}'           </div>
            <div>ORDER BY id -> SELECT id, username, attribute,
              value, op           FROM </div>
            <div>radreply WHERE username = 'testuser'           ORDER BY
              id</div>
            <div>[sql]     expand: SELECT groupname           FROM
              radusergroup           </div>
            <div>WHERE username = '%{SQL-User-Name}'           ORDER BY
              priority -> </div>
            <div>SELECT groupname           FROM radusergroup          
              WHERE username = </div>
            <div>'testuser'           ORDER BY priority</div>
            <div>[sql]     expand: SELECT id, groupname, attribute,
              Value, op           </div>
            <div>FROM radgroupcheck           WHERE groupname =
              '%{Sql-Group}'           </div>
            <div>ORDER BY id -> SELECT id, groupname,
              attribute,           Value, </div>
            <div>op           FROM radgroupcheck           WHERE
              groupname = 'NOC-Admin' </div>
            <div>ORDER BY id</div>
            <div>[sql] User found in group NOC-Admin</div>
            <div>[sql]     expand: SELECT id, groupname, attribute,
              value, op           </div>
            <div>FROM radgroupreply           WHERE groupname =
              '%{Sql-Group}'           </div>
            <div>ORDER BY id -> SELECT id, groupname,
              attribute,           value, </div>
            <div>op           FROM radgroupreply           WHERE
              groupname = 'NOC-Admin' </div>
            <div>ORDER BY id</div>
            <div>rlm_sql: Failed to create the pair: Unknown attribute </div>
            <div>"DragonWave-Privilege-Level" requires a hex string, not
            </div>
            <div>"DragonWave-Super-User"</div>
            <div>rlm_sql (sql): Error getting data from database</div>
            <div>[sql] Error retrieving reply pairs for group NOC-Admin</div>
            <div>[sql] Error processing groups; rejecting user</div>
            <div>rlm_sql (sql): Released sql socket id: 3</div>
            <div>++[sql] returns fail</div>
            <div>Using Post-Auth-Type Reject</div>
            <div># Executing group from file
              /etc/raddb/sites-enabled/default</div>
            <div>+- entering group REJECT {...}</div>
            <div>[attr_filter.access_reject]     expand: %{User-Name}
              -> testuser</div>
            <div>attr_filter: Matched entry DEFAULT at line 11</div>
            <div>++[attr_filter.access_reject] returns updated</div>
            <div>Delaying reject of request 0 for 1 seconds</div>
            <div>Going to the next request</div>
            <div>Waking up in 0.9 seconds.</div>
            <div>Sending delayed reject for request 0</div>
            <div>Sending Access-Reject of id 119 to 216.x.x.x port 50707</div>
            <div>Waking up in 4.9 seconds.</div>
            <div>Cleaning up request 0 ID 119 with timestamp +54</div>
            <div>Ready to process requests.</div>
            <div> </div>
            <div> </div>
            <div> </div>
            <div>#*************************</div>
            <div>#</div>
            <div>#// Manual query based on radiusd -X debug output</div>
            <div>#</div>
            <div>#*************************</div>
            <div>mysql> SELECT id, groupname, attribute,          
              value, op           </div>
            <div>FROM radgroupreply           WHERE groupname =
              'NOC-Admin'           </div>
            <div>ORDER BY id;</div>
            <div>+----+---------------------+----------------------------+-----------------------+----+</div>
            <div>| id | groupname           | attribute                 
              | </div>
            <div>value                 | op |</div>
            <div>+----+---------------------+----------------------------+-----------------------+----+</div>
            <div>|  1 | NOC-Admin           | Mikrotik-Group            
              | </div>
            <div>full                  | += |</div>
            <div>|  7 | NOC-Admin           | APC-Service-Type          
              | </div>
            <div>1                     | += |</div>
            <div>|  8 | NOC-Admin           | APC-Outlets               
              | </div>
            <div>"1,2,3,4,5,6,7,8"     | += |</div>
            <div>| 10 | NOC-Admin           | DragonWave-Privilege-Level
              | </div>
            <div>DragonWave-Super-User | += |</div>
            <div>+----+---------------------+----------------------------+-----------------------+----+</div>
            <div>5 rows in set (0.00 sec)</div>
            <div> </div>
            <div>mysql></div>
            <div> </div>
            <div> </div>
            <div># /usr/share/freeradius/dictionary.dragonwave</div>
            <div>#*************************</div>
            <div>#</div>
            <div>#// Dragonwave Dictionary Definition</div>
            <div>#</div>
            <div>#*************************</div>
            <div># -*- text -*-</div>
            <div>#    <a moz-do-not-send="true"
                href="http://www.dragonwaveinc.com">http://www.dragonwaveinc.com</a></div>
            <div>#</div>
            <div>#    $Id$</div>
            <div>#</div>
            <div>VENDOR        DragonWave                    7262</div>
            <div> </div>
            <div>BEGIN-VENDOR    DragonWave</div>
            <div> </div>
            <div># Used to determine the user login privilege level.</div>
            <div>ATTRIBUTE    DragonWave-Privilege-Level        1   
              integer</div>
            <div> </div>
            <div>#        Read-only access.</div>
            <div>VALUE        DragonWave-Privilege-Level
              DragonWave-Admin-User        1</div>
            <div>#         Limited read-write access.</div>
            <div>VALUE        DragonWave-Privilege-Level
              DragonWave-NOC-User        2</div>
            <div>#         Unlimited read-write access.</div>
            <div>VALUE        DragonWave-Privilege-Level
              DragonWave-Super-User        3</div>
            <div> </div>
            <div>END-VENDOR    DragonWave</div>
            <div> </div>
            <div>-------------- next part --------------</div>
            <div>An HTML attachment was scrubbed...</div>
            <div>URL: <<a moz-do-not-send="true"
href="http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140707/88f8e297/attachment.html">http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140707/88f8e297/attachment.html</a>></div>
            <div> </div>
            <div>------------------------------</div>
            <div> </div>
            <div>-</div>
            <div>List info/subscribe/unsubscribe? See <a
                moz-do-not-send="true"
                href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a></div>
            <div> </div>
            <div>End of Freeradius-Users Digest, Vol 111, Issue 13</div>
            <div>*************************************************</div>
            <div> </div>
          </span></font> <br>
        <fieldset class="mimeAttachmentHeader"></fieldset>
        <br>
        <pre wrap="">-
List info/subscribe/unsubscribe? See <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a></pre>
      </blockquote>
      <br>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">-
List info/subscribe/unsubscribe? See <a class="moz-txt-link-freetext" href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a></pre>
    </blockquote>
    <br>
  </body>
</html>