<div dir="ltr">Dear Alan,<div><br></div><div>Thank you for your response, I feel really bad bothering everybody on the list with these basic questions but for some reason it just doesn't work yet: </div><div>I do have the "sql" module listed in the "authorize" section, when I login with the test user (which is in the Huntgroup) I get the following response:</div><div><br></div><div><div>rad_recv: Access-Request packet from host 192.168.56.2 port 55666, id=170, length=63</div><div><span class="" style="white-space:pre"> </span>User-Name = "test"</div><div><span class="" style="white-space:pre"> </span>User-Password = "radius"</div><div><span class="" style="white-space:pre"> </span>NAS-Identifier = "TESTRN01701"</div><div><span class="" style="white-space:pre"> </span>NAS-IP-Address = 192.168.56.2</div><div># Executing section authorize from file /etc/raddb/sites-enabled/default</div><div>+- entering group authorize {...}</div><div>++[preprocess] returns ok</div><div>sql_xlat</div><div><span class="" style="white-space:pre"> </span>expand: %{User-Name} -> test</div><div>sql_set_user escaped user --> 'test'</div><div><span class="" style="white-space:pre"> </span>expand: SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}' -> SELECT groupname FROM radhuntgroup WHERE nasipaddress='192.168.56.2'</div><div>rlm_sql (sql): Reserving sql socket id: 0</div><div>sql_xlat finished</div><div>rlm_sql (sql): Released sql socket id: 0</div><div><span class="" style="white-space:pre"> </span>expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} -> site_a</div><div>++[reply] returns ok</div><div>++[chap] returns noop</div><div>++[mschap] returns noop</div><div>++[digest] returns noop</div><div>[suffix] No '@' in User-Name = "test", looking up realm NULL</div><div>[suffix] No such realm "NULL"</div><div>++[suffix] returns noop</div><div>[eap] No EAP-Message, not doing EAP</div><div>++[eap] returns noop</div><div>[sql] <span class="" style="white-space:pre"> </span>expand: %{User-Name} -> test</div><div>[sql] sql_set_user escaped user --> 'test'</div><div>rlm_sql (sql): Reserving sql socket id: 4</div><div>[sql] <span class="" style="white-space:pre"> </span>expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id</div><div>[sql] User found in radcheck table</div><div>[sql] <span class="" style="white-space:pre"> </span>expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id</div><div>[sql] <span class="" style="white-space:pre"> </span>expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority</div><div>[sql] <span class="" style="white-space:pre"> </span>expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'site_a_admins' ORDER BY id</div><div>rlm_sql (sql): Released sql socket id: 4</div><div>++[sql] returns ok</div><div>++[expiration] returns noop</div><div>++[logintime] returns noop</div><div>++[pap] returns updated</div><div>Found Auth-Type = PAP</div><div># Executing group from file /etc/raddb/sites-enabled/default</div><div>+- entering group PAP {...}</div><div>[pap] login attempt with password "radius"</div><div>[pap] Using clear text password "radius"</div><div>[pap] User authenticated successfully</div><div>++[pap] returns ok</div><div># Executing section post-auth from file /etc/raddb/sites-enabled/default</div><div>+- entering group post-auth {...}</div><div>[reply_log] <span class="" style="white-space:pre"> </span>expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/<a href="http://192.168.56.2/reply-detail-20140911">192.168.56.2/reply-detail-20140911</a></div><div>[reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/<a href="http://192.168.56.2/reply-detail-20140911">192.168.56.2/reply-detail-20140911</a></div><div>[reply_log] <span class="" style="white-space:pre"> </span>expand: %t -> Thu Sep 11 02:27:31 2014</div><div>++[reply_log] returns ok</div><div>Sending Access-Accept of id 170 to 192.168.56.2 port 55666</div><div><span class="" style="white-space:pre"> </span>Juniper-Local-User-Name := "super-users"</div><div>Finished request 2.</div><div>Going to the next request</div><div>Waking up in 4.9 seconds.</div><div>Cleaning up request 2 ID 170 with timestamp +192</div><div>Ready to process requests.</div></div><div><br></div><div>When I try to logon with the test2 user (which is not in the Huntgroup) I get the following:</div><div><br></div><div><div>rad_recv: Access-Request packet from host 192.168.56.2 port 59531, id=109, length=64</div><div><span class="" style="white-space:pre"> </span>User-Name = "test2"</div><div><span class="" style="white-space:pre"> </span>User-Password = "radius"</div><div><span class="" style="white-space:pre"> </span>NAS-Identifier = "TESTRN01701"</div><div><span class="" style="white-space:pre"> </span>NAS-IP-Address = 192.168.56.2</div><div># Executing section authorize from file /etc/raddb/sites-enabled/default</div><div>+- entering group authorize {...}</div><div>++[preprocess] returns ok</div><div>sql_xlat</div><div><span class="" style="white-space:pre"> </span>expand: %{User-Name} -> test2</div><div>sql_set_user escaped user --> 'test2'</div><div><span class="" style="white-space:pre"> </span>expand: SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}' -> SELECT groupname FROM radhuntgroup WHERE nasipaddress='192.168.56.2'</div><div>rlm_sql (sql): Reserving sql socket id: 3</div><div>sql_xlat finished</div><div>rlm_sql (sql): Released sql socket id: 3</div><div><span class="" style="white-space:pre"> </span>expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} -> site_a</div><div>++[reply] returns ok</div><div>++[chap] returns noop</div><div>++[mschap] returns noop</div><div>++[digest] returns noop</div><div>[suffix] No '@' in User-Name = "test2", looking up realm NULL</div><div>[suffix] No such realm "NULL"</div><div>++[suffix] returns noop</div><div>[eap] No EAP-Message, not doing EAP</div><div>++[eap] returns noop</div><div>[sql] <span class="" style="white-space:pre"> </span>expand: %{User-Name} -> test2</div><div>[sql] sql_set_user escaped user --> 'test2'</div><div>rlm_sql (sql): Reserving sql socket id: 2</div><div>[sql] <span class="" style="white-space:pre"> </span>expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test2' ORDER BY id</div><div>[sql] User found in radcheck table</div><div>[sql] <span class="" style="white-space:pre"> </span>expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test2' ORDER BY id</div><div>[sql] <span class="" style="white-space:pre"> </span>expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test2' ORDER BY priority</div><div>rlm_sql (sql): Released sql socket id: 2</div><div>++[sql] returns ok</div><div>++[expiration] returns noop</div><div>++[logintime] returns noop</div><div>++[pap] returns updated</div><div>Found Auth-Type = PAP</div><div># Executing group from file /etc/raddb/sites-enabled/default</div><div>+- entering group PAP {...}</div><div>[pap] login attempt with password "radius"</div><div>[pap] Using clear text password "radius"</div><div>[pap] User authenticated successfully</div><div>++[pap] returns ok</div><div># Executing section post-auth from file /etc/raddb/sites-enabled/default</div><div>+- entering group post-auth {...}</div><div>[reply_log] <span class="" style="white-space:pre"> </span>expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/<a href="http://192.168.56.2/reply-detail-20140911">192.168.56.2/reply-detail-20140911</a></div><div>[reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/<a href="http://192.168.56.2/reply-detail-20140911">192.168.56.2/reply-detail-20140911</a></div><div>[reply_log] <span class="" style="white-space:pre"> </span>expand: %t -> Thu Sep 11 02:30:39 2014</div><div>++[reply_log] returns ok</div><div>Sending Access-Accept of id 109 to 192.168.56.2 port 59531</div><div>Finished request 3.</div><div>Going to the next request</div><div>Waking up in 4.9 seconds.</div><div>Cleaning up request 3 ID 109 with timestamp +380</div><div>Ready to process requests.</div></div><div><br></div><div><br></div><div>Thanks in advance!</div><div><br></div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><div>Kind regards,</div><div><br></div><div>Jeroen Bosch</div><div><br></div><div><img src="http://netyce.com/dev/wp-content/themes/netYCE/img/logo.gif"><br></div><div><i style="font-size:x-small"><b>Design Driven Networking - Smarter, better, controllable networks </b></i></div><div><font size="1"><b><i><br></i></b></font><div><font size="1"><font color="#999999">Jeroen Bosch</font> <font color="#999999">| Developer</font></font></div><div><span style="color:rgb(136,136,136);font-size:x-small">Business Centre Leeuwenveldseweg 5n, 1382 LV Weesp, NL</span><br style="color:rgb(136,136,136);font-size:x-small"></div><div><font size="1"><font color="#999999">m:</font> +31 6 22768473 <span style="color:rgb(136,136,136)">| t: </span><a value="+31208943412" style="color:rgb(17,85,204)">+31 20 894 3412</a><span style="color:rgb(136,136,136)"> </span><br></font><div><font size="1"><a href="mailto:jeroen.bosch@netyce.com" target="_blank">jeroen.bosch@netyce.com</a> <font color="#999999">|</font> <a href="http://www.netyce.com" target="_blank">www.netyce.com</a></font></div></div></div></div></div>
<br><div class="gmail_quote">On Thu, Sep 11, 2014 at 5:39 PM, Alan DeKok <span dir="ltr"><<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">Jeroen Bosch wrote:<br>
> If I understand the guide correctly only the test user should be able to<br>
> logon to site_a, however I am also granted access using my test2 user<br>
> credentials: did I overlook something? Again, thanks in advance!<br>
<br>
</span> You also need to list the "sql" module in the "authorize" section.<br>
<br>
And run the server in debugging mode to see what it's doing. Really.<br>
<div class="HOEnZb"><div class="h5"><br>
Alan DeKok.<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div><br></div></div>