Hello. I want freeradius to authenticate users with Cleartext-Password locally and proxy others with realms. I use SQL for users, groups, nas and huntgroups. The problem: When logging in with the user with Cleartext-Password all passwords are accepted. The proxied users need the correct password. What am i missing? Please help. My set up consists of: AAA Client -> Freeradius 2.1.6 with MySQL -> RADIUS-server ##sites-enabled/default authorize section # SQL query huntgroups update request { Huntgroup-Name := "%{sql:select groupname from radhuntgroup where nasipaddress=\"%{NAS-IP-Address}\"}" } # # # SQL query Proxy-To-Realm # update control { Proxy-To-Realm := "%{sql:select authserver from authmethod where username =\"%{User-Name}\"}" } radhuntgroup table: mysql> select * from radhuntgroup; +----+-------------+--------------+-----------+ | id | groupname | nasipaddress | nasportid | +----+-------------+--------------+-----------+ | 4 | VPN-service | x.x.x.x | NULL | radgroupcheck table: mysql> select * from radgroupcheck; +----+-----------+----------------+----+-------------+ | id | groupname | attribute | op | value | +----+-----------+----------------+----+-------------+ | 8 | VPN-AUTH | Huntgroup-Name | == | VPN-Service | | 9 | VPN-AUTH | Auth-Type | := | Accept | usergroup table; mysql> select * from usergroup; +--------------+-----------+----------+ | UserName | GroupName | priority | +--------------+-----------+----------+ | testuser | VPN-AUTH | 0 | | safewordtest | VPN-AUTH | 0 | +--------------+-----------+----------+ users-file # On no match, the user is denied access. DEFAULT Auth-Type := Reject Users are defined in radcheck. testuser is to be authenticated locally safewordtest is to be proxied (table authmethod). mysql> select * from radcheck; +----+--------------+--------------------+----+----------+ | id | username | attribute | op | value | +----+--------------+--------------------+----+----------+ | 33 | testuser | Cleartext-Password | := | testuser | | 39 | safewordtest | Cleartext-Password | := | testttsd | +----+--------------+--------------------+----+----------+ mysql> select * from authmethod; +--------------+------------+----------+ | username | authserver | priority | +--------------+------------+----------+ | safewordtest | Safeword | 1 | +--------------+------------+----------+ Debug: Incorrect username/password. rad_recv: Access-Request packet from host x.x.x.x port 1812, id=38, length=70 User-Name = "testuser" User-Password = "wrongpasswordibelieve" NAS-IP-Address = x.x.x.x +- entering group authorize {...} ++[preprocess] returns ok sql_xlat expand: %{User-Name} -> testuser sql_set_user escaped user --> 'testuser' expand: select groupname from radhuntgroup where nasipaddress="%{NAS-IP-Address}" -> select groupname from radhuntgroup where nasipaddress="x.x.x.x" rlm_sql (sql): Reserving sql socket id: 3 sql_xlat finished rlm_sql (sql): Released sql socket id: 3 expand: %{sql:select groupname from radhuntgroup where nasipaddress="%{NAS-IP-Address}"} -> VPN-Service ++[request] returns ok sql_xlat expand: %{User-Name} -> testuser sql_set_user escaped user --> 'testuser' expand: select authserver from authmethod where username ="%{User-Name}" -> select authserver from authmethod where username ="testuser" rlm_sql (sql): Reserving sql socket id: 2 SQL query did not return any results rlm_sql (sql): Released sql socket id: 2 expand: %{sql:select authserver from authmethod where username ="%{User-Name}"} -> ++[control] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 204 ++[files] returns ok [sql] expand: %{User-Name} -> testuser [sql] sql_set_user escaped user --> 'testuser' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser' ORDER BY id [sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = 'testuser' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'VPN-AUTH' ORDER BY id [sql] User found in group VPN-AUTH [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'VPN-AUTH' ORDER BY id rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop WARNING: You set Proxy-To-Realm = , but the realm does not exist! Cancelling invalid proxy request. Found Auth-Type = Accept Auth-Type = Accept, accepting the user +- entering group post-auth {...} [sql] expand: %{User-Name} -> testuser [sql] sql_set_user escaped user --> 'testuser' [sql] expand: %{User-Password} -> wrongpasswordibelieve [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser', 'wrongpasswordibelieve', 'Access-Accept', '2009-08-13 21:01:08') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testuser', 'wrongpasswordibelieve', 'Access-Accept', '2009-08-13 21:01:08') rlm_sql (sql): Reserving sql socket id: 0 rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 38 to x.x.x.x port 1812 Class := 0x6f753d7672663337302c6f753d72657472726565 Finished request 0. -- View this message in context: http://www.nabble.com/Problem-authenticating-cleartext-passwords-locally-and... Sent from the FreeRadius - User mailing list archive at Nabble.com.