On 15/09/2010 17:29, Phil Mayers wrote:
Please post the full debugging output.
+- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "08-00-0f-44-c7-42", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 10.2.2.230 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. ++[opendirectory] returns ok ++- entering group redundant_sql {...} [sql1] expand: %{User-Name} -> 08-00-0f-44-c7-42 [sql1] sql_set_user escaped user --> '08-00-0f-44-c7-42' rlm_sql (sql1): Reserving sql socket id: 1 [sql1] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' [sql1] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY prior rlm_sql (sql1): Released sql socket id: 1 [sql1] User 08-00-0f-44-c7-42 not found +++[sql1] returns notfound ++- group redundant_sql returns notfound ++? if (notfound) ? Evaluating (notfound) -> TRUE ++? if (notfound) -> TRUE ++- entering if (notfound) {...} +++[reply] returns notfound ++- if (notfound) returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "08-00-0f-44-c7-42" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 08-00-0f-44-c7-42 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds
Have you tested this? With radclient/radtest? It should work, from what I can see.
no. I didn't tested. Thank you for your help. -- *Fabien COMBERNOUS* /unix system engineer/ www.kezia.com <http://www.kezia.com/> *Tel: +33 (0) 467 992 986* Kezia Group