On 15/09/2010 17:29, Phil Mayers wrote:
Please post the full debugging output.
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "08-00-0f-44-c7-42", looking up realm
NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
rlm_opendirectory: The SACL group "com.apple.access_radius" does not
exist on this system.
rlm_opendirectory: The host 10.2.2.230 does not have an access
group.
rlm_opendirectory: no access control groups, all users allowed.
++[opendirectory] returns ok
++- entering group redundant_sql {...}
[sql1] expand: %{User-Name} -> 08-00-0f-44-c7-42
[sql1] sql_set_user escaped user --> '08-00-0f-44-c7-42'
rlm_sql (sql1): Reserving sql socket id: 1
[sql1] expand: SELECT id, username, attribute, value,
op FROM radcheck WHERE username =
'%{SQL-User-Name}'
[sql1] expand: SELECT groupname FROM
radusergroup WHERE username = '%{SQL-User-Name}'
ORDER BY prior
rlm_sql (sql1): Released sql socket id: 1
[sql1] User 08-00-0f-44-c7-42 not found
+++[sql1] returns notfound
++- group redundant_sql returns notfound
++? if (notfound)
? Evaluating (notfound) -> TRUE
++? if (notfound) -> TRUE
++- entering if (notfound) {...}
+++[reply] returns notfound
++- if (notfound) returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "08-00-0f-44-c7-42" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->
08-00-0f-44-c7-42
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Have you tested this? With radclient/radtest? It should work, from
what I can see.
no. I didn't tested.
Thank you for your help.
--
Fabien COMBERNOUS
unix system engineer
www.kezia.com
Tel: +33 (0) 467 992 986