Dear Alan, Thank you for your response, I feel really bad bothering everybody on the list with these basic questions but for some reason it just doesn't work yet: I do have the "sql" module listed in the "authorize" section, when I login with the test user (which is in the Huntgroup) I get the following response: rad_recv: Access-Request packet from host 192.168.56.2 port 55666, id=170, length=63 User-Name = "test" User-Password = "radius" NAS-Identifier = "TESTRN01701" NAS-IP-Address = 192.168.56.2 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok sql_xlat expand: %{User-Name} -> test sql_set_user escaped user --> 'test' expand: SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}' -> SELECT groupname FROM radhuntgroup WHERE nasipaddress='192.168.56.2' rlm_sql (sql): Reserving sql socket id: 0 sql_xlat finished rlm_sql (sql): Released sql socket id: 0 expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} -> site_a ++[reply] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [sql] expand: %{User-Name} -> test [sql] sql_set_user escaped user --> 'test' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'site_a_admins' ORDER BY id rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "radius" [pap] Using clear text password "radius" [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} [reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/192.168.56.2/reply-detail-20140911 [reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.56.2/reply-detail-20140911 [reply_log] expand: %t -> Thu Sep 11 02:27:31 2014 ++[reply_log] returns ok Sending Access-Accept of id 170 to 192.168.56.2 port 55666 Juniper-Local-User-Name := "super-users" Finished request 2. Going to the next request Waking up in 4.9 seconds. Cleaning up request 2 ID 170 with timestamp +192 Ready to process requests. When I try to logon with the test2 user (which is not in the Huntgroup) I get the following: rad_recv: Access-Request packet from host 192.168.56.2 port 59531, id=109, length=64 User-Name = "test2" User-Password = "radius" NAS-Identifier = "TESTRN01701" NAS-IP-Address = 192.168.56.2 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok sql_xlat expand: %{User-Name} -> test2 sql_set_user escaped user --> 'test2' expand: SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}' -> SELECT groupname FROM radhuntgroup WHERE nasipaddress='192.168.56.2' rlm_sql (sql): Reserving sql socket id: 3 sql_xlat finished rlm_sql (sql): Released sql socket id: 3 expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} -> site_a ++[reply] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [sql] expand: %{User-Name} -> test2 [sql] sql_set_user escaped user --> 'test2' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test2' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test2' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test2' ORDER BY priority rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "radius" [pap] Using clear text password "radius" [pap] User authenticated successfully ++[pap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} [reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/192.168.56.2/reply-detail-20140911 [reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.56.2/reply-detail-20140911 [reply_log] expand: %t -> Thu Sep 11 02:30:39 2014 ++[reply_log] returns ok Sending Access-Accept of id 109 to 192.168.56.2 port 59531 Finished request 3. Going to the next request Waking up in 4.9 seconds. Cleaning up request 3 ID 109 with timestamp +380 Ready to process requests. Thanks in advance! Kind regards, Jeroen Bosch *Design Driven Networking - Smarter, better, controllable networks * Jeroen Bosch | Developer Business Centre Leeuwenveldseweg 5n, 1382 LV Weesp, NL m: +31 6 22768473 | t: +31 20 894 3412 jeroen.bosch@netyce.com | www.netyce.com On Thu, Sep 11, 2014 at 5:39 PM, Alan DeKok <aland@deployingradius.com> wrote:
Jeroen Bosch wrote:
If I understand the guide correctly only the test user should be able to logon to site_a, however I am also granted access using my test2 user credentials: did I overlook something? Again, thanks in advance!
You also need to list the "sql" module in the "authorize" section.
And run the server in debugging mode to see what it's doing. Really.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html