Dear Alan,

Thank you for your response, I feel really bad bothering everybody on the list with these basic questions but for some reason it just doesn't work yet: 
I do have the "sql" module listed in the "authorize" section, when I login with the test user (which is in the Huntgroup) I get the following response:

rad_recv: Access-Request packet from host 192.168.56.2 port 55666, id=170, length=63
User-Name = "test"
User-Password = "radius"
NAS-Identifier = "TESTRN01701"
NAS-IP-Address = 192.168.56.2
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
sql_xlat
expand: %{User-Name} -> test
sql_set_user escaped user --> 'test'
expand: SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}' -> SELECT groupname FROM radhuntgroup WHERE nasipaddress='192.168.56.2'
rlm_sql (sql): Reserving sql socket id: 0
sql_xlat finished
rlm_sql (sql): Released sql socket id: 0
expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} -> site_a
++[reply] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'test'           ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'test'           ORDER BY id
[sql] expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'test'           ORDER BY priority
[sql] expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'site_a_admins'           ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "radius"
[pap] Using clear text password "radius"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/192.168.56.2/reply-detail-20140911
[reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.56.2/reply-detail-20140911
[reply_log] expand: %t -> Thu Sep 11 02:27:31 2014
++[reply_log] returns ok
Sending Access-Accept of id 170 to 192.168.56.2 port 55666
Juniper-Local-User-Name := "super-users"
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 170 with timestamp +192
Ready to process requests.

When I try to logon with the test2 user (which is not in the Huntgroup) I get the following:

rad_recv: Access-Request packet from host 192.168.56.2 port 59531, id=109, length=64
User-Name = "test2"
User-Password = "radius"
NAS-Identifier = "TESTRN01701"
NAS-IP-Address = 192.168.56.2
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
sql_xlat
expand: %{User-Name} -> test2
sql_set_user escaped user --> 'test2'
expand: SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}' -> SELECT groupname FROM radhuntgroup WHERE nasipaddress='192.168.56.2'
rlm_sql (sql): Reserving sql socket id: 3
sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
expand: %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} -> site_a
++[reply] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] expand: %{User-Name} -> test2
[sql] sql_set_user escaped user --> 'test2'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'test2'           ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'test2'           ORDER BY id
[sql] expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'test2'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "radius"
[pap] Using clear text password "radius"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/192.168.56.2/reply-detail-20140911
[reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.56.2/reply-detail-20140911
[reply_log] expand: %t -> Thu Sep 11 02:30:39 2014
++[reply_log] returns ok
Sending Access-Accept of id 109 to 192.168.56.2 port 59531
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 109 with timestamp +380
Ready to process requests.


Thanks in advance!


Kind regards,

Jeroen Bosch


Design Driven Networking - Smarter, better, controllable networks 

Jeroen Bosch | Developer
Business Centre Leeuwenveldseweg 5n, 1382 LV Weesp, NL

On Thu, Sep 11, 2014 at 5:39 PM, Alan DeKok <aland@deployingradius.com> wrote:
Jeroen Bosch wrote:
> If I understand the guide correctly only the test user should be able to
> logon to site_a, however I am also granted access using my test2 user
> credentials: did I overlook something? Again, thanks in advance!

  You also need to list the "sql" module in the "authorize" section.

  And run the server in debugging mode to see what it's doing.  Really.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html