I'm sorry if you received this twice. This was caught by my spam guard... not sure why and am not sure if it made it to everyone. I'm changing the subject... See below. --- Josh <josh2780@yahoo.com> wrote:
I have been successfully authenticating individual users between a PIX 515 VPN and FreeRadius server. I'm using mysql as the data storage on the radius server.
Recently I began changing the way I manage the ACLs on the PIX and began setting up user specific ACLs that get set after logging in via the VPN.
On the PIX: access-list myvpntest permit ip... and so forth
On radius (mysql): insert into radcheck (UserName,Attribute,op,Value) values ('josh','Filter-Id','=','myvpntest');
Now when I attempt to login with my VPN client I get denied. Here's a snippet of the debug:
------ BEGIN DEBUG ------ radius_xlat: 'josh' rlm_sql (sql): sql_set_user escaped user --> 'josh' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'josh' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'josh' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'josh' ORDER BY id' radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'josh' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): No matching entry in the database for request from user [josh] rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns notfound for request 0 modcall: group authorize returns ok for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Finished request 0 ------ END DEBUG ------
For reference, here's the debug info when I remove the Filter-Id for user 'josh':
------ BEGIN DEBUG ------ radius_xlat: 'josh' rlm_sql (sql): sql_set_user escaped user --> 'josh' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'josh' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 3 radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'josh' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'josh' ORDER BY id' radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'josh' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 3 modcall[authorize]: module "sql" returns ok for request 1 modcall: group authorize returns ok for request 1 rad_check_password: Found Auth-Type PAP auth: type "PAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 1 rlm_pap: login attempt by "josh" with password ******** rlm_pap: Using password "********" for user josh authentication. rlm_pap: Using MD5 encryption. rlm_pap: User authenticated succesfully modcall[authenticate]: module "pap" returns ok for request 1 modcall: group Auth-Type returns ok for request 1 Sending Access-Accept of id 119 to 10.5.0.1:1812 Finished request 1 ------ END DEBUG ------
Any ideas?
__________________________________ Start your day with Yahoo! - Make it your home page!
http://www.yahoo.com/r/hs - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________________________________ Start your day with Yahoo! - Make it your home page! http://www.yahoo.com/r/hs