Changed back to =+ per Alan, still seeing the same error and resulting reject.

On 07/07/2014 03:40 PM, Tony DeMatteis wrote:
Thank you very much for your reply!


I changed my operator to ":=" but get the same reject/error.



mysql> select * from radgroupreply where groupname = 'NOC-Admin';
+----+-----------+----------------------------+----+-------------------------+
| id | groupname | attribute                  | op | value                   |
+----+-----------+----------------------------+----+-------------------------+
|  1 | NOC-Admin | Mikrotik-Group             | := | full                    |
|  7 | NOC-Admin | APC-Service-Type           | := | 1                       |
|  8 | NOC-Admin | APC-Outlets                | := | "1,2,3,4,5,6,7,8"       |
| 10 | NOC-Admin | DragonWave-Privilege-Level | := | DragonWave-Super-User   |
+----+-----------+----------------------------+----+-------------------------+
4 rows in set (0.00 sec)

mysql>


On 07/07/2014 11:45 AM, Mike Poole wrote:
Tony,
 
I'm replying at the top instead of inline.
 
Our FreeRADIUS SQL returns this for :

44418AS id
1-1-1 AS groupname
Mikrotik-Rate-Limit AS attribute
1000k/2001k 2000k/4000k 750k/1500k 1800/1800 7 AS value
AS op
 
I think your problem is with the op (operator).  It should be "" and I believe it should be at the end.

We use custom tables and stored procedures to do this.

For the "group" query all I return is a groupname, such as the package ID '1-1-1'
 
SELECT packageId as "groupname"; (I believe this is where you are having the trouble.

Let me know if it helps or if I can do anything else
 
Message: 2
Date: Mon, 07 Jul 2014 08:03:03 -0700
From: Tony DeMatteis <tonyd@commspeed.net>
To: freeradius-users@lists.freeradius.org
Subject: rlm_sql: Failed to create the pair: Unknown attribute
        "DragonWave-Privilege-Level"    requires a hex string, not
        "DragonWave-Super-User"
Message-ID: <53BAB6A7.2040309@commspeed.net>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
 
Greetings,
 
I am setting up/migrating to a new Radius server.  My current server is using flat files (users/clients).  Not a huge deployment, but now have designs to scale larger.  I've run into a problem with one reply attribute I can't seem to identify the problem.  I've searched the documentation (and Googled), and while probably in from of my eyes, I can't seem to find the cause/solution.  The same reply attributes work fine in my current/production server, but fail (and only when trying to include the "DragonWave-Privilege-Level" reply attribute).  Now one note, in my production server in my user stanza I use the "=" operator for each of the reply attributes.  However, in my new server, when using the "=" as the operator in the reply attribute I was receiving only one attribute upon authentication.  I then thought I understood from the documentation that I needed to use "+=" in my reply attributes.  After making that change, all the group attributes were returned.  One difference may be that I am specifying the "group" attributes under each "user" (current/production) vs in a "group" which is referenced (new server)?  I am in no way well versed in all the nuances of radius (but working that direction), so if I'm overlooking the obvious I would greatly appreciate a nudge in the right direction.
 
Thank you very much,
 
tony
 
 
 
#*************************
#
#// CURRENT SERVER
#
#*************************
 
#
# System information
#
admin@radius:/home/admin# uname -a
Linux radius 3.5.0-45-generic #68~precise1-Ubuntu SMP Wed Dec 4 16:18:46 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
 
admin@radius:/home/admin# cat /etc/issue Ubuntu 12.04.4 LTS \n \l
 
admin@radius:/home/admin# freeradius -v
freeradius: FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 15:16:50 Copyright (C) 1999-2010 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
 
#
# /etc/freeradius/users
#
"testuser" ClearText-Password := "tester"
     Reply-Message = "Hello, %{User-Name}",
     Mikrotik-Group = "full",
     DragonWave-Privilege-Level = "DragonWave-Super-User",
     APC-Service-Type = 1,
     APC-Outlets = "1,2,3,4,5,6,7,8"
 
#
# radtest and result
#
admin@radius:/home/admin# radtest testuser tester localhost 10
testing123 0 10.10.0.120
Sending Access-Request of id 25 to 127.0.0.1 port 1812
     User-Name = "testuser"
     User-Password = "tester"
     NAS-IP-Address = 10.10.0.120
     NAS-Port = 10
     Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=25,
length=70
     Reply-Message = "Hello, testuser"
     Mikrotik-Group = "full"
     DragonWave-Privilege-Level = DragonWave-Super-User
     APC-Service-Type = Admin
APC-Outlets = "1,2,3,4,5,6,7,8"
 
 
 
#*************************
#
#// NEW SERVER
#
#*************************
admin@radius1:/home/admin# uname -a
Linux radius1.mydomain.net 2.6.32-431.20.3.el6.i686 #1 SMP Thu Jun 19
19:51:30 UTC 2014 i686 i686 i386 GNU/Linux
 
admin@radius1:/home/admin# cat /etc/issue CentOS release 6.5 (Final) Kernel \r on an \m
 
admin@radius1:/home/admin# radiusd -v
radiusd: FreeRADIUS Version 2.1.12, for host i386-redhat-linux-gnu, built on Oct  3 2012 at 01:20:08 Copyright (C) 1999-2011 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
 
 
#*************************
#
#// radtest
#
#*************************
admin@radius1:/home/admin# radtest testuser tester 216.x.x.x 10
testing123 0 10.10.0.120
Sending Access-Request of id 119 to 216.x.x.x port 1812
     User-Name = "testuser"
     User-Password = "tester"
     NAS-IP-Address = 10.10.0.120
     NAS-Port = 10
     Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 216.x.x.x port 1812, id=119,
length=20
 
 
#*************************
#
#// Partial debug output
#
#*************************
Ready to process requests.
rad_recv: Access-Request packet from host 216.x.x.x port 50707, id=119,
length=75
     User-Name = "testuser"
     User-Password = "tester"
     NAS-IP-Address = 10.10.0.120
     NAS-Port = 10
     Message-Authenticator = 0x17fec73c577cb5fd95d9dd3656c3a8db
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++- entering policy filter_username {...}
+++? if (User-Name =~ /^ /)
? Evaluating (User-Name =~ /^ /) -> FALSE
+++? if (User-Name =~ /^ /) -> FALSE
+++? if (User-Name =~ / $$/)
? Evaluating (User-Name =~ / $$/) -> FALSE
+++? if (User-Name =~ / $$/) -> FALSE
+++? if (User-Name != "%{tolower:%{User-Name}}")
     expand: %{User-Name} -> testuser
     expand: %{tolower:%{User-Name}} -> testuser
? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
+++? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
++- policy filter_username returns notfound
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql]     expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
rlm_sql (sql): Reserving sql socket id: 3
[sql]     expand: SELECT id, username, attribute, value, op          
FROM radcheck           WHERE username = '%{SQL-User-Name}'          
ORDER BY id -> SELECT id, username, attribute, value, op           FROM
radcheck WHERE username = 'testuser'           ORDER BY id
[sql] User found in radcheck table
[sql]     expand: SELECT id, username, attribute, value, op          
FROM radreply           WHERE username = '%{SQL-User-Name}'          
ORDER BY id -> SELECT id, username, attribute, value, op           FROM
radreply WHERE username = 'testuser'           ORDER BY id
[sql]     expand: SELECT groupname           FROM radusergroup          
WHERE username = '%{SQL-User-Name}'           ORDER BY priority ->
SELECT groupname           FROM radusergroup           WHERE username =
'testuser'           ORDER BY priority
[sql]     expand: SELECT id, groupname, attribute, Value, op          
FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'          
ORDER BY id -> SELECT id, groupname, attribute,           Value,
op           FROM radgroupcheck           WHERE groupname = 'NOC-Admin'
ORDER BY id
[sql] User found in group NOC-Admin
[sql]     expand: SELECT id, groupname, attribute, value, op          
FROM radgroupreply           WHERE groupname = '%{Sql-Group}'          
ORDER BY id -> SELECT id, groupname, attribute,           value,
op           FROM radgroupreply           WHERE groupname = 'NOC-Admin'
ORDER BY id
rlm_sql: Failed to create the pair: Unknown attribute
"DragonWave-Privilege-Level" requires a hex string, not
"DragonWave-Super-User"
rlm_sql (sql): Error getting data from database
[sql] Error retrieving reply pairs for group NOC-Admin
[sql] Error processing groups; rejecting user
rlm_sql (sql): Released sql socket id: 3
++[sql] returns fail
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 119 to 216.x.x.x port 50707
Waking up in 4.9 seconds.
Cleaning up request 0 ID 119 with timestamp +54
Ready to process requests.
 
 
 
#*************************
#
#// Manual query based on radiusd -X debug output
#
#*************************
mysql> SELECT id, groupname, attribute,           value, op          
FROM radgroupreply           WHERE groupname = 'NOC-Admin'          
ORDER BY id;
+----+---------------------+----------------------------+-----------------------+----+
| id | groupname           | attribute                  |
value                 | op |
+----+---------------------+----------------------------+-----------------------+----+
|  1 | NOC-Admin           | Mikrotik-Group             |
full                  | += |
|  7 | NOC-Admin           | APC-Service-Type           |
1                     | += |
|  8 | NOC-Admin           | APC-Outlets                |
"1,2,3,4,5,6,7,8"     | += |
| 10 | NOC-Admin           | DragonWave-Privilege-Level |
DragonWave-Super-User | += |
+----+---------------------+----------------------------+-----------------------+----+
5 rows in set (0.00 sec)
 
mysql>
 
 
# /usr/share/freeradius/dictionary.dragonwave
#*************************
#
#// Dragonwave Dictionary Definition
#
#*************************
# -*- text -*-
#    http://www.dragonwaveinc.com
#
#    $Id$
#
VENDOR        DragonWave                    7262
 
BEGIN-VENDOR    DragonWave
 
# Used to determine the user login privilege level.
ATTRIBUTE    DragonWave-Privilege-Level        1    integer
 
#        Read-only access.
VALUE        DragonWave-Privilege-Level DragonWave-Admin-User        1
#         Limited read-write access.
VALUE        DragonWave-Privilege-Level DragonWave-NOC-User        2
#         Unlimited read-write access.
VALUE        DragonWave-Privilege-Level DragonWave-Super-User        3
 
END-VENDOR    DragonWave
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140707/88f8e297/attachment.html>
 
------------------------------
 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
 
End of Freeradius-Users Digest, Vol 111, Issue 13
*************************************************
 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html