After spending two days gettig a suitable virtual machine operational (!) I have finally managed to get back to what I was actually trying to do, namely come to grips with FreeRADIUS! At the moment, a simple user entry in my database works; when I add attributes, the entry stops working. I have a feeling I am missing something embarrassingly obvious... Details below; any ideas appreciated. Regards, K. Here is the first attempt, starting from an empty database (no data in any tables): mysql> insert into radcheck (username, attribute, op, value) value ("test1", "Cleartext-Password", ":=", "blather") ; Query OK, 1 row affected (0.00 sec) mysql> quit Bye kauer@ubuntu:/usr/local/etc/raddb$ radtest test1 blather 127.0.0.1 1812 testing123 Sending Access-Request of id 79 to 127.0.0.1 port 1812 User-Name = "test1" User-Password = "blather" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=79, length=20 ******* that worked. Then I added a few reply attributes so that the user looked like this: mysql> select * from radcheck ; +----+----------+--------------------------+----+----------------------+ | id | username | attribute | op | value | +----+----------+--------------------------+----+----------------------+ | 1 | test1 | Cleartext-Password | := | blather | | 2 | test1 | Tunnel-Client-Endpoint:0 | = | 2406:a000::6:4 | | 3 | test1 | Tunnel-Server-Endpoint:0 | = | 2406:a000::6:5 | | 4 | test1 | Framed-IPv6-Prefix | = | 2406:a000:0:100::/64 | +----+----------+--------------------------+----+----------------------+ 4 rows in set (0.01 sec) mysql> quit Bye kauer@ubuntu:/usr/local/etc/raddb$ radtest test1 blather 127.0.0.1 1812 testing123 Sending Access-Request of id 220 to 127.0.0.1 port 1812 User-Name = "test1" User-Password = "blather" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=220, length=20 ****************** That did not work. Here is the debug output from the first (successful) attempt: Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 59653, id=79, length=57 User-Name = "test1" User-Password = "blather" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop [sql] expand: %{User-Name} -> test1 [sql] sql_set_user escaped user --> 'test1' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test1' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test1' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test1' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "blather" [pap] Using clear text password "blather" [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} [sql] expand: %{User-Name} -> test1 [sql] sql_set_user escaped user --> 'test1' [sql] expand: %{User-Password} -> blather [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test1', 'blather', 'Access-Accept', '2008-10-06 02:43:41') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test1', 'blather', 'Access-Accept', '2008-10-06 02:43:41') rlm_sql (sql): Reserving sql socket id: 3 rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 79 to 127.0.0.1 port 59653 Finished request 3. ************** Here is the debug output from the later (unsuccessful) attempt: Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 58059, id=220, length=57 User-Name = "test1" User-Password = "blather" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop [sql] expand: %{User-Name} -> test1 [sql] sql_set_user escaped user --> 'test1' rlm_sql (sql): Reserving sql socket id: 0 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test1' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test1' ORDER BY priority rlm_sql (sql): Released sql socket id: 0 [sql] User test1 not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 11 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 11 Sending Access-Reject of id 220 to 127.0.0.1 port 58059 Waking up in 4.9 seconds. Cleaning up request 11 ID 220 with timestamp +6643 Ready to process requests. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@biplane.com.au) +61-2-64957160 (h) http://www.biplane.com.au/~kauer/ +61-428-957160 (mob) GPG fingerprint: DD23 0DF3 2260 3060 7FEC 5CA8 1AF6 D9E3 CFEE 6B28