On 15/09/10 16:49, Fabien COMBERNOUS wrote:
On 15/09/2010 17:29, Phil Mayers wrote:
Please post the full debugging output.
Sigh. This is not the full debugging output. You're making it hard to help you.
+- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP'
This is not macauth. This is CHAP. You can't authenticate unknown CHAP users, because you need their password (which you don't have if they are unknown)
++[chap] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "08-00-0f-44-c7-42", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 10.2.2.230 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. ++[opendirectory] returns ok ++- entering group redundant_sql {...} [sql1] expand: %{User-Name} -> 08-00-0f-44-c7-42 [sql1] sql_set_user escaped user --> '08-00-0f-44-c7-42' rlm_sql (sql1): Reserving sql socket id: 1 [sql1] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' [sql1] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY prior rlm_sql (sql1): Released sql socket id: 1 [sql1] User 08-00-0f-44-c7-42 not found +++[sql1] returns notfound ++- group redundant_sql returns notfound ++? if (notfound) ? Evaluating (notfound) -> TRUE ++? if (notfound) -> TRUE ++- entering if (notfound) {...} +++[reply] returns notfound ++- if (notfound) returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
See?
++[pap] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "08-00-0f-44-c7-42" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 08-00-0f-44-c7-42 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated
This filter will remove the VLAN, because auth failed (and it wouldn't work anyway)