Mysql, Radreply attributes are not being merged.
Hello, I have added attributes in radreply table against the user, but they are not being merged in the Access-Accept Packet. Same i do with radtest utility they are being added. I am unable to figure out what is missing. actual Access-Request from NAS ========================================================== (0) Received Access-Request Id 92 from 10.0.0.11:1645 to 10.12.32.61:1812 length 179 (0) User-Name = "10.48.136.46" (0) Framed-IP-Address = 10.48.136.46 (0) Cisco-Account-Info = "S10.48.136.46" (0) User-Password = "cisco" (0) Calling-Station-Id = "0/0/0/103:00-00-00-00-00-00" (0) NAS-Port-Type = Virtual (0) NAS-Port = 0 (0) NAS-Port-Id = "0/0/0/103" (0) Service-Type = Outbound-User (0) NAS-IP-Address = 10.0.0.11 (0) NAS-Identifier = "IDC0100ISG02.nms.itcc.com.sa" (0) Event-Timestamp = "Apr 27 2017 02:05:39 EDT" (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) lease_check: Executing: /usr/local/bin/leasequery %{User-Name}: (0) lease_check: EXPAND %{User-Name} (0) lease_check: --> 10.48.136.46 (0) lease_check: Program returned code (0) and output 'User-Name := 1/0A:D824BD511480' (0) lease_check: Program executed successfully (0) [lease_check] = ok (0) sql: EXPAND %{User-Name} (0) sql: --> 1/0A:D824BD511480 (0) sql: SQL-User-Name set to '1/0A:D824BD511480' rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 264 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 264 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 264 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 264 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 264 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (5), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.52-MariaDB, protocol version 10 rlm_sql (sql): Reserved connection (5) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1/0A:D824BD511480' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1/0A:D824BD511480' ORDER BY id (0) sql: User found in radcheck table (0) sql: Conditional check items matched, merging assignment check items (0) sql: Cleartext-Password := "cisco" (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '1/0A:D824BD511480' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '1/0A:D824BD511480' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = '1/0A:D824BD511480' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '1/0A:D824BD511480' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (5) Need 2 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (6), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.52-MariaDB, protocol version 10 (0) [sql] = ok (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known good" Cleartext-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (5) (0) sql: EXPAND %{User-Name} (0) sql: --> 1/0A:D824BD511480 (0) sql: SQL-User-Name set to '1/0A:D824BD511480' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '1/0A:D824BD511480', 'cisco', 'Access-Accept', '2017-04-27 02:05:39.425995') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '1/0A:D824BD511480', 'cisco', 'Access-Accept', '2017-04-27 02:05:39.425995') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (5) (0) [sql] = ok (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = ok (0) Sent Access-Accept Id 92 from 10.12.32.61:1812 to 10.0.0.11:1645 length 0 (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 92 with timestamp +264 Ready to process requests =================================================================== radtest snippet ============================================================== Received Access-Request Id 120 from 127.0.0.1:39450 to 127.0.0.1:1812 length 82 (2) User-Name = "10.48.136.46" (2) User-Password = "cisco" (2) NAS-IP-Address = 10.12.32.61 (2) NAS-Port = 0 (2) Message-Authenticator = 0xbd6028760e9fe9fcd41666ca91f382af (2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) lease_check: Executing: /usr/local/bin/leasequery %{User-Name}: (2) lease_check: EXPAND %{User-Name} (2) lease_check: --> 10.48.136.46 (2) lease_check: Program returned code (0) and output 'User-Name := 1/0A:D824BD511480' (2) lease_check: Program executed successfully (2) [lease_check] = ok (2) sql: EXPAND %{User-Name} (2) sql: --> 1/0A:D824BD511480 (2) sql: SQL-User-Name set to '1/0A:D824BD511480' rlm_sql (sql): Closing connection (8): Hit idle_timeout, was idle for 95 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (7): Hit idle_timeout, was idle for 95 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (9), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.52-MariaDB, protocol version 10 rlm_sql (sql): Reserved connection (9) (2) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (2) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1/0A:D824BD511480' ORDER BY id (2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1/0A:D824BD511480' ORDER BY id (2) sql: User found in radcheck table (2) sql: Conditional check items matched, merging assignment check items (2) sql: Cleartext-Password := "cisco" (2) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (2) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '1/0A:D824BD511480' ORDER BY id (2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '1/0A:D824BD511480' ORDER BY id (2) sql: User found in radreply table, merging reply items (2) sql: Idle-Timeout := 600 (2) sql: Session-Timeout := 3600 (2) sql: Cisco-Account-Info := "ABB_business_basic_0_100_50" (2) sql: Cisco-AVPair := "accounting-list=ACCNT_LIST2" (2) sql: User-Name := "1/0A:D824BD511480" (2) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (2) sql: --> SELECT groupname FROM radusergroup WHERE username = '1/0A:D824BD511480' ORDER BY priority (2) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '1/0A:D824BD511480' ORDER BY priority (2) sql: User not found in any groups rlm_sql (sql): Released connection (9) Need 2 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (10), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.52-MariaDB, protocol version 10 (2) [sql] = ok (2) [expiration] = noop (2) [logintime] = noop (2) [pap] = updated (2) } # authorize = updated (2) Found Auth-Type = PAP (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) Auth-Type PAP { (2) pap: Login attempt with password (2) pap: Comparing with "known good" Cleartext-Password (2) pap: User authenticated successfully (2) [pap] = ok (2) } # Auth-Type PAP = ok (2) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (2) post-auth { (2) update { (2) No attributes updated (2) } # update = noop (2) sql: EXPAND .query (2) sql: --> .query (2) sql: Using query template 'query' rlm_sql (sql): Reserved connection (9) (2) sql: EXPAND %{User-Name} (2) sql: --> 1/0A:D824BD511480 (2) sql: SQL-User-Name set to '1/0A:D824BD511480' (2) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (2) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '1/0A:D824BD511480', 'cisco', 'Access-Accept', '2017-04-27 03:24:06.492079') (2) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '1/0A:D824BD511480', 'cisco', 'Access-Accept', '2017-04-27 03:24:06.492079') (2) sql: SQL query returned: success (2) sql: 1 record(s) updated rlm_sql (sql): Released connection (9) (2) [sql] = ok (2) [exec] = noop (2) policy remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) { (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else { (2) [noop] = noop (2) } # else = noop (2) } # policy remove_reply_message_if_eap = noop (2) } # post-auth = ok (2) Sent Access-Accept Id 120 from 127.0.0.1:1812 to 127.0.0.1:39450 length 0 (2) Idle-Timeout = 600 (2) Session-Timeout = 3600 (2) Cisco-Account-Info = "ABB_business_basic_0_100_50" (2) Cisco-AVPair = "accounting-list=ACCNT_LIST2" (2) User-Name = "1/0A:D824BD511480" (2) Finished request Waking up in 4.9 seconds. (2) Cleaning up request packet ID 120 with timestamp +4971 Ready to process request ========================================================== Waqas Toor
Any help? I am using the latest version. ---------- Forwarded message ---------- From: "Waqas Toor" <waqasnasirtoor@gmail.com> Date: Apr 27, 2017 11:12 AM Subject: Mysql, Radreply attributes are not being merged. To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Cc: Hello, I have added attributes in radreply table against the user, but they are not being merged in the Access-Accept Packet. Same i do with radtest utility they are being added. I am unable to figure out what is missing. actual Access-Request from NAS ========================================================== (0) Received Access-Request Id 92 from 10.0.0.11:1645 to 10.12.32.61:1812 length 179 (0) User-Name = "10.48.136.46" (0) Framed-IP-Address = 10.48.136.46 (0) Cisco-Account-Info = "S10.48.136.46" (0) User-Password = "cisco" (0) Calling-Station-Id = "0/0/0/103:00-00-00-00-00-00" (0) NAS-Port-Type = Virtual (0) NAS-Port = 0 (0) NAS-Port-Id = "0/0/0/103" (0) Service-Type = Outbound-User (0) NAS-IP-Address = 10.0.0.11 (0) NAS-Identifier = "IDC0100ISG02.nms.itcc.com.sa" (0) Event-Timestamp = "Apr 27 2017 02:05:39 EDT" (0) # Executing section authorize from file /usr/local/etc/raddb/sites- enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) lease_check: Executing: /usr/local/bin/leasequery %{User-Name}: (0) lease_check: EXPAND %{User-Name} (0) lease_check: --> 10.48.136.46 (0) lease_check: Program returned code (0) and output 'User-Name := 1/0A:D824BD511480' (0) lease_check: Program executed successfully (0) [lease_check] = ok (0) sql: EXPAND %{User-Name} (0) sql: --> 1/0A:D824BD511480 (0) sql: SQL-User-Name set to '1/0A:D824BD511480' rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 264 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 264 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 264 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 264 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 264 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (5), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.52-MariaDB, protocol version 10 rlm_sql (sql): Reserved connection (5) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1/0A:D824BD511480' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1/0A:D824BD511480' ORDER BY id (0) sql: User found in radcheck table (0) sql: Conditional check items matched, merging assignment check items (0) sql: Cleartext-Password := "cisco" (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '1/0A:D824BD511480' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '1/0A:D824BD511480' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = '1/0A:D824BD511480' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '1/0A:D824BD511480' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (5) Need 2 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (6), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.52-MariaDB, protocol version 10 (0) [sql] = ok (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known good" Cleartext-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /usr/local/etc/raddb/sites- enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (5) (0) sql: EXPAND %{User-Name} (0) sql: --> 1/0A:D824BD511480 (0) sql: SQL-User-Name set to '1/0A:D824BD511480' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '1/0A:D824BD511480', 'cisco', 'Access-Accept', '2017-04-27 02:05:39.425995') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '1/0A:D824BD511480', 'cisco', 'Access-Accept', '2017-04-27 02:05:39.425995') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (5) (0) [sql] = ok (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = ok (0) Sent Access-Accept Id 92 from 10.12.32.61:1812 to 10.0.0.11:1645 length 0 (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 92 with timestamp +264 Ready to process requests =================================================================== radtest snippet ============================================================== Received Access-Request Id 120 from 127.0.0.1:39450 to 127.0.0.1:1812 length 82 (2) User-Name = "10.48.136.46" (2) User-Password = "cisco" (2) NAS-IP-Address = 10.12.32.61 (2) NAS-Port = 0 (2) Message-Authenticator = 0xbd6028760e9fe9fcd41666ca91f382af (2) # Executing section authorize from file /usr/local/etc/raddb/sites- enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) lease_check: Executing: /usr/local/bin/leasequery %{User-Name}: (2) lease_check: EXPAND %{User-Name} (2) lease_check: --> 10.48.136.46 (2) lease_check: Program returned code (0) and output 'User-Name := 1/0A:D824BD511480' (2) lease_check: Program executed successfully (2) [lease_check] = ok (2) sql: EXPAND %{User-Name} (2) sql: --> 1/0A:D824BD511480 (2) sql: SQL-User-Name set to '1/0A:D824BD511480' rlm_sql (sql): Closing connection (8): Hit idle_timeout, was idle for 95 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (7): Hit idle_timeout, was idle for 95 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (9), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.52-MariaDB, protocol version 10 rlm_sql (sql): Reserved connection (9) (2) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (2) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1/0A:D824BD511480' ORDER BY id (2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1/0A:D824BD511480' ORDER BY id (2) sql: User found in radcheck table (2) sql: Conditional check items matched, merging assignment check items (2) sql: Cleartext-Password := "cisco" (2) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (2) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '1/0A:D824BD511480' ORDER BY id (2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '1/0A:D824BD511480' ORDER BY id (2) sql: User found in radreply table, merging reply items (2) sql: Idle-Timeout := 600 (2) sql: Session-Timeout := 3600 (2) sql: Cisco-Account-Info := "ABB_business_basic_0_100_50" (2) sql: Cisco-AVPair := "accounting-list=ACCNT_LIST2" (2) sql: User-Name := "1/0A:D824BD511480" (2) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (2) sql: --> SELECT groupname FROM radusergroup WHERE username = '1/0A:D824BD511480' ORDER BY priority (2) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '1/0A:D824BD511480' ORDER BY priority (2) sql: User not found in any groups rlm_sql (sql): Released connection (9) Need 2 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (10), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.52-MariaDB, protocol version 10 (2) [sql] = ok (2) [expiration] = noop (2) [logintime] = noop (2) [pap] = updated (2) } # authorize = updated (2) Found Auth-Type = PAP (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) Auth-Type PAP { (2) pap: Login attempt with password (2) pap: Comparing with "known good" Cleartext-Password (2) pap: User authenticated successfully (2) [pap] = ok (2) } # Auth-Type PAP = ok (2) # Executing section post-auth from file /usr/local/etc/raddb/sites- enabled/default (2) post-auth { (2) update { (2) No attributes updated (2) } # update = noop (2) sql: EXPAND .query (2) sql: --> .query (2) sql: Using query template 'query' rlm_sql (sql): Reserved connection (9) (2) sql: EXPAND %{User-Name} (2) sql: --> 1/0A:D824BD511480 (2) sql: SQL-User-Name set to '1/0A:D824BD511480' (2) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (2) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '1/0A:D824BD511480', 'cisco', 'Access-Accept', '2017-04-27 03:24:06.492079') (2) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '1/0A:D824BD511480', 'cisco', 'Access-Accept', '2017-04-27 03:24:06.492079') (2) sql: SQL query returned: success (2) sql: 1 record(s) updated rlm_sql (sql): Released connection (9) (2) [sql] = ok (2) [exec] = noop (2) policy remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) { (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else { (2) [noop] = noop (2) } # else = noop (2) } # policy remove_reply_message_if_eap = noop (2) } # post-auth = ok (2) Sent Access-Accept Id 120 from 127.0.0.1:1812 to 127.0.0.1:39450 length 0 (2) Idle-Timeout = 600 (2) Session-Timeout = 3600 (2) Cisco-Account-Info = "ABB_business_basic_0_100_50" (2) Cisco-AVPair = "accounting-list=ACCNT_LIST2" (2) User-Name = "1/0A:D824BD511480" (2) Finished request Waking up in 4.9 seconds. (2) Cleaning up request packet ID 120 with timestamp +4971 Ready to process request ========================================================== Waqas Toor
had a look - side by side diffs look pretty similar (barring a few SQL socket calls and the radreply (!) - so, do you have something else lurking in the config (e.g. in your sql dialup.conf/radgroup/radreply queries....or in that check_lease code ? alan On 27 April 2017 at 18:56, Waqas Toor <waqasnasirtoor@gmail.com> wrote:
Any help? I am using the latest version.
---------- Forwarded message ---------- From: "Waqas Toor" <waqasnasirtoor@gmail.com> Date: Apr 27, 2017 11:12 AM Subject: Mysql, Radreply attributes are not being merged. To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Cc:
Hello, I have added attributes in radreply table against the user, but they are not being merged in the Access-Accept Packet. Same i do with radtest utility they are being added. I am unable to figure out what is missing.
actual Access-Request from NAS ========================================================== (0) Received Access-Request Id 92 from 10.0.0.11:1645 to 10.12.32.61:1812 length 179 (0) User-Name = "10.48.136.46" (0) Framed-IP-Address = 10.48.136.46 (0) Cisco-Account-Info = "S10.48.136.46" (0) User-Password = "cisco" (0) Calling-Station-Id = "0/0/0/103:00-00-00-00-00-00" (0) NAS-Port-Type = Virtual (0) NAS-Port = 0 (0) NAS-Port-Id = "0/0/0/103" (0) Service-Type = Outbound-User (0) NAS-IP-Address = 10.0.0.11 (0) NAS-Identifier = "IDC0100ISG02.nms.itcc.com.sa" (0) Event-Timestamp = "Apr 27 2017 02:05:39 EDT" (0) # Executing section authorize from file /usr/local/etc/raddb/sites- enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) lease_check: Executing: /usr/local/bin/leasequery %{User-Name}: (0) lease_check: EXPAND %{User-Name} (0) lease_check: --> 10.48.136.46 (0) lease_check: Program returned code (0) and output 'User-Name := 1/0A:D824BD511480' (0) lease_check: Program executed successfully (0) [lease_check] = ok (0) sql: EXPAND %{User-Name} (0) sql: --> 1/0A:D824BD511480 (0) sql: SQL-User-Name set to '1/0A:D824BD511480' rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 264 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 264 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 264 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 264 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 264 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (5), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.52-MariaDB, protocol version 10 rlm_sql (sql): Reserved connection (5) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1/0A:D824BD511480' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1/0A:D824BD511480' ORDER BY id (0) sql: User found in radcheck table (0) sql: Conditional check items matched, merging assignment check items (0) sql: Cleartext-Password := "cisco" (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '1/0A:D824BD511480' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '1/0A:D824BD511480' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = '1/0A:D824BD511480' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '1/0A:D824BD511480' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (5) Need 2 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (6), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.52-MariaDB, protocol version 10 (0) [sql] = ok (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known good" Cleartext-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /usr/local/etc/raddb/sites- enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (5) (0) sql: EXPAND %{User-Name} (0) sql: --> 1/0A:D824BD511480 (0) sql: SQL-User-Name set to '1/0A:D824BD511480' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '1/0A:D824BD511480', 'cisco', 'Access-Accept', '2017-04-27 02:05:39.425995') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '1/0A:D824BD511480', 'cisco', 'Access-Accept', '2017-04-27 02:05:39.425995') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (5) (0) [sql] = ok (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = ok (0) Sent Access-Accept Id 92 from 10.12.32.61:1812 to 10.0.0.11:1645 length 0 (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 92 with timestamp +264 Ready to process requests ===================================================================
radtest snippet ============================================================== Received Access-Request Id 120 from 127.0.0.1:39450 to 127.0.0.1:1812 length 82 (2) User-Name = "10.48.136.46" (2) User-Password = "cisco" (2) NAS-IP-Address = 10.12.32.61 (2) NAS-Port = 0 (2) Message-Authenticator = 0xbd6028760e9fe9fcd41666ca91f382af (2) # Executing section authorize from file /usr/local/etc/raddb/sites- enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) lease_check: Executing: /usr/local/bin/leasequery %{User-Name}: (2) lease_check: EXPAND %{User-Name} (2) lease_check: --> 10.48.136.46 (2) lease_check: Program returned code (0) and output 'User-Name := 1/0A:D824BD511480' (2) lease_check: Program executed successfully (2) [lease_check] = ok (2) sql: EXPAND %{User-Name} (2) sql: --> 1/0A:D824BD511480 (2) sql: SQL-User-Name set to '1/0A:D824BD511480' rlm_sql (sql): Closing connection (8): Hit idle_timeout, was idle for 95 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (7): Hit idle_timeout, was idle for 95 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (9), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.52-MariaDB, protocol version 10 rlm_sql (sql): Reserved connection (9) (2) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (2) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1/0A:D824BD511480' ORDER BY id (2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1/0A:D824BD511480' ORDER BY id (2) sql: User found in radcheck table (2) sql: Conditional check items matched, merging assignment check items (2) sql: Cleartext-Password := "cisco" (2) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (2) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '1/0A:D824BD511480' ORDER BY id (2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '1/0A:D824BD511480' ORDER BY id (2) sql: User found in radreply table, merging reply items (2) sql: Idle-Timeout := 600 (2) sql: Session-Timeout := 3600 (2) sql: Cisco-Account-Info := "ABB_business_basic_0_100_50" (2) sql: Cisco-AVPair := "accounting-list=ACCNT_LIST2" (2) sql: User-Name := "1/0A:D824BD511480" (2) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (2) sql: --> SELECT groupname FROM radusergroup WHERE username = '1/0A:D824BD511480' ORDER BY priority (2) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '1/0A:D824BD511480' ORDER BY priority (2) sql: User not found in any groups rlm_sql (sql): Released connection (9) Need 2 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (10), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.52-MariaDB, protocol version 10 (2) [sql] = ok (2) [expiration] = noop (2) [logintime] = noop (2) [pap] = updated (2) } # authorize = updated (2) Found Auth-Type = PAP (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) Auth-Type PAP { (2) pap: Login attempt with password (2) pap: Comparing with "known good" Cleartext-Password (2) pap: User authenticated successfully (2) [pap] = ok (2) } # Auth-Type PAP = ok (2) # Executing section post-auth from file /usr/local/etc/raddb/sites- enabled/default (2) post-auth { (2) update { (2) No attributes updated (2) } # update = noop (2) sql: EXPAND .query (2) sql: --> .query (2) sql: Using query template 'query' rlm_sql (sql): Reserved connection (9) (2) sql: EXPAND %{User-Name} (2) sql: --> 1/0A:D824BD511480 (2) sql: SQL-User-Name set to '1/0A:D824BD511480' (2) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (2) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '1/0A:D824BD511480', 'cisco', 'Access-Accept', '2017-04-27 03:24:06.492079') (2) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '1/0A:D824BD511480', 'cisco', 'Access-Accept', '2017-04-27 03:24:06.492079') (2) sql: SQL query returned: success (2) sql: 1 record(s) updated rlm_sql (sql): Released connection (9) (2) [sql] = ok (2) [exec] = noop (2) policy remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) { (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else { (2) [noop] = noop (2) } # else = noop (2) } # policy remove_reply_message_if_eap = noop (2) } # post-auth = ok (2) Sent Access-Accept Id 120 from 127.0.0.1:1812 to 127.0.0.1:39450 length 0 (2) Idle-Timeout = 600 (2) Session-Timeout = 3600 (2) Cisco-Account-Info = "ABB_business_basic_0_100_50" (2) Cisco-AVPair = "accounting-list=ACCNT_LIST2" (2) User-Name = "1/0A:D824BD511480" (2) Finished request Waking up in 4.9 seconds. (2) Cleaning up request packet ID 120 with timestamp +4971 Ready to process request ==========================================================
Waqas Toor - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
had a look - side by side diffs look pretty similar (barring a few SQL
socket calls and the radreply (!) - so, do you have something else lurking in the config (e.g. in your sql dialup.conf/radgroup/radreply queries....or in that check_lease code ?
So far I cant think of anything ... One observation is that I have Nas type as cisco for my real scenario and Nas type as other for my radtest. check_lease is my custom binary to do dhcp lease query and update input paramters.
Right now clueless about it. DB inserts and reads are good.
alan
Any help? I am using the latest version.
---------- Forwarded message ---------- From: "Waqas Toor" <waqasnasirtoor@gmail.com> Date: Apr 27, 2017 11:12 AM Subject: Mysql, Radreply attributes are not being merged. To: "FreeRadius users mailing list" <freeradius-users@lists. freeradius.org> Cc:
Hello, I have added attributes in radreply table against the user, but they are not being merged in the Access-Accept Packet. Same i do with radtest utility they are being added. I am unable to figure out what is missing.
actual Access-Request from NAS ========================================================== (0) Received Access-Request Id 92 from 10.0.0.11:1645 to 10.12.32.61:1812 length 179 (0) User-Name = "10.48.136.46" (0) Framed-IP-Address = 10.48.136.46 (0) Cisco-Account-Info = "S10.48.136.46" (0) User-Password = "cisco" (0) Calling-Station-Id = "0/0/0/103:00-00-00-00-00-00" (0) NAS-Port-Type = Virtual (0) NAS-Port = 0 (0) NAS-Port-Id = "0/0/0/103" (0) Service-Type = Outbound-User (0) NAS-IP-Address = 10.0.0.11 (0) NAS-Identifier = "IDC0100ISG02.nms.itcc.com.sa" (0) Event-Timestamp = "Apr 27 2017 02:05:39 EDT" (0) # Executing section authorize from file /usr/local/etc/raddb/sites- enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) lease_check: Executing: /usr/local/bin/leasequery %{User-Name}: (0) lease_check: EXPAND %{User-Name} (0) lease_check: --> 10.48.136.46 (0) lease_check: Program returned code (0) and output 'User-Name := 1/0A:D824BD511480' (0) lease_check: Program executed successfully (0) [lease_check] = ok (0) sql: EXPAND %{User-Name} (0) sql: --> 1/0A:D824BD511480 (0) sql: SQL-User-Name set to '1/0A:D824BD511480' rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 264 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 264 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 264 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 264 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 264 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (5), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.52-MariaDB, protocol version 10 rlm_sql (sql): Reserved connection (5) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1/0A:D824BD511480' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1/0A:D824BD511480' ORDER BY id (0) sql: User found in radcheck table (0) sql: Conditional check items matched, merging assignment check items (0) sql: Cleartext-Password := "cisco" (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '1/0A:D824BD511480' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '1/0A:D824BD511480' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = '1/0A:D824BD511480' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '1/0A:D824BD511480' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (5) Need 2 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (6), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.52-MariaDB, protocol version 10 (0) [sql] = ok (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /usr/local/etc/raddb/sites- enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known good" Cleartext-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /usr/local/etc/raddb/sites- enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (5) (0) sql: EXPAND %{User-Name} (0) sql: --> 1/0A:D824BD511480 (0) sql: SQL-User-Name set to '1/0A:D824BD511480' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '1/0A:D824BD511480', 'cisco', 'Access-Accept', '2017-04-27 02:05:39.425995') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '1/0A:D824BD511480', 'cisco', 'Access-Accept', '2017-04-27 02:05:39.425995') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (5) (0) [sql] = ok (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = ok (0) Sent Access-Accept Id 92 from 10.12.32.61:1812 to 10.0.0.11:1645 length 0 (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 92 with timestamp +264 Ready to process requests ===================================================================
radtest snippet ============================================================== Received Access-Request Id 120 from 127.0.0.1:39450 to 127.0.0.1:1812 length 82 (2) User-Name = "10.48.136.46" (2) User-Password = "cisco" (2) NAS-IP-Address = 10.12.32.61 (2) NAS-Port = 0 (2) Message-Authenticator = 0xbd6028760e9fe9fcd41666ca91f382af (2) # Executing section authorize from file /usr/local/etc/raddb/sites- enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) lease_check: Executing: /usr/local/bin/leasequery %{User-Name}: (2) lease_check: EXPAND %{User-Name} (2) lease_check: --> 10.48.136.46 (2) lease_check: Program returned code (0) and output 'User-Name := 1/0A:D824BD511480' (2) lease_check: Program executed successfully (2) [lease_check] = ok (2) sql: EXPAND %{User-Name} (2) sql: --> 1/0A:D824BD511480 (2) sql: SQL-User-Name set to '1/0A:D824BD511480' rlm_sql (sql): Closing connection (8): Hit idle_timeout, was idle for 95 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (7): Hit idle_timeout, was idle for 95 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (9), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.52-MariaDB, protocol version 10 rlm_sql (sql): Reserved connection (9) (2) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (2) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1/0A:D824BD511480' ORDER BY id (2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1/0A:D824BD511480' ORDER BY id (2) sql: User found in radcheck table (2) sql: Conditional check items matched, merging assignment check items (2) sql: Cleartext-Password := "cisco" (2) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (2) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '1/0A:D824BD511480' ORDER BY id (2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '1/0A:D824BD511480' ORDER BY id (2) sql: User found in radreply table, merging reply items (2) sql: Idle-Timeout := 600 (2) sql: Session-Timeout := 3600 (2) sql: Cisco-Account-Info := "ABB_business_basic_0_100_50" (2) sql: Cisco-AVPair := "accounting-list=ACCNT_LIST2" (2) sql: User-Name := "1/0A:D824BD511480" (2) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (2) sql: --> SELECT groupname FROM radusergroup WHERE username = '1/0A:D824BD511480' ORDER BY priority (2) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '1/0A:D824BD511480' ORDER BY priority (2) sql: User not found in any groups rlm_sql (sql): Released connection (9) Need 2 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (10), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.52-MariaDB, protocol version 10 (2) [sql] = ok (2) [expiration] = noop (2) [logintime] = noop (2) [pap] = updated (2) } # authorize = updated (2) Found Auth-Type = PAP (2) # Executing group from file /usr/local/etc/raddb/sites- enabled/default (2) Auth-Type PAP { (2) pap: Login attempt with password (2) pap: Comparing with "known good" Cleartext-Password (2) pap: User authenticated successfully (2) [pap] = ok (2) } # Auth-Type PAP = ok (2) # Executing section post-auth from file /usr/local/etc/raddb/sites- enabled/default (2) post-auth { (2) update { (2) No attributes updated (2) } # update = noop (2) sql: EXPAND .query (2) sql: --> .query (2) sql: Using query template 'query' rlm_sql (sql): Reserved connection (9) (2) sql: EXPAND %{User-Name} (2) sql: --> 1/0A:D824BD511480 (2) sql: SQL-User-Name set to '1/0A:D824BD511480' (2) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (2) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '1/0A:D824BD511480', 'cisco', 'Access-Accept', '2017-04-27 03:24:06.492079') (2) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '1/0A:D824BD511480', 'cisco', 'Access-Accept', '2017-04-27 03:24:06.492079') (2) sql: SQL query returned: success (2) sql: 1 record(s) updated rlm_sql (sql): Released connection (9) (2) [sql] = ok (2) [exec] = noop (2) policy remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) { (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else { (2) [noop] = noop (2) } # else = noop (2) } # policy remove_reply_message_if_eap = noop (2) } # post-auth = ok (2) Sent Access-Accept Id 120 from 127.0.0.1:1812 to 127.0.0.1:39450 length 0 (2) Idle-Timeout = 600 (2) Session-Timeout = 3600 (2) Cisco-Account-Info = "ABB_business_basic_0_100_50" (2) Cisco-AVPair = "accounting-list=ACCNT_LIST2" (2) User-Name = "1/0A:D824BD511480" (2) Finished request Waking up in 4.9 seconds. (2) Cleaning up request packet ID 120 with timestamp +4971 Ready to process request ==========================================================
Waqas Toor - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On 27 April 2017 at 18:56, Waqas Toor <waqasnasirtoor@gmail.com> wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Apr 27, 2017, at 3:02 PM, Waqas Toor <waqasnasirtoor@gmail.com> wrote:
Right now clueless about it. DB inserts and reads are good.
Run the SQL SELECTs manually and see what the difference is. As always, there's no magic here. The default configuration doesn't do this, so it's something you change in your local configuration. Alan DeKok.
On Apr 28, 2017 1:15 AM, "Alan DeKok" <aland@deployingradius.com> wrote: On Apr 27, 2017, at 3:02 PM, Waqas Toor <waqasnasirtoor@gmail.com> wrote:
Right now clueless about it. DB inserts and reads are good.
Run the SQL SELECTs manually and see what the difference is. As always, there's no magic here. The default configuration doesn't do this, so it's something you change in your local configuration. Alan DeKok. Manual selects are working fine. Even with root and radius users. Also the radtest is working fine. Same configuration but not merging in actual NAS based Access-Accept. I have tried multiple times with even changing the hostname/ip for the mysql (mariadb) server Waqas - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Apr 27, 2017, at 6:20 PM, Waqas Toor <waqasnasirtoor@gmail.com> wrote:
On Apr 28, 2017 1:15 AM, "Alan DeKok" <aland@deployingradius.com> wrote:
Run the SQL SELECTs manually and see what the difference is.
Manual selects are working fine.
That is not a good response. You should not be checking that the SELECTs "work". You should READ MY MESSAGE:
Run the SQL SELECTs manually and see what the difference is.
What part of that is unclear? When you cut & paste the two SELECT statements from the debug output, are the two outputs the same, or are they different?
. Even with root and radius users. Also the radtest is working fine. Same configuration but not merging in actual NAS based Access-Accept. I have tried multiple times with even changing the hostname/ip for the mysql (mariadb) server
Changing the hostname of the SQL server won't change anything. Again, *you* configured your local system to do something. Now, you're claiming you don't know what your system does. And, you want us to help you fix it. But you're not telling us what you did. So we can't really help you. Again, there is no magic here. FreeRADIUS does not magically return one set of attributes for one request, and a different set of attributes for a different request. If the attributes in the Access-Accept are different, it's because YOU TOLD THE SERVER TO DO THAT. Alan DeKok.
Hi Without the full radiusd -X output we are stumbling in the dark. That output would show us something obscure or such. For example, do you have older copies of virtual servers lurking around in sites-enabled directory or modules in mods-enabled ? alan
participants (3)
-
Alan Buxey -
Alan DeKok -
Waqas Toor