user group problems, my logic or freeradius limitation
I am trying to find a good way to limit who is able to login at specific NAS's. I know I could add all the allowed user names to the Huntgroups file, but this can get tedious as I must do it for each NAS. So I figured the best way was to use groups. The users are not account holders on the system, so I could not user the 'Group' option in huntgroups. I also do not have a database backend so wanted to uses a local file. So in looking I saw that I could do the following: 1. modules/etc_group - Define a local file with a group list 2. Created the group file referenced in etc_group 3. Added a dictionary item for the attribute 4. Add the desired NAS to a huntgroup 5. Set a policy in the users file to be based on the list. Where I am having a problem is if the user is assigned to more than one group. As you can see from the first debug output from below, if a user is a member of the group alone it works fine. But the second debug shows that if a user is a member of more than one group, even if one is the right one, it will not work because one of the groups does not match. The reason I need users in more than one group is if they are affiliated with more than one department. Also will need more than one affiliation for support to be able to troubleshoot connecting on each NAS. In case it matters, the back end authentication is Kerberos on our production service but for this test I just have some local accounts defined in the users file. So, is this a error in my logic/setup or is this a limitation I have with Freeradius. Is there some other way to do this? =============== /usr/local/etc/raddb/modules/etc_group passwd etc_group { filename = /usr/local/etc/raddb/group_file format = "~Etc-Group-Name:*,User-Name" hashsize = 150 ignorenislike = yes allowmultiplekeys = yes delimiter = ":" } ================ /usr/local/etc/raddb/group_file wilab:walt,walter wilab2:walter,walter01 nolab:walter01 ================= /usr/local/etc/raddb/dictionary ATTRIBUTE Etc-Group-Name 3000 string ================= /usr/local/etc/raddb/huntgroups ILAB NAS-IP-Address == 10.11.224.36 ================= /usr/local/etc/raddb/users (added line numbers for the debug) 102 DEFAULT Huntgroup-Name == ILAB, Etc-Group-Name != "wilab", Auth-Type := Reject 103 Fall-Through = no 104 105 walt Cleartext-Password := "walter01" 106 walter Cleartext-Password := "walter01" 107 walter01 Cleartext-Password := "walter01" ------------------------------- rad_recv: Access-Request packet from host 10.11.224.36 port 32783, id=111, length=131 User-Name = "walt" User-Password = "walter01" NAS-IP-Address = 10.11.224.36 Service-Type = Login-User Framed-IP-Address = 192.168.135.25 Called-Station-Id = "00:07:E9:D1:8F:C2" NAS-Identifier = "Bluesocket" Acct-Session-Id = "00:07:E9:D1:8F:C2:1225801477" NAS-Port-Type = Wireless-802.11 Tue Nov 4 07:09:21 2008 : Info: +- entering group authorize {...} Tue Nov 4 07:09:21 2008 : Info: ++[preprocess] returns ok Tue Nov 4 07:09:21 2008 : Info: ++[chap] returns noop Tue Nov 4 07:09:21 2008 : Info: ++[mschap] returns noop Tue Nov 4 07:09:21 2008 : Info: [suffix] No '@' in User-Name = "walt", looking up realm NULL Tue Nov 4 07:09:21 2008 : Info: [suffix] No such realm "NULL" Tue Nov 4 07:09:21 2008 : Info: ++[suffix] returns noop Tue Nov 4 07:09:21 2008 : Info: [eap] No EAP-Message, not doing EAP Tue Nov 4 07:09:21 2008 : Info: ++[eap] returns noop Tue Nov 4 07:09:21 2008 : Info: ++[unix] returns notfound Tue Nov 4 07:09:21 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab' to request_items Tue Nov 4 07:09:21 2008 : Info: ++[etc_group] returns ok Tue Nov 4 07:09:21 2008 : Info: [files] users: Matched entry walt at line 105 Tue Nov 4 07:09:21 2008 : Info: ++[files] returns ok Tue Nov 4 07:09:21 2008 : Info: ++[expiration] returns noop Tue Nov 4 07:09:21 2008 : Info: ++[logintime] returns noop Tue Nov 4 07:09:21 2008 : Info: ++[pap] returns updated Tue Nov 4 07:09:21 2008 : Info: Found Auth-Type = PAP Tue Nov 4 07:09:21 2008 : Info: +- entering group PAP {...} Tue Nov 4 07:09:21 2008 : Info: [pap] login attempt with password "walter01" Tue Nov 4 07:09:21 2008 : Info: [pap] Using clear text password "walter01" Tue Nov 4 07:09:21 2008 : Info: [pap] User authenticated successfully Tue Nov 4 07:09:21 2008 : Info: ++[pap] returns ok Tue Nov 4 07:09:21 2008 : Info: +- entering group post-auth {...} Tue Nov 4 07:09:21 2008 : Info: ++[exec] returns noop Sending Access-Accept of id 111 to 10.11.224.36 port 32783 Tue Nov 4 07:09:21 2008 : Info: Finished request 0. ======================= rad_recv: Access-Request packet from host 10.11.224.36 port 32783, id=112, length=133 User-Name = "walter" User-Password = "walter01" NAS-IP-Address = 10.11.224.36 Service-Type = Login-User Framed-IP-Address = 192.168.135.25 Called-Station-Id = "00:07:E9:D1:8F:C2" NAS-Identifier = "Bluesocket" Acct-Session-Id = "00:07:E9:D1:8F:C2:1225801505" NAS-Port-Type = Wireless-802.11 Tue Nov 4 07:09:49 2008 : Info: +- entering group authorize {...} Tue Nov 4 07:09:49 2008 : Info: ++[preprocess] returns ok Tue Nov 4 07:09:49 2008 : Info: ++[chap] returns noop Tue Nov 4 07:09:49 2008 : Info: ++[mschap] returns noop Tue Nov 4 07:09:49 2008 : Info: [suffix] No '@' in User-Name = "walter", looking up realm NULL Tue Nov 4 07:09:49 2008 : Info: [suffix] No such realm "NULL" Tue Nov 4 07:09:49 2008 : Info: ++[suffix] returns noop Tue Nov 4 07:09:49 2008 : Info: [eap] No EAP-Message, not doing EAP Tue Nov 4 07:09:49 2008 : Info: ++[eap] returns noop Tue Nov 4 07:09:49 2008 : Info: ++[unix] returns notfound Tue Nov 4 07:09:49 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab2' to request_items Tue Nov 4 07:09:49 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab' to request_items Tue Nov 4 07:09:49 2008 : Info: ++[etc_group] returns ok Tue Nov 4 07:09:49 2008 : Info: [files] users: Matched entry DEFAULT at line 102 Tue Nov 4 07:09:49 2008 : Info: ++[files] returns ok Tue Nov 4 07:09:49 2008 : Info: ++[expiration] returns noop Tue Nov 4 07:09:49 2008 : Info: ++[logintime] returns noop Tue Nov 4 07:09:49 2008 : Info: [pap] Found existing Auth-Type, not changing it. Tue Nov 4 07:09:49 2008 : Info: ++[pap] returns noop Tue Nov 4 07:09:49 2008 : Info: Found Auth-Type = Reject Tue Nov 4 07:09:49 2008 : Info: Auth-Type = Reject, rejecting user Tue Nov 4 07:09:49 2008 : Info: Failed to authenticate the user. Tue Nov 4 07:09:49 2008 : Info: Using Post-Auth-Type Reject Tue Nov 4 07:09:49 2008 : Info: +- entering group REJECT {...} Tue Nov 4 07:09:49 2008 : Info: [attr_filter.access_reject] expand: %{User-Name} -> walter Tue Nov 4 07:09:49 2008 : Debug: attr_filter: Matched entry DEFAULT at line 11 Tue Nov 4 07:09:49 2008 : Info: ++[attr_filter.access_reject] returns updated Tue Nov 4 07:09:49 2008 : Info: Delaying reject of request 1 for 1 seconds Tue Nov 4 07:09:49 2008 : Debug: Going to the next request Tue Nov 4 07:09:49 2008 : Debug: Waking up in 0.9 seconds. Tue Nov 4 07:09:50 2008 : Info: Sending delayed reject for request 1 Sending Access-Reject of id 112 to 10.11.224.36 port 32783 Tue Nov 4 07:09:50 2008 : Debug: Waking up in 4.9 seconds. Tue Nov 4 07:09:55 2008 : Info: Cleaning up request 1 ID 112 with timestamp +39 Tue Nov 4 07:09:55 2008 : Debug: Ready to process requests. -- Walt Reynolds Principal Systems Security Development Engineer Information Technology Central Services University of Michigan (734) 615-9438
/usr/local/etc/raddb/huntgroups
ILAB NAS-IP-Address == 10.11.224.36
Add the group(s) to huntgroup configuration: ILAB NAS-IP-Address == 10.11.12.13 Etc-Group-Name == "wilab" Members of other groups will not be able to connect. You can remove:
102 DEFAULT Huntgroup-Name == ILAB, Etc-Group-Name != "wilab", Auth-Type := Reject 103 Fall-Through = no
from the users file. Ivan Kalik Kalik Informatika ISP
Sorry, you have problem with users in multiple groups. What I posted will have no effect. You should create a different huntgroup - add every NAS that groups wilab2 and nolab are allowed to connect. Than remove that users file entry and add: DEFAULT Huntgroup-Name == "wilab2", Etc-Group-Name == "wilab2" Fall-Through = yes DEFAULT Huntgroup-Name == "nolab", Etc-Group-Name == "nolab" Fall-Through = yes Ivan Kalik Kalik Informatika ISP Dana 4/11/2008, "Reynolds, Walter" <waltr@umich.edu> piše:
I am trying to find a good way to limit who is able to login at specific NAS's. I know I could add all the allowed user names to the Huntgroups file, but this can get tedious as I must do it for each NAS. So I figured the best way was to use groups. The users are not account holders on the system, so I could not user the 'Group' option in huntgroups. I also do not have a database backend so wanted to uses a local file.
So in looking I saw that I could do the following:
1. modules/etc_group - Define a local file with a group list 2. Created the group file referenced in etc_group 3. Added a dictionary item for the attribute 4. Add the desired NAS to a huntgroup 5. Set a policy in the users file to be based on the list.
Where I am having a problem is if the user is assigned to more than one group. As you can see from the first debug output from below, if a user is a member of the group alone it works fine. But the second debug shows that if a user is a member of more than one group, even if one is the right one, it will not work because one of the groups does not match.
The reason I need users in more than one group is if they are affiliated with more than one department. Also will need more than one affiliation for support to be able to troubleshoot connecting on each NAS.
In case it matters, the back end authentication is Kerberos on our production service but for this test I just have some local accounts defined in the users file.
So, is this a error in my logic/setup or is this a limitation I have with Freeradius. Is there some other way to do this?
===============
/usr/local/etc/raddb/modules/etc_group
passwd etc_group { filename = /usr/local/etc/raddb/group_file format = "~Etc-Group-Name:*,User-Name" hashsize = 150 ignorenislike = yes allowmultiplekeys = yes delimiter = ":" }
================
/usr/local/etc/raddb/group_file
wilab:walt,walter wilab2:walter,walter01 nolab:walter01
=================
/usr/local/etc/raddb/dictionary
ATTRIBUTE Etc-Group-Name 3000 string
=================
/usr/local/etc/raddb/huntgroups
ILAB NAS-IP-Address == 10.11.224.36
=================
/usr/local/etc/raddb/users (added line numbers for the debug)
102 DEFAULT Huntgroup-Name == ILAB, Etc-Group-Name != "wilab", Auth-Type := Reject 103 Fall-Through = no 104 105 walt Cleartext-Password := "walter01" 106 walter Cleartext-Password := "walter01" 107 walter01 Cleartext-Password := "walter01"
-------------------------------
rad_recv: Access-Request packet from host 10.11.224.36 port 32783, id=111, length=131 User-Name = "walt" User-Password = "walter01" NAS-IP-Address = 10.11.224.36 Service-Type = Login-User Framed-IP-Address = 192.168.135.25 Called-Station-Id = "00:07:E9:D1:8F:C2" NAS-Identifier = "Bluesocket" Acct-Session-Id = "00:07:E9:D1:8F:C2:1225801477" NAS-Port-Type = Wireless-802.11 Tue Nov 4 07:09:21 2008 : Info: +- entering group authorize {...} Tue Nov 4 07:09:21 2008 : Info: ++[preprocess] returns ok Tue Nov 4 07:09:21 2008 : Info: ++[chap] returns noop Tue Nov 4 07:09:21 2008 : Info: ++[mschap] returns noop Tue Nov 4 07:09:21 2008 : Info: [suffix] No '@' in User-Name = "walt", looking up realm NULL Tue Nov 4 07:09:21 2008 : Info: [suffix] No such realm "NULL" Tue Nov 4 07:09:21 2008 : Info: ++[suffix] returns noop Tue Nov 4 07:09:21 2008 : Info: [eap] No EAP-Message, not doing EAP Tue Nov 4 07:09:21 2008 : Info: ++[eap] returns noop Tue Nov 4 07:09:21 2008 : Info: ++[unix] returns notfound Tue Nov 4 07:09:21 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab' to request_items Tue Nov 4 07:09:21 2008 : Info: ++[etc_group] returns ok Tue Nov 4 07:09:21 2008 : Info: [files] users: Matched entry walt at line 105 Tue Nov 4 07:09:21 2008 : Info: ++[files] returns ok Tue Nov 4 07:09:21 2008 : Info: ++[expiration] returns noop Tue Nov 4 07:09:21 2008 : Info: ++[logintime] returns noop Tue Nov 4 07:09:21 2008 : Info: ++[pap] returns updated Tue Nov 4 07:09:21 2008 : Info: Found Auth-Type = PAP Tue Nov 4 07:09:21 2008 : Info: +- entering group PAP {...} Tue Nov 4 07:09:21 2008 : Info: [pap] login attempt with password "walter01" Tue Nov 4 07:09:21 2008 : Info: [pap] Using clear text password "walter01" Tue Nov 4 07:09:21 2008 : Info: [pap] User authenticated successfully Tue Nov 4 07:09:21 2008 : Info: ++[pap] returns ok Tue Nov 4 07:09:21 2008 : Info: +- entering group post-auth {...} Tue Nov 4 07:09:21 2008 : Info: ++[exec] returns noop Sending Access-Accept of id 111 to 10.11.224.36 port 32783 Tue Nov 4 07:09:21 2008 : Info: Finished request 0.
======================= rad_recv: Access-Request packet from host 10.11.224.36 port 32783, id=112, length=133 User-Name = "walter" User-Password = "walter01" NAS-IP-Address = 10.11.224.36 Service-Type = Login-User Framed-IP-Address = 192.168.135.25 Called-Station-Id = "00:07:E9:D1:8F:C2" NAS-Identifier = "Bluesocket" Acct-Session-Id = "00:07:E9:D1:8F:C2:1225801505" NAS-Port-Type = Wireless-802.11 Tue Nov 4 07:09:49 2008 : Info: +- entering group authorize {...} Tue Nov 4 07:09:49 2008 : Info: ++[preprocess] returns ok Tue Nov 4 07:09:49 2008 : Info: ++[chap] returns noop Tue Nov 4 07:09:49 2008 : Info: ++[mschap] returns noop Tue Nov 4 07:09:49 2008 : Info: [suffix] No '@' in User-Name = "walter", looking up realm NULL Tue Nov 4 07:09:49 2008 : Info: [suffix] No such realm "NULL" Tue Nov 4 07:09:49 2008 : Info: ++[suffix] returns noop Tue Nov 4 07:09:49 2008 : Info: [eap] No EAP-Message, not doing EAP Tue Nov 4 07:09:49 2008 : Info: ++[eap] returns noop Tue Nov 4 07:09:49 2008 : Info: ++[unix] returns notfound Tue Nov 4 07:09:49 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab2' to request_items Tue Nov 4 07:09:49 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab' to request_items Tue Nov 4 07:09:49 2008 : Info: ++[etc_group] returns ok Tue Nov 4 07:09:49 2008 : Info: [files] users: Matched entry DEFAULT at line 102 Tue Nov 4 07:09:49 2008 : Info: ++[files] returns ok Tue Nov 4 07:09:49 2008 : Info: ++[expiration] returns noop Tue Nov 4 07:09:49 2008 : Info: ++[logintime] returns noop Tue Nov 4 07:09:49 2008 : Info: [pap] Found existing Auth-Type, not changing it. Tue Nov 4 07:09:49 2008 : Info: ++[pap] returns noop Tue Nov 4 07:09:49 2008 : Info: Found Auth-Type = Reject Tue Nov 4 07:09:49 2008 : Info: Auth-Type = Reject, rejecting user Tue Nov 4 07:09:49 2008 : Info: Failed to authenticate the user. Tue Nov 4 07:09:49 2008 : Info: Using Post-Auth-Type Reject Tue Nov 4 07:09:49 2008 : Info: +- entering group REJECT {...} Tue Nov 4 07:09:49 2008 : Info: [attr_filter.access_reject] expand: %{User-Name} -> walter Tue Nov 4 07:09:49 2008 : Debug: attr_filter: Matched entry DEFAULT at line 11 Tue Nov 4 07:09:49 2008 : Info: ++[attr_filter.access_reject] returns updated Tue Nov 4 07:09:49 2008 : Info: Delaying reject of request 1 for 1 seconds Tue Nov 4 07:09:49 2008 : Debug: Going to the next request Tue Nov 4 07:09:49 2008 : Debug: Waking up in 0.9 seconds. Tue Nov 4 07:09:50 2008 : Info: Sending delayed reject for request 1 Sending Access-Reject of id 112 to 10.11.224.36 port 32783 Tue Nov 4 07:09:50 2008 : Debug: Waking up in 4.9 seconds. Tue Nov 4 07:09:55 2008 : Info: Cleaning up request 1 ID 112 with timestamp +39 Tue Nov 4 07:09:55 2008 : Debug: Ready to process requests.
-- Walt Reynolds Principal Systems Security Development Engineer Information Technology Central Services University of Michigan (734) 615-9438
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sorry, my brain is like sieve today. Not DEFAULT but user entries (as I said in the text): walt password, hutgroup, group fall-through walt bpassword, huntgroup, group Ivan Kalik Kalik Informatika ISP Dana 4/11/2008, "Reynolds, Walter" <waltr@umich.edu> piše:
I am trying to find a good way to limit who is able to login at specific NAS's. I know I could add all the allowed user names to the Huntgroups file, but this can get tedious as I must do it for each NAS. So I figured the best way was to use groups. The users are not account holders on the system, so I could not user the 'Group' option in huntgroups. I also do not have a database backend so wanted to uses a local file.
So in looking I saw that I could do the following:
1. modules/etc_group - Define a local file with a group list 2. Created the group file referenced in etc_group 3. Added a dictionary item for the attribute 4. Add the desired NAS to a huntgroup 5. Set a policy in the users file to be based on the list.
Where I am having a problem is if the user is assigned to more than one group. As you can see from the first debug output from below, if a user is a member of the group alone it works fine. But the second debug shows that if a user is a member of more than one group, even if one is the right one, it will not work because one of the groups does not match.
The reason I need users in more than one group is if they are affiliated with more than one department. Also will need more than one affiliation for support to be able to troubleshoot connecting on each NAS.
In case it matters, the back end authentication is Kerberos on our production service but for this test I just have some local accounts defined in the users file.
So, is this a error in my logic/setup or is this a limitation I have with Freeradius. Is there some other way to do this?
===============
/usr/local/etc/raddb/modules/etc_group
passwd etc_group { filename = /usr/local/etc/raddb/group_file format = "~Etc-Group-Name:*,User-Name" hashsize = 150 ignorenislike = yes allowmultiplekeys = yes delimiter = ":" }
================
/usr/local/etc/raddb/group_file
wilab:walt,walter wilab2:walter,walter01 nolab:walter01
=================
/usr/local/etc/raddb/dictionary
ATTRIBUTE Etc-Group-Name 3000 string
=================
/usr/local/etc/raddb/huntgroups
ILAB NAS-IP-Address == 10.11.224.36
=================
/usr/local/etc/raddb/users (added line numbers for the debug)
102 DEFAULT Huntgroup-Name == ILAB, Etc-Group-Name != "wilab", Auth-Type := Reject 103 Fall-Through = no 104 105 walt Cleartext-Password := "walter01" 106 walter Cleartext-Password := "walter01" 107 walter01 Cleartext-Password := "walter01"
-------------------------------
rad_recv: Access-Request packet from host 10.11.224.36 port 32783, id=111, length=131 User-Name = "walt" User-Password = "walter01" NAS-IP-Address = 10.11.224.36 Service-Type = Login-User Framed-IP-Address = 192.168.135.25 Called-Station-Id = "00:07:E9:D1:8F:C2" NAS-Identifier = "Bluesocket" Acct-Session-Id = "00:07:E9:D1:8F:C2:1225801477" NAS-Port-Type = Wireless-802.11 Tue Nov 4 07:09:21 2008 : Info: +- entering group authorize {...} Tue Nov 4 07:09:21 2008 : Info: ++[preprocess] returns ok Tue Nov 4 07:09:21 2008 : Info: ++[chap] returns noop Tue Nov 4 07:09:21 2008 : Info: ++[mschap] returns noop Tue Nov 4 07:09:21 2008 : Info: [suffix] No '@' in User-Name = "walt", looking up realm NULL Tue Nov 4 07:09:21 2008 : Info: [suffix] No such realm "NULL" Tue Nov 4 07:09:21 2008 : Info: ++[suffix] returns noop Tue Nov 4 07:09:21 2008 : Info: [eap] No EAP-Message, not doing EAP Tue Nov 4 07:09:21 2008 : Info: ++[eap] returns noop Tue Nov 4 07:09:21 2008 : Info: ++[unix] returns notfound Tue Nov 4 07:09:21 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab' to request_items Tue Nov 4 07:09:21 2008 : Info: ++[etc_group] returns ok Tue Nov 4 07:09:21 2008 : Info: [files] users: Matched entry walt at line 105 Tue Nov 4 07:09:21 2008 : Info: ++[files] returns ok Tue Nov 4 07:09:21 2008 : Info: ++[expiration] returns noop Tue Nov 4 07:09:21 2008 : Info: ++[logintime] returns noop Tue Nov 4 07:09:21 2008 : Info: ++[pap] returns updated Tue Nov 4 07:09:21 2008 : Info: Found Auth-Type = PAP Tue Nov 4 07:09:21 2008 : Info: +- entering group PAP {...} Tue Nov 4 07:09:21 2008 : Info: [pap] login attempt with password "walter01" Tue Nov 4 07:09:21 2008 : Info: [pap] Using clear text password "walter01" Tue Nov 4 07:09:21 2008 : Info: [pap] User authenticated successfully Tue Nov 4 07:09:21 2008 : Info: ++[pap] returns ok Tue Nov 4 07:09:21 2008 : Info: +- entering group post-auth {...} Tue Nov 4 07:09:21 2008 : Info: ++[exec] returns noop Sending Access-Accept of id 111 to 10.11.224.36 port 32783 Tue Nov 4 07:09:21 2008 : Info: Finished request 0.
======================= rad_recv: Access-Request packet from host 10.11.224.36 port 32783, id=112, length=133 User-Name = "walter" User-Password = "walter01" NAS-IP-Address = 10.11.224.36 Service-Type = Login-User Framed-IP-Address = 192.168.135.25 Called-Station-Id = "00:07:E9:D1:8F:C2" NAS-Identifier = "Bluesocket" Acct-Session-Id = "00:07:E9:D1:8F:C2:1225801505" NAS-Port-Type = Wireless-802.11 Tue Nov 4 07:09:49 2008 : Info: +- entering group authorize {...} Tue Nov 4 07:09:49 2008 : Info: ++[preprocess] returns ok Tue Nov 4 07:09:49 2008 : Info: ++[chap] returns noop Tue Nov 4 07:09:49 2008 : Info: ++[mschap] returns noop Tue Nov 4 07:09:49 2008 : Info: [suffix] No '@' in User-Name = "walter", looking up realm NULL Tue Nov 4 07:09:49 2008 : Info: [suffix] No such realm "NULL" Tue Nov 4 07:09:49 2008 : Info: ++[suffix] returns noop Tue Nov 4 07:09:49 2008 : Info: [eap] No EAP-Message, not doing EAP Tue Nov 4 07:09:49 2008 : Info: ++[eap] returns noop Tue Nov 4 07:09:49 2008 : Info: ++[unix] returns notfound Tue Nov 4 07:09:49 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab2' to request_items Tue Nov 4 07:09:49 2008 : Info: [etc_group] Added Etc-Group-Name: 'wilab' to request_items Tue Nov 4 07:09:49 2008 : Info: ++[etc_group] returns ok Tue Nov 4 07:09:49 2008 : Info: [files] users: Matched entry DEFAULT at line 102 Tue Nov 4 07:09:49 2008 : Info: ++[files] returns ok Tue Nov 4 07:09:49 2008 : Info: ++[expiration] returns noop Tue Nov 4 07:09:49 2008 : Info: ++[logintime] returns noop Tue Nov 4 07:09:49 2008 : Info: [pap] Found existing Auth-Type, not changing it. Tue Nov 4 07:09:49 2008 : Info: ++[pap] returns noop Tue Nov 4 07:09:49 2008 : Info: Found Auth-Type = Reject Tue Nov 4 07:09:49 2008 : Info: Auth-Type = Reject, rejecting user Tue Nov 4 07:09:49 2008 : Info: Failed to authenticate the user. Tue Nov 4 07:09:49 2008 : Info: Using Post-Auth-Type Reject Tue Nov 4 07:09:49 2008 : Info: +- entering group REJECT {...} Tue Nov 4 07:09:49 2008 : Info: [attr_filter.access_reject] expand: %{User-Name} -> walter Tue Nov 4 07:09:49 2008 : Debug: attr_filter: Matched entry DEFAULT at line 11 Tue Nov 4 07:09:49 2008 : Info: ++[attr_filter.access_reject] returns updated Tue Nov 4 07:09:49 2008 : Info: Delaying reject of request 1 for 1 seconds Tue Nov 4 07:09:49 2008 : Debug: Going to the next request Tue Nov 4 07:09:49 2008 : Debug: Waking up in 0.9 seconds. Tue Nov 4 07:09:50 2008 : Info: Sending delayed reject for request 1 Sending Access-Reject of id 112 to 10.11.224.36 port 32783 Tue Nov 4 07:09:50 2008 : Debug: Waking up in 4.9 seconds. Tue Nov 4 07:09:55 2008 : Info: Cleaning up request 1 ID 112 with timestamp +39 Tue Nov 4 07:09:55 2008 : Debug: Ready to process requests.
-- Walt Reynolds Principal Systems Security Development Engineer Information Technology Central Services University of Michigan (734) 615-9438
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Reynolds, Walter -
tnt@kalik.net