Filter-Id denying access
Josh
josh2780 at yahoo.com
Mon Dec 5 19:37:03 CET 2005
I have been successfully authenticating individual
users between a PIX 515 VPN and FreeRadius server.
I'm using mysql as the data storage on the radius
server.
Recently I began changing the way I manage the ACLs on
the PIX and began setting up user-specific ACLs that
get set after logging in via the VPN.
On the PIX:
access-list myvpntest permit ip... and so forth
On radius (mysql):
insert into radcheck (UserName,Attribute,op,Value)
values ('josh','Filter-Id','=','myvpntest');
Now when I attempt to log in with my VPN client I get
denied. Here's a snippet of the debug:
------ BEGIN DEBUG ------
radius_xlat: 'josh'
rlm_sql (sql): sql_set_user escaped user --> 'josh'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op
FROM radcheck WHERE Username = 'josh' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username
= 'josh' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op
FROM radreply WHERE Username = 'josh' ORDER BY id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username
= 'josh' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): No matching entry in the database for
request from user [josh]
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns notfound
for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration
found for the request: Rejecting the user
auth: Failed to validate the user.
Finished request 0
------ END DEBUG ------
For reference, here's the debug info when I remove the
Filter-Id for user 'josh':
------ BEGIN DEBUG ------
radius_xlat: 'josh'
rlm_sql (sql): sql_set_user escaped user --> 'josh'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op
FROM radcheck WHERE Username = 'josh' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username
= 'josh' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op
FROM radreply WHERE Username = 'josh' ORDER BY id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username
= 'josh' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module "sql" returns ok for
request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type PAP
auth: type "PAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
rlm_pap: login attempt by "josh" with password
********
rlm_pap: Using password "********" for user josh
authentication.
rlm_pap: Using MD5 encryption.
rlm_pap: User authenticated succesfully
modcall[authenticate]: module "pap" returns ok for
request 1
modcall: group Auth-Type returns ok for request 1
Sending Access-Accept of id 119 to 10.5.0.1:1812
Finished request 1
------ END DEBUG ------
Any ideas?
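An added example, not part of Josh's post or of the FreeRADIUS project, showing the radcheck row from the post next to the same Filter-Id placed in radreply. The reason it matters: rlm_sql treats every radcheck row as a check item and compares the whole set against the incoming Access-Request. The request from the PIX carries no Filter-Id, so a Filter-Id check item can never match, the entry is reported as "No matching entry in the database", and the password row in radcheck is never used, which is why the debug ends with no Auth-Type found. radreply rows are reply items returned in the Access-Accept, which is where the PIX reads the ACL name. Table and column names are the stock FreeRADIUS MySQL schema of that era; the user name, ACL name and the '=' operator are the ones from the post, and the group-scoped variant at the end is an assumption about how the usergroup/radgroupreply tables already queried in the debug would be used.

```sql
-- Added example (not from the original post or the FreeRADIUS project).
-- Stock FreeRADIUS MySQL schema: radcheck/radgroupcheck hold check items,
-- radreply/radgroupreply hold reply items, usergroup maps users to groups.

-- What the post did: Filter-Id as a CHECK item. rlm_sql compares all radcheck
-- rows for 'josh' against the incoming Access-Request; the request has no
-- Filter-Id, so the comparison fails and the user is treated as "not found".
-- (Shown here only for contrast; do not run it.)
--   INSERT INTO radcheck (UserName, Attribute, op, Value)
--     VALUES ('josh', 'Filter-Id', '=', 'myvpntest');

-- Remove that row if it exists. The password row in radcheck is left alone.
DELETE FROM radcheck
 WHERE UserName = 'josh' AND Attribute = 'Filter-Id';

-- Correct placement: a REPLY item, returned in the Access-Accept. The PIX
-- applies the named access-list ('myvpntest' from the post) to the session.
INSERT INTO radreply (UserName, Attribute, op, Value)
  VALUES ('josh', 'Filter-Id', '=', 'myvpntest');

-- Verification: check items should contain only credential attributes,
-- reply items should contain the Filter-Id.
SELECT 'check' AS src, Attribute, op, Value
  FROM radcheck WHERE UserName = 'josh'
UNION ALL
SELECT 'reply' AS src, Attribute, op, Value
  FROM radreply WHERE UserName = 'josh'
ORDER BY src, Attribute;

-- Assumed variant for an ACL shared by several VPN users: attach the
-- Filter-Id to a group (group name 'vpn-test' is made up for this example)
-- and map users to it, so the ACL is managed in one row instead of per user.
INSERT INTO radgroupreply (GroupName, Attribute, op, Value)
  VALUES ('vpn-test', 'Filter-Id', '=', 'myvpntest');
INSERT INTO usergroup (UserName, GroupName)
  VALUES ('josh', 'vpn-test');
```

After the change, the debug run should show "module "sql" returns ok", PAP authenticating as in the second trace, and the Access-Accept carrying Filter-Id = "myvpntest". If a user has both a per-user radreply Filter-Id and a group one, two Filter-Id attributes are returned; keep only one of the two placements per user so the PIX does not have to choose.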