Attribute and authorization problem

Josh josh2780 at yahoo.com
Mon Dec 5 21:05:44 CET 2005


I'm sorry if you received this twice. This was caught
by my spam guard... not sure why and am not sure if it
made it to everyone.  I'm changing the subject...

See below.

--- Josh <josh2780 at yahoo.com> wrote:

> I have been successfully authenticating individual
> users between a PIX 515 VPN and FreeRadius server. 
> I'm using mysql as the data storage on the radius
> server.
> 
> Recently I began changing the way I manage the ACLs
> on the PIX and began setting up user-specific ACLs that
> get set after logging in via the VPN.
> 
> On the PIX:
> access-list myvpntest permit ip... and so forth
> 
> On radius (mysql):
> insert into radcheck (UserName,Attribute,op,Value)
> values ('josh','Filter-Id','=','myvpntest');
> 
> Now when I attempt to login with my VPN client I get
> denied.  Here's a snippet of the debug:
> 
> ------ BEGIN DEBUG ------
> radius_xlat:  'josh'
> rlm_sql (sql): sql_set_user escaped user --> 'josh'
> radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'josh' ORDER BY id'
> rlm_sql (sql): Reserving sql socket id: 4
> radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'josh' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
> radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'josh' ORDER BY id'
> radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'josh' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
> rlm_sql (sql): No matching entry in the database for request from user [josh]
> rlm_sql (sql): Released sql socket id: 4
>   modcall[authorize]: module "sql" returns notfound for request 0
> modcall: group authorize returns ok for request 0
> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> auth: Failed to validate the user.
> Finished request 0
> ------ END DEBUG ------
> 
> 
> For reference, here's the debug info when I remove
> the Filter-Id for user 'josh':
> 
> ------ BEGIN DEBUG ------
> radius_xlat:  'josh'
> rlm_sql (sql): sql_set_user escaped user --> 'josh'
> radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'josh' ORDER BY id'
> rlm_sql (sql): Reserving sql socket id: 3
> radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'josh' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
> radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'josh' ORDER BY id'
> radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'josh' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
> rlm_sql (sql): Released sql socket id: 3
>   modcall[authorize]: module "sql" returns ok for request 1
> modcall: group authorize returns ok for request 1
>   rad_check_password:  Found Auth-Type PAP
> auth: type "PAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 1
> rlm_pap: login attempt by "josh" with password ********
> rlm_pap: Using password "********" for user josh authentication.
> rlm_pap: Using MD5 encryption.
> rlm_pap: User authenticated succesfully
>   modcall[authenticate]: module "pap" returns ok for request 1
> modcall: group Auth-Type returns ok for request 1
> Sending Access-Accept of id 119 to 10.5.0.1:1812
> Finished request 1
> ------ END DEBUG ------
> 
> Any ideas?
> 



		



More information about the Freeradius-Users mailing list