User in Multiple Groups

Phil Mayers p.mayers at imperial.ac.uk
Thu Apr 6 14:22:39 CEST 2006


Scott Reed wrote:
> I have searched the archive and came close to figuring this out, but I have not 

Don't start your query as part of another thread please.

> 
> Configuration tables:
>       1 USERGROUP
>       2 80      sreed   MS1-AP1
>       3 76      treed   MS1-AP1
>       4 78      sreed   Router-Admin
>       5 79      treed   Router-Admin
>       6 81      dreed   Router-Admin
>       7
>       8 RADCHECK
>       9 331     dreed   User-Password   ==      password
>      10 269     treed   User-Password   ==      password
>      11 267     sreed   User-Password   ==      password

This should be ":=" for User-Password. If the match is failing, that may 
be the issue.

>      12
>      13 RADGROUPCHECK
>      14 31      Router-Admin    Service-Type    ==      Login-User
>      15 28      MS1-AP1          Service-Type    ==      Framed-User
>      16
>      17 RADREPLY
>      18 33      sreed   Fall-Through    =       yes
>      19 43      treed   Fall-Through    =       yes
>      20
>      21 RADGROUPREPLY
>      22 33      MS1-AP1          Port-Limit        =       128k    15
>      23 34      Router-Admin    Mikrotik-Group  =       full    10
>      24 39      Router-Admin    Fall-Through     =      Yes     10
>      25 37      MS1-AP1          Fall-Through     =      Yes     15

I don't think Fall-Through does anything in rlm_sql. What are you 
expecting it to do?


> rad_recv: Access-Request packet from host 192.168.100.13:1201, id=166, length=83
>         Service-Type = Login-User
>         User-Name = "treed"
>         User-Password = "password"
>         Calling-Station-Id = "192.168.100.240"
>         NAS-Identifier = "HotSpot"
>         NAS-IP-Address = 192.168.100.13
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
>   modcall[authorize]: module "preprocess" returns ok for request 1
>   modcall[authorize]: module "chap" returns noop for request 1
>   modcall[authorize]: module "mschap" returns noop for request 1
>     rlm_realm: No '@' in User-Name = "treed", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 1
> radius_xlat:  'treed'
> rlm_sql (sql): sql_set_user escaped user --> 'treed'
> rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
> Username = 'treed' ORDER BY id
> rlm_sql_mysql: query:  SELECT 
> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  
> FROM radgroupcheck,usergroup WHERE usergroup.Username = 'treed' AND 
> usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id

What is the result of this query if you execute it directly against the 
database?


> rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
> Username = 'treed' ORDER BY id

> rlm_sql_mysql: query:  SELECT 
> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  
> FROM radgroupreply,usergroup WHERE usergroup.Username = 'treed' AND 
> usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.prio

Again, what does this query give against the database?

> rlm_sql (sql): No matching entry in the database for request from user [treed]

This error code is returned if the check items don't match the request.

Possibly take a look in:

src/modules/rlm_sql/rlm_sql.c

...around line 860 (depending on the version you're running) and 
uncomment these lines:

/*
  * Uncomment these lines for debugging
  * Recompile, and run 'radiusd -X'
  */

/*
DEBUG2("rlm_sql:  check items");
vp_listdebug(check_tmp);
DEBUG2("rlm_sql:  reply items");
vp_listdebug(reply_tmp);
*/

...then recompile and run again.
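As an added example (not part of the original message and not FreeRADIUS code), the sketch below loads the quoted tables into an in-memory SQLite database and runs the two group queries from the `radiusd -X` output directly, as the reply asks. Assumptions: SQLite stands in for MySQL, the column order of each table and the `id` column of `usergroup` are guessed from the dump, the trailing number in the RADGROUPREPLY rows is taken to be `prio`, and `unmatched_checks` is a simplified comparison of `==` rows against the request, not rlm_sql's own matching logic.

```python
import sqlite3

# Rows copied from the tables quoted in the post (constructed into SQLite here).
USERGROUP = [(80, "sreed", "MS1-AP1"), (76, "treed", "MS1-AP1"),
             (78, "sreed", "Router-Admin"), (79, "treed", "Router-Admin"),
             (81, "dreed", "Router-Admin")]
RADGROUPCHECK = [(31, "Router-Admin", "Service-Type", "==", "Login-User"),
                 (28, "MS1-AP1", "Service-Type", "==", "Framed-User")]
# Assumption: the trailing number in the RADGROUPREPLY dump is the prio column.
RADGROUPREPLY = [(33, "MS1-AP1", "Port-Limit", "=", "128k", 15),
                 (34, "Router-Admin", "Mikrotik-Group", "=", "full", 10),
                 (39, "Router-Admin", "Fall-Through", "=", "Yes", 10),
                 (37, "MS1-AP1", "Fall-Through", "=", "Yes", 15)]

def build_db():
    """In-memory stand-in for the MySQL schema; column order is an assumption."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE usergroup (id INTEGER, UserName TEXT, GroupName TEXT);
        CREATE TABLE radgroupcheck (id INTEGER, GroupName TEXT, Attribute TEXT,
                                    op TEXT, Value TEXT);
        CREATE TABLE radgroupreply (id INTEGER, GroupName TEXT, Attribute TEXT,
                                    op TEXT, Value TEXT, prio INTEGER);""")
    db.executemany("INSERT INTO usergroup VALUES (?,?,?)", USERGROUP)
    db.executemany("INSERT INTO radgroupcheck VALUES (?,?,?,?,?)", RADGROUPCHECK)
    db.executemany("INSERT INTO radgroupreply VALUES (?,?,?,?,?,?)", RADGROUPREPLY)
    return db

def group_items(db, table, order_col, user):
    """Run the group query from the radiusd -X log with the user name bound."""
    assert table in ("radgroupcheck", "radgroupreply")  # fixed identifiers only
    assert order_col in ("id", "prio")
    q = (f"SELECT {table}.id,{table}.GroupName,{table}.Attribute,{table}.Value,"
         f"{table}.op FROM {table},usergroup WHERE usergroup.Username = ? AND "
         f"usergroup.GroupName = {table}.GroupName ORDER BY {table}.{order_col}")
    return db.execute(q, (user,)).fetchall()

def unmatched_checks(rows, request):
    """'==' rows whose Value differs from the same attribute in the request."""
    return [r for r in rows if r[4] == "==" and request.get(r[2]) != r[3]]

if __name__ == "__main__":
    db = build_db()
    request = {"Service-Type": "Login-User", "User-Name": "treed"}  # from the log
    checks = group_items(db, "radgroupcheck", "id", "treed")
    for row in checks:
        print("check:", row)
    print("differs from request:", unmatched_checks(checks, request))
    for row in group_items(db, "radgroupreply", "prio", "treed"):
        print("reply:", row)
```

Against the real server, the same two SELECT statements can be pasted into the MySQL client with the user name substituted.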


