User in Multiple Groups
Scott Reed
sreed at nwwnet.net
Fri Apr 7 01:07:33 CEST 2006
Someone posted that many readers of this list don't have HTML mail readers, so
I cleaned up the spacing on the tables and am reposting this in text so all
can read it.
Scott Reed
Owner
NewWays
Wireless Networking
Network Design, Installation and Administration
www.nwwnet.net
---------- Original Message -----------
From: "Scott Reed" <sreed at nwwnet.net>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Thu, 6 Apr 2006 07:54:08 -0500
Subject: Re: User in Multiple Groups
> I did not usurp a thread, I reposted my own.
>
> I changed radcheck to have := instead of ==. No change.
>
> First query returns:
> +----+--------------+--------------+-------------+----+
> | id | GroupName    | Attribute    | Value       | op |
> +----+--------------+--------------+-------------+----+
> | 28 | MS1-AP1      | Service-Type | Framed-User | == |
> | 31 | Router-Admin | Service-Type | Login-User  | == |
> +----+--------------+--------------+-------------+----+
> Second query returns
> +----+--------------+-------------------+-------+----+
> | id | GroupName    | Attribute         | Value | op |
> +----+--------------+-------------------+-------+----+
> | 34 | Router-Admin | Mikrotik-Group    | full  | =  |
> | 39 | Router-Admin | Fall-Through      | Yes   | =  |
> | 37 | MS1-AP1      | Fall-Through      | Yes   | =  |
> | 33 | MS1-AP1      | Port-Limit        | 128k  | =  |
> +----+--------------+-------------------+-------+----+
>
> I have a document from the FreeRadius WIKI (rlm_sql) that says, "Processing
> continues to the next group IF:
> There was not a match for the last group's check items OR
> Fall-Through was set in the last group's reply items."
> If the user logs into a router, the request is for Login-User and they
> should get the Router-Admin replies. If they log in to an AP, the request is
> Framed-User and they should get the AP replies.
>
> Scott Reed
> Owner
> NewWays
> Wireless Networking
> Network Design, Installation and Administration
> www.nwwnet.net
>
> ---------- Original Message -----------
> From: Phil Mayers <p.mayers at imperial.ac.uk>
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Sent: Thu, 06 Apr 2006 13:22:39 +0100
> Subject: Re: User in Multiple Groups
>
> > Scott Reed wrote:
> > > I have searched the archive and came close to figuring this out, but I
> > > have not
> >
> > Don't start your query as part of another thread please.
> >
> > >
> > > Configuration tables:
> > > USERGROUP
> > > 80  sreed  MS1-AP1
> > > 76  treed  MS1-AP1
> > > 78  sreed  Router-Admin
> > > 79  treed  Router-Admin
> > > 81  dreed  Router-Admin
> > >
> > > RADCHECK
> > > 331  dreed  User-Password  ==  password
> > > 269  treed  User-Password  ==  password
> > > 267  sreed  User-Password  ==  password
> >
> > This should be ":=" for User-Password. If the match is failing, that may
> > be the issue.
> >
> > >
> > > RADGROUPCHECK
> > > 31  Router-Admin  Service-Type  ==  Login-User
> > > 28  MS1-AP1       Service-Type  ==  Framed-User
> > >
> > > RADREPLY
> > > 33  sreed  Fall-Through  =  yes
> > > 43  treed  Fall-Through  =  yes
> > >
> > > RADGROUPREPLY
> > > 33  MS1-AP1       Port-Limit      =  128k  15
> > > 34  Router-Admin  Mikrotik-Group  =  full  10
> > > 39  Router-Admin  Fall-Through    =  Yes   10
> > > 37  MS1-AP1       Fall-Through    =  Yes   15
> >
> > I don't think Fall-Through does anything in rlm_sql. What are you
> > expecting it to do?
> >
> > > rad_recv: Access-Request packet from host 192.168.100.13:1201, id=166, length=83
> > > Service-Type = Login-User
> > > User-Name = "treed"
> > > User-Password = "password"
> > > Calling-Station-Id = "192.168.100.240"
> > > NAS-Identifier = "HotSpot"
> > > NAS-IP-Address = 192.168.100.13
> > > Processing the authorize section of radiusd.conf
> > > modcall: entering group authorize for request 1
> > > modcall[authorize]: module "preprocess" returns ok for request 1
> > > modcall[authorize]: module "chap" returns noop for request 1
> > > modcall[authorize]: module "mschap" returns noop for request 1
> > > rlm_realm: No '@' in User-Name = "treed", looking up realm NULL
> > > rlm_realm: No such realm "NULL"
> > > modcall[authorize]: module "suffix" returns noop for request 1
> > > radius_xlat: 'treed'
> > > rlm_sql (sql): sql_set_user escaped user --> 'treed'
> > > rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
> > > Username = 'treed' ORDER BY id
> > > rlm_sql_mysql: query: SELECT
> > > radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
> > > FROM radgroupcheck,usergroup WHERE usergroup.Username = 'treed' AND
> > > usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
> >
> > What is the result of this query if you execute it directly against the
> > database?
> >
> > > rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
> > > Username = 'treed' ORDER BY id
> >
> > > rlm_sql_mysql: query: SELECT
> > > radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
> > > FROM radgroupreply,usergroup WHERE usergroup.Username = 'treed' AND
> > > usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.prio
> >
> > Again, what does this query give against the database?
> >
> > > rlm_sql (sql): No matching entry in the database for request from user [treed]
> >
> > This error code is returned if the check items don't match the request.
> >
> > Possibly take a look in:
> >
> > src/modules/rlm_sql/rlm_sql.c
> >
> > ...around line 860 (depending on the version you're running) and
> > uncomment these lines:
> >
> > /*
> > * Uncomment these lines for debugging
> > * Recompile, and run 'radiusd -X'
> > */
> >
> > /*
> > DEBUG2("rlm_sql: check items");
> > vp_listdebug(check_tmp);
> > DEBUG2("rlm_sql: reply items");
> > vp_listdebug(reply_tmp);
> > */
> >
> > ...then recompile and run again.
> ------- End of Original Message -------
>
------- End of Original Message -------
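
Added example, not part of the original messages and not FreeRADIUS code: a Python model of two ways the group check items in this thread could be evaluated, using the tables quoted above. Treating the rows returned by the logged radgroupcheck query as one list that must match in full is an assumption of the model, as are the function names and visiting groups in the order listed.

```python
# Constructed from the tables quoted in the thread; the prio column is omitted.
USERGROUP = {"sreed": ["MS1-AP1", "Router-Admin"],
             "treed": ["MS1-AP1", "Router-Admin"],
             "dreed": ["Router-Admin"]}
RADGROUPCHECK = {"MS1-AP1": [("Service-Type", "==", "Framed-User")],
                 "Router-Admin": [("Service-Type", "==", "Login-User")]}
RADGROUPREPLY = {"MS1-AP1": [("Port-Limit", "128k"), ("Fall-Through", "Yes")],
                 "Router-Admin": [("Mikrotik-Group", "full"), ("Fall-Through", "Yes")]}


def checks_match(checks, request):
    """True when every '==' check item equals the request attribute."""
    return all(request.get(attr) == value
               for attr, op, value in checks if op == "==")


def merged_evaluation(user, request):
    """Model 1 (assumption): every group's check rows compared as one list."""
    groups = USERGROUP.get(user, [])
    merged = [c for g in groups for c in RADGROUPCHECK.get(g, [])]
    if not checks_match(merged, request):
        return None  # the "No matching entry in the database" outcome
    return {a: v for g in groups for a, v in RADGROUPREPLY.get(g, [])
            if a != "Fall-Through"}


def per_group_evaluation(user, request):
    """Model 2: the rule quoted from the wiki, applied one group at a time."""
    reply, matched = {}, False
    for group in USERGROUP.get(user, []):
        if not checks_match(RADGROUPCHECK.get(group, []), request):
            continue  # no match for this group's check items: next group
        matched = True
        rows = RADGROUPREPLY.get(group, [])
        reply.update({a: v for a, v in rows if a != "Fall-Through"})
        if not any(a == "Fall-Through" and v.lower() == "yes" for a, v in rows):
            break  # matched and no Fall-Through in the reply items: stop
    return reply if matched else None


if __name__ == "__main__":
    login = {"Service-Type": "Login-User"}  # the request in the debug output
    print("merged:   ", merged_evaluation("treed", login))
    print("per-group:", per_group_evaluation("treed", login))
```

Under the merged model a user in both groups can never match, because the list holds two different required values for Service-Type; dreed, who is only in Router-Admin, is unaffected.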