Huntgroups, Realms, MySQL

Brad McAllister bmcallister at noc.dls.net
Thu Oct 5 22:19:39 CEST 2006


Sorry if this has already been addressed. I have been searching all
day and haven't found the solution to my problem. I am attempting to
set up multiple huntgroups to limit the types of connections that
clients can make. Along with this I have a list of realms that are
authenticated locally and others that are directed to remote RADIUS
servers. All of the user and group information is stored in a MySQL
db. I am having problems authenticating users with realms that are
not passed to a remote server.

Below is an example of a test without a realm:

radtest test blah123 127.0.0.1 0 testing123
Sending Access-Request of id 215 to 127.0.0.1:1812
         User-Name = "test"
         User-Password = "blah123"
         NAS-IP-Address = localhost.localdomain
         NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=215, length=272
         Framed-Protocol = PPP
         Framed-Routing = Broadcast
         Framed-Compression = None
         Framed-MTU = 1500
         Idle-Timeout = 0
         Cisco-AVPair = "lcp:interface-config=rate-limit input 256000 32000 32000 conform-action transmit exceed-action drop"
         Cisco-AVPair = "lcp:interface-config=rate-limit output 4500000 32000 32000 conform-action transmit exceed-action drop"
         Service-Type = Framed-User

With a realm:
radtest test@dls.net blah123 127.0.0.1 0 testing123
Sending Access-Request of id 223 to 127.0.0.1:1812
         User-Name = "test@dls.net"
         User-Password = "blah123"
         NAS-IP-Address = localhost.localdomain
         NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=223, length=20

Output from the server:
rad_recv: Access-Request packet from host 127.0.0.1:32770, id=223, length=77
         User-Name = "test@dls.net"
         User-Password = "blah123"
         NAS-IP-Address = 255.255.255.255
         NAS-Port = 0
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
rlm_sql (sql): - sql_groupcmp
radius_xlat:  'test@dls.net'
rlm_sql (sql): sql_set_user escaped user --> 'test@dls.net'
radius_xlat:  'SELECT GroupName FROM usergroup WHERE UserName='test@dls.net''
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
rlm_sql (sql): - sql_groupcmp finished: User does not belong in group 3072BY256
No huntgroup access: [test@dls.net] (from client localhost port 0)
   modcall[authorize]: module "preprocess" returns reject for request 2
modcall: group authorize returns reject for request 2

If I remove the huntgroups out of the picture, it works fine. The
problem seems to be that the realm is not being stripped off of the
username when it checks it against the usergroup table. If more
information is needed, please let me know. I would really like to get
this working.

Thanks!

- Brad
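
The lookup mismatch described in the post, modelled in Python with an in-memory SQLite table (an added example, not part of the original message and not FreeRADIUS code). The query text and the group name 3072BY256 come from the debug output; the usergroup row, the list of local realms and all function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: table and column names are taken from the
    # logged query; the single row is an assumption about the database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE usergroup (UserName TEXT, GroupName TEXT)")
    db.execute("INSERT INTO usergroup VALUES (?, ?)", ("test", "3072BY256"))
    return db

def strip_realm(user_name, local_realms):
    """Model of suffix-style realm handling: split on the last '@' and drop
    the realm only when it is one that is authenticated locally."""
    name, sep, realm = user_name.rpartition("@")
    if sep and name and realm.lower() in local_realms:
        return name
    return user_name

def in_group(db, lookup_name, group):
    """Same lookup as the logged query, written with a bound parameter."""
    rows = db.execute(
        "SELECT GroupName FROM usergroup WHERE UserName = ?", (lookup_name,))
    return any(row[0] == group for row in rows)

def huntgroup_check(db, user_name, group, local_realms, strip_first):
    """Group comparison as the huntgroup rule needs it. strip_first=False
    models the logged behaviour, where the realm-qualified name is used."""
    lookup = strip_realm(user_name, local_realms) if strip_first else user_name
    return in_group(db, lookup, group)

if __name__ == "__main__":
    db = make_db()
    local = {"dls.net"}  # assumed list of locally authenticated realms
    for name in ("test", "test@dls.net", "test@remote.example"):
        for strip_first in (False, True):
            ok = huntgroup_check(db, name, "3072BY256", local, strip_first)
            print(f"{name:22} strip_first={strip_first!s:5} in_group={ok}")
```

With the raw name the group comparison fails for test@dls.net exactly as in the server output; it succeeds only when the name used for the lookup has had the local realm removed first.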