multiple usergroups failing; freeradius 2.1.10 + Cisco-AVPairs

michael at jarrett.id.au michael at jarrett.id.au
Thu Dec 16 07:10:31 CET 2010


SQL log attached:
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'test at realm'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'test at realm'           ORDER BY id
rlm_sql_mysql: query:  SELECT groupname           FROM usergroup           WHERE username = 'test at realm'           ORDER BY priority
rlm_sql_mysql: query:  SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'VRF-TEST'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'VRF-TEST'           ORDER BY id
rlm_sql (sql): Released sql socket id: 4

If I run the 3rd query manually, it does pick up the VRF-TEST and QOS-PROFILE usergroups; however, looking at the above groupcheck/groupreply query, it is only running it for the first instance. Bug perhaps in rlm_sql_mysql?
-Michael

On Thu, 16 Dec 2010 11:33:46 +1100, <michael at jarrett.id.au> wrote:
> Hi,
>  During a rebuild of our Radius servers from an old freeradius 1.x install
> to 2.1.10, we've lost the ability to push multiple usergroups to our Cisco LNS:
> MySQL:
> radcheck:
> id 	UserName 	Attribute 	op 	Value
> 9791 	test at realm 	Password 	:= 	{clear}somepass
> 
> radgroupreply:
> id 	GroupName 	Attribute 	op 	Value
> 161 	VRF-TEST 	Cisco-AVPair 	+= 	ip:vrf-id=TEST
> 162 	VRF-TEST 	Cisco-AVPair 	+= 	ip:ip-unnumbered=loopback25
> 2211 	QOS-PROFILE 	Cisco-AVPair 	+= 	ip:sub-qos-policy-out=TEST-QOS-PROFILE
> 
> radreply:
> id 	UserName 	Attribute 	op 	Value
> 124561 	test at realm 	Framed-IP-Netmask 	= 	255.255.255.255
> 124571 	test at realm 	Framed-IP-Address 	= 	1.1.1.1
> 
> usergroup:
> UserName 	GroupName 	priority
> test at realm 	VRF-TEST 	1
> test at realm 	QOS-PROFILE 	2
> 
> debugging Radius on the Cisco shows (amongst other things):
> RADIUS:  Vendor, Cisco       [26]  21
> RADIUS:   Cisco AVpair       [1]   15  "ip:vrf-id=TEST"
> RADIUS:  Vendor, Cisco       [26]  35
> RADIUS:   Cisco AVpair       [1]   29  "ip:ip-unnumbered=loopback25"
> 
> If you set QOS-PROFILE to priority 0 for example, it will then only pick
> up the QOS-PROFILE usergroup, not both. Setting both usergroups to the same
> priority yields the same results; only applying the first, never both.
> 
> To rule out the Cisco I've performed a tcpdump on Radius itself; I can
> only see freeradius sending one usergroup in the Access-Accept response.
> This is also a fresh freeradius install via FreeBSD ports; no
> configuration was carried over from the previous install except for MySQL
> DB credentials.
> 
> Thoughts?
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
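
The discrepancy reported in this thread can be reproduced offline as a check. The following is an added example, not part of the original message or of FreeRADIUS: it loads the usergroup and radgroupreply rows quoted above into an in-memory SQLite database (a stand-in for the MySQL instance), runs the logged queries for every group rather than only the first, and lists the configured reply values that are absent from the Cisco debug output. The function names are hypothetical.

```python
import sqlite3

# Sample rows copied from the tables quoted in the message above.
USERGROUP = [("test at realm", "VRF-TEST", 1), ("test at realm", "QOS-PROFILE", 2)]
RADGROUPREPLY = [
    (161, "VRF-TEST", "Cisco-AVPair", "+=", "ip:vrf-id=TEST"),
    (162, "VRF-TEST", "Cisco-AVPair", "+=", "ip:ip-unnumbered=loopback25"),
    (2211, "QOS-PROFILE", "Cisco-AVPair", "+=", "ip:sub-qos-policy-out=TEST-QOS-PROFILE"),
]
# Cisco-AVPair values seen in the Cisco RADIUS debug quoted above.
SENT_AVPAIRS = ["ip:vrf-id=TEST", "ip:ip-unnumbered=loopback25"]


def build_db():
    """Create an in-memory database holding the two tables (SQLite stand-in for MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE usergroup (username TEXT, groupname TEXT, priority INTEGER)")
    db.execute("CREATE TABLE radgroupreply "
               "(id INTEGER, groupname TEXT, attribute TEXT, op TEXT, value TEXT)")
    db.executemany("INSERT INTO usergroup VALUES (?, ?, ?)", USERGROUP)
    db.executemany("INSERT INTO radgroupreply VALUES (?, ?, ?, ?, ?)", RADGROUPREPLY)
    return db


def groups_for(db, username):
    """Same shape as the third logged query: the user's groups in priority order."""
    rows = db.execute(
        "SELECT groupname FROM usergroup WHERE username = ? ORDER BY priority", (username,))
    return [r[0] for r in rows]


def group_reply(db, groupname):
    """Same shape as the radgroupreply query, run for an arbitrary group."""
    return db.execute(
        "SELECT attribute, op, value FROM radgroupreply WHERE groupname = ? ORDER BY id",
        (groupname,)).fetchall()


def missing_from_accept(db, username, sent_avpairs):
    """Return (group, value) pairs configured in SQL but not seen in the Access-Accept."""
    missing = []
    for group in groups_for(db, username):
        for _attr, _op, value in group_reply(db, group):
            if value not in sent_avpairs:
                missing.append((group, value))
    return missing


if __name__ == "__main__":
    for group, value in missing_from_accept(build_db(), "test at realm", SENT_AVPAIRS):
        print(f"configured but not sent: {group}: {value}")
```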




More information about the Freeradius-Users mailing list