unidentified users and vlan assignment

Fabien COMBERNOUS fcombernous at kezia.com
Wed Sep 15 17:49:34 CEST 2010


  On 15/09/2010 17:29, Phil Mayers wrote:
>
>
> Please post the full debugging output.

+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "08-00-0f-44-c7-42", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 10.2.2.230 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
++[opendirectory] returns ok
++- entering group redundant_sql {...}
[sql1]     expand: %{User-Name} -> 08-00-0f-44-c7-42
[sql1] sql_set_user escaped user --> '08-00-0f-44-c7-42'
rlm_sql (sql1): Reserving sql socket id: 1
[sql1]     expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'
[sql1]     expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY prior
rlm_sql (sql1): Released sql socket id: 1
[sql1] User 08-00-0f-44-c7-42 not found
+++[sql1] returns notfound
++- group redundant_sql returns notfound
++? if (notfound)
? Evaluating (notfound) -> TRUE
++? if (notfound) -> TRUE
++- entering if (notfound) {...}
+++[reply] returns notfound
++- if (notfound) returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "08-00-0f-44-c7-42" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> 08-00-0f-44-c7-42
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
>
> Have you tested this? With radclient/radtest? It should work, from 
> what I can see.

No, I didn't test it.

Thank you for your help.
-- 
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com <http://www.kezia.com/>
*Tel: +33 (0) 467 992 986*
Kezia Group