Checking MAC address with rlm_sql
Glen Harris
astfgl at iamnota.org
Wed Apr 4 11:38:51 CEST 2012
On 04/04/12 18:00, Alan DeKok wrote:
> Glen Harris wrote:
>>> Can you paste the debug log? I'm guessing that the request to the
>>> inner tunnel probably don't have Calling-Station-Id attribute.
>>>
>> Here it is:
> Did you read it? There's a lot of stuff, but it's pretty obvious
> what's going on:
>
>> [sql] expand: %{User-Name} -> user01
>> [sql] sql_set_user escaped user --> 'user01'
>> rlm_sql (sql): Reserving sql socket id: 3
>> [sql] expand: SELECT id, username, attribute, value, op
>> FROM radcheck WHERE username = '%{SQL-User-Name}'
>> ORDER BY id -> SELECT id, username, attribute, value, op FROM
>> radcheck WHERE username = 'user01' ORDER BY id
>> [sql] expand: SELECT groupname FROM radusergroup
>> WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
>> SELECT groupname FROM radusergroup WHERE username =
>> 'user01' ORDER BY priority
>> rlm_sql (sql): Released sql socket id: 3
>> [sql] User user01 not found
>> ++[sql] returns notfound
> What does that look like?
>
It looks like the user 'user01' does not exist in the database, or
possibly that rows for the username 'user01' do exist but my
Calling-Station-Id check item is wrong and the user is not being matched
because of that. OK, from what Fajar has said, make that probably.
There are two rows in the radcheck table with that username
(Cleartext-Password and Calling-Station-Id), and both are being returned
when I replay the above SQL manually from the mysql client. rlm_sql
handles the evaluation of check item conditions. In that case, a failure
of the Calling-Station-Id match would result in the user not being found.
There are no details from rlm_sql in the debug to show the evaluation of
the check items, but I assume that it has access to Calling-Station-Id
to do the comparison. Big assumption, but it's there as an attribute
both earlier and later in the debug log. Is there a way to see what
values are being compared inside the module?
I had assumed that this example:
user01 Cleartext-Password := pass01, Calling-Station-Id == "98-4B-4A-F5-BF-40"
would translate to the radcheck table as:
+----+----------+--------------------+-------------------+----+
| id | username | attribute | value | op |
+----+----------+--------------------+-------------------+----+
| 1 | user01 | Cleartext-Password | pass01 | := |
| 2 | user01 | Calling-Station-Id | 98-4B-4A-F5-BF-40 | == |
+----+----------+--------------------+-------------------+----+
I'm sorry, I know I'm being a pain, but I honestly can't see where I'm
going wrong. Fajar has suggested that I use radclient to do my testing
as well as some other ideas. I'm in Australia, so it's well after work
now but I'll try first thing tomorrow morning. I'll also try with the
users file, again I should have validated my check item syntax with that
first.
Regards, glen.
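The question in the post (what rlm_sql actually compares, and why a "not found" can come from a check item rather than a missing row) can be answered by reproducing the module's check-item logic outside the server. The following is an added example written for this page; it is not FreeRADIUS code and not anything Glen or Alan posted. It emulates how rlm_sql treats the radcheck rows: assignment operators such as `:=` are not compared at all (Cleartext-Password is merely stashed for the authentication step), while comparison operators such as `==` are evaluated against the attributes in the incoming Access-Request, and any failed comparison, including the attribute simply being absent from the request, turns the whole lookup into notfound. The radcheck rows and the three sample requests are constructed to mirror the table in the post; the `normalize_mac` helper is my own and only loosely modelled on the MAC canonicalisation policy FreeRADIUS ships, so its exact output format is an assumption here.

```python
import re

# Constructed radcheck rows that mirror the table in the post (not dumped from a real database).
RADCHECK = [
    {"id": 1, "username": "user01", "attribute": "Cleartext-Password", "value": "pass01", "op": ":="},
    {"id": 2, "username": "user01", "attribute": "Calling-Station-Id", "value": "98-4B-4A-F5-BF-40", "op": "=="},
]

# Assignment operators: rlm_sql keeps these as check items for later (e.g. password
# verification) and never compares them against the request.
SET_OPS = {":=", "=", "+=", "-="}


def normalize_mac(value):
    """Canonicalise a MAC address to upper-case, hyphen-separated form.

    Assumption: this imitates the idea of FreeRADIUS's rewrite_calling_station_id
    policy (accept 98:4b:4a:f5:bf:40, 984b4af5bf40, 98-4B-4A-F5-BF-40, ...); the
    exact output format is my choice. Strings that are not a MAC are returned unchanged.
    """
    if re.fullmatch(r"[0-9A-Fa-f:\-. ]+", value) is None:
        return value
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", value)
    if len(hexdigits) != 12:
        return value
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def check_item_matches(op, stored, actual):
    """Evaluate one comparison operator as a check item does.

    A check item whose attribute is absent from the request fails, which is
    exactly the case that produces 'not found' with no other diagnostic.
    """
    if actual is None:
        return False
    if op == "==":
        return actual == stored          # plain string comparison: format and case must match
    if op == "!=":
        return actual != stored
    if op == "=~":
        return re.search(stored, actual) is not None
    if op == "!~":
        return re.search(stored, actual) is None
    raise ValueError("unsupported operator %r" % op)


def sql_lookup(username, request, rows=RADCHECK):
    """Emulate rlm_sql's radcheck handling for one Access-Request.

    request: dict of attribute name -> value from the incoming packet.
    Returns ("ok", stashed_check_items) when the user is found and every
    comparison item passes, or ("notfound", reason) otherwise.
    """
    user_rows = [r for r in rows if r["username"] == username]
    if not user_rows:
        return "notfound", "no radcheck rows for %s" % username
    stashed = {}
    for r in user_rows:
        if r["op"] in SET_OPS:
            stashed[r["attribute"]] = r["value"]
            continue
        actual = request.get(r["attribute"])
        if not check_item_matches(r["op"], r["value"], actual):
            return "notfound", "%s %s %r failed against request value %r" % (
                r["attribute"], r["op"], r["value"], actual)
    return "ok", stashed


def demo():
    """Three constructed requests: exact-format MAC, NAS-formatted MAC, and no MAC at all."""
    exact = {"User-Name": "user01", "Calling-Station-Id": "98-4B-4A-F5-BF-40"}
    colon = {"User-Name": "user01", "Calling-Station-Id": "98:4b:4a:f5:bf:40"}
    missing = {"User-Name": "user01"}
    results = [sql_lookup("user01", exact), sql_lookup("user01", colon), sql_lookup("user01", missing)]
    # Canonicalising the request attribute before the sql lookup makes the second case pass.
    colon_fixed = dict(colon, **{"Calling-Station-Id": normalize_mac(colon["Calling-Station-Id"])})
    results.append(sql_lookup("user01", colon_fixed))
    for name, (status, detail) in zip(["exact", "colon", "missing", "colon_fixed"], results):
        print("%-11s -> %s (%s)" % (name, status, detail))
    return results


if __name__ == "__main__":
    demo()
```

The practical point for the thread: with `==` the stored value must be byte-for-byte what the NAS sends, so a NAS that formats the MAC as `98:4b:4a:f5:bf:40` will never match a row holding `98-4B-4A-F5-BF-40`, and rlm_sql will report the user as not found even though the SELECT returns both rows. Checking what the NAS actually puts in Calling-Station-Id (it is visible in the request attributes at the top of the debug output) and either storing that exact form or canonicalising the attribute before the sql lookup resolves it.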