Checking MAC address with rlm_sql

Glen Harris astfgl at iamnota.org
Wed Apr 4 11:38:51 CEST 2012


On 04/04/12 18:00, Alan DeKok wrote:
> Glen Harris wrote:
>>> Can you paste the debug log? I'm guessing that the request to the
>>> inner tunnel probably don't have Calling-Station-Id attribute.
>>>
>> Here it is:
>    Did you read it?  There's a lot of stuff, but it's pretty obvious
> what's going on:
>
>> [sql]     expand: %{User-Name} ->  user01
>> [sql] sql_set_user escaped user -->  'user01'
>> rlm_sql (sql): Reserving sql socket id: 3
>> [sql]     expand: SELECT id, username, attribute, value, op
>> FROM radcheck           WHERE username = '%{SQL-User-Name}'
>> ORDER BY id ->  SELECT id, username, attribute, value, op           FROM
>> radcheck           WHERE username = 'user01'           ORDER BY id
>> [sql]     expand: SELECT groupname           FROM radusergroup
>> WHERE username = '%{SQL-User-Name}'           ORDER BY priority ->
>> SELECT groupname           FROM radusergroup           WHERE username =
>> 'user01'           ORDER BY priority
>> rlm_sql (sql): Released sql socket id: 3
>> [sql] User user01 not found
>> ++[sql] returns notfound
>    What does that look like?
>

It looks like the user 'user01' does not exist in the database, or 
possibly that rows for the username 'user01' do exist but my 
Calling-Station-Id check item is wrong and the user is not being matched 
because of that. OK, from what Fajar has said, make that probably.

There are two rows in the radcheck table with that username 
(Cleartext-Password and Calling-Station-Id), and both are being returned 
when I replay the above SQL manually from the mysql client. rlm_sql 
handles the evaluation of check item conditions. In that case, a failure 
of the Calling-Station-Id match would result in the user not being found.

There are no details from rlm_sql in the debug to show the evaluation of 
the check items, but I assume that it has access to Calling-Station-Id 
to do the comparison. Big assumption, but it's there as an attribute 
both earlier and later in the debug log. Is there a way to see what 
values are being compared inside the module?

I had assumed that this example:

user01 Cleartext-Password := pass01, Calling-Station-Id == 
"98-4B-4A-F5-BF-40"

would translate to the radcheck table as:

+----+----------+--------------------+-------------------+----+
| id | username | attribute          | value             | op |
+----+----------+--------------------+-------------------+----+
|  1 | user01   | Cleartext-Password | pass01            | := |
|  2 | user01   | Calling-Station-Id | 98-4B-4A-F5-BF-40 | == |
+----+----------+--------------------+-------------------+----+

I'm sorry, I know I'm being a pain, but I honestly can't see where I'm 
going wrong. Fajar has suggested that I use radclient to do my testing 
as well as some other ideas. I'm in Australia, so it's well after work 
now but I'll try first thing tomorrow morning. I'll also try with the 
users file; again, I should have validated my check item syntax with that 
first.

Regards, glen.
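To make the behaviour discussed above concrete, here is a small added simulation (not FreeRADIUS code and not part of the thread) of how rlm_sql turns radcheck rows into a decision: `:=` rows become control items handed on to authentication, while `==`/`!=` rows are compared against the request, and any failed comparison makes the whole user "notfound", which is exactly what the debug log shows without saying which row failed. The function and variable names (`evaluate_check_items`, `normalize_mac`, `RADCHECK`) are hypothetical. It goes a step beyond the post by also showing the caveat a practitioner would check first: the comparison is a plain string compare, so a NAS that sends the MAC as `98:4b:4a:f5:bf:40` never matches a radcheck value of `98-4B-4A-F5-BF-40`, and a normalization step on the request before rlm_sql runs fixes that.

```python
"""Constructed model of rlm_sql check-item evaluation (assumption: simplified
operator semantics; the real module supports more operators and attribute types)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CheckRow:
    """One row of the radcheck table."""
    id: int
    username: str
    attribute: str
    value: str
    op: str


# Constructed rows mirroring the table in the post.
RADCHECK: List[CheckRow] = [
    CheckRow(1, "user01", "Cleartext-Password", "pass01", ":="),
    CheckRow(2, "user01", "Calling-Station-Id", "98-4B-4A-F5-BF-40", "=="),
]


def evaluate_check_items(username: str, request: Dict[str, str],
                         rows: List[CheckRow] = RADCHECK) -> Tuple[str, Dict[str, str]]:
    """Return ("ok", control_items) or ("notfound", {}).

    No rows for the user -> notfound.  Any failing "=="/"!=" comparison against
    the request -> notfound (the module does not report which row failed).
    ":=" rows are never compared; they are collected as control items such as
    the expected password for a later authentication module.
    """
    user_rows = [r for r in rows if r.username == username]
    if not user_rows:
        return "notfound", {}
    control: Dict[str, str] = {}
    for r in user_rows:
        if r.op == ":=":
            control[r.attribute] = r.value
        elif r.op == "==":
            if request.get(r.attribute) != r.value:   # plain string compare
                return "notfound", {}
        elif r.op == "!=":
            if request.get(r.attribute) == r.value:
                return "notfound", {}
        else:
            raise ValueError(f"unsupported operator {r.op!r}")
    return "ok", control


def normalize_mac(raw: str) -> Optional[str]:
    """Canonicalise any common MAC spelling (colons, dashes, dots, case) to
    the upper-case dashed form used in the radcheck row; None if not a MAC."""
    digits = "".join(ch for ch in raw.upper() if ch in "0123456789ABCDEF")
    if len(digits) != 12:
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(username: str, request: Dict[str, str]) -> str:
    """Normalise Calling-Station-Id on a copy of the request, then evaluate,
    modelling a rewrite step that runs before rlm_sql in the authorize section."""
    req = dict(request)
    mac = normalize_mac(req.get("Calling-Station-Id", ""))
    if mac is not None:
        req["Calling-Station-Id"] = mac
    return evaluate_check_items(username, req)[0]


if __name__ == "__main__":
    # Constructed requests: the exact string matches, the colon form does not.
    good = {"User-Name": "user01", "Calling-Station-Id": "98-4B-4A-F5-BF-40"}
    colon = {"User-Name": "user01", "Calling-Station-Id": "98:4b:4a:f5:bf:40"}
    print(evaluate_check_items("user01", good))    # ('ok', {'Cleartext-Password': 'pass01'})
    print(evaluate_check_items("user01", colon))   # ('notfound', {})
    print(authorize("user01", colon))              # ok
```

When the live server shows `[sql] User user01 not found` although the rows are returned by hand, the first things to compare are the literal `Calling-Station-Id` string in the debug output against the `value` column byte for byte (separator, case, trailing whitespace), since a mismatch in any of them collapses to the same "notfound" result as a missing user.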
