radiusd -X SQL suggests "not found" however user attributes are in the radcheck table?

Kaya Saman kayasaman at gmail.com
Wed Aug 1 12:46:34 CEST 2012

On Wed, Aug 1, 2012 at 4:52 AM, Fajar A. Nugraha <list at fajar.net> wrote:
> On Wed, Aug 1, 2012 at 5:03 AM, Kaya Saman <kayasaman at gmail.com> wrote:
>> From what I can see it's quite non-complex config though one needs to
>> understand the process of how RADIUS works and additionally the 'radius' way
>> of doing things rather than, say, a corporate network vendor way.
> This helps: http://wiki.freeradius.org/Concepts
>> For now I have all the pieces to my jigsaw puzzle, minus defining a VLAN
>> (tunnel ID) of last resort so if FR doesn't recognize the L2 address of a
>> machine it should give it a specific tunnel-ID (VLAN).
> There should be many ways to do that. If you assume that "normal"
> users would always have ONE Tunnel-Private-Group-Id reply attribute
> (in radreply), then you should be able to use unlang:
> http://freeradius.org/radiusd/man/unlang.html
> You would then need to do something like this:
> - have "sql" module active in authorize block (you should already have
> that), which would populate reply attributes from rad(group)reply
> table
> - under that, have an unlang block that says "if there's no
> Tunnel-Private-Group-Id attribute in the reply, then add one".
> Something like (untested)
> update reply {
>     Tunnel-Private-Group-Id = 10
> }
> Replace the "10" there with whatever your Tunnel-Private-Group-Id for
> unknown users is, and the "=" operator will "Add the attribute to the
> list, if and only if an attribute of the same name is not already
> present in that list" (see unlang man page).
> --
> Fajar

Thanks a lot Fajar for that!!

Unfortunately your suggestion didn't work and reading through the
UNLANG doc you sent I came up with this:

...under Authorize section:

	#if (User-Name !== "") {
	if %{User-Name}:-{
	update reply {
		Tunnel-Private-Group-Id = 80
		Tunnel-Type = VLAN
		Tunnel-Medium-Type = IEEE-802
		Tunnel-Preference = 0x000000

Which to my understanding should evaluate the %{User-Name} field and
IF there is information in there return with the values provided.

I'm almost there as I do get that in the response:

rlm_sql (sql): Released sql socket id: 3
[sql] User 0015c5537baa not found
++[sql] returns notfound
++? if %
 Evaluating (%) -> TRUE
++? if % -> TRUE
++- entering if % {...}
+++[reply] returns notfound
++- if % returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
++- group REJECT returns noop
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 142 to port 1645
	Tunnel-Private-Group-Id:0 = "80"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Preference:0 = 0
Waking up in 4.9 seconds.
Cleaning up request 0 ID 142 with timestamp +16
Ready to process requests.

But unfortunately the user is getting an Access-Reject ID :-(

Could it be that I have failed to include something??


update reply {

Access = Accept
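
Added example, not part of the original post or of the FreeRADIUS project's shipped configuration: the debug output above ends in "No authenticate method (Auth-Type) found", so the tunnel attributes are attached to an Access-Reject. One way to hand unknown MAC addresses the last-resort VLAN in FreeRADIUS 2.x unlang, assuming VLAN 80 from the post and assuming that accepting devices with no SQL entry is the intended policy:

```unlang
# Added example: fragment of the authorize section in
# /etc/raddb/sites-enabled/default (FreeRADIUS 2.x unlang).
authorize {
	# Look the MAC address up in radcheck / radreply.
	sql

	# "notfound" tests the return code of the module directly above,
	# so this block has to come immediately after "sql".
	if (notfound) {
		# VLAN of last resort for devices with no SQL entry.
		# 80 is the value used in the post. The "=" operator only adds
		# an attribute that is not already present in the reply list.
		update reply {
			Tunnel-Type = VLAN
			Tunnel-Medium-Type = IEEE-802
			Tunnel-Private-Group-Id = "80"
		}

		# Without an Auth-Type the server logs
		# 'No authenticate method (Auth-Type) found' and rejects.
		# Assumption: unknown devices are to be accepted into VLAN 80.
		update control {
			Auth-Type := Accept
		}
	}

	# Remaining modules as they appear in the debug output above.
	expiration
	logintime
	pap
}
```

Because every MAC address without an SQL entry is accepted under this policy, VLAN 80 should be a segment that is safe to expose to unauthenticated devices.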



