Subject: rlm_sql: Failed to create the pair: Unknown attribute
Tony DeMatteis
tonyd at commspeed.net
Tue Jul 8 00:40:52 CEST 2014
Thank you very much for your reply!
I changed my operator to ":=" but get the same reject/error.
mysql> select * from radgroupreply where groupname = 'NOC-Admin';
+----+-----------+----------------------------+----+-------------------------+
| id | groupname | attribute                  | op | value                   |
+----+-----------+----------------------------+----+-------------------------+
|  1 | NOC-Admin | Mikrotik-Group             | := | full                    |
|  7 | NOC-Admin | APC-Service-Type           | := | 1                       |
|  8 | NOC-Admin | APC-Outlets                | := | "1,2,3,4,5,6,7,8"       |
| 10 | NOC-Admin | DragonWave-Privilege-Level | := | DragonWave-Super-User   |
+----+-----------+----------------------------+----+-------------------------+
4 rows in set (0.00 sec)
mysql>
On 07/07/2014 11:45 AM, Mike Poole wrote:
> Tony,
> I'm replying at the top instead of inline.
> Our FreeRADIUS SQL returns this for :
>
> 44418 AS id
> 1-1-1 AS groupname
> Mikrotik-Rate-Limit AS attribute
> 1000k/2001k 2000k/4000k 750k/1500k 1800/1800 7 AS value
> ? AS op
> I think your problem is with the op (operator). It should be "?" and
> I believe it should be at the end.
>
> We use custom tables and stored procedures to do this.
>
> For the "group" query all I return is a groupname, such as the package
> ID '1-1-1'
> SELECT packageId as "groupname"; (I believe this is where you are
> having the trouble.)
>
> Let me know if it helps or if I can do anything else
> Message: 2
> Date: Mon, 07 Jul 2014 08:03:03 -0700
> From: Tony DeMatteis <tonyd at commspeed.net <mailto:tonyd at commspeed.net>>
> To: freeradius-users at lists.freeradius.org
> <mailto:freeradius-users at lists.freeradius.org>
> Subject: rlm_sql: Failed to create the pair: Unknown attribute
> "DragonWave-Privilege-Level" requires a hex string, not
> "DragonWave-Super-User"
> Message-ID: <53BAB6A7.2040309 at commspeed.net
> <mailto:53BAB6A7.2040309 at commspeed.net>>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
> Greetings,
> I am setting up/migrating to a new Radius server. My current server
> is using flat files (users/clients). Not a huge deployment, but now
> have designs to scale larger. I've run into a problem with one reply
> attribute I can't seem to identify the problem. I've searched the
> documentation (and Googled), and while probably in front of my eyes, I
> can't seem to find the cause/solution. The same reply attributes work
> fine in my current/production server, but fail (and only when trying
> to include the "DragonWave-Privilege-Level" reply attribute). Now one
> note, in my production server in my user stanza I use the "=" operator
> for each of the reply attributes. However, in my new server, when
> using the "=" as the operator in the reply attribute I was receiving
> only one attribute upon authentication. I then thought I understood
> from the documentation that I needed to use "+=" in my reply
> attributes. After making that change, all the group attributes were
> returned. One difference may be that I am specifying the "group"
> attributes under each "user" (current/production) vs in a "group"
> which is referenced (new server)? I am in no way well versed in all
> the nuances of radius (but working that direction), so if I'm
> overlooking the obvious I would greatly appreciate a nudge in the
> right direction.
> Thank you very much,
> tony
> #*************************
> #
> #// CURRENT SERVER
> #
> #*************************
> #
> # System information
> #
> admin at radius:/home/admin# uname -a
> Linux radius 3.5.0-45-generic #68~precise1-Ubuntu SMP Wed Dec 4
> 16:18:46 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
> admin at radius:/home/admin# cat /etc/issue
> Ubuntu 12.04.4 LTS \n \l
> admin at radius:/home/admin# freeradius -v
> freeradius: FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu,
> built on Feb 24 2014 at 15:16:50 Copyright (C) 1999-2010 The
> FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the GNU
> General Public License.
> For more information about these matters, see the file named COPYRIGHT.
> #
> # /etc/freeradius/users
> #
> "testuser" ClearText-Password := "tester"
> Reply-Message = "Hello, %{User-Name}",
> Mikrotik-Group = "full",
> DragonWave-Privilege-Level = "DragonWave-Super-User",
> APC-Service-Type = 1,
> APC-Outlets = "1,2,3,4,5,6,7,8"
> #
> # radtest and result
> #
> admin at radius:/home/admin# radtest testuser tester localhost 10
> testing123 0 10.10.0.120
> Sending Access-Request of id 25 to 127.0.0.1 port 1812
> User-Name = "testuser"
> User-Password = "tester"
> NAS-IP-Address = 10.10.0.120
> NAS-Port = 10
> Framed-Protocol = PPP
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=25,
> length=70
> Reply-Message = "Hello, testuser"
> Mikrotik-Group = "full"
> DragonWave-Privilege-Level = DragonWave-Super-User
> APC-Service-Type = Admin
> APC-Outlets = "1,2,3,4,5,6,7,8"
> #*************************
> #
> #// NEW SERVER
> #
> #*************************
> admin at radius1:/home/admin# uname -a
> Linux radius1.mydomain.net 2.6.32-431.20.3.el6.i686 #1 SMP Thu Jun 19
> 19:51:30 UTC 2014 i686 i686 i386 GNU/Linux
> admin at radius1:/home/admin# cat /etc/issue
> CentOS release 6.5 (Final)
> Kernel \r on an \m
> admin at radius1:/home/admin# radiusd -v
> radiusd: FreeRADIUS Version 2.1.12, for host i386-redhat-linux-gnu,
> built on Oct 3 2012 at 01:20:08 Copyright (C) 1999-2011 The
> FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the GNU
> General Public License.
> For more information about these matters, see the file named COPYRIGHT.
> #*************************
> #
> #// radtest
> #
> #*************************
> admin at radius1:/home/admin# radtest testuser tester 216.x.x.x 10
> testing123 0 10.10.0.120
> Sending Access-Request of id 119 to 216.x.x.x port 1812
> User-Name = "testuser"
> User-Password = "tester"
> NAS-IP-Address = 10.10.0.120
> NAS-Port = 10
> Message-Authenticator = 0x00000000000000000000000000000000
> rad_recv: Access-Reject packet from host 216.x.x.x port 1812, id=119,
> length=20
> #*************************
> #
> #// Partial debug output
> #
> #*************************
> Ready to process requests.
> rad_recv: Access-Request packet from host 216.x.x.x port 50707, id=119,
> length=75
> User-Name = "testuser"
> User-Password = "tester"
> NAS-IP-Address = 10.10.0.120
> NAS-Port = 10
> Message-Authenticator = 0x17fec73c577cb5fd95d9dd3656c3a8db
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++- entering policy filter_username {...}
> +++? if (User-Name =~ /^ /)
> ? Evaluating (User-Name =~ /^ /) -> FALSE
> +++? if (User-Name =~ /^ /) -> FALSE
> +++? if (User-Name =~ / $$/)
> ? Evaluating (User-Name =~ / $$/) -> FALSE
> +++? if (User-Name =~ / $$/) -> FALSE
> +++? if (User-Name != "%{tolower:%{User-Name}}")
> expand: %{User-Name} -> testuser
> expand: %{tolower:%{User-Name}} -> testuser
> ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> +++? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> ++- policy filter_username returns notfound
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "testuser", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [sql] expand: %{User-Name} -> testuser
> [sql] sql_set_user escaped user --> 'testuser'
> rlm_sql (sql): Reserving sql socket id: 3
> [sql] expand: SELECT id, username, attribute, value, op
> FROM radcheck WHERE username = '%{SQL-User-Name}'
> ORDER BY id -> SELECT id, username, attribute, value, op FROM
> radcheck WHERE username = 'testuser' ORDER BY id
> [sql] User found in radcheck table
> [sql] expand: SELECT id, username, attribute, value, op
> FROM radreply WHERE username = '%{SQL-User-Name}'
> ORDER BY id -> SELECT id, username, attribute, value, op FROM
> radreply WHERE username = 'testuser' ORDER BY id
> [sql] expand: SELECT groupname FROM radusergroup
> WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
> SELECT groupname FROM radusergroup WHERE username =
> 'testuser' ORDER BY priority
> [sql] expand: SELECT id, groupname, attribute, Value, op
> FROM radgroupcheck WHERE groupname = '%{Sql-Group}'
> ORDER BY id -> SELECT id, groupname, attribute, Value,
> op FROM radgroupcheck WHERE groupname = 'NOC-Admin'
> ORDER BY id
> [sql] User found in group NOC-Admin
> [sql] expand: SELECT id, groupname, attribute, value, op
> FROM radgroupreply WHERE groupname = '%{Sql-Group}'
> ORDER BY id -> SELECT id, groupname, attribute, value,
> op FROM radgroupreply WHERE groupname = 'NOC-Admin'
> ORDER BY id
> rlm_sql: Failed to create the pair: Unknown attribute
> "DragonWave-Privilege-Level" requires a hex string, not
> "DragonWave-Super-User"
> rlm_sql (sql): Error getting data from database
> [sql] Error retrieving reply pairs for group NOC-Admin
> [sql] Error processing groups; rejecting user
> rlm_sql (sql): Released sql socket id: 3
> ++[sql] returns fail
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> testuser
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 119 to 216.x.x.x port 50707
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 119 with timestamp +54
> Ready to process requests.
> #*************************
> #
> #// Manual query based on radiusd -X debug output
> #
> #*************************
> mysql> SELECT id, groupname, attribute, value, op
> FROM radgroupreply WHERE groupname = 'NOC-Admin'
> ORDER BY id;
> +----+---------------------+----------------------------+-----------------------+----+
> | id | groupname           | attribute                  | value                 | op |
> +----+---------------------+----------------------------+-----------------------+----+
> |  1 | NOC-Admin           | Mikrotik-Group             | full                  | += |
> |  7 | NOC-Admin           | APC-Service-Type           | 1                     | += |
> |  8 | NOC-Admin           | APC-Outlets                | "1,2,3,4,5,6,7,8"     | += |
> | 10 | NOC-Admin           | DragonWave-Privilege-Level | DragonWave-Super-User | += |
> +----+---------------------+----------------------------+-----------------------+----+
> 5 rows in set (0.00 sec)
> mysql>
> # /usr/share/freeradius/dictionary.dragonwave
> #*************************
> #
> #// Dragonwave Dictionary Definition
> #
> #*************************
> # -*- text -*-
> # http://www.dragonwaveinc.com
> #
> # $Id$
> #
> VENDOR DragonWave 7262
> BEGIN-VENDOR DragonWave
> # Used to determine the user login privilege level.
> ATTRIBUTE DragonWave-Privilege-Level 1 integer
> # Read-only access.
> VALUE DragonWave-Privilege-Level DragonWave-Admin-User 1
> # Limited read-write access.
> VALUE DragonWave-Privilege-Level DragonWave-NOC-User 2
> # Unlimited read-write access.
> VALUE DragonWave-Privilege-Level DragonWave-Super-User 3
> END-VENDOR DragonWave
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> End of Freeradius-Users Digest, Vol 111, Issue 13