Radius and MYSQL

Alan DeKok aland at deployingradius.com
Tue Sep 8 17:24:06 CEST 2015

On Sep 8, 2015, at 11:15 AM, Alexandre Vilarinho <vilarinhomail-dev at yahoo.com.br> wrote:
> I've read the documentation, but is not clear for me.
> For example:
> in the Radacct database there is no configuration.

  Because that table is populated by the server when it receives accounting packets.

> in the radchack database i've added the following configuration:
>     username - rafael
>     attribute - Cleartext-Password
>     op - :=
>     value - teste
> I think that is this case, I configuring a user and specifying the password right?


> In the radgroupcheck database i've added the following configuration:
>     1st row    groupname - privilegio_15
>     Attribute - Service-Type
>     op = Nas-Prompt-User

  That's wrong.  The "op" is the same field as "op" from radcheck.   It should be "==" for comparisons.

  The "value" should be set to NAS-Prompt-User.  The "value" field has the same meaning as the value field for radcheck.

>     2nd row
>     groupname - privilegio_15
>     Attribute - Cisco_AVPair
>     op = shell:priv-lvl=15

  You've made the same mistake here.  See my previous comments.

  And the "radgroupcheck" table has the same functionality as "radcheck".  Only that it operates on groups, not users.

  Are you SURE you want to check for "Service-Type == NAS-Prompt-User"?  Or do you want to send this attribute in a reply?

> In the radgroupreply database there is no configuration

   So... you don't want to REPLY to the NAS with any attributes?

> in the radpostauth database there is no configuration

  Because that table is populated by the server when it sends an Access-Accept.

> in the radrepy database    1st row
>     username - rafael
>     attribute - Fall-Through
>     op - =
>     Value - Yes

  That looks good.

> in the radusergrupo database    username - rafael
>     groupname - privilegio_15
>     priority - 1

  That looks good.

> in the radusergroup database there is no option to delete, edit or any thing. Is this correct?

  Yes.  It just lists users, and the groups that user is a member of.

> with this configuration added I tried to authenticate the radius user:
> Follow the command and the reply
> root at Radius-LDAP-Server:~# /etc/init.d/freeradius stop * Stopping FreeRADIUS daemon freeradius                                         * /var/run/freeradius/freeradius.pid not found...                       [ OK ] root at Radius-LDAP-Server:~# /etc/init.d/freeradius start * Starting FreeRADIUS daemon freeradius                                 [ OK ] 

  <sigh>  Formatting helps.  Posting randomly formatted crap is annoying.

  And run the server in debug mode as suggested in the FAQ, "man" page, web pages, and daily on this list.  REALLY.

  There is NO EXCUSE for failing to run the server in debugging mode.

> root at Radius-LDAP-Server:~# radtest rafael teste localhost 1812 testing123
> Sending Access-Request of id 190 to port 1812 User-Name = "rafael" User-Password = "teste" NAS-IP-Address = NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000rad_recv: Access-Reject packet from host port 1812, id=190, length=20
> root at Radius-LDAP-Server:~# 
> There authentication failed. I presume there is something wrong this my configuration.
> Can you help me and explain what i'm doing wrong?

  Fix your SQL tables, and *RUN THE SERVER IN DEBUGGING MODE*.

  Alan DeKok.

More information about the Freeradius-Users mailing list