[RADIATOR] group DEFAULT. No matching AuthorizeGroup rule

Murat Bilal murat.bilal at ericsson.com
Mon Nov 19 02:13:19 CST 2012

Hi all,

I have very simple conf as below:

        Key somekey
      AddToRequest NAS-Identifier=TACACS
        GroupMemberAttr OSC-AVPAIR
         AuthorizeGroup group1 permit service=shell cmd=show cmd-arg=.*
        AuthorizeGroup group1 permit service=shell cmd\* {autocmd="telnet"}
        AuthorizeGroup group1 permit service=ppp protocol=ip {inacl=101 outacl=102}
        AuthorizeGroupAttr permit service=shell cmd\* {priv-lvl=15}
        AuthorizeGroupAttr permit service=shell  cmd\* {priv-lvl=1}
        AuthorizeGroupAttr permit .* {}

        <AuthBy SQL>
             Identifier SQLTAC
                # See the reference manual. You will also have to
                # change the one in <SessionDatabse SQL> below
                # so its the same
                DBSource        dbi:mysql:radius:localhost
                DBUsername      raduser
                DBAuth          raduser
#        AuthSelect select PASSWORD 'Auth-Type=AuthSQL from SUBSCRIBERS where USERNAME=%0 in 'GroupList="group1 group2 group3 group8"'
#         AuthSelect select PASSWORD 'Auth-Type=AuthSQL from SUBSCRIBERS where USERNAME=%0 in ($GroupMembershipQuery)
        # You can customise the SQL query used to get user details with the
        # AuthSelect parameter:
        #  AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME=%0
        # You can use statement caching and bound variables with AuthSelectParam:
        #  AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME=?
        #  AuthSelectParam %u
        # You can control what is done with each field returned from the
        #  AuthSelect query with the AuthColumnDef parameter:
          AuthColumnDef 1, OSC-Group-Identifier, reply

        # You may want to tailor these for your ACCOUNTING table
        # You can add your own columns to store whatever you like
        AccountingTable ACCOUNTING
        AcctColumnDef   USERNAME,User-Name
        AcctColumnDef   TIME_STAMP,Timestamp,integer
        AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
        AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
        AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
        AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
        AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
        AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
        AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
        AcctColumnDef   NASIDENTIFIER,NAS-Identifier
        AcctColumnDef   NASPORT,NAS-Port,integer
        AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
         GroupMembershipQuery select GROUPNAME from GROUPS where USERNAME=%0 and GROUPNAME=%1

#        GroupMembershipQueryParam %0
#        GroupMembershipQueryParam %1


This conf works very well with AuthBy FILE.When I try AuthBy SQL I got the group DEFAULT. No matching AuthorizeGroup rule error,and cannot make TACACS authorization.

In the reference manual it says GroupMembershipQuery checks to validate both the username and appropriate group membership. But as I can see it cannot do that and cannot return a reply for group identifier.

Please help.I check the refence manuel but nothing to find.

Services Engineer

Ericsson Turkey
CU Customer Support
Cyber Plaza C Blok Kat:1 No:146
Cyberpark 6800 Bilkent/Ankara
Mobile +90 554 898 98 43
murat.bilal at ericsson.com<mailto:murat.bilal at ericsson.com>

[cid:image001.png at 01CDC63D.7B2BB8A0]<http://www.ericsson.com/>

This Communication is Confidential. We only send and receive email on the basis of the terms set out at www.ericsson.com/email_disclaimer<http://www.ericsson.com/email_disclaimer>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20121119/419dae2c/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 2127 bytes
Desc: image001.png
Url : http://www.open.com.au/pipermail/radiator/attachments/20121119/419dae2c/attachment.png 

More information about the radiator mailing list