[RADIATOR] group DEFAULT. No matching AuthorizeGroup rule

Murat Bilal murat.bilal at ericsson.com
Tue Nov 20 01:55:48 CST 2012


After changing my schema, I inserted a user murat with password murat and TACACSGROUPID group3. Debug goes crazy. Endless loop as shown below:

Radius::AuthSQL REJECT: Bad Password: DEFAULT4303 [murat]
Tue Nov 20 09:52:31 2012: DEBUG: Query to 'dbi:mysql:radius:localhost': 'select PASSWORD,TACACSGROUPID from SUBSCRIBERS': 
Tue Nov 20 09:52:31 2012: DEBUG: Radius::AuthSQL looks for match with DEFAULT4304 [murat]
Tue Nov 20 09:52:31 2012: DEBUG: Radius::AuthSQL REJECT: Bad Password: DEFAULT4304 [murat]
Tue Nov 20 09:52:31 2012: DEBUG: Query to 'dbi:mysql:radius:localhost': 'select PASSWORD,TACACSGROUPID from SUBSCRIBERS': 
Tue Nov 20 09:52:31 2012: DEBUG: Radius::AuthSQL looks for match with DEFAULT4305 [murat]
Tue Nov 20 09:52:31 2012: DEBUG: Radius::AuthSQL REJECT: Bad Password: DEFAULT4305 [murat]
Tue Nov 20 09:52:31 2012: DEBUG: Query to 'dbi:mysql:radius:localhost': 'select PASSWORD,TACACSGROUPID from SUBSCRIBERS': 
Tue Nov 20 09:52:31 2012: DEBUG: Radius::AuthSQL looks for match with DEFAULT4306 [murat]
Tue Nov 20 09:52:31 2012: DEBUG: Radius::AuthSQL REJECT: Bad Password: DEFAULT4306 [murat]
Tue Nov 20 09:52:31 2012: DEBUG: Query to 'dbi:mysql:radius:localhost': 'select PASSWORD,TACACSGROUPID from SUBSCRIBERS': 
Tue Nov 20 09:52:31 2012: DEBUG: Radius::AuthSQL looks for match with DEFAULT4307 [murat]
Tue Nov 20 09:52:31 2012: DEBUG: Radius::AuthSQL REJECT: Bad Password: DEFAULT4307 [murat]
Tue Nov 20 09:52:31 2012: DEBUG: Query to 'dbi:mysql:radius:localhost': 'select PASSWORD,TACACSGROUPID from SUBSCRIBERS': 
Tue Nov 20 09:52:31 2012: DEBUG: Radius::AuthSQL looks for match with DEFAULT4308 [murat]
Tue Nov 20 09:52:31 2012: DEBUG: Radius::AuthSQL REJECT: Bad Password: DEFAULT4308 [murat]^C

-----Original Message-----
From: Heikki Vatiainen [mailto:hvn at open.com.au] 
Sent: Tuesday, 20 November 2012 09:21
To: Murat Bilal
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] group DEFAULT. No matching AuthorizeGroup rule

On 11/20/2012 09:18 AM, Murat Bilal wrote:

> AuthSelect select PASSWORD,TACACSGROUPID from SUBSCRIBERS and define
>   AuthColumnDef 0, User-Password, check
>   AuthColumnDef 1, OSC-Group-Identifier, reply
> 
> I got ERR: Execute failed for 'select PASSWORD,TACACSGROUPID from SUBSCRIBERS': Unknown column 'TACACSGROUPID' in 'field list'
> 
> In my Subscribers table there is no column like this. Do I need to change the mysql schema?

Yes. That was just a configuration example of how to get values to reply attributes from SQL. Your DB table needs to have the appropriate columns too.

Thanks,
Heikki


> -----Original Message-----
> From: radiator-bounces at open.com.au 
> [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
> Sent: Monday, 19 November 2012 23:33
> To: radiator at open.com.au
> Subject: Re: [RADIATOR] group DEFAULT. No matching AuthorizeGroup rule
> 
> On 11/19/2012 10:13 AM, Murat Bilal wrote:
> 
>> <ServerTACACSPLUS>
> 
>>         GroupMemberAttr OSC-AVPAIR
> 
> Hello Murat,
> 
> note that you have set GroupMemberAttr to OSC-AVPAIR here.
> 
>> <Handler>
>>         <AuthBy SQL>
> 
>>           AuthColumnDef 1, OSC-Group-Identifier, reply
> 
> Here you are adding OSC-Group-Identifier to the reply. Maybe this should be OSC-AVPAIR or alternatively you should have GroupMemberAttr set to OSC-Group-Identifier in ServerTACACSPLUS.
> 
> Also, since you have not changed AuthSelect from the default, you 
> should select it to something like
> 
>   AuthSelect select PASSWORD,TACACSGROUPID from SUBSCRIBERS
> 
> and define
>   AuthColumnDef 0, User-Password, check
>   AuthColumnDef 1, OSC-Group-Identifier, reply
> 
> This will check the request password and add the desired group name to reply if password check succeeds.
> 
> Thanks,
> Heikki
> 
> --
> Heikki Vatiainen <hvn at open.com.au>
> 
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> 


--
Heikki Vatiainen <hvn at open.com.au>
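
The two consistency points raised in the thread (GroupMemberAttr must name an attribute that AuthBy SQL actually puts in the reply, and every AuthColumnDef index needs a column in AuthSelect) can be checked mechanically. The following is an added example, not part of the original messages and not Radiator code; the sample configurations are constructed, the `where USERNAME=%0` clause in them is an assumption, and `lint` is a hypothetical helper that only handles plain comma-separated column lists.

```python
import re

# Constructed sample modelled on the fragments quoted in the thread: the group
# attribute and the reply attribute differ, and AuthColumnDef 1 points at a
# second column that the one-column AuthSelect never returns.
# The where clause is an assumption of this sample, not taken from the thread.
BROKEN = """
<ServerTACACSPLUS>
    GroupMemberAttr OSC-AVPAIR
</ServerTACACSPLUS>
<Handler>
    <AuthBy SQL>
        AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME=%0
        AuthColumnDef 0, User-Password, check
        AuthColumnDef 1, OSC-Group-Identifier, reply
    </AuthBy>
</Handler>
"""

# Constructed corrected form: same attribute on both sides, two columns selected.
FIXED = (BROKEN
         .replace("GroupMemberAttr OSC-AVPAIR", "GroupMemberAttr OSC-Group-Identifier")
         .replace("select PASSWORD from", "select PASSWORD,TACACSGROUPID from"))


def lint(config):
    """Return a list of mismatches between AuthSelect, AuthColumnDef and GroupMemberAttr."""
    findings = []
    group = re.search(r"^\s*GroupMemberAttr\s+(\S+)", config, re.M)
    select = re.search(r"^\s*AuthSelect\s+select\s+(.+?)\s+from\s", config, re.M | re.I)
    defs = re.findall(r"^\s*AuthColumnDef\s+(\d+)\s*,\s*([^,\s]+)\s*,\s*(\w+)", config, re.M)
    # Column count is only checked when an explicit AuthSelect is present.
    ncols = len(select.group(1).split(",")) if select else None
    for index, attr, _kind in defs:
        if ncols is not None and int(index) >= ncols:
            findings.append(f"AuthColumnDef {index} ({attr}) has no matching AuthSelect column")
    reply_attrs = [attr for _index, attr, kind in defs if kind == "reply"]
    if group and group.group(1) not in reply_attrs:
        findings.append(f"GroupMemberAttr {group.group(1)} is never added as a reply attribute")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint(cfg) or "consistent")
```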
