Hi all,
I have a server with RouterOS 2.9.24 using PPPoE and another server with FreeRADIUS and MySQL.
All the setup in RouterOS 2.9.24 (24hrs limit) using PPPoE is OK.
I have the following setting in the MySQL db: -
mysql> select * from radcheck;
+----+------------+---------------+----+----------+
| id | UserName | Attribute | op | Value |
+----+------------+---------------+----+----------+
| 1 | testuser | user-password | == | testpass |
+----+------------+---------------+----+----------+
When I run a test using the radtest utility, it is OK.
[me@wgw01 me]$ radtest testuser testpass 127.0.0.1 10 test2005
Sending Access-Request of id 87 to 127.0.0.1 port 1812
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=87, length=20
Next, when I try to insert other RADIUS attributes into MySQL... I am facing a problem.
The next attribute I inserted is: -
mysql> select * from usergroup;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
| 1 | testuser | home128k |
+----+----------+-----------+
[me@wgw01 me]$ radtest testuser testpass 127.0.0.1 10 test2005
Sending Access-Request of id 136 to 127.0.0.1 port 1812
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=136, length=20
The next attribute I inserted is: -
mysql> select * from radgroupreply;
+----+-----------+--------------+----+-------+------+
| id | GroupName | Attribute | op | Value | prio |
+----+-----------+--------------+----+-------+------+
| 1 | home128k | Idle-Timeout | = | 300 | 0 |
+----+-----------+--------------+----+-------+------+
[me@wgw01 me]$ radtest testuser testpass 127.0.0.1 10 test2005
Sending Access-Request of id 173 to 127.0.0.1 port 1812
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=173, length=26
Idle-Timeout = 300
The next attribute I inserted is: -
mysql> select * from radgroupreply;
+----+-----------+---------------------+----+----------+------+
| id | GroupName | Attribute | op | Value | prio |
+----+-----------+---------------------+----+----------+------+
| 1 | home128k | Idle-Timeout | = | 300 | 0 |
| 2 | home128k | Mikrotik-Rate-Limit | = | 64k/128k | 0 |
+----+-----------+---------------------+----+----------+------+
[me@wgw01 me]$ radtest testuser testpass 127.0.0.1 10 test2005
Sending Access-Request of id 193 to 127.0.0.1 port 1812
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=193, length=42
Idle-Timeout = 300
Mikrotik-Rate-Limit = "64k/128k"
The next attribute I inserted is: -
mysql> select * from radgroupcheck;
+----+-----------+------------------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+------------------+----+-------+
| 1 | home128k | Simultaneous-Use | == | 1 |
+----+-----------+------------------+----+-------+
[me@wgw01 me]$ radtest testuser testpass 127.0.0.1 10 test2005
Sending Access-Request of id 18 to 127.0.0.1 port 1812
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=18, length=20
I can't validate the username and password after adding the Simultaneous-Use...
Below is the "radiusd -X" output: -
rad_recv: Access-Request packet from host 127.0.0.1:32796, id=18, length=60
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
rad_lowerpair: User-Name now 'testuser'
rad_lowerpair: User-Password now 'testpass'
rad_rmspace_pair: User-Name now 'testuser'
rad_rmspace_pair: User-Password now 'testpass'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 36
modcall[authorize]: module "preprocess" returns ok for request 36
modcall[authorize]: module "chap" returns noop for request 36
modcall[authorize]: module "mschap" returns noop for request 36
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 36
radius_xlat: 'testuser'
rlm_sql (sql): sql_set_user escaped user --> 'testuser'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'testuser' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'testuser' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): No matching entry in the database for request from user [testuser]
modcall[authorize]: module "sql" returns notfound for request 36
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module "noresetcounter" returns noop for request 36
modcall: leaving group authorize (returns ok) for request 36
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [testuser/testpass] (from client localhost port 10)
Delaying request 36 for 1 seconds
Finished request 36
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 18 to 127.0.0.1 port 32796
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 36 ID 18 with timestamp 4475208c
Nothing to do. Sleeping until we see a request.
So, I tried changing the attribute to: -
mysql> select * from radgroupcheck;
+----+-----------+------------------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+------------------+----+-------+
| 1 | home128k | Simultaneous-Use | := | 1 |
+----+-----------+------------------+----+-------+
[me@wgw01 me]$ radtest testuser testpass 127.0.0.1 10 test2005
Sending Access-Request of id 55 to 127.0.0.1 port 1812
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=55, length=42
Idle-Timeout = 300
Mikrotik-Rate-Limit = "64k/128k"
I managed to log in... so, which is the correct one?
mysql> select * from radgroupcheck;
+----+-----------+------------------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+------------------+----+-------+
| 1 | home128k | Simultaneous-Use | == | 1 |
+----+-----------+------------------+----+-------+
Or
mysql> select * from radgroupcheck;
+----+-----------+------------------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+------------------+----+-------+
| 1 | home128k | Simultaneous-Use | := | 1 |
+----+-----------+------------------+----+-------+
Which "op" code is correct? == or :=
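
Added example, not part of the original post and not FreeRADIUS code: a simplified Python model of the check-item operators as described in the FreeRADIUS users(5) man page, run over rows constructed from the tables above. It shows why `==` on Simultaneous-Use ends in "No matching entry in the database" (the attribute is never present in the Access-Request) while `:=` always matches and sets a server-side configuration item; all function and variable names are assumptions for illustration.

```python
# Simplified model of FreeRADIUS check-item operators (illustrative only,
# not the server's implementation). Rows are constructed from the
# radcheck / radgroupcheck tables shown in the post.

def evaluate_check_items(request, check_items):
    """Return (matched, config_items) for one Access-Request.

    request     -- dict of attributes the NAS sent in the packet
    check_items -- list of (attribute, op, value) rows from the check tables
    """
    config = {}
    for attr, op, value in check_items:
        if op == ":=":
            # Always matches as a check item; sets a configuration item
            # that later modules (e.g. session checking) can act on.
            config[attr] = value
        elif op == "==":
            # Matches only if the attribute is present in the request
            # AND has exactly this value.
            if request.get(attr) != value:
                return False, {}
        else:
            raise ValueError(f"operator {op!r} is not modelled here")
    return True, config


# The Access-Request radtest sent (constructed from the post's output).
REQUEST = {
    "User-Name": "testuser",
    "User-Password": "testpass",
    "NAS-IP-Address": "255.255.255.255",
    "NAS-Port": "10",
}

# radcheck row for testuser (attribute names are case-insensitive).
RADCHECK = [("User-Password", "==", "testpass")]


def try_group_op(op):
    """Evaluate the user row plus the home128k Simultaneous-Use row with `op`."""
    rows = RADCHECK + [("Simultaneous-Use", op, "1")]
    return evaluate_check_items(REQUEST, rows)


if __name__ == "__main__":
    for op in ("==", ":="):
        print(op, try_group_op(op))
```
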