I have three radius servers all with identical configuration files.
I use Ascend-Data-Filter to send an access list back to my users; I do this via the default_profile setting in the ldap {} block. This has been working in previous versions, and still works on one of my servers:

radiusd: FreeRADIUS Version 0.4, for host i686-pc-linux-gnu, built on Jan 15 2002 at 10:21:11

However, my two production servers are not working. They are:

radiusd: FreeRADIUS Version 0.5, for host i686-pc-linux-gnu, built on Feb 5 2002 at 07:03:51

and:

radiusd: FreeRADIUS Version 0.5, for host i686-pc-linux-gnu, built on Feb 18 2002 at 13:36:58

I will attach a radiusd -X. It looks like:

rlm_ldap: performing search in uid=radprofileascend, ou=radius, dc=mydomain, dc=com, with filter (objectclass=radiusprofile)
ber_dump: buf=0x080cc9a0 ptr=0x080cc9a4 end=0x080ccccc len=808

is where the problem begins.

Another note: it's not mapping the attributes from ldap when I first start the server, like my older server does.

Any help is appreciated.

--JST

radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/clients.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
read_config_files: reading dictionary
read_config_files: reading clients
read_config_files: reading realms
read_config_files: reading naslist
main: max_request_time = 5
main: cleanup_delay = 3
main: max_requests = 9000
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd.pid"
main: user = "nobody"
main: group = "nobody"
main: usercollide = no
main: lower_user = "yes"
main: lower_pass = "yes"
main: nospace_user = "no"
main: nospace_pass = "no"
main: proxy_requests = no
main: debug_level = 0
read_config_files: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded LDAP
ldap: server = "ldap1.mydomain.com"
ldap: port = 389
ldap: net_timeout = 2
ldap: timeout = 8
ldap: timelimit = 6
ldap: ldap_cache_timeout = 120
ldap: ldap_cache_size = 0
ldap: identity = "cn=Manager, dc=mydomain, dc=com"
ldap: start_tls = no
ldap: password = "HEHEHEH"
ldap: basedn = "ou=radius, dc=mydomain, dc=com"
ldap: filter = "(uid=%u)"
ldap: default_profile = "uid=radprofileascend, ou=radius, dc=mydomain, dc=com"
ldap: profile_attribute = "(null)"
ldap: access_group = "(null)"
ldap: password_header = "(null)"
ldap: password_attribute = "userpassword"
ldap: access_attr = "(null)"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 40
ldap: ldap_connections_number = 5
ldap: authtype = "(null)"
conns: (nil)
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP simultaneous-use mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP ascend-data-filter mapped to RADIUS Ascend-Data-Filter
rlm_ldap: LDAP cisco-avpair mapped to RADIUS Cisco-AVPair
rlm_ldap: LDAP service-type mapped to RADIUS Service-Type
rlm_ldap: LDAP framed-protocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP framed-ip-address mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP framed-ip-netmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP framed-route mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP session-timeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP idle-timeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP port-limit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x80b8b98
Module: Instantiated ldap (VISP1)
ldap: server = "ldap1.mydomain.com"
ldap: port = 389
ldap: net_timeout = 2
ldap: timeout = 8
ldap: timelimit = 6
ldap: ldap_cache_timeout = 120
ldap: ldap_cache_size = 0
ldap: identity = "cn=Manager, dc=mydomain, dc=com"
ldap: start_tls = no
ldap: password = "HEHHEEH"
ldap: basedn = "ou=visp, dc=mydomain, dc=com"
ldap: filter = "(uid=%u)"
ldap: default_profile = "uid=radprofileascend, radius, dc=mydomain, dc=com"
ldap: profile_attribute = "(null)"
ldap: access_group = "(null)"
ldap: password_header = "(null)"
ldap: password_attribute = "userPassword"
ldap: access_attr = "(null)"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 40
ldap: ldap_connections_number = 5
ldap: authtype = "(null)"
conns: (nil)
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP simultaneous-use mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP ascend-data-filter mapped to RADIUS Ascend-Data-Filter
rlm_ldap: LDAP cisco-avpair mapped to RADIUS Cisco-AVPair
rlm_ldap: LDAP service-type mapped to RADIUS Service-Type
rlm_ldap: LDAP framed-protocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP framed-ip-address mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP framed-ip-netmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP framed-route mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP session-timeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP idle-timeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP port-limit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x80b9a50
Module: Instantiated ldap (VISP)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = yes
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail"
detail: detailperm = 384
detail: dirperm = 493
Module: Instantiated detail (detail)
Module: Loaded System
unix: cache = no
unix: passwd = "/etc/passwd"
unix: shadow = "(null)"
unix: group = "/etc/group"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: perm = 384
radutmp: callerid = no
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1645/udp and 1646/udp.
Ready to process requests.

rad_recv: Accounting-Request packet from host 11.111.111.1:1646, id=213, length=303
    User-Name = "[EMAIL PROTECTED]"
    NAS-IP-Address = 11.111.111.1
    Acct-Status-Type = Stop
    Acct-Session-Id = "67306443"
    Acct-Delay-Time = 0
    Acct-Authentic = RADIUS
    Service-Type = Framed-User
    NAS-Port-Type = Async
    NAS-Port = 1028
    USR-Modem-Training-Time = 18
    USR-Interface-Index = 2284
    USR-Chassis-Call-Slot = 5
    USR-Chassis-Call-Span = 1
    USR-Chassis-Call-Channel = 4
    USR-Unauthenticated-Time = 0
    Calling-Station-Id = "1111111111"
    Called-Station-Id = "1098"
    USR-Modulation-Type = v90Digital
    USR-Simplified-MNP-Levels = ccittV42
    USR-Simplified-V42bis-Usage = ccittV42bis
    USR-Connect-Speed = 50666-BPS
    Framed-Protocol = PPP
    Framed-IP-Address = 11.111.111.11
    Acct-Session-Time = 556
    Acct-Terminate-Cause = User-Request
    Acct-Input-Octets = 207615
    Acct-Output-Octets = 902369
    Acct-Input-Packets = 2232
    Acct-Output-Packets = 2933
modcall: entering group preacct
modcall[preacct]: module "suffix" returns ok
modcall[preacct]: module "files" returns noop
modcall[preacct]: module "preprocess" returns noop
modcall: group preacct returns ok
modcall: entering group accounting
radius_xlat: '/usr/local/var/log/radius/radacct/11.111.111.1/detail'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail expands to /usr/local/var/log/radius/radacct/11.111.111.1/detail
modcall[accounting]: module "detail" returns ok
modcall[accounting]: module "unix" returns ok
radius_xlat: '[EMAIL PROTECTED]'
Accounting: logout: login entry for NAS nashville port 1028 not found
modcall[accounting]: module "radutmp" returns ok
modcall: group accounting returns ok
Sending Accounting-Response of id 213 to 11.111.111.8:1646
Finished request 0
Going to the next request
--- Walking the entire request list ---
Cleaning up request 0 ID 213 with timestamp 3c740f8d
Nothing to do. Sleeping until we see a request.

rad_recv: Access-Request packet from host 11.111.111.111:38142, id=138, length=57
    User-Name = "[EMAIL PROTECTED]"
    Password = "encrypted pls. thx."
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
users: Matched DEFAULT at 151
modcall[authorize]: module "files" returns ok
modcall: entering group redundant
rlm_ldap: - authorize
rlm_ldap: performing user authorization for [EMAIL PROTECTED]
radius_xlat: '([EMAIL PROTECTED])'
radius_xlat: 'ou=visp, dc=mydomain, dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.mydomain.com:389, authentication 0
rlm_ldap: bind as cn=Manager, dc=mydomain, dc=com/HEHEHEHE
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: performing search in ou=visp, dc=mydomain, dc=com, with filter ([EMAIL PROTECTED])
request 2 done
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
modcall[authorize]: module "VISP" returns notfound
modcall: group redundant returns notfound
modcall: entering group redundant
rlm_ldap: - authorize
rlm_ldap: performing user authorization for [EMAIL PROTECTED]
radius_xlat: '([EMAIL PROTECTED])'
radius_xlat: 'ou=radius, dc=mydomain, dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.mydomain.com:389, authentication 0
rlm_ldap: bind as cn=Manager, dc=mydomain, dc=com/HEHEHEHEH
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: performing search in ou=radius, dc=mydomain, dc=com, with filter ([EMAIL PROTECTED])
request 2 done
rlm_ldap: performing search in uid=radprofileascend, ou=radius, dc=mydomain, dc=com, with filter (objectclass=radiusprofile)
ber_dump: buf=0x080cc9a0 ptr=0x080cc9a4 end=0x080ccccc len=808
request 3 done
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: default_profile/user-profile search failed
rlm_ldap: Added password redblue in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user [EMAIL PROTECTED] authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "VISP1" returns ok
modcall: group redundant returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
modcall: group authorize returns ok
rad_check_password: Found Auth-Type LDAP
auth: type "Ldap"
modcall: entering group authtype
modcall: entering group redundant
rlm_ldap: - authenticate
rlm_ldap: login attempt by "[EMAIL PROTECTED]" with password "HEHEHEHE"
rlm_ldap: user DN: [EMAIL PROTECTED], ou=radius, dc=mydomain, dc=com
rlm_ldap: (re)connect to ldap1.mydomain.com:389, authentication 1
rlm_ldap: bind as [EMAIL PROTECTED], ou=radius, dc=mydomain, dc=com/HEHEHEHE
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: user [EMAIL PROTECTED] authenticated succesfully
modcall[authenticate]: module "VISP1" returns ok
modcall: group redundant returns ok
modcall: group authtype returns ok
Login OK: [[EMAIL PROTECTED]/redblue] (from nas JST port 0)
Sending Access-Accept of id 138 to 11.111.111.111:38142
    Service-Type = Framed-User
    Framed-Protocol = PPP
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 4 seconds...