I do an EAP/TLS authentication and after that an AD search. This works so far. But when I set the group membership in the ldap1 section, there are problems. I do not see the usual EAP messages flying around, but nevertheless radius sends an Access-Accept:

rlm_ldap::ldap_groupcmp: User found in group 515
rlm_ldap: ldap_release_conn: Release Id: 0
   users: Matched entry DEFAULT at line 25
 modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
 rad_check_password:  Found Auth-Type Accept
 rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 0 to 149.246.133.44 port 32770
       Tunnel-Type:0 = VLAN
       Tunnel-Medium-Type:0 = 802
       Tunnel-Private-Group-Id:0 = "Core1"
Finished request 0

On the client side, where I have eapol_test, I get an error:

STA 00:00:00:00:00:02: Received RADIUS packet matched with a pending request, round trip time 0.24 sec
No Message-Authenticator attribute found
Incoming RADIUS packet did not have correct Message-Authenticator - dropped
STA 00:00:00:00:00:02: No RADIUS RX handler found (type=0 code=2 id=0) - dropping packet
When it is there, radius sends an Access-Accept. This is from my radiusd.conf:

ldap ldap1 {
        server = "globalcatalogue"
        port = 3268     # global catalogue server
        identity = "[EMAIL PROTECTED]"
        password = "mypass"
        basedn = "dc=MYDOM,dc=NET"
        filter = "(&(servicePrincipalName=%{Stripped-User-Name:-%{User-Name}})(objectClass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
        ldap_debug = 0xFFFF
        timeout = 40
        timelimit = 30
        net_timeout = 10
        tls {
                start_tls = no
        }
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        groupmembership_attribute = "primaryGroupID"
}

authorize {
        preprocess
        eap
        ldap1 {
                notfound = reject
        }
        files
}
The complete output of radius -AX is lengthy and therefore not included. It can be found at:
http://www.wegener-net.de/fr/bad-group , where the error occurs,
http://www.wegener-net.de/fr/ok-nogroup , where the authentication works as expected. As mentioned above, the only difference in the configuration is the use of groupmembership.

Any hints are really appreciated.
Thanks
Norbert Wegener
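The eapol_test error above is the supplicant refusing an Access-Accept that carries no Message-Authenticator attribute. In the quoted log the request is accepted through Auth-Type Accept (the DEFAULT entry in users) rather than by the eap module, so no EAP exchange ran and the reply went out without that attribute; a RADIUS client doing EAP treats such a reply as unauthenticated and drops it. The script below is an added example, not code from the post or from FreeRADIUS: it builds the same kind of Access-Accept (Tunnel-Type VLAN, Tunnel-Medium-Type 802, Tunnel-Private-Group-Id "Core1") with and without a Message-Authenticator and runs the checks a client performs, per RFC 2865 (Response Authenticator) and RFC 2869 section 5.14 (HMAC-MD5 Message-Authenticator). The shared secret, identifier and Request Authenticator are constructed values; the status strings are this example's own, not eapol_test's messages.

```python
"""Build and verify RADIUS reply packets carrying Message-Authenticator.
Added example; not from the mailing-list post or from FreeRADIUS.
SECRET and REQUEST_AUTH below are constructed test values."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_MESSAGE_AUTHENTICATOR = 80
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # RFC 3580
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868
MA_LEN = 16

SECRET = b"testing123"              # constructed shared secret
REQUEST_AUTH = bytes(range(16))     # constructed Request Authenticator


def attr(atype, value):
    """Type(1) Length(1) Value, as in RFC 2865 section 5."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def tagged_int(tag, n):
    """Tunnel attributes carry a one-byte tag followed by a 3-byte integer."""
    return bytes([tag]) + n.to_bytes(3, "big")


def tagged_str(tag, s):
    return bytes([tag]) + s.encode()


def vlan_attrs(tag, vlan_name):
    return (attr(ATTR_TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + attr(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
            + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, tagged_str(tag, vlan_name)))


def build_reply(code, ident, request_auth, secret, attrs, with_msg_auth=True):
    """Server side. Message-Authenticator = HMAC-MD5(secret, header ||
    RequestAuth || attrs with the MA value zeroed); then the Response
    Authenticator = MD5(header || RequestAuth || attrs || secret)."""
    if with_msg_auth:
        attrs = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * MA_LEN)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    if with_msg_auth:
        mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
        attrs = attrs[:-MA_LEN] + mac          # MA was appended last; fill it in
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(body):
    """Yield (type, offset, value) for each attribute; reject malformed TLVs."""
    i, out = 0, []
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute length")
        out.append((atype, i, body[i + 2:i + alen]))
        i += alen
    return out


def verify_reply(pkt, request_auth, secret, require_msg_auth=True):
    """Client side (what a NAS or supplicant does before trusting a reply).
    With require_msg_auth=True a reply lacking Message-Authenticator is
    rejected, which is the rule for EAP sessions (RFC 3579 section 3.2)."""
    if len(pkt) < 20:
        return "too short"
    length = struct.unpack("!H", pkt[2:4])[0]
    if length != len(pkt):
        return "bad length"
    resp_auth, attrs = pkt[4:20], pkt[20:]
    expect = hashlib.md5(pkt[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expect, resp_auth):
        return "bad response authenticator"
    mas = [(off, val) for t, off, val in parse_attrs(attrs)
           if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not mas:
        return "missing message-authenticator" if require_msg_auth else "ok (no message-authenticator)"
    off, val = mas[0]
    if len(val) != MA_LEN:
        return "bad message-authenticator length"
    zeroed = attrs[:off + 2] + b"\x00" * MA_LEN + attrs[off + 2 + MA_LEN:]
    mac = hmac.new(secret, pkt[:4] + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, val):
        return "bad message-authenticator"
    return "ok"


def demo():
    """Four replies for the VLAN assignment from the log, seen by an EAP client."""
    attrs = vlan_attrs(0, "Core1")
    good = build_reply(ACCESS_ACCEPT, 0, REQUEST_AUTH, SECRET, attrs)
    bare = build_reply(ACCESS_ACCEPT, 0, REQUEST_AUTH, SECRET, attrs, with_msg_auth=False)
    tampered = good.replace(b"Core1", b"Core2")   # same length, in-path modification
    return {
        "with_ma": verify_reply(good, REQUEST_AUTH, SECRET),
        "without_ma": verify_reply(bare, REQUEST_AUTH, SECRET),
        "tampered": verify_reply(tampered, REQUEST_AUTH, SECRET),
        "wrong_secret": verify_reply(good, REQUEST_AUTH, b"not-the-secret"),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The "without_ma" case is the situation in the post: the packet is well formed and its Response Authenticator checks out under the shared secret, yet an EAP client still discards it because the Message-Authenticator is absent. Accepting a user from the users file with Auth-Type Accept short-circuits the eap module, which is what normally adds that attribute to the reply.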
