Hi

I tried to update freeradius from 1.1.6 to 1.1.7 on my 2 servers, but I had great problems: some of the ldap instances I configured do not set Auth-Type even if they find the user in the ldap directory. Of the ldap instances described below, only the macbypass ones do not set Auth-Type; the other 2 do the correct thing: the aaa modules set Auth-Type to the module name, while the 8021x instances set Auth-Type to eap (since objects in that part of the ldap tree authenticate with eap-mschapv2).

What's wrong? Did I misconfigure something (but I doubt it, since the configuration didn't change between the 2 versions) or did I run into some kind of bug?

This is my setup (only the relevant parts):

        ldap aaa1 {
                server = "XXXX.ifom-ieo-campus.it"
                port = 636
                basedn = XXXXXXXX
                identity = XXXXXXXX
                password = XXXX
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                groupmembership_filter = "(memberuid=%{User-Name})"
                timeout = 3
                timelimit = 5
                net_timeout = 5
        }
        ldap aaa2 {
                server = "XXXX.ifom-ieo-campus.it"
                port = 636
                basedn = XXXXXXXX
                identity = XXXXXXXX
                password = XXXX
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                groupmembership_filter = "(memberuid=%{User-Name})"
                timeout = 3
                timelimit = 5
                net_timeout = 5
        }
        ldap macbypass1 {
                server = "XXXX.ifom-ieo-campus.it"
                port = 636
                basedn = XXXXXX
                filter = "(macAddress=%{User-Name})"
                base_filter = "(objectclass=radiusprofile)"
                password_attribute = macAddress
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                timeout = 3
                timelimit = 5
                net_timeout = 5
        }
        ldap macbypass2 {
                server = "XXXX.ifom-ieo-campus.it"
                port = 636
                basedn = XXXXXX
                filter = "(macAddress=%{User-Name})"
                base_filter = "(objectclass=radiusprofile)"
                password_attribute = macAddress
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                timeout = 3
                timelimit = 5
                net_timeout = 5
        }
        ldap 8021x1 {
                server = "XXXX.ifom-ieo-campus.it"
                port = 636
                basedn = XXXXXXXX
                identity = XXXXXXXX
                password = XXXX
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                groupmembership_filter = "(memberuid=%{User-Name})"
                timeout = 3
                timelimit = 5
                net_timeout = 5
        }
        ldap 8021x2 {
                server = "XXXX.ifom-ieo-campus.it"
                port = 636
                basedn = XXXXXXXX
                identity = XXXXXXXX
                password = XXXX
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                groupmembership_filter = "(memberuid=%{User-Name})"
                timeout = 3
                timelimit = 5
                net_timeout = 5
        }
        attr_rewrite UserNameNormalize {
                attribute = User-Name
                searchin = packet
                searchfor = "(..)(..)(..)(..)(..)(..)"
                replacewith = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
                ignore_case = no
                new_attribute = no
                max_matches = 10
                append = no
        }
        preprocess {
                huntgroups = ${confdir}/huntgroups
        }
        files {
                usersfile = ${confdir}/users
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }
        perl {
                module = "/ofb/freeradius/bin/getVlan.pl"
        }
}

authorize {

        perl

        UserNameNormalize

        redundant {
                macbypass1
                macbypass2
        }

        redundant {
                aaa1
                aaa2
        }

        redundant {
                8021x1
                8021x2
        }

        chap

        mschap

        eap

        files
}

authenticate {

        Auth-Type PAP {
                pap
        }

        Auth-Type CHAP {
                chap
        }

        Auth-Type MS-CHAP {
                mschap
        }

        Auth-Type macbypass1 {
                ok
        }
        Auth-Type macbypass2 {
                ok
        }

        Auth-Type aaa1 {
                aaa1
        }

        Auth-Type aaa2 {
                aaa2
        }

        Auth-Type 8021x1 {
                8021x1
        }

        Auth-Type 8021x2 {
                8021x2
        }

        Auth-Type perl {
                ok
        }

        eap
}


This is the dump of a successful authentication, with version 1.1.6:

rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX:1645, id=16, length=167
        User-Name = "000a95deba4a"
        User-Password = "000a95deba4a"
        Service-Type = Call-Check
        Framed-MTU = 1520
        Called-Station-Id = "00-18-B9-EB-A6-93"
        Calling-Station-Id = "00-0A-95-DE-BA-4A"
        Message-Authenticator = 0x43b095f8f280648759c3cea2bf92b2bb
        NAS-Port-Type = Ethernet
        NAS-Port = 50017
        NAS-IP-Address = XXX.XXX.XXX.XXX
        NAS-Identifier = "0c13.igp.ifom-ieo-campus.it"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
Using perl at 0x66f180
Use of uninitialized value in string eq at /ofb/freeradius/bin/getVlan.pl line 340, <DATA> line 228.
rlm_perl: ___ macAddr=000a95deba4a switch=XXX.XXX.XXX.XXX port=50017 exit-value=SUCCESS vlan=180
rlm_perl: Added pair Tunnel-Type = VLAN
rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
rlm_perl: Added pair Tunnel-Private-Group-Id = 180
  modcall[authorize]: module "perl" returns ok for request 0
radius_xlat:  '(..)(..)(..)(..)(..)(..)'
radius_xlat:  '00:0a:95:de:ba:4a'
rlm_attr_rewrite: Changed value for attribute User-Name from '000a95deba4a' to '00:0a:95:de:ba:4a'
  modcall[authorize]: module "UserNameNormalize" returns ok for request 0
modcall: entering group redundant  for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 00:0a:95:de:ba:4a
radius_xlat:  '(macAddress=00:0a:95:de:ba:4a)'
radius_xlat:  'ou=Network,dc=ifom-ieo-campus,dc=it'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to XXXX.ifom-ieo-campus.it:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as / to XXXX.ifom-ieo-campus.it:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=Network,dc=ifom-ieo-campus,dc=it, with filter (macAddress=00:0a:95:de:ba:4a)
rlm_ldap: Added password 00:0a:95:de:ba:4a in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = macbypass1
rlm_ldap: user 00:0a:95:de:ba:4a authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "macbypass1" returns ok for request 0
modcall: leaving group redundant  (returns ok) for request 0
modcall: entering group redundant  for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 00:0a:95:de:ba:4a
radius_xlat:  '(uid=00:0a:95:de:ba:4a)'
radius_xlat:  'ou=Admins,ou=People,ou=Accounts,dc=ifom-ieo-campus,dc=it'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to XXXX.ifom-ieo-campus.it:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as XXXXXXX to XXXX.ifom-ieo-campus.it:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=Admins,ou=People,ou=Accounts,dc=ifom-ieo-campus,dc=it, with filter (uid=00:0a:95:de:ba:4a)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "aaa1" returns notfound for request 0
modcall: leaving group redundant  (returns notfound) for request 0
modcall: entering group redundant  for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 00:0a:95:de:ba:4a
radius_xlat:  '(uid=00:0a:95:de:ba:4a)'
radius_xlat:  'ou=Users,ou=People,ou=Accounts,dc=ifom-ieo-campus,dc=it'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to XXXX.ifom-ieo-campus.it:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as XXXXXX to XXXX.ifom-ieo-campus.it:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=Users,ou=People,ou=Accounts,dc=ifom-ieo-campus,dc=it, with filter (uid=00:0a:95:de:ba:4a)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "8021x1" returns notfound for request 0
modcall: leaving group redundant  (returns notfound) for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
  modcall[authorize]: module "files" returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type macbypass1
auth: type "macbypass1"
  Processing the authenticate section of radiusd.conf
modcall: entering group macbypass1 for request 0
  modcall[authenticate]: module "ok" returns ok for request 0
modcall: leaving group macbypass1 (returns ok) for request 0
Sending Access-Accept of id 16 to XXX.XXX.XXX.XXX port 1645
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "180"
Finished request 0


While this is the dump of a similar request after the upgrade:

rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX:1645, id=230, length=166
        User-Name = "0017f2f52bda"
        User-Password = "0017f2f52bda"
        Service-Type = Call-Check
        Framed-MTU = 1520
        Called-Station-Id = "00-18-73-84-4C-95"
        Calling-Station-Id = "00-17-F2-F5-2B-DA"
        Message-Authenticator = 0xbf1846c5bbc8ef89556c34df53cddb72
        NAS-Port-Type = Ethernet
        NAS-Port = 50019
        NAS-IP-Address = XXX.XXX.XXX.XXX
        NAS-Identifier = "3a1.igp.ifom-ieo-campus.it"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
Using perl at 0x653fc0
rlm_perl: ___ macAddr=0017f2f52bda switch=XXX.XXX.XXX.XXX port=50019 exit-value=SUCCESS vlan=554
rlm_perl: Added pair Tunnel-Type = VLAN
rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
rlm_perl: Added pair Tunnel-Private-Group-Id = 554
  modcall[authorize]: module "perl" returns ok for request 4
radius_xlat:  '(..)(..)(..)(..)(..)(..)'
radius_xlat:  '00:17:f2:f5:2b:da'
rlm_attr_rewrite: Changed value for attribute User-Name from '0017f2f52bda' to '00:17:f2:f5:2b:da'
  modcall[authorize]: module "UserNameNormalize" returns ok for request 4
modcall: entering group redundant  for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 00:17:f2:f5:2b:da
radius_xlat:  '(macAddress=00:17:f2:f5:2b:da)'
radius_xlat:  'ou=Network,dc=ifom-ieo-campus,dc=it'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Network,dc=ifom-ieo-campus,dc=it, with filter (macAddress=00:17:f2:f5:2b:da)
rlm_ldap: Added password 00:17:f2:f5:2b:da in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 00:17:f2:f5:2b:da authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "macbypass1" returns ok for request 4
modcall: leaving group redundant  (returns ok) for request 4
modcall: entering group redundant  for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 00:17:f2:f5:2b:da
radius_xlat:  '(uid=00:17:f2:f5:2b:da)'
radius_xlat:  'ou=Admins,ou=People,ou=Accounts,dc=ifom-ieo-campus,dc=it'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Admins,ou=People,ou=Accounts,dc=ifom-ieo-campus,dc=it, with filter (uid=00:17:f2:f5:2b:da)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "aaa1" returns notfound for request 4
modcall: leaving group redundant  (returns notfound) for request 4
modcall: entering group redundant  for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 00:17:f2:f5:2b:da
radius_xlat:  '(uid=00:17:f2:f5:2b:da)'
radius_xlat:  'ou=Users,ou=People,ou=Accounts,dc=ifom-ieo-campus,dc=it'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,ou=People,ou=Accounts,dc=ifom-ieo-campus,dc=it, with filter (uid=00:17:f2:f5:2b:da)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "8021x1" returns notfound for request 4
modcall: leaving group redundant  (returns notfound) for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 4
  modcall[authorize]: module "files" returns notfound for request 4
modcall: leaving group authorize (returns ok) for request 4
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
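As an added diagnostic example (not code from the post or from the FreeRADIUS project): a small Python parser run over abridged excerpts of the two radiusd -X dumps above. For each request it records which authorize modules ran and what they returned, whether any rlm_ldap instance logged "Setting Auth-Type", the password rlm_ldap added to the check items, and the Auth-Type the server finally used. The set of LDAP instance names is taken from the module configuration in the post; the parser, its function names and its summary fields are assumptions of this example.

```python
import re

# Abridged excerpts of the two radiusd -X dumps quoted in the post: the
# 1.1.6 run that produced an Access-Accept and the 1.1.7 run that failed.
DUMP_116 = """\
rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX:1645, id=16, length=167
        User-Name = "000a95deba4a"
        User-Password = "000a95deba4a"
  modcall[authorize]: module "perl" returns ok for request 0
  modcall[authorize]: module "UserNameNormalize" returns ok for request 0
rlm_ldap: Added password 00:0a:95:de:ba:4a in check items
rlm_ldap: Setting Auth-Type = macbypass1
  modcall[authorize]: module "macbypass1" returns ok for request 0
  modcall[authorize]: module "aaa1" returns notfound for request 0
  modcall[authorize]: module "8021x1" returns notfound for request 0
  modcall[authorize]: module "files" returns notfound for request 0
  rad_check_password:  Found Auth-Type macbypass1
auth: type "macbypass1"
  modcall[authenticate]: module "ok" returns ok for request 0
Sending Access-Accept of id 16 to XXX.XXX.XXX.XXX port 1645
"""

DUMP_117 = """\
rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX:1645, id=230, length=166
        User-Name = "0017f2f52bda"
        User-Password = "0017f2f52bda"
  modcall[authorize]: module "perl" returns ok for request 4
  modcall[authorize]: module "UserNameNormalize" returns ok for request 4
rlm_ldap: Added password 00:17:f2:f5:2b:da in check items
  modcall[authorize]: module "macbypass1" returns ok for request 4
  modcall[authorize]: module "aaa1" returns notfound for request 4
  modcall[authorize]: module "8021x1" returns notfound for request 4
  modcall[authorize]: module "files" returns notfound for request 4
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
"""

# LDAP instance names, taken from the module configuration in the post.
LDAP_INSTANCES = {"aaa1", "aaa2", "macbypass1", "macbypass2", "8021x1", "8021x2"}

MODCALL_RE = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+) for request (\d+)')
SET_AUTH_RE = re.compile(r'rlm_ldap: Setting Auth-Type = (\S+)')
CHECK_PW_RE = re.compile(r'rlm_ldap: Added password (\S+) in check items')
USER_PW_RE = re.compile(r'User-Password = "([^"]*)"')
AUTH_TYPE_RE = re.compile(r'^auth: type "?([^"\s]+)"?$')


def parse_debug(text):
    """Reduce one request's debug output to the facts that matter here."""
    summary = {
        "authorize": [],           # (module, rcode) in the order the modules ran
        "auth_type_set_by": None,  # rlm_ldap instance that logged Setting Auth-Type
        "auth_type": None,         # Auth-Type the server finally used
        "user_password": None,     # password carried in the Access-Request
        "check_password": None,    # password rlm_ldap added to the check items
        "outcome": None,           # "accept" or "reject"
    }
    for raw in text.splitlines():
        line = raw.strip()
        if m := MODCALL_RE.search(line):
            section, module, rcode, _req = m.groups()
            if section == "authorize":
                summary["authorize"].append((module, rcode))
        elif m := SET_AUTH_RE.search(line):
            summary["auth_type_set_by"] = m.group(1)
        elif m := CHECK_PW_RE.search(line):
            summary["check_password"] = m.group(1)
        elif m := USER_PW_RE.search(line):
            summary["user_password"] = m.group(1)
        elif m := AUTH_TYPE_RE.match(line):
            summary["auth_type"] = m.group(1)
        elif line.startswith("Sending Access-Accept"):
            summary["outcome"] = "accept"
        elif line.startswith("auth: Failed to validate the user"):
            summary["outcome"] = "reject"
    return summary


def diagnose(summary, ldap_instances=LDAP_INSTANCES):
    """Flag LDAP instances that found the user (returned ok) without setting
    Auth-Type, and explain the fall-through to the default Local auth type."""
    findings = []
    for module, rcode in summary["authorize"]:
        if module in ldap_instances and rcode == "ok" and summary["auth_type_set_by"] != module:
            findings.append(f"{module} returned ok but did not set Auth-Type")
    if findings and summary["auth_type"] == "Local":
        findings.append(
            "request fell through to Auth-Type Local: User-Password %r compared against "
            "LDAP check item %r" % (summary["user_password"], summary["check_password"])
        )
    return findings


if __name__ == "__main__":
    for label, dump in (("1.1.6", DUMP_116), ("1.1.7", DUMP_117)):
        s = parse_debug(dump)
        print(label, s["auth_type"], s["outcome"], diagnose(s) or "no findings")
```

On the 1.1.6 excerpt the parser reports no findings: macbypass1 set Auth-Type and the `always ok` instance accepted the request. On the 1.1.7 excerpt it flags macbypass1 as returning ok without a "Setting Auth-Type" line, so the request fell through to Auth-Type Local, where the raw User-Password "0017f2f52bda" is compared with the check item "00:17:f2:f5:2b:da" that macbypass1 took from the macAddress attribute; that comparison is the "does NOT match" line in the dump.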