Hi all:

     I am running Freeradius 1.1.0 and am trying to get Ldap-Groups to work 
with EAP/PEAP/MSCHAPv2, but have been running into issues.  I'm trying to 
permit authentication to a wireless SSID based on an LDAP group.  Here is my 
configuration:

Radiusd.conf:

      authorize {
            preprocess
            auth_log
            files {
                notfound = return
            }
            eap
            redundant-load-balance {
                ldap1
                ldap2
            }
      }

      authenticate {
            Auth-Type LDAP {
                redundant-load-balance {
                    ldap1
                    ldap2
                }
            }
            Auth-Type EAP {
                eap
            }
      }

hints:
            DEFAULT Called-Station-Id =~ ".*:ssid"
                    Called-Station-Id := "ssid"

huntgroups:
            restrict    Called-Station-Id == ssid
            all         NAS-IP-Address == xxx

users:
            DEFAULT    Huntgroup-Name == restrict, Ldap-Group == "cn=something,ou=something"
            DEFAULT    Huntgroup-Name == all


     When I try to authenticate, the RADIUS server receives about 7 
Access-Requests.  Each time it receives one, the RADIUS server checks the LDAP 
store to verify that the user exists in the LDAP group (is this normal?  Can 
this be reduced?  7 LDAP binds per authentication attempt seems high), and each 
module returns OK.  On the 6th attempt, though, it attempts to decode the EAP 
tunnel, and this happens:

        rlm_ldap::ldap_groupcmp: User found in group cn=something,ou=something
blah blah blah
        Processing the authenticate section
blah blah blah
        rlm_eap_peap: EAPTLS_OK
        rlm_eap_peap: Session established.  Decoding tunneled attributes.
        rlm_eap_peap: Identity - XXX
        rlm_eap_peap: Tunneled data is valid
        PEAP: Got tunneled identity of XXX
        PEAP: Setting default EAP type for tunneled EAP session
        PEAP: Setting User-Name to XXX
        Processing the authorize section
        modcall[authorize]: module "preprocess" returns ok for request 6
blah blah blah
        modcall[authorize]: module "auth_log" returns ok for request 6
        modcall[authorize]: module "files" returns notfound for request 6

        Notice that there is no additional call to ldap_group between the 
authorize and the resulting failure in the files module.  Since I have set 
"files { notfound = return }", the user fails to authenticate despite being 
accepted 5 times previously with ldap_group.  If I remove "notfound = return", 
the user can authenticate REGARDLESS of the Ldap-Group I set, even when 
ldap_group returns notfound.

     Is there something I'm missing in the configuration file? 
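As an added example (not the poster's configuration, and not a confirmed diagnosis of this thread), the fragments below show one way to make the Ldap-Group check run once, on the tunneled PEAP request, rather than on every outer TLS round, while still rejecting users outside the group. They assume FreeRADIUS 1.1.x behaviour: the `copy_request_to_tunnel` option in the peap section of eap.conf, and rlm_eap_peap marking the inner request with FreeRADIUS-Proxied-To = 127.0.0.1; the group DN and SSID are the poster's placeholders.

```conf
# eap.conf (added example)
eap {
    default_eap_type = peap
    peap {
        default_eap_type = mschapv2
        # Copy the outer attributes (Called-Station-Id, NAS-IP-Address) into
        # the tunneled request so the huntgroup check can match there too.
        copy_request_to_tunnel = yes
        # Return the inner reply items in the outer Access-Accept.
        use_tunneled_reply = yes
    }
}

# radiusd.conf (added example): no "notfound = return" on files, so the
# outer TLS rounds, which match no users entry, continue on to eap.
authorize {
    preprocess
    auth_log
    files
    eap
    redundant-load-balance {
        ldap1
        ldap2
    }
}

# users (added example): entries are tried in order and only the inner
# request carries FreeRADIUS-Proxied-To, so the outer rounds never touch LDAP.
# Member of the required group on the restricted SSID: accept, stop here.
DEFAULT  FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == restrict, Ldap-Group == "cn=something,ou=something"
         Fall-Through = no

# Restricted SSID but not in the group: explicit reject instead of relying
# on files returning notfound.
DEFAULT  FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == restrict, Auth-Type := Reject
         Reply-Message = "Not a member of the required group"

# Everyone else on the unrestricted NAS: fall through to EAP authentication.
DEFAULT  FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == all
         Fall-Through = no
```

With this layout a `radiusd -X` run should show a single ldap_groupcmp line, on the request where PEAP reports "Tunneled data is valid", and a non-member is rejected there rather than at the files module.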

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html