Dear freeradius users,

Maybe you can help me with a - probably simple - problem in authorizing WLAN 
users. I am using freeradius 1.1.7 (on SLES 10sp4).

My working configuration is able to authorize users with modules dbm and ldap. 
Dbm is used for mac-authentication, ldap for 802.1x-authentication. For some 
reason I need to reduce the number of requests our ldap server(s) get. The 
actual configuration checks a mac address against dbm first and then against 
ldap. I want mac-addresses exclusively checked against dbm.

I can detect mac-authentication requests using the following hint:
DEFAULT Colubris-AVPair == "ssid=tsunami"
        Hint = "DBM"

Also I inserted a new DEFAULT entry in users:
DEFAULT Hint == DBM
        Fall-Through = 0

Sending the following Radius-Request:
User-Name = 001e52c90573
User-Password = 001e52c90573
Colubris-AVPair = "ssid=tsunami"

results in the attached debug output. As you can see, rlm_dbm is used first 
(with success) but after that, rlm_ldap is used, too. Is it possible to 
configure radius so that mac-address authorizations are checked against dbm 
only (whether successful or not)?

--
Kind regards
Christoph

rad_recv: Access-Request packet from host 141.26.71.252:42454, id=114, length=72
        User-Name = "001e52c90573"
        User-Password = "001e52c90573"
        Colubris-AVPair = "ssid=tsunami"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  hints: Matched DEFAULT at 36
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
    rlm_realm: No '@' in User-Name = "001e52c90573", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "001e52c90573"
    rlm_realm: Proxying request from user 001e52c90573 to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 3
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 3
    users: Matched entry DEFAULT at line 149
    users: Matched entry DEFAULT at line 160
  modcall[authorize]: module "files" returns ok for request 3
rlm_dbm: try open database file: /etc/raddb/wlan 
rlm_dbm: Call parse_user: 
sm_parse_user.c: check for loops
Add 001e52c90573 to user list
sm_parse_user: start parsing: user: 001e52c90573
parse buffer: <<Auth-Type := Local, User-Password == "001e52c90573">> 
rlm_dbm: recod parsed 
process pattern
rlm_dbm: Pattern matched, look for request
parse buffer: <<Service-Type = Login-User>> 
rlm_dbm: recod parsed 
rlm_dbm: Reply found
Remove 001e52c90573 from user list
  modcall[authorize]: module "dbm" returns ok for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 001e52c90573
radius_xlat:  '(uid=001e52c90573)'
radius_xlat:  'dc=uni-koblenz,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=uni-koblenz,dc=de, with filter (uid=001e52c90573)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 3
modcall: leaving group authorize (returns ok) for request 3
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [001e52c90573] (from client test port 0)



_________________________________________
Christoph Litauer
Uni Koblenz, Computing Centre, Office A 022    
Postfach 201602, 56016 Koblenz     
Fon: +49 261 287-1311, Fax: -100 1311



