Re: Problems with EAP and LDAP replyItems (2.0.2)

2008-08-20 Thread tschaos
 --- Original Message ---
 Date: Tue, 19 Aug 2008 17:37:34 +0200
 From: [EMAIL PROTECTED]
 To: freeradius-users@lists.freeradius.org
 Subject: Problems with EAP and LDAP replyItems (2.0.2)

 Hi Guys,
 
 Since freeradius2 has some major improvements I am trying to upgrade from 1.1.4.
 Unfortunately I have encountered a few problems:
 
 For some weird reason the server isn't sending my LDAP
 replyItems back to the NAS along with the Access-Accept packet.
 
 In short, I want to authenticate using EAP/PEAP against the server, which
 itself checks against our LDAP server. Additionally the server should also
 send back a specific replyItem stored in our LDAP.
 
 The configuration looks like this:
 
 authorize {
     preprocess
     eap {
         ok = return
     }
 
     ldap1
 }
 
 
 authenticate {
     Auth-Type MS-CHAP {
         mschap
     }
     eap
 }
 
 In ldap.attrmap the following is configured:
 
 replyItem   Airespace-Interface-Name   radiusCallingStationId
 
 So the LDAP attribute radiusCallingStationId should be transformed to an
 attribute called Airespace-Interface-Name and sent back to the NAS.
 
 As you can see in the following debug output, at the beginning the server
 sends the attribute back as expected, but for some weird reason the
 attribute isn't sent along in the Access-Accept packet.
 
 What's wrong here?
 
 Thanks in advance!
 
 debug-output: [cut]

No one has any clue why this doesn't work? I really wanted to deploy the server
tonight.

Any help is welcome!

thanks,
Peter
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Problems with EAP and LDAP replyItems (2.0.2)

2008-08-19 Thread tschaos
Hi Guys,

Since freeradius2 has some major improvements I am trying to upgrade from 1.1.4.
Unfortunately I have encountered a few problems:

For some weird reason the server isn't sending my LDAP replyItems
back to the NAS along with the Access-Accept packet.

In short, I want to authenticate using EAP/PEAP against the server, which itself
checks against our LDAP server. Additionally the server should also send back a
specific replyItem stored in our LDAP.

The configuration looks like this:

authorize {
    preprocess
    eap {
        ok = return
    }

    ldap1
}


authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}

In ldap.attrmap the following is configured:

replyItem   Airespace-Interface-Name   radiusCallingStationId

So the LDAP attribute radiusCallingStationId should be transformed to an attribute
called Airespace-Interface-Name and sent back to the NAS.

As you can see in the following debug output, at the beginning the server sends
the attribute back as expected, but for some weird reason the attribute isn't
sent along in the Access-Accept packet.

What's wrong here?

Thanks in advance!

debug-output:


rad_recv: Access-Request packet from host 10.110.101.4 port 32770, id=237, length=182
User-Name = testuser
Calling-Station-Id = 00-0E-35-AE-DB-DF
Called-Station-Id = 00-1A-30-2E-C9-60:wlan-test
NAS-Port = 29
NAS-IP-Address = 10.110.101.4
NAS-Identifier = WiSM-2
Airespace-Wlan-Id = 7
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 995
EAP-Message = 0x0202000d0173737065726c3232
Message-Authenticator = 0x1c08d8491b0ebb2a032ab1ebb8f7ee59
+- entering group authorize
++[preprocess] returns ok
  rlm_eap: EAP packet type response id 2 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
expand: (|(uid=%u)(uid=%U)) -> (|(uid=testuser)(uid=_))
expand: dc=mydomain,dc=ac,dc=at -> dc=mydomain,dc=ac,dc=at
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.mydomain.com:389, authentication 0
rlm_ldap: bind as uid=service-user,ou=services,dc=mydomain,dc=ac,dc=at/passme to ldap.mydomain.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=mydomain,dc=ac,dc=at, with filter (|(uid=testuser)(uid=_))
rlm_ldap: Added User-Password = testpwd in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusCallingStationId as RADIUS attribute Airespace-Interface-Name = 599
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap1] returns ok
  rad_check_password:  Found Auth-Type EAP
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the known good   !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 237 to 10.110.101.4 port 32770
Airespace-Interface-Name = 599
EAP-Message = 0x0103001604104f56bcec8ceb0ba608af483ccb4111c9
Message-Authenticator = 0x
State = 0x33b5046233b6000c0bb076d000b26f5e
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.110.101.4 port 32770, id=238, length=193
User-Name = testuser
Calling-Station-Id = 00-0E-35-AE-DB-DF
Called-Station-Id = 00-1A-30-2E-C9-60:wlan-test
NAS-Port = 29
NAS-IP-Address = 10.110.101.4
NAS-Identifier = WiSM-2
Airespace-Wlan-Id = 7
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 995
EAP-Message = 0x020300060319
State = 0x33b5046233b6000c0bb076d000b26f5e
Message-Authenticator = 0xae7227a437741cee122a96438eb2b8c6
+- entering group authorize
++[preprocess] returns ok
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: No 

Re: override ldap reply attribute

2007-04-24 Thread tschaos
Kostas Kalevras wrote

 [EMAIL PROTECTED] wrote:
  Here is the full debug-log.
 
  Airespace-Interface-Name
  value in ldap: 310
  value in users-file: 777
 
  as you can see, it doesn't override :-(
 
  users-file line 54, which matches:
 
  DEFAULT Called-Station-Id == 00-1A-30-2E-C9-60:Test99,
 Airespace-Interface-Name := 777

 
 Airespace-Interface-Name is a reply item while you are setting it as a
 check item. Correct way:
 
 DEFAULT   Called-Station-Id == 00-1A-30-2E-C9-60:Test99
         Airespace-Interface-Name := 777

IT WORKS! thanks a LOT :-)

 
  radiusd.conf authorize section:
 
  authorize {
  preprocess
  eap
  ldap_wlan
  files
  }
 
  as you can see, it's wlan-authentication with EAP on SSID:Test99
 
  don't know what else I can try :-(
 
  thanks in advance for your help!
 

 
 -- 
 Kostas Kalevras - Network Operations Center
 National Technical University of Athens
 http://kkalev.wordpress.com
 
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
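
The check-item versus reply-item distinction pointed out in the message above, as an added example that is not part of the original posts and is not FreeRADIUS code: a simplified Python reader for users-file entries that shows why the posted entry leaves the LDAP value 310 in place while the corrected entry replaces it with 777. `parse_users`, `apply_users` and the sample request are hypothetical names and constructed data, and the posted entry is assumed to have been a single line in the file.

```python
import re

# attribute, operator, value; two-character operators come first so ":=" is not read as "=".
ITEM = re.compile(r'\s*([\w-]+)\s*(:=|\+=|==|!=|=)\s*(.+?)\s*$')

def split_items(body):
    """Split a comma-separated item list, ignoring commas inside double quotes."""
    parts = re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', body)
    return [p for p in parts if p.strip()]

def parse_users(text):
    """Parse users-file text into entries: {'name', 'check': [...], 'reply': [...]}."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue                                  # blank line or comment
        if raw[0] in ' \t':                           # indented line: reply items
            if not entries:
                raise ValueError('reply line before any entry')
            target, body = entries[-1]['reply'], raw
        else:                                         # column 0: name, then check items
            fields = raw.split(None, 1)
            body = fields[1] if len(fields) > 1 else ''
            entries.append({'name': fields[0], 'check': [], 'reply': []})
            target = entries[-1]['check']
        for part in split_items(body):
            m = ITEM.match(part)
            if m is None:
                raise ValueError('cannot parse item: %r' % part)
            attr, op, value = m.groups()
            target.append((attr, op, value.strip('"')))
    return entries

def apply_users(entries, request, reply):
    """Return the reply list after the first matching entry (no Fall-Through) is applied.

    Only '==' check items and the '=' / ':=' reply operators are modelled.
    """
    reply = dict(reply)
    for entry in entries:
        if entry['name'] not in ('DEFAULT', request.get('User-Name')):
            continue
        if all(request.get(a) == v for a, op, v in entry['check'] if op == '=='):
            for attr, op, value in entry['reply']:
                if op == ':=' or attr not in reply:   # ':=' replaces, '=' adds only if absent
                    reply[attr] = value
            break
    return reply

# Constructed sample data based on the values quoted in the thread.
AS_POSTED = 'DEFAULT Called-Station-Id == 00-1A-30-2E-C9-60:Test99, Airespace-Interface-Name := 777\n'
CORRECTED = ('DEFAULT Called-Station-Id == 00-1A-30-2E-C9-60:Test99\n'
             '\tAirespace-Interface-Name := 777\n')
REQUEST = {'User-Name': 'testuser', 'Called-Station-Id': '00-1A-30-2E-C9-60:Test99'}
FROM_LDAP = {'Airespace-Interface-Name': '310'}       # reply item already added by LDAP

if __name__ == '__main__':
    for label, text in (('as posted', AS_POSTED), ('corrected', CORRECTED)):
        entry = parse_users(text)[0]
        print(label, 'check:', entry['check'], 'reply:', entry['reply'])
        print('  ->', apply_users([entry], REQUEST, FROM_LDAP))
```

Because `files` is listed after the LDAP module in the quoted authorize section, the LDAP reply item is already present when the users-file entry is evaluated, which is why the `:=` operator on a reply line is what makes the override take effect.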

IP-Address assignment - NAS Pool if value is empty in LDAP

2006-01-11 Thread tschaos
I am running freeradius-1.0.2-5.5 and need a solution for the following
problem:

We want freeradius to send back an IP address if there is one
for that user in LDAP. If the value is empty, freeradius shouldn't send back
an IP address and the NAS should choose one from its own IP pool.

Is this possible?

greetings,
Stefan



authorization depending on authentication (ldap)

2006-01-05 Thread tschaos
Hi guys,

First, sorry for my bad English, I am from Austria ;-)

I am running freeradius-1.0.2-5.5

I have a big problem here and can't solve it alone:

There are 3 ldap instances:
ldap1,ldap2,ldap3.

and I authenticate against them all one after another in the authentication section like
this:

authenticate {
ldap1
ldap2
ldap3
}

same in authorize-section:

authorize {
ldap1
ldap2
ldap3
}

Now my problem is that if user x is authenticated at ldap2, for instance,
the authorization fails because the user isn't found at ldap1 (freeradius
doesn't seem to try authorizing on ldap2 or ldap3)

What I need is a solution for the following requirements:

if authentication runs over ldap1 authorize on ldap1
if authentication runs over ldap1 authorize on ldap2
if authentication runs over ldap1 authorize on ldap3

How can I do that?

I hope you guys can help me, I have been searching for a solution for 3 days now and
I haven't got any idea how to solve that :-(

Thanks and greetings from snowy Austria!



Re: authorization depending on authentication (ldap)

2006-01-05 Thread tschaos
 I assume you meant

 if authentication runs over ldap1 authorize on ldap1
 if authentication runs over ldap2 authorize on ldap2
 if authentication runs over ldap3 authorize on ldap3

Sorry, my fault - I should check my copy-paste better ;-)


 The authenticate processing should set Auth-Type to an unique value
 for each instance.  If you're using the default schema, then you can
 do that by adding a radiusAuthType ldap attribute to each user.  Or
 maybe better:  Use a default profile to set the appropriate
 radiusAuthType for each ldap instance.
 
 E.g. add something like this to the directories:
 
 ldap1:
 dn: cn=radprofile,ou=dialup,o=My Org,c=UA
 radiusAuthType: LDAP1
 
 ldap2:
 dn: cn=radprofile,ou=dialup,o=My Org,c=UA
 radiusAuthType: LDAP2

 ldap3:
 dn: cn=radprofile,ou=dialup,o=My Org,c=UA
 radiusAuthType: LDAP3

Hm, I don't understand where I should add these kinds of lines. I guess they
should be in the users file as a default entry.

Can you give a complete working sample for such an entry? Sorry if this
is basic knowledge, but I don't know how to check ldap settings in the
users file.

thanks in advance

Stefan

 --- Original Message ---
 From: Bjørn Mork [EMAIL PROTECTED]
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Subject: Re: authorization depending on authentication (ldap)
 Date: Thu, 05 Jan 2006 11:56:33 +0100
 
 [EMAIL PROTECTED] writes:
 
  I am running freeradius-1.0.2-5.5
 
  There are 3 ldap instances:
  ldap1,ldap2,ldap3.
 
  and I authenticate against them all one after another in the authentication section
  like this:
 
  authenticate {
  ldap1
  ldap2
  ldap3
  }
 
  same in authorize-section:
 
  authorize {
  ldap1
  ldap2
  ldap3
  }
 
  Now my problem is that if user x is authenticated at ldap2, for instance,
  the authorization fails because the user isn't found at ldap1 (freeradius
  doesn't seem to try authorizing on ldap2 or ldap3)
 
  What I need is a solution for the following requirements:
 
  if authentication runs over ldap1 authorize on ldap1
  if authentication runs over ldap1 authorize on ldap2
  if authentication runs over ldap1 authorize on ldap3
 
  How can I do that?
 
 I assume you meant 
 
  if authentication runs over ldap1 authorize on ldap1
  if authentication runs over ldap2 authorize on ldap2
  if authentication runs over ldap3 authorize on ldap3
 
 
 The authenticate processing should set Auth-Type to an unique value
 for each instance.  If you're using the default schema, then you can
 do that by adding a radiusAuthType ldap attribute to each user.  Or
 maybe better:  Use a default profile to set the appropriate
 radiusAuthType for each ldap instance.
 
 E.g. add something like this to the directories:
 
 ldap1:
 dn: cn=radprofile,ou=dialup,o=My Org,c=UA
 radiusAuthType: LDAP1
 
 ldap2:
 dn: cn=radprofile,ou=dialup,o=My Org,c=UA
 radiusAuthType: LDAP2
 
 ldap3:
 dn: cn=radprofile,ou=dialup,o=My Org,c=UA
 radiusAuthType: LDAP3
 
 And then in radiusd.conf:
 
 modules {
 ..
 ldap ldap1 {
 ..
 default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
 ..
 }
 ldap ldap2 {
 ..
 default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
 ..
 }
 ldap ldap3 {
 ..
 default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
 ..
 }
 }
 ..
 authorize {
   Auth-Type LDAP1 {
  ldap1
   }
   Auth-Type LDAP2 {
  ldap2
   }
   Auth-Type LDAP3 {
  ldap3
   }
 }
 
 
 
 
 Note: This would be a lot easier with freeradius-1.1, where I believe
 something like this would have been sufficient since rlm_ldap now sets
 Auth-Type to the instance name by default:
 
 authorize {
   Auth-Type ldap1 {
  ldap1
   }
   Auth-Type ldap2 {
  ldap2
   }
   Auth-Type ldap3 {
  ldap3
   }
 }
 
 
 
 Bjørn
 



Re: authorization depending on authentication (ldap)

2006-01-05 Thread tschaos
Sorry, now I understand what you meant by that:

  ldap1:
  dn: cn=radprofile,ou=dialup,o=My Org,c=UA
  radiusAuthType: LDAP1
  
  ldap2:
  dn: cn=radprofile,ou=dialup,o=My Org,c=UA
  radiusAuthType: LDAP2
 
  ldap3:
  dn: cn=radprofile,ou=dialup,o=My Org,c=UA
  radiusAuthType: LDAP3

I should change the ldap-directory. Isn't it possible to make it fit my needs
without changing the ldap-directory? Without freeradius-1.1?


 --- Original Message ---
 From: [EMAIL PROTECTED]
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Subject: Re: authorization depending on authentication (ldap)
 Date: Thu, 5 Jan 2006 13:30:16 +0100 (MET)
 
  I assume you meant
 
  if authentication runs over ldap1 authorize on ldap1
  if authentication runs over ldap2 authorize on ldap2
  if authentication runs over ldap3 authorize on ldap3
 
 Sorry, my fault - I should check my copy-paste better ;-)
 
 
  The authenticate processing should set Auth-Type to an unique value
  for each instance.  If you're using the default schema, then you can
  do that by adding a radiusAuthType ldap attribute to each user.  Or
  maybe better:  Use a default profile to set the appropriate
  radiusAuthType for each ldap instance.
  
  E.g. add something like this to the directories:
  
  ldap1:
  dn: cn=radprofile,ou=dialup,o=My Org,c=UA
  radiusAuthType: LDAP1
  
  ldap2:
  dn: cn=radprofile,ou=dialup,o=My Org,c=UA
  radiusAuthType: LDAP2
 
  ldap3:
  dn: cn=radprofile,ou=dialup,o=My Org,c=UA
  radiusAuthType: LDAP3
 
 Hm, I don't understand where I should add these kinds of lines. I guess they
 should be in the users file as a default entry.
 
 Can you give a complete working sample for such an entry? Sorry if this
 is basic knowledge, but I don't know how to check ldap settings in the
 users file.
 
 thanks in advance
 
 Stefan
 
  --- Original Message ---
  From: Bjørn Mork [EMAIL PROTECTED]
  To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
  Subject: Re: authorization depending on authentication (ldap)
  Date: Thu, 05 Jan 2006 11:56:33 +0100
  
  [EMAIL PROTECTED] writes:
  
   I am running freeradius-1.0.2-5.5
  
   There are 3 ldap instances:
   ldap1,ldap2,ldap3.
  
   and I authenticate against them all one after another in the authentication section
   like this:
  
   authenticate {
   ldap1
   ldap2
   ldap3
   }
  
   same in authorize-section:
  
   authorize {
   ldap1
   ldap2
   ldap3
   }
  
   Now my problem is that if user x is authenticated at ldap2, for instance,
   the authorization fails because the user isn't found at ldap1 (freeradius
   doesn't seem to try authorizing on ldap2 or ldap3)
  
   What I need is a solution for the following requirements:
  
   if authentication runs over ldap1 authorize on ldap1
   if authentication runs over ldap1 authorize on ldap2
   if authentication runs over ldap1 authorize on ldap3
  
   How can I do that?
  
  I assume you meant 
  
   if authentication runs over ldap1 authorize on ldap1
   if authentication runs over ldap2 authorize on ldap2
   if authentication runs over ldap3 authorize on ldap3
  
  
  The authenticate processing should set Auth-Type to an unique value
  for each instance.  If you're using the default schema, then you can
  do that by adding a radiusAuthType ldap attribute to each user.  Or
  maybe better:  Use a default profile to set the appropriate
  radiusAuthType for each ldap instance.
  
  E.g. add something like this to the directories:
  
  ldap1:
  dn: cn=radprofile,ou=dialup,o=My Org,c=UA
  radiusAuthType: LDAP1
  
  ldap2:
  dn: cn=radprofile,ou=dialup,o=My Org,c=UA
  radiusAuthType: LDAP2
  
  ldap3:
  dn: cn=radprofile,ou=dialup,o=My Org,c=UA
  radiusAuthType: LDAP3
  
  And then in radiusd.conf:
  
  modules {
  ..
  ldap ldap1 {
  ..
  default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
  ..
  }
  ldap ldap2 {
  ..
  default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
  ..
  }
  ldap ldap3 {
  ..
  default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
  ..
  }
  }
  ..
  authorize {
Auth-Type LDAP1 {
   ldap1
}
Auth-Type LDAP2 {
   ldap2
}
Auth-Type LDAP3 {
   ldap3
}
  }
  
  
  
  
  Note: This would be a lot easier with freeradius-1.1, where I believe
  something like this would have been sufficient since rlm_ldap now sets
  Auth-Type to the instance name by default:
  
  authorize {
Auth-Type ldap1 {