Re: Problems with EAP and LDAP replyItems (2.0.2)
Original message
Date: Tue, 19 Aug 2008 17:37:34 +0200
From: [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Subject: Problems with EAP and LDAP replyItems (2.0.2)

No one has any clue why this doesn't work? I really wanted to deploy the server tonight. Any help is welcome!

thanks,
Peter

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Problems with EAP and LDAP replyItems (2.0.2)
Hi Guys,

Since freeradius2 has some major improvements I am trying to upgrade from 1.1.4. Unfortunately there are a few problems I encounter: for some weird reason the server isn't sending my LDAP replyItems back to the NAS along with the Access-Accept packet.

In short I want to authenticate using EAP/PEAP against the server, which itself checks against our LDAP server. Additionally the server should also send back a specific replyItem stored in our LDAP.

The configuration looks like:

    authorize {
        preprocess
        eap {
            ok = return
        }
        ldap1
    }

    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }

In ldap.attrmap the following is configured:

    replyItem    Airespace-Interface-Name    radiusCallingStationId

so the LDAP attribute radiusCallingStationId should be transformed to an attribute called Airespace-Interface-Name and sent back to the NAS.

As you can see in the following debug output, at the beginning the server sends the attribute back as supposed, but for some weird reason in the Access-Accept packet the attribute isn't sent along. What's wrong here?

Thanks in advance!
debug-output:

rad_recv: Access-Request packet from host 10.110.101.4 port 32770, id=237, length=182
        User-Name = testuser
        Calling-Station-Id = 00-0E-35-AE-DB-DF
        Called-Station-Id = 00-1A-30-2E-C9-60:wlan-test
        NAS-Port = 29
        NAS-IP-Address = 10.110.101.4
        NAS-Identifier = WiSM-2
        Airespace-Wlan-Id = 7
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 995
        EAP-Message = 0x0202000d0173737065726c3232
        Message-Authenticator = 0x1c08d8491b0ebb2a032ab1ebb8f7ee59
+- entering group authorize
++[preprocess] returns ok
  rlm_eap: EAP packet type response id 2 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
        expand: (|(uid=%u)(uid=%U)) -> (|(uid=testuser)(uid=_))
        expand: dc=mydomain,dc=ac,dc=at -> dc=mydomain,dc=ac,dc=at
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.mydomain.com:389, authentication 0
rlm_ldap: bind as uid=service-user,ou=services,dc=mydomain,dc=ac,dc=at/passme to ldap.mydomain.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=mydomain,dc=ac,dc=at, with filter (|(uid=testuser)(uid=_))
rlm_ldap: Added User-Password = testpwd in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusCallingStationId as RADIUS attribute Airespace-Interface-Name = 599
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap1] returns ok
rad_check_password:  Found Auth-Type EAP
!!! Replacing User-Password in config items with Cleartext-Password.          !!!
!!! Please update your configuration so that the known good                   !!!
!!! clear text password is in Cleartext-Password, and not in User-Password.   !!!
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 237 to 10.110.101.4 port 32770
        Airespace-Interface-Name = 599
        EAP-Message = 0x0103001604104f56bcec8ceb0ba608af483ccb4111c9
        Message-Authenticator = 0x
        State = 0x33b5046233b6000c0bb076d000b26f5e
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.110.101.4 port 32770, id=238, length=193
        User-Name = testuser
        Calling-Station-Id = 00-0E-35-AE-DB-DF
        Called-Station-Id = 00-1A-30-2E-C9-60:wlan-test
        NAS-Port = 29
        NAS-IP-Address = 10.110.101.4
        NAS-Identifier = WiSM-2
        Airespace-Wlan-Id = 7
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 995
        EAP-Message = 0x020300060319
        State = 0x33b5046233b6000c0bb076d000b26f5e
        Message-Authenticator = 0xae7227a437741cee122a96438eb2b8c6
+- entering group authorize
++[preprocess] returns ok
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: No
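As an added example (not part of the original post), here is a small Python checker that reads radiusd -X output like the above and reports, for every packet the server sends, whether a given reply attribute was included; the sample log is constructed to mirror the symptom described, and the Access-Accept lines are invented since the post's output is cut off before that point.

```python
import re

# "Sending Access-Challenge of id 237 to 10.110.101.4 port 32770" style lines
SEND_RE = re.compile(r'^Sending (Access-[A-Za-z]+) of id (\d+) to (\S+) port (\d+)')
# indented "Attribute = value" lines that follow a Sending/rad_recv line
ATTR_RE = re.compile(r'^\s+([\w-]+(?::\d+)?)\s*=\s*(.*)$')


def parse_sent_packets(debug_text):
    """Return [{'code', 'id', 'attrs'}] for each packet radiusd reports sending.
    Only a 'Sending ...' line opens a dump; any later non-indented line closes it,
    so attributes of received packets (after 'rad_recv:') are never mixed in."""
    packets, cur = [], None
    for line in debug_text.splitlines():
        m = SEND_RE.match(line)
        if m:
            cur = {"code": m.group(1), "id": int(m.group(2)), "attrs": {}}
            packets.append(cur)
            continue
        a = ATTR_RE.match(line)
        if cur is not None and a:
            cur["attrs"][a.group(1)] = a.group(2).strip()
        elif line.strip():
            cur = None
    return packets


def missing_from_replies(packets, attr, codes=("Access-Accept",)):
    """IDs of sent packets of the given codes that do not carry `attr`."""
    return [p["id"] for p in packets
            if p["code"] in codes and attr not in p["attrs"]]


# Constructed sample: the Challenge carries the LDAP reply item, the final
# Accept (invented here, id 240) does not, which is the behaviour the post describes.
SAMPLE = """\
rad_recv: Access-Request packet from host 10.110.101.4 port 32770, id=237, length=182
        User-Name = "testuser"
++[ldap1] returns ok
Sending Access-Challenge of id 237 to 10.110.101.4 port 32770
        Airespace-Interface-Name = 599
        EAP-Message = 0x0103001604104f56bcec8ceb0ba608af483ccb4111c9
        Message-Authenticator = 0x
        State = 0x33b5046233b6000c0bb076d000b26f5e
Finished request 0.
Sending Access-Accept of id 240 to 10.110.101.4 port 32770
        EAP-Message = 0x03050004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "testuser"
Finished request 3.
"""

if __name__ == "__main__":
    pkts = parse_sent_packets(SAMPLE)
    for p in pkts:
        print(p["code"], p["id"], "Airespace-Interface-Name" in p["attrs"])
    print("Accepts missing the reply item:", missing_from_replies(pkts, "Airespace-Interface-Name"))
```

Run it against a full -X capture to see at which packet of the EAP conversation the LDAP reply item stops being sent.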
Re: override ldap reply attribute
Kostas Kalevras wrote:
> [EMAIL PROTECTED] wrote:
>> Here is the full debug log.
>> Airespace-Interface-Name value in LDAP: 310
>> value in users file: 777
>> As you can see, it doesn't override :-(
>>
>> users file line 54, which matches:
>>
>> DEFAULT Called-Station-Id == 00-1A-30-2E-C9-60:Test99, Airespace-Interface-Name := 777
>
> Airespace-Interface-Name is a reply item while you are setting it as a check item. Correct way:
>
> DEFAULT Called-Station-Id == 00-1A-30-2E-C9-60:Test99
>         Airespace-Interface-Name := 777

IT WORKS! Thanks a LOT :-)

>> radiusd.conf authorize section:
>>
>> authorize {
>>     preprocess
>>     eap
>>     ldap_wlan
>>     files
>> }
>>
>> As you can see, it's WLAN authentication with EAP on SSID Test99.
>> Don't know what else I can try :-(
>> Thanks in advance for your help!
>
> --
> Kostas Kalevras - Network Operations Center
> National Technical University of Athens
> http://kkalev.wordpress.com
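A small added check (example code, not from the thread or the FreeRADIUS project) that parses entries in the users file layout Kostas describes, check items on the first line and reply items on the indented lines that follow, and flags reply-only attributes that have landed on the check line; REPLY_ONLY is a constructed, partial list and quoted values containing commas are handled only when quoted.

```python
import re
from dataclasses import dataclass, field

# Partial, constructed list of attributes that only make sense as reply items.
REPLY_ONLY = {"Airespace-Interface-Name", "Reply-Message", "Framed-IP-Address",
              "Tunnel-Private-Group-Id", "Session-Timeout"}

# One "Attribute op value" item; values are quoted or a bare token up to a comma.
ITEM_RE = re.compile(r'([\w-]+(?::\d+)?)\s*(:=|==|\+=|!=|=~|=)\s*("[^"]*"|[^,\s]+)')


@dataclass
class Entry:
    name: str                                    # user name or DEFAULT
    check: list = field(default_factory=list)    # (attr, op, value) on the first line
    reply: list = field(default_factory=list)    # (attr, op, value) on indented lines


def split_items(text):
    """Split a comma-separated item list into (attr, op, value) tuples."""
    return [(m.group(1), m.group(2), m.group(3).strip('"'))
            for m in ITEM_RE.finditer(text)]


def parse_users(text):
    """Unindented line = name plus check items; following indented lines =
    reply items; '#' starts a comment; blank lines are ignored."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] not in ' \t':
            parts = line.split(None, 1)
            cur = Entry(parts[0], split_items(parts[1] if len(parts) > 1 else ''))
            entries.append(cur)
        elif cur is not None:
            cur.reply.extend(split_items(line))
    return entries


def lint(entries):
    """Report reply-only attributes that sit among the check items."""
    return [f"{e.name}: {attr} {op} {val} is a reply item but is on the check line"
            for e in entries for attr, op, val in e.check if attr in REPLY_ONLY]


# Constructed samples: the line from the thread that did not work, and the fix.
WRONG = "DEFAULT Called-Station-Id == 00-1A-30-2E-C9-60:Test99, Airespace-Interface-Name := 777\n"
RIGHT = "DEFAULT Called-Station-Id == 00-1A-30-2E-C9-60:Test99\n\tAirespace-Interface-Name := 777\n"

if __name__ == "__main__":
    for label, text in (("wrong", WRONG), ("right", RIGHT)):
        print(label, lint(parse_users(text)) or "ok")
```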
IP-Address assignment - NAS Pool if value is empty in LDAP
I am running freeradius-1.0.2-5.5 and need a solution for the following problem: we want to achieve that freeradius sends back an IP address if there is one for that user in LDAP. If the value is empty, freeradius shouldn't send back an IP address and the NAS should choose one from its own IP pool. Is this possible to realize?

greetings,
Stefan
authorization depending on authentication (ldap)
Hi guys,

First sorry for my bad English, I am from Austria ;-)

I am running freeradius-1.0.2-5.5. I have a big problem here and can't solve it alone: there are 3 LDAP instances, ldap1, ldap2, ldap3, and I authenticate against them all, one after another, in the authentication section like this:

    authenticate {
        ldap1
        ldap2
        ldap3
    }

Same in the authorize section:

    authorize {
        ldap1
        ldap2
        ldap3
    }

Now my problem is that if user x is authenticated at ldap2, for instance, the authorization fails because the user isn't found at ldap1 (freeradius doesn't seem to try authorizing on ldap2 or ldap3).

What I need would be a solution for the following needs:

    if authentication runs over ldap1 authorize on ldap1
    if authentication runs over ldap1 authorize on ldap2
    if authentication runs over ldap1 authorize on ldap3

How can I do that? Hope you guys can help me; I have been searching for a solution for 3 days now and I haven't got any idea how to solve that :-(

Thanks and greetings from snowy Austria!
Re: authorization depending on authentication (ldap)
> I assume you meant
>
>     if authentication runs over ldap1 authorize on ldap1
>     if authentication runs over ldap2 authorize on ldap2
>     if authentication runs over ldap3 authorize on ldap3

sorry, my fault - should check my copy-paste better ;-)

> The authenticate processing should set Auth-Type to a unique value for each instance. If you're using the default schema, then you can do that by adding a radiusAuthType ldap attribute to each user. Or maybe better: use a default profile to set the appropriate radiusAuthType for each ldap instance. E.g. add something like this to the directories:
>
>     ldap1:
>     dn: cn=radprofile,ou=dialup,o=My Org,c=UA
>     radiusAuthType: LDAP1
>
>     ldap2:
>     dn: cn=radprofile,ou=dialup,o=My Org,c=UA
>     radiusAuthType: LDAP2
>
>     ldap3:
>     dn: cn=radprofile,ou=dialup,o=My Org,c=UA
>     radiusAuthType: LDAP3

hm, I don't understand where I should add these kinds of lines. I guess they should be in the users file as a default entry. Can you give a complete working sample for such an entry? Sorry if this would be base knowledge, but I don't know how to check LDAP settings in the users file.

thanks in advance
Stefan

--- Original Message ---
From: Bjørn Mork [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: authorization depending on authentication (ldap)
Date: Thu, 05 Jan 2006 11:56:33 +0100

> [EMAIL PROTECTED] writes:
>
> > i am running freeradius-1.0.2-5.5
> > there are 3 ldap instances: ldap1,ldap2,ldap3.
> > ...
> >     if authentication runs over ldap1 authorize on ldap1
> >     if authentication runs over ldap1 authorize on ldap2
> >     if authentication runs over ldap1 authorize on ldap3
> >
> > how can i do that?
>
> I assume you meant
>
>     if authentication runs over ldap1 authorize on ldap1
>     if authentication runs over ldap2 authorize on ldap2
>     if authentication runs over ldap3 authorize on ldap3
>
> The authenticate processing should set Auth-Type to a unique value for each instance. If you're using the default schema, then you can do that by adding a radiusAuthType ldap attribute to each user. Or maybe better: use a default profile to set the appropriate radiusAuthType for each ldap instance. E.g. add something like this to the directories:
>
>     ldap1:
>     dn: cn=radprofile,ou=dialup,o=My Org,c=UA
>     radiusAuthType: LDAP1
>
>     ldap2:
>     dn: cn=radprofile,ou=dialup,o=My Org,c=UA
>     radiusAuthType: LDAP2
>
>     ldap3:
>     dn: cn=radprofile,ou=dialup,o=My Org,c=UA
>     radiusAuthType: LDAP3
>
> And then in radiusd.conf:
>
>     modules {
>         ..
>         ldap ldap1 {
>             ..
>             default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>             ..
>         }
>         ldap ldap2 {
>             ..
>             default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>             ..
>         }
>         ldap ldap3 {
>             ..
>             default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>             ..
>         }
>     }
>     ..
>     authorize {
>         Auth-Type LDAP1 {
>             ldap1
>         }
>         Auth-Type LDAP2 {
>             ldap2
>         }
>         Auth-Type LDAP3 {
>             ldap3
>         }
>     }
>
> Note: This would be a lot easier with freeradius-1.1, where I believe something like this would have been sufficient, since rlm_ldap now sets Auth-Type to the instance name by default:
>
>     authorize {
>         Auth-Type ldap1 {
>             ldap1
>         }
>         Auth-Type ldap2 {
>             ldap2
>         }
>         Auth-Type ldap3 {
>             ldap3
>         }
>     }
>
> Bjørn
Re: authorization depending on authentication (ldap)
sorry, now I understand what you meant with that:

> ldap1:
> dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> radiusAuthType: LDAP1
>
> ldap2:
> dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> radiusAuthType: LDAP2
>
> ldap3:
> dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> radiusAuthType: LDAP3

I should change the LDAP directory. Isn't it possible to make it fit my needs without changing the LDAP directory? Without freeradius-1.1?

--- Original Message ---
From: [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: authorization depending on authentication (ldap)
Date: Thu, 5 Jan 2006 13:30:16 +0100 (MET)