Re: Problems with EAP and LDAP replyItems (2.0.2)

2008-08-20 Thread Chaos Commander
 Original Message 
 Date: Wed, 20 Aug 2008 09:18:57 +0100
 From: Ivan Kalik [EMAIL PROTECTED]
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Subject: Re: Problems with EAP and LDAP replyItems (2.0.2)

 radiusCallingStationId is already mapped as Calling-Station-Id. Use
 another ldap attribute name for this.
 
 Ivan Kalik
 Kalik Informatika ISP

I commented out the original line containing the mapping between Calling-Station-Id
and radiusCallingStationId. So there shouldn't be any complications.
By the way, it's independent of the attribute name, so even if I change the
source LDAP attribute, the problem still occurs.


 
 On 20/8/2008, [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
 
  Original Message 
  Date: Tue, 19 Aug 2008 17:37:34 +0200
  From: [EMAIL PROTECTED]
  To: freeradius-users@lists.freeradius.org
  Subject: Problems with EAP and LDAP replyItems (2.0.2)
 
  Hi Guys,
  
  Since freeradius2 has some major improvements I try to upgrade from 1.1.4.
  Unfortunately there are a few problems I encounter:
  
  For some weird reason the server isn't sending my LDAP
  replyItems back to the NAS along with the Access-Accept packet.
  
  In short I want to authenticate using EAP/PEAP against the server, which
  itself checks against our LDAP server. Additionally the server should also
  send back a specific replyItem stored in our LDAP.
  
  configuration looks like:
  
  authorize {
  preprocess
  eap {
  ok = return
  }
  
  ldap1
  }
  
  
  authenticate {
  Auth-Type MS-CHAP {
  mschap
  }
  eap
  }
  
  in ldap.attrmap the following is configured:
  
  replyItem   Airespace-Interface-NameradiusCallingStationId
  
  so LDAP-Attribute radiusCallingStationId should be transformed to an
  attribute called Airespace-Interface-Name and sent back to the NAS.
  
  As you can see in the following debug output, at the beginning the server
  sends the attribute back as supposed, but for some weird reason in the
  Access-Accept packet the attribute isn't sent along.
  
  What's wrong here? 
  
  Thanks in advance!
  
  debug-output: [cutted]
 
 No one has any clue why this doesn't work? I really wanted to deploy the
 server tonight.
 
 Any help is welcome!
 
 thanks,
 Peter
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 
 
 
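Ivan's point above is that the stock ldap.attrmap already maps radiusCallingStationId to Calling-Station-Id, so adding a second replyItem line for the same LDAP attribute gives one LDAP value two RADIUS targets. The following checker is an added example, not code from the thread or from the FreeRADIUS project; it parses the three-column attrmap format shown in the posts and reports any LDAP attribute that is mapped more than once. The sample map it reads is constructed for the example and reproduces Peter's situation.

```python
"""Report LDAP attributes that an ldap.attrmap maps to more than one RADIUS attribute.

Added example, not from the mailing-list posts. The attrmap format is the one
the posts show: each non-comment line is "checkItem|replyItem  RadiusAttr  ldapAttr".
"""
from collections import defaultdict

# Constructed sample: a few stock-style entries plus the replyItem line from the post,
# so radiusCallingStationId ends up mapped twice (Calling-Station-Id and Airespace-Interface-Name).
SAMPLE_ATTRMAP = """\
# ldap.attrmap excerpt (constructed for this example)
checkItem   $GENERIC$                  radiusCheckItem
replyItem   $GENERIC$                  radiusReplyItem
checkItem   Auth-Type                  radiusAuthType
checkItem   Calling-Station-Id         radiusCallingStationId
replyItem   Reply-Message              radiusReplyMessage
replyItem   Airespace-Interface-Name   radiusCallingStationId
"""


def parse_attrmap(text):
    """Return a list of (kind, radius_attr, ldap_attr) tuples, skipping blank and comment lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("checkItem", "replyItem"):
            raise ValueError(f"line {lineno}: malformed attrmap entry: {raw!r}")
        entries.append(tuple(parts))
    return entries


def find_ldap_conflicts(entries):
    """Group entries by LDAP attribute and keep only those that feed more than one RADIUS attribute."""
    by_ldap = defaultdict(list)
    for kind, radius_attr, ldap_attr in entries:
        by_ldap[ldap_attr].append((kind, radius_attr))
    return {ldap: targets for ldap, targets in by_ldap.items() if len(targets) > 1}


if __name__ == "__main__":
    conflicts = find_ldap_conflicts(parse_attrmap(SAMPLE_ATTRMAP))
    for ldap_attr, targets in conflicts.items():
        print(f"{ldap_attr} is mapped {len(targets)} times:")
        for kind, radius_attr in targets:
            print(f"    {kind:9s} {radius_attr}")
```

Run it against a real ldap.attrmap by reading the file into parse_attrmap instead of SAMPLE_ATTRMAP; an empty result means every LDAP attribute has exactly one RADIUS target, which is the state Ivan's advice leads to.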


Re: override ldap reply attribute

2007-04-23 Thread Chaos Commander
Kostas Kalevras wrote:

 [EMAIL PROTECTED] wrote:
  Hi Guys,
 
  I have maybe a quite simple question:
 
  is there any way to override the default ldap-reply attribute with
  another value than there is in ldap.
 
  i.e.:
 
  users-file:
 
  Default Called-Station-Id = 00-1A-30-2F-11-50:Test,
 Airespace-Interface-Name := 777
 
  ldap.attrmap:
 
  replyItem   Airespace-Interface-NameradiusCallingStationId
 
  wanted result:
 
  if the users file doesn't match, use the value of the ldap attribute
  radiusCallingStationId, otherwise use the value 777
 
 
  in this type of configuration it seems I can't override the ldap-reply
  attribute value with the users file.

 Check the order in which the files and ldap module appear in the 
 authorize section. If you want to override an ldap value then you need 
 to have the files module after the ldap module.
 

unfortunately the problem still persists, even if I change the order :-(

any other ideas?

  is there any possible way to do this?
 
  thanks in advance :-)
 
  freeradius version: 1.1.4
 
 

 
 
 -- 
 Kostas Kalevras - Network Operations Center
 National Technical University of Athens
 http://kkalev.wordpress.com
 

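Kostas's advice about module order turns on how FreeRADIUS merges reply items from each module in the authorize section. The simulation below is an added example, not code from the thread or from FreeRADIUS itself: it models the documented users-file operators ("=" adds the attribute only if it is absent, ":=" replaces any existing value or adds it, "+=" always appends) and runs a constructed "ldap" and "files" module in both orders. That rlm_ldap replyItems are added with "=" unless the LDAP value carries its own operator prefix, and the placeholder value vlan-from-ldap, are assumptions of this example.

```python
"""Simulate how reply items from modules run in order combine in FreeRADIUS.

Added example, not from the posts. Operator semantics follow the users(5)
documentation: "=" adds only if absent, ":=" replaces or adds, "+=" always appends.
The module contents and the order they run in are constructed for the example.
"""

ATTR = "Airespace-Interface-Name"


def apply_reply_item(reply, attr, op, value):
    """Apply one (attr, op, value) reply item to the reply list in place and return it."""
    if op == "=":
        if not any(a == attr for a, _ in reply):
            reply.append((attr, value))
    elif op == ":=":
        reply[:] = [(a, v) for a, v in reply if a != attr]
        reply.append((attr, value))
    elif op == "+=":
        reply.append((attr, value))
    else:
        raise ValueError(f"unsupported operator {op!r}")
    return reply


def run_authorize(modules):
    """Run a constructed authorize section: modules run in list order, each adding its reply items."""
    reply = []
    for _name, items in modules:
        for attr, op, value in items:
            apply_reply_item(reply, attr, op, value)
    return reply


# Assumption: the ldap replyItem is applied with "=" when the LDAP value has no operator prefix.
LDAP_PLAIN = [(ATTR, "=", "vlan-from-ldap")]
# The users-file Default entry from the post uses ":=".
USERS_OVERRIDE = [(ATTR, ":=", "777")]


def both_plain_equals():
    """Both modules use "=": whichever runs first wins, so ldap-first keeps the ldap value."""
    return run_authorize([("ldap", LDAP_PLAIN), ("files", [(ATTR, "=", "777")])])


def users_override_after_ldap():
    """files runs after ldap and uses ":=": the users-file value replaces the ldap one."""
    return run_authorize([("ldap", LDAP_PLAIN), ("files", USERS_OVERRIDE)])


def ldap_override_after_users():
    """If the LDAP value itself carried ":=" and ldap ran last, the ldap value would win instead."""
    return run_authorize([("files", USERS_OVERRIDE), ("ldap", [(ATTR, ":=", "vlan-from-ldap")])])


if __name__ == "__main__":
    print("ldap(=) then files(=)  :", both_plain_equals())
    print("ldap(=) then files(:=) :", users_override_after_ldap())
    print("files(:=) then ldap(:=):", ldap_override_after_users())
```

The takeaway for reading a real configuration is that "later module wins" only holds when the later module uses ":=" (or when both use "=" and the earlier module did not set the attribute); checking the operator on each side is the first thing to verify when an override appears not to take effect.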

Re: authorization depending on authentication (ldap)

2006-01-05 Thread Chaos Commander
I managed it; there is one attribute in our LDAP where I can exactly define
where the user should be authorized.
With the radiusAuthType attribute it now works perfectly.

thanks a lot for this little hint :-)

Stefan

 --- Original Message ---
 From: [EMAIL PROTECTED]
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Subject: Re: authorization depending on authentication (ldap)
 Date: Thu, 5 Jan 2006 13:56:35 +0100 (MET)
 
 Sorry, now I understand what you meant with that:
 
   ldap1:
   dn: cn=radprofile,ou=dialup,o=My Org,c=UA
   radiusAuthType: LDAP1
   
   ldap2:
   dn: cn=radprofile,ou=dialup,o=My Org,c=UA
   radiusAuthType: LDAP2
  
   ldap3:
   dn: cn=radprofile,ou=dialup,o=My Org,c=UA
   radiusAuthType: LDAP3
 
 I should change the LDAP directory. Isn't it possible to make it fit my
 needs without changing the LDAP directory? Without freeradius-1.1?
 
 
  --- Original Message ---
  From: [EMAIL PROTECTED]
  To: FreeRadius users mailing list
 freeradius-users@lists.freeradius.org
  Subject: Re: authorization depending on authentication (ldap)
  Date: Thu, 5 Jan 2006 13:30:16 +0100 (MET)
  
   I assume you meant
  
   if authentication runs over ldap1 authorize on ldap1
   if authentication runs over ldap2 authorize on ldap2
   if authentication runs over ldap3 authorize on ldap3
  
  sorry my fault - should check my copy-paste better ;-)
  
  
   The authenticate processing should set Auth-Type to an unique value
   for each instance.  If you're using the default schema, then you can
   do that by adding a radiusAuthType ldap attribute to each user.  Or
   maybe better:  Use a default profile to set the appropriate
   radiusAuthType for each ldap instance.
   
   E.g. add something like this to the directories:
   
   ldap1:
   dn: cn=radprofile,ou=dialup,o=My Org,c=UA
   radiusAuthType: LDAP1
   
   ldap2:
   dn: cn=radprofile,ou=dialup,o=My Org,c=UA
   radiusAuthType: LDAP2
  
   ldap3:
   dn: cn=radprofile,ou=dialup,o=My Org,c=UA
   radiusAuthType: LDAP3
  
  hm, I don't understand where I should add this kind of lines. I guess
  they should be in the users file as a default entry.
  
  Can you give a complete working sample for such an entry? Sorry if this
  would be basic knowledge but I don't know how to check LDAP settings in
  the users file.
  
  thanks in advance
  
  Stefan
  
   --- Original Message ---
   From: Bjørn Mork [EMAIL PROTECTED]
   To: FreeRadius users mailing list
  freeradius-users@lists.freeradius.org
   Subject: Re: authorization depending on authentication (ldap)
   Date: Thu, 05 Jan 2006 11:56:33 +0100
   
   [EMAIL PROTECTED] writes:
   
I am running freeradius-1.0.2-5.5
   
there are 3 ldap instances:
ldap1,ldap2,ldap3.
   
and authenticate them all one after another in the authentication section
like this:
   
authenticate {
ldap1
ldap2
ldap3
}
   
same in authorize-section:
   
authorize {
ldap1
ldap2
ldap3
}
   
Now my problem is that if user x is authenticated at ldap2, for instance,
the authorization fails because the user isn't found at ldap1 (freeradius
doesn't seem to try authorizing on ldap2 or ldap3).
   
What I need would be a solution for how to realize the following needs:
   
if authentication runs over ldap1 authorize on ldap1
if authentication runs over ldap1 authorize on ldap2
if authentication runs over ldap1 authorize on ldap3
   
How can I do that?
   
   I assume you meant 
   
if authentication runs over ldap1 authorize on ldap1
if authentication runs over ldap2 authorize on ldap2
if authentication runs over ldap3 authorize on ldap3
   
   
   The authenticate processing should set Auth-Type to an unique value
   for each instance.  If you're using the default schema, then you can
   do that by adding a radiusAuthType ldap attribute to each user.  Or
   maybe better:  Use a default profile to set the appropriate
   radiusAuthType for each ldap instance.
   
   E.g. add something like this to the directories:
   
   ldap1:
   dn: cn=radprofile,ou=dialup,o=My Org,c=UA
   radiusAuthType: LDAP1
   
   ldap2:
   dn: cn=radprofile,ou=dialup,o=My Org,c=UA
   radiusAuthType: LDAP2
   
   ldap3:
   dn: cn=radprofile,ou=dialup,o=My Org,c=UA
   radiusAuthType: LDAP3
   
   And then in radiusd.conf:
   
   modules {
   ..
   ldap ldap1 {
   ..
   default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
   ..
   }
   ldap ldap2 {
   ..
   default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
   ..
   }
   ldap ldap3 {