Allowing Access based on Group Membership
Jay Lee
jlee at pbu.edu
Wed Feb 15 18:02:26 CET 2006
After a bit of effort I have managed to get Wireless with WPA encryption
working with FreeRadius and an eDirectory LDAP Backend (using Universal
password). My last task is to allow Wireless authentication only to
members of a given LDAP Group. I seem to be having some issues though.
Here is my ldap config in /etc/raddb/radiusd.conf:
ldap {
server = "ldap.pbu.edu"
identity = "cn=admin,o=PBU"
password = "password"
basedn = "o=PBU"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
start_tls = yes
tls_cacertfile = /etc/raddb/certs/rootder.b64
access_attr = "cn"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
password_attribute = nspmPassword
edir_account_policy_check=yes
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
}
If I empty out /etc/raddb/users completely, authentication works. If I
put the following in users:
DEFAULT LDAP-Group == "Wireless", Auth-Type := Accept
        Fall-Through = No

DEFAULT Auth-Type := Reject
and start freeradius with "radiusd -X -A" I get:
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'o=PBU'
radius_xlat: '(uid=jlee)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=PBU, with filter (uid=jlee)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat: '(|(&(objectClass=GroupOfNames)(member=cn=jlee,o=PBU))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=jlee,o=PBU)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=PBU, with filter (&(cn=Wireless)(|(&(objectClass=GroupOfNames)(member=cn=jlee,o=PBU))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=jlee,o=PBU))))
rlm_ldap::ldap_groupcmp: User found in group Wireless
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 1
modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jlee
radius_xlat: '(uid=jlee)'
radius_xlat: 'o=PBU'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=PBU, with filter (uid=jlee)
rlm_ldap: checking if remote access for jlee is allowed by cn
rlm_ldap: Added the eDirectory password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jlee authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 1
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[post-auth]: module "ldap" returns ok for request 1
modcall: group post-auth returns ok for request 1
Sending Access-Accept of id 194 to 10.1.1.44:32769
Finished request 1
However, the wireless client never quite seems to finish associating. Any
ideas what I'm doing wrong here? What should the users file look like to
allow anyone who is a member of the Wireless LDAP group and deny everyone
else?
Jay Lee
--
Jay Lee
Network / Systems Administrator
Information Technology Dept.
Philadelphia Biblical University
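As an added example (not part of the original post or of FreeRADIUS), the script below reproduces offline the group search that ldap_groupcmp() performs in the debug output above: it substitutes the user DN into the groupmembership_filter, wraps it in (&(cn=<group>)...), and evaluates the resulting RFC 4515 filter against a constructed in-memory set of group entries. The entries and DNs are invented; the escaping of the interpolated DN is the RFC 4515 filter escaping that rlm_ldap applies to xlat output.

```python
"""Offline re-check of the rlm_ldap group search, against constructed entries."""
import re

# Constructed directory snapshot (invented, not real data): group entries only.
ENTRIES = [
    {"dn": "cn=Wireless,o=PBU", "cn": ["Wireless"],
     "objectClass": ["groupOfNames"], "member": ["cn=jlee,o=PBU"]},
    {"dn": "cn=Staff,o=PBU", "cn": ["Staff"],
     "objectClass": ["groupOfUniqueNames"], "uniqueMember": ["cn=bob,o=PBU"]},
]
# The groupmembership_filter from the radiusd.conf above, before xlat expansion.
GROUPMEMBERSHIP_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                          "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")

def ldap_escape(value):
    """RFC 4515 escaping of a value placed inside a filter (so a DN containing
    '(' or '*' cannot change the filter's structure)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def parse(s, i=0):
    """Minimal RFC 4515 parser: &, |, ! and attr=value (no substring filters).
    Returns (node, index_after_node)."""
    assert s[i] == "("
    i += 1
    if s[i] in "&|!":
        op, kids = s[i], []
        i += 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1  # skip the closing ')'
    end = s.index(")", i)         # escaped ')' appears as \29, never literally
    attr, val = s[i:end].split("=", 1)
    val = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), val)
    return ("=", attr, val), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names and values
    compared case-insensitively, as for DN-valued attributes)."""
    if node[0] == "&": return all(matches(k, entry) for k in node[1])
    if node[0] == "|": return any(matches(k, entry) for k in node[1])
    if node[0] == "!": return not matches(node[1][0], entry)
    _, attr, val = node
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return any(v.lower() == val.lower() for v in values)
    return False

def ldap_groupcmp(user_dn, group_name, entries=ENTRIES):
    """Build the same search as the debug log, (&(cn=<group>)<membership>), and
    report (matched, filter_string)."""
    member_filter = GROUPMEMBERSHIP_FILTER.replace("%{Ldap-UserDn}", ldap_escape(user_dn))
    search_filter = "(&(cn=%s)%s)" % (ldap_escape(group_name), member_filter)
    tree, _ = parse(search_filter)
    return any(matches(tree, e) for e in entries), search_filter
```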