MACAddress silent authentication in LDAP using freeradius2.0.2

Eric Martell workoutexcite at yahoo.com
Tue Mar 25 20:24:47 CET 2008


Hi Ivan,
   Sorry to get back to you early as I did not have ldap access :(

After adding radiusAuthType on ONE uid it is working fine now.
But now the issue is, I have some cases where the MAC addresses are stored multiple times in Ldap. Thus the ldap query is failing.
Please check the log below. Can you please suggest a workaround? Will really appreciate it.

Thanks and Regards.

Test Case 1 :: 1 UID
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "0014F846C199", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0014F846C199
        expand: %{Stripped-User-Name} -> 
        expand: %{User-Name} -> 0014F846C199
        expand: (&(did=%{%{Stripped-User-Name}:-%{User-Name}})) -> (&(did=0014F846C199))
        expand: ou=roles,o=entitlement -> ou=roles,o=entitlement
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(did=0014F846C199))
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusAuthType as RADIUS attribute Auth-Type == Accept
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = "111111"
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
rlm_ldap: user 0014F846C199 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [0014F846C199/<via Auth-Type = Accept>] (from client samir port 0)
Sending Access-Accept of id 39 to 216.2.193.1 port 38625
Finished request 3.






Test Case 2 :: Multiple UIDs

rad_recv: Access-Request packet from host 216.2.193.1 port 37788, id=38, length=34
        User-Name = "0014F846C199"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "0014F846C199", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0014F846C199
        expand: %{Stripped-User-Name} -> 
        expand: %{User-Name} -> 0014F846C199
        expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})) -> (&(uid=0014F846C199))
        expand: ou=roles,o=entitlement -> ou=roles,o=entitlement
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(uid=0014F846C199))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [0014F846C199/<no User-Password attribute>] (from client samir port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> 0014F846C199
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds



----- Original Message ----
From: Ivan Kalik <tnt at kalik.net>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Thursday, March 20, 2008 1:01:11 PM
Subject: Re: MACAddress silent authentication in LDAP using freeradius2.0.2

>    Bit confusing..do you want me to create entries in
>ldap as, 
>

No:

uid = 001122334455
radiusAuthType = Accept

Forget about the device entries. radius authenticates users. Have a look
at the filter configured in ldap section of radiusd.conf

>If yes, what additional changes I have to do in
>freeradius and how I can return devicename along the
>freeradius reply?

And what would you do with that? Groups? Then create group entries for
them and use memberof in the (mac) user entry.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
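An added example, not code from this thread or from FreeRADIUS itself: it reads rlm_ldap debug output of the shape shown in Test Case 2 and flags every search that ended in "object not found or got ambiguous search result", then scans a directory export for uids (MAC addresses) stored on more than one entry, which is the duplication that makes the lookup fail. Both the log excerpt and the directory entries are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed rlm_ldap debug excerpt in the shape of the output quoted on this page
# (not the page's own lines and not a real capture).
SAMPLE_LOG = """\
rlm_ldap: performing user authorization for 0014F846C199
rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(uid=0014F846C199))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: performing user authorization for 001122334455
rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(uid=001122334455))
rlm_ldap: user 001122334455 authorized to use remote access
"""

SEARCH_RE = re.compile(r"performing search in (?P<base>.+?), with filter (?P<filter>\(.*\))$")
FAIL_RE = re.compile(r"object not found or got ambiguous search result")
OK_RE = re.compile(r"user \S+ authorized to use remote access")

def find_failed_lookups(log_text):
    """Return (base, filter) for every rlm_ldap search that ended as notfound/ambiguous."""
    failed, pending = [], None
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            pending = (m.group("base"), m.group("filter"))
        elif pending and FAIL_RE.search(line):
            failed.append(pending)
            pending = None
        elif pending and OK_RE.search(line):
            pending = None
    return failed

# Constructed directory export as (dn, uid) pairs: two entries carry the same MAC,
# which is exactly the condition that makes rlm_ldap report an ambiguous result.
SAMPLE_ENTRIES = [
    ("cn=laptop,ou=roles,o=entitlement", "0014F846C199"),
    ("cn=phone,ou=roles,o=entitlement", "0014F846C199"),
    ("cn=printer,ou=roles,o=entitlement", "001122334455"),
]

def find_duplicate_uids(entries):
    """Map each uid stored on more than one entry to the DNs that carry it."""
    by_uid = defaultdict(list)
    for dn, uid in entries:
        by_uid[uid.upper()].append(dn)   # MACs compared case-insensitively
    return {uid: dns for uid, dns in by_uid.items() if len(dns) > 1}
```

Run against a full `radiusd -X` capture and an ldapsearch export, the first function tells you which filters failed and the second which MAC values must be deduplicated before the filter can return a single entry.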




