Need some help with Access-Reject messages in upgrade from FreeRadius1.1.0 to FreeRadius 2.0.5

Fri Oct 24 03:01:36 CEST 2008

tnt at kalik.net wrote:
>
>> Admittedly, the configuration file for the 2.0.5 server is a mixture of
>> 1.1.0 config style, and 2.0.5 config style, leaning more towards the
>> 1.1.0 style, so it could simply be a result of old style getting in the
>> way of the new, but I have gone through both configs, and I can't find
>> out where my access-reject message in my users file is being either
>> a)overwritten, or b) ignored outright.
>>
>> I've gone through the docs, and the wiki, but haven't found out what I'm
>> missing. I'm running RADIUS 2.0.5 in  debug mode (-XXX), but haven't
>> found anything pointing out what I'm doing wrong.    I can comment out
>> the entries in ldap.attrmap, but that also means they don't get sent
>> when the authentication succeeds.
>>
>> Here's the last line of my users file, below all other local users, and
>> default entries:
>>
>> DEFAULT Auth-Type := Reject
>>        Reply-Message = "Please, call the help desk."
>>
>>     
>
> Post the debug. It's extremly likely that something before this entry
> matched but didn't have Fall-Through at the end.
>
> Ivan Kalik
> Kalik Informatika ISP
>   

I decided it would be easier (in the long run) to simply start with a
default freeRadius 2.0.5 config file, and then adjust it to match our
setup. This has so far been going well, except now I've run into a
problem where variables in my users file are not being expanded.

Example from the user's file:
DEFAULT Huntgroup-Name == dsl, serveriron-Ldap-Group == dsl10m,
User-Profile := "uid=dsl10m,ou
=profiles,ou=radius,dc=mtaonline,dc=net", Ldap-UserDN :=
`uid=%{User-Name},ou=dsl,dc=domain
,dc=com`
        Fall-Through = no

I have an ldap server named "serveriron"; if I remove the "serveriron-"
from the Ldap-Group, my profiles aren't processed at all. 
With the serveriron-Ldap-Group, it will search through the profiles,
find the right profile, and then attempt to authenticate the user. This
is what debug shows:

Thu Oct 23 17:55:50 2008 : Debug: rlm_ldap: login attempt by "testuser"
with password "thisisnotapass"
Thu Oct 23 17:55:50 2008 : Debug: rlm_ldap: user DN:
uid=%{User-Name},ou=dsl,dc=domain,dc=com
Thu Oct 23 17:55:50 2008 : Debug: rlm_ldap: (re)connect to x.x.x.x:389,
authentication 1
Thu Oct 23 17:55:50 2008 : Debug: rlm_ldap: bind as
uid=%{User-Name},ou=dsl,dc=mtaonline,dc=net/thisisnotapass to x.x.x.x:389

So, it's not actually turning the %{User-Name} into "testuser" - it's
trying to authenticate with a uid of "%{User-Name}", which isn't right.
I've read through the docs online, and using either backticks or
double-quotes is supposed to turn the variable name into the value of
the variable.      It is worth noting that if I take the line in the
users file for that profile and replace %{User-Name} with testuser, the
user can authenticate fine, so the users file isn't being processed,
having the variables replaced with the values...

If I solve that, things will likely start working completely. I do have
another question, though: If I have multiple LDAP servers, do I need
multiple DEFAULTs in the users file, one for each LDAP server, for
Ldap-Group?  I'm unclear on that.   I haven't tested a failure of the
serveriron ldap server, so I don't know if that fails, if the next
server down the line will have no Ldap-Group defined for it, and be
unable to locate the profile. 

Adam