separating Users?

freeradius at corwyn.net freeradius at corwyn.net
Tue Dec 1 01:56:05 CET 2009


At 06:12 PM 11/30/2009, tnt at kalik.net wrote:
> > You need to set fall-through so that you still do per user processing.
> > This is documented in the raddb/users file and you should also read
> > doc/processing_users_file
>
>Or just add Auth-Type := ntlm_auth to the first line (ie. instead of
>Accept). Fall-Through is more elegant since you don't have to add
>Auth-Type to every DEFAULT entry.

Yup, both of those work, and I'm to the point I understand why!

What I think is my final problem: I'm now working to authenticate VPN users in the same scenario, using the L2TP client in Windows. It looks like everything automatically picks up that it's an MSCHAP request.

Using a similar logic:
DEFAULT         Huntgroup-Name == VPN_Huntgroup, Ldap-Group == "VPN_Users"

The only problem is that it appears to ignore my LDAP group and just authenticates ANY user (with a valid User ID/Password) regardless of LDAP group.

rad_recv: Access-Request packet from host 10.4.1.2 port 1924, id=55, length=129
         User-Name = "notvpnuser"
         MS-CHAP-Challenge = 0x85e6507f219630664491c4e1bbeee67b
         MS-CHAP2-Response = 0x0100cc49a55de60f33a16e0afd73fb10d7dd0000000000000000eb6a17be2a61ce216acf7f23fce99bd216afceacc6f81ba4
         NAS-IP-Address = 10.4.1.2
         NAS-Port = 0
server server_vpn {
+- entering group authorize {...}
++[preprocess] returns ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: OU=Enterprise,DC=int,DC=example,DC=com -> OU=Enterprise,DC=int,DC=example,DC=com
[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[files]         expand: (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=notvpnuser)(objectClass=person))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to int.example.com:389, authentication 0
rlm_ldap: bind as CN=_sonicwall,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=int,DC=example,DC=com/wvyjCHCd2LJHcNrmpr0I to int.example.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(sAMAccountname=notvpnuser)(objectClass=person))
rlm_ldap: ldap_release_conn: Release Id: 0
[files]         expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(cn=VPN_Users)(|(&(objectClass=GroupOfNames)(member=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))))
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=cisco rsteeves,OU=IS,OU=Users,OU=Enterprise,DC=int,DC=example,DC=com, with filter (objectclass=*)
rlm_ldap: performing search in CN=Infrastructure,OU=Security Groups,OU=Enterprise,DC=int,DC=example,DC=com, with filter (cn=VPN_Users)
rlm_ldap: object not found
rlm_ldap::groupcmp: Group VPN_Users not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for notvpnuser
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap]  expand: (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=notvpnuser)(objectClass=person))
[ldap]  expand: OU=Enterprise,DC=int,DC=example,DC=com -> OU=Enterprise,DC=int,DC=example,DC=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(sAMAccountname=notvpnuser)(objectClass=person))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user notvpnuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for notvpnuser with NT-Password
[mschap]        expand: --username=%{mschap:User-Name} -> --username=notvpnuser
[mschap] No NT-Domain was found in the User-Name.
[mschap]        expand: --domain=%{mschap:NT-Domain:-int.example.com} -> --domain=int.example.com
[mschap]  mschap2: 85
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=902a16bba035658e
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=eb6a17be2a61ce216acf7f23fce99bd216afceacc6f81ba4
Exec-Program output: NT_KEY: 4E1F254C4B27DD3C7F78BB1C5513887C
Exec-Program-Wait: plaintext: NT_KEY: 4E1F254C4B27DD3C7F78BB1C5513887C
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
Login OK: [notvpnuser] (from client VPN port 0)
+- entering group post-auth {...}
++[exec] returns noop
} # server server_vpn
Sending Access-Accept of id 55 to 10.4.1.2 port 1924
         MS-CHAP2-Success = 0x01533d38304631424142374345463745433336454431353636444636413932383044334131463237314437
         MS-MPPE-Recv-Key = 0xdb66e88cd170cf5f5a59034267079b9e
         MS-MPPE-Send-Key = 0x660d90f211a1efa06e81e612eb08f3fa
         MS-MPPE-Encryption-Policy = 0x00000001
         MS-MPPE-Encryption-Types = 0x00000006
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 55 with timestamp +13
Ready to process requests.

>Ivan Kalik
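The debug output above shows the mechanism behind the problem: the only DEFAULT entry does not match a non-member, so rlm_files returns noop, nothing has denied the request, and ldap plus mschap go on to accept any valid password. The following is an added, simplified model of that users-file walk (first match wins unless Fall-Through = Yes), not FreeRADIUS code; the entry structure, the "Ldap-Groups" stand-in for rlm_ldap's groupcmp result, the catch-all reject entry and the sample requests are all constructed for illustration.

```python
# Added model of how rlm_files walks the users file; not FreeRADIUS source.
# "Ldap-Groups" on the request stands in for what rlm_ldap's groupcmp would
# answer when a check item "Ldap-Group == <name>" is evaluated.

def check_item_holds(attr, value, request):
    """One check item of a users-file entry. Ldap-Group is a group-membership
    comparison; every other attribute is compared for plain equality."""
    if attr == "Ldap-Group":
        return value in request.get("Ldap-Groups", ())
    return request.get(attr) == value

def run_files(entries, request):
    """Walk entries in order. An entry matches when all its check items hold;
    its control items (the ':=' items) are applied, and processing stops
    unless the entry carries Fall-Through = Yes. No match at all -> noop."""
    control, matched = {}, False
    for entry in entries:
        if not all(check_item_holds(a, v, request) for a, v in entry["check"]):
            continue
        matched = True
        control.update(entry.get("control", {}))
        if not entry.get("fall_through", False):
            break
    return ("ok" if matched else "noop"), control

def authorize(entries, request, creds_valid=True):
    """Reply the way the debug output ends: a files noop denies nothing, so a
    valid MS-CHAP password still yields Access-Accept. Only a control item
    Auth-Type := Reject short-circuits to Access-Reject."""
    _, control = run_files(entries, request)
    if control.get("Auth-Type") == "Reject":
        return "Access-Reject"
    return "Access-Accept" if creds_valid else "Access-Reject"

# The single DEFAULT from the post: non-members simply fail to match it.
AS_POSTED = [
    {"check": [("Huntgroup-Name", "VPN_Huntgroup"), ("Ldap-Group", "VPN_Users")]},
]
# Constructed fix: same entry, followed by a catch-all for the VPN huntgroup
# that rejects. It relies on first-match-wins (no Fall-Through on entry one).
WITH_CATCHALL = AS_POSTED + [
    {"check": [("Huntgroup-Name", "VPN_Huntgroup")],
     "control": {"Auth-Type": "Reject"}},
]

# Constructed requests: one VPN_Users member, one user outside the group.
MEMBER = {"User-Name": "vpnuser", "Huntgroup-Name": "VPN_Huntgroup",
          "Ldap-Groups": {"VPN_Users"}}
NON_MEMBER = {"User-Name": "notvpnuser", "Huntgroup-Name": "VPN_Huntgroup",
              "Ldap-Groups": set()}
```

With AS_POSTED the non-member gets Access-Accept exactly as in the log; with the catch-all entry the non-member is rejected while the member still matches the first entry and is accepted.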