User not being rejected...

qrt qrt at sunrise.ch
Tue Jan 20 14:03:00 CET 2009


Hello,

I don't get it.

Maybe someone sees my mistake...

I have FreeRADIUS on Mac OS X.

My users file has these entries:

/private/raddb/users

> #-------------------------------------------------------------------------------------------------
> # Allow members of group 'schueler' to WLAN-45
>
> DEFAULT	Ldap-Group == "schueler", Airespace-Wlan-Id == 4
> 	Auth-Type := opendirectory,
> 	Service-Type = Login-User,
> 	Reply-Message = "Schueler: WLAN-45 accept",
> 	Fall-Through = 0
>
> #-------------------------------------------------------------------------------------------------
> # Reject members of group 'schueler' from any other than  WLAN-45
>
> DEFAULT	Ldap-Group == "schueler", Airespace-Wlan-Id != 4
> 	Auth-Type := Reject,
> 	Reply-Message = "Schueler: Wrong WLAN!!!",
>
> #-------------------------------------------------------------------------------------------------
> # Allow members of group 'schuladministration' to WLAN-47
>
> DEFAULT	Ldap-Group == "schuladministration", Airespace-Wlan-Id == 6
> 	Auth-Type := opendirectory,
> 	Service-Type = Login-User,
> 	Reply-Message = "schuladministration: WLAN-47 accept",
> 	Fall-Through = 0
>
> #-------------------------------------------------------------------------------------------------
> # Reject all others
>
> DEFAULT Auth-Type := Reject
> 	Reply-Message = "Access denied."
>
> #-------------------------------------------------------------------------------------------------


In the log file I see this:

> rad_recv: Access-Request packet from host 192.168.95.10:32768, id=151, length=197
> 	User-Name = "w45user"
> 	Calling-Station-Id = "00-17-F2-E8-74-76"
> 	Called-Station-Id = "00-1D-70-93-05-C0:WLAN-44"
> 	NAS-Port = 29
> 	NAS-IP-Address = 192.168.95.10
> 	NAS-Identifier = "KSHP-UG-SRV-WLC-04"
> 	Airespace-Wlan-Id = 3
> 	Service-Type = Framed-User
> 	Framed-MTU = 1300
> 	NAS-Port-Type = Wireless-802.11
> 	Tunnel-Type:0 = VLAN
> 	Tunnel-Medium-Type:0 = IEEE-802
> 	Tunnel-Private-Group-Id:0 = "44"
> 	EAP-Message = 0x020300061500
> 	State = 0xe56af3902cf86936b5da18867203a336
> 	Message-Authenticator = 0x0b2df96b7f01043f6296236014935512
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 43
>   modcall[authorize]: module "preprocess" returns ok for request 43
>   modcall[authorize]: module "chap" returns noop for request 43
>   modcall[authorize]: module "mschap" returns noop for request 43
>     rlm_realm: No '@' in User-Name = "w45user", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 43
>   rlm_eap: EAP packet type response id 3 length 6
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 43
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat:  'dc=ldap,dc=ksoe,dc=edu'
> radius_xlat:  '(uid=w45user)'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter (uid=w45user)
> rlm_ldap: ldap_release_conn: Release Id: 0
> radius_xlat:  '(&(objectClass=posixGroup)(memberUid=w45user))'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter (&(cn=wlan_test)(&(objectClass=posixGroup)(memberUid=w45user)))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group wlan_test not found or user is not a member.
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat:  'dc=ldap,dc=ksoe,dc=edu'
> radius_xlat:  '(&(objectClass=posixGroup)(memberUid=w45user))'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter (&(cn=vpn_users)(&(objectClass=posixGroup)(memberUid=w45user)))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group vpn_users not found or user is not a member.
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat:  'dc=ldap,dc=ksoe,dc=edu'
> radius_xlat:  '(&(objectClass=posixGroup)(memberUid=w45user))'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter (&(cn=angestellte)(&(objectClass=posixGroup)(memberUid=w45user)))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group angestellte not found or user is not a member.
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat:  'dc=ldap,dc=ksoe,dc=edu'
> radius_xlat:  '(&(objectClass=posixGroup)(memberUid=w45user))'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter (&(cn=lehrer)(&(objectClass=posixGroup)(memberUid=w45user)))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group lehrer not found or user is not a member.
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat:  'dc=ldap,dc=ksoe,dc=edu'
> radius_xlat:  '(&(objectClass=posixGroup)(memberUid=w45user))'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter (&(cn=lehrer)(&(objectClass=posixGroup)(memberUid=w45user)))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group lehrer not found or user is not a member.
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat:  'dc=ldap,dc=ksoe,dc=edu'
> radius_xlat:  '(&(objectClass=posixGroup)(memberUid=w45user))'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter (&(cn=schueler)(&(objectClass=posixGroup)(memberUid=w45user)))
> rlm_ldap::ldap_groupcmp: User found in group schueler
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat:  'dc=ldap,dc=ksoe,dc=edu'
> radius_xlat:  '(&(objectClass=posixGroup)(memberUid=w45user))'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter (&(cn=schueler)(&(objectClass=posixGroup)(memberUid=w45user)))
> rlm_ldap::ldap_groupcmp: User found in group schueler
> rlm_ldap: ldap_release_conn: Release Id: 0
>     users: Matched entry DEFAULT at line 260
>   modcall[authorize]: module "files" returns ok for request 43
> modcall: leaving group authorize (returns updated) for request 43
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 43
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/ttls
>   rlm_eap: processing type ttls
>   rlm_eap_ttls: Authenticate
>   rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
>   rlm_eap_tls: ack handshake fragment handler
>   eaptls_verify returned 1
>   eaptls_process returned 13
>   modcall[authenticate]: module "eap" returns handled for request 43
> modcall: leaving group authenticate (returns handled) for request 43
> Sending Access-Challenge of id 151 to 192.168.95.10 port 32768
> 	Reply-Message = "Schueler: Wrong WLAN!!!"
> 	Message-Authenticator = 0x00000000000000000000000000000000
> 	State = 0x287a38ce7b69dbc51126c71ef1bd49f3
> Finished request 43
> Going to the next request
> Waking up in 6 seconds...

As far as I can tell, I see this line:

>     users: Matched entry DEFAULT at line 260

This is the line containing 'DEFAULT	Ldap-Group == "schueler", Airespace-Wlan-Id != 4', which is correct.

So if this works (I can also read the 'Reply-Message = "Schueler: Wrong WLAN!!!"'), why does this user get access?

Why does the line 'Auth-Type := Reject,' not work?

What do I have to do to have him rejected?

Any ideas?

Thanks

Kurt
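To see which users-file entry a request lands on, here is an added example (not code from the post or from FreeRADIUS) that models the first-match and Fall-Through evaluation of the four DEFAULT entries above against the attributes of the logged Access-Request; the group membership table is constructed and stands in for the Ldap-Group lookup done by rlm_ldap.

```python
# Added example, not from the original post: a minimal model of how FreeRADIUS
# walks users-file entries, fed with the DEFAULT entries and the Access-Request
# attributes quoted above. GROUPS is a constructed stand-in for the Ldap-Group
# check (rlm_ldap's ldap_groupcmp()), not a real LDAP query.
import operator

CMP = {"==": operator.eq, "!=": operator.ne}

# Constructed: who is a member of which posixGroup.
GROUPS = {"w45user": {"schueler"}}

# Entries in file order: (check items, reply/config items), each as (attr, op, value).
# ':=' always sets the attribute; '=' adds it only if it is not already set.
USERS_FILE = [
    ([("Ldap-Group", "==", "schueler"), ("Airespace-Wlan-Id", "==", 4)],
     [("Auth-Type", ":=", "opendirectory"), ("Service-Type", "=", "Login-User"),
      ("Reply-Message", "=", "Schueler: WLAN-45 accept"), ("Fall-Through", "=", 0)]),
    ([("Ldap-Group", "==", "schueler"), ("Airespace-Wlan-Id", "!=", 4)],
     [("Auth-Type", ":=", "Reject"), ("Reply-Message", "=", "Schueler: Wrong WLAN!!!")]),
    ([("Ldap-Group", "==", "schuladministration"), ("Airespace-Wlan-Id", "==", 6)],
     [("Auth-Type", ":=", "opendirectory"), ("Service-Type", "=", "Login-User"),
      ("Reply-Message", "=", "schuladministration: WLAN-47 accept"), ("Fall-Through", "=", 0)]),
    ([], [("Auth-Type", ":=", "Reject"), ("Reply-Message", "=", "Access denied.")]),
]

def check_item_matches(request, attr, op, value):
    """Ldap-Group is virtual (resolved via group membership); others compare request attributes."""
    if attr == "Ldap-Group":
        member = value in GROUPS.get(request.get("User-Name"), set())
        return member if op == "==" else not member
    return attr in request and CMP[op](request[attr], value)

def evaluate(request):
    """Return the reply/config items of the first fully matching entry (plus later
    entries only while a matched entry sets Fall-Through = 1)."""
    result = {}
    for checks, replies in USERS_FILE:
        if not all(check_item_matches(request, *c) for c in checks):
            continue
        fall_through = False
        for attr, op, value in replies:
            if attr == "Fall-Through":
                fall_through = bool(value)
            elif op == ":=" or attr not in result:
                result[attr] = value
        if not fall_through:
            break
    return result

# Attributes taken from the Access-Request in the debug log above.
REQUEST = {"User-Name": "w45user", "Airespace-Wlan-Id": 3}

if __name__ == "__main__":
    print(evaluate(REQUEST))  # the 'Wrong WLAN' reject entry is the first match
```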