User not being rejected...

Luciano Afranllie listas.luafran at gmail.com
Tue Jan 20 14:27:04 CET 2009


On Tue, Jan 20, 2009 at 11:03 AM, qrt <qrt at sunrise.ch> wrote:
> Hello,
> I don't get it.
> Maybe someone sees my mistake...
> I have freeradius on macos x.
> My Users file has these entries:
> /private/raddb/users
>
> #-------------------------------------------------------------------------------------------------
> # Allow members of group 'schueler' to WLAN-45
> DEFAULT Ldap-Group == "schueler", Airespace-Wlan-Id == 4
> Auth-Type := opendirectory,
> Service-Type = Login-User,
> Reply-Message = "Schueler: WLAN-45 accept",
> Fall-Through = 0
> #-------------------------------------------------------------------------------------------------
> # Reject members of group 'schueler' from any other than  WLAN-45
> DEFAULT Ldap-Group == "schueler", Airespace-Wlan-Id != 4
> Auth-Type := Reject,
> Reply-Message = "Schueler: Wrong WLAN!!!",
> #-------------------------------------------------------------------------------------------------
> # Allow members of group 'schuladministration' to WLAN-47
> DEFAULT Ldap-Group == "schuladministration", Airespace-Wlan-Id == 6
> Auth-Type := opendirectory,
> Service-Type = Login-User,
> Reply-Message = "schuladministration: WLAN-47 accept",
> Fall-Through = 0
> #-------------------------------------------------------------------------------------------------
> # Reject all others
> DEFAULT Auth-Type := Reject
> Reply-Message = "Access denied."
> #-------------------------------------------------------------------------------------------------
>
> In the log file I see this:
>
> rad_recv: Access-Request packet from host 192.168.95.10:32768, id=151,
> length=197
> User-Name = "w45user"
> Calling-Station-Id = "00-17-F2-E8-74-76"
> Called-Station-Id = "00-1D-70-93-05-C0:WLAN-44"
> NAS-Port = 29
> NAS-IP-Address = 192.168.95.10
> NAS-Identifier = "KSHP-UG-SRV-WLC-04"
> Airespace-Wlan-Id = 3
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "44"
> EAP-Message = 0x020300061500
> State = 0xe56af3902cf86936b5da18867203a336
> Message-Authenticator = 0x0b2df96b7f01043f6296236014935512
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 43
>   modcall[authorize]: module "preprocess" returns ok for request 43
>   modcall[authorize]: module "chap" returns noop for request 43
>   modcall[authorize]: module "mschap" returns noop for request 43
>     rlm_realm: No '@' in User-Name = "w45user", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 43
>   rlm_eap: EAP packet type response id 3 length 6
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 43
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat:  'dc=ldap,dc=ksoe,dc=edu'
> radius_xlat:  '(uid=w45user)'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter
> (uid=w45user)
> rlm_ldap: ldap_release_conn: Release Id: 0
> radius_xlat:  '(&(objectClass=posixGroup)(memberUid=w45user))'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter
> (&(cn=wlan_test)(&(objectClass=posixGroup)(memberUid=w45user)))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group wlan_test not found or user is not a member.
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat:  'dc=ldap,dc=ksoe,dc=edu'
> radius_xlat:  '(&(objectClass=posixGroup)(memberUid=w45user))'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter
> (&(cn=vpn_users)(&(objectClass=posixGroup)(memberUid=w45user)))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group vpn_users not found or user is not a member.
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat:  'dc=ldap,dc=ksoe,dc=edu'
> radius_xlat:  '(&(objectClass=posixGroup)(memberUid=w45user))'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter
> (&(cn=angestellte)(&(objectClass=posixGroup)(memberUid=w45user)))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group angestellte not found or user is not a member.
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat:  'dc=ldap,dc=ksoe,dc=edu'
> radius_xlat:  '(&(objectClass=posixGroup)(memberUid=w45user))'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter
> (&(cn=lehrer)(&(objectClass=posixGroup)(memberUid=w45user)))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group lehrer not found or user is not a member.
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat:  'dc=ldap,dc=ksoe,dc=edu'
> radius_xlat:  '(&(objectClass=posixGroup)(memberUid=w45user))'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter
> (&(cn=lehrer)(&(objectClass=posixGroup)(memberUid=w45user)))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group lehrer not found or user is not a member.
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat:  'dc=ldap,dc=ksoe,dc=edu'
> radius_xlat:  '(&(objectClass=posixGroup)(memberUid=w45user))'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter
> (&(cn=schueler)(&(objectClass=posixGroup)(memberUid=w45user)))
> rlm_ldap::ldap_groupcmp: User found in group schueler
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat:  'dc=ldap,dc=ksoe,dc=edu'
> radius_xlat:  '(&(objectClass=posixGroup)(memberUid=w45user))'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=ldap,dc=ksoe,dc=edu, with filter
> (&(cn=schueler)(&(objectClass=posixGroup)(memberUid=w45user)))
> rlm_ldap::ldap_groupcmp: User found in group schueler
> rlm_ldap: ldap_release_conn: Release Id: 0
>     users: Matched entry DEFAULT at line 260
>   modcall[authorize]: module "files" returns ok for request 43
> modcall: leaving group authorize (returns updated) for request 43
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 43
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/ttls
>   rlm_eap: processing type ttls
>   rlm_eap_ttls: Authenticate
>   rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
>   rlm_eap_tls: ack handshake fragment handler
>   eaptls_verify returned 1
>   eaptls_process returned 13
>   modcall[authenticate]: module "eap" returns handled for request 43
> modcall: leaving group authenticate (returns handled) for request 43
> Sending Access-Challenge of id 151 to 192.168.95.10 port 32768
> Reply-Message = "Schueler: Wrong WLAN!!!"
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x287a38ce7b69dbc51126c71ef1bd49f3
> Finished request 43
> Going to the next request
> Waking up in 6 seconds...
>
> As far as I can tell, I see this line:
>
>     users: Matched entry DEFAULT at line 260
>
> This is the line containing 'DEFAULT Ldap-Group == "schueler",
> Airespace-Wlan-Id != 4'
> which is correct.
> So if this works (I can also read the 'Reply-Message = "Schueler: Wrong
> WLAN!!!"'), why does this user get access?
> Why does the line 'Auth-Type := Reject,' not work?
> What do I have to do to have him being rejected?
> Any ideas?
> Thanks
> Kurt
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

I think the problem is you have

> DEFAULT Ldap-Group == "schueler", Airespace-Wlan-Id != 4
> Auth-Type := Reject,
> Reply-Message = "Schueler: Wrong WLAN!!!",

But it should be

DEFAULT Ldap-Group == "schueler", Airespace-Wlan-Id != 4, Auth-Type := Reject
    Reply-Message = "Schueler: Wrong WLAN!!!"


Regards
Luciano
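A small model of how a users-file entry is split into check items (first line) and reply items (continuation lines), added here as an illustration; it is not FreeRADIUS code or either poster's, and it assumes the entry text and request values from this thread, with ldap_groupcmp reduced to a set-membership test:

```python
import re

# One check or reply item: Attribute op value, optionally followed by a comma.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|!=|=)\s*("([^"]*)"|\S+?)\s*(?:,|$)')

def parse_items(line):
    """Parse 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    return [(m.group(1), m.group(2), m.group(4) if m.group(4) is not None else m.group(3))
            for m in ITEM_RE.finditer(line)]

def parse_entry(text):
    """First line: entry name plus check items; following lines: reply items."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith('#')]
    name, _, rest = lines[0].partition(' ')
    reply = [item for line in lines[1:] for item in parse_items(line)]
    return name, parse_items(rest), reply

def match_check(check, request, groups):
    """Return the config items (':=' on the check line) if every comparison
    holds, else None. Ldap-Group is a membership test (simplified
    ldap_groupcmp); other attributes are compared by value."""
    config = {}
    for attr, op, val in check:
        if op == ':=':
            config[attr] = val          # e.g. Auth-Type := Reject
        elif attr == 'Ldap-Group':
            if (val in groups) != (op == '=='):
                return None
        elif attr not in request or (str(request[attr]) == val) != (op == '=='):
            return None
    return config

def authorize(entry_text, request, groups):
    """Outcome of one entry for a request: the Auth-Type it forces (None if
    none) and the reply attributes it adds; None if the entry did not match."""
    _, check, reply = parse_entry(entry_text)
    config = match_check(check, request, groups)
    if config is None:
        return None
    # Only a check-side Auth-Type steers authentication; an Auth-Type on a
    # reply line is just another reply attribute and rejects nothing.
    return {'auth_type': config.get('Auth-Type'), 'reply': {a: v for a, _, v in reply}}

# Constructed inputs taken from the thread: the entry as posted and as corrected.
BROKEN = '''DEFAULT Ldap-Group == "schueler", Airespace-Wlan-Id != 4
    Auth-Type := Reject,
    Reply-Message = "Schueler: Wrong WLAN!!!"'''
FIXED = '''DEFAULT Ldap-Group == "schueler", Airespace-Wlan-Id != 4, Auth-Type := Reject
    Reply-Message = "Schueler: Wrong WLAN!!!"'''
REQUEST = {'User-Name': 'w45user', 'Airespace-Wlan-Id': 3}   # values from the posted log
GROUPS = {'schueler'}                                          # ldap_groupcmp result in the log
```

Running `authorize(BROKEN, REQUEST, GROUPS)` matches the entry and adds the Reply-Message but forces no Auth-Type, which is why the log shows "Found Auth-Type EAP" and a challenge rather than a reject; `authorize(FIXED, REQUEST, GROUPS)` returns `'Reject'`.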



