Unlang to switch between ldaps
Diego Martín Capello
diego at ccc.uba.ar
Tue Jun 2 15:49:13 CEST 2009
Hello everyone,
I'm using freeradius 2.0.4 with an LDAP server as a backend for
authentication of users to our wireless network. I've defined two ldap
"servers" in the radiusd.conf file:
...
ldap ldap_uba {
    server = "ldap_server"
    basedn = "dc=uba,dc=ar"
    filter = "(&(description=wireless)(mail=%{Stripped-User-Name:-%{User-Name}}))"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
}

ldap ldap_ccc {
    server = "ldap_server"
    basedn = "ou=CCC,dc=uba,dc=ar"
    filter = "(&(description=wireless)(mail=%{Stripped-User-Name:-%{User-Name}}))"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
}
...
I want to switch between them based on the NAS-IP-Address of the arriving
request, so I've used unlang in the authorize section:
authorize {
    unix
    mschap
    eap {
        ok = return
    }
    files
    switch "%{NAS-IP-Address}" {
        case 192.168.168.11 {
            ldap_ccc
        }
        case {
            ldap_uba
        }
    }
    expiration
    logintime
    auth_log
    pap
}
Well, my problem is that freeradius doesn't assign or expand the
NAS-IP-Address attribute with the correct value, the IP of the NAS that is
requesting authentication. Could anyone help me with this little issue?
Debug-mode output of freeradius:
rad_recv: Access-Request packet from host 192.168.168.11 port 1041, id=6, length=279
    Message-Authenticator = 0x341f20c2e434d8cbd92d85defa321b38
    Service-Type = Framed-User
    User-Name = "diego at ccc.uba.ar\000"
    Framed-MTU = 1488
    State = 0x12b38bc817b592297c4cea524b70e440
    Called-Station-Id = "00-13-46-7A-DB-63:REDI-UBA VLAN12"
    Calling-Station-Id = "00-02-72-78-90-5B"
    NAS-Identifier = "D-Link Access Point"
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 54Mbps 802.11g"
    EAP-Message = 0x0206003b1900170301003091d34cda32a72417c4e5e093d71f2d82fc67e0f1f3dc1483aec15e433d54c5c950e88c2f64c3fd6d8ddf656af63496d1
    NAS-IP-Address = 192.168.168.11
    NAS-Port = 1
    NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: Looking up realm "ccc.uba.ar" for User-Name = "diego at ccc.uba.ar"
rlm_realm: No such realm "ccc.uba.ar"
++[suffix] returns noop
rlm_eap: EAP packet type response id 6 length 59
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - diego at ccc.uba.ar
PEAP: Got tunneled EAP-Message
    EAP-Message = 0x0206001501646965676f406363632e7562612e6172
PEAP: Got tunneled identity of diego at ccc.uba.ar
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to diego at ccc.uba.ar
PEAP: Sending tunneled request
    EAP-Message = 0x0206001501646965676f406363632e7562612e6172
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "diego at ccc.uba.ar"
server inner-tunnel {
+- entering group authorize
++[unix] returns notfound
++[mschap] returns noop
rlm_eap: EAP packet type response id 6 length 21
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
    expand: %{NAS-IP-Address} ->
++- entering switch %{NAS-IP-Address}
+++- entering case
rlm_ldap: - authorize
rlm_ldap: performing user authorization for diego at ccc.uba.ar
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
    expand: (&(description=wireless)(mail=%{Stripped-User-Name:-%{User-Name}})) -> (&(description=wireless)(mail=diego at ccc.uba.ar))
    expand: dc=uba,dc=ar -> dc=uba,dc=ar
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.ccc.uba.ar:389, authentication 0
rlm_ldap: bind as / to ldap.ccc.uba.ar:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=uba,dc=ar, with filter (&(description=wireless)(mail=diego at ccc.uba.ar))
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password == "pepe1234"
rlm_ldap: looking for reply items in directory...
rlm_ldap: user diego at ccc.uba.ar authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++++[ldap_uba] returns ok
+++- case returns ok
++- switch %{NAS-IP-Address} returns ok
++[expiration] returns noop
++[logintime] returns noop
    expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.168.11/auth-detail-20090528
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.168.11/auth-detail-20090528
    expand: %t -> Thu May 28 12:33:26 2009
++[auth_log] returns ok
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
PEAP: Got tunneled reply RADIUS code 11
    EAP-Message = 0x0107002a1a0107002510a707e4f41d139b10e7d9860e8e17a80e646965676f406363632e7562612e6172
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x48fe8ac948f9909b9915b8554a615778
PEAP: Processing from tunneled session code 0x8623f78 11
    EAP-Message = 0x0107002a1a0107002510a707e4f41d139b10e7d9860e8e17a80e646965676f406363632e7562612e6172
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x48fe8ac948f9909b9915b8554a615778
PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.168.11 port 1041
    EAP-Message = 0x0107004b190017030100409a85d96e6b404149561fbe6dfb464b692f986263d5215ec98e2d84f3c1961a462dbd097150d5bba0e0f8b29fe80e038f691dee73f0352576d1cec4fe36d9a3eb
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x12b38bc814b492297c4cea524b70e440
Finished request 6.
After doing some tests, debugging and drinking a lot of coffee, I've solved the
problem using this fragment of code:
switch "%{Client-IP-Address}" {
    case 192.168.168.11 {
        ldap_ccc
    }
    case {
        ldap_uba
    }
}
Freeradius does expand the Client-IP-Address attribute; however, I would
like to know why it doesn't expand the NAS-IP-Address attribute.
Sorry for my English, and lots of thanks.
--
Diego Martín Capello
Administrador RedUBA
Centro de Comunicación Científica
Universidad de Buenos Aires
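An added editor's note, not part of Diego's message: the debug output shows the outer Access-Request carrying NAS-IP-Address = 192.168.168.11, while the request that PEAP hands to the inner-tunnel server ("PEAP: Sending tunneled request") carries only EAP-Message, FreeRADIUS-Proxied-To and User-Name, so inside inner-tunnel %{NAS-IP-Address} expands to nothing, whereas %{Client-IP-Address} is derived from the packet's source address and is available in both. The fragment below is added here (not the poster's configuration) and assumes a FreeRADIUS 2.x eap.conf, whose peap section has a copy_request_to_tunnel option that copies the outer request's attributes into the tunneled request, after which the original switch on NAS-IP-Address works unchanged in the inner-tunnel virtual server:

```conf
# eap.conf (FreeRADIUS 2.x), peap section.
# copy_request_to_tunnel defaults to "no": the tunneled request then
# contains only the attributes PEAP itself creates (EAP-Message,
# User-Name, FreeRADIUS-Proxied-To). Setting it to "yes" copies the
# outer request's attributes, NAS-IP-Address among them, into the
# request processed by the inner-tunnel virtual server.
eap {
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
}

# sites-enabled/inner-tunnel, authorize section.
# With the outer attributes copied in, NAS-IP-Address now expands to the
# access point's address and the switch selects the right ldap instance.
authorize {
    files
    switch "%{NAS-IP-Address}" {
        case 192.168.168.11 {
            ldap_ccc
        }
        case {
            ldap_uba
        }
    }
}
```

Running radiusd -X and looking for "expand: %{NAS-IP-Address} -> 192.168.168.11" inside the "server inner-tunnel {" block confirms the attribute reached the tunnel.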