Moving to Virtual Servers

Cory Johnson cjohnson at commspeed.net
Fri Aug 6 02:45:51 CEST 2010


Greetings,

I've been using the documentation here: 
http://wiki.freeradius.org/Virtual_server, attempting to create 2 virtual 
servers on the same socket, each associated with a client.

I have already configured the ldap module, as well as added some lines 
to the users file. Before "virtualizing" I am able to authenticate my 
ldap users via radtest.

Here's the config that works against LDAP, before trying to add to a 
virtual server:
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = freerad
group = freerad
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
     type = auth
     ipaddr = *
     port = 1812
}
listen {
     ipaddr = *
     port = 1813
     type = acct
}
client 192.168.1.0/24 {
     secret = testing123
}

hostname_lookups = no
allow_core_dumps = no
regular_expressions    = yes
extended_expressions    = yes
log {
     destination = files
     file = ${logdir}/radius.log
     syslog_facility = daemon
     stripped_names = yes
     auth = yes
     auth_badpass = yes
     auth_goodpass = no
     msg_goodpass = "Great Success!"
     msg_badpass = "I'm sorry but you appear to have entered a incorrect 
password or you may not be authorized to access this equipment"
}
checkrad = ${sbindir}/checkrad
security {
     max_attributes = 200
     reject_delay = 1
     status_server = yes
}
proxy_requests  = yes
$INCLUDE proxy.conf
thread pool {
     start_servers = 5
     max_servers = 32
     min_spare_servers = 3
     max_spare_servers = 10
     max_requests_per_server = 0
}
modules {
     $INCLUDE ${confdir}/modules/
     $INCLUDE eap.conf
}
instantiate {
     exec
     expr
     expiration
     logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/

...And the output from a test in debug mode (edited out passwords and 
password hashes):

   [ldap] Entering ldap_groupcmp()
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
rlm_ldap::ldap_groupcmp: User found in group NOC
   [ldap] ldap_release_conn: Release Id: 0
[ldap] performing user authorization for cjohnson
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
   [ldap] sambaNtPassword -> NT-Password == 
0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   [ldap] sambaLmPassword -> LM-Password == 
0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[ldap] looking for reply items in directory...
[ldap] Setting Auth-Type = LDAP
[ldap] user cjohnson authorized to use remote access
   [ldap] ldap_release_conn: Release Id: 0
[ldap] login attempt by "cjohnson" with password "s3cret"
[ldap] user DN: uid=cjohnson,ou=Users,dc=corp,dc=example,dc=com
   [ldap] (re)connect to 192.168.1.99:389, authentication 1
   [ldap] bind as uid=cjohnson,ou=Users,dc=corp,dc=example,dc=com/s3cret 
to 192.168.1.99:389
   [ldap] waiting for bind result ...
   [ldap] Bind was successful
[ldap] user cjohnson authenticated succesfully
Login OK: [cjohnson] (from client 192.168.1.0/24 port 0) Great Success!
Waking up in 4.0 seconds.

Here are the changes I made to the config, attempting to add the current 
setup to virtual server "server_one":

...
listen {
     type = auth
     ipaddr = *
     port = 1812
}
listen {
     ipaddr = *
     port = 1813
     type = acct
}
client 192.168.1.0/24 {
     virtual_server = server_one
     secret = testing123
}
server server_one {
}
...

The rest of the config is the same. The server will start, but now I 
can't see my LDAP users; here's the log entry:
server server_one {
Login incorrect: [cjohnson/s3cret] (from client 192.168.1.0/24 port 0) 
I'm sorry but you appear to have entered a incorrect password or you may 
not be authorized to access this equipment
} # server server_one

Is there something I need to put within the server section? It's as if the 
ldap module and the users file aren't being referenced anymore.

Any tips or references to complete examples where virtual servers are 
set up in this way? If someone could take a moment to point me in the 
right direction I would certainly appreciate it.


Cory J
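Added editorial example (not part of the original post or of the FreeRADIUS distribution): a minimal `server server_one { }` block that wires the same modules the working config relied on into the virtual server. It assumes the `ldap` module is configured under modules/ (as the post states), that the `files` module backs the users file, and the stock FreeRADIUS 2.x module names `preprocess`, `files` and `ldap`. The `Auth-Type LDAP` sub-section matches the `Setting Auth-Type = LDAP` line in the debug output above.

```conf
# Added example: a virtual server with the sections the request runs through.
# An empty "server server_one { }" has no authorize or authenticate section,
# so no module runs, no Auth-Type is set, and every request is rejected.
server server_one {
     authorize {
          # Normalises the request (strips realms etc.) before lookups.
          preprocess
          # Applies check items and reply items from the users file.
          files
          # Looks the user up in the directory; on success the ldap module
          # sets Auth-Type = LDAP (as seen in the debug output above).
          ldap
     }
     authenticate {
          # Runs only when authorize set Auth-Type = LDAP: binds to the
          # directory as the user's DN with the supplied password.
          Auth-Type LDAP {
               ldap
          }
     }
}
```

The `client 192.168.1.0/24 { virtual_server = server_one ... }` stanza from the post then routes that client's requests into this block; the `listen` sockets need no `virtual_server` line when the assignment is made per client. One caveat visible in the debug output above: the ldap module's debug logging prints the bind DN together with the cleartext password (`bind as uid=.../s3cret`), so debug captures should be redacted before they are shared, not only the password hashes.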


