Authenticating users checking Huntgroup-Name in unlang

suggestme IT suggest_me at hotmail.com
Wed Dec 5 16:27:34 CET 2012


Hi,
 
I have set up a FreeRADIUS 2.1.12 server and configured it to authorize and authenticate users that are in Active Directory and in the users file. I have tested it in a real wireless environment to authenticate users from Active Directory and the users file, and it is successful. But according to our organization's requirement I need to allow or reject users for wireless or VPN access by checking huntgroups and an attribute in AD or the users file accordingly, so I have configured the huntgroup name "wirelesstest" in huntgroups and have configured my NAS-IP-Address as follows (some names and IP addresses are edited for privacy):
 
/usr/local/etc/raddb/huntgroups
 
wirelesstest        NAS-IP-Address == IP Address
wirelesstest        NAS-IP-Address == IP Address
wirelesstest        NAS-IP-Address == IP Address
 
Clients are configured in clients.conf file as:
 
/usr/local/etc/raddb/clients.conf
 
client Primary_controller {
        ipaddr = IP Address
        secret = password
        shortname = primary
        nastype = enterasys
}
 
In the default and inner-tunnel files, the unlang conditional checks are done under the ldap and files sub-sections of the "authorize" section.
 
/usr/local/etc/raddb/sites-enabled/default  and  /usr/local/etc/raddb/sites-enabled/inner-tunnel
 
 
authorize {
    .............
    ............

    ldap

    if ("%{Huntgroup-Name}" == "wirelesstest") {
        if (control:Connect-Type == wireless) {
            update control {
                Auth-Type := "Accept"
            }
        }
        else {
            update control {
                Auth-Type := "Reject"
            }
        }
    }

    files

    if ("%{Huntgroup-Name}" == "wirelesstest") {
        if (control:Connect-Type == wireless) {
            update control {
                Auth-Type := "Accept"
            }
        }
        else {
            update control {
                Auth-Type := "Reject"
            }
        }
    }
 
While testing through radtest it works as expected. The unlang condition is checked, the attribute is also checked against Active Directory or the users file, and the user is authenticated if it matches and rejected if it doesn't.
 
But when testing in a real wireless environment I don't get any response at the client side, and after a long time it says it can't connect. However, when checking the debug log with radiusd -X, it shows that the condition is checked and an Access-Accept or Access-Reject is sent accordingly.
 
I tried different conditional checks in unlang; checking against the shortname as:
 
if ("%{client:shortname}" =~ /^primary/){
 
and checking against the huntgroup as:
 
if ("%{client:huntgroup}" == "wireless"){
 
But none of these settings gives me a response at the client side, although my debug log shows the condition is being checked and an Access-Accept or Access-Reject is sent.
 
 
Part of the debug log is as follows:
 

Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
        User-Name = "test"
        User-Password = "password"
        FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
        User-Name = "test"
        User-Password = "password"
        FreeRADIUS-Proxied-To = 127.0.0.1
        NAS-IP-Address = IP Address
        NAS-Port = 116
        Framed-MTU = 1400
        Called-Station-Id = "00:1e:35:7f:ec:35"
        Calling-Station-Id = "00:35:5c:68:c0:08"
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "Wireless_Test"
        Service-Type = Framed-User
        Siemens-AP-Serial = "0600010084050956"
        Siemens-AP-Name = "TEST"
        Siemens-VNS-Name = "Wireless_Test"
        Siemens-SSID = "Wireless_Test"
        Siemens-BSS-MAC = "00:1e:35:7f:ec:35"
server inner-tunnel {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[mschap] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for test
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> test
[ldap]  expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=test)
[ldap]  expand: dc=example,dc=com -> dc=example,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=example,dc=com, with filter (sAMAccountName=test)
[ldap] looking for check items in directory...
  [ldap] extensionAttribute15 -> Connect-Type == "wireless"
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user test authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if ("%{Huntgroup-Name}" == "wirelesstest")
        expand: %{Huntgroup-Name} ->
? Evaluating ("%{Huntgroup-Name}" == "wirelesstest") -> TRUE
++? if ("%{Huntgroup-Name}" == "wirelesstest") -> TRUE
++- entering if ("%{Huntgroup-Name}" == wirelesstest) {...}
+++? if (control:Connect-Type == wireless)
? Evaluating (control:Connect-Type == wireless) -> TRUE
+++? if (control:Connect-Type == wireless) -> TRUE
+++- entering if (control:Connect-Type == wireless) {...}
++++[control] returns ok
+++- if (control:Connect-Type == wireless) returns ok
+++ ... skipping else for request 1: Preceding "if" was taken
++- if ("%{Huntgroup-Name}" == wirelesstest) returns ok
++? if (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/)
? Evaluating (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/) -> TRUE
++? if (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/) -> TRUE
++- entering if (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/) {...}
        expand: %{1} -> Staff
+++[control] returns ok
++- if (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/) returns ok
[files] users: Matched entry DEFAULT at line 16
[files]         expand: Enterasys:version=1:policy=%{control:Tmp-String-1} -> Enterasys:version=1:policy=Staff
++[files] returns ok
++? if ("%{Huntgroup-Name}" == "wirelesstest")
        expand: %{Huntgroup-Name} ->
? Evaluating ("%{Huntgroup-Name}" == "wirelesstest") -> TRUE
++? if ("%{Huntgroup-Name}" == "wirelesstest") -> TRUE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = LDAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group LDAP {...}
[ldap] login attempt by "test" with password "password"
[ldap] user DN: CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com
  [ldap] (re)connect to example.com:389, authentication 1
  [ldap] bind as CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com/test to example.com:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user test authenticated succesfully
++[ldap] returns ok
Login OK: [test] (from client Primary_controller port 116 cli 00:1e:35:7f:ec:35 via TLS tunnel)
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group post-auth {...}
[reply_log]     expand: /usr/local/var/log/radius/radacct/reply-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/reply-detail-20121204
[reply_log] /usr/local/var/log/radius/radacct/reply-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/reply-detail-20121204
[reply_log]     expand: %t -> Tue Dec  4 13:50:45 2012
++[reply_log] returns ok
} # server inner-tunnel
[ttls] Got tunneled reply code 2
        Filter-Id := "Enterasys:version=1:policy=Staff"
[ttls] Got tunneled Access-Accept
[eap] Freeing handler
++[eap] returns ok
Login OK: [test] (from client Primary_controller port 116 cli 00:1e:35:7f:ec:35)
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 239 to IP Address port 57700
        Filter-Id := "Enterasys:version=1:policy=Staff"
        MS-MPPE-Recv-Key = 0xfc711ebb1ff8ea41b4f0d9bf76e424796aca3d9b7518154f00ab6f1e4d0cc474
        MS-MPPE-Send-Key = 0x9fb92d6b82ec067b31dacae9e16e63ff86d702501266713701a377f220e4cbbb
        EAP-Message = 0x03060004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "test"
Finished request 5.
Going to the next request
Waking up in 2.4 seconds.
Cleaning up request 0 ID 231 with timestamp +5
Waking up in 1.0 seconds.
Cleaning up request 1 ID 252 with timestamp +6
Cleaning up request 2 ID 86 with timestamp +7
Cleaning up request 3 ID 227 with timestamp +7
Waking up in 0.3 seconds.
Cleaning up request 4 ID 169 with timestamp +7
Waking up in 1.0 seconds.
Cleaning up request 5 ID 239 with timestamp +7
Ready to process requests.
 
In /usr/local/var/log/radius/radius.log I see the log message as:
 
Tue Dec  4 15:02:56 2012 : Auth: Login OK: [test] (from client Primary_controller port 116 cli 00:1e:35:7f:ec:35)
 
I don't get a log line like "Login OK ... via TLS tunnel".
 
But none of these settings gives me a response at the client side, although my debug log shows the condition is being checked and an Access-Accept or Access-Reject is sent. Any idea if I am missing something in my configuration that is preventing me from getting a response at the client side? I am using the SecureW2 supplicant with EAP-PAP.
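An added example, not the poster's configuration: the same huntgroup gate written so that it only ever narrows access and never forces Auth-Type := "Accept", which in FreeRADIUS 2.x skips password verification for the matching user. It assumes the poster's "wirelesstest" huntgroup and their custom Connect-Type check item populated by the ldap module, and it goes in the "authorize" section of both sites-enabled/default and sites-enabled/inner-tunnel.

```unlang
authorize {
        # preprocess, mschap, eap, etc. stay as in the stock configuration

        # Pull the check items (here the custom Connect-Type attribute mapped
        # from extensionAttribute15) into the control list.
        ldap

        # Huntgroup-Name is a virtual attribute resolved against
        # raddb/huntgroups, so it is compared directly rather than expanded
        # with %{...}, which yields an empty string as the debug output shows.
        #
        # This block only narrows access: a request arriving from the wireless
        # NAS is rejected unless the directory marks the account as
        # wireless-capable.  Nothing here grants access, so the password is
        # still verified by the Auth-Type the ldap/pap modules select below.
        if (Huntgroup-Name == "wirelesstest") {
                if (!(control:Connect-Type == "wireless")) {
                        reject
                }
        }

        files
        expiration
        logintime
        pap
}
```

Huntgroup-Name only matches inside inner-tunnel when NAS-IP-Address is copied into the tunneled request (copy_request_to_tunnel = yes in the ttls section of eap.conf), which the tunneled request in the debug output above shows is the case here.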
 
