Freeradius + Ldap - Authorise OK but NO dynamic VLANs

Matthew Pulis mpulis at gmail.com
Tue Aug 16 11:14:35 CEST 2016


Hi all,

I am trying to have dynamic VLAN assignment on Freeradius based on LDAP.
The connection between Freeradius and LDAP works fine. If I test with a
user I get the Authorise packet but not the dynamic VLAN assignment. We
will be testing using this LDAP user:

# ttester, SeminaryAdmin, SeminaryOU, seminary.local
dn: cn=ttester,cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local
cn: ttester
givenName: Test
gidNumber: 505
homeDirectory: /home/users/ttester
sn: Tester
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1002
uid: ttester


This is the received reply:
radius at daloradius:~$ radtest -x ttester openldap localhost 1812 testing456
     Sending Access-Request of id 30 to 127.0.0.1 port 1812
        User-Name = "ttester"
        User-Password = "openldap"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=30,
length=20

Freeradius version:
FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Feb 27
2015 at 12:38:34

This is an extract of the Freeradius debug:


Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 38281, id=59,
length=77
        User-Name = "ttester"
        User-Password = "openldap"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1812
        Message-Authenticator = 0xbe303901f2b855fb146f2f1fda9cd3fd
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "ttester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for ttester
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> ttester
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=ttester)
[ldap]  expand: ou=SeminaryOU,dc=seminary,dc=local ->
ou=SeminaryOU,dc=seminary,dc=local
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to seminary.local:389, authentication 0
  [ldap] bind as cn=admin,dc=seminary,dc=local/FalseBINDINGPASS to
seminary.local:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
*  [ldap] performing search in ou=SeminaryOU,dc=seminary,dc=local, with
filter (uid=ttester)*
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header ==
"{SSHA}T4sU9zSLN/Auop+ImthH4nLyLG/rPU0R"
[ldap] looking for reply items in directory...
[ldap] user ttester authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "openldap"
[pap] Using SSHA encryption.
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [ttester] (from client localhost port 1812)
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 59 to 127.0.0.1 port 38281
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 59 with timestamp +5
Ready to process requests.


In any tutorials I am following this line:   [ldap] performing search in
ou=SeminaryOU,dc=seminary,dc=local, with filter (uid=ttester) .... should
have the filter but in mine this is not coming.

I am following this tutorial mainly:
https://system-eng.blogspot.com.mt/2015/12/setting-up-freeradius-in-debian-with_28.html?showComment=1470925094566

My config files:

/etc/freeradius/modules/ldap : http://paste.ubuntu.com/23060929/
/etc/freeradius/sites-available/inner-tunnel  :
http://paste.ubuntu.com/23060930/
/etc/freeradius/sites-available/default : http://paste.ubuntu.com/23060931/
/etc/freeradius/users : http://paste.ubuntu.com/23060935/

Any idea where I should start looking at the problem please?

Thanks and best regards

Matthew


Matthew Pulis
web:   www.matthewpulis.info
mob:   +356 79539404


More information about the Freeradius-Users mailing list