Freeradius + Ldap - Authorise OK but NO dynamic VLANs
Matthew Pulis
mpulis at gmail.com
Wed Aug 17 10:29:43 CEST 2016
Dear Alan
Thanks again for your help and guidance. I forgot to paste the /users
config file. This is it:
#
# users: map the LDAP group a user belongs to onto a VLAN by adding the
# RFC 3580 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802,
# Tunnel-Private-Group-Id = <VLAN id>) to the Access-Accept.
#
# Ldap-Group is the comparison provided by the ldap module. It is satisfied
# when the groupmembership_filter in modules/ldap finds a
# groupOfNames/groupOfUniqueNames entry with the given DN that lists the user's
# DN as member/uniquemember, or (presumably) when the user entry carries the
# groupmembership_attribute. The ttester LDIF quoted later in this thread shows
# neither, so confirm the group entries in the directory actually list the
# user's DN.
#
# NOTE(review): the authorize trace quoted later in this thread runs
# preprocess, chap, mschap, digest, suffix, eap, ldap, expiration, logintime
# and pap -- there is no [files] step. Unless `files` is listed in the
# authorize section of sites-enabled/default (after `ldap`, because the
# groupmembership_filter relies on %{control:Ldap-UserDn}, which is set by the
# ldap module once the user entry is found), this file is never consulted and
# no VLAN attributes are ever added. Verify that before changing anything here.
#
# Entries are tried in order and processing stops at the first matching entry
# unless it sets Fall-Through = Yes, so a user in several of these groups gets
# the VLAN of the first one listed. In the users file format the reply items
# are indented under their DEFAULT line; the indentation is missing in this
# paste, which may just be a mail artifact -- confirm in the real file.
#
# Management -> VLAN 1.
# NOTE(review): VLAN 1 is the factory-default / native VLAN on most switches;
# check that sharing it with the Management group is intended.
DEFAULT Ldap-Group == "cn=Management,ou=SeminaryOU,dc=seminary,dc=local"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = "1"
#Reply-Message = "You are Accepted"
# Formators -> VLAN 10.
DEFAULT Ldap-Group == "cn=Formators,ou=SeminaryOU,dc=seminary,dc=local"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = "10"
#Reply-Message = "You are Accepted"
# Seminarians -> VLAN 11.
DEFAULT Ldap-Group == "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = "11"
#Reply-Message = "You are Accepted"
# SeminaryAdmin -> VLAN 12 (the group the test user ttester is expected to
# match, per the rest of this thread).
DEFAULT Ldap-Group == "cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = "12"
# Staff -> VLAN 13.
DEFAULT Ldap-Group == "cn=Staff,ou=SeminaryOU,dc=seminary,dc=local"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = "13"
#Reply-Message = "You are Accepted"
# Guests1 -> VLAN 20.
DEFAULT Ldap-Group == "cn=Guests1,ou=SeminaryOU,dc=seminary,dc=local"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = "20"
#Reply-Message = "You are Accepted"
# Guests2 -> VLAN 30.
DEFAULT Ldap-Group == "cn=Guests2,ou=SeminaryOU,dc=seminary,dc=local"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = "30"
#Reply-Message = "You are Accepted"
# School -> VLAN 50.
DEFAULT Ldap-Group == "cn=School,ou=SeminaryOU,dc=seminary,dc=local"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = "50"
#Reply-Message = "You are Accepted"
# Catch-all: a user who is in none of the groups above is refused
# (Auth-Type := Reject) instead of being accepted without a VLAN.
# Keep this entry last, since it matches unconditionally.
DEFAULT Auth-Type := Reject
and the /ldap configuration:
ldap {
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
server = "seminary.local"
# Bind DN used for the user search and the group lookups.
# NOTE(review): this is the directory administrator account; a dedicated
# read-only bind account with search rights on ou=SeminaryOU is the
# least-privilege choice for a RADIUS server.
identity = "cn=admin,dc=seminary,dc=local"
# NOTE(review): the bind password is stored here in cleartext, so this file
# must be readable by the radiusd user only. The instantiated module config
# quoted later in this thread shows port = 389 with start_tls = no and
# tls_require_cert = "allow", so the bind is also sent over the wire
# unencrypted unless the server is only reachable via ldaps -- confirm.
password = PASSOFADMIN
basedn = "ou=SeminaryOU,dc=seminary,dc=local"
# User search: the name from the request (Stripped-User-Name if a realm was
# stripped, otherwise User-Name) is expanded into the uid filter.
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
#base_filter = "(objectclass=radiusprofile)"
#access_attr = "uid"
# authtype = ldap
# password_attribute = userPassword
# Group handling for the Ldap-Group check item in the users file.
# groupname_attribute names the attribute matched against a plain group name;
# a full DN in the check item (as used in the users file here) is presumably
# compared against the group entry's DN instead -- verify.
groupname_attribute = cn
# groupmembership_filter finds the group entries that list the user's DN
# (%{control:Ldap-UserDn}, set by this module once the user entry is found).
# NOTE(review): the value appears on the line after the `=` here, which would
# most likely not parse; the instantiated config quoted later in this thread
# shows it loaded as one string, so this is probably mail wrapping. Keep it as
# a single `groupmembership_filter = "..."` line in the real file.
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
# Alternative to the filter: a user entry carrying radiusGroupName=<group> is
# also treated as group membership. The ttester LDIF quoted later in this
# thread has no such attribute, so membership must come from the filter above.
groupmembership_attribute = radiusGroupName
# How many connections to keep open to the LDAP server.
# This saves time over opening a new LDAP socket for
# every authentication request.
ldap_connections_number = 5
# seconds to wait for LDAP query to finish. default: 20
timeout = 4
# seconds LDAP server has to process the query (server-side
# time limit). default: 20
#
# LDAP_OPT_TIMELIMIT is set to this value.
timelimit = 3
# (The closing brace and any remaining directives were not included in the
# paste; the instantiated config quoted later in this thread shows the rest.)
Is that what you suggested in your reply? This should be the correct translation of your suggestion, no?
Matthew Pulis
web: www.matthewpulis.info
mob: +356 79539404
On Tue, Aug 16, 2016 at 8:36 PM, Matthew Pulis <mpulis at gmail.com> wrote:
> Dear Buxley,
>
> Thanks for your reply.
>
> I want to assign the VLAN according to which cn in LDAP the user is
> assigned to. So ttester, since he is in
> cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local, should get VLAN ID 12.
>
> I only have one virtual-server so I guess the default should work no?
>
> I took your advice to upgrade and this is the new version: freeradius:
> FreeRADIUS Version 2.2.8, for host x86_64-pc-linux-gnu, built on Apr 5 2016
> at 13:40:43
>
> which shows no sign at all of any policy setting the VLAN -- this is why I am so lost as to why it is not working :S
>
>
> Some configs which I guess you might find useful to help me please:
>
>
> radiusd: #### Loading Virtual Servers ####
> server { # from file /etc/freeradius/radiusd.conf
> modules {
> Module: Creating Auth-Type = digest
> Module: Checking authenticate {...} for more modules to load
> Module: Linked to module rlm_pap
> Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
> pap {
> encryption_scheme = "auto"
> auto_header = no
> }
> Module: Linked to module rlm_chap
> Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
> Module: Linked to module rlm_mschap
> Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
> mschap {
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = no
> allow_retry = yes
> }
> Module: Linked to module rlm_digest
> Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
> Module: Linked to module rlm_unix
> Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
> unix {
> radwtmp = "/var/log/freeradius/radwtmp"
> }
> Module: Linked to module rlm_eap
> Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
> eap {
> default_eap_type = "peap"
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> max_sessions = 4096
> }
>
> Module: Instantiating eap-peap
> peap {
> default_eap_type = "mschapv2"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> proxy_tunneled_request_as_eap = yes
> virtual_server = "inner-tunnel"
> soh = no
> }
>
> Module: Linked to module rlm_ldap
> Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap
> ldap {
> server = "seminary.local"
> port = 389
> password = "FAKEPASS"
> expect_password = yes
> identity = "cn=admin,dc=seminary,dc=local"
> net_timeout = 1
> timeout = 4
> timelimit = 3
> max_uses = 0
> tls_mode = no
> start_tls = no
> tls_require_cert = "allow"
> tls {
> start_tls = no
> require_cert = "allow"
> }
> basedn = "ou=SeminaryOU,dc=seminary,dc=local"
> filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
> base_filter = "(objectclass=radiusprofile)"
> auto_header = no
> access_attr_used_for_allow = yes
> groupname_attribute = "cn"
> groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{
> control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(
> uniquemember=%{control:Ldap-UserDn})))"
> groupmembership_attribute = "radiusGroupName"
> dictionary_mapping = "/etc/freeradius/ldap.attrmap"
> ldap_debug = 0
> ldap_connections_number = 5
> compare_check_items = no
> do_xlat = yes
> edir_account_policy_check = no
> set_auth_type = yes
> keepalive {
> idle = 60
> probes = 3
> interval = 3
> }
> }
>
> Thanks for your support :)
>
>
>
>
> Matthew Pulis
> web: www.matthewpulis.info
> mob: +356 79539404
>
> On Tue, Aug 16, 2016 at 11:14 AM, Matthew Pulis <mpulis at gmail.com> wrote:
>
>> Hi all,
>>
>> I am trying to have dynamic VLAN assignment on Freeradius based on LDAP.
>> The connection between Freeradius and LDAP works fine. If I test with a
>> user I get the Authorise packet but not the dynamic VLAN assignment. We
>> will be testing using this LDAP user:
>>
>> # ttester, SeminaryAdmin, SeminaryOU, seminary.local
>> dn: cn=ttester,cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local
>> cn: ttester
>> givenName: Test
>> gidNumber: 505
>> homeDirectory: /home/users/ttester
>> sn: Tester
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> objectClass: top
>> uidNumber: 1002
>> uid: ttester
>>
>>
>> This is the received reply:
>> radius at daloradius:~$ radtest -x ttester openldap localhost 1812 testing456
>> Sending Access-Request of id 30 to 127.0.0.1 port 1812
>> User-Name = "ttester"
>> User-Password = "openldap"
>> NAS-IP-Address = 127.0.1.1
>> NAS-Port = 1812
>> Message-Authenticator = 0x00000000000000000000000000000000
>> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=30,
>> length=20
>>
>> Freeradius version:
>> FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Feb 27
>> 2015 at 12:38:34
>>
>> This is an extract of the Freeradius debug:
>>
>>
>> Ready to process requests.
>> rad_recv: Access-Request packet from host 127.0.0.1 port 38281, id=59,
>> length=77
>> User-Name = "ttester"
>> User-Password = "openldap"
>> NAS-IP-Address = 127.0.1.1
>> NAS-Port = 1812
>> Message-Authenticator = 0xbe303901f2b855fb146f2f1fda9cd3fd
>> # Executing section authorize from file /etc/freeradius/sites-enabled/
>> default
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>> ++[digest] returns noop
>> [suffix] No '@' in User-Name = "ttester", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] returns noop
>> [eap] No EAP-Message, not doing EAP
>> ++[eap] returns noop
>> [ldap] performing user authorization for ttester
>> [ldap] expand: %{Stripped-User-Name} ->
>> [ldap] ... expanding second conditional
>> [ldap] expand: %{User-Name} -> ttester
>> [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
>> (uid=ttester)
>> [ldap] expand: ou=SeminaryOU,dc=seminary,dc=local ->
>> ou=SeminaryOU,dc=seminary,dc=local
>> [ldap] ldap_get_conn: Checking Id: 0
>> [ldap] ldap_get_conn: Got Id: 0
>> [ldap] attempting LDAP reconnection
>> [ldap] (re)connect to seminary.local:389, authentication 0
>> [ldap] bind as cn=admin,dc=seminary,dc=local/FalseBINDINGPASS to
>> seminary.local:389
>> [ldap] waiting for bind result ...
>> [ldap] Bind was successful
>> * [ldap] performing search in ou=SeminaryOU,dc=seminary,dc=local, with
>> filter (uid=ttester)*
>> [ldap] No default NMAS login sequence
>> [ldap] looking for check items in directory...
>> [ldap] userPassword -> Password-With-Header ==
>> "{SSHA}T4sU9zSLN/Auop+ImthH4nLyLG/rPU0R"
>> [ldap] looking for reply items in directory...
>> [ldap] user ttester authorized to use remote access
>> [ldap] ldap_release_conn: Release Id: 0
>> ++[ldap] returns ok
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> ++[pap] returns updated
>> Found Auth-Type = PAP
>> # Executing group from file /etc/freeradius/sites-enabled/default
>> +- entering group PAP {...}
>> [pap] login attempt with password "openldap"
>> [pap] Using SSHA encryption.
>> [pap] Normalizing SSHA1-Password from base64 encoding
>> [pap] User authenticated successfully
>> ++[pap] returns ok
>> Login OK: [ttester] (from client localhost port 1812)
>> # Executing section post-auth from file /etc/freeradius/sites-enabled/
>> default
>> +- entering group post-auth {...}
>> ++[exec] returns noop
>> Sending Access-Accept of id 59 to 127.0.0.1 port 38281
>> Finished request 0.
>> Going to the next request
>> Waking up in 4.9 seconds.
>> Cleaning up request 0 ID 59 with timestamp +5
>> Ready to process requests.
>>
>>
>> In every tutorial I am following, this line: [ldap] performing search in
>> ou=SeminaryOU,dc=seminary,dc=local, with filter (uid=ttester) ....
>> should show the filter, but in mine it does not appear.
>>
>> I am following this tutorial mainly: https://system-eng.blogspot.com.mt/2015/12/setting-up-freeradius-in-debian-with_28.html?showComment=1470925094566
>>
>> My config files:
>>
>> /etc/freeradius/modules/ldap : http://paste.ubuntu.com/23060929/
>> /etc/freeradius/sites-available/inner-tunnel :
>> http://paste.ubuntu.com/23060930/
>> /etc/freeradius/sites-available/default : http://paste.ubuntu.com/23060931/
>> /etc/freeradius/users : http://paste.ubuntu.com/23060935/
>>
>> Any idea where I should start looking at the problem please?
>>
>> Thanks and best regards
>>
>> Matthew
>>
>>
>> Matthew Pulis
>> web: www.matthewpulis.info
>> mob: +356 79539404
>>
>
>