FR V3 returns no attribute Cisco-AVPair, Framed-IP-Address
Stephane Branchoux
stephane.branchoux at univ-perp.fr
Wed Mar 23 15:09:58 CET 2016
Hello,
I would like to upgrade my FR V2 to V3.
I installed a new FR V3 and just modified the
/etc/raddb/sites-available/default file to test LDAP connectivity.
I read the docs, man pages, wiki ...
# diff /etc/raddb/sites-available/default /etc/raddb/sites-available/default.orig
382,389c382
< #-ldap
< ldap
< if ((ok || updated) && User-Password) {
< update {
< control:Auth-Type := ldap
< }
< }
<
---
> -ldap
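Review bot: the `if ((ok || updated) && User-Password)` block forces `Auth-Type := ldap` for every user found in the directory who sends a cleartext password, so the `{SSHA}` hash that rlm_ldap copies into control:Password-With-Header is never checked by pap (the debug below confirms it: "pap : Auth-Type already set. Not setting to PAP"); authentication becomes an LDAP bind as the user on every request. That is the documented v3 pattern, but note that EAP, CHAP and MS-CHAP requests carry no User-Password and therefore never take this path, so the `ntPassword` mapping in mods-available/ldap only matters for those. Dropping the `-` in front of `ldap` also makes the module mandatory: the server will refuse to start rather than skip it if rlm_ldap fails to load, which is the safer choice here.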
495,497c488,490
< Auth-Type LDAP {
< ldap
< }
---
> # Auth-Type LDAP {
> # ldap
> # }
671c664
< #cui
---
> # cui
677c670
< reply_log
---
> # reply_log
695c688
< ldap
---
> # ldap
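Review bot: listing `ldap` in post-auth with the stock mods-available/ldap makes the module bind as the user and write to the user's own entry on every successful login, which is exactly what the debug later shows ("EXPAND Authenticated at %S", "Modifying object with DN uid=stephane,..."). That requires every user to have write access to their own object and adds one LDAP modify per authentication against the master. If the goal is only to return attributes, leave `ldap` out of post-auth (or remove the `post-auth { update { ... } }` block in the module config); the reply attributes are populated in authorize, not here.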
diff /etc/raddb/mods-available/ldap.orig /etc/raddb/mods-available/ldap
12c12,13
< server = "ldap.rrdns.example.org ldap.rrdns.example.org
ldap.example.org"
---
> # server = "ldap.rrdns.example.org ldap.rrdns.example.org
ldap.example.org"
> server = "ldapmaster.univ-perp.fr ldapmaster1.univ-perp.fr"
20a22,24
> #
> identity = "cn=Manager,dc=univ-perp,dc=fr"
> password = ZZZZZ
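Review bot: binding as `cn=Manager,dc=univ-perp,dc=fr` gives rlm_ldap the directory's root credential, far more than a search for `uid`/`mail` and a read of the mapped attributes needs; use a dedicated read-only service account limited to those attributes, and keep the `password` line readable only by the radiusd user. The `server` hunk just above names plain hostnames with no `ldaps://` scheme and no `tls` block in the diff, so unless TLS is configured elsewhere this credential, the users' passwords from the per-user binds and the returned attributes all travel in cleartext to ldapmaster/ldapmaster1.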
24a29
> base_dn = "dc=univ-perp,dc=fr"
74,78c79,83
< # control:NT-Password := 'ntPassword'
< # reply:Reply-Message := 'radiusReplyMessage'
< # reply:Tunnel-Type := 'radiusTunnelType'
< # reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
< # reply:Tunnel-Private-Group-ID :=
'radiusTunnelPrivategroupId'
---
> control:NT-Password := 'ntPassword'
> reply:Reply-Message := 'radiusReplyMessage'
> reply:Tunnel-Type := 'radiusTunnelType'
> reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
> reply:Tunnel-Private-Group-ID :=
'radiusTunnelPrivategroupId'
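Review bot: nothing in this `update` block maps Framed-IP-Address, Service-Type, Cisco-AVPair or Brocade-Auth-Role, which is the set the V2 reply at the end of the mail contains, and the debug output shows rlm_ldap processing only `control:Password-With-Header`, so the entry does not carry `radiusReplyMessage`/`radiusTunnel*` under these names either (or the bind identity cannot read them). In v3 every reply attribute needs its own line, e.g. `reply:Framed-IP-Address := 'radiusFramedIPAddress'` and `reply:Service-Type := 'radiusServiceType'`, using whatever attribute names the directory actually stores; check with `ldapsearch` against the user's DN which `radius*` attributes exist before adding lines.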
84,85c89,90
< # control: += 'radiusCheckAttributes'
< # reply: += 'radiusReplyAttributes'
---
> #control: += 'radiusCheckAttributes'
> #reply: += 'radiusReplyAttributes'
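Review bot: keeping the two generic mappings commented out is the most likely cause of the missing attributes. `reply: += '<ldapAttr>'` (a list with no attribute name) is the v3 replacement for the V2 ldap.attrmap entry `replyItem $GENERIC$ radiusReplyItem`: the LDAP attribute holds whole `Attr = value` strings, which is the only way vendor attributes such as Cisco-AVPair and Brocade-Auth-Role come back without one mapping line each. Uncomment `reply: += ...` (and `control: += ...` for check items) and point them at the attribute the entries really use; the V2 default name was radiusReplyItem, whereas the v3 template comment says radiusReplyAttributes.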
95c100
< # edir_autz = no
---
> edir_autz = no
117c122,124
< filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
---
> #filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
> filter = "(|(uid=%{%{Stripped-User-Name}:-%{User-Name}})
(mail=%{%{Stripped-User-Name}:-%{User-Name}}))"
> #filter = "(|(uid=%{Stripped-User-Name:-%{User-Name}})
(mail=%{Stripped-User-Name:-%{User-Name}}))"
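Review bot: the active filter uses the correct v3 nested form `%{%{Stripped-User-Name}:-%{User-Name}}` (the debug shows it expanding to `(|(uid=stephane) (mail=stephane))`); the second commented variant `%{Stripped-User-Name:-%{User-Name}}` is the V2 syntax and should not be revived. Matching on `mail` as well as `uid` means a login name can resolve to an entry other than the one whose `uid` it is, and if both branches match different objects the search returns more than one result that the module cannot disambiguate; only keep the `mail` branch if that attribute is unique and not user-editable.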
125c132
< # access_attribute = "dialupAccess"
---
> # access_attribute = "dialupAccess"
181c188,189
< membership_attribute = "memberOf"
---
> #membership_attribute = "memberOf"
> membership_attribute = "eduPersonPrimaryAffiliation"
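Review bot: `membership_attribute` is consulted only by `LDAP-Group` comparisons and is expected to hold group DNs (or group names resolved against `group` objects); eduPersonPrimaryAffiliation holds values such as staff/student, so group checks will not match as written. This hunk has no effect on reply attributes, so it is unrelated to the problem reported below.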
Authentication against LDAP is OK:
radtest -x stephane xxxxxxxxx localhost 10 testing123
Sending Access-Request Id 157 from 0.0.0.0:41822 to 127.0.0.1:1812
User-Name = 'YYYYYYYY'
User-Password = 'XXXXXXX'
NAS-IP-Address = 194.167.137.68
NAS-Port = 10
Message-Authenticator = 0x00
Received Access-Accept Id 157 from 127.0.0.1:1812 to 127.0.0.1:41822
length 20
The debug output is:
Received Access-Request Id 247 from 127.0.0.1:41643 to 127.0.0.1:1812
length 78
User-Name = 'stephane'
User-Password = 'sssssssssssss'
NAS-IP-Address = 194.167.137.xx
NAS-Port = 10
Message-Authenticator = 0x32e138a8b8b22a81acf0e74bd6e8cd13
(0) Received Access-Request packet from host 127.0.0.1 port 41643,
id=247, length=78
(0) User-Name = 'stephane'
(0) User-Password = 'YYYYYYYYYYYY'
(0) NAS-IP-Address = 194.167.137.xx
(0) NAS-Port = 10
(0) Message-Authenticator = 0x32e138a8b8b22a81acf0e74bd6e8cd13
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (!&User-Name)
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /)
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ )
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\\.\\./ )
(0) if (&User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\\.$/)
(0) if (&User-Name =~ /\\.$/) -> FALSE
(0) if (&User-Name =~ /@\\./)
(0) if (&User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : Checking for suffix after "@"
(0) suffix : No '@' in User-Name = "stephane", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) eap : No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : EXPAND (|(uid=%{%{Stripped-User-Name}:-%{User-Name}})
(mail=%{%{Stripped-User-Name}:-%{User-Name}}))
(0) ldap : --> (|(uid=stephane) (mail=stephane))
(0) ldap : EXPAND dc=univ-perp,dc=fr
(0) ldap : --> dc=univ-perp,dc=fr
(0) ldap : Performing search in 'dc=univ-perp,dc=fr' with filter
'(|(uid=stephane) (mail=stephane))', scope 'sub'
(0) ldap : Waiting for search result...
(0) ldap : User object found at DN
"uid=stephane,ou=people,dc=univ-perp,dc=fr"
(0) ldap : Processing user attributes
(0) ldap : control:Password-With-Header += '{SSHA}UUUUUUUUUJ'
rlm_ldap (ldap): Released connection (4)
(0) [ldap] = ok
(0) if ((ok || updated) && User-Password)
(0) if ((ok || updated) && User-Password) -> TRUE
(0) if ((ok || updated) && User-Password) {
(0) update {
(0) control:Auth-Type := LDAP
(0) } # update = noop
(0) } # if ((ok || updated) && User-Password) = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap : Normalizing SSHA1-Password from base64 encoding, 32 bytes ->
24 bytes
(0) WARNING: pap : Auth-Type already set. Not setting to PAP
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = LDAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Auth-Type LDAP {
(0) ldap : Login attempt by "stephane"
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : Using user DN from request
"uid=stephane,ou=people,dc=univ-perp,dc=fr"
(0) ldap : Waiting for bind result...
(0) ldap : Bind successful
(0) ldap : Bind as user "uid=stephane,ou=people,dc=univ-perp,dc=fr" was
successful
rlm_ldap (ldap): Released connection (4)
(0) [ldap] = ok
(0) } # Auth-Type LDAP = ok
(0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(0) post-auth {
(0) reply_log : EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(0) reply_log : -->
/var/log/radius/radacct/127.0.0.1/reply-detail-20160323
(0) reply_log :
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/reply-detail-20160323
(0) reply_log : EXPAND %t
(0) reply_log : --> Wed Mar 23 14:48:32 2016
(0) [reply_log] = ok
(0) ldap : EXPAND .
(0) ldap : --> .
(0) ldap : EXPAND Authenticated at %S
(0) ldap : --> Authenticated at 2016-03-23 14:48:32
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : Using user DN from request
"uid=stephane,ou=people,dc=univ-perp,dc=fr"
(0) ldap : Waiting for bind result...
(0) ldap : Bind successful
(0) ldap : Modifying object with DN
"uid=stephane,ou=people,dc=univ-perp,dc=fr"
(0) ldap : Waiting for modify result...
rlm_ldap (ldap): Released connection (4)
(0) [ldap] = ok
(0) [exec] = noop
(0) remove_reply_message_if_eap remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message)
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else else {
(0) [noop] = noop
(0) } # else else = noop
(0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0) } # post-auth = ok
(0) Sending Access-Accept packet to host 127.0.0.1 port 41643, id=247,
length=0
Sending Access-Accept Id 247 from 127.0.0.1:1812 to 127.0.0.1:41643
(0) Finished request
Waking up in 0.3 seconds.
Waking up in 4.6 seconds.
The problem is that FR returns an Access-Accept but no LDAP attributes
(Cisco-AVPair, Framed-IP-Address, ...).
Where is my mistake?
Many thanks in advance
The same radtest on my FR V2 returns:
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=172,
length=86
Framed-IP-Address = 10.100.0.254
Cisco-AVPair = "shell:priv-lvl=15"
Tunnel-Type:1 = VLAN
Tunnel-Medium-Type:1 = IEEE-802
Tunnel-Private-Group-Id:1 = "5"
Service-Type = Login-User
Brocade-Auth-Role = "admin"
--
stephane BRANCHOUX
Centre de Ressources Informatiques de l'Université de Perpignan.
Systems/Networks - RSSI
mailto:stephane.branchoux at univ-perp.fr
04 68 66 21 24 / 07 60 73 38 42
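An `update` section for /etc/raddb/mods-available/ldap that would return the attribute set the V2 server produced, added here as an example; it is not code from the post or from the FreeRADIUS distribution. It assumes the directory stores the per-attribute values under the freeradius.schema names (radiusFramedIPAddress, radiusServiceType, radiusTunnel*) and the vendor attributes as `Attr = value` strings in the V2-era generic attribute radiusReplyItem; substitute the names an `ldapsearch` of uid=stephane actually shows.

```conf
ldap {
	# server, identity, password, base_dn and filter stay as in the diff above.

	update {
		control:Password-With-Header	+= 'userPassword'
		# Only used by MS-CHAP/EAP paths; the forced Auth-Type := ldap
		# in authorize means PAP requests never consult this hash.
		control:NT-Password		:= 'ntPassword'

		# One line per RADIUS reply attribute. In V2 the ldap.attrmap
		# supplied these; in v3 nothing is mapped unless listed here.
		# ASSUMED attribute names (freeradius.schema); adjust to your tree.
		reply:Framed-IP-Address		:= 'radiusFramedIPAddress'
		reply:Service-Type		:= 'radiusServiceType'
		reply:Reply-Message		:= 'radiusReplyMessage'
		reply:Tunnel-Type		:= 'radiusTunnelType'
		reply:Tunnel-Medium-Type	:= 'radiusTunnelMediumType'
		reply:Tunnel-Private-Group-ID	:= 'radiusTunnelPrivategroupId'

		# Generic mappings: the LDAP attribute holds complete value pairs,
		# e.g.  radiusReplyItem: Cisco-AVPair = "shell:priv-lvl=15"
		#       radiusReplyItem: Brocade-Auth-Role = "admin"
		# This replaces the V2 attrmap entries
		#   checkItem $GENERIC$ radiusCheckItem
		#   replyItem $GENERIC$ radiusReplyItem
		# ASSUMED: the directory still uses the V2 names rather than the
		# radiusCheckAttributes / radiusReplyAttributes of the v3 template.
		control:			+= 'radiusCheckItem'
		reply:				+= 'radiusReplyItem'
	}
}
```

After restarting with `radiusd -X`, the "ldap : Processing user attributes" block in the debug output should list one line per mapped attribute (for the generic ones, one line per value pair parsed) before `[ldap] = ok`, and the reply-detail file that reply_log writes, as well as the `radtest` Access-Accept, should then carry Framed-IP-Address, Cisco-AVPair and the rest. If an attribute is still absent, the entry either lacks it or the bind identity cannot read it; an `ldapsearch` with the same identity and base_dn settles which.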