VLAN Post Auth
Richard Laing
richard.laing at armourcomms.com
Wed Apr 19 18:07:49 CEST 2017
Hi Alan, thank you for taking a look at the output for me on the last
message.
1. Never said it doesn't work, said no VLAN on application of more than
one group.
2. I will update to a newer version as the standard one in the repos is
a little out of date.
3. You ignored the following output: if I use an incorrect password then
I will get a fail. I am looking for the user to have its request authorized
and have the VLAN assigned over to that user correctly.
WARNING: pap : Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = LDAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Auth-Type LDAP {
(0) ldap : Login attempt by "richardl"
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : Using user DN from request "uid=richardl,cn=users,cn=compat,dc=acskype,dc=com"
(0) ldap : Waiting for bind result...
(0) ldap : Bind successful
(0) ldap : Bind as user "uid=richardl,cn=users,cn=compat,dc=acskype,dc=com" was successful
rlm_ldap (ldap): Released connection (4)
(0) [ldap] = ok
(0) } # Auth-Type LDAP = ok
(0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(0) post-auth {
(0) [exec] = noop
(0) remove_reply_message_if_eap remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message)
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else else {
(0) [noop] = noop
(0) } # else else = noop
(0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0) } # post-auth = noop
(0) Sending Access-Accept packet to host 192.168.10.8 port 53461, id=114, length=0
Sending Access-Accept Id 114 from 192.168.10.2:1812 to 192.168.10.8:53461
(0) Finished request
Also, if I run radtest the user seems to work, just not on the group
memberships:
radtest richardl 'Testing 101' ipa01.acskype.com 1812 testing101
Sending Access-Request Id 198 from 0.0.0.0:41248 to 192.168.10.2:1812
User-Name = 'richardl'
User-Password = 'Testing 101'
NAS-IP-Address = 192.168.10.2
NAS-Port = 1812
Message-Authenticator = 0x00
Received Access-Accept Id 198 from 192.168.10.2:1812 to 192.168.10.2:41248 length 20
4. I will update to the latest version and hopefully have a follow-up
soon. I would be interested in hearing your ideas on the best method of
securing FreeRADIUS & LDAP together.
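A post-auth group-to-VLAN mapping of the kind this thread is after, written here as an added example; it is not the poster's configuration, which the message does not include. It assumes FreeRADIUS 3.x with the ldap module's group {} section configured so that LDAP-Group comparisons resolve, and the group names, base DN and VLAN IDs are invented placeholders.

```unlang
# Added example for /etc/raddb/sites-enabled/default (assumed layout).
# Prerequisite in mods-available/ldap (assumed values, adjust to your tree):
#   group {
#       base_dn              = "cn=groups,cn=compat,dc=example,dc=com"
#       filter               = "(objectClass=posixGroup)"
#       name_attribute       = cn
#       membership_attribute = "memberOf"
#   }
post-auth {
    #
    # One elsif chain, so a user who belongs to several groups gets exactly
    # one VLAN: the first matching branch wins and the reply never carries
    # two Tunnel-Private-Group-Id values that the switch has to choose between.
    # Order the branches from most to least privileged group.
    #
    if (LDAP-Group == "netadmins") {
        update reply {
            Tunnel-Type             := VLAN
            Tunnel-Medium-Type      := IEEE-802
            Tunnel-Private-Group-Id := "10"
        }
    }
    elsif (LDAP-Group == "staff") {
        update reply {
            Tunnel-Type             := VLAN
            Tunnel-Medium-Type      := IEEE-802
            Tunnel-Private-Group-Id := "20"
        }
    }
    else {
        # Authenticated but in no mapped group: refuse, rather than send an
        # attribute-less Access-Accept and let the switch apply its default VLAN.
        reject
    }

    # Keep the stock calls that the default virtual server already runs here.
    exec
    remove_reply_message_if_eap
}
```

A useful check against the radtest output above: an Access-Accept of length 20 is a bare RADIUS header with no attributes at all, so when the mapping works the reply length grows and radiusd -X lists the three Tunnel-* attributes just before "Sending Access-Accept".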