VLAN Post Auth

Alan Buxey alan.buxey at gmail.com
Wed Apr 19 20:48:46 CEST 2017


a few things

1) (0)  files : Performing unfiltered search in
'uid=richardl,cn=users,cn=compat,dc=acskype,dc=com',
scope 'base'
(0)  files : Waiting for search result...
(0)  files : No group membership attribute(s) found in user object

no group membership found there

2) you don't have Fall-Through set to yes in the first entry you have, thus
the server WON'T proceed any further in the
users file (i.e. your second check item is never hit), so maybe set a fall
through for that check item (see examples provided with server)

finally, don't use the users file for this; use unlang and put a nice
trivial LDAP check into the post-auth section which then sets the relevant
VLAN to drop the user onto, e.g., as a quick'n'dirty example:

  if ("%{master_ldap:ldaps:///dc=my,dc=example,dc=com?distinguishedName?sub?(&(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=CN=FreeRADIUS,OU=admin,DC=my,DC=example,DC=com))}") {
          update reply {
                  &Tunnel-Medium-Type := "IEEE-802"
                  &Tunnel-Type := "VLAN"
                  &Termination-Action := "RADIUS-Request"
                  &Tunnel-Private-Group-Id := "666"
          }
  }

On 19 April 2017 at 17:36, Alan DeKok <aland at deployingradius.com> wrote:

> On Apr 19, 2017, at 12:07 PM, Richard Laing <richard.laing at armourcomms.com>
> wrote:
> >
> > Hi Alan thank you for taking a look at the output for me on the last
> > message.
> >
> > 1. Never said it doesn't work, said no VLAN on application of more than
> > one group.
>
>   What do you mean by "application of more than one group"?
>
>   I explained how the "users" file works.  I pointed you to
> documentation.  If you put more than one DEFAULT in, it will only match the
> first one.  Unless you follow the documentation.
>
> > 3. You ignored the following output, if I use an incorrect password then
> > I will get a fail. I'm looking for the user to have its request authorized
> > and have the VLAN assigned over to that user correctly.
>
>   So you want users with bad passwords to be put into a different VLAN?
>
>   The debug log you attached showed a *successful* authentication.
>
> > Also if I run radtest the user seems to work just not on the group
> > memberships
>
>   See the FAQ for "it doesn't work"
>
>   Again, you're asking questions which are poorly phrased, and don't
> contain enough information for me to help you.
>
> > radtest richardl 'Testing 101' ipa01.acskype.com 1812 testing101
> > Sending Access-Request Id 198 from 0.0.0.0:41248 to 192.168.10.2:1812
> >    User-Name = 'richardl'
> >    User-Password = 'Testing 101'
> >    NAS-IP-Address = 192.168.10.2
> >    NAS-Port = 1812
> >    Message-Authenticator = 0x00
> > Received Access-Accept Id 198 from 192.168.10.2:1812 to
> > 192.168.10.2:41248 length 20
>
>   We never ask for the output from radclient.  We ALWAYS ask for the
> output of the server.
>
>   Again... please follow instructions.  When you don't follow
> instructions, you don't get the problem fixed.
>
> > 4. I will update to the latest version and hopefully have a follow up
> > soon, would be interested in hearing your ideas on the best method of
> > securing free-radius & LDAP together
>
>   If only I understood what you were doing, and what *exactly* was going
> wrong, and what you expected to happen.
>
>   I already asked that, and your response here was still fairly vague.  "I
> tried stuff, and it didn't work".
>
>   Ask a bad question, get a bad answer.
>
>   Ask a good question, get a good answer.
>
>   It's up to you.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
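The post-auth approach above, carried a step further as an added example that is not part of the original message or of the FreeRADIUS distribution: the same LDAP xlat check applied to more than one group, with a fallback so that an authenticated user who is in no known group never gets an Access-Accept with no Tunnel-* attributes (which would leave the port in the switch's default VLAN). Everything not in the message is assumed: the rlm_ldap instance name master_ldap is taken from the snippet above, the groups CN=NetAdmins and CN=Staff under OU=groups, and VLANs 100, 200 and 999 are placeholders for the admin, staff and quarantine VLANs.

```unlang
# Added example, not from the thread: post-auth VLAN steering by LDAP group,
# extended from the single-group check in the message to several groups
# plus a fallback. Assumed (not in the original): instance name master_ldap,
# the group DNs below, and VLAN IDs 100/200/999.
post-auth {
        # Same xlat pattern as the message: rlm_ldap runs the search and the
        # string is non-empty only if the user is a member of the group.
        # The username is the realm-stripped form when a realm was present,
        # otherwise User-Name as sent.
        if ("%{master_ldap:ldaps:///dc=my,dc=example,dc=com?distinguishedName?sub?(&(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=CN=NetAdmins,OU=groups,DC=my,DC=example,DC=com))}") {
                update reply {
                        # ":=" overrides any Tunnel-* attributes set earlier
                        # (for example by the users file), so this section
                        # is the single place that decides the VLAN.
                        &Tunnel-Type := VLAN
                        &Tunnel-Medium-Type := IEEE-802
                        &Tunnel-Private-Group-Id := "100"
                }
        }
        elsif ("%{master_ldap:ldaps:///dc=my,dc=example,dc=com?distinguishedName?sub?(&(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=CN=Staff,OU=groups,DC=my,DC=example,DC=com))}") {
                update reply {
                        &Tunnel-Type := VLAN
                        &Tunnel-Medium-Type := IEEE-802
                        &Tunnel-Private-Group-Id := "200"
                }
        }
        else {
                # Password was right but the user is in no group we know about.
                # Pin such users to a quarantine VLAN instead of returning an
                # Access-Accept with no VLAN at all. Replace this update block
                # with "reject" if these users should not get on the network.
                update reply {
                        &Tunnel-Type := VLAN
                        &Tunnel-Medium-Type := IEEE-802
                        &Tunnel-Private-Group-Id := "999"
                }
        }
}
```

If the users file is kept instead, the fix for point 2 is a "Fall-Through = Yes" reply item on the first entry, so that the group check in the later entry is evaluated at all. Either way, confirm the result from the server's own debug output (radiusd -X), as Alan DeKok asks below, not from the radtest/radclient side: the Access-Accept in the quoted radtest run is 20 bytes long, i.e. it carries no attributes, which is exactly the "authenticates but no VLAN" symptom.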

