FreeRADIUS 3.0.12 + openLDAP + Apple access point?

Matthew Newton mcn at freeradius.org
Thu Dec 7 12:16:33 CET 2017


On Thu, 2017-12-07 at 08:47 +0000, Tobias Balle-Petersen wrote:
> It seems like the problem is with my huntgroup.

Yes

> In users:
> 
> This will allow me to log in from the access point:
> DEFAULT Ldap-Group == "wifi-cph"
> 
> With this definition I am rejected:
> DEFAULT Ldap-Group == "wifi-cph", Huntgroup-Name == "accesspoints-lan"

You can see in the debug output that the user was found in one of the
LDAP searches, so the only logical conclusion here is that any other
checks with it are failing.


> The huntgroup from the huntgroups file
> # Group of accesspoint. Login from those, and you need
> # to be a member of the wifi-copenhagen group (LDAP)
> accesspoints-lan        NAS-IP-Address == 172.22.33.11
> accesspoints-lan        NAS-IP-Address == 172.22.33.22
> accesspoints-lan        NAS-IP-Address == 172.22.33.30
> accesspoints-lan        NAS-IP-Address == 172.22.33.33
> accesspoints-lan        NAS-IP-Address == 172.22.33.34
> 
> This is what I get when the access point connects:
> Thu Dec  7 09:28:15 2017 : Debug: (11)   User-Name = "***"
> Thu Dec  7 09:28:15 2017 : Debug: (11)   NAS-IP-Address = 172.22.33.33
> 
> Maybe the NAS-IP-Address is not available in the inner tunnel?

The debug output shows you what attributes are available in the inner
tunnel...

You need to copy the attribute from the outer to the inner so that you
can use it. Either use the old (deprecated) method of setting
'copy_request_to_tunnel' in the eap configuration, or the current way
of just copying the attribute you need, so

  update request {
    Huntgroup-Name := &outer.Huntgroup-Name
  }

before calling 'files' in the inner tunnel should do it.

-- 
Matthew
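For readers following the thread, here is how the fix described above fits into a FreeRADIUS 3.0.x inner-tunnel virtual server. This is an added illustration, not configuration posted by either participant; it assumes the stock 3.0 file layout (`raddb/sites-enabled/inner-tunnel`), that the outer virtual server still runs `preprocess` first in its `authorize` section (the default, which is what evaluates the huntgroups file and sets `Huntgroup-Name` on the outer request), and it reuses the `accesspoints-lan` and `wifi-cph` names from the quoted messages.

```unlang
# raddb/sites-enabled/inner-tunnel  (excerpt; added example)
server inner-tunnel {
    authorize {
        # The inner (tunnelled) request carries no NAS-IP-Address, so
        # preprocess never matched a huntgroup here.  Copy the name the
        # outer request already received from its own preprocess run.
        update request {
            Huntgroup-Name := &outer.Huntgroup-Name
        }

        # 'files' now sees Huntgroup-Name and can evaluate a users entry
        # that checks both the LDAP group and the huntgroup, e.g.:
        #
        #   DEFAULT Ldap-Group == "wifi-cph", Huntgroup-Name == "accesspoints-lan"
        #
        # (Ldap-Group is resolved by the ldap module's comparison hook,
        #  so it works in a check item even though ldap runs later.)
        files

        -ldap
        pap
        mschap
        eap
    }
}
```

If the copied attribute is still missing, run `radiusd -X` and check that the outer request's debug output shows `Huntgroup-Name` after `preprocess`; if it is absent there, the huntgroups file is not matching the NAS-IP-Address in the first place and the inner copy has nothing to pull in.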
