Radius not giving VLAN after reconnect
Matthew Pulis
mpulis at gmail.com
Tue Sep 26 16:56:37 CEST 2017
Dear Alan
Thanks for your prompt reply. Much appreciated.
What I am trying to do is dynamically assign users to a VLAN based on
their LDAP OU. So if a user, such as the test user "abc", is in the OU
cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local, he gets VLAN 11
dynamically. As explained, this works the first time, but the second time
the authentication is accepted yet no Tunnel-Private-Group-ID is returned,
so no VLAN is assigned.
Quoting from you:
If so "search returned no results" explains why it's not working.
I think this is where the issue lies, however I am not sure how to go about fixing it. (Note that in the working debug output pasted below, the only "Search returned no results" comes from the adldap instance, which is expected for a user who lives under dc=seminary,dc=local; the debug output of the failing second attempt is not included here, so it is not yet clear which lookup comes up empty on that run.)
This is my /etc/freeradius/mods-enabled/eap file:
radius at radius:/etc/freeradius/mods-enabled$ cat eap | sed 's/^[ \t]*//;s/[ \t]*$//' | sed -e '/^#/d' | sed '/^\s*$/d'
# mods-enabled/eap as shipped on this server (stock comments stripped by the
# sed pipeline above; reviewer notes added).
eap {
# EAP type offered to a supplicant that does not ask for a specific one.
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = ${max_requests}
# NOTE(review): EAP-MD5 and LEAP are both enabled. EAP-MD5 provides no
# server authentication and derives no keys, and LEAP is long broken; if no
# supplicant needs them, remove these two sub-sections so they can never be
# negotiated.
md5 {
}
leap {
}
# EAP-GTC inside a tunnel: the submitted password/OTP is verified with PAP.
gtc {
auth_type = PAP
}
tls-config tls-common {
# NOTE(review): "whatever" is the stock FreeRADIUS default, as are the
# server.pem / ca.pem / dh file names below. If these are still the
# bootstrap certificates, replace them with a CA the supplicants are
# configured to trust. With TTLS+PAP (the method seen in the debug output
# below) the user password travels in clear inside the TLS tunnel, so the
# client-side server-certificate check is the only defence against a rogue
# AP harvesting credentials.
private_key_password = whatever
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
ca_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
random_file = /dev/urandom
ca_path = ${cadir}
# OpenSSL cipher string; "DEFAULT" accepts whatever the linked OpenSSL
# considers acceptable. Tighten if local policy requires.
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
# TLS session resumption. On a resumed session the inner tunnel is not run
# again; only attributes stored in &session-state are cached and restored
# (which is why sites-enabled/default post-auth does
# "&reply: += &session-state:"). The debug output below reports
# "No information to cache: session caching will be disabled" because
# nothing was put into session-state, so that login was not resumable.
cache {
enable = yes
lifetime = 24 # hours
max_entries = 255
}
verify {
}
# OCSP revocation checking of client certificates is off. This only matters
# for EAP-TLS client certificates; it is irrelevant to TTLS/PEAP logins.
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
tls {
tls = tls-common
}
ttls {
tls = tls-common
# Only used when the supplicant runs an EAP method inside the TTLS tunnel.
# The debug output shows plain PAP inside the tunnel (User-Password), so
# this setting is not exercised there.
default_eap_type = md5
# Copy outer request attributes into the inner request, and copy the inner
# tunnel's reply attributes back into the outer Access-Accept.
copy_request_to_tunnel = yes
use_tunneled_reply = yes
# The tunneled request is handled by sites-enabled/inner-tunnel.
virtual_server = "inner-tunnel"
}
peap {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
My sites-enabled/default file:
radius at radius:/etc/freeradius/sites-enabled$ cat default | sed 's/^[ \t]*//;s/[ \t]*$//' | sed -e '/^#/d' | sed '/^\s*$/d'
# sites-enabled/default as shipped on this server (stock comments stripped by
# the sed pipeline above; reviewer notes added).
server default {
# Authentication listener on every IPv4 address. port = 0 selects the
# standard port from radiusd.conf (1812 in the debug output below). Which
# NASes may talk to it, and with which shared secret, is governed by
# clients.conf, which is not shown here.
listen {
type = auth
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
# Accounting listener, IPv4.
listen {
ipaddr = *
port = 0
type = acct
limit {
}
}
# The same two listeners for IPv6 (:: = every address).
listen {
type = auth
ipv6addr = :: # any. ::1 == localhost
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipv6addr = ::
port = 0
type = acct
limit {
}
}
authorize {
filter_username
preprocess
chap
mschap
ntdomain
# When eap returns ok (an EAP-Message was present) the rest of authorize is
# skipped, so files/ldap/adldap/pap below only run for non-EAP requests.
# In the debug output every outer packet takes this path.
eap {
ok = return
}
files
# Leading "-": do not fail at startup if the module is not loaded.
-ldap
-adldap #ACTIVEDIRECTORY-backldap
expiration
logintime
pap
}
authenticate {
# Non-EAP PAP: pap compares against the known-good password gathered in
# authorize; ldap/adldap after it only get a turn if pap does not return a
# terminating code (e.g. noop because no password was found), in which case
# they attempt an LDAP bind as the user.
Auth-Type PAP {
pap
ldap # "according to the Chinese [guide]" (translated from Maltese: skond ic ciniz)
adldap #ACTIVEDIRECTORY
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
Auth-Type LDAP {
ldap
}
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
exec
attr_filter.accounting_response
}
session {
}
post-auth {
# Restore anything cached with the TLS session (resumed sessions skip the
# inner tunnel). Nothing below stores the VLAN attributes into
# session-state, so a resumed session would not get them from here.
update {
&reply: += &session-state:
}
# VLAN assignment by LDAP group membership. Each "Ldap-Group ==" is a live
# lookup by the *default* ldap instance (base
# ou=SeminaryOU,dc=seminary,dc=local per the debug output), one LDAP
# round-trip per if-statement. Tunnel-Type 13 = VLAN and
# Tunnel-Medium-Type 6 = IEEE-802 (the debug output decodes them as such).
#
# NOTE(review): the Teachers group lives under dc=seminary,dc=ad, i.e. in
# the directory the "adldap" instance searches, but "Ldap-Group" is
# evaluated by the "ldap" instance -- the debug output shows this lookup
# being done in ou=SeminaryOU,dc=seminary,dc=local, where it can never
# match. For a second instance the group attribute is named
# "adldap-Ldap-Group" -- confirm against the running version.
#
# NOTE(review): operator mix. "=" only adds an attribute that is not already
# in the reply, so with the branches below the first matching group wins and
# anything already present (attributes copied from the inner tunnel, or
# restored from session-state above) is left alone. The School branch alone
# uses ":=" (overwrite) for Tunnel-Private-Group-ID, so a user in School
# plus any earlier group ends up on VLAN 50 while keeping the earlier
# Tunnel-Type/Medium-Type. If the groups are meant to be exclusive, use one
# operator throughout and chain the tests with elsif.
if (Ldap-Group == "cn=Teachers,ou=School,dc=seminary,dc=ad") {
update reply {
Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-ID = "50"
}
}
if (Ldap-Group == "cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local") {
update reply {
Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-ID = "12"
}
}
if (Ldap-Group == "cn=Formators,ou=SeminaryOU,dc=seminary,dc=local") {
update reply {
Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-ID = "10"
}
}
if (Ldap-Group == "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local") {
update reply {
Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-ID = "11"
}
}
if (Ldap-Group == "cn=Staff,ou=SeminaryOU,dc=seminary,dc=local") {
update reply {
Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-ID = "13"
}
}
if (Ldap-Group == "cn=School,ou=SeminaryOU,dc=seminary,dc=local") {
update reply {
Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-ID := "50"
}
}
# NOTE(review): this runs the ldap module's post-auth section, which -- per
# the debug output -- performs an LDAP *modify* of the user's own entry
# ("Authenticated at %S") on every login. That means the RADIUS bind DN has
# write access to user objects; a read-only bind account is the safer
# least-privilege choice unless the timestamp is really needed. The same
# modify also runs in inner-tunnel post-auth, so the entry is written twice
# per authentication.
ldap
exec
remove_reply_message_if_eap
# Rejections: strip everything a reject may not carry, then let eap build
# the EAP-Failure.
Post-Auth-Type REJECT {
-sql
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
}
pre-proxy {
}
post-proxy {
eap
}
}
My inner-tunnel (not sure this is needed, but pasting it just in case):
radius at radius:/etc/freeradius/sites-enabled$ cat inner-tunnel | sed 's/^[ \t]*//;s/[ \t]*$//' | sed -e '/^#/d' | sed '/^\s*$/d'
# sites-enabled/inner-tunnel as shipped on this server (stock comments
# stripped by the sed pipeline above; reviewer notes added).
server inner-tunnel {
# Loopback-only listener. EAP-TTLS/PEAP hand tunneled requests to this
# virtual server internally (virtual_server = "inner-tunnel" in
# mods-enabled/eap); the socket is only reachable from the host itself.
listen {
ipaddr = 127.0.0.1
port = 18120
type = auth
}
authorize {
filter_username
chap
mschap
ntdomain
# Force local handling: an inner request is never proxied to another realm.
update control {
&Proxy-To-Realm := LOCAL
}
# Tunneled PAP carries no EAP-Message, so eap is a noop here (debug output).
eap {
ok = return
}
files
# Both directory instances are queried unconditionally. ldap supplies the
# known-good password for users under dc=seminary,dc=local; adldap then
# returns notfound for such users (debug output), which is harmless.
#
# NOTE(review): the debug output shows ldap returning TWO password values
# for the test user -- an {ssha} hash and the literal cleartext "abcd".
# A cleartext copy of the password stored next to its hash defeats the hash;
# check how userPassword is populated on these entries.
ldap
adldap #ACTIVE DIRECTORY
expiration
logintime
# pap converts the LDAP Password-With-Header values into the typed control
# attributes (SSHA1-Password / Cleartext-Password) compared in authenticate.
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
Auth-Type LDAP {
ldap
}
eap
}
session {
radutmp
}
post-auth {
-sql
# NOTE(review): per the debug output this runs the ldap module's post-auth
# modify ("Authenticated at %S") against the user's entry, and the outer
# server repeats it -- two writes per login, and the bind DN needs write
# access to user objects. Drop it here (or everywhere) if the timestamp is
# not needed, and prefer a read-only bind account.
-ldap
Post-Auth-Type REJECT {
-sql
attr_filter.access_reject
# Surface the inner failure reason in the outer request's session-state so
# the outer server can log it.
update outer.session-state {
&Module-Failure-Message := &request:Module-Failure-Message
}
}
}
pre-proxy {
}
post-proxy {
eap
}
} # inner-tunnel server block
This is the server debug log from a login where the client is assigned correctly to VLAN 11. (Note that this is full debug output: it contains the tunneled cleartext User-Password, the user's password hash as stored in LDAP, and the MS-MPPE keys — these should be redacted before posting to a public list.)
Waking up in 4.2 seconds.
(36) Received Access-Request Id 134 from 192.168.100.112:43578 to
192.168.100.201:1812 length 238
(36) User-Name = "abc"
(36) NAS-IP-Address = 10.0.152.66
(36) NAS-Identifier = "802aa84654f2"
(36) NAS-Port = 0
(36) Called-Station-Id = "80-2A-A8-47-54-F2:SeminaryWiFi"
(36) Calling-Station-Id = "08-11-96-10-3E-14"
(36) Framed-MTU = 1400
(36) NAS-Port-Type = Wireless-802.11
(36) Connect-Info = "CONNECT 0Mbps 802.11b"
(36) EAP-Message =
0x02f3003f1580000000351703030030000000000000000188d6f04ed73463104a8a627456c7e888d8b95d71a34a21aab4724d66d06b041bdd7edbcdd4621d4b
(36) State = 0xa61de71ea2eef24e8e3c6f3ed559ee72
(36) Message-Authenticator = 0x1b19bc1f2f655c8f332822c15cd5f3a7
(36) session-state: No cached attributes
(36) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(36) authorize {
(36) policy filter_username {
(36) if (&User-Name) {
(36) if (&User-Name) -> TRUE
(36) if (&User-Name) {
(36) if (&User-Name =~ /@[^@]*@/ ) {
(36) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(36) if (&User-Name =~ /\.\./ ) {
(36) if (&User-Name =~ /\.\./ ) -> FALSE
(36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(36) if (&User-Name =~ /\.$/) {
(36) if (&User-Name =~ /\.$/) -> FALSE
(36) if (&User-Name =~ /@\./) {
(36) if (&User-Name =~ /@\./) -> FALSE
(36) } # if (&User-Name) = notfound
(36) } # policy filter_username = notfound
(36) [preprocess] = ok
(36) [chap] = noop
(36) [mschap] = noop
(36) ntdomain: Checking for prefix before "\"
(36) ntdomain: No '\' in User-Name = "abc", looking up realm NULL
(36) ntdomain: No such realm "NULL"
(36) [ntdomain] = noop
(36) eap: Peer sent EAP Response (code 2) ID 243 length 63
(36) eap: Continuing tunnel setup
(36) [eap] = ok
(36) } # authorize = ok
(36) Found Auth-Type = eap
(36) # Executing group from file /etc/freeradius/sites-enabled/default
(36) authenticate {
(36) eap: Expiring EAP session with state 0xa61de71ea2eef24e
(36) eap: Finished EAP session with state 0xa61de71ea2eef24e
(36) eap: Previous EAP request found for state 0xa61de71ea2eef24e, released
from the list
(36) eap: Peer sent packet with method EAP TTLS (21)
(36) eap: Calling submodule eap_ttls to process data
(36) eap_ttls: Authenticate
(36) eap_ttls: Continuing EAP-TLS
(36) eap_ttls: Peer indicated complete TLS record size will be 53 bytes
(36) eap_ttls: Got complete TLS record (53 bytes)
(36) eap_ttls: [eaptls verify] = length included
(36) eap_ttls: [eaptls process] = ok
(36) eap_ttls: Session established. Proceeding to decode tunneled
attributes
(36) eap_ttls: Got tunneled request
(36) eap_ttls: User-Name = "abc"
(36) eap_ttls: User-Password = "abcd"
(36) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(36) eap_ttls: Sending tunneled request
(36) Virtual server inner-tunnel received request
(36) User-Name = "abc"
(36) User-Password = "abcd"
(36) FreeRADIUS-Proxied-To = 127.0.0.1
(36) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(36) server inner-tunnel {
(36) # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
(36) authorize {
(36) policy filter_username {
(36) if (&User-Name) {
(36) if (&User-Name) -> TRUE
(36) if (&User-Name) {
(36) if (&User-Name =~ /@[^@]*@/ ) {
(36) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(36) if (&User-Name =~ /\.\./ ) {
(36) if (&User-Name =~ /\.\./ ) -> FALSE
(36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(36) if (&User-Name =~ /\.$/) {
(36) if (&User-Name =~ /\.$/) -> FALSE
(36) if (&User-Name =~ /@\./) {
(36) if (&User-Name =~ /@\./) -> FALSE
(36) } # if (&User-Name) = notfound
(36) } # policy filter_username = notfound
(36) [chap] = noop
(36) [mschap] = noop
(36) ntdomain: Checking for prefix before "\"
(36) ntdomain: No '\' in User-Name = "abc", looking up realm NULL
(36) ntdomain: No such realm "NULL"
(36) [ntdomain] = noop
(36) update control {
(36) &Proxy-To-Realm := LOCAL
(36) } # update control = noop
(36) eap: No EAP-Message, not doing EAP
(36) [eap] = noop
(36) [files] = noop
rlm_ldap (ldap): Reserved connection (1)
(36) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(36) ldap: --> (cn=abc)
(36) ldap: Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with
filter "(cn=abc)", scope "sub"
(36) ldap: Waiting for search result...
(36) ldap: User object found at DN
"cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
(36) ldap: Processing user attributes
(36) ldap: control:Password-With-Header +=
'{ssha}dYlL9kdAZTjsDzkBHYg5bEJ6J+w6tm5V4pSR+A=='
(36) ldap: control:Password-With-Header += 'abcd'
rlm_ldap (ldap): Released connection (1)
Need 2 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (8), 1 of 24 pending slots
used
rlm_ldap (ldap): Connecting to ldap://localhost:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(36) [ldap] = updated
rlm_ldap (adldap): Reserved connection (0)
(36) adldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(36) adldap: --> (cn=abc)
(36) adldap: Performing search in "ou=School,dc=seminary,dc=ad" with filter
"(cn=abc)", scope "sub"
(36) adldap: Waiting for search result...
(36) adldap: The specified DN wasn't found
(36) adldap: Search returned no results
rlm_ldap (adldap): Released connection (0)
Need 2 more connections to reach 10 spares
rlm_ldap (adldap): Opening additional connection (8), 1 of 24 pending slots
used
rlm_ldap (adldap): Connecting to ldap://localhost:389
rlm_ldap (adldap): Waiting for bind result...
rlm_ldap (adldap): Bind successful
(36) [adldap] = notfound
(36) [expiration] = noop
(36) [logintime] = noop
(36) pap: Converted: &control:Password-With-Header ->
&control:SSHA1-Password
(36) pap: Removing &control:Password-With-Header
(36) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password
(36) pap: Removing &control:Password-With-Header
(36) pap: Normalizing SSHA1-Password from base64 encoding, 40 bytes -> 28
bytes
(36) [pap] = updated
(36) } # authorize = updated
(36) Found Auth-Type = PAP
(36) # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
(36) Auth-Type PAP {
(36) pap: Login attempt with password
(36) pap: Comparing with "known-good" SSHA-Password
(36) pap: User authenticated successfully
(36) [pap] = ok
(36) } # Auth-Type PAP = ok
(36) # Executing section post-auth from file
/etc/freeradius/sites-enabled/inner-tunnel
(36) post-auth {
(36) ldap: EXPAND .
(36) ldap: --> .
(36) ldap: EXPAND Authenticated at %S
(36) ldap: --> Authenticated at 2017-09-25 17:31:28
rlm_ldap (ldap): Reserved connection (2)
(36) ldap: Using user DN from request
"cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
(36) ldap: Modifying object with DN
"cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
(36) ldap: Waiting for modify result...
rlm_ldap (ldap): Released connection (2)
(36) [ldap] = ok
(36) } # post-auth = ok
(36) } # server inner-tunnel
(36) Virtual server sending reply
(36) eap_ttls: Got tunneled Access-Accept
(36) eap_ttls: No information to cache: session caching will be disabled
for session 2e7aac7106dabc6b230c2e692645fa699f7f7c6d5757c770ea48340202308f5b
(36) eap: Sending EAP Success (code 3) ID 243 length 4
(36) eap: Freeing handler
(36) [eap] = ok
(36) } # authenticate = ok
(36) # Executing section post-auth from file
/etc/freeradius/sites-enabled/default
(36) post-auth {
(36) update {
(36) No attributes updated
(36) } # update = noop
(36) if (Ldap-Group == "cn=Teachers,ou=School,dc=seminary,dc=ad") {
(36) Searching for user in group
"cn=Teachers,ou=School,dc=seminary,dc=ad"
rlm_ldap (ldap): Reserved connection (3)
(36) EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(36) --> (cn=abc)
(36) Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with
filter "(cn=abc)", scope "sub"
(36) Waiting for search result...
(36) User object found at DN
"cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
(36) Checking user object's memberOf attributes
(36) Performing unfiltered search in
"cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local", scope "base"
(36) Waiting for search result...
(36) Processing memberOf value
"cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" as a DN
rlm_ldap (ldap): Released connection (3)
(36) User is not a member of "cn=Teachers,ou=School,dc=seminary,dc=ad"
(36) if (Ldap-Group == "cn=Teachers,ou=School,dc=seminary,dc=ad") ->
FALSE
(36) if (Ldap-Group ==
"cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local") {
(36) Searching for user in group
"cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local"
rlm_ldap (ldap): Reserved connection (4)
(36) Using user DN from request
"cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
(36) Checking user object's memberOf attributes
(36) Performing unfiltered search in
"cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local", scope "base"
(36) Waiting for search result...
(36) Processing memberOf value
"cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" as a DN
rlm_ldap (ldap): Released connection (4)
(36) User is not a member of
"cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local"
(36) if (Ldap-Group ==
"cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local") -> FALSE
(36) if (Ldap-Group ==
"cn=Formators,ou=SeminaryOU,dc=seminary,dc=local") {
(36) Searching for user in group
"cn=Formators,ou=SeminaryOU,dc=seminary,dc=local"
rlm_ldap (ldap): Reserved connection (0)
(36) Using user DN from request
"cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
(36) Checking user object's memberOf attributes
(36) Performing unfiltered search in
"cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local", scope "base"
(36) Waiting for search result...
(36) Processing memberOf value
"cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" as a DN
rlm_ldap (ldap): Released connection (0)
(36) User is not a member of
"cn=Formators,ou=SeminaryOU,dc=seminary,dc=local"
(36) if (Ldap-Group ==
"cn=Formators,ou=SeminaryOU,dc=seminary,dc=local") -> FALSE
(36) if (Ldap-Group ==
"cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local") {
(36) Searching for user in group
"cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
rlm_ldap (ldap): Reserved connection (6)
(36) Using user DN from request
"cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
(36) Checking user object's memberOf attributes
(36) Performing unfiltered search in
"cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local", scope "base"
(36) Waiting for search result...
(36) Processing memberOf value
"cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" as a DN
(36) User found in group DN
"cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local". Comparison between
membership: dn, check: dn
rlm_ldap (ldap): Released connection (6)
(36) if (Ldap-Group ==
"cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local") -> TRUE
(36) if (Ldap-Group ==
"cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local") {
(36) update reply {
(36) Tunnel-Type = VLAN
(36) Tunnel-Medium-Type = IEEE-802
(36) Tunnel-Private-Group-ID = "11"
(36) } # update reply = noop
(36) } # if (Ldap-Group ==
"cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local") = noop
(36) if (Ldap-Group == "cn=Staff,ou=SeminaryOU,dc=seminary,dc=local") {
(36) Searching for user in group
"cn=Staff,ou=SeminaryOU,dc=seminary,dc=local"
rlm_ldap (ldap): Reserved connection (5)
(36) Using user DN from request
"cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
(36) Checking user object's memberOf attributes
(36) Performing unfiltered search in
"cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local", scope "base"
(36) Waiting for search result...
(36) Processing memberOf value
"cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" as a DN
rlm_ldap (ldap): Released connection (5)
(36) User is not a member of
"cn=Staff,ou=SeminaryOU,dc=seminary,dc=local"
(36) if (Ldap-Group == "cn=Staff,ou=SeminaryOU,dc=seminary,dc=local")
-> FALSE
(36) if (Ldap-Group == "cn=School,ou=SeminaryOU,dc=seminary,dc=local") {
(36) Searching for user in group
"cn=School,ou=SeminaryOU,dc=seminary,dc=local"
rlm_ldap (ldap): Reserved connection (7)
(36) Using user DN from request
"cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
(36) Checking user object's memberOf attributes
(36) Performing unfiltered search in
"cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local", scope "base"
(36) Waiting for search result...
(36) Processing memberOf value
"cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" as a DN
rlm_ldap (ldap): Released connection (7)
(36) User is not a member of
"cn=School,ou=SeminaryOU,dc=seminary,dc=local"
(36) if (Ldap-Group == "cn=School,ou=SeminaryOU,dc=seminary,dc=local")
-> FALSE
(36) ldap: EXPAND .
(36) ldap: --> .
(36) ldap: EXPAND Authenticated at %S
(36) ldap: --> Authenticated at 2017-09-25 17:31:28
rlm_ldap (ldap): Reserved connection (1)
(36) ldap: Using user DN from request
"cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
(36) ldap: Modifying object with DN
"cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
(36) ldap: Waiting for modify result...
rlm_ldap (ldap): Released connection (1)
(36) [ldap] = ok
(36) [exec] = noop
(36) policy remove_reply_message_if_eap {
(36) if (&reply:EAP-Message && &reply:Reply-Message) {
(36) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(36) else {
(36) [noop] = noop
(36) } # else = noop
(36) } # policy remove_reply_message_if_eap = noop
(36) } # post-auth = ok
(36) Sent Access-Accept Id 134 from 192.168.100.201:1812 to
192.168.100.112:43578 length 0
(36) MS-MPPE-Recv-Key =
0x1f09c87d9c6e4761e1e2c4ae95c1773d9eaabb1020e146b71648faef7be7f449
(36) MS-MPPE-Send-Key =
0xd82966c83116ad0ab06a985ffe7a4a24704fe3bbfc772c8a547f0df9b67cc765
(36) EAP-Message = 0x03f30004
(36) Message-Authenticator = 0x00000000000000000000000000000000
(36) User-Name = "abc"
(36) Tunnel-Type = VLAN
(36) Tunnel-Medium-Type = IEEE-802
(36) Tunnel-Private-Group-Id = "11"
(36) Finished request