Error while authenticating users on Wifi.

Alan Buxey alan.buxey at gmail.com
Fri May 25 10:26:04 CEST 2018


For 3.x you need to use the new config - you can't just cut and paste v2
ldap config onto a v3 server.



On 25 May 2018 at 06:48, Saurabh Lahoti <saurabh.astronomy at gmail.com> wrote:

> Dear Alan,
>
> As per your recommendation, I have configured the ldap module for wifi, with
> users to be allowed through clients.conf & the wifi virtual server.
>
> While testing a user over wifi, authentication fails due to LDAP search
> criteria missing from the ldap server config.
>
> Error:
> rlm_ldap (ldapwifi): Waiting for bind result...
> rlm_ldap (ldapwifi): Bind successful
> (0)       [ldapwifi] = ok
> (0)       if ((ok || updated) && User-Password) {
> (0)       if ((ok || updated) && User-Password)  -> TRUE
> (0)       if ((ok || updated) && User-Password)  {
> (0)         update {
> (0)           control:Auth-Type := LDAP
> (0)         } # update = noop
> (0)       } # if ((ok || updated) && User-Password)  = noop
> (0)     } # elsif ( Airespace-Wlan-Id == 2 )  = ok
> (0)     [expiration] = noop
> (0)     [logintime] = noop
> (0)   } # authorize = ok
> (0) Found Auth-Type = LDAP
> (0) # Executing group from file
> /usr/app/radius-new2/prod-corp-internal/etc/raddb/sites-enabled/wifi
> (0)   Auth-Type LDAP {
> rlm_ldap (ldapwifi): Reserved connection (1)
> (0) ldapwifi: Login attempt by "u5496622"
> (0) ldapwifi: Using user DN from request
> "uid=u5496622,ou=Wifiusers,ou=Partners,o=mydomain.com"
> (0) ldapwifi: Waiting for bind result...
> (0) ldapwifi: Bind successful
> (0) ldapwifi: Bind as user "uid=u5496622, ou=Wifiusers,ou=Partners,o=
> mydomain.com" was successful
> rlm_ldap (ldapwifi): Released connection (1)
> (0)     [ldapwifi] = ok
> (0)   } # Auth-Type LDAP = ok
> (0) # Executing section post-auth from file
> /usr/app/radius-new2/prod-corp-internal/etc/raddb/sites-enabled/wifi
> (0)   post-auth {
> (0)     if ( Airespace-Wlan-Id == 2 ) {
> (0)     if ( Airespace-Wlan-Id == 2 )  -> TRUE
> (0)     if ( Airespace-Wlan-Id == 2 )  {
> (0)       if ( "%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain.
> com$/i
> ) {
> (0)       EXPAND %{control:LDAP-UserDN}
> (0)          --> uid=u5496622,ou=Wifiusers,ou=Partners,o=mydomain.com
> (0)       if ( "%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=
> mydomain.com$/i
> )  -> FALSE
> (0)       elsif ( LDAP_Group == "cn=WiFiGuestPartners,ou=RADIUS
> Groups,ou=Groups,ou=staff,o=mydomain.com" ) {
> (0)       elsif ( LDAP_Group == "cn=WiFiGuestPartners,ou=RADIUS
> Groups,ou=Groups,ou=staff,o=mydomain.com" )  -> FALSE
> (0)       else {
> (0)         [reject] = reject
> (0)       } # else = reject
> (0)     } # if ( Airespace-Wlan-Id == 2 )  = reject
> (0)   } # post-auth = reject
> (0) Using Post-Auth-Type Reject
> (0) Post-Auth-Type sub-section not found.  Ignoring.
> (0) # Executing group from file
> /usr/app/radius-new2/prod-corp-internal/etc/raddb/sites-enabled/wifi
> (0) Rejected in post-auth: [u5496622] (from client WLC1 port 13 cli
> 00-28-f8-10-56-35)
> (0) Login incorrect: [u5496622] (from client WLC1 port 13 cli
> 00-28-f8-10-56-35)
> (0) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (0) Sending delayed response
> (0) Sent Access-Reject Id 16 from 192.168.154.96:1812 to
> 172.18.40.40:32774
> length 20
> Waking up in 3.9 seconds.
> (0) Cleaning up request packet ID 16 with timestamp +27
>
>
> For existing working access:
> # Executing section post-auth from file
> /usr/app/radius/prod-corp-internal//sites-enabled/wifi
> +group post-auth {
> ++? if (Airespace-Wlan-Id == 2 )
> ? Evaluating (Airespace-Wlan-Id == 2 ) -> TRUE
> ++? if (Airespace-Wlan-Id == 2 ) -> TRUE
> ++if (Airespace-Wlan-Id == 2 ) {
> +++? if ("%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain.com$/i )
>         expand: %{control:LDAP-UserDN} -> uid=u5496622,
> ou=Wifiusers,ou=Partners,o=mydomain.com
> ? Evaluating ("%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain.com
> $/i)
> -> FALSE
> +++? if ("%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain.com$/i )
> -> FALSE
> +++? elsif (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS
> Groups,ou=Groups,ou=staff,o=mydomain.com" )
>   [ldapwifi2] Entering ldap_groupcmp()
>         expand: o=mydomain.com -> o=mydomain.com
>         expand:
> (&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))
> ->
> (&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3du5496622\
> 2cou\3dWifiusers\2cou\3dPartners\2co\
> 3dmydomain.com))
>   [ldapwifi2] ldap_get_conn: Checking Id: 0
>   [ldapwifi2] ldap_get_conn: Got Id: 0
>   [ldapwifi2] performing search in cn=WiFiGuestPartners,ou=RADIUS
> Groups,ou=Groups,ou=staff,o=mydomain.com, with filter
> (&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3du5496622\
> 2cou\3dWifiusers\2cou\3dPartners\2co\
> 3dmydomain.com))
> rlm_ldap::ldap_groupcmp: User found in group cn=WiFiGuestPartners,ou=RADIUS
> Groups,ou=Groups,ou=staff,o=mydomain.com
>   [ldapwifi2] ldap_release_conn: Release Id: 0
> ? Evaluating (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS
> Groups,ou=Groups,ou=staff,o= mydomain.com " ) -> TRUE
> +++? elsif (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS
> Groups,ou=Groups,ou=staff,o= mydomain.com " ) -> TRUE
> +++elsif (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS
> Groups,ou=Groups,ou=staff,o= mydomain.com " ) {
> ++++[noop] = noop
> +++} # elsif (LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS
> Groups,ou=Groups,ou=staff,o= mydomain.com " ) = noop
> +++ ... skipping else for request 1: Preceding "if" was taken
> ++} # if (Airespace-Wlan-Id == 2 ) = noop
>
> The existing version is 2.0.x & the new version is 3.0.17. Could you please
> help us with the correct method to search the LDAP directory from radius?
>
> ----
>
> *Thanks & Kind Regards,*
> Saurabh LAHOTI.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
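As an added example (not Alan's or Saurabh's text, and not FreeRADIUS's shipped configuration), here is how the same LDAP module and post-auth decision are written for FreeRADIUS 3.0.x. It keeps the instance name `ldapwifi` and the DNs that appear in the debug output; the LDAP host, bind identity and password are placeholders. One assumption to confirm against the server's own `radiusd -X` startup output: in 3.0 an rlm_ldap instance whose name is not `ldap` registers its group-comparison attribute as `<instance>-LDAP-Group`, so the check below uses `ldapwifi-LDAP-Group` rather than the bare `LDAP-Group` of the 2.x log. The diagnostic worth knowing is visible in the two logs above: the 2.x run prints `Entering ldap_groupcmp()` and a `performing search in cn=WiFiGuestPartners,...` line before the elsif turns TRUE, while the 3.0.17 run evaluates its `LDAP_Group` comparison straight to FALSE with no search at all, which means the comparison never reached the module. A correctly wired 3.x group check produces search lines again.

```text
# --- mods-available/ldapwifi  (symlink into mods-enabled/) --------------------
# Added example for FreeRADIUS 3.0.x; instance name "ldapwifi" as in the thread.
ldap ldapwifi {
        server   = 'ldap.example.internal'        # placeholder host
        identity = 'cn=radius,o=mydomain.com'    # placeholder bind DN
        password = 'CHANGE-ME'                    # placeholder
        base_dn  = 'o=mydomain.com'

        # Where user objects live and how one is found by login name. The
        # user DN in the thread is uid=...,ou=Wifiusers,ou=Partners,o=mydomain.com,
        # so a sub-tree search below ou=Partners is sufficient.
        user {
                base_dn = "ou=Partners,${..base_dn}"
                filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
                scope   = 'sub'
        }

        # Group checks. The 2.x log searched GroupOfUniqueNames objects with
        # uniquemember=<user DN>; the same test is expressed here through
        # membership_filter. control:LDAP-UserDN is set by the authorize call
        # (it expands correctly in the 3.0.17 log above).
        group {
                base_dn           = "ou=RADIUS Groups,ou=Groups,ou=staff,${..base_dn}"
                filter            = '(objectClass=groupOfUniqueNames)'
                scope             = 'sub'
                name_attribute    = cn
                membership_filter = "(uniqueMember=%{control:LDAP-UserDN})"
                # No memberOf attribute on user objects is assumed, so
                # membership_attribute stays unset; caching is off so every
                # comparison really queries the directory.
                cacheable_name = 'no'
                cacheable_dn   = 'no'
        }

        pool {
                start = 5
                min   = 4
                max   = 10
                spare = 3
                uses  = 0
                lifetime = 0
                idle_timeout = 60
        }
}

# --- sites-available/wifi  (only the sections relevant to the thread) ---------
server wifi {
        authorize {
                if (Airespace-Wlan-Id == 2) {
                        ldapwifi
                        if ((ok || updated) && User-Password) {
                                update {
                                        control:Auth-Type := LDAP
                                }
                        }
                }
                expiration
                logintime
        }

        authenticate {
                # Defines Auth-Type LDAP; binds as the user DN found in authorize.
                Auth-Type LDAP {
                        ldapwifi
                }
        }

        post-auth {
                if (Airespace-Wlan-Id == 2) {
                        # Guest OU users pass on their DN alone. The dot is
                        # escaped so it matches only a literal ".".
                        if ("%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=mydomain\.com$/i) {
                                noop
                        }
                        # 3.x group comparison for a non-default instance name:
                        # <instance>-LDAP-Group, here ldapwifi-LDAP-Group. The right
                        # side may be a group DN (as in the thread) or a cn value.
                        elsif (ldapwifi-LDAP-Group == "cn=WiFiGuestPartners,ou=RADIUS Groups,ou=Groups,ou=staff,o=mydomain.com") {
                                noop
                        }
                        else {
                                reject
                        }
                }
                Post-Auth-Type REJECT {
                        attr_filter.access_reject
                }
        }
}
```

When testing with `radiusd -X`, a request for `u5496622` on WLAN id 2 should now show the group search (`performing search in cn=WiFiGuestPartners,...`) under the elsif, as the 2.x output did, before the condition evaluates; if the elsif still goes straight to FALSE, the attribute name on its left side is not the one this instance registered.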


More information about the Freeradius-Users mailing list