FreeRadius 3 OpenLDAP and MAC based Auth

Jürgen Northe jn at northe-online.de
Thu Jan 10 21:53:41 CET 2019


Hello !
> You send an Access-Request with User-Name and User-Password
> (0) Received Access-Request Id 165 from 192.168.0.7:3437 to
>> 192.168.0.215:1812 length 241
>> (0) User-Name = "106530670342"
>> (0) User-Password = "106530670342"
> You check the user but there's no password
> (0) redundant redundant_ldap {
>> rlm_ldap (ldap1): Reserved connection (0)
>> (0) ldap1: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
>> (0) ldap1: --> (cn=106530670342)
>> (0) ldap1: Performing search in "dc=firma,dc=de" with filter
>> "(cn=106530670342)", scope "sub"
>> (0) ldap1: Waiting for search result...
>> (0) ldap1: User object found at DN
>> "cn=NBBZ1807-134,cn=4.notebooks,cn=172.17.0.0,cn=SUBNET,cn=DHCP
>> Config,dc=firma,dc=de"
>> (0) ldap1: Processing user attributes
>> (0) ldap1: WARNING: No "known good" password added. Ensure the admin user
>> has permission to read the password attribute
>> (0) ldap1: WARNING: PAP authentication will *NOT* work with Active
>> Directory (if that is what you were trying to configure)
>>
> So Access-Reject is sent

Yes, the Access-request from the switch contains User-Name and
User-Password, both attributes contain the mac address without hyphen.  If there is a match in LDAP the user is authorized and therefor
accepted. The Access-reply should contain the the attributes like VLAN ID.

I can see that the user is found in the directory...

(0) ldap1: Performing search in "dc=firma,dc=de" with filter "(cn=106530670342)", scope "sub"
(0) ldap1: Waiting for search result...
(0) ldap1: User object found at DN "cn=NBBZ1807-134,cn=4.notebooks,cn=172.17.0.0,cn=SUBNET,cn=DHCP Config,dc=firma,dc=de"
(0) ldap1: Processing user attributes
...
(0) } # authorize = ok

Am I wrong to say the authorization was successful?

In FR2 I had a schema for the freeradius loaded in OpenLDAP. I did not found any related informations for a FR3 schema for OpenLDAP but also tried to use the scheme which I used in FR2 without any other results.

Thank you!




More information about the Freeradius-Users mailing list