Microsoft AD group check

Alan DeKok aland at deployingradius.com
Mon Jan 13 01:09:14 CET 2020 

On Jan 12, 2020, at 5:21 PM, Marek SmoliƄski <marksmol at o2.pl> wrote:
> 
> I turned off cachable_dn
> Debug output 
> 
> if 802.1x authentication fails, MAB authentication is attempted. You can see it at the end of the printout. The attempt will of course fail, because there is no such user in MySQL database. In MySQL database there are only MAC addresses of printers.

  If you're not debugging MAB, then don't include it in the debug output.  The same goes for accounting packets.  When you add useless garbage to the debug output, you're making it more difficult for us to help you.

  There's a wiki page which describes what to do when posting to the list.   Please follow it.

http://wiki.freeradius.org/list-help/

  Simply searching the debug output for LDAP-Cached-Membership shows the problem:

(7) ldap: Adding cacheable user object memberships
(7) ldap:   &control:LDAP-Cached-Membership += "VLAN130_SIEO1"
...
(8) ldap:   &control:LDAP-Cached-Membership += "VLAN130_SIEO1"
(8) ldap: EXPAND (|(&(objectClass=group)(member=%{control:Ldap-UserDn})))
...
(9)       elsif (LDAP-Cached-Membership[*] =~ /.*VLAN130_.*/) {
(9)       elsif (LDAP-Cached-Membership[*] =~ /.*VLAN130_.*/)  -> FALSE

  The first number (7), (8), and (9) are the packet numbers.  So you're saving the LDAP-Cached-Membership attribute in packet 8, and then looking for it in packet 9.  That won't work.

  Further, read the debug output.  The LDAP-Cached-Membership attribute is being added to the *control* list.  And the "if" check you wrote isn't looking in the "control" list.

  The server doesn't cache all attributes across all packets.  You need to save the packets in the session-state list.

  i.e.  In the post-auth section, do:

post-auth {
	...
	Post-Auth-Type Challenge {
		update session-state {
			&LDAP-Cached-Membership = &control:LDAP-Cached-Membership
		}
	}
	...
}

  The server will then cache that attribute across multiple packets for the same EAP session.

  Then, when checking it, do:

	if (&session-state:LDAP-Cached-Membership[*] =~ /.*VLAN130_.*/) {

  That should work.

  Alan DeKok.

More information about the Freeradius-Users mailing list