post-auth | ldap-group | huntgroup

Markus Demmert (BESITEC-DEHAM) MDemmert at besitec.com
Fri Feb 5 21:49:51 CET 2021


Hi,
Thank you, that was the right advice.
The switch does not send a NAS IP. Unfortunately there is no option on the switch to enter this manually.
Many thanks for your help!
Brgds,
MaDe

> Sorry, I overread.
> So... where is the Huntgroup-Name coming from?
> 
> I edited the file huntgroup with the following:
> cisco-group	NAS-IP-Address == 10.3.10.10

> And the debug output shows that the "preprocess" module doesn't match anything.  Why?  Reading the debug output again shows that the packet contains:

> (0) Received Access-Request Id 19 from 10.3.10.10:49205 to 10.3.3.10:1812 length 94
> (0)   User-Name = "user.name"
> (0)   User-Password = "pass.word"
> (0)   Cisco-AVPair = "shell:priv-lvl=1"
> (0)   NAS-IP-Address = 0.0.0.0
> (0)   Acct-Session-Id = "0500015B"

>Why doesn't this packet match
>NAS-IP-Address == 10.3.10.10 ?


> Sorry, I overread.
> So... where is the Huntgroup-Name coming from?

> I edited the file huntgroup with the following:
> cisco-group	NAS-IP-Address == 10.3.10.10

> Thh
> MaDe



>Hi,
>Thanks for your reply here is the debug output.

>FreeRADIUS Version 3.0.20
>Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
>There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>PARTICULAR PURPOSE
>You may redistribute copies of FreeRADIUS under the terms of the
>GNU General Public License
>For more information about these matters, see the file named COPYRIGHT
>Starting - reading configuration files ...
>including dictionary file /usr/share/freeradius/dictionary
>including dictionary file /usr/share/freeradius/dictionary.dhcp
>including dictionary file /usr/share/freeradius/dictionary.vqp
>including dictionary file /etc/freeradius/3.0/dictionary
>including configuration file /etc/freeradius/3.0/radiusd.conf
>including configuration file /etc/freeradius/3.0/proxy.conf
>including configuration file /etc/freeradius/3.0/clients.conf
>including files in directory /etc/freeradius/3.0/mods-enabled/
>including configuration file /etc/freeradius/3.0/mods-enabled/replicate
>including configuration file /etc/freeradius/3.0/mods-enabled/ldap
>including configuration file /etc/freeradius/3.0/mods-enabled/passwd
>including configuration file /etc/freeradius/3.0/mods-enabled/always
>including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
>including configuration file /etc/freeradius/3.0/mods-enabled/chap
>including configuration file /etc/freeradius/3.0/mods-enabled/pap
>including configuration file /etc/freeradius/3.0/mods-enabled/digest
>including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
>including configuration file /etc/freeradius/3.0/mods-enabled/linelog
>including configuration file /etc/freeradius/3.0/mods-enabled/realm
>including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
>including configuration file /etc/freeradius/3.0/mods-enabled/unpack
>including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
>including configuration file /etc/freeradius/3.0/mods-enabled/utf8
>including configuration file /etc/freeradius/3.0/mods-enabled/echo
>including configuration file /etc/freeradius/3.0/mods-enabled/eap
>including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
>including configuration file /etc/freeradius/3.0/mods-enabled/soh
>including configuration file /etc/freeradius/3.0/mods-enabled/unix
>including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
>including configuration file /etc/freeradius/3.0/mods-enabled/detail
>including configuration file /etc/freeradius/3.0/mods-enabled/exec
>including configuration file /etc/freeradius/3.0/mods-enabled/expiration
>including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
>including configuration file /etc/freeradius/3.0/mods-enabled/logintime
>including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
>including configuration file /etc/freeradius/3.0/mods-enabled/expr
>including configuration file /etc/freeradius/3.0/mods-enabled/mschap
>including configuration file /etc/freeradius/3.0/mods-enabled/files
>including files in directory /etc/freeradius/3.0/policy.d/
>including configuration file /etc/freeradius/3.0/policy.d/filter
>including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
>including configuration file /etc/freeradius/3.0/policy.d/rfc7542
>including configuration file /etc/freeradius/3.0/policy.d/accounting
>including configuration file /etc/freeradius/3.0/policy.d/operator-name
>including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
>including configuration file /etc/freeradius/3.0/policy.d/debug
>including configuration file /etc/freeradius/3.0/policy.d/canonicalization
>including configuration file /etc/freeradius/3.0/policy.d/eap
>including configuration file /etc/freeradius/3.0/policy.d/dhcp
>including configuration file /etc/freeradius/3.0/policy.d/control
>including configuration file /etc/freeradius/3.0/policy.d/cui
>including files in directory /etc/freeradius/3.0/sites-enabled/
>including configuration file /etc/freeradius/3.0/sites-enabled/ldap-network
>including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
>main {
> security {
> 	user = "freerad"
> 	group = "freerad"
> 	allow_core_dumps = no
> }
>	name = "freeradius"
>	prefix = "/usr"
>	localstatedir = "/var"
>	logdir = "/var/log/freeradius"
>	run_dir = "/var/run/freeradius"
>}
>main {
>	name = "freeradius"
>	prefix = "/usr"
>	localstatedir = "/var"
>	sbindir = "/usr/sbin"
>	logdir = "/var/log/freeradius"
>	run_dir = "/var/run/freeradius"
>	libdir = "/usr/lib/freeradius"
>	radacctdir = "/var/log/freeradius/radacct"
>	hostname_lookups = no
>	max_request_time = 30
>	cleanup_delay = 5
>	max_requests = 16384
>	pidfile = "/var/run/freeradius/freeradius.pid"
>	checkrad = "/usr/sbin/checkrad"
>	debug_level = 0
>	proxy_requests = yes
> log {
> 	stripped_names = no
> 	auth = no
> 	auth_badpass = no
> 	auth_goodpass = no
> 	colourise = yes
> 	msg_denied = "You are already logged in - access denied"
> }
> resources {
> }
> security {
> 	max_attributes = 200
> 	reject_delay = 1.000000
> 	status_server = yes
> }
>}
>radiusd: #### Loading Realms and Home Servers ####
> proxy server {
> 	retry_delay = 5
> 	retry_count = 3
> 	default_fallback = no
> 	dead_time = 120
> 	wake_all_if_all_dead = no
> }
> home_server localhost {
> 	ipaddr = 127.0.0.1
> 	port = 1812
> 	type = "auth"
> 	secret = <<< secret >>>
> 	response_window = 20.000000
> 	response_timeouts = 1
> 	max_outstanding = 65536
> 	zombie_period = 40
> 	status_check = "status-server"
> 	ping_interval = 30
> 	check_interval = 30
> 	check_timeout = 4
> 	num_answers_to_alive = 3
> 	revive_interval = 120
>  limit {
>  	max_connections = 16
>  	max_requests = 0
>  	lifetime = 0
>  	idle_timeout = 0
>  }
>  coa {
>  	irt = 2
>  	mrt = 16
>  	mrc = 5
>  	mrd = 30
>  }
> }
> home_server_pool my_auth_failover {
>	type = fail-over
>	home_server = localhost
> }
> realm example.com {
>	auth_pool = my_auth_failover
> }
> realm LOCAL {
> }
>radiusd: #### Loading Clients ####
> client localhost {
> 	ipaddr = 10.3.3.10
> 	require_message_authenticator = no
> 	secret = <<< secret >>>
> 	nas_type = "other"
> 	proto = "*"
>  limit {
>  	max_connections = 16
>  	lifetime = 0
>  	idle_timeout = 30
>  }
> }
> client cisco {
> 	ipaddr = 10.3.10.10/24
> 	require_message_authenticator = no
> 	secret = <<< secret >>>
> 	virtual_server = "ldap-network"
>  limit {
>  	max_connections = 16
>  	lifetime = 0
>  	idle_timeout = 30
>  }
> }
>Debugger not attached
>systemd watchdog is disabled
> # Creating Auth-Type = LDAP
> # Creating Auth-Type = mschap
> # Creating Auth-Type = eap
> # Creating Auth-Type = PAP
> # Creating Auth-Type = CHAP
> # Creating Auth-Type = MS-CHAP
>radiusd: #### Instantiating modules ####
> modules {
>  # Loaded module rlm_replicate
>  # Loading module "replicate" from file 
>/etc/freeradius/3.0/mods-enabled/replicate
>  # Loaded module rlm_ldap
>  # Loading module "ldap" from file 
>/etc/freeradius/3.0/mods-enabled/ldap
>  ldap {
>  	server = "ldaps://bg-deham-dc"
>  	identity = "cn=service.network.ldap,ou=service,ou=infrastructure,ou=user,dc=fhbertling,dc=local"
>  	password = <<< secret >>>
>   sasl {
>   }
>  	user_dn = "LDAP-UserDn"
>   user {
>   	scope = "sub"
>   	access_positive = yes
>    sasl {
>    }
>   }
>   group {
>   	filter = "(objectClass=group)"
>   	scope = "sub"
>   	name_attribute = "cn"
>   	membership_attribute = "memberOf"
>   	cacheable_name = no
>   	cacheable_dn = no
>   	allow_dangling_group_ref = no
>   }
>   client {
>   	filter = "(objectClass=radiusClient)"
>   	scope = "sub"
>   	base_dn = "ou=user,dc=fhbertling,dc=local"
>   }
>   profile {
>   }
>   options {
>   	ldap_debug = 40
>   	chase_referrals = yes
>   	rebind = yes
>   	net_timeout = 1
>   	res_timeout = 10
>   	srv_timelimit = 3
>   	idle = 60
>   	probes = 3
>   	interval = 3
>   }
>   tls {
>   	ca_file = "/etc/ssl/certs/fhbertling_root.pem"
>   	start_tls = no
>   	require_cert = "never"
>   }
>  }
>Creating attribute LDAP-Group
>  # Loaded module rlm_passwd
>  # Loading module "etc_passwd" from file 
>/etc/freeradius/3.0/mods-enabled/passwd
>  passwd etc_passwd {
>  	filename = "/etc/passwd"
>  	format = "*User-Name:Crypt-Password:"
>  	delimiter = ":"
>  	ignore_nislike = no
>  	ignore_empty = yes
>  	allow_multiple_keys = no
>  	hash_size = 100
>  }
>  # Loaded module rlm_always
>  # Loading module "reject" from file 
>/etc/freeradius/3.0/mods-enabled/always
>  always reject {
>  	rcode = "reject"
>  	simulcount = 0
>  	mpp = no
>  }
>  # Loading module "fail" from file 
>/etc/freeradius/3.0/mods-enabled/always
>  always fail {
>  	rcode = "fail"
>  	simulcount = 0
>  	mpp = no
>  }
>  # Loading module "ok" from file 
>/etc/freeradius/3.0/mods-enabled/always
>  always ok {
>  	rcode = "ok"
>  	simulcount = 0
>  	mpp = no
>  }
>  # Loading module "handled" from file 
>/etc/freeradius/3.0/mods-enabled/always
>  always handled {
>  	rcode = "handled"
>  	simulcount = 0
>  	mpp = no
>  }
>  # Loading module "invalid" from file 
>/etc/freeradius/3.0/mods-enabled/always
>  always invalid {
>  	rcode = "invalid"
>  	simulcount = 0
>  	mpp = no
>  }
>  # Loading module "userlock" from file 
>/etc/freeradius/3.0/mods-enabled/always
>  always userlock {
>  	rcode = "userlock"
>  	simulcount = 0
>  	mpp = no
>  }
>  # Loading module "notfound" from file 
>/etc/freeradius/3.0/mods-enabled/always
>  always notfound {
>  	rcode = "notfound"
>  	simulcount = 0
>  	mpp = no
>  }
>  # Loading module "noop" from file 
>/etc/freeradius/3.0/mods-enabled/always
>  always noop {
>  	rcode = "noop"
>  	simulcount = 0
>  	mpp = no
>  }
>  # Loading module "updated" from file 
>/etc/freeradius/3.0/mods-enabled/always
>  always updated {
>  	rcode = "updated"
>  	simulcount = 0
>  	mpp = no
>  }
>  # Loaded module rlm_exec
>  # Loading module "ntlm_auth" from file 
>/etc/freeradius/3.0/mods-enabled/ntlm_auth
>  exec ntlm_auth {
>  	wait = yes
>  	program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
>  	shell_escape = yes
>  }
>  # Loaded module rlm_chap
>  # Loading module "chap" from file 
>/etc/freeradius/3.0/mods-enabled/chap
>  # Loaded module rlm_pap
>  # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
>  pap {
>  	normalise = yes
>  }
>  # Loaded module rlm_digest
>  # Loading module "digest" from file 
>/etc/freeradius/3.0/mods-enabled/digest
>  # Loaded module rlm_detail
>  # Loading module "auth_log" from file 
>/etc/freeradius/3.0/mods-enabled/detail.log
>  detail auth_log {
>  	filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
>  	header = "%t"
>  	permissions = 384
>  	locking = no
>  	escape_filenames = no
>  	log_packet_header = no
>  }
>  # Loading module "reply_log" from file 
>/etc/freeradius/3.0/mods-enabled/detail.log
>  detail reply_log {
>  	filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
>  	header = "%t"
>  	permissions = 384
>  	locking = no
>  	escape_filenames = no
>  	log_packet_header = no
>  }
>  # Loading module "pre_proxy_log" from file 
>/etc/freeradius/3.0/mods-enabled/detail.log
>  detail pre_proxy_log {
>  	filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
>  	header = "%t"
>  	permissions = 384
>  	locking = no
>  	escape_filenames = no
>  	log_packet_header = no
>  }
>  # Loading module "post_proxy_log" from file 
>/etc/freeradius/3.0/mods-enabled/detail.log
>  detail post_proxy_log {
>  	filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
>  	header = "%t"
>  	permissions = 384
>  	locking = no
>  	escape_filenames = no
>  	log_packet_header = no
>  }
>  # Loaded module rlm_linelog
>  # Loading module "linelog" from file 
>/etc/freeradius/3.0/mods-enabled/linelog
>  linelog {
>  	filename = "/var/log/freeradius/linelog"
>  	escape_filenames = no
>  	syslog_severity = "info"
>  	permissions = 384
>  	format = "This is a log message for %{User-Name}"
>  	reference = "messages.%{%{reply:Packet-Type}:-default}"
>  }
>  # Loading module "log_accounting" from file 
>/etc/freeradius/3.0/mods-enabled/linelog
>  linelog log_accounting {
>  	filename = "/var/log/freeradius/linelog-accounting"
>  	escape_filenames = no
>  	syslog_severity = "info"
>  	permissions = 384
>  	format = ""
>  	reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
>  }
>  # Loaded module rlm_realm
>  # Loading module "IPASS" from file 
>/etc/freeradius/3.0/mods-enabled/realm
>  realm IPASS {
>  	format = "prefix"
>  	delimiter = "/"
>  	ignore_default = no
>  	ignore_null = no
>  }
>  # Loading module "suffix" from file 
>/etc/freeradius/3.0/mods-enabled/realm
>  realm suffix {
>  	format = "suffix"
>  	delimiter = "@"
>  	ignore_default = no
>  	ignore_null = no
>  }
>  # Loading module "bangpath" from file 
>/etc/freeradius/3.0/mods-enabled/realm
>  realm bangpath {
>  	format = "prefix"
>  	delimiter = "!"
>  	ignore_default = no
>  	ignore_null = no
>  }
>  # Loading module "realmpercent" from file 
>/etc/freeradius/3.0/mods-enabled/realm
>  realm realmpercent {
>  	format = "suffix"
>  	delimiter = "%"
>  	ignore_default = no
>  	ignore_null = no
>  }
>  # Loading module "ntdomain" from file 
>/etc/freeradius/3.0/mods-enabled/realm
>  realm ntdomain {
>  	format = "prefix"
>  	delimiter = "\\"
>  	ignore_default = no
>  	ignore_null = no
>  }
>  # Loaded module rlm_radutmp
>  # Loading module "sradutmp" from file 
>/etc/freeradius/3.0/mods-enabled/sradutmp
>  radutmp sradutmp {
>  	filename = "/var/log/freeradius/sradutmp"
>  	username = "%{User-Name}"
>  	case_sensitive = yes
>  	check_with_nas = yes
>  	permissions = 420
>  	caller_id = no
>  }
>  # Loaded module rlm_unpack
>  # Loading module "unpack" from file 
>/etc/freeradius/3.0/mods-enabled/unpack
>  # Loaded module rlm_preprocess
>  # Loading module "preprocess" from file 
>/etc/freeradius/3.0/mods-enabled/preprocess
>  preprocess {
>  	huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
>  	hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
>  	with_ascend_hack = no
>  	ascend_channels_per_line = 23
>  	with_ntdomain_hack = no
>  	with_specialix_jetstream_hack = no
>  	with_cisco_vsa_hack = no
>  	with_alvarion_vsa_hack = no
>  }
>  # Loaded module rlm_utf8
>  # Loading module "utf8" from file 
>/etc/freeradius/3.0/mods-enabled/utf8
>  # Loading module "echo" from file 
>/etc/freeradius/3.0/mods-enabled/echo
>  exec echo {
>  	wait = yes
>  	program = "/bin/echo %{User-Name}"
>  	input_pairs = "request"
>  	output_pairs = "reply"
>  	shell_escape = yes
>  }
>  # Loaded module rlm_eap
>  # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
>  eap {
>  	default_eap_type = "md5"
>  	timer_expire = 60
>  	ignore_unknown_eap_types = no
>  	cisco_accounting_username_bug = no
>  	max_sessions = 16384
>  }
>  # Loaded module rlm_dynamic_clients
>  # Loading module "dynamic_clients" from file 
>/etc/freeradius/3.0/mods-enabled/dynamic_clients
>  # Loaded module rlm_soh
>  # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
>  soh {
>  	dhcp = yes
>  }
>  # Loaded module rlm_unix
>  # Loading module "unix" from file 
>/etc/freeradius/3.0/mods-enabled/unix
>  unix {
>  	radwtmp = "/var/log/freeradius/radwtmp"
>  }
>Creating attribute Unix-Group
>  # Loaded module rlm_cache
>  # Loading module "cache_eap" from file 
>/etc/freeradius/3.0/mods-enabled/cache_eap
>  cache cache_eap {
>  	driver = "rlm_cache_rbtree"
>  	key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
>  	ttl = 15
>  	max_entries = 0
>  	epoch = 0
>  	add_stats = no
>  }
>  # Loading module "detail" from file 
>/etc/freeradius/3.0/mods-enabled/detail
>  detail {
>  	filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
>  	header = "%t"
>  	permissions = 384
>  	locking = no
>  	escape_filenames = no
>  	log_packet_header = no
>  }
>  # Loading module "exec" from file 
>/etc/freeradius/3.0/mods-enabled/exec
>  exec {
>  	wait = no
>  	input_pairs = "request"
>  	shell_escape = yes
>  	timeout = 10
>  }
>  # Loaded module rlm_expiration
>  # Loading module "expiration" from file 
>/etc/freeradius/3.0/mods-enabled/expiration
>  # Loading module "radutmp" from file 
>/etc/freeradius/3.0/mods-enabled/radutmp
>  radutmp {
>  	filename = "/var/log/freeradius/radutmp"
>  	username = "%{User-Name}"
>  	case_sensitive = yes
>  	check_with_nas = yes
>  	permissions = 384
>  	caller_id = yes
>  }
>  # Loaded module rlm_logintime
>  # Loading module "logintime" from file 
>/etc/freeradius/3.0/mods-enabled/logintime
>  logintime {
>  	minimum_timeout = 60
>  }
>  # Loaded module rlm_attr_filter
>  # Loading module "attr_filter.post-proxy" from file 
>/etc/freeradius/3.0/mods-enabled/attr_filter
>  attr_filter attr_filter.post-proxy {
>  	filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
>  	key = "%{Realm}"
>  	relaxed = no
>  }
>  # Loading module "attr_filter.pre-proxy" from file 
>/etc/freeradius/3.0/mods-enabled/attr_filter
>  attr_filter attr_filter.pre-proxy {
>  	filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
>  	key = "%{Realm}"
>  	relaxed = no
>  }
>  # Loading module "attr_filter.access_reject" from file 
>/etc/freeradius/3.0/mods-enabled/attr_filter
>  attr_filter attr_filter.access_reject {
>  	filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
>  	key = "%{User-Name}"
>  	relaxed = no
>  }
>  # Loading module "attr_filter.access_challenge" from file 
>/etc/freeradius/3.0/mods-enabled/attr_filter
>  attr_filter attr_filter.access_challenge {
>  	filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
>  	key = "%{User-Name}"
>  	relaxed = no
>  }
>  # Loading module "attr_filter.accounting_response" from file 
>/etc/freeradius/3.0/mods-enabled/attr_filter
>  attr_filter attr_filter.accounting_response {
>  	filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
>  	key = "%{User-Name}"
>  	relaxed = no
>  }
>  # Loaded module rlm_expr
>  # Loading module "expr" from file 
>/etc/freeradius/3.0/mods-enabled/expr
>  expr {
>  	safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
>  }
>  # Loaded module rlm_mschap
>  # Loading module "mschap" from file 
>/etc/freeradius/3.0/mods-enabled/mschap
>  mschap {
>  	use_mppe = yes
>  	require_encryption = no
>  	require_strong = no
>  	with_ntdomain_hack = yes
>   passchange {
>   }
>  	allow_retry = yes
>  	winbind_retry_with_normalised_username = no
>  }
>  # Loaded module rlm_files
>  # Loading module "files" from file 
>/etc/freeradius/3.0/mods-enabled/files
>  files {
>  	filename = "/etc/freeradius/3.0/mods-config/files/authorize"
>  	acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
>  	preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
>  }
>  instantiate {
>  }
>  # Instantiating module "ldap" from file 
>/etc/freeradius/3.0/mods-enabled/ldap
>rlm_ldap: libldap vendor: OpenLDAP, version: 20449
>   accounting {
>   	reference = "%{tolower:type.%{Acct-Status-Type}}"
>   }
>   post-auth {
>   	reference = "."
>   }
>rlm_ldap (ldap): Initialising connection pool
>   pool {
>   	start = 5
>   	min = 3
>   	max = 32
>   	spare = 10
>   	uses = 0
>   	lifetime = 0
>   	cleanup_interval = 30
>   	idle_timeout = 60
>   	retry_delay = 30
>   	spread = no
>   }
>rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
>rlm_ldap (ldap): Connecting to ldaps://bg-deham-dc:636 ldaps://bg-deham-dc2:636
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used
>rlm_ldap (ldap): Connecting to ldaps://bg-deham-dc:636 ldaps://bg-deham-dc2:636
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used
>rlm_ldap (ldap): Connecting to ldaps://bg-deham-dc:636 ldaps://bg-deham-dc2:636
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used
>rlm_ldap (ldap): Connecting to ldaps://bg-deham-dc:636 ldaps://bg-deham-dc2:636
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used
>rlm_ldap (ldap): Connecting to ldaps://bg-deham-dc:636 ldaps://bg-deham-dc2:636
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>  # Instantiating module "etc_passwd" from file 
>/etc/freeradius/3.0/mods-enabled/passwd
>rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
>  # Instantiating module "reject" from file 
>/etc/freeradius/3.0/mods-enabled/always
>  # Instantiating module "fail" from file 
>/etc/freeradius/3.0/mods-enabled/always
>  # Instantiating module "ok" from file 
>/etc/freeradius/3.0/mods-enabled/always
>  # Instantiating module "handled" from file 
>/etc/freeradius/3.0/mods-enabled/always
>  # Instantiating module "invalid" from file 
>/etc/freeradius/3.0/mods-enabled/always
>  # Instantiating module "userlock" from file 
>/etc/freeradius/3.0/mods-enabled/always
>  # Instantiating module "notfound" from file 
>/etc/freeradius/3.0/mods-enabled/always
>  # Instantiating module "noop" from file 
>/etc/freeradius/3.0/mods-enabled/always
>  # Instantiating module "updated" from file 
>/etc/freeradius/3.0/mods-enabled/always
>  # Instantiating module "pap" from file 
>/etc/freeradius/3.0/mods-enabled/pap
>  # Instantiating module "auth_log" from file 
>/etc/freeradius/3.0/mods-enabled/detail.log
>rlm_detail (auth_log): 'User-Password' suppressed, will not appear in 
>detail output
>  # Instantiating module "reply_log" from file 
>/etc/freeradius/3.0/mods-enabled/detail.log
>  # Instantiating module "pre_proxy_log" from file 
>/etc/freeradius/3.0/mods-enabled/detail.log
>  # Instantiating module "post_proxy_log" from file 
>/etc/freeradius/3.0/mods-enabled/detail.log
>  # Instantiating module "linelog" from file 
>/etc/freeradius/3.0/mods-enabled/linelog
>  # Instantiating module "log_accounting" from file 
>/etc/freeradius/3.0/mods-enabled/linelog
>  # Instantiating module "IPASS" from file 
>/etc/freeradius/3.0/mods-enabled/realm
>  # Instantiating module "suffix" from file 
>/etc/freeradius/3.0/mods-enabled/realm
>  # Instantiating module "bangpath" from file 
>/etc/freeradius/3.0/mods-enabled/realm
>  # Instantiating module "realmpercent" from file 
>/etc/freeradius/3.0/mods-enabled/realm
>  # Instantiating module "ntdomain" from file 
>/etc/freeradius/3.0/mods-enabled/realm
>  # Instantiating module "preprocess" from file 
>/etc/freeradius/3.0/mods-enabled/preprocess
>reading pairlist file 
>/etc/freeradius/3.0/mods-config/preprocess/huntgroups
>reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
>  # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
>   # Linked to sub-module rlm_eap_md5
>   # Linked to sub-module rlm_eap_leap
>   # Linked to sub-module rlm_eap_gtc
>   gtc {
>   	challenge = "Password: "
>   	auth_type = "PAP"
>   }
>   # Linked to sub-module rlm_eap_tls
>   tls {
>   	tls = "tls-common"
>   }
>   tls-config tls-common {
>   	verify_depth = 0
>   	ca_path = "/etc/freeradius/3.0/certs"
>   	pem_file_type = yes
>   	private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
>   	certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
>   	ca_file = "/etc/ssl/certs/ca-certificates.crt"
>   	private_key_password = <<< secret >>>
>   	dh_file = "/etc/freeradius/3.0/certs/dh"
>   	fragment_size = 1024
>   	include_length = yes
>   	auto_chain = yes
>   	check_crl = no
>   	check_all_crl = no
>   	cipher_list = "DEFAULT"
>   	cipher_server_preference = no
>   	ecdh_curve = "prime256v1"
>   	disable_tlsv1 = yes
>   	disable_tlsv1_1 = yes
>   	tls_max_version = "1.2"
>   	tls_min_version = "1.2"
>    cache {
>    	enable = no
>    	lifetime = 24
>    	max_entries = 255
>    }
>    verify {
>    	skip_if_ocsp_ok = no
>    }
>    ocsp {
>    	enable = no
>    	override_cert_url = yes
>    	url = "http://127.0.0.1/ocsp/"
>    	use_nonce = yes
>    	timeout = 0
>    	softfail = no
>    }
>   }
>Please use tls_min_version and tls_max_version instead of disable_tlsv1 
>Please use tls_min_version and tls_max_version instead of disable_tlsv1_2
>   # Linked to sub-module rlm_eap_ttls
>   ttls {
>   	tls = "tls-common"
>   	default_eap_type = "md5"
>   	copy_request_to_tunnel = no
>   	use_tunneled_reply = no
>   	virtual_server = "inner-tunnel"
>   	include_length = yes
>   	require_client_cert = no
>   }
>tls: Using cached TLS configuration from previous invocation
>   # Linked to sub-module rlm_eap_peap
>   peap {
>   	tls = "tls-common"
>   	default_eap_type = "mschapv2"
>   	copy_request_to_tunnel = no
>   	use_tunneled_reply = no
>   	proxy_tunneled_request_as_eap = yes
>   	virtual_server = "inner-tunnel"
>   	soh = no
>   	require_client_cert = no
>   }
>tls: Using cached TLS configuration from previous invocation
>   # Linked to sub-module rlm_eap_mschapv2
>   mschapv2 {
>   	with_ntdomain_hack = no
>   	send_error = no
>   }
>  # Instantiating module "cache_eap" from file 
>/etc/freeradius/3.0/mods-enabled/cache_eap
>rlm_cache (cache_eap): Driver rlm_cache_rbtree (module 
>rlm_cache_rbtree) loaded and linked
>  # Instantiating module "detail" from file 
>/etc/freeradius/3.0/mods-enabled/detail
>  # Instantiating module "expiration" from file 
>/etc/freeradius/3.0/mods-enabled/expiration
>  # Instantiating module "logintime" from file 
>/etc/freeradius/3.0/mods-enabled/logintime
>  # Instantiating module "attr_filter.post-proxy" from file 
>/etc/freeradius/3.0/mods-enabled/attr_filter
>reading pairlist file 
>/etc/freeradius/3.0/mods-config/attr_filter/post-proxy
>  # Instantiating module "attr_filter.pre-proxy" from file 
>/etc/freeradius/3.0/mods-enabled/attr_filter
>reading pairlist file 
>/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
>  # Instantiating module "attr_filter.access_reject" from file 
>/etc/freeradius/3.0/mods-enabled/attr_filter
>reading pairlist file 
>/etc/freeradius/3.0/mods-config/attr_filter/access_reject
>  # Instantiating module "attr_filter.access_challenge" from file 
>/etc/freeradius/3.0/mods-enabled/attr_filter
>reading pairlist file 
>/etc/freeradius/3.0/mods-config/attr_filter/access_challenge
>  # Instantiating module "attr_filter.accounting_response" from file 
>/etc/freeradius/3.0/mods-enabled/attr_filter
>reading pairlist file 
>/etc/freeradius/3.0/mods-config/attr_filter/accounting_response
>  # Instantiating module "mschap" from file 
>/etc/freeradius/3.0/mods-enabled/mschap
>rlm_mschap (mschap): using internal authentication
>  # Instantiating module "files" from file 
>/etc/freeradius/3.0/mods-enabled/files
>reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
>reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
>reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
> } # modules
>radiusd: #### Loading Virtual Servers ####
>server { # from file /etc/freeradius/3.0/radiusd.conf
>} # server
>server ldap-network { # from file /etc/freeradius/3.0/sites-enabled/ldap-network
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading preacct {...}
> # Loading accounting {...}
> # Loading post-auth {...}
>} # server ldap-network
>server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading session {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
>Ignoring "sql" (see raddb/mods-available/README.rst)
> # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:336
>} # server inner-tunnel
>radiusd: #### Opening IP addresses and Ports ####
>listen {
>  	type = "auth"
>  	ipv4addr = 10.3.3.10
>  	port = 0
>   limit {
>   	max_connections = 16
>   	lifetime = 0
>   	idle_timeout = 30
>   }
>}
>listen {
>  	type = "acct"
>  	ipaddr = *
>  	port = 0
>   limit {
>   	max_connections = 16
>   	lifetime = 0
>   	idle_timeout = 30
>   }
>}
>listen {
>  	type = "auth"
>  	ipv6addr = ::
>  	port = 0
>   limit {
>   	max_connections = 16
>   	lifetime = 0
>   	idle_timeout = 30
>   }
>}
>listen {
>  	type = "acct"
>  	ipv6addr = ::
>  	port = 0
>   limit {
>   	max_connections = 16
>   	lifetime = 0
>   	idle_timeout = 30
>   }
>}
>listen {
>  	type = "auth"
>  	ipaddr = 127.0.0.1
>  	port = 18120
>}
>Listening on auth address 10.3.3.10 port 1812 bound to server ldap-network
>Listening on acct address * port 1813 bound to server ldap-network
>Listening on auth address :: port 1812 bound to server ldap-network
>Listening on acct address :: port 1813 bound to server ldap-network
>Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
>Listening on proxy address * port 34537
>Listening on proxy address :: port 58493
>
>----------------------------------
>Ready to process requests
>(0) Received Access-Request Id 19 from 10.3.10.10:49205 to 10.3.3.10:1812 length 94
>(0)   User-Name = "user.name"
>(0)   User-Password = "pass.word"
>(0)   Cisco-AVPair = "shell:priv-lvl=1"
>(0)   NAS-IP-Address = 0.0.0.0
>(0)   Acct-Session-Id = "0500015B"
>(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/ldap-network
>(0)   authorize {
>(0)     policy filter_username {
>(0)       if (&User-Name) {
>(0)       if (&User-Name)  -> TRUE
>(0)       if (&User-Name)  {
>(0)         if (&User-Name =~ / /) {
>(0)         if (&User-Name =~ / /)  -> FALSE
>(0)         if (&User-Name =~ /@[^@]*@/ ) {
>(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>(0)         if (&User-Name =~ /\.\./ ) {
>(0)         if (&User-Name =~ /\.\./ )  -> FALSE
>(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
>(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
>(0)         if (&User-Name =~ /\.$/)  {
>(0)         if (&User-Name =~ /\.$/)   -> FALSE
>(0)         if (&User-Name =~ /@\./)  {
>(0)         if (&User-Name =~ /@\./)   -> FALSE
>(0)       } # if (&User-Name)  = notfound
>(0)     } # policy filter_username = notfound
>(0)     [preprocess] = ok
>(0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
>(0) auth_log:    --> /var/log/freeradius/radacct/10.3.10.10/auth-detail-20210205
>(0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.3.10.10/auth-detail-20210205
>(0) auth_log: EXPAND %t
>(0) auth_log:    --> Fri Feb  5 14:34:58 2021
>(0)     [auth_log] = ok
>rlm_ldap (ldap): Reserved connection (0)
>(0) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
>(0) ldap:    --> (samaccountname=user.name)
>(0) ldap: Performing search in "ou=XXXX,dc=XXXXXX,dc=local" with filter "(samaccountname=user.name)", scope "sub"
>(0) ldap: Waiting for search result...
>(0) ldap: User object found at DN "CN=UserName,OU=XXX Systems,OU=XXXX,OU=XXXXX,OU=XXX,DC=XXXXXX,DC=local"
>(0) ldap: Processing user attributes
>(0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
>(0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
>rlm_ldap (ldap): Released connection (0)
>Need 5 more connections to reach 10 spares
>rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
>rlm_ldap (ldap): Connecting to ldaps://xx-xxxx-xx:636 ldaps://xx-xxxx-xx2:636
>rlm_ldap (ldap): Waiting for bind result...
>rlm_ldap (ldap): Bind successful
>(0)     [ldap] = ok
>(0)     if ((ok || updated) && User-Password && !control:Auth-Type) {
>(0)     if ((ok || updated) && User-Password && !control:Auth-Type)  -> TRUE
>(0)     if ((ok || updated) && User-Password && !control:Auth-Type)  {
>(0)       update {
>(0)         control:Auth-Type := LDAP
>(0)       } # update = noop
>(0)     } # if ((ok || updated) && User-Password && !control:Auth-Type)  = noop
>(0)     [expiration] = noop
>(0)     [logintime] = noop
>(0)   } # authorize = ok
>(0) Found Auth-Type = LDAP
>(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/ldap-network
>(0)   Auth-Type LDAP {
>rlm_ldap (ldap): Reserved connection (1)
>(0) ldap: Login attempt by "user.name"
>(0) ldap: Using user DN from request "CN=UserName,OU=XXX Systems,OU=XXXX,OU=XXXXX,OU=XXX,DC=XXXXXX,DC=local"
>(0) ldap: Waiting for bind result...
>(0) ldap: Bind successful
>(0) ldap: Bind as user "CN=UserName,OU=XXX Systems,OU=XXXX,OU=XXXXX,OU=XXX,DC=XXXXXX,DC=local" was successful
>rlm_ldap (ldap): Released connection (1)
>(0)     [ldap] = ok
>(0)   } # Auth-Type LDAP = ok
>(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/ldap-network
>(0)   post-auth {
>(0)     if (Huntgroup-Name == "cisco-group") {
>(0)     ERROR: Failed retrieving values required to evaluate condition
>(0)     else {
>(0)       [reject] = reject
>(0)     } # else = reject
>(0)   } # post-auth = reject
>(0) Using Post-Auth-Type Reject
>(0) Post-Auth-Type sub-section not found.  Ignoring.
>(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/ldap-network
>(0) Delaying response for 1.000000 seconds
>Waking up in 0.3 seconds.
>Waking up in 0.6 seconds.
>(0) Sending delayed response
>(0) Sent Access-Reject Id 19 from 10.3.3.10:1812 to 10.3.10.10:49205 length 20


>Good day,
>
>I have problems getting this running:
>-----------------------------------------------------------------------------------------
>if (Huntgroup-Name == "cisco-group") {
>	if (Ldap-Group == "Group_Network_Device_RW") {
>		update reply {
>			cisco-avpair = "shell:priv-lvl=15"
>		}
>	}
>}
>else {
>	reject
>}
>-----------------------------------------------------------------------------------------
>I get this debug output:
>-----------------------------------------------------------------------------------------
>(0)     [ldap] = ok
>(0)   } # Auth-Type LDAP = ok
>(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/ldap-network
>(0)   post-auth {
>(0)     if (Huntgroup-Name == "cisco-group") {
>(0)     ERROR: Failed retrieving values required to evaluate condition
>(0)     else {
>(0)       [reject] = reject
>-----------------------------------------------------------------------------------------
>When I remove the huntgroup line it is working and I can authenticate against a network device. But in combination with the huntgroup I get this error.
>What am I doing wrong? Can someone point me in the right direction?
>Many thanks,
>MaDe
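The thread's conclusion is that the huntgroups line never matches because the switch sends NAS-IP-Address = 0.0.0.0, so rlm_preprocess never adds Huntgroup-Name and the post-auth condition fails with "Failed retrieving values required to evaluate condition". The following is an added example, not configuration from the thread or from the FreeRADIUS project: it keys the huntgroup on the address the packet actually came from and makes the post-auth policy tolerate a missing Huntgroup-Name. It assumes the switch is 10.3.10.10 (the source address in the debug output above), that the policy lives in the post-auth section of the ldap-network virtual server, and that huntgroups accept Packet-Src-IP-Address as a check item (an assumption on my part; it is the server's own comparison engine that evaluates the check items).

```unlang
# Added example; not from the thread. Assumes the switch is 10.3.10.10.

# --- mods-config/preprocess/huntgroups ---
#
# Original line (never matches: the switch sends NAS-IP-Address = 0.0.0.0):
#   cisco-group   NAS-IP-Address == 10.3.10.10
#
# Key the huntgroup on the packet's real source address instead.
# Packet-Src-IP-Address is filled in by the server from the UDP header,
# not taken from the packet body, so a NAS cannot join the group by
# putting a different NAS-IP-Address in the request.
# (Assumption: huntgroups accept this attribute as a check item.)
cisco-group	Packet-Src-IP-Address == 10.3.10.10

# --- sites-enabled/ldap-network, post-auth section ---
post-auth {
	# preprocess only adds Huntgroup-Name when a huntgroups line matched.
	# Test for presence first, so a NAS outside every huntgroup is rejected
	# cleanly instead of logging
	# "Failed retrieving values required to evaluate condition".
	if (!&Huntgroup-Name) {
		reject
	}

	if (&Huntgroup-Name == "cisco-group") {
		if (&Ldap-Group == "Group_Network_Device_RW") {
			# Members of the RW group get enable-level access.
			update reply {
				&Cisco-AVPair = "shell:priv-lvl=15"
			}
		}
		else {
			# Authenticated but not in the RW group: accept the login
			# and leave the switch's default privilege level in place.
			ok
		}
	}
	else {
		# Known NAS, but not one this policy hands out privileges for.
		reject
	}

	# The remaining post-auth entries of the virtual server follow here.
}
```

Because the RADIUS client is already identified in clients.conf by its source address and shared secret, matching the huntgroup on Packet-Src-IP-Address ties the privilege decision to that same identity rather than to a value the device chooses to send. Keep the outer reject: a request from a NAS that matches no huntgroup should fail closed, and the presence check turns the ERROR line in the debug output into an ordinary reject.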


