<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt"><div>Hi Ivan,<br> Sorry to get back to you early as I did not have LDAP access :(<br><br>After adding radiusAuthType on ONE uid it is working fine now. <br><span style="font-weight: bold;">But now the issue is, I have some cases where the MAC addresses are stored multiple times in LDAP. Thus the LDAP query is failing.</span><br style="font-weight: bold;">
<span style="font-weight: bold;">Please check the log below. Can you please suggest a workaround? I will really appreciate it.</span><br style="font-weight: bold;">
<br style="font-weight: bold;">
<span style="font-weight: bold;">Thanks and Regards.</span><br><br><span style="text-decoration: underline;">Test Case 1 :: 1 UID</span><br>+- entering group authorize<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br> rlm_realm: No '@' in User-Name = "0014F846C199", looking up realm NULL<br> rlm_realm: No such realm "NULL"<br>++[suffix] returns noop<br> rlm_eap: No EAP-Message, not doing EAP<br>++[eap] returns noop<br>++[unix] returns notfound<br>++[files] returns noop<br>rlm_ldap: - authorize<br>rlm_ldap: performing user authorization for 0014F846C199<br> expand: %{Stripped-User-Name} -> <br> expand: %{User-Name} -> 0014F846C199<br> expand: (&(did=%{%{Stripped-User-Name}:-%{User-Name}})) ->
(&(did=0014F846C199))<br> expand: ou=roles,o=entitlement -> ou=roles,o=entitlement<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(did=0014F846C199))<br>rlm_ldap: looking for check items in directory...<br>rlm_ldap: LDAP attribute radiusAuthType as RADIUS attribute Auth-Type == Accept<br>rlm_ldap: looking for reply items in directory...<br>rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = "111111"<br>WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?<br>rlm_ldap: user 0014F846C199 authorized to use remote access<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>++[ldap] returns ok<br>++[expiration] returns noop<br>++[logintime] returns noop<br>rlm_pap: Found existing Auth-Type, not changing it.<br>++[pap] returns noop<br>
rad_check_password: Found Auth-Type Accept<br> rad_check_password: Auth-Type = Accept, accepting the user<br>Login OK: [0014F846C199/&lt;via Auth-Type = Accept&gt;] (from client samir port 0)<br>Sending Access-Accept of id 39 to 216.2.193.1 port 38625<br>Finished request 3.<br><br><br><span style="text-decoration: underline;">Test Case 2 :: Multiple UIDs</span><br><br>rad_recv: Access-Request packet from host 216.2.193.1 port 37788, id=38, length=34<br> User-Name = "0014F846C199"<br>+- entering group authorize<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br> rlm_realm: No '@' in User-Name = "0014F846C199", looking up realm NULL<br> rlm_realm: No such realm "NULL"<br>++[suffix] returns noop<br> rlm_eap: No EAP-Message, not doing
EAP<br>++[eap] returns noop<br>++[unix] returns notfound<br>++[files] returns noop<br>rlm_ldap: - authorize<br>rlm_ldap: performing user authorization for 0014F846C199<br> expand: %{Stripped-User-Name} -> <br> expand: %{User-Name} -> 0014F846C199<br> expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})) -> (&(uid=0014F846C199))<br> expand: ou=roles,o=entitlement -> ou=roles,o=entitlement<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br><span style="color: rgb(255, 0, 0);">rlm_ldap: performing search in ou=roles,o=entitlement, with filter (&(uid=0014F846C199))</span><br style="color: rgb(255, 0, 0);"><span style="font-weight: bold; color: rgb(255, 0, 0);">rlm_ldap: object not found or got ambiguous search
result</span><br>rlm_ldap: search failed<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>++[ldap] returns notfound<br>++[expiration] returns noop<br>++[logintime] returns noop<br>rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>++[pap] returns noop<br>auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user<br>auth: Failed to validate the user.<br>Login incorrect (rlm_ldap: User not found): [0014F846C199/&lt;no User-Password attribute&gt;] (from client samir port 0)<br> Found Post-Auth-Type Reject<br>+- entering group REJECT<br> expand: %{User-Name} -> 0014F846C199<br> attr_filter: Matched entry DEFAULT at line 11<br>++[attr_filter.access_reject] returns updated<br>Delaying reject of request 2 for 1 seconds<br><br><br><br>----- Original Message ----<br>From: Ivan Kalik &lt;tnt@kalik.net&gt;<br>To: FreeRadius users mailing list &lt;freeradius-users@lists.freeradius.org&gt;<br>Sent: Thursday, March 20, 2008 1:01:11 PM<br>Subject: Re: MACAddress silent authentication in LDAP using freeradius2.0.2<br><br>
> Bit confusing..do you want me to create entries in<br>
>ldap as, <br>
><br><br>
No:<br><br>
uid = 001122334455<br>
radiusAuthType = Accept<br><br>
Forget about the device entries. radius authenticates users. Have a look<br>
at the filter configured in ldap section of radiusd.conf<br><br>
>If yes, what additional changes I have to do in<br>
>freeradius and how I can return devicename along the<br>
>freeradius reply?<br><br>
And what would you do with that? Groups? Then create group entries for<br>
them and use memberof in (mac) user entry.<br><br>
Ivan Kalik<br>
Kalik Informatika ISP<br><br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br></div><br></div><br>
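<div>Added example, not part of the original post and not FreeRADIUS code: a check for the situation in Test Case 2, where more than one directory entry carries the same uid. It parses an LDIF export and lists each repeated uid with its DNs and whether each entry has radiusAuthType. The sample data and sub-OUs are constructed, and case-insensitive uid comparison is an assumption.</div>

```python
import base64
from collections import defaultdict

# Constructed sample export (not from the thread). Attribute names and the
# ou=roles,o=entitlement base follow the post; the sub-OUs are hypothetical.
SAMPLE_LDIF = """\
dn: uid=0014F846C199,ou=laptops,ou=roles,o=entitlement
uid: 0014F846C199
radiusAuthType: Accept

dn: uid=0014f846c199,ou=phones,
 ou=roles,o=entitlement
uid: 0014f846c199

dn: uid=001122334455,ou=laptops,ou=roles,o=entitlement
uid:: MDAxMTIyMzM0NDU1
radiusAuthType: Accept
"""


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], defaultdict(list)
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: value" is base64-encoded
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current[name.strip().lower()].append(value.strip())
    return entries


def ambiguous_uids(entries):
    """Return {UID: [(dn, has_radiusAuthType), ...]} for uids on 2+ entries."""
    by_uid = defaultdict(list)
    for entry in entries:
        for uid in entry.get("uid", []):
            # Assumption: uid is compared case-insensitively by the directory.
            by_uid[uid.upper()].append((entry["dn"][0], "radiusauthtype" in entry))
    return {uid: hits for uid, hits in by_uid.items() if len(hits) != 1}


if __name__ == "__main__":
    for uid, hits in ambiguous_uids(parse_ldif(SAMPLE_LDIF)).items():
        print(uid, hits)
```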
</body></html>