<div dir="ltr">Hi:<div><br></div><div>I am using FreeRadius version 2.1.12 on CentOS6.</div><div><br></div><div style>I am authenticating against Active Directory (that works). And authorizing against LDAP (that works as well).</div>
<div style><br></div><div style>I am trying to return attributes, used for VLAN assignment, based on the usersDN.</div><div style><br></div><div style>In my<font face="arial, sans-serif"><span style="white-space:nowrap"> /etc/raddb/sites-enabled/default (and inner-tunnel) I have the following</span></font></div>
<div style><font face="arial, sans-serif"><span style="white-space:nowrap"><br></span></font></div><div style><font face="arial, sans-serif"><span style="white-space:nowrap"><br></span></font></div><div style><font face="arial, sans-serif"><div>
<span style="white-space:nowrap"> #</span></div><div><span style="white-space:nowrap"> # The ldap module will set Auth-Type to LDAP if it has not</span></div><div><span style="white-space:nowrap"> # already been set</span></div>
<div><span style="white-space:nowrap"> ldap</span></div><div><span style="white-space:nowrap"> if (control:Ldap-UserDn =~ /OU=QA/) {</span></div><div><span style="white-space:nowrap"> update reply {</span></div>
<div><span style="white-space:nowrap"> Tunnel-Type:1 := 13</span></div><div><span style="white-space:nowrap"> Tunnel-Medium-Type:1 := 6</span></div><div><span style="white-space:nowrap"> Tunnel-Private-Group-Id:1 := 7</span></div>
<div><span style="white-space:nowrap"> }</span></div><div><span style="white-space:nowrap"> }</span></div><div><span style="white-space:nowrap"> elsif (control:Ldap-UserDn =~ /OU=IT/) {</span></div>
<div><span style="white-space:nowrap"> update reply {</span></div><div><span style="white-space:nowrap"> Tunnel-Type:1 := 13</span></div><div><span style="white-space:nowrap"> Tunnel-Medium-Type:1 := 6</span></div>
<div><span style="white-space:nowrap"> Tunnel-Private-Group-Id:1 := 2</span></div><div><span style="white-space:nowrap"> }</span></div><div><span style="white-space:nowrap"> }</span></div>
<div><span style="white-space:nowrap"> else {</span></div><div><span style="white-space:nowrap"> update reply {</span></div><div><span style="white-space:nowrap"> Tunnel-Type:1 := 13</span></div>
<div><span style="white-space:nowrap"> Tunnel-Medium-Type:1 := 6</span></div><div><span style="white-space:nowrap"> Tunnel-Private-Group-Id:1 := 21</span></div><div><span style="white-space:nowrap"> }</span></div>
<div><span style="white-space:nowrap"> }</span></div><div style="white-space:nowrap"><br></div><div style="white-space:nowrap">In the authorize section. That works, when authorize is done it queries LDAP successfully.</div>
<div style="white-space:nowrap"><br></div><div style="white-space:nowrap">Looking through the radius debug I see the IF statements processing:</div><div style="white-space:nowrap"><br></div><div><div><span style="white-space:nowrap">rad_recv: Access-Request packet from host 127.0.0.1 port 48400, id=0, length=122</span></div>
<div><span style="white-space:nowrap"> User-Name = "mceroni"</span></div><div><span style="white-space:nowrap"> NAS-IP-Address = 127.0.0.1</span></div><div><span style="white-space:nowrap"> Calling-Station-Id = "02-00-00-00-00-01"</span></div>
<div><span style="white-space:nowrap"> Framed-MTU = 1400</span></div><div><span style="white-space:nowrap"> NAS-Port-Type = Wireless-802.11</span></div><div><span style="white-space:nowrap"> Connect-Info = "CONNECT 11Mbps 802.11b"</span></div>
<div><span style="white-space:nowrap"> EAP-Message = 0x0200000c016d6365726f6e69</span></div><div><span style="white-space:nowrap"> Message-Authenticator = 0xc429bf6a61dfc3cf27f1b6dc84f4e558</span></div><div>
<span style="white-space:nowrap"># Executing section authorize from file /etc/raddb/sites-enabled/default</span></div><div><span style="white-space:nowrap">+- entering group authorize {...}</span></div><div><span style="white-space:nowrap">++[preprocess] returns ok</span></div>
<div><span style="white-space:nowrap">++[chap] returns noop</span></div><div><span style="white-space:nowrap">++[mschap] returns noop</span></div><div><span style="white-space:nowrap">++[digest] returns noop</span></div><div>
<span style="white-space:nowrap">[suffix] No '@' in User-Name = "mceroni", looking up realm NULL</span></div><div><span style="white-space:nowrap">[suffix] No such realm "NULL"</span></div><div>
<span style="white-space:nowrap">++[suffix] returns noop</span></div><div><span style="white-space:nowrap">[ntdomain] No '\' in User-Name = "mceroni", looking up realm NULL</span></div><div><span style="white-space:nowrap">[ntdomain] No such realm "NULL"</span></div>
<div><span style="white-space:nowrap">++[ntdomain] returns noop</span></div><div><span style="white-space:nowrap">[eap] EAP packet type response id 0 length 12</span></div><div><span style="white-space:nowrap">[eap] No EAP Start, assuming it's an on-going EAP conversation</span></div>
<div><span style="white-space:nowrap">++[eap] returns updated</span></div><div><span style="white-space:nowrap">++[files] returns noop</span></div><div><span style="white-space:nowrap">[ldap] performing user authorization for mceroni</span></div>
<div><span style="white-space:nowrap">[ldap] expand: %{Stripped-User-Name} -></span></div><div><span style="white-space:nowrap">[ldap] ... expanding second conditional</span></div><div><span style="white-space:nowrap">[ldap] expand: %{User-Name} -> mceroni</span></div>
<div><span style="white-space:nowrap">[ldap] expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (samAccountName=mceroni)</span></div><div><span style="white-space:nowrap">[ldap] expand: ou=Clairmail OU,dc=clairmail,dc=local -> ou=Clairmail OU,dc=clairmail,dc=local</span></div>
<div><span style="white-space:nowrap"> [ldap] ldap_get_conn: Checking Id: 0</span></div><div><span style="white-space:nowrap"> [ldap] ldap_get_conn: Got Id: 0</span></div><div><span style="white-space:nowrap"> [ldap] attempting LDAP reconnection</span></div>
<div><span style="white-space:nowrap"> [ldap] (re)connect to cmad01.clairmail.local:389, authentication 0</span></div><div><span style="white-space:nowrap"> [ldap] bind as svnadmin@clairmail.local/iBis93sLit+ to cmad01.clairmail.local:389</span></div>
<div><span style="white-space:nowrap"> [ldap] waiting for bind result ...</span></div><div><span style="white-space:nowrap"> [ldap] Bind was successful</span></div><div><span style="white-space:nowrap"> [ldap] performing search in ou=Clairmail OU,dc=clairmail,dc=local, with filter (samAccountName=mceroni)</span></div>
<div><span style="white-space:nowrap">[ldap] looking for check items in directory...</span></div><div><span style="white-space:nowrap">[ldap] looking for reply items in directory...</span></div><div><span style="white-space:nowrap">WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?</span></div>
<div><span style="white-space:nowrap">[ldap] user mceroni authorized to use remote access</span></div><div><span style="white-space:nowrap"> [ldap] ldap_release_conn: Release Id: 0</span></div><div><span style="white-space:nowrap">++[ldap] returns ok</span></div>
<div><span style="white-space:nowrap">++? if (control:Ldap-UserDn =~ /OU=QA/)</span></div><div><span style="white-space:nowrap">? Evaluating (control:Ldap-UserDn =~ /OU=QA/) -> FALSE</span></div><div><span style="white-space:nowrap">++? if (control:Ldap-UserDn =~ /OU=QA/) -> FALSE</span></div>
<div><span style="white-space:nowrap">++? elsif (control:Ldap-UserDn =~ /OU=IT/)</span></div><div><span style="white-space:nowrap">? Evaluating (control:Ldap-UserDn =~ /OU=IT/) -> TRUE</span></div><div><span style="white-space:nowrap">++? elsif (control:Ldap-UserDn =~ /OU=IT/) -> TRUE</span></div>
<div><span style="white-space:nowrap">++- entering elsif (control:Ldap-UserDn =~ /OU=IT/) {...}</span></div><div><span style="white-space:nowrap">+++[reply] returns ok</span></div><div style="white-space:nowrap"><br></div>
</div><div style="white-space:nowrap">And it appears to set the attributes:</div><div style="white-space:nowrap"><br></div><div><div><span style="white-space:nowrap">+[pap] returns noop</span></div><div><span style="white-space:nowrap">++? if ("%{request:User-Name}" =~ /^host\/(.*).clairmail.local$/)</span></div>
<div><span style="white-space:nowrap"> expand: %{request:User-Name} -> mceroni</span></div><div><span style="white-space:nowrap">? Evaluating ("%{request:User-Name}" =~ /^host\/(.*).clairmail.local$/) -> FALSE</span></div>
<div><span style="white-space:nowrap">++? if ("%{request:User-Name}" =~ /^host\/(.*).clairmail.local$/) -> FALSE</span></div><div><span style="white-space:nowrap">Found Auth-Type = EAP</span></div><div><span style="white-space:nowrap"># Executing group from file /etc/raddb/sites-enabled/default</span></div>
<div><span style="white-space:nowrap">+- entering group authenticate {...}</span></div><div><span style="white-space:nowrap">[eap] EAP Identity</span></div><div><span style="white-space:nowrap">[eap] processing type tls</span></div>
<div><span style="white-space:nowrap">[tls] Initiate</span></div><div><span style="white-space:nowrap">[tls] Start returned 1</span></div><div><span style="white-space:nowrap">++[eap] returns handled</span></div><div><span style="white-space:nowrap">Sending Access-Challenge of id 0 to 127.0.0.1 port 48400</span></div>
<div><span style="white-space:nowrap"> Tunnel-Type:1 = VLAN</span></div><div><span style="white-space:nowrap"> Tunnel-Medium-Type:1 = IEEE-802</span></div><div><span style="white-space:nowrap"> Tunnel-Private-Group-Id:1 = "2"</span></div>
<div><span style="white-space:nowrap"> EAP-Message = 0x010100061920</span></div><div><span style="white-space:nowrap"> Message-Authenticator = 0x00000000000000000000000000000000</span></div><div><span style="white-space:nowrap"> State = 0x2a1689d42a17904c9b87561fac99b7b3</span></div>
<div><span style="white-space:nowrap">Finished request 0.</span></div><div><span style="white-space:nowrap">Going to the next request</span></div><div><span style="white-space:nowrap">Waking up in 4.9 seconds.</span></div>
<div><span style="white-space:nowrap">rad_recv: Access-Request packet from host 127.0.0.1 port 48400, id=1, length=250</span></div><div><span style="white-space:nowrap"> User-Name = "mceroni"</span></div>
<div><span style="white-space:nowrap"> NAS-IP-Address = 127.0.0.1</span></div><div><span style="white-space:nowrap"> Calling-Station-Id = "02-00-00-00-00-01"</span></div><div><span style="white-space:nowrap"> Framed-MTU = 1400</span></div>
<div><span style="white-space:nowrap"> NAS-Port-Type = Wireless-802.11</span></div><div><span style="white-space:nowrap"> Connect-Info = "CONNECT 11Mbps 802.11b"</span></div><div><span style="white-space:nowrap"> EAP-Message = 0x0201007a198000000070160301006b01000067030150ee101279602ec4eddc8d6cfc926da85eee0e034a2c20ea6abd4fd75e1ea55500003a00390038008800870035008400160013000a00330032009a009900450044002f00960041000500040015001200090014001100080006000300ff0100000400230000</span></div>
<div><span style="white-space:nowrap"> State = 0x2a1689d42a17904c9b87561fac99b7b3</span></div><div><span style="white-space:nowrap"> Message-Authenticator = 0x0a3e365c6cd7a8ae795def8cb962360e</span></div><div style="white-space:nowrap">
<br></div></div><div style="white-space:nowrap"><br></div><div style="white-space:nowrap">But in the final response those attributes are not there.</div><div style="white-space:nowrap"><br></div><div><div><span style="white-space:nowrap">Sending Access-Accept of id 9 to 127.0.0.1 port 48400</span></div>
<div><span style="white-space:nowrap"> MS-MPPE-Recv-Key = 0xf318d3dd21910be1544fd848af03baebe4f23ae85b786100b02b967d4cc1761e</span></div><div><span style="white-space:nowrap"> MS-MPPE-Send-Key = 0xa01a409bf3f54388c69613c576e657605022285909917ddbee9e52e776c3b0e1</span></div>
<div><span style="white-space:nowrap"> EAP-Message = 0x03090004</span></div><div><span style="white-space:nowrap"> Message-Authenticator = 0x00000000000000000000000000000000</span></div><div><span style="white-space:nowrap"> User-Name = "mceroni"</span></div>
<div style="white-space:nowrap"><br></div></div><div style="white-space:nowrap"><br></div><div style="white-space:nowrap">Any help would be appreciated.</div><div style="white-space:nowrap"><br></div><div style="white-space:nowrap">
Thanks</div><div style="white-space:nowrap"><br></div><div style="white-space:nowrap"><br></div></font></div></div>