Dear Alan Thanks again for your help and guidance. I forgot to paste the /users config file. This is it: DEFAULT Ldap-Group == "cn=Management,ou=SeminaryOU,dc=seminary,dc=local" Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "1" #Reply-Message = "You are Accepted" DEFAULT Ldap-Group == "cn=Formators,ou=SeminaryOU,dc=seminary,dc=local" Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "10" #Reply-Message = "You are Accepted" DEFAULT Ldap-Group == "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "11" #Reply-Message = "You are Accepted" DEFAULT Ldap-Group == "cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local" Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "12" DEFAULT Ldap-Group == "cn=Staff,ou=SeminaryOU,dc=seminary,dc=local" Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "13" #Reply-Message = "You are Accepted" DEFAULT Ldap-Group == "cn=Guests1,ou=SeminaryOU,dc=seminary,dc=local" Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "20" #Reply-Message = "You are Accepted" DEFAULT Ldap-Group == "cn=Guests2,ou=SeminaryOU,dc=seminary,dc=local" Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "30" #Reply-Message = "You are Accepted" DEFAULT Ldap-Group == "cn=School,ou=SeminaryOU,dc=seminary,dc=local" Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "50" #Reply-Message = "You are Accepted" DEFAULT Auth-Type := Reject and the /ldap configuration: ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "seminary.local" identity = "cn=admin,dc=seminary,dc=local" password = PASSOFADMIN basedn = "ou=SeminaryOU,dc=seminary,dc=local" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" #base_filter = "(objectclass=radiusprofile)" #access_attr = "uid" # authtype = ldap # password_attribute = userPassword groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = radiusGroupName # How many connections to keep open to the LDAP server. # This saves time over opening a new LDAP socket for # every authentication request. ldap_connections_number = 5 # seconds to wait for LDAP query to finish. default: 20 timeout = 4 # seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. timelimit = 3 Is that what you suggested in your reply? This should be the translation no? Matthew Pulis web: www.matthewpulis.info mob: +356 79539404 On Tue, Aug 16, 2016 at 8:36 PM, Matthew Pulis <mpulis@gmail.com> wrote:
Dear Buxley,
Thanks for your reply.
I want to assign the VLAN according to which cn in LDAP is the user assigned. So ttester since he is in cn=SeminaryAdmin,ou= SeminaryOU,dc=seminary,dc=local he should get VLAN ID 12.
I only have one virtual-server so I guess the default should work no?
I took your advice to upgrade and this is the new version: freeradius: FreeRADIUS Version 2.2.8, for host x86_64-pc-linux-gnu, built on Apr 5 2016 at 13:40:43
which shows not a single sign of policy to set the VLAN <- this is why I am so lost as to why it is not working :S
Some configs which I guess you might find useful to help me please:
radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/radiusd.conf modules { Module: Creating Auth-Type = digest Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 }
Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no }
Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap ldap { server = "seminary.local" port = 389 password = "FAKEPASS" expect_password = yes identity = "cn=admin,dc=seminary,dc=local" net_timeout = 1 timeout = 4 timelimit = 3 max_uses = 0 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "ou=SeminaryOU,dc=seminary,dc=local" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{ control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)( uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = "radiusGroupName" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } }
Thanks for your support :)
Matthew Pulis web: www.matthewpulis.info mob: +356 79539404
On Tue, Aug 16, 2016 at 11:14 AM, Matthew Pulis <mpulis@gmail.com> wrote:
Hi all,
I am trying to have dynamic VLAN assignment on Freeradius based on LDAP. The connection between Freeradius and LDAP works fine. If I test with a user I get the Authorise packet but not the dynamic VLAN assignment. We will be testing using this LDAP user:
# ttester, SeminaryAdmin, SeminaryOU, seminary.local dn: cn=ttester,cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local cn: ttester givenName: Test gidNumber: 505 homeDirectory: /home/users/ttester sn: Tester objectClass: inetOrgPerson objectClass: posixAccount objectClass: top uidNumber: 1002 uid: ttester
This is the received reply: radius@daloradius:~$ radtest -x ttester openldap localhost 1812 testing456 Sending Access-Request of id 30 to 127.0.0.1 port 1812 User-Name = "ttester" User-Password = "openldap" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=30, length=20
Freeradius version: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Feb 27 2015 at 12:38:34
This is an extract of the Freeradius debug:
Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 38281, id=59, length=77 User-Name = "ttester" User-Password = "openldap" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0xbe303901f2b855fb146f2f1fda9cd3fd # Executing section authorize from file /etc/freeradius/sites-enabled/ default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "ttester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [ldap] performing user authorization for ttester [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> ttester [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ttester) [ldap] expand: ou=SeminaryOU,dc=seminary,dc=local -> ou=SeminaryOU,dc=seminary,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to seminary.local:389, authentication 0 [ldap] bind as cn=admin,dc=seminary,dc=local/FalseBINDINGPASS to seminary.local:389 [ldap] waiting for bind result ... [ldap] Bind was successful * [ldap] performing search in ou=SeminaryOU,dc=seminary,dc=local, with filter (uid=ttester)* [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SSHA}T4sU9zSLN/Auop+ImthH4nLyLG/rPU0R" [ldap] looking for reply items in directory... [ldap] user ttester authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "openldap" [pap] Using SSHA encryption. [pap] Normalizing SSHA1-Password from base64 encoding [pap] User authenticated successfully ++[pap] returns ok Login OK: [ttester] (from client localhost port 1812) # Executing section post-auth from file /etc/freeradius/sites-enabled/ default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 59 to 127.0.0.1 port 38281 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 59 with timestamp +5 Ready to process requests.
In any tutorials I am following this line: [ldap] performing search in ou=SeminaryOU,dc=seminary,dc=local, with filter (uid=ttester) .... should have the filter but in mine this is not coming.
I am following this tutorial mainly: https://system-eng.blogspot.co m.mt/2015/12/setting-up-freeradius-in-debian-with_28.html? showComment=1470925094566
My config files:
/etc/freeradius/modules/ldap : http://paste.ubuntu.com/23060929/ /etc/freeradius/sites-available/inner-tunnel : http://paste.ubuntu.com/23060930/ /etc/freeradius/sites-available/default : http://paste.ubuntu.com/230609 31/ /etc/freeradius/users : http://paste.ubuntu.com/23060935/
Any idea where I should start looking at the problem please?
Thanks and best regards
Matthew
Matthew Pulis web: www.matthewpulis.info mob: +356 79539404