Hi I tried to update freeradius from 1.1.6 to 1.1.7 on my 2 servers, but i had great problems: some of the ldap instances i configured do not set auth-type even if they find the user in the ldap directory. Of the ldap instances described below only the macbypass ones do not set Auth-Type, the others 2 do the correct thing: the aaa modules set Auth-Type to the module name while the 802x instances set Auth-Type to eap (since objects in that part of the ldap tree authenticate with eap-mschapv2) What's wrong? did i misconfigured something (but i doubt, since the configuration didn't change between the 2 versions) or i incurred in some kind of bug? This is my setup (only the relevant parts) ldap aaa1 { server = "XXXX.ifom-ieo-campus.it" port = 636 basedn = XXXXXXXX identity = XXXXXXXX password = XXXX start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 groupmembership_filter = "(memberuid=%{User-Name})" timeout =3 timelimit = 5 net_timeout = 5 } ldap aaa2 { server = "XXXX.ifom-ieo-campus.it" port = 636 basedn = XXXXXXXX identity = XXXXXXXX password = XXXX start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 groupmembership_filter = "(memberuid=%{User-Name})" timeout = 3 timelimit = 5 net_timeout = 5 } ldap macbypass1 { server = "XXXX.ifom-ieo-campus.it" port = 636 basedn =XXXXXX filter = "(macAddress=%{User-Name})" base_filter = "(objectclass=radiusprofile)" password_attribute = macAddress start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout =3 timelimit = 5 net_timeout = 5 } ldap macbypass2 { server = "XXXX.ifom-ieo-campus.it" port = 636 basedn = XXXXXX filter = "(macAddress=%{User-Name})" base_filter = "(objectclass=radiusprofile)" password_attribute = macAddress start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout =3 timelimit = 5 net_timeout = 5 } ldap 8021x1 { server = "XXXX.ifom-ieo-campus.it" port = 636 basedn = XXXXXXXX identity = XXXXXXXX password = XXXX start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 groupmembership_filter = "(memberuid=%{User-Name})" timeout =3 timelimit = 5 net_timeout = 5 } ldap 8021x2 { server = "XXXX.ifom-ieo-campus.it" port = 636 basedn = XXXXXXXX identity = XXXXXXXX password = XXXX start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 groupmembership_filter = "(memberuid=%{User-Name})" timeout =3 timelimit = 5 net_timeout = 5 } attr_rewrite UserNameNormalize { attribute = User-Name searchin = packet searchfor = "(..)(..)(..)(..)(..)(..)" replacewith = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}" ignore_case = no new_attribute = no max_matches = 10 append = no } preprocess { huntgroups = ${confdir}/huntgroups } files { usersfile = ${confdir}/users } always ok { rcode = ok simulcount = 0 mpp = no } perl { module = "/ofb/freeradius/bin/getVlan.pl" } } authorize { perl UserNameNormalize redundant { macbypass1 macbypass2 } redundant { aaa1 aaa2 } redundant { 8021x1 8021x2 } chap mschap eap files } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } Auth-Type macbypass1 { ok } Auth-Type macbypass2 { ok } Auth-Type aaa1 { aaa1 } Auth-Type aaa2 { aaa2 } Auth-Type 8021x1 { 8021x1 } Auth-Type 8021x2 { 8021x2 } Auth-Type perl { ok } eap } This is the dump of a successful authentication, with version 1.1.6: rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX:1645, id=16, length=167 User-Name = "000a95deba4a" User-Password = "000a95deba4a" Service-Type = Call-Check Framed-MTU = 1520 Called-Station-Id = "00-18-B9-EB-A6-93" Calling-Station-Id = "00-0A-95-DE-BA-4A" Message-Authenticator = 0x43b095f8f280648759c3cea2bf92b2bb NAS-Port-Type = Ethernet NAS-Port = 50017 NAS-IP-Address = XXX.XXX.XXX.XXX NAS-Identifier = "0c13.igp.ifom-ieo-campus.it" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 Using perl at 0x66f180 Use of uninitialized value in string eq at /ofb/freeradius/bin/ getVlan.pl line 340, <DATA> line 228. rlm_perl: ___ macAddr=000a95deba4a switch=XXX.XXX.XXX.XXX port=50017 exit-value=SUCCESS vlan=180 rlm_perl: Added pair Tunnel-Type = VLAN rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802 rlm_perl: Added pair Tunnel-Private-Group-Id = 180 modcall[authorize]: module "perl" returns ok for request 0 radius_xlat: '(..)(..)(..)(..)(..)(..)' radius_xlat: '00:0a:95:de:ba:4a' rlm_attr_rewrite: Changed value for attribute User-Name from '000a95deba4a' to '00:0a:95:de:ba:4a' modcall[authorize]: module "UserNameNormalize" returns ok for request 0 modcall: entering group redundant for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for 00:0a:95:de:ba:4a radius_xlat: '(macAddress=00:0a:95:de:ba:4a)' radius_xlat: 'ou=Network,dc=ifom-ieo-campus,dc=it' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to XXXX.ifom-ieo-campus.it:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: bind as / to XXXX.ifom-ieo-campus.it:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=Network,dc=ifom-ieo-campus,dc=it, with filter (macAddress=00:0a:95:de:ba:4a) rlm_ldap: Added password 00:0a:95:de:ba:4a in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Setting Auth-Type = macbypass1 rlm_ldap: user 00:0a:95:de:ba:4a authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "macbypass1" returns ok for request 0 modcall: leaving group redundant (returns ok) for request 0 modcall: entering group redundant for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for 00:0a:95:de:ba:4a radius_xlat: '(uid=00:0a:95:de:ba:4a)' radius_xlat: 'ou=Admins,ou=People,ou=Accounts,dc=ifom-ieo-campus,dc=it' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to XXXX.ifom-ieo-campus.it:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: bind as XXXXXXX to XXXX.ifom-ieo-campus.it:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=Admins,ou=People,ou=Accounts,dc=ifom-ieo-campus,dc=it, with filter (uid=00:0a:95:de:ba:4a) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "aaa1" returns notfound for request 0 modcall: leaving group redundant (returns notfound) for request 0 modcall: entering group redundant for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for 00:0a:95:de:ba:4a radius_xlat: '(uid=00:0a:95:de:ba:4a)' radius_xlat: 'ou=Users,ou=People,ou=Accounts,dc=ifom-ieo-campus,dc=it' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to XXXX.ifom-ieo-campus.it:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: bind as XXXXXX to XXXX.ifom-ieo-campus.it:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=Users,ou=People,ou=Accounts,dc=ifom- ieo-campus,dc=it, with filter (uid=00:0a:95:de:ba:4a) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "8021x1" returns notfound for request 0 modcall: leaving group redundant (returns notfound) for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 modcall[authorize]: module "files" returns notfound for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type macbypass1 auth: type "macbypass1" Processing the authenticate section of radiusd.conf modcall: entering group macbypass1 for request 0 modcall[authenticate]: module "ok" returns ok for request 0 modcall: leaving group macbypass1 (returns ok) for request 0 Sending Access-Accept of id 16 to XXX.XXX.XXX.XXX port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "180" Finished request 0 While this is the dump of a similar request after the upgrade: rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX:1645, id=230, length=166 User-Name = "0017f2f52bda" User-Password = "0017f2f52bda" Service-Type = Call-Check Framed-MTU = 1520 Called-Station-Id = "00-18-73-84-4C-95" Calling-Station-Id = "00-17-F2-F5-2B-DA" Message-Authenticator = 0xbf1846c5bbc8ef89556c34df53cddb72 NAS-Port-Type = Ethernet NAS-Port = 50019 NAS-IP-Address = XXX.XXX.XXX.XXX NAS-Identifier = "3a1.igp.ifom-ieo-campus.it" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 Using perl at 0x653fc0 rlm_perl: ___ macAddr=0017f2f52bda switch=XXX.XXX.XXX.XXX port=50019 exit-value=SUCCESS vlan=554 rlm_perl: Added pair Tunnel-Type = VLAN rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802 rlm_perl: Added pair Tunnel-Private-Group-Id = 554 modcall[authorize]: module "perl" returns ok for request 4 radius_xlat: '(..)(..)(..)(..)(..)(..)' radius_xlat: '00:17:f2:f5:2b:da' rlm_attr_rewrite: Changed value for attribute User-Name from '0017f2f52bda' to '00:17:f2:f5:2b:da' modcall[authorize]: module "UserNameNormalize" returns ok for request 4 modcall: entering group redundant for request 4 rlm_ldap: - authorize rlm_ldap: performing user authorization for 00:17:f2:f5:2b:da radius_xlat: '(macAddress=00:17:f2:f5:2b:da)' radius_xlat: 'ou=Network,dc=ifom-ieo-campus,dc=it' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Network,dc=ifom-ieo-campus,dc=it, with filter (macAddress=00:17:f2:f5:2b:da) rlm_ldap: Added password 00:17:f2:f5:2b:da in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user 00:17:f2:f5:2b:da authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "macbypass1" returns ok for request 4 modcall: leaving group redundant (returns ok) for request 4 modcall: entering group redundant for request 4 rlm_ldap: - authorize rlm_ldap: performing user authorization for 00:17:f2:f5:2b:da radius_xlat: '(uid=00:17:f2:f5:2b:da)' radius_xlat: 'ou=Admins,ou=People,ou=Accounts,dc=ifom-ieo-campus,dc=it' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Admins,ou=People,ou=Accounts,dc=ifom-ieo-campus,dc=it, with filter (uid=00:17:f2:f5:2b:da) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "aaa1" returns notfound for request 4 modcall: leaving group redundant (returns notfound) for request 4 modcall: entering group redundant for request 4 rlm_ldap: - authorize rlm_ldap: performing user authorization for 00:17:f2:f5:2b:da radius_xlat: '(uid=00:17:f2:f5:2b:da)' radius_xlat: 'ou=Users,ou=People,ou=Accounts,dc=ifom-ieo-campus,dc=it' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Users,ou=People,ou=Accounts,dc=ifom- ieo-campus,dc=it, with filter (uid=00:17:f2:f5:2b:da) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "8021x1" returns notfound for request 4 modcall: leaving group redundant (returns notfound) for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 4 modcall[authorize]: module "files" returns notfound for request 4 modcall: leaving group authorize (returns ok) for request 4 auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. Delaying request 4 for 1 seconds Finished request 4 Going to the next request