When you use AD then the following simple query will do all the hard workŠ Recursive Group Memberships (member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn}) Or as config snipped: group { base_dn = 'dc=foo,dc=bar' scope = 'sub' name_attribute = cn membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})" cacheable_name = "yes" cacheable_dn = "no" } - Peter Am 24.04.14 23:13 schrieb "Josh Essar" unter <jessar@kvcc.edu>:
I have having some problems with ldap group checking. Our students do not have a common group that they are a member of. They are all a member of a group based on their username (ST_Students for every student that has a username that start with st). We then have groups based off each letter of the alphabet (S_Students would contain the SA_Students through SZ_Students groups). We then have another group called students, that has the A_Students through Z_Students groups.
I know this is overly complex, but that is how our administrative computing department has set things up. I would like to use the student group to allow access to a wireless network. My current rule is as follows.
if ((Called-Station-SSID == "Test2) && (LDAP-Group == "students")) { noop }
When the test user sexample5555 connects, they get denied because their account is a member of the SE_Students group. The SE_Students group is a member of the S_Students group, and that group is a member of the students group....but the user is not a direct member of the students group.
Is there an easy solution that I am missing?
Here is the full debug output. I know some things are not 100% correct. We are still in the testing phase.
freeradius: FreeRADIUS Version 3.0.2, for host x86_64-pc-linux-gnu, built on Apr 7 2014 at 08:43:37 Copyright (C) 1999-2014 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /etc/freeradius/dictionary including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/mods-enabled/ including configuration file /etc/freeradius/mods-enabled/eap including configuration file /etc/freeradius/mods-enabled/preprocess including configuration file /etc/freeradius/mods-enabled/expiration including configuration file /etc/freeradius/mods-enabled/replicate including configuration file /etc/freeradius/mods-enabled/sradutmp including configuration file /etc/freeradius/mods-enabled/detail.log including configuration file /etc/freeradius/mods-enabled/exec including configuration file /etc/freeradius/mods-enabled/realm including configuration file /etc/freeradius/mods-enabled/ntlm_auth including configuration file /etc/freeradius/mods-enabled/logintime including configuration file /etc/freeradius/mods-enabled/attr_filter including configuration file /etc/freeradius/mods-enabled/files including configuration file /etc/freeradius/mods-enabled/radutmp including configuration file /etc/freeradius/mods-enabled/mschap including configuration file /etc/freeradius/mods-enabled/cache_eap including configuration file /etc/freeradius/mods-enabled/always including configuration file /etc/freeradius/mods-enabled/chap including configuration file /etc/freeradius/mods-enabled/unpack including configuration file /etc/freeradius/mods-enabled/ldap including configuration file /etc/freeradius/mods-enabled/detail including configuration file /etc/freeradius/mods-enabled/echo including configuration file /etc/freeradius/mods-enabled/linelog including configuration file /etc/freeradius/mods-enabled/dynamic_clients including configuration file /etc/freeradius/mods-enabled/utf8 including files in directory /etc/freeradius/policy.d/ including configuration file /etc/freeradius/policy.d/eap including configuration file /etc/freeradius/policy.d/filter including configuration file /etc/freeradius/policy.d/canonicalization including configuration file /etc/freeradius/policy.d/operator-name including configuration file /etc/freeradius/policy.d/dhcp including configuration file /etc/freeradius/policy.d/control including configuration file /etc/freeradius/policy.d/accounting including configuration file /etc/freeradius/policy.d/cui including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/wifi including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default main { security { user = "freerad" group = "freerad" allow_core_dumps = no } } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } } realm LOCAL { } home_server_pool my_auth_failover { type = fail-over home_server = localhost } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client our-wireless-controller.our.domain { require_message_authenticator = no secret = <<< secret >>> shortname = "ttcbluesocket" virtual_server = "wifi" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } No 'ipaddr' or 'ipv6addr' field found in client our-wireless-controller.our.domain. Please fix your configuration Support for old-style clients will be removed in a future release radiusd: #### Instantiating modules #### instantiate { } modules { # Loaded module rlm_eap # Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no mod_accounting_username_bug = no max_sessions = 4096 } # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 ca_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.pem" certificate_file = "/etc/freeradius/certs/server.pem" ca_file = "/etc/freeradius/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/freeradius/certs/dh" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = yes lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = yes } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_method = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Loaded module rlm_preprocess # Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups reading pairlist file /etc/freeradius/mods-config/preprocess/hints # Loaded module rlm_expiration # Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration # Loaded module rlm_replicate # Instantiating module "replicate" from file /etc/freeradius/mods-enabled/replicate # Loaded module rlm_radutmp # Instantiating module "sradutmp" from file /etc/freeradius/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_detail # Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6 -Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6 -Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Instantiating module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6 -Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Instantiating module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6 -Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Loaded module rlm_exec # Instantiating module "exec" from file /etc/freeradius/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_realm # Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Instantiating module "realmpercent" from file /etc/freeradius/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } # Instantiating module "ntlm_auth" from file /etc/freeradius/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=our.domain --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_logintime # Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_attr_filter # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response # Loaded module rlm_files # Instantiating module "files" from file /etc/freeradius/mods-enabled/files files { filename = "/etc/freeradius/mods-config/files/authorize" usersfile = "/etc/freeradius/mods-config/files/authorize" acctusersfile = "/etc/freeradius/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy" compat = "no" } reading pairlist file /etc/freeradius/mods-config/files/authorize reading pairlist file /etc/freeradius/mods-config/files/authorize reading pairlist file /etc/freeradius/mods-config/files/accounting reading pairlist file /etc/freeradius/mods-config/files/pre-proxy # Instantiating module "radutmp" from file /etc/freeradius/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_mschap # Instantiating module "mschap" from file /etc/freeradius/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username= %{%{Stripped-User-Name}:-%{%{mschap:User-Name}:-None}} --domain= %{%{mschap:NT-Domain}:-our.domain} --challenge= %{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" ntlm_auth_timeout = 10 passchange { } allow_retry = yes } # Loaded module rlm_cache # Instantiating module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap cache cache_eap { key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 16384 epoch = 0 add_stats = no } # Loaded module rlm_always # Instantiating module "reject" from file /etc/freeradius/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Instantiating module "fail" from file /etc/freeradius/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Instantiating module "ok" from file /etc/freeradius/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Instantiating module "handled" from file /etc/freeradius/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Instantiating module "invalid" from file /etc/freeradius/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Instantiating module "userlock" from file /etc/freeradius/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Instantiating module "notfound" from file /etc/freeradius/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Instantiating module "noop" from file /etc/freeradius/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Instantiating module "updated" from file /etc/freeradius/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_chap # Instantiating module "chap" from file /etc/freeradius/mods-enabled/chap # Loaded module rlm_unpack # Instantiating module "unpack" from file /etc/freeradius/mods-enabled/unpack # Loaded module rlm_ldap # Instantiating module "ldap" from file /etc/freeradius/mods-enabled/ldap ldap { server = "server.our.domain" port = 636 password = <<< secret >>> identity = "ACCOUNT" user { filter = "(cn=%{%{mschap:User-Name}:-%{User-Name}})" scope = "sub" base_dn = "dc=our,dc=domain" access_positive = yes } group { filter = "(objectClass=posixGroup)" scope = "sub" base_dn = "dc=our,dc=domain" name_attribute = "cn" membership_attribute = "memberOf" membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid= %{%{mschap:User-Name}:-%{User-Name}}))" cacheable_name = no cacheable_dn = no } client { filter = "(objectClass=frClient)" scope = "sub" base_dn = "dc=our,dc=domain" attribute { identifier = "radiusClientIdentifier" shortname = "cn" secret = "radiusClientSecret" } } profile { filter = "(&)" } options { ldap_debug = 40 chase_referrals = yes rebind = yes net_timeout = 1 res_timeout = 20 srv_timelimit = 20 idle = 60 probes = 3 interval = 3 } tls { start_tls = no } } accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" } post-auth { reference = "." } rlm_ldap (ldap): Initialising connection pool pool { start = 5 min = 4 max = 32 spare = 3 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_ldap (ldap): Opening additional connection (0) rlm_ldap (ldap): Connecting to server.our.domain:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (1) rlm_ldap (ldap): Connecting to server.our.domain:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (2) rlm_ldap (ldap): Connecting to server.our.domain:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (3) rlm_ldap (ldap): Connecting to server.our.domain:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (4) rlm_ldap (ldap): Connecting to server.our.domain:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful # Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6 -Address}}/detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Instantiating module "echo" from file /etc/freeradius/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_linelog # Instantiating module "linelog" from file /etc/freeradius/mods-enabled/linelog linelog { filename = "/var/log/freeradius/linelog" permissions = 384 format = "This is a log message for %{User-Name}" reference = "%{%{Packet-Type}:-format}" } # Loaded module rlm_dynamic_clients # Instantiating module "dynamic_clients" from file /etc/freeradius/mods-enabled/dynamic_clients # Loaded module rlm_utf8 # Instantiating module "utf8" from file /etc/freeradius/mods-enabled/utf8 } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/radiusd.conf } # server server wifi { # from file /etc/freeradius/sites-enabled/wifi # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server wifi server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel # Creating Auth-Type = LDAP # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} } # server inner-tunnel server default { # from file /etc/freeradius/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 1912 limit { max_connections = 26 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } listen { type = "auth" ipaddr = * port = 1812 limit { max_connections = 26 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Listening on auth address * port 1912 as server wifi Listening on acct address * port 1813 as server wifi Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel Listening on auth address * port 1812 as server default Listening on acct address * port 1813 as server default Opening new proxy socket 'proxy address * port 0' Listening on proxy address * port 33306 Ready to process requests. rad_recv: Access-Request packet from host WIFI-CONTROLLER-IP port 1034, id=39, length=174 User-Name = 'DOMAIN\\sexample5555' NAS-Port = 0 Called-Station-Id = '00-19-92-04-7E-81:Test2' Calling-Station-Id = '00-26-5E-31-33-3B' Framed-MTU = 1400 Attr-26 = 0x000026ef030302 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 0Mbps 802.11' EAP-Message = 0x025c0016014b5643435c736578616d706c6535353535 Message-Authenticator = 0x8c275779e337acf4e7eaccbf78cad923 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/wifi (0) authorize { (0) if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?( [0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) (0) if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?( [0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE (0) if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?( [0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) { (0) update request { (0) EXPAND %{7} (0) --> Test2 (0) Called-Station-SSID := "Test2" (0) } # update request = noop (0) } # if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?( [0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) = noop (0) if ((Called-Station-SSID == "Test2") && (LDAP-Group == "students")) (0) Searching for user in group "students" rlm_ldap (ldap): Reserved connection (4) (0) EXPAND (cn=%{%{mschap:User-Name}:-%{User-Name}}) (0) --> (cn=sexample5555) (0) EXPAND dc=our,dc=domain (0) --> dc=our,dc=domain (0) Performing search in 'dc=our,dc=domain' with filter '(cn=sexample5555)', scope 'sub' (0) Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://domainainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://our.domain/CN=Configuration,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful User object found at DN "CN=sexample5555,OU=OUR-OU,OU=OUR-OU,OU=OUR-OU,OU=people,DC=our,DC=domain" (0) Checking for user in group objects (0) EXPAND (&(cn=students)(objectClass=posixGroup)(|(member= %{control:Ldap-UserDn})(memberUid= %{%{mschap:User-Name}:-%{User-Name}}))) (0) --> (&(cn=students)(objectClass=posixGroup)(|(member=CN \3dsexample5555\2cOU\3dse_students\2cOU\3dS_students\2cOU\3dstudents \2cOU\3dpeople\2cDC\3dour\2cDC\3ddom)(memberUid=sexample5555))) (0) EXPAND dc=our,dc=domain (0) --> dc=our,dc=domain (0) Waiting for bind result... (0) Bind successful (0) Performing search in 'dc=our,dc=domain' with filter '(&(cn=students)(objectClass=posixGroup)(|(member=CN\3dsexample5555\2cOU \3dse_students\2cOU\3dS_students\2cOU\3dstudents\2cOU\3dpeople\2cDC \3dour\2cDC\3ddom)(memberUid=sexample5555)))', scope 'sub' (0) Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://DomainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://our.dom/CN=Configuration,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (0) Search returned no results (0) Search returned not found (0) Checking user object membership (memberOf) attributes (0) Waiting for bind result... (0) Bind successful (0) Performing unfiltered search in 'CN=sexample5555,OU=se_students,OU=S_students,OU=students,OU=people,DC=our ,DC=domain', scope 'base' (0) Waiting for search result... (0) Processing group membership value "CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain" (0) Converting group DN to group Name (0) Performing unfiltered search in 'CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain', scope 'base' (0) Waiting for search result... (0) Group name is "GROUP1" (0) Processing group membership value "CN=GROUP2,OU=groups,DC=our,DC=domain" (0) Converting group DN to group Name (0) Performing unfiltered search in 'CN=GROUP2,OU=groups,DC=our,DC=domain', scope 'base' (0) Waiting for search result... (0) Group name is "GROUP2" (0) Processing group membership value "CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our, DC=domain" (0) Converting group DN to group Name (0) Performing unfiltered search in 'CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our, DC=domain', scope 'base' (0) Waiting for search result... (0) Group name is "SE_students" (0) Processing group membership value "CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain" (0) Converting group DN to group Name (0) Performing unfiltered search in 'CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain', scope 'base' (0) Waiting for search result... (0) Group name is "GROUP4" (0) Processing group membership value "CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain" (0) Converting group DN to group Name (0) Performing unfiltered search in 'CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain', scope 'base' (0) Waiting for search result... (0) Group name is "GROUP5" rlm_ (ldap): Deleting connection (4) (0) User is not a member of specified group (0) if ((Called-Station-SSID == "Test2") && (LDAP-Group == "students")) -> FALSE (0) else else { (0) [reject] = reject (0) } # else else = reject (0) } # authorize = reject (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/sites-enabled/wifi (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject : EXPAND %{User-Name} (0) attr_filter.access_reject : --> DOMAIN\sexample5555 (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap : Request was previously rejected, inserting EAP-Failure (0) [eap] = updated (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (reply:EAP-Message && reply:Reply-Message) (0) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying reject of request 0 for 1 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (0) Sending delayed reject Sending Access-Reject of id 39 from Radius-Server port 1912 to WIFI-CONTROLLER-IP port 1034 EAP-Message = 0x045c0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. rad_recv: Access-Request packet from host WIFI-CONTROLLER-IP port 1034, id=40, length=174 User-Name = 'our\\sexample5555' NAS-Port = 0 Called-Station-Id = '00-19-92-04-7E-81:Test2' Calling-Station-Id = '00-26-5E-31-33-3B' Framed-MTU = 1400 Attr-26 = 0x000026ef030302 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 0Mbps 802.11' EAP-Message = 0x02b00016014b5643435c736578616d706c6535353535 Message-Authenticator = 0xfc98b83654758f9d0071ba123c21ca2e (1) # Executing section authorize from file /etc/freeradius/sites-enabled/wifi (1) authorize { (1) if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?( [0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) (1) if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?( [0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE (1) if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?( [0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) { (1) update request { (1) EXPAND %{7} (1) --> Test2 (1) Called-Station-SSID := "Test2" (1) } # update request = noop (1) } # if (Called-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?( [0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) = noop (1) if ((Called-Station-SSID == "Test2") && (LDAP-Group == "students")) (1) Searching for user in group "students" rlm_ldap (ldap): Reserved connection (3) (1) EXPAND (cn=%{%{mschap:User-Name}:-%{User-Name}}) (1) --> (cn=sexample5555) (1) EXPAND dc=our,dc=domain (1) --> dc=our,dc=domain (1) Performing search in 'dc=our,dc=domain' with filter '(cn=sexample5555)', scope 'sub' (1) Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://DomainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://our.domain/CN=Configuration,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (1) User object found at DN "CN=sexample5555,OU=OUR-OU,OU=OUR-OU,OU=OUR-OU,OU=people,DC=our,DC=domain" (1) Checking for user in group objects (1) EXPAND (&(cn=students)(objectClass=posixGroup)(|(member= %{control:Ldap-UserDn})(memberUid= %{%{mschap:User-Name}:-%{User-Name}}))) (1) --> (&(cn=students)(objectClass=posixGroup)(|(member=CN \3dsexample5555\2cOU\3dse_students\2cOU\3dS_students\2cOU\3dstudents \2cOU\3dpeople\2cDC\3dour\2cDC\3ddom)(memberUid=sexample5555))) (1) EXPAND dc=our,dc=domain (1) --> dc=our,dc=domain (1) Waiting for bind result... (1) Bind successful (1) Performing search in 'dc=our,dc=domain' with filter '(&(cn=students)(objectClass=posixGroup)(|(member=CN\3dsexample5555\2cOU \3dse_students\2cOU\3dS_students\2cOU\3dstudents\2cOU\3dpeople\2cDC \3dour\2cDC\3ddom)(memberUid=sexample5555)))', scope 'sub' (1) Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://DomainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Rebinding to URL ldaps://our.domain/CN=Configuration,DC=our,DC=domain rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Bind successful (1) Search returned no results (1) Search returned not found (1) Checking user object membership (memberOf) attributes (1) Waiting for bind result... (1) Bind successful (1) Performing unfiltered search in 'CN=sexample5555,OU=se_students,OU=S_students,OU=students,OU=people,DC=our ,DC=domain', scope 'base' (1) Waiting for search result... (1) Processing group membership value "CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain" (1) Converting group DN to group Name (1) Performing unfiltered search in 'CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain', scope 'base' (1) Waiting for search result... (1) Group name is "GROUP1" (1) Processing group membership value "CN=GROUP2,OU=groups,DC=our,DC=domain" (1) Converting group DN to group Name (1) Performing unfiltered search in 'CN=GROUP2,OU=groups,DC=our,DC=domain', scope 'base' (1) Waiting for search result... (1) Group name is "GROUP2" (1) Processing group membership value "CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our, DC=domain" (1) Converting group DN to group Name (1) Performing unfiltered search in 'CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our, DC=domain', scope 'base' (1) Waiting for search result... (1) Group name is "SE_students" (1) Processing group membership value "CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain" (1) Converting group DN to group Name (1) Performing unfiltered search in 'CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain', scope 'base' (1) Waiting for search result... (1) Group name is "GROUP4" (1) Processing group membership value "CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain" (1) Converting group DN to group Name (1) Performing unfiltered search in 'CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain', scope 'base' (1) Waiting for search result... (1) Group name is "GROUP5" rlm_ldap (ldap): Deleting connection (3) (1) User is not a member of specified group (1) if ((Called-Station-SSID == "Test2") && (LDAP-Group == "students")) -> FALSE (1) else else { (1) [reject] = reject (1) } # else else = reject (1) } # authorize = reject (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/freeradius/sites-enabled/wifi (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject : EXPAND %{User-Name} (1) attr_filter.access_reject : --> DOMAIN\sexample5555 (1) attr_filter.access_reject : Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) eap : Request was previously rejected, inserting EAP-Failure (1) [eap] = updated (1) remove_reply_message_if_eap remove_reply_message_if_eap { (1) if (reply:EAP-Message && reply:Reply-Message) (1) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (1) else else { (1) [noop] = noop (1) } # else else = noop (1) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying reject of request 1 for 1 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (1) Sending delayed reject Sending Access-Reject of id 40 from SERVER-IP port 1912 to WIFI-CONTROLLER-IP port 1034 EAP-Message = 0x04b00004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 1.3 seconds. (0) Cleaning up request packet ID 39 with timestamp +6 Waking up in 2.6 seconds.
Thanks! -Josh
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html