De : François Mehault
Envoyé : mardi 12 mai 2009 11:27
À : 'freeradius-users@lists.freeradius.org'
Cc : François Mehault
Objet : RE: check-item NAS-IP-ADdress & Calling-Station-ID with
openldap
Hi All,
I want to use FreeRadius to administer network equipement. I
use also OpenLDAP to stock information about users. FreeRADIUS and OpenLDAP are
installed on the same server FreeBSD 7.0.
I contact a Network equipement (like catalyst cisco 2950
v12.1) with putty (ssh/telnet).
To resume :
Windows XP -> ssh or telnet -> Cisco 2950 (client
radius/authenticator/NAS) -> EAPoRadius (I suppose) -> FreeRADIUS &
OpenLDAP
For the moment, I don’t install/configure supplicant on the
Windows XP, I don’t know if it’s require because I don’t want to use FreeRADIUS
to auhtenticate my Windows session. I have an active directory to do this.
I configure slapd.conf, radius.conf, clients.conf, module
ldap etc … and it’s works. And now I would like to add some check-item like
NAS-IP-Address and Caliing-Station-ID. But I don’t succeed :s, I use
checkval to do this.
I have 2 questions :
-
Why my calling-station-id in the request is a IP and
not a MAC ?
-
When I authenticate on the cisco 2950, I have in my log
« rlm_checkval: Item Name: NAS-IP-Address, Value: À¨ » instead of 192.168.0.50, what is the
problem ???
I think I have numerous problem, If you see one of them,
could you inform me ? I am a novice with freeradius (and openldap
also :s ). I could give you all information you need to help me to fix my
problem.
Thanks for your help,
Regards
Francçois MEHAULT
On my cisco 2950 :
aaa new-model
aaa authentication login default local group radius
aaa authorization exec default group radius local
aaa authorization network default group radius
My ldap.attrmap :
checkItem Calling-Station-Id
radiusCallingStationId
checkItem
NAS-IP-Address
radiusNASIpAddress
Extract of my openldap :
dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
sn: MEHAULT
uid: fmehault
cn: Francois MEHAULT
homeDirectory: /home/admins/fmehault
loginShell: /usr/local/bin/zsh
gidNumber: 1203
uidNumber: 1203
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: radiusprofile
radiusGroupName: stagiaire
radiusCallingStationId: 192.168.0.80 -> I put a IP address and not a Mac address because in the request it’s a IP and not a mac, I don’t know why…
radiusNASIpAddress: 192.168.0.60 -> in fact, the NAS IP is 192.168.0.50, but I put .60 to have Access-Reject
userPassword: {SSHA}tOoPUvtVW5O3+StoxScmQLiGFTO5l/+z
<12:34>[labobe2:~]# radiusd -X
FreeRADIUS Version 2.1.4, for host i386-portbld-freebsd7.0,
built on Apr 16 2009 at 12:03:36
Copyright (C) 1999-2008 The FreeRADIUS server project and
contributors.
There is NO warranty; not even for MERCHANTABILITY or
FITNESS FOR A
[…]
radiusd: #### Loading Clients ####
client 192.168.0.50 {
require_message_authenticator = no
secret =
"cherche"
shortname =
"swlabo"
nastype =
"cisco"
}
radiusd: #### Instantiating modules ####
[…]
modules {
Module: Checking authenticate {...} for more modules
to load
Module: Linked to module rlm_ldap
Module: Instantiating ldap
ldap {
server =
"127.0.0.1"
port = 389
password =
"secret"
identity =
"cn=root,dc=netplus,dc=fr"
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert
= "allow"
tls {
start_tls = no
require_cert =
"allow"
}
basedn =
"dc=netplus,dc=fr"
filter =
"(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter =
"(objectclass=radiusprofile)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute
= "cn"
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
groupmembership_attribute = "radiusGroupName"
dictionary_mapping
= "/usr/local/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type =
yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
[…]
rlm_ldap: LDAP radiusVSA mapped to RADIUS Cisco-AVPair
conns: 0x2852c240
Module: Checking authorize {...} for more modules to
load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups =
"/usr/local/etc/raddb/huntgroups"
hints =
"/usr/local/etc/raddb/hints"
with_ascend_hack
= no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module:
Linked to module rlm_checkval
Module:
Instantiating station-check
checkval station-check {
item-name = "Calling-Station-Id"
check-name = "Calling-Station-Id"
data-type = "string"
notfound-reject = no
}
rlm_checkval:
Registered name Calling-Station-Id for attribute 31
Module:
Instantiating nas-check
checkval nas-check {
item-name = "NAS-IP-Address"
check-name = "NAS-IP-Address"
data-type = "ipaddr"
notfound-reject = no
}
rlm_checkval: Registered name NAS-IP-Address for attribute 4
Module: Checking preacct {...} for more modules to
load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key =
"User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port"
}
Module: Checking accounting {...} for more modules to
load
Module: Linked to module rlm_detail
[…]
Then I launch my putty and log on the cisco :
rad_recv: Access-Request packet from host 192.168.0.50 port
1812, id=117, length=80
NAS-IP-Address =
192.168.0.50
NAS-Port = 1
NAS-Port-Type =
Virtual
User-Name =
"fmehault"
Calling-Station-Id = "192.168.0.80" à
it’s not a MAC address, why ???
User-Password =
"toto"
+- entering group authorize {...}
++[preprocess] returns ok
[…]
[ldap] WARNING: Deprecated conditional expansion
":-". See "man unlang" for details
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}})
-> (uid=fmehault)
[ldap] expand: dc=netplus,dc=fr -> dc=netplus,dc=fr
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=netplus,dc=fr, with filter
(uid=fmehault)
rlm_ldap: performing search in
cn=stagiaire,ou=Profiles,dc=netplus,dc=fr, with filter
(objectclass=radiusprofile)
rlm_ldap: radiusServiceType -> Service-Type =
NAS-Prompt-User
[ldap] looking for check items in directory...
rlm_ldap: radiusNASIpAddress -> NAS-IP-Address ==
192.168.0.60
rlm_ldap: radiusCallingStationId -> Calling-Station-Id ==
"192.168.0.80"
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in
LDAP. Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user fmehault authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
rlm_checkval: Item Name: Calling-Station-Id, Value:
192.168.0.80
rlm_checkval: Value Name: Calling-Station-Id, Value:
192.168.0.80
++[station-check] returns ok
rlm_checkval: Item Name:
NAS-IP-Address, Value: À¨ à what
is the problem ???
rlm_checkval: Value Name: NAS-IP-Address, Value:
192.168.0.60 (I put 192.168.0.60 instead of
192.168.0.50 to be reject )
[…]
Sending Access-Accept of id 117 to 192.168.0.50 port 1812
Reply-Message =
"Utilisateur: fmehault, group: Stagiaire"
Service-Type =
NAS-Prompt-User
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 117 with timestamp +237
Ready to process requests.