Voila! Got it to work. Here is what was wrong. Windows machine passes username for EAP-MSCHAP packet response in Domain\Username format which does not goes well with our ldap filters as there is no attribute (as I know) in AD which holds domain\username value for a object and you cannot remove domain part from EAP packets as this will make eap auth to fail. As mentioned here http://lists.freeradius.org/pipermail/freeradius-users/2011-November/057116.... (go through whole thread for complete understanding) we have to remove domain part from username field for ldap lookups (not from eap packets),so ass to make ldap lookups work and this is done by configuring domain realm in proxy.conf and configure ntdomain in virtual servers and ntdomain_hack in mshchap mod. Below are the config details. mods-enabled\eap set copy_request_to_tunnel = yes raddb/proxy.conf #add empty stanza for your domain realm domain { } mods-enabled\mschap set with_ntdomain_hack = yes sites-enabled\default Authorize { # These 2 lines will remove domain name when passing the username attribute for ldap lookups preprocess ntdomain ... .. } sites-enabled\inner-tunnel authrozie{ # These 2 lines will remove domain name when passing the username attribute for ldap lookups preprocess suffix ntdomain if (!State) { if ((outer.Called-Station-SSID =="XYZ") && (LDAP-Group != "ABC")) { reject } } ..... .... } Do let me know if there is a more diligent way of doing the same. Regards Misbah On 17 February 2017 at 00:23, Misbah Hussaini <misbhauddin@gmail.com> wrote:
I think I found the reason why the ldap group check is not working.
My ldap config has the filter set to sAMAccountName as shown below but the EAP packet is passing username as DOMAIN\USERNAME which is incorrect format for sAMAccountName.
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
Now, the question is how do I remove the domain\ from the username field, as I read elsewhere changing the username will cause EAP auth to fail.
Pointers are welcome... Quest continues..
Regards Misbah
On 16 February 2017 at 21:45, Misbah Hussaini <misbhauddin@gmail.com> wrote:
Thanks for pointer, changing the condition to below worked, but im a uable to figure out how to do ldap-group lookups inside inner tunnel config? I have tried to do the ldap lookup inside default config by removing the if condition from inner tunnel and adding to default but still it fails.
If (outer.Called-Station-SSID != "SSID02362") { Reject }
On Feb 16, 2017 5:23 PM, "Herwin Weststrate" <herwin@quarantainenet.nl> wrote:
On 16-02-17 14:12, Misbah Hussaini wrote:
Dear Alan,
The "if" condition doesn't match. Why? Go read the debug output. Run tests on each "if" check. >*Understand* how the server works.
I changed the if condition to below but still the if condition is not matching, I can confirm from logs that Called-Station-SSID is set to SSID02362, what's wrong in the if condition?
if (!State) { if ((Called-Station-SSID == "SSID02362") ) { reject } }
Here is processing of rewrite statement from debug, full debug can be found here -> http://pastebin.com/SuS2t9Er
You're changing the Called-Station-SSID in the outer tunnel (line 1848), then send a tunneled request (line 1911) with only a few attributes. The check is performed in the inner tunnel, and can't find the Called-Station-SSID.
Possible solutions: - Perform the check in the outer tunnel - Write to/Read from session-state:Called-Station-SSID - Use outer:request:Called-Station-SSID (or whatever the exact syntax was) to use the outer request.
-- Herwin Weststrate - List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html