Hi, That is what I originally hoped for. Your post made me go back and rewrite my ldap module config, which in the end didn't change anything. I also did a search on the entire directory for any instances of "Auth-Type" to verify that I had not set it to "Accept". I found no occurrences that weren't in unused sites or documentation. So then I tried: 1. Uncommenting LDAP in the authorization and authentication sections of the default virtual server. They are commented out in my 2.2 config, because I don't use the default virtual server to handle ldap. More on this later. 2. Removed the NULL realm so that these requests would be handled locally. And success! A login that should work, works, and one that should not, doesn't. However, this isn't an acceptable solution in the long run. Then I tried adding the NULL realm back to proxy.conf to send the request to another virtual server, and adding a DEFAULT line to the users file, with Proxy-To-Realm, to make sure it gets there. I saw again that any random user and password would be accepted. I can clearly see the LDAP search fail with [ldap] = notfound. The reason I proxy the null realm is because of the variety of things the server has to handle: 1. local EAP and 802.1x - done in the default virtual server since you can't proxy twice. 2. proxying to eduroam - I use realm DEFAULT to send to the eduroam pool. 3. captive portal logins - no realm in username, ldap with group checking 4. vpn logins - no realm in username 5. network device management (ssh) - no realm in username, ldap with group checking 6. guest wireless authentication - no realm in username, different ldap server with group checking So, what I was doing was using the users file to match a specific attribute from each request, and then Proxy-To-Realm, so I could handle each in its own virtual server. I understand that its kind of ugly and I am open to suggestions on how to improve, or redesign if needed. Anyway, here is an example of the ldap search failing, but Access-Accept. rad_recv: Access-Request packet from host 172.x.x.x port 33182, id=73, length=170 Code: 1 Id: 73 Length: 170 Vector: 42ff0476073ba8c8168873d6f27aabd1 Data: 04 06 ac 10 20 8a 05 06 00 00 00 00 3d 06 00 00 00 13 01 05 31 32 33 02 12 03 c5 b2 f2 1f 3c 3b 4b f1 89 27 84 0c 63 6f b3 1f 0e 43 38 42 43 43 38 45 44 32 37 36 38 1e 0e 30 30 30 42 38 36 30 39 33 39 38 30 08 06 ac 15 0d af 06 06 00 00 00 01 1a 0e 000039e7 (14823) 05 08 75 77 2d 6e 73 64 1a 17 000039e7 (14823) 06 11 41 53 2d 41 50 2d 4d 43 2d 31 30 39 35 2d 42 1a 0e 000039e7 (14823) 0a 08 4d 43 2d 73 74 64 50 12 fb b9 f9 b2 c5 c3 8e 04 95 e6 03 39 64 97 79 4b NAS-IP-Address = 172.x.x.x NAS-Port = 0 NAS-Port-Type = Wireless-802.11 User-Name = "123" User-Password = "123" Calling-Station-Id = "redacted" Called-Station-Id = "redacted" Framed-IP-Address = 172.x.x.x Service-Type = Login-User Aruba-Essid-Name = "wireless" Aruba-Location-Id = "AP1" Aruba-AP-Group = "MC-std" Message-Authenticator = 0xfbb9f9b2c5c38e0495e603396497794b Thu Jul 5 07:59:33 2012 : Info: (0) # Executing section authorize from file /etc/raddb/sites-enabled/default Thu Jul 5 07:59:33 2012 : Info: (0) group authorize { Thu Jul 5 07:59:33 2012 : Info: (0) - entering group authorize {...} Thu Jul 5 07:59:33 2012 : Info: (0) [preprocess] = ok Thu Jul 5 07:59:33 2012 : Info: (0) [chap] = noop Thu Jul 5 07:59:33 2012 : Info: (0) [mschap] = noop Thu Jul 5 07:59:33 2012 : Info: (0) [digest] = noop Thu Jul 5 07:59:33 2012 : Info: (0) suffix : No '@' in User-Name = "123", looking up realm NULL Thu Jul 5 07:59:33 2012 : Info: (0) suffix : Found realm "NULL" Thu Jul 5 07:59:33 2012 : Info: (0) suffix : Adding Stripped-User-Name = "123" Thu Jul 5 07:59:33 2012 : Info: (0) suffix : Adding Realm = "NULL" Thu Jul 5 07:59:33 2012 : Info: (0) suffix : Proxying request from user 123 to realm NULL Thu Jul 5 07:59:33 2012 : Info: (0) suffix : Preparing to proxy authentication request to realm "NULL" Thu Jul 5 07:59:33 2012 : Info: (0) [suffix] = updated Thu Jul 5 07:59:33 2012 : Info: (0) eap : No EAP-Message, not doing EAP Thu Jul 5 07:59:33 2012 : Info: (0) [eap] = noop Thu Jul 5 07:59:33 2012 : Info: (0) files : users: Matched entry DEFAULT at line 207 Thu Jul 5 07:59:33 2012 : Info: (0) [files] = ok Thu Jul 5 07:59:33 2012 : Info: (0) ldap : performing user authorization for 123 Thu Jul 5 07:59:33 2012 : Info: (0) ldap : expand: %{Stripped-User-Name} -> 123 Thu Jul 5 07:59:33 2012 : Info: (0) ldap : expand: (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) -> (samaccountname=123) Thu Jul 5 07:59:33 2012 : Info: (0) ldap : expand: dc=ads,dc=xxxxxx,dc=ca -> dc=ads,dc=xxxxx,dc=ca Thu Jul 5 07:59:33 2012 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Thu Jul 5 07:59:33 2012 : Debug: [ldap] ldap_get_conn: Got Id: 0 Thu Jul 5 07:59:33 2012 : Debug: [ldap] attempting LDAP reconnection Thu Jul 5 07:59:33 2012 : Debug: [ldap] (re)connect to ldap.xxxxxx.ca:389, authentication 0 Thu Jul 5 07:59:33 2012 : Debug: [ldap] bind as AD\xxxxx/xxxxx to ldap.xxxxxx.ca:389 Thu Jul 5 07:59:33 2012 : Debug: [ldap] waiting for bind result ... Thu Jul 5 07:59:33 2012 : Debug: [ldap] Bind was successful Thu Jul 5 07:59:33 2012 : Debug: [ldap] performing search in dc=ads,dc=xxxxxx,dc=ca, with filter (samaccountname=123) Thu Jul 5 07:59:33 2012 : Debug: [ldap] object not found Thu Jul 5 07:59:33 2012 : Info: (0) ldap : search failed Thu Jul 5 07:59:33 2012 : Debug: [ldap] ldap_release_conn: Release Id: 0 Thu Jul 5 07:59:33 2012 : Info: (0) [ldap] = notfound Thu Jul 5 07:59:33 2012 : Info: (0) [expiration] = noop Thu Jul 5 07:59:33 2012 : Info: (0) [logintime] = noop Thu Jul 5 07:59:33 2012 : Info: (0) [pap] = noop Thu Jul 5 07:59:33 2012 : Info: (0) WARNING: Empty pre-proxy section. Using default return values. Thu Jul 5 07:59:33 2012 : Debug: Proxying to virtual server captive_portal Thu Jul 5 07:59:33 2012 : Info: (0) # Executing section authorize from file /etc/raddb/sites-enabled/default Thu Jul 5 07:59:33 2012 : Info: (0) group authorize { Thu Jul 5 07:59:33 2012 : Info: (0) - entering group authorize {...} Thu Jul 5 07:59:33 2012 : Info: (0) [preprocess] = ok Thu Jul 5 07:59:33 2012 : Info: (0) [chap] = noop Thu Jul 5 07:59:33 2012 : Info: (0) [mschap] = noop Thu Jul 5 07:59:33 2012 : Info: (0) [digest] = noop Thu Jul 5 07:59:33 2012 : Info: (0) suffix : Proxy reply, or no User-Name. Ignoring. Thu Jul 5 07:59:33 2012 : Info: (0) [suffix] = ok Thu Jul 5 07:59:33 2012 : Info: (0) [eap] = noop Thu Jul 5 07:59:33 2012 : Info: (0) files : users: Matched entry DEFAULT at line 207 Thu Jul 5 07:59:33 2012 : Info: (0) [files] = ok Thu Jul 5 07:59:33 2012 : Info: (0) ldap : performing user authorization for 123 Thu Jul 5 07:59:33 2012 : Info: (0) ldap : expand: %{Stripped-User-Name} -> 123 Thu Jul 5 07:59:33 2012 : Info: (0) ldap : expand: (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) -> (samaccountname=123) Thu Jul 5 07:59:33 2012 : Info: (0) ldap : expand: dc=ads,dc=xxxxxxxx,dc=ca -> dc=ads,dc=xxxxxxxx,dc=ca Thu Jul 5 07:59:33 2012 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Thu Jul 5 07:59:33 2012 : Debug: [ldap] ldap_get_conn: Got Id: 0 Thu Jul 5 07:59:33 2012 : Debug: [ldap] performing search in dc=ads,dc=xxxxxxx,dc=ca, with filter (samaccountname=123) Thu Jul 5 07:59:33 2012 : Debug: [ldap] object not found Thu Jul 5 07:59:33 2012 : Info: (0) ldap : search failed Thu Jul 5 07:59:33 2012 : Debug: [ldap] ldap_release_conn: Release Id: 0 Thu Jul 5 07:59:33 2012 : Info: (0) [ldap] = notfound Thu Jul 5 07:59:33 2012 : Info: (0) [expiration] = noop Thu Jul 5 07:59:33 2012 : Info: (0) [logintime] = noop Thu Jul 5 07:59:33 2012 : Info: (0) [pap] = noop Thu Jul 5 07:59:33 2012 : Info: (0) Auth-Type = Accept, accepting the user Thu Jul 5 07:59:33 2012 : Auth: (0) Login OK: [123] (from client wxxxxxxx port 0 cli C8BCC8ED2768) Thu Jul 5 07:59:33 2012 : Info: (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default Thu Jul 5 07:59:33 2012 : Info: (0) group post-auth { Thu Jul 5 07:59:33 2012 : Info: (0) - entering group post-auth {...} Thu Jul 5 07:59:33 2012 : Info: (0) [exec] = noop Thu Jul 5 07:59:33 2012 : Info: (0) policy remove_reply_message_if_eap { Thu Jul 5 07:59:33 2012 : Info: (0) - entering policy remove_reply_message_if_eap {...} Thu Jul 5 07:59:33 2012 : Info: (0) ? if (reply:EAP-Message && reply:Reply-Message) Thu Jul 5 07:59:33 2012 : Info: (0) ? Evaluating (reply:EAP-Message ) -> FALSE Thu Jul 5 07:59:33 2012 : Info: (0) ? Skipping (reply:Reply-Message) Thu Jul 5 07:59:33 2012 : Info: (0) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE Thu Jul 5 07:59:33 2012 : Info: (0) else else { Thu Jul 5 07:59:33 2012 : Info: (0) - entering else else {...} Thu Jul 5 07:59:33 2012 : Info: (0) [noop] = noop Thu Jul 5 07:59:33 2012 : Info: (0) - else else returns noop Thu Jul 5 07:59:33 2012 : Info: (0) - policy remove_reply_message_if_eap returns noop Sending Access-Accept of id 73 to 172.16.32.138 port 33182 Code: 2 Id: 73 Length: 20 Vector: 69147ff0c996e2d6f56993d745fe3fca Dave A. On 2012-07-05, at 4:07 AM, Phil Mayers wrote: On 07/05/2012 12:24 AM, David Aldwinckle wrote:
Hello,
I am having a problem getting LDAP authentication working on FreeRADIUS Version 3.0.0. The behaviour I am experiencing is that the server will send an Access-Accept message without doing any checking of credentials. I would expect to see an LDAP bind, but that does not occur. In the debug output, I see a FreeRadius preparing to proxy, but this never happens. I'm hoping that I've overlooked something simple, it has been a while since I've done a fresh install.
You've most likely misconfigured the server, possibly without realising it. I note you are proxying the NULL realm to a local virtual server, which is a very not-default configuration.
(0) Auth-Type = Accept, accepting the user
Find out where this is configured, and remove it. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html